Skip to content

Releases: awslabs/cli-agent-orchestrator

v2.3.0

Choose a tag to compare

@github-actions github-actions released this 12 Jul 06:19

Highlights

This is a substantial release. CAO 2.3 introduces cao workflow — a script-tier orchestration engine that lets a supervisor author multi-agent runs as plain JavaScript (agent() / parallel() / pipeline()), with a durable run journal, resumable execution, and a linter + run-step env guard for safety (#312, Bolts 1–4). Alongside it: CAO memory federation and portability — cross-project FEDERATED scope, Open Knowledge Format (OKF) export/import, and self-healing wiki repair (cao memory heal); a major event-driven architecture rebase (#273) that removes polling from inbox delivery across the terminal/session stack; a new cross-node fleet coordinator + web control panel for managing many CAO nodes from one place; and a broad kiro-cli 2.11 compatibility pass that fixes a supervisor deadlock plus several TUI status-detection regressions. New providers this release: Cursor CLI, Antigravity CLI (agy), Kimi CLI, and Hermes/herdr backends; Amazon Q CLI and Gemini CLI providers were removed. (cao profile and the graph rendering layer are in progress on main and will ship in a following minor release, not 2.3.0.)

Added

  • cao workflow — script-tier orchestration engine (#312, Bolts 1–4) — A new way to author multi-agent runs as a plain JS script instead of prose instructions to a supervisor. Ships incrementally across this release:

    • Spec grammar + run_agent_step substrate (Bolt 1) by @fanhongy in #320
    • Authoring, persistence & structured returns (Bolt 2) by @fanhongy in #326
    • Orchestration run engine (Bolt 3 / N5) by @fanhongy in #329
    • Durable run journal + resume — a crashed or killed workflow can resume from its last completed step (N6) by @fanhongy in #372
    • Script-tier journal extension (C3/U3) by @fanhongy in #391
    • Script linter + run-step env guard (B2: U1+U2) — catches unsafe scripts before they run by @fanhongy in #394
    • Script-tier execution engine, U4 runner by @fanhongy in #396
  • CAO memory: cross-project federation — FEDERATED scope (Phase 4 U3) — A new scope that lets memories be shared and recalled across projects rather than pinned to one, closing a gap flagged during Phase 2.5 hardening by @fanhongy in #314

  • CAO memory: Open Knowledge Format (OKF) export/import (Phase 4 U2)cao memory export/cao memory import CLI commands plus a read-scoped GET /memory/export API endpoint stream a memory scope as a portable tar.gz bundle, enabling memory migration and backup by @fanhongy in #384

  • CAO memory: wiki self-healing — cao memory heal (Phase 4 U1) — Detects and repairs structural drift in the memory wiki (orphaned entries, broken cross-references, stale index) without a full rebuild by @fanhongy in #306

  • CAO memory Phase 3 — LLM wiki compile, cross-references, lint, audit log, scoring — Compiles raw memory entries into a browsable wiki via LLM summarization, adds cross-reference linking, a lint pass for wiki health, a daily audit log, and a memory-quality scoring pass by @fanhongy in #285

  • CAO memory: Web UI support — Browse, search, and manage stored memories from the Web UI dashboard by @fanhongy in #290

  • CAO memory: bundle built-in memory plugins for Claude Code, Kiro, and Codex — Ships ready-to-use memory-injection plugins for the three most common providers so memory.enabled works out of the box without custom wiring by @fanhongy in #269

  • CAO memory: docs — per-scope store samples, on-disk comparison, SQLite architecture diagram by @fanhongy in #355

  • Enable/disable an agent-profile directory (closes #280, #281) — A profile directory's profiles can now be toggled out of the active set without removing the directory from config by @call-me-ram in #368

  • Scope the per-agent skill catalog via a profile allowlist — Optional skills field on AgentProfile restricts which skills a given agent can see, via an fnmatch allowlist; runtime-prompt providers only by @vprudnikoff in #351

  • Discover skills from extra_skill_dirs — Mirrors the existing extra_agent_dirs pattern so custom skill directories are picked up the same way custom agent directories are by @vprudnikoff in #277

