v2.1.0

v2.1.0 — 2026-04-22

Highlights

CAO 2.1 adds a cao session CLI for driving running sessions from the shell, an external-plugin extension point (pip-installable observer/hook plugins), a first-class skills system with managed skills auto-seeded at cao init, Kiro CLI full-TUI support, agent-profile env-var injection, a universal allowedTools vocabulary translated per-provider, and the Web UI now ships inside the Python wheel. Plus a stack of TUI-detection and session-lifecycle fixes across Claude Code, Kiro CLI, and terminal-service.

Added

• cao session command group — New cao session list | status | send lets you inspect and drive running sessions from the shell without attaching to tmux. cao shutdown and cao launch now go through the HTTP API so a local CLI can drive a remote cao-server. cao launch also gains --working-directory and an optional trailing message argument for one-shot headless task execution. A new cao-session-management skill documents the command group for LLM-driven operators by @anilkmr-a2z in #187
• External plugins — Observer/hook plugins can now be installed via pip and auto-discovered through the cao.plugins entry point group. Plugins subclass CaoPlugin and register handlers with the @hook decorator. Ships with lifecycle tests and a documented install flow at docs/plugins.md by @patricka3125 in #172
• Skills system — Native support for reusable agent skills installed to ~/.cao/skills/ via cao skill add. New cao-provider skill guides contributors through adding new CLI agent providers end-to-end; cao-supervisor-protocols and cao-worker-protocols seeded via cao init. Managed-skills section added to the README by @patricka3125 and @haofeif in #145, #154, #170
• Kiro CLI full TUI mode + --legacy-ui fallback — Support for Kiro CLI's new full-screen TUI alongside the legacy prompt; --legacy-ui flag preserved for compatibility by @haofeif in #138, #163
• Agent-profile environment variable injection — Agent profiles can declare env entries loaded into the agent process at launch, with secret-aware handling via ~/.cao/.env by @patricka3125 in #156
• Universal allowedTools vocabulary — Unified CAO tool-restriction vocabulary translated per-provider, replacing provider-specific allow/deny flags. Child agents now honor explicit allowedTools=["*"] instead of silently inheriting parent restrictions by @haofeif in #125, #144
• Web UI bundled in the wheel — Built Web UI assets now ship inside the Python wheel, so a plain uv tool install gives you the dashboard with no extra build steps by @patricka3125 in #169
• Clearer launch confirmation + --auto-approve — Redesigned the cao launch confirmation prompt to show Role instead of Blocked, clearly distinguish [Y] / [--auto-approve] / [--yolo], and added --auto-approve to skip the prompt without removing restrictions by @haofeif in #146

Fixed

• Cleanup guard on terminal creation — _create_terminal no longer kills sessions it didn't create during rollback; the cleanup path now tracks whether this call actually created the tmux session by @gutosantos82 in #191
• Graceful handling of missing agent profiles — terminal_service returns a clear error instead of tracebacking when an agent profile can't be found in the CAO store by @anilkmr-a2z in #186
• Profile-level model honored at terminal creation — Providers now pass profile.model through to the CLI at launch, so per-agent model selection works end-to-end by @patricka3125 in #189
• Claude Code: false-positive IDLE on pre-existing shell prompt — Initialize-time status check could return IDLE against the pre-existing zsh/bash ❯ prompt before Claude Code actually started. Added pre-launch pane snapshot + Claude-specific startup markers to confirm the CLI is actually running before accepting IDLE by @gutosantos82 in #190
• Claude Code: structural PROCESSING detection — get_status() now uses structural detection for PROCESSING instead of relying on ❯ position, eliminating a race where the spinner and prompt interleaved mid-capture by @gutosantos82 in #177
• Claude Code: stale processing spinners no longer block inbox delivery — by @haofeif in #106
• Kiro CLI: 2.0 credits-before-separator layout — Status detection updated for the new Kiro TUI layout where the credits line appears before the separator by @anilkmr-a2z in #188
• Kiro CLI: position-aware "Kiro is working" check — Stale scrollback could leave "Kiro is working" in the capture after completion and block handoffs with a false PROCESSING; detection is now position-aware to the latest interaction by @wahidzzz in #185
• Kiro CLI: new-TUI fallback patterns + FileNotFoundError handling — Added fallback detection patterns for the new Kiro CLI TUI prompt format (ask a question, or describe a task). Fixed load_agent_profile() wrapping FileNotFoundError as RuntimeError, which caused assign() to fail for JSON-only agent profiles by @haofeif in #140 (resolves #137)
• Web UI: missing providers in dropdown — Added gemini_cli, kimi_cli, and copilot_cli to the /agents/providers endpoint and frontend fallback list so all 7 providers appear by @haofeif in #158 (resolves #157)
• Web UI: terminal scroll and paste reliability — Fixes for scrollback drift and multi-line paste handling in the browser terminal by @gosmonso96 in #162
• WAITING_USER_ANSWER false positives from stale scrollback — Regex hardened so historical confirm? [y/n] lines in scrollback don't get re-detected as active prompts by @patricka3125 in #142
• Gemini skill-catalog test assertion — Test reads GEMINI.md rather than a hardcoded fixture so the catalog assertion tracks the live skill set by @haofeif in #180

