<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Open Source &#183; PiniShv</title><link>https://pinishv.com/tags/open-source/</link><description>Pini Shvartsman leads AI transformation inside a 100+ engineer SaaS org. Field notes on autonomous engineering: AI-powered execution, human accountability.</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>© 2026 Pini Shvartsman</copyright><lastBuildDate>Sat, 04 Apr 2026 18:00:00 +0200</lastBuildDate><atom:link href="https://pinishv.com/tags/open-source/index.xml" rel="self" type="application/rss+xml"/><item><title>Your AI Stack Is Rented Until You Can Run Part of It Yourself</title><link>https://pinishv.com/articles/local-llms-your-stack-is-rented/</link><pubDate>Sat, 04 Apr 2026 18:00:00 +0200</pubDate><guid>https://pinishv.com/articles/local-llms-your-stack-is-rented/</guid><description>Anthropic just told Claude Code users that third-party harnesses need separate billing. Google dropped Gemma 4 under Apache 2.0 across phone-to-workstation tiers. One story is about dependence. The other is about escape velocity. The local LLM landscape finally crossed from &amp;lsquo;cute demo&amp;rsquo; to &amp;lsquo;actually useful.&amp;rsquo;</description><content:encoded>&lt;p>When &lt;a
href="https://techcrunch.com/2026/04/04/anthropic-says-claude-code-subscribers-will-need-to-pay-extra-for-openclaw-support/"
target="_blank"
>Anthropic tells&lt;/a> paying Claude Code subscribers that OpenClaw and other third-party harnesses need separate pay-as-you-go billing starting April 4, that&amp;rsquo;s not just a pricing update. That&amp;rsquo;s platform risk made visible. If your workflow depends on someone else&amp;rsquo;s limits, economics, and tolerance for power users, your stack is rented.&lt;/p>
&lt;p>At almost the same moment, &lt;a
href="https://blog.google/innovation-and-ai/technology/developers-tools/gemma-4/"
target="_blank"
>Google dropped Gemma 4&lt;/a> under Apache 2.0 across phone-to-workstation tiers. Over 400 million downloads of the Gemma family so far. This isn&amp;rsquo;t a niche hobbyist corner anymore.&lt;/p>
&lt;p>One story is about dependence. The other is about escape velocity.&lt;/p>
&lt;h2 class="relative group">Local finally crossed the line
&lt;div id="local-finally-crossed-the-line" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#local-finally-crossed-the-line" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>For a long time, &amp;ldquo;run it locally&amp;rdquo; meant weaker models, ugly tooling, and a lot of compromises. You got privacy but gave up capability.&lt;/p>
&lt;p>That&amp;rsquo;s changing fast. The model layer is better. The runtime layer is better. And the quality-to-hardware ratio finally crossed from &amp;ldquo;cute demo&amp;rdquo; to &amp;ldquo;actually useful.&amp;rdquo;&lt;/p>
&lt;p>The mistake people make is treating local LLMs as a single category. They&amp;rsquo;re not. There are now three very different tiers:&lt;/p>
&lt;p>&lt;strong>Phone and tablet.&lt;/strong> &lt;a
href="https://ai.google.dev/gemma/docs/core"
target="_blank"
>Gemma 4&amp;rsquo;s&lt;/a> smallest models (E2B at ~3.2GB, E4B at ~5GB) run on mobile through Google&amp;rsquo;s AI Edge Gallery. Microsoft&amp;rsquo;s &lt;a
href="https://huggingface.co/microsoft/Phi-4-mini-instruct"
target="_blank"
>Phi-4-mini&lt;/a> targets mobile CPUs with ONNX builds. Hugging Face&amp;rsquo;s &lt;a
href="https://huggingface.co/HuggingFaceTB/SmolLM2-1.7B"
target="_blank"
>SmolLM2&lt;/a> is built for on-device from the start. Not your frontier coding copilot. But credible for summarization, drafting, classification, and offline assistance.&lt;/p>
&lt;p>&lt;strong>Laptop.&lt;/strong> The 4B to 8B class is the sweet spot. &lt;a
href="https://huggingface.co/Qwen/Qwen3-4B"
target="_blank"