  • Event-driven architecture (rebase onto main + green suite) — Replaces polling-based inbox delivery with an event-driven model across the terminal/session stack by @call-me-ram in #273

  • cao-mcp-server operations tools + orchestration worker profiles — Adds worker status/output MCP tools and bundled worker profiles tuned for the ops MCP server by @call-me-ram in #324

  • Gate network egress behind a web_fetch tool category (closes #310) — Network-fetch capability is now an explicit, allowlist-gated tool category rather than implicit access, tightening the default security posture by @call-me-ram in #311

  • pyte rendered-screen status detection (closes #287) — Uses a virtual terminal screen buffer (pyte) instead of raw-buffer regex matching for provider status detection, reducing false IDLE/PROCESSING reads by @call-me-ram in #293

  • Herdr terminal backend with event-driven inbox delivery — A new terminal backend option with native event-driven message delivery by @anilkmr-a2z in #271

  • Hermes provider support — Adds Hermes Agent as a supported provider by @NorethSea in #272

  • Cursor CLI provider — Adds Cursor CLI as a first-class provider by @ThePlenkov in #296

  • Antigravity CLI (agy) provider — Adds Google's terminal-native coding agent, the successor to the Gemini CLI after its free "Login with Google" path was retired by @MarkusWohlmuth in #323

  • codexConfig field on AgentProfile — Optional per-agent config overrides for the codex provider by @vprudnikoff in #278

  • Web UI: optional Session Name field on the Spawn Agent dialog — Lets operators name a session at spawn time instead of only after the fact by @vprudnikoff in #279

  • Configurable server timeouts + file-based Claude Code prompt delivery by @jitendrasinghsankhwar in #318

  • cao flow renamed to cao schedule — Avoids confusion with the new cao workflow feature. cao flow remains as a hidden, deprecated alias that warns on stderr; flow files, ~/.cao/flows, stored schedules, and the /flows REST API are unchanged by @fanhongy in #380

  • cao-mcp-apps: canonical-source fidelity + host-delegated dogfooding by @plauzy in #347

  • Sandboxed host-rendered fleet UI (SEP-1865) by @plauzy in #332

  • examples/fleet — cross-node fleet coordinator — Manages many CAO nodes from one place: one-command node bootstrap, a fleet control helper (list/show/exec against any node), and an AI conductor wired to one cao-ops-mcp-server per node. Purely additive under examples/; each node stays a stateless client of the existing cao-server API by @SparkyWen in #365, plus a web control panel + live console (#366) and a coordinator guide (docs/fleet_instructions.md, #367)

  • examples/aws — cloud-ops agent examples with config by @sujoydc in #377

Changed

  • Unify CAO configuration into a single source of truth — Consolidates config resolution that was previously spread across multiple layers/files by @fanhongy in #381

Removed

  • Amazon Q CLI and Gemini CLI providers removed — Q CLI is superseded by kiro_cli; Gemini CLI's free "Login with Google" path was retired (see the new Antigravity CLI provider above) by @gutosantos82 in #353

Deprecated

  • cao flow — use cao schedule instead; the alias will be removed in a future release (#380)

Fixed

  • kiro-cli 2.11 compatibility — unblock multi-agent orchestration — A multi-part fix for a supervisor deadlock and detection regressions introduced by kiro-cli 2.11: bracketed paste now sends 2 Enters with a submit delay (2.11's TUI swallowed the single-Enter used by older versions); TUI_PROCESSING_PATTERN matches both the pre-2.11 and 2.11+ processing strings; the no-Credits completion check now requires a full bordered response box instead of any idle-prompt match; and kiro-cli chat always launches with --trust-all-tools so the new "subagent requires approval" dialog doesn't deadlock headless orchestration (CAO still enforces tool scoping at its own layers) by @haofeif in #390

  • claude_code: backgrounded task no longer reads as COMPLETED (fixes #392) — The "✻ Waiting for N workflows" wait line has no spinner ellipsis and can look like a finished turn; both the raw-buffer and pyte screen paths now correctly report PROCESSING until a real completion signal appears by @call-me-ram in #393