Security

• Bump authlib 1.6.9 → 1.6.11 by @dependabot in #178
• Bump cryptography 46.0.5 → 46.0.7 by @dependabot in #135, #165
• Bump fastmcp 2.14.5 → 3.2.0 by @dependabot in #139
• Bump pygments 2.19.2 → 2.20.0 by @dependabot in #136
• Bump python-dotenv 1.1.1 → 1.2.2 by @dependabot in #194
• Bump python-multipart 0.0.22 → 0.0.26 by @dependabot in #175
• Bump pytest (dev) 8.4.2 → 9.0.3 by @dependabot in #173
• Bump vite 6.4.1 → 6.4.2 by @dependabot in #160

New Contributors

• @gosmonso96 made their first contribution in #162
• @wahidzzz made their first contribution in #185

Upgrade

uv tool install git+https://github.com/awslabs/cli-agent-orchestrator.git@v2.1.0 --upgrade

No breaking changes to existing CLI invocations. New features are additive; the HTTP refactor of cao shutdown / cao launch preserves the old argument shapes.

Full Changelog: v2.0.0...v2.1.0

v2.0.2

What's Changed

• feat(security): Support agent-profile environment variable injection and loading by @patricka3125 in #156
• feat: add cao-provider skill for new CLI agent providers by @haofeif in #154
• Fix/providers endpoint missing entries by @haofeif in #158
• build(deps-dev): bump vite from 6.4.1 to 6.4.2 in /web by @dependabot[bot] in #160
• fix: improve Web UI terminal scroll and paste reliability by @gosmonso96 in #162
• build(deps): bump cryptography from 46.0.6 to 46.0.7 by @dependabot[bot] in #165
• feat(kiro_cli): add full TUI mode support with --legacy-ui fallback (#159) by @haofeif in #163

New Contributors

• @gosmonso96 made their first contribution in #162

Full Changelog: v2.0.1...v2.0.2

v2.0.1

What's Changed

• build(deps): bump cryptography from 46.0.5 to 46.0.6 by @dependabot[bot] in #135
• build(deps): bump pygments from 2.19.2 to 2.20.0 by @dependabot[bot] in #136
• feat(security): add allowedTools — universal tool restriction across … by @haofeif in #125
• fix(kiro_cli): add --legacy-ui flag for new Kiro CLI TUI compatibility by @haofeif in #138
• build(deps): bump fastmcp from 2.14.5 to 3.2.0 by @dependabot[bot] in #139
• fix(kiro_cli): add new TUI fallback patterns + fix #137 exception handling by @haofeif in #140
• fix: replace WAITING_USER_ANSWER regex to prevent stale scrollback false positives by @patricka3125 in #142
• fix(security): honor child allowedTools=["*"] instead of inheriting p… by @haofeif in #144
• fix(launch): clarify prompt, add --auto-approve, document TOOL_MAPPING by @haofeif in #146

Full Changelog: v2.0.0...v2.0.1

v2.0.0

v2.0.0 — 2026-03-28

Highlights

CAO 2.0 adds 3 new providers (Gemini CLI, Kimi CLI, Copilot CLI), a Web UI dashboard, cross-provider orchestration, and significant security hardening — bringing the total supported providers to 7.

Added

• Gemini CLI provider — Full integration with Google's Gemini CLI, including status detection, message extraction, and E2E tests by @haofeif in #102
• Kimi CLI provider — Support for Moonshot's Kimi CLI with agent profiles and MCP server integration by @haofeif in #113
• Copilot CLI provider — Native GitHub Copilot CLI provider by @aziz0220 in #82
• Web UI dashboard — React-based web interface for managing sessions, spawning agents, viewing live terminal status, configuring agent directories, and interacting with agents from the browser by @abdullahoff in #108
• Provider override in agent profiles — Agent profiles can now specify a provider field to override the default provider, enabling cross-provider workflows by @patricka3125 in #101
• Auto-inject sender terminal ID — New CAO_ENABLE_SENDER_ID_INJECTION env var automatically appends sender terminal ID and callback instructions to assign and send_message messages by @patricka3125 in #98
• Cross-provider example profiles and documentation by @haofeif in #109
• v2.0.0 changelog, Web UI docs (web/README.md, docs/settings.md), cross-provider examples, Claude Code auth fix by @haofeif in #132

