2026-06-15 · v2.18.0 release · 5 min read

v2.18 — Your war room, now in any browser, tethered to your laptop

The thing that bugged me about ATO for the last six months: you had to be at your desktop to see what your team was doing. War-rooms, shared sessions, mission boards — all rendered beautifully in the desktop app, all invisible from anywhere else.

v2.18 fixes that. It also fixes the other thing — war-rooms that just sit there, idle, never closing, never showing up in the Sessions feed because someone forgot to type ato war-rooms close <id>. And it brings Claude Code’s Agent (Task) tool into the same receipt ledger as everything else, because subagent dispatches were the last black box.

Three clusters, one release. Let’s walk through them.

1. Read-only Team Workspaces on the web

Sign in at agentictool.ai with your cloud account. You see every shared session, war-room, chat, loop, and mission your team has published — rendered with the same fidelity as the desktop app. Session turns with role chips. War-room seats with verdict badges. Chat messages with per-message initiator attribution. Mission cards with the dispatch metadata you’d see in a kanban.

It’s read-only on purpose. The desktop is still where you author. The web is where you observe — from a meeting, from your phone in line at the coffee shop, from the conference room TV while the team walks through a multi-LLM review.

Pagination + load-more on event streams so a 2-week-old session doesn’t blow up the page. Connection-state indicator pill in the top right (green / amber / red) so you know when the live event stream is healthy. Mobile-responsive with a hamburger nav that actually works with a screen reader.

2. Browser ↔ Desktop tether

This is the part I’m most proud of. If your team shares an end-to-end-encrypted session, the cloud relay forwarding the events doesn’t have the team key — it lives in your desktop’s OS keychain. So how does the browser decrypt? It asks your desktop.

v2.18 ships a per-browser tether channel: X25519 ephemeral DH for key agreement, HKDF-SHA256 to derive the session key, XChaCha20-Poly1305 AEAD for every frame, with the nonce bound to direction + sequence to make replay impossible. The cloud relay forwards opaque ciphertext only. It cannot read what your browser asks your desktop to decrypt.

Pairing has a 12-character fingerprint — browser_pubkey_fp — displayed in both the browser tether card and the desktop approval modal. You compare them with your eyes before clicking Approve. It’s the same trick Signal uses for safety numbers. If someone in your office sits down at your laptop while you’re away from your desk, they don’t get to silently approve a browser pairing because the fingerprint they see in their browser won’t match the one on your desktop. (Defense-in-depth: even if the cloud were compromised and lied about the fingerprint, the desktop still cross-checks the local tether_approvals table before promoting an “Allow always”.)

3. Create teams + invite teammates from the web

You used to need the desktop to create a team. Now you don’t. The web has + New team, invite-by-email with role picker, per-member role change, remove, and a danger-zone delete with name-typing confirmation. A new Account sidebar panel shows your profile, plan tier, joined date, and a sign-out button that clears local state even if the API call fails.

What stays on the desktop: your LLM provider API keys (they live in the OS keychain — we’re not putting them in localStorage), your runtime detection (we have to actually look at your filesystem to find your Claude CLI binary), your skills + MCP installs (filesystem ops), and your end-to-end team-key material (same keychain story). The web shows you a clear note about what’s where.

4. `ato war-rooms sweep` — war-rooms that close themselves

The #1 UX trap of multi-LLM review was the manual close step. You’d fire ato dispatch claude + ato dispatch codex + ato dispatch google with a shared --war-room-id, get three independent reviews back, and then… you’d forget to run ato war-rooms close <id>. The war-room would sit there with three replies and no summary. The Sessions feed wouldn’t show it. You’d open the app a week later and wonder where your reviews went.

v2.18 ships ato war-rooms sweep. Wire it to launchd or cron:

*/5 * * * *  /opt/homebrew/bin/ato war-rooms sweep --idle-minutes 15 --max-per-run 5

Every 5 minutes, it scans execution_logs for war-rooms idle > 15 minutes, excludes already-closed ones, and runs the same coordinator-summary close orchestrator that ato war-rooms close <id> uses — capped to 5 closes per tick so a backlog doesn’t blow your bill. Default coordinator is Google (free quota, cheap summarization). Single-JSON envelope output for downstream tooling. Clap-layer validators on every flag.

One-shot R1 fan-outs self-close once the seats land. The Sessions feed populates without you thinking about it.

5. `ato subagent log` — receipts for Claude Code’s Task tool

When Claude Code uses the Task tool to spin up a subagent, that subagent runs in a fresh context window with its own prompt, its own model, its own cost, its own tool calls. From the parent session, you see one line: “Task tool invocation succeeded.” You don’t see what the subagent did. You don’t see what it cost. You don’t see what files it touched.

v2.18 adds ato subagent log create. Bracket every Agent tool call:

ato subagent log create \
  --prompt "review this diff for correctness" \
  --agent-slug pr-reviewer \
  --war-room-id $WR_ID \
  --auth-mode subscription \
  --billing-surface claude_code_subscription

The subagent dispatch now appears in execution_logs alongside everything else, with the same canonical auth_mode + billing_surface vocab so PRO analytics can group across CLI / desktop / browser / subagent uniformly. The git commit SHA at dispatch time is captured per receipt via a bounded 2-second timeout so we never block on a slow git rev-parse. UTF-8 truncation is safe on multi-byte prompts (the same bug also lived in dispatch.rs; we ported the fix).

Multi-agent fan-outs can share a --war-room-id and get summarized by ato war-rooms close <id> or auto-closed by the sweep above.

The smaller things

Sign-in screen redesigned. Minimal centered card. Marketing copy stays on agentictool.ai; the dashboard entry point is one focused viewport with logo + tagline + sign-in card + 3 outbound footer links. No more hero + features + sign-in stack.
Onboarding rewritten as 3-step setup. Install SDK, save key as .env, wrap the client. Each step explains why. The “I’ve copied my key” button is disabled until you actually copy. Non-technical users have a path now.
Cost Dashboard date picker no longer renders OS-default white chrome against the dark theme.
Deprecated Google models auto-filtered from the chat picker. gemini-2.0-flash-001 404s are gone.

What’s next

The v2.18 architecture doc — docs/v2.18-active-workstation.md — sketches the next wave: browser-driven dispatch over the tether channel. Today the tether carries a single frame kind (decrypt_events); next wave adds dispatch_request / dispatch_chunk / dispatch_complete so the browser becomes a real cockpit instead of just an observation deck. The desktop still runs the LLM call — same keys, same receipts — the browser just orchestrates.

Also queued: in-chat model picker for CLI runtimes (claude / codex / gemini CLI), full Loop Composer node-kind coverage (diagnose / apply / review / war_room / score / input / output), and PRO-tier UI gating so free users don’t hit dead-end 403s when they click the new team-management buttons.

Get it

Download v2.18.0 → · Full changelog

If you’re already on a prior version, the desktop app will detect the new release and walk you through the update on next launch. The first time you open v2.18, a “What’s new” modal pops up summarizing the changes — click through it once, never again. Brand-new installs see the Onboarding flow instead.

As always: MIT licensed, local-first, every byte stays on your machine unless you opt into Pro sync.

— Beatriz Nigri