>Qwen3-4B&lt;/a> with switchable thinking modes, Phi-4-mini for compact reasoning, &lt;a
href="https://mistral.ai/news/mistral-3"
target="_blank"
>Ministral 8B&lt;/a> for edge setups. Real assistants on normal hardware.&lt;/p>
&lt;p>&lt;strong>Workstation and higher-memory Macs.&lt;/strong> This is where local stops being a privacy story and becomes a control story. &lt;a
href="https://mistral.ai/news/mistral-small-3-1"
target="_blank"
>Mistral Small 3.1&lt;/a> runs on a single RTX 4090 or a 32GB Mac. Gemma 4&amp;rsquo;s 26B and 31B models are realistic for workstation setups. &lt;a
href="https://arxiv.org/abs/2505.09388"
target="_blank"
>Qwen3-30B-A3B&lt;/a> has 30.5B total parameters but only 3.3B activated per token, which is exactly the kind of design that makes local deployment attractive.&lt;/p>
&lt;p>And the tooling caught up. Gemma 4 is already in &lt;a
href="https://ollama.com/library/gemma4"
target="_blank"
>Ollama&lt;/a>. LM Studio keeps pushing the &amp;ldquo;download and run&amp;rdquo; workflow. Microsoft has ONNX Runtime and Foundry Local for Phi. The gap between &amp;ldquo;model exists&amp;rdquo; and &amp;ldquo;normal person can run it&amp;rdquo; is closing fast.&lt;/p>
&lt;h2 class="relative group">What local doesn&amp;rsquo;t do
&lt;div id="what-local-doesnt-do" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-local-doesnt-do" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Local isn&amp;rsquo;t magic and I don&amp;rsquo;t want to romanticize it.&lt;/p>
&lt;p>You still give up raw frontier capability. You give up some convenience. You give up the giant context windows and web-connected workflows that cloud models handle more naturally. On mobile, you fight battery and heat. A phone can run a model. That doesn&amp;rsquo;t mean you want it thinking for three minutes over a giant prompt while your battery melts.&lt;/p>
&lt;p>The local story is strongest around focused workloads: summarization, extraction, drafting, classification, translation, private notes, offline copilots, and first-pass coding help.&lt;/p>
&lt;p>So no, local doesn&amp;rsquo;t mean &amp;ldquo;replace Claude, ChatGPT, and Gemini everywhere.&amp;rdquo; That&amp;rsquo;s the wrong goal.&lt;/p>
&lt;p>The right goal is to stop letting every useful AI workflow become a monthly lease tied to someone else&amp;rsquo;s pricing model, product roadmap, and policy mood.&lt;/p>
&lt;h2 class="relative group">Why the Anthropic move matters more than people think
&lt;div id="why-the-anthropic-move-matters-more-than-people-think" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#why-the-anthropic-move-matters-more-than-people-think" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Everyone repeats the privacy argument for local models. Fair enough.&lt;/p>
&lt;p>The stronger argument is operational.&lt;/p>
&lt;p>If a vendor can wake up on Friday and tell you that a workflow you built around is no longer covered by the subscription you&amp;rsquo;re already paying for, then &amp;ldquo;works today&amp;rdquo; isn&amp;rsquo;t the same thing as &amp;ldquo;belongs in your stack.&amp;rdquo;&lt;/p>
&lt;p>Anthropic&amp;rsquo;s move may be rational. If third-party harnesses blow past the economics of a flat subscription, of course they&amp;rsquo;ll tighten the terms. That&amp;rsquo;s what platforms do. I &lt;a
href="https://pinishv.com/articles/ai-wrapper-companies-legitimacy-or-hype/">wrote about this pattern&lt;/a> when I was looking at AI wrappers, and again when I argued &lt;a
href="https://pinishv.com/articles/saas-is-dead-we-just-havent-stopped-paying-for-it/">the SaaS bargain is breaking&lt;/a>. Platform providers always move up the stack eventually.&lt;/p>
&lt;p>Local gives you a floor the platform can&amp;rsquo;t take away.&lt;/p>
