Changelog
Product release notes and development timeline.
Restrictive policy for destructive commands
The built-in Restrictive policy now blocks around one hundred destructive command patterns out of the box, so the worst classes of agent mistakes get caught before they run.
Restrictive policy
- About one hundred deny patterns covering filesystem wipes (rm -rf /, rd /s /q, wipefs), git history rewrites (reset --hard, push --force), database drops (DROP DATABASE, prisma db push --force-reset, FLUSHALL), cloud teardowns (aws s3 rm --recursive, terraform destroy, gcloud projects delete), secrets exfiltration, remote-execution pipes (curl ... | sh, encoded PowerShell), and accidental package publishes
- Permissive allowlist also expanded so common safe commands (git status, npm list, docker ps, kubectl get, version probes) keep moving without prompting
- Patterns apply to Bash, shell aliases, and structured MCP tool input alike
- Tightened the `find -delete` deny pattern and added two new standalone `--delete` flag patterns so destructive forms — including stacked (`rsync -av --delete src/ dest/`) and trailing (`aws s3 sync s3://bucket/ ./ --delete`) — are still caught, while suffixed flags like `gh pr merge --delete-branch` no longer false-positive
- New `endsWith` pattern type for the policy matcher complements the existing `exact`, `prefix`, and `contains` types; useful any time a destructive flag tends to be the final token of a command
iOS app
- New confirmation toast after resetting policies to defaults so you know the change went through
- Renaming an agent now persists to the server and the list and detail view update immediately
- New "Reset Image" menu item on the agent detail screen to clear a custom avatar back to the default icon
- Confirmation toasts on rename, photo upload, image-from-URL, and avatar reset, with in-sheet error toasts when something fails
- Quieter activity feed during Claude Code's new Monitor tool — background task-notifications appear as `Monitor Update` rows and their brief replies no longer trigger "Agent Stopped" entries, completion pushes, or stop-input prompts between cycles
Web site
- New Use Cases hub describing where Agent Approve helps you ship faster
- New Prevent destructive actions page covering 24 publicly reported AI agent incidents and the deny patterns Agent Approve ships to prevent them
- New Monitor agent activity page covering reported observability failures, OWASP's 2026 Agentic Top 10, and the full event catalog of what Agent Approve captures across every supported agent
Pi agent support
Pi joins Agent Approve. Approve tool calls from iPhone or Apple Watch, apply the same centralized policy you use across your other agents, and send follow-up instructions when a turn completes.
@agentapprove/pi
- Mobile approval flow for Pi shell, file, search, edit, network, and MCP tools
- Shared allow and deny lists across Pi and your other agents
- Voice and text follow-ups from iPhone or Apple Watch
- Pi responses, plans, and tool results in the unified activity history
- Published to npm — install with the standard Agent Approve installer
Agent pages
- Dedicated landing page and setup guide for Pi
- Pi added to the supported agents list with consistent capability badges
GitHub Copilot and OpenAI Codex support
Three new agent integrations in a single week. Agent Approve now works with eight coding agents across CLI, editor, and autonomous workflows.
3 new agents
- GitHub Copilot CLI hook integration
- GitHub Copilot for VS Code hook integration
- OpenAI Codex hook integration
Agent pages
- Dedicated landing page and setup guide for each new agent
- Consistent capability badges and agent display names across the site
Search and MCP tool management
Search across agents, events, and policy lists. Add custom tools by searching against observed MCP servers and tools. Collapsible MCP server sections make large tool sets manageable.
Search and discovery
- Search across agents, events, and commands in policy lists
- Add custom tools by searching and matching against observed MCP servers and tools
- MCP tools organized under their server in collapsible sections
Apple Watch
- Demo mode: experience the full approval flow without a live agent
- Improved event detail and tool labeling on the watch
Policy editor
- Inline allow/deny list editing on iPhone
- Deny-takes-precedence conflict resolution
Independent Apple Watch app
The Apple Watch app now runs independently with its own realtime connection and approval flow. No iPhone required.