  • memory: validate user-derived path components, closing CodeQL path-injection alerts — Every user-derived path component (key, scope, scope_id) is now validated as a single safe path segment and confined under the memory base directory via realpath + containment guard, closing 11 CodeQL py/path-injection alerts by @gutosantos82 in #401

  • mcp: launch bundled cao-mcp-server without a per-launch network fetch by @tedswinyar in #403

  • fifo: non-blocking reader loop + event-loop-safe session teardown (fixes #382) — Reader threads could be stranded in a blocking FIFO open() by a stop/reopen race; DELETE /sessions now runs teardown in a worker thread so repeated create/delete cycles can't wedge cao-server by @call-me-ram in #383

  • cli: auto-detect server backend + herdr reconcile fixes by @anilkmr-a2z in #309

  • cli: add --version/-V option (#354) by @fanhongy in #379

  • providers: read herdr native status in all providers (#359) by @fanhongy in #361

  • providers: harden Claude and OpenCode status detection by @aygnep in #327

  • kiro: detect TUI idle state without falling back to --legacy-ui by @haofeif in #330

  • claude_code: echoed system prompt false-matches idle, blocking the workspace-trust dialog by @cdrury526 in #319

  • Allow permissionMode to override yolo in the claude_code provider by @zz3...

Read more

v2.2.0

Choose a tag to compare

@haofeif haofeif released this 04 Jun 11:25
4fada4e

v2.2.0 — 2026-06-04

Highlights

CAO 2.2 introduces persistent agent memory — agents can now store and recall knowledge across sessions through memory_store / memory_recall / memory_forget MCP tools, with global / project / session / agent scoping, BM25 fallback retrieval over a SQLite index, file-lock-safe concurrent writes, per-scope caps, and stable project identity via git remote. Memories auto-inject as <cao-memory> context at session start. Plus a new external-tool integration path that lets CAO orchestrate non-CAO CLI agents (OpenClaw, Hermes Agent, etc.) as first-class workers, handoff terminals that auto-delete after completion with snapshot-based restore, eager inbox delivery for providers that buffer input mid-turn, --env forwarding through cao launch to supervisors and children, codex / claude_code profile fields (codexProfile, permission_mode), an official devcontainer feature, and a stack of TUI-detection, security, and dependency fixes.

Added

  • CAO memory (Phase 1 + 2 + 2.5 hardening) — Three-phase build of a persistent agent memory system. Phase 1 lays down the storage foundation: memory_store / memory_recall / memory_forget MCP tools, scope-based partitioning under ~/.aws/cli-agent-orchestrator/memory/, and a CLI surface (cao memory list/show/delete/clear). Phase 2 adds SQLite metadata, BM25 fallback retrieval, and <cao-memory> context injection at session start via a context manager. Phase 2.5 hardens the system with per-scope caps (10 entries / 1000 chars), an ISO-8601 Z round-trip lock on index.md, real-multiprocess flock contention tests, a memory.enabled short-circuit on recall, and stable project identity via canonicalized git remote (with cwd-hash alias for repos without a remote). See docs/memory.md by @fanhongy in #245, #254, #262

  • External tool integration (OpenClaw, Hermes Agent) — A new external-tool-integration skill lets CAO orchestrate non-CAO CLI agents as first-class workers. Hermes Agent is shipped as a worked end-to-end example — see docs/external-tool-integration.md by @anilkmr-a2z and @haofeif in #241, #253

  • CAO operations MCP server (cao-mcp-server) — Exposes CAO's session/terminal/launch operations to LLM agents as MCP tools, so a supervisor can drive cao launch, cao session list, etc. via tool calls instead of shell invocations by @patricka3125 in #166

  • Auto-delete handoff terminals with snapshot-based restorehandoff workers now self-delete on completion. The supervisor still sees the worker's final output through a captured snapshot, so cross-provider handoff results survive cleanup by @anilkmr-a2z in #233

  • Shell command tracking, flow recycling, inbox delivery reliability — Tracks shell commands per terminal for diagnostics; recycles flow records to avoid unbounded growth; and tightens inbox delivery so messages don't get stuck in PENDING when the receiver was briefly busy by @anilkmr-a2z in #230

