v2.0.0
v2.0.0 — 2026-03-28
Highlights
CAO 2.0 adds 3 new providers (Gemini CLI, Kimi CLI, Copilot CLI), a Web UI dashboard, cross-provider orchestration, and significant security hardening — bringing the total supported providers to 7.
Added
- Gemini CLI provider — Full integration with Google's Gemini CLI, including status detection, message extraction, and E2E tests by @haofeif in #102
- Kimi CLI provider — Support for Moonshot's Kimi CLI with agent profiles and MCP server integration by @haofeif in #113
- Copilot CLI provider — Native GitHub Copilot CLI provider by @aziz0220 in #82
- Web UI dashboard — React-based web interface for managing sessions, spawning agents, viewing live terminal status, configuring agent directories, and interacting with agents from the browser by @abdullahoff in #108
- Provider override in agent profiles — Agent profiles can now specify a
providerfield to override the default provider, enabling cross-provider workflows by @patricka3125 in #101 - Auto-inject sender terminal ID — New
CAO_ENABLE_SENDER_ID_INJECTIONenv var automatically appends sender terminal ID and callback instructions toassignandsend_messagemessages by @patricka3125 in #98 - Cross-provider example profiles and documentation by @haofeif in #109
- v2.0.0 changelog, Web UI docs (
web/README.md,docs/settings.md), cross-provider examples, Claude Code auth fix by @haofeif in #132
Fixed
- Claude Code bypass permissions prompt — Auto-set
skipDangerousModePermissionPromptand handle bypass prompt on startup by @haofeif in #120 - Terminal init status — Accept both IDLE and COMPLETED during terminal initialization for providers with initial prompts by @fanhongy in #111
- 400 Bad Request on non-home directories — Fix launching agents in directories outside
~/(e.g.,/Volumes/workplaceon macOS) by @haofeif in #110 - Gemini CLI extraction retry — Add extraction retry for TUI-based providers where premature COMPLETED status can occur by @haofeif in #117
- Path traversal in agent profile loading — Validate agent names to reject
/,\, and..before path construction by @haofeif in #129 - Claude Code Processing spinner — Fix regex to catch newer spinner format (#92)
- Codex TUI footer detection — Update detection for Codex v0.111.0 (#99)
- Q CLI unit tests — Fix failing tests due to working directory validation changes (#94)
Security
- Add DNS rebinding protection via Host header validation by @fanhongy in #124
- Add CodeQL SafeAccessCheck guard for path injection in API by @haofeif in #121
- Pin trivy-action to SHA instead of mutable
masterref in CI by @haofeif in #126 - Bump vite 5→6.4.1 and vitest 2→3.2.4 to fix esbuild vulnerability by @haofeif in #129
- Bump requests 2.32.5→2.33.0 for CVE-2026-25645 by @dependabot in #130
- Bump authlib 1.6.7→1.6.9 by @dependabot in #122
- Bump pyjwt 2.11.0→2.12.0 by @dependabot in #118
- Bump black 25.9.0→26.3.1 by @dependabot in #114
New Contributors
- @fanhongy made their first contribution in #111
- @aziz0220 made their first contribution in #82
- @abdullahoff made their first contribution in #108
Full Changelog: v1.1.1...v2.0.0