Fixed

• Claude Code bypass permissions prompt — Auto-set skipDangerousModePermissionPrompt and handle bypass prompt on startup by @haofeif in #120
• Terminal init status — Accept both IDLE and COMPLETED during terminal initialization for providers with initial prompts by @fanhongy in #111
• 400 Bad Request on non-home directories — Fix launching agents in directories outside ~/ (e.g., /Volumes/workplace on macOS) by @haofeif in #110
• Gemini CLI extraction retry — Add extraction retry for TUI-based providers where premature COMPLETED status can occur by @haofeif in #117
• Path traversal in agent profile loading — Validate agent names to reject /, \, and .. before path construction by @haofeif in #129
• Claude Code Processing spinner — Fix regex to catch newer spinner format (#92)
• Codex TUI footer detection — Update detection for Codex v0.111.0 (#99)
• Q CLI unit tests — Fix failing tests due to working directory validation changes (#94)

Security

• Add DNS rebinding protection via Host header validation by @fanhongy in #124
• Add CodeQL SafeAccessCheck guard for path injection in API by @haofeif in #121
• Pin trivy-action to SHA instead of mutable master ref in CI by @haofeif in #126
• Bump vite 5→6.4.1 and vitest 2→3.2.4 to fix esbuild vulnerability by @haofeif in #129
• Bump requests 2.32.5→2.33.0 for CVE-2026-25645 by @dependabot in #130
• Bump authlib 1.6.7→1.6.9 by @dependabot in #122
• Bump pyjwt 2.11.0→2.12.0 by @dependabot in #118
• Bump black 25.9.0→26.3.1 by @dependabot in #114

New Contributors

• @fanhongy made their first contribution in #111
• @aziz0220 made their first contribution in #82
• @abdullahoff made their first contribution in #108

Full Changelog: v1.1.1...v2.0.0

v1.1.1

What's Changed

• fix: Fix regex to catch Claude Code Processing spinner by @patricka3125 in #92
• build(deps): bump authlib from 1.6.6 to 1.6.7 by @dependabot[bot] in #97
• fix: Update failing Q CLI unit tests due to working directory validation by @patricka3125 in #94
• fix: Update Codex TUI footer detection for v0.111.0 by @haofeif in #99

New Contributors

• @patricka3125 made their first contribution in #92

Full Changelog: v1.1.0...v1.1.1

v1.1.0

Highlights

• Codex CLI provider rewrite with full TUI-aware status detection and response extraction
• Claude Code --dangerously-skip-permissions and workspace trust prompt handling
• 511 unit tests / 84% coverage (up from ~180 / ~60%)
• Security: path traversal fix, shell injection fixes, CVE-2026-26007 patch

Added

• cao launch --yolo — skip workspace trust prompts
• cao info — display DB path, active sessions, terminal count
• cao mcp-server — start MCP server directly from CLI
• Codex provider: agent profile injection, MCP server support, --no-alt-screen, trust prompt handling
• Claude Code: --dangerously-skip-permissions, CAO_TERMINAL_ID forwarding to MCP servers
• Immediate inbox delivery on POST (no more waiting for watchdog)
• Bracketed paste (paste-buffer -p) for all providers — bypasses TUI hotkey interception
• E2E test suite: 15 tests across handoff, assign, send_message for codex/claude_code/kiro_cli
• CI pipelines: main CI + provider-specific workflows (Python 3.10/3.11/3.12, black/isort/mypy, Trivy)

Fixed

• Permission prompt detection: line-based counting for active vs stale [y/n/t]: prompts (#71)
• Inbox delivery for TUI providers: tail lines 5 → 100
• Claude Code bracketed paste 0.3s delay (TUI swallowing Enter)
• Shell injection: shlex.join() in kiro_cli and q_cli providers
• Codex: idle prompt, trust prompt, TUI footer/spinner, extraction, tool_timeout_sec float
• Claude Code: PROCESSING_PATTERN for 2.x spinner, IDLE_PROMPT_PATTERN for ❯

Security

• Path traversal prevention via os.path.normpath + home directory containment (CodeQL py/path-injection)
• cryptography 46.0.1 → 46.0.5 (CVE-2026-26007)

Dependencies

• fastmcp 2.12.2 → 2.14.0, mcp>=1.23.0, libtmux>=0.51.0
• Default provider: q_cli → kiro_cli