  • Eager inbox delivery for buffering providers — Providers like Gemini CLI that buffer pasted input during processing now receive inbox messages eagerly the moment they reach a deliverable state, instead of waiting for a polling tick by @anilkmr-a2z in #251

  • cao launch --env forwarding to supervisor and child agents — Operators can now forward env vars through cao launch --env; the values travel in the JSON request body (not the URL) so secrets don't land in cao-server access logs and propagate to every worker spawned in the session by @call-me-ram in #259

  • codexProfile field on AgentProfile (codex provider) — Optional codexProfile frontmatter key lets codex agent profiles select a named codex profile at launch by @kjanoudi in #250

  • permission_mode field on AgentProfile (claude_code provider) — Optional permission_mode frontmatter key for fine-grained Claude Code permission control beyond the universal allowedTools vocabulary by @kjanoudi in #244

  • Official devcontainer feature — A reusable devcontainer feature for CAO so contributors can spin up a fully-provisioned dev environment with one click by @ThePlenkov in #260

  • Web UI: filtering, sorting, grouping, and session deletion — Dashboard home gains client-side filter/sort/group, plus a session-delete action so stale sessions can be cleaned up from the browser by @gutosantos82 in #200

  • OpenCode provider label in Web UIopencode_cli now appears in the Web UI's provider pickers and /agents/providers response, with a friendly "OpenCode" source label by @patricka3125 in #217

  • Auto-derive CORS origins from cao-server --host/--port — CORS allowlist is now built from the bind address by default, so the Web UI works out of the box on remote hosts without manual CAO_CORS_ORIGINS configuration by @call-me-ram in #261

Fixed

  • Codex: detect v0.136+ TUI footer (model · path without N% left) — codex 0.136 dropped the N% left segment from the status bar, so TUI_FOOTER_PATTERN never matched and get_status() couldn't tell the suggestion-hint line apart from a real user message. Handoff and assign workers were pinning at IDLE forever. Pattern extended to anchor on the path component shared across v0.111 and v0.136 footers by @haofeif

  • Codex: skip • Called <tool>(...) MCP tool-call markers during last-message extraction — the extractor anchored on the first after the user prompt, which can be a tool-call marker; the tool output that follows (e.g. the cao-worker-protocols skill body containing [CAO Handoff]) leaked into the extracted response. The extractor now iterates matches and skips MCP tool-call markers; ASSISTANT_PREFIX_PATTERN was also tightened from \s*• to [^\S\n]*• so the match anchors on the bullet line itself, not a preceding blank line by @haofeif

  • Kiro CLI: paste-into-boot-screen race that dropped the first message after launch — kiro shows a M of N mcp servers initialized line before the idle prompt becomes interactive, so a paste arriving in this window was silently absorbed by the boot screen. TUI_INITIALIZING_PATTERN extended to match this line, and Check 3 (shell-baseline = IDLE) gated on self._initialized so get_status() no longer returns IDLE while kiro is still exec'ing by @haofeif in #268

  • CI: stop TestPyPI squats breaking the release smoke test — the publish workflow's --extra-index-url to TestPyPI let a squatted FASTAPI 1.0 package outrank real fastapi and break the build. The smoke test now installs our package from TestPyPI with --no-deps and resolves dependencies from PyPI alone, with a fail-fast chain by @haofeif in #270

  • Always honor profile.provider at launch (yolo + allowed-tools paths)resolve_provider previously lived inside one branch of the permission-resolution conditional in launch.py, so --yolo and --allowed-tools paths silently dropped the profile's provider: frontmatter field. Cross-provider workflows where each profile pins a specific CLI now work in every launch path by @call-me-ram in #257

  • Resolve profile.provider in create_session()POST /sessions passed the caller-supplied provider straight through, so the Web UI and any HTTP client ignored profile.provider. The fix preserves explicit --provider over the profile (CLI flag wins) by @gutosantos82 in #198