&lt;p>That floor doesn&amp;rsquo;t need to be frontier-grade to be strategically valuable.&lt;/p>
&lt;p>It just needs to be yours.&lt;/p>
&lt;h2 class="relative group">What I&amp;rsquo;d actually run today
&lt;div id="what-id-actually-run-today" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-id-actually-run-today" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>If I wanted a phone-first local assistant: &lt;strong>Gemma 4 E2B/E4B&lt;/strong> first, then &lt;strong>Phi-4-mini&lt;/strong> for reasoning-heavy tasks.&lt;/p>
&lt;p>If I wanted a good local model on a normal laptop: &lt;strong>Qwen3-4B&lt;/strong>, &lt;strong>Phi-4-mini&lt;/strong>, or &lt;strong>Ministral 8B&lt;/strong>.&lt;/p>
&lt;p>If I had a 32GB Mac or stronger desktop: &lt;strong>Mistral Small 3.1&lt;/strong> and &lt;strong>Gemma 4 26B&lt;/strong>.&lt;/p>
&lt;p>If I had a 24GB GPU and wanted the best local jump in capability: &lt;strong>Gemma 4 31B&lt;/strong> and &lt;strong>Qwen3-30B-A3B&lt;/strong>.&lt;/p>
&lt;p>That&amp;rsquo;s not a benchmark answer. It&amp;rsquo;s a deployment answer.&lt;/p>
&lt;p>For two years, local LLMs mostly meant compromise. In 2026, they increasingly mean options. The frontier cloud models are still stronger. But that&amp;rsquo;s no longer the only question that matters.&lt;/p>
&lt;p>The real question is: which parts of your AI stack are you still comfortable renting?&lt;/p>
&lt;hr>
&lt;p>&lt;em>Running local models? I&amp;rsquo;d love to hear what you&amp;rsquo;re using and where. Find me on &lt;a
href="https://x.com/PiniShv"
target="_blank"
>X&lt;/a> or &lt;a
href="https://t.me/by_Pini"
target="_blank"
>Telegram&lt;/a>.&lt;/em>&lt;/p></content:encoded><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://pinishv.com/articles/local-llms-your-stack-is-rented/feature.png"/></item><item><title>DeerFlow 2.0: ByteDance Just Open-Sourced What Most Companies Are Trying to Build Internally</title><link>https://pinishv.com/articles/deerflow-bytedance-super-agent-harness/</link><pubDate>Mon, 23 Mar 2026 12:00:00 +0200</pubDate><guid>https://pinishv.com/articles/deerflow-bytedance-super-agent-harness/</guid><description>37,000 GitHub stars in weeks. #1 on GitHub Trending. ByteDance rebuilt DeerFlow from scratch into a super agent harness with sandboxed execution, sub-agents, persistent memory, and a skills system. It&amp;rsquo;s not a chatbot framework. It&amp;rsquo;s closer to what an internal AI platform team would build if they had unlimited runway.</description><content:encoded>&lt;p>Most agent frameworks give you a chat interface with tool access. &lt;a
href="https://github.com/bytedance/deer-flow"
target="_blank"
>DeerFlow 2.0&lt;/a> gives the agent a computer.&lt;/p>
&lt;p>ByteDance rebuilt DeerFlow from the ground up and open-sourced it in late February 2026. It hit #1 on GitHub Trending within days. As of this week it has over 37,000 stars and 4,400 forks. The community is excited. But most of the coverage I&amp;rsquo;ve seen misses what actually makes this interesting.&lt;/p>
&lt;p>DeerFlow isn&amp;rsquo;t a research tool with a nice UI. It&amp;rsquo;s a super agent harness. The difference matters.&lt;/p>
&lt;h2 class="relative group">What &amp;ldquo;super agent harness&amp;rdquo; actually means
&lt;div id="what-super-agent-harness-actually-means" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-super-agent-harness-actually-means" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>The term sounds like marketing, so let me break down what it does in practice.&lt;/p>
&lt;p>A typical agent framework lets you chain LLM calls with tool use. You give the model access to search, file reading, maybe code execution. The model decides what to do step by step. That&amp;rsquo;s what most people mean when they say &amp;ldquo;agent.&amp;rdquo;&lt;/p>