Standalone watch app
- Full approval support directly on Apple Watch
- Agent list, event history, and approval actions on the wrist
- Independent connectivity — works without iPhone nearby
Reliability
- Credential sync and key handoff between iPhone and Watch
- Automatic cleanup of expired or duplicate requests
OpenCode plugin
OpenCode joins the supported agent list via a TypeScript plugin. Five agents now supported.
@agentapprove/opencode
- TypeScript plugin for approval and event hooks
- Same approval flow as Claude Code and Cursor
- Published to npm — install with the standard installer
Installer improvements
- Unified install and uninstall across all plugin agents
- Plugin versioning and automated publish flow
OpenClaw plugin and mobile Q&A
OpenClaw is the first plugin-based integration. Also new: relay agent questions to your phone for plan creation and other interactive workflows (beta).
@agentapprove/openclaw
- Native OpenClaw plugin with lifecycle events and privacy parity
- Published to npm with dedicated docs and setup guide
Mobile Q&A (beta)
- Relay agent questions to your phone during plan creation and interactive workflows
- Configurable question input mode in settings
End-to-end encryption
All approval payloads are encrypted end-to-end between the CLI and the iOS app. Keys are bound to individual machines with configurable rotation and retention.
Encryption
- E2E encryption across hooks, server, and iOS
- Per-machine encryption keys for stronger isolation
- Key rotation with forward secrecy
Key management
- Key management UI on iPhone
- Configurable rotation period: off, hourly, daily, weekly, or monthly
- Key retention options: keep all, last 7, last 30, or discard old keys
- Key sync via Mac Keychain
Marketing site launch
The public marketing site goes live with landing page, agent pages, FAQ, and about page.
Website
- Production landing page with agent overview and feature highlights
- Dedicated pages for supported agents, FAQ, and company story
- Dark mode, responsive layout, and social previews
Voice follow-up on agent stop
When your agent stops and waits for input, send follow-up instructions by voice or text directly from your phone. A 5-minute window lets you respond before the agent times out.
Stop input
- Send follow-up commands when an agent stops for user input
- Voice dictation and quick-reply pills for common responses
- 5-minute response window with countdown timer
- Multi-agent banner stacking when several agents wait simultaneously
Completion notifications
- Push notification when an agent finishes a task
- Stop hooks for Claude Code and Cursor
Agent personalization and data control
Rename agents, upload custom images, control how long data is stored, and manage paired devices. Plus formatted markdown and JSON in event details.
Agent naming and custom images
- Rename agents — call "Claude Code" something like "Backend Claude" or "Ralph"
- Upload a custom image for each agent
- Names and images sync across hooks, iOS, and the dashboard
Data retention
- Configurable data retention: 1 day, 1 week, 30 days, 90 days, or 1 year
- Automated daily pruning of old event data
Device management
- Manage paired computers and iOS devices from Settings
- Device limit enforcement with replacement flow
Content formatting
- Markdown rendering for agent responses and tool output
- JSON pretty-printing with syntax highlighting in event details
Policy presets and bulk actions
Choose from multiple default policies, create custom ones, and manage pending approvals in bulk. Batch command parsing catches dangerous commands hidden inside compound expressions.
Custom and default policies
- Create custom policies and choose type: Ask User, Allow List, or Default
- Built-in policies: Restrictive, Permissive, Allow All Except Deny List, Deny All Except Allow List, Deny All, Allow All
Bulk actions
- Bulk Approve All and Deny All for pending approvals
- Remember decisions: add commands to allow or deny lists from the approval card
- Match on exact input, first part, contains, or edit a custom pattern
Batch command parsing
- Compound bash commands separated by &&, ;, or pipes are parsed individually
- Each subcommand is evaluated against the policy separately
- Dangerous commands hidden inside batch expressions are caught before execution
Privacy enforcement
- Privacy levels enforced end-to-end: Minimal, Summary, or Full Content
- Controls what is stored in event logs — approval cards always show full context
Demo mode and onboarding
Try the full approval experience without a live agent or subscription. Redesigned onboarding walks new users through setup step by step.