  • MCP worker provider resolution + ops MCP profile provider — Two related fixes ensuring spawned MCP workers and ops MCP sessions honor the agent profile's declared provider instead of falling back to the supervisor's CLI by @patricka3125 in #224, #229

  • MCP: reject send_message when receiver_id equals sender — Prevents an agent from accidentally messaging itself, which produced infinite forwarding loops on some providers by @call-me-ram in #263

  • Wait for IDLE before tmux attach (non-headless launch) — Non-headless cao launch attached the moment the API returned, racing the provider's TUI init and silently dropping early keystrokes. Mirrors the headless path's wait_until_terminal_status(IDLE/COMPLETED) with a warn-and-attach fallback on timeout by @haofeif in #221 (resolves #220)

  • Kiro CLI: false-IDLE during Initializing... — The new TUI renders the idle-prompt placeholder before init completes; CAO matched the placeholder and dropped the first user message. TUI_INITIALIZING_PATTERN now unconditionally returns PROCESSING during the init phase by @haofeif in #215 (resolves #211)

...

Read more

v2.1.1

Choose a tag to compare

@github-actions github-actions released this 28 Apr 04:38

What's Changed

  • fix(launch): honour profile.provider when --provider flag is not given by @gutosantos82 in #196
  • fix(claude-code): eliminate PROCESSING false-positives from compaction and /exit by @gutosantos82 in #199
  • feat: Add OpenCode CLI provider support by @patricka3125 in #193
  • fix(kiro_cli): honor --yolo and profile.model at launch by @haofeif in #201
  • fix(copilot_cli): recognise Copilot v1.0.31+ status bar and breadcrumb as footer lines for idle detection by @wahidzzz in #184
  • feat(ci): add PyPI publish workflow and update pyproject.toml by @fanhongy in #123
  • Feat/publish cao to pypi by @fanhongy in #209
  • build(deps-dev): bump postcss from 8.5.8 to 8.5.12 in /web by @dependabot[bot] in #208
  • Fix git cliff timeout issue to unblock the release action by @fanhongy in #212
  • switch to deploy key to bypass commit to main by @fanhongy in #213

Full Changelog: v2.1.0...v2.1.1

v2.1.0

Choose a tag to compare

@haofeif haofeif released this 22 Apr 04:03
c7d92cf

v2.1.0 — 2026-04-22

Highlights

CAO 2.1 adds a cao session CLI for driving running sessions from the shell, an external-plugin extension point (pip-installable observer/hook plugins), a first-class skills system with managed skills auto-seeded at cao init, Kiro CLI full-TUI support, agent-profile env-var injection, a universal allowedTools vocabulary translated per-provider, and the Web UI now ships inside the Python wheel. Plus a stack of TUI-detection and session-lifecycle fixes across Claude Code, Kiro CLI, and terminal-service.

Added

  • cao session command group — New cao session list | status | send lets you inspect and drive running sessions from the shell without attaching to tmux. cao shutdown and cao launch now go through the HTTP API so a local CLI can drive a remote cao-server. cao launch also gains --working-directory and an optional trailing message argument for one-shot headless task execution. A new cao-session-management skill documents the command group for LLM-driven operators by @anilkmr-a2z in #187
  • External plugins — Observer/hook plugins can now be installed via pip and auto-discovered through the cao.plugins entry point group. Plugins subclass CaoPlugin and register handlers with the @hook decorator. Ships with lifecycle tests and a documented install flow at docs/plugins.md by @patricka3125 in #172
  • Skills system — Native support for reusable agent skills installed to ~/.cao/skills/ via cao skill add. New cao-provider skill guides contributors through adding new CLI agent providers end-to-end; cao-supervisor-protocols and cao-worker-protocols seeded via cao init. Managed-skills section added to the README by @patricka3125 and @haofeif in #145, #154, #170
  • Kiro CLI full TUI mode + --legacy-ui fallback — Support for Kiro CLI's new full-screen TUI alongside the legacy prompt; --legacy-ui flag preserved for compatibility by @haofeif in #138, #163
  • Agent-profile environment variable injection — Agent profiles can declare env entries loaded into the agent process at launch, with secret-aware handling via ~/.cao/.env by @patricka3125 in #156
  • Universal allowedTools vocabulary — Unified CAO tool-restriction vocabulary translated per-provider, replacing provider-specific allow/deny flags. Child agents now honor explicit allowedTools=["*"] instead of silently inheriting parent restrictions by @haofeif in #125, #144
  • Web UI bundled in the wheel — Built Web UI assets now ship inside the Python wheel, so a plain uv tool install gives you the dashboard with no extra build steps by @patricka3125 in #169
  • Clearer launch confirmation + --auto-approve — Redesigned the cao launch confirmation prompt to show Role instead of Blocked, clearly distinguish [Y] / [--auto-approve] / [--yolo], and added --auto-approve to skip the prompt without removing restrictions by @haofeif in #146