&lt;p>DeerFlow does something architecturally different. A lead agent receives a task, decomposes it into sub-tasks, and spawns specialized sub-agents that run in parallel. Each sub-agent gets its own isolated context, its own tools, and its own termination conditions. They work concurrently, report structured results back to the lead agent, and the lead synthesizes everything into a coherent output.&lt;/p>
&lt;p>That&amp;rsquo;s not a chain. That&amp;rsquo;s an orchestration layer. And the execution doesn&amp;rsquo;t happen in an LLM&amp;rsquo;s imagination. It happens inside an actual sandbox.&lt;/p>
&lt;h2 class="relative group">The sandbox is the real differentiator
&lt;div id="the-sandbox-is-the-real-differentiator" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-sandbox-is-the-real-differentiator" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Each DeerFlow task runs inside an isolated Docker container with a full filesystem. The agent can read files, write files, execute bash commands, run Python scripts, and manipulate outputs. There&amp;rsquo;s a virtual path system that prevents the agent from seeing real host paths, which blocks path traversal attacks.&lt;/p>
&lt;p>The directory structure per thread looks like this:&lt;/p>
&lt;pre tabindex="0">&lt;code>/mnt/user-data/
├── uploads/ # your files
├── workspace/ # agent&amp;#39;s working directory
└── outputs/ # final deliverables
&lt;/code>&lt;/pre>&lt;p>This is the difference between &amp;ldquo;the model says it would write a file&amp;rdquo; and &amp;ldquo;the model actually wrote the file.&amp;rdquo; When DeerFlow generates a report, builds a slide deck, creates a website, or runs a data pipeline, the output exists as actual files in an actual filesystem. Not text in a chat window.&lt;/p>
&lt;p>That matters because it means DeerFlow can handle tasks that take minutes to hours. A research task fans out into a dozen sub-agents, each exploring a different angle, and converges into a single report. Or a website. Or a deck with generated visuals.&lt;/p>
&lt;h2 class="relative group">The skills system
&lt;div id="the-skills-system" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-skills-system" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>DeerFlow&amp;rsquo;s capabilities are defined as &amp;ldquo;skills,&amp;rdquo; which are structured Markdown files containing workflows, best practices, and references to supporting resources. The framework ships with skills for research, report generation, slide creation, web page generation, and image/video creation.&lt;/p>
&lt;p>The clever part is progressive loading. Skills only get injected into the agent&amp;rsquo;s context when the task needs them. This keeps the context window lean, which matters when you&amp;rsquo;re running sub-agents in parallel and every token counts.&lt;/p>
&lt;p>You can add custom skills, replace built-in ones, or combine them. The skill system is essentially a plugin architecture defined in Markdown. It&amp;rsquo;s simple enough that someone who isn&amp;rsquo;t a framework developer can extend it.&lt;/p>
&lt;h2 class="relative group">How it compares
&lt;div id="how-it-compares" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#how-it-compares" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>The landscape is crowded, so here&amp;rsquo;s where DeerFlow sits relative to tools engineers are actually using:&lt;/p>
&lt;p>&lt;strong>Claude Code&lt;/strong> is a terminal-based CLI agent. Powerful for deep coding sessions, strong reasoning, MCP support. But it&amp;rsquo;s fundamentally a single-agent tool. You start it, it works, it finishes. DeerFlow orchestrates multiple agents in parallel with isolated contexts. Different architectural layer.&lt;/p>