Demo mode
- Interactive demo with realistic approval requests and agent events
- Multiple agents and MCP tools in the sample data
- Timed approval sequences that simulate real workflows
- Reset demo and add new demo events at any time
Onboarding
- Step-by-step onboarding flow with plan selection
- Cloud connection management screen
- Monthly and annual subscription options with 7-day free trial
Push notifications and gamification
Approval requests arrive as push notifications on iPhone and Apple Watch. A badge system tracks milestones and a profile view shows your approval stats.
Push notifications
- Push notifications for approval requests, agent completion, and stop events
- Badge count for pending approvals on the app icon
- Notification deep linking to the relevant approval card
- Option to be notified when an agent completes a task
Badges and achievements
- Badge system with milestone celebrations (first approval, Quick Draw, Weekend Warrior, etc.)
- Badges awarded in real time with confetti animation
User profile
- Profile view with approval and denial counts
- Activity streaks and login tracking
- Charts showing events over time and agent usage breakdown
Sign in with Apple and QR pairing
Native Sign in with Apple replaces manual token entry. Pair your computer by scanning a QR code from the app. 7-day free trial on monthly subscription.
Authentication
- Native Sign in with Apple
- 7-day free trial on monthly subscription
- Guided post-auth onboarding with plan selection
QR pairing
- QR code scanning for one-step computer pairing
- Computer and device management screens in Settings
Interactive installer
- First npm installer: npx agentapprove
- Interactive setup wizard with agent selection
- Token stored in Mac Keychain
Cloud mode and web dashboard
The app moves from local-only to cloud-connected. Authentication, realtime event sync, and a web dashboard for managing agents and policies.
Cloud connection
- Cloud connection mode with realtime event sync
- Approval responses routed through the cloud
- Observed-agent tracking across sessions
Web dashboard
- Agent overview with event history
- Hierarchical allow/deny lists with tool-level granularity
- Policy management from the browser
Gemini CLI support and agent details
Gemini CLI joins Claude Code and Cursor as the third supported agent. Tap any agent to see its status, supported hooks, and capabilities.
New agent
- Gemini CLI hook integration with session tracking and multi-session support
- Branded agent headers and splash screen with custom icons
Agent detail sheets
- Tap any agent to view status, supported hooks, and capabilities
- Agent activity status with real-time event drill-in
- Redesigned agent detail view with scrollable header
MCP tools and categorized allow/deny lists
See which MCP tools your agents are calling. Categorized allow and deny lists give you granular control over what runs automatically.
MCP visibility
- MCP server discovery, tool mapping, and event metadata
- MCP tool events displayed in the iOS event feed
- Tool and server badges in event list and detail views
Policy and connection
- Categorized allow/deny lists (shell, MCP, file, etc.)
- Auto-reconnect and foreground reconnection on iPhone
Claude Code and Cursor support
Full hook support for both Claude Code and Cursor. The mobile activity feed gains parsed metadata and privacy controls.
2 agents supported
- Claude Code hooks: pre-tool, post-tool, notification, session lifecycle
- Cursor hooks: approval, response, shell, MCP, subagent events
- Agent-specific branding and icons
Activity feed
- Parsed metadata in event detail views
- Privacy levels: Minimal, Summary, or Full Content
- Event history with infinite scroll
First approval loop
The first working proof of concept: Claude Code sends an approval request, it arrives on iPhone and Apple Watch, and the decision flows back to the CLI.
Approvals
- Approve, Deny, or Deny with Feedback sent back to the agent
- Approval requests delivered to iPhone and Apple Watch
- Completion notifications when the agent finishes
Initial iOS app
- Four tabs: Approvals, Agents, Lists, Settings
- Event storage and review screens
- Allow/deny list with basic command matching