Fixed

  • Cleanup guard on terminal creation_create_terminal no longer kills sessions it didn't create during rollback; the cleanup path now tracks whether this call actually created the tmux session by @gutosantos82 in #191
  • Graceful handling of missing agent profilesterminal_service returns a clear error instead of tracebacking when an agent profile can't be found in the CAO store by @anilkmr-a2z in #186
  • Profile-level model honored at terminal creation — Providers now pass profile.model through to the CLI at launch, so per-agent model selection works end-to-end by @patricka3125 in #189
  • Claude Code: false-positive IDLE on pre-existing shell prompt — Initialize-time status check could return IDLE against the pre-existing zsh/bash prompt before Claude Code actually started. Added pre-launch pane snapshot + Claude-specific startup markers to confirm the CLI is actually running before accepting IDLE by @gutosantos82 in #190
  • Claude Code: structural PROCESSING detectionget_status() now uses structural detection for PROCESSING instead of relying on position, eliminating a race where the spinner and prompt interleaved mid-capture by @gutosantos82 in #177
  • Claude Code: stale processing spinners no longer block inbox delivery — by @haofeif in #106
  • Kiro CLI: 2.0 credits-before-separator layout — Status detection updated for the new Kiro TUI layout where the credits line appears before the separator by @anilkmr-a2z in #188
  • Kiro CLI: position-aware "Kiro is working" check — Stale scrollback could leave "Kiro is working" in the capture after completion and block handoffs with a false PROCESSING; detection is now position-aware to the latest interaction by @wahidzzz in #185
  • Kiro CLI: new-TUI fallback patterns + FileNotFoundError handling — Added fallback detection patterns for the new Kiro CLI TUI prompt format (ask a question, or describe a task). Fixed load_agent_profile() wrapping FileNotFoundError as RuntimeError, which caused assign() to fail for JSON-only agent profiles by @haofeif in #140 (resolves #137)
  • Web UI: missing providers in dropdown — Added gemini_cli, kimi_cli, and copilot_cli to the /agents/providers endpoint and frontend fallback list so all 7 providers appear by @haofeif in #158 (resolves #157)
  • Web UI: terminal scroll and paste reliability — Fixes for scrollback drift and multi-line paste handling in the browser terminal by @gosmonso96 in #162
  • WAITING_USER_ANSWER false positives from stale scrollback — Regex hardened so historical confirm? [y/n] lines in scrollback don't get re-detected as active prompts by @patricka3125 in #142
  • Gemini skill-catalog test assertion — Test reads GEMINI.md rather than a hardcoded fixture so the catalog assertion tracks the live skill set by @haofeif in #180

Security

New Contributors

Upgrade

uv tool install git+https://github.com/awslabs/cli-agent-orchestrator.git@v2.1.0 --upgrade

No breaking changes to existing CLI invocations. New features are additive; the HTTP refactor of cao shutdown / cao launch preserves the old argument shapes.