&lt;p>&lt;strong>OpenAI Codex CLI&lt;/strong> runs in a sandboxed microVM with strong safety guarantees. Fast, cost-efficient, good for GitHub workflows. But it&amp;rsquo;s scoped to coding tasks. DeerFlow handles research, content generation, data pipelines, and arbitrary multi-step workflows.&lt;/p>
&lt;p>&lt;strong>Devin&lt;/strong> positions itself as an autonomous &amp;ldquo;AI software engineer&amp;rdquo; with a full IDE. But &lt;a
href="https://aitoolclash.com/posts/ai-coding-assistants-compared-2026/"
target="_blank"
>benchmarks show&lt;/a> a 13.86% official success rate and it&amp;rsquo;s the slowest option in head-to-head tests. DeerFlow&amp;rsquo;s parallel sub-agent architecture is fundamentally more efficient for complex decomposable tasks.&lt;/p>
&lt;p>&lt;strong>&lt;a
href="https://pinishv.com/articles/cursor-automations-ai-stopped-waiting/">Cursor Automations&lt;/a>&lt;/strong>, which I wrote about this week, takes a different approach entirely: event-driven triggers that launch agents automatically. DeerFlow is more of a task-delegation platform. Cursor is more of an always-on operational layer. They could complement each other.&lt;/p>
&lt;p>The closest analogy might be: Claude Code is your best individual contributor. Codex is your safe pair of hands for PRs. Cursor Automations is your on-call bot. DeerFlow is the team lead who decomposes the project and assigns the work.&lt;/p>
&lt;h2 class="relative group">What engineering leaders should notice
&lt;div id="what-engineering-leaders-should-notice" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-engineering-leaders-should-notice" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Three things stand out to me.&lt;/p>
&lt;p>&lt;strong>First, the architecture is what most internal AI platform teams are trying to build.&lt;/strong> Sub-agent orchestration, sandboxed execution, persistent memory, a skills/plugin system, support for multiple models and deployment modes (local, Docker, Kubernetes). If you&amp;rsquo;re an engineering leader thinking about building an internal agent platform, DeerFlow is either your starting point or your benchmark.&lt;/p>
&lt;p>&lt;strong>Second, it&amp;rsquo;s ByteDance.&lt;/strong> That means serious engineering resources behind it. But it also means you should do your own security review before running it anywhere near production data. The code is MIT-licensed and open source, which is great. But &amp;ldquo;open source from a large tech company&amp;rdquo; and &amp;ldquo;audited for your threat model&amp;rdquo; are different things. Read the code. Check the network calls. Understand what telemetry exists. The same advice applies to any framework you&amp;rsquo;d run in Docker containers with filesystem access.&lt;/p>
&lt;p>&lt;strong>Third, the skills system is the part with the most long-term potential.&lt;/strong> Right now it ships with research and content generation skills. But the architecture supports arbitrary capabilities defined in Markdown. That means the community can build and share skills for specific domains: legal research, financial analysis, infrastructure automation, compliance workflows. If the ecosystem develops, DeerFlow becomes a platform, not just a tool.&lt;/p>
&lt;h2 class="relative group">The honest assessment
&lt;div id="the-honest-assessment" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-honest-assessment" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>DeerFlow 2.0 is impressive engineering. The sandbox execution model, parallel sub-agents with isolated context, and progressive skill loading are genuine architectural innovations in the open-source agent space. It&amp;rsquo;s more production-oriented than most frameworks I&amp;rsquo;ve seen.&lt;/p>