What's Changed

• build(deps): bump cryptography from 46.0.1 to 46.0.5 by @dependabot in #72
• fix: detect active permission prompts using line-based counting by @sriharshaarangi in #71
• fix(claude-code): add --dangerously-skip-permissions, --yolo flag, and dependency upgrades by @haofeif in #76
• feat(codex): rewrite Codex provider, framework improvements, security fix, and docs by @haofeif in #77
• test: add comprehensive unit tests, E2E tests, and CI workflows by @haofeif in #81
• feat: add CLI commands, shell safety fixes, agent profiles, and docs by @haofeif in #83

Full Changelog: v1.0.3...v1.1.0

v1.0.3

What's Changed

• fix: Synchronize status detection with response completion by @anilkmr-a2z in #62
• fix: update IDLE_PROMPT_PATTERN_LOG to match actual kiro-cli ANSI output by @sriharshaarangi in #65
• fix: prevent permission prompt pattern from matching stale prompts by @sriharshaarangi in #69
• perf(tmux): replace chunked send_keys with paste-buffer for instant delivery by @sriharshaarangi in #67

New Contributors

• @sriharshaarangi made their first contribution in #65

Full Changelog: v1.0.2...v1.0.3

v1.0.2

What's Changed

• feat(working-dir): add dynamic working directory inheritance for spawned agents by @anilkmr-a2z in #47
• fix: Handle CLI prompts with trailing text by @anilkmr-a2z in #61

Full Changelog: v1.0.1...v1.0.2

v1.0.1

What's Changed

• build(deps): bump authlib from 1.6.4 to 1.6.6 by @dependabot[bot] in #51
• build(deps): bump urllib3 from 2.5.0 to 2.6.3 by @dependabot[bot] in #52
• Remove unused constants and enum values by @kimnamu in #45
• build(deps): bump starlette from 0.48.0 to 0.49.1 by @dependabot[bot] in #53
• build(deps): bump werkzeug from 3.1.1 to 3.1.5 by @dependabot[bot] in #55
• build(deps): bump python-multipart from 0.0.20 to 0.0.22 by @dependabot[bot] in #58
• Fix: Escape newlines in Claude Code multiline system prompts by @SraavanChevireddy in #59
• fix: release workflow version parsing by @haofeif in #60

New Contributors

• @dependabot[bot] made their first contribution in #51
• @kimnamu made their first contribution in #45
• @SraavanChevireddy made their first contribution in #59

Full Changelog: v1.0.0...v1.0.1

v1.0.0

What's Changed

• Initial Launch by @tuanknguyen in #1
• Inbox Service by @tuanknguyen in #2
• Feature: async delegate by @tuanknguyen in #3
• fix(q-cli): Handle percentage in agent prompt pattern by @anillohchab in #4
• tmux install script by @tuanknguyen in #5
• update README: orchestration modes by @tuanknguyen in #6
• Update README.md to fix the installation of tmux by @haofeif in #7
• Update issue templates by @tuanknguyen in #8
• Document update with Mermaid process diagram by @haofeif in #9
• refactor: rename 'delegate' to 'assign' throughout codebase by @gokulanv in #10
• Adding examples for assign (async parallel) by @haofeif in #11
• add badge to deepwiki for weekly auto-refresh by @tuanknguyen in #13
• refactor: update idle prompt pattern for Q CLI to use consistent colo… by @gutosantos82 in #15
• Add comprehensive test suite for Q CLI provider by @gutosantos82 in #16
• Add code formatting and type checking with Black, isort, and mypy by @gutosantos82 in #20
• Fix: Make Q CLI Prompt Pattern Matching ANSI color-agnostic by @nitin-k in #18
• Fix GitHub Actions security alerts by adding explicit workflow permissions by @gutosantos82 in #23
• Kiro CLI provider by @tuanknguyen in #25
• Add GET endpoint for inbox messages with status filtering by @yubing744 in #30
• Adding git to the install dependencies message by @evertonfraga in #28
• fix: resolve code formatting issues in upstream main by @yubing744 in #40
• libtmux: Bump to v0.51.0, update method name by @tony in #31
• providers: accept optional U+03BB (λ) after % in kiro and q CLIs by @jwalaQ in #44
• feat: add Codex CLI provider by @yubing744 in #39
• feat: add changelog and automated release workflow by @haofeif in #50

New Contributors

• @tuanknguyen made their first contribution in #1
• @anillohchab made their first contribution in #4
• @haofeif made their first contribution in #7
• @gokulanv made their first contribution in #10
• @gutosantos82 made their first contribution in #15
• @nitin-k made their first contribution in #18
• @yubing744 made their first contribution in #30
• @evertonfraga made their first contribution in #28
• @tony made their first contribution in #31
• @jwalaQ made their first contribution in #44

Full Changelog: https://github.com/awslabs/cli-agent-orchestrator/commits/v1.0.0