Full Changelog: v2.0.0...v2.1.0

v2.0.2

Choose a tag to compare

@haofeif haofeif released this 12 Apr 08:44
a9fdfdf

What's Changed

  • feat(security): Support agent-profile environment variable injection and loading by @patricka3125 in #156
  • feat: add cao-provider skill for new CLI agent providers by @haofeif in #154
  • Fix/providers endpoint missing entries by @haofeif in #158
  • build(deps-dev): bump vite from 6.4.1 to 6.4.2 in /web by @dependabot[bot] in #160
  • fix: improve Web UI terminal scroll and paste reliability by @gosmonso96 in #162
  • build(deps): bump cryptography from 46.0.6 to 46.0.7 by @dependabot[bot] in #165
  • feat(kiro_cli): add full TUI mode support with --legacy-ui fallback (#159) by @haofeif in #163

New Contributors

Full Changelog: v2.0.1...v2.0.2

v2.0.1

Choose a tag to compare

@haofeif haofeif released this 03 Apr 15:36
ae179a1

What's Changed

  • build(deps): bump cryptography from 46.0.5 to 46.0.6 by @dependabot[bot] in #135
  • build(deps): bump pygments from 2.19.2 to 2.20.0 by @dependabot[bot] in #136
  • feat(security): add allowedTools — universal tool restriction across … by @haofeif in #125
  • fix(kiro_cli): add --legacy-ui flag for new Kiro CLI TUI compatibility by @haofeif in #138
  • build(deps): bump fastmcp from 2.14.5 to 3.2.0 by @dependabot[bot] in #139
  • fix(kiro_cli): add new TUI fallback patterns + fix #137 exception handling by @haofeif in #140
  • fix: replace WAITING_USER_ANSWER regex to prevent stale scrollback false positives by @patricka3125 in #142
  • fix(security): honor child allowedTools=["*"] instead of inheriting p… by @haofeif in #144
  • fix(launch): clarify prompt, add --auto-approve, document TOOL_MAPPING by @haofeif in #146

Full Changelog: v2.0.0...v2.0.1

v2.0.0

Choose a tag to compare

@haofeif haofeif released this 26 Mar 14:08
c6447a3

v2.0.0 — 2026-03-28

Highlights

CAO 2.0 adds 3 new providers (Gemini CLI, Kimi CLI, Copilot CLI), a Web UI dashboard, cross-provider orchestration, and significant security hardening — bringing the total supported providers to 7.

Added

  • Gemini CLI provider — Full integration with Google's Gemini CLI, including status detection, message extraction, and E2E tests by @haofeif in #102
  • Kimi CLI provider — Support for Moonshot's Kimi CLI with agent profiles and MCP server integration by @haofeif in #113
  • Copilot CLI provider — Native GitHub Copilot CLI provider by @aziz0220 in #82
  • Web UI dashboard — React-based web interface for managing sessions, spawning agents, viewing live terminal status, configuring agent directories, and interacting with agents from the browser by @abdullahoff in #108
  • Provider override in agent profiles — Agent profiles can now specify a provider field to override the default provider, enabling cross-provider workflows by @patricka3125 in #101
  • Auto-inject sender terminal ID — New CAO_ENABLE_SENDER_ID_INJECTION env var automatically appends sender terminal ID and callback instructions to assign and send_message messages by @patricka3125 in #98
  • Cross-provider example profiles and documentation by @haofeif in #109
  • v2.0.0 changelog, Web UI docs (web/README.md, docs/settings.md), cross-provider examples, Claude Code auth fix by @haofeif in #132

Fixed

  • Claude Code bypass permissions prompt — Auto-set skipDangerousModePermissionPrompt and handle bypass prompt on startup by @haofeif in #120
  • Terminal init status — Accept both IDLE and COMPLETED during terminal initialization for providers with initial prompts by @fanhongy in #111
  • 400 Bad Request on non-home directories — Fix launching agents in directories outside ~/ (e.g., /Volumes/workplace on macOS) by @haofeif in #110
  • Gemini CLI extraction retry — Add extraction retry for TUI-based providers where premature COMPLETED status can occur by @haofeif in #117
  • Path traversal in agent profile loading — Validate agent names to reject /, \, and .. before path construction by @haofeif in #129
  • Claude Code Processing spinner — Fix regex to catch newer spinner format (#92)
  • Codex TUI footer detection — Update detection for Codex v0.111.0 (#99)
  • Q CLI unit tests — Fix failing tests due to working directory validation changes (#94)

Security

New Contributors

Full Changelog: v1.1.1...v2.0.0

v1.1.1

Choose a tag to compare

@haofeif haofeif released this 09 Mar 04:15
0e833a7

What's Changed

  • fix: Fix regex to catch Claude Code Processing spinner by @patricka3125 in #92
  • build(deps): bump authlib from 1.6.6 to 1.6.7 by @dependabot[bot] in #97
  • fix: Update failing Q CLI unit tests due to working directory validation by @patricka3125 in #94
  • fix: Update Codex TUI footer detection for v0.111.0 by @haofeif in #99

New Contributors

Full Changelog: v1.1.0...v1.1.1

v1.1.0

Choose a tag to compare

@haofeif haofeif released this 27 Feb 06:30
2b1128d

Highlights

  • Codex CLI provider rewrite with full TUI-aware status detection and response extraction
  • Claude Code --dangerously-skip-permissions and workspace trust prompt handling
  • 511 unit tests / 84% coverage (up from ~180 / ~60%)
  • Security: path traversal fix, shell injection fixes, CVE-2026-26007 patch

Added

  • cao launch --yolo — skip workspace trust prompts
  • cao info — display DB path, active sessions, terminal count
  • cao mcp-server — start MCP server directly from CLI
  • Codex provider: agent profile injection, MCP server support, --no-alt-screen, trust prompt handling
  • Claude Code: --dangerously-skip-permissions, CAO_TERMINAL_ID forwarding to MCP servers
  • Immediate inbox delivery on POST (no more waiting for watchdog)
  • Bracketed paste (paste-buffer -p) for all providers — bypasses TUI hotkey interception
  • E2E test suite: 15 tests across handoff, assign, send_message for codex/claude_code/kiro_cli
  • CI pipelines: main CI + provider-specific workflows (Python 3.10/3.11/3.12, black/isort/mypy, Trivy)

Fixed

  • Permission prompt detection: line-based counting for active vs stale [y/n/t]: prompts (#71)
  • Inbox delivery for TUI providers: tail lines 5 → 100
  • Claude Code bracketed paste 0.3s delay (TUI swallowing Enter)
  • Shell injection: shlex.join() in kiro_cli and q_cli providers
  • Codex: idle prompt, trust prompt, TUI footer/spinner, extraction, tool_timeout_sec float
  • Claude Code: PROCESSING_PATTERN for 2.x spinner, IDLE_PROMPT_PATTERN for ❯

Security

  • Path traversal prevention via os.path.normpath + home directory containment (CodeQL py/path-injection)
  • cryptography 46.0.1 → 46.0.5 (CVE-2026-26007)

Dependencies

  • fastmcp 2.12.2 → 2.14.0, mcp>=1.23.0, libtmux>=0.51.0
  • Default provider: q_cli → kiro_cli

What's Changed

  • build(deps): bump cryptography from 46.0.1 to 46.0.5 by @dependabot in #72
  • fix: detect active permission prompts using line-based counting by @sriharshaarangi in #71
  • fix(claude-code): add --dangerously-skip-permissions, --yolo flag, and dependency upgrades by @haofeif in #76
  • feat(codex): rewrite Codex provider, framework improvements, security fix, and docs by @haofeif in #77
  • test: add comprehensive unit tests, E2E tests, and CI workflows by @haofeif in #81
  • feat: add CLI commands, shell safety fixes, agent profiles, and docs by @haofeif in #83

Full Changelog: v1.0.3...v1.1.0

v1.0.3

Choose a tag to compare

@haofeif haofeif released this 09 Feb 07:56
a70a43f

What's Changed

  • fix: Synchronize status detection with response completion by @anilkmr-a2z in #62
  • fix: update IDLE_PROMPT_PATTERN_LOG to match actual kiro-cli ANSI output by @sriharshaarangi in #65
  • fix: prevent permission prompt pattern from matching stale prompts by @sriharshaarangi in #69
  • perf(tmux): replace chunked send_keys with paste-buffer for instant delivery by @sriharshaarangi in #67

New Contributors

Full Changelog: v1.0.2...v1.0.3