&lt;p>But it&amp;rsquo;s also early. The documentation has gaps. The learning curve is steep. Running multiple specialized models requires significant compute. And the project is moving fast enough that what you read about it this week might be outdated next week.&lt;/p>
&lt;p>If you&amp;rsquo;re evaluating it for your team, my advice: clone it, run it locally, throw a real multi-step task at it, and see how it handles decomposition, failure recovery, and output quality. Don&amp;rsquo;t evaluate it from the README. Evaluate it from the sandbox.&lt;/p>
&lt;p>The agent framework landscape is moving fast. DeerFlow just raised the bar for what &amp;ldquo;open source&amp;rdquo; means in this space. Whether it becomes the default depends on whether the community builds the skills ecosystem and whether ByteDance sustains the investment.&lt;/p>
&lt;p>37,000 stars in a few weeks says the interest is real. Now we&amp;rsquo;ll see if the execution holds.&lt;/p>
&lt;hr>
&lt;p>&lt;em>Experimenting with DeerFlow or building your own agent orchestration? I&amp;rsquo;d love to hear how you&amp;rsquo;re approaching it. Find me on &lt;a
href="https://x.com/PiniShv"
target="_blank"
>X&lt;/a> or &lt;a
href="https://t.me/by_Pini"
target="_blank"
>Telegram&lt;/a>.&lt;/em>&lt;/p></content:encoded><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://pinishv.com/articles/deerflow-bytedance-super-agent-harness/feature.png"/></item><item><title>Glassworm Is Back. Your Code Review Won't Catch It.</title><link>https://pinishv.com/articles/glassworm-invisible-unicode-supply-chain/</link><pubDate>Sun, 22 Mar 2026 20:00:00 +0200</pubDate><guid>https://pinishv.com/articles/glassworm-invisible-unicode-supply-chain/</guid><description>151 malicious packages in one week. The payload is invisible. Literally invisible. Glassworm uses Unicode characters that don&amp;rsquo;t render in any editor, terminal, or code review tool. And the cover commits are AI-generated. Here&amp;rsquo;s how it works and why your current defenses probably miss it.</description><content:encoded>&lt;p>Between March 3 and 9, 2026, &lt;a
href="https://www.aikido.dev/blog/the-return-of-the-invisible-threat-hidden-pua-unicode-hits-github-repositorties"
target="_blank"
>Aikido Security documented&lt;/a> 151 malicious packages uploaded across GitHub repositories, npm, and the VS Code/Open VSX marketplace. The campaign is called Glassworm, and it&amp;rsquo;s back for a second wave after first appearing in March 2025.&lt;/p>
&lt;p>What makes Glassworm different from most supply chain attacks is the technique. The malicious payload is invisible. Not obfuscated. Not minified. &lt;a
href="https://agent-wars.com/news/2026-03-14-glassworm-unicode-pua-supply-chain-attack"
target="_blank"
>Invisible&lt;/a>.&lt;/p>
&lt;p>I&amp;rsquo;ve been writing about &lt;a
href="https://pinishv.com/articles/ai-browser-hijacking-how-companies-fight-prompt-injection/">AI security threats&lt;/a> and &lt;a
href="https://pinishv.com/articles/securing-the-ai-supply-chain/">supply chain risks&lt;/a> for a while. Glassworm is the kind of attack that should change how you think about what &amp;ldquo;reviewing code&amp;rdquo; actually means.&lt;/p>
&lt;h2 class="relative group">How it works
&lt;div id="how-it-works" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#how-it-works" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Unicode has a range called the Private Use Area (PUA): characters from &lt;code>U+FE00&lt;/code> to &lt;code>U+FE0F&lt;/code> and &lt;code>U+E0100&lt;/code> to &lt;code>U+E01EF&lt;/code>. These characters are valid Unicode. They exist in the spec. But they don&amp;rsquo;t render. Not in VS Code. Not in your terminal. Not in GitHub&amp;rsquo;s diff view. Not in any standard code review interface.&lt;/p>
&lt;p>Glassworm encodes malicious JavaScript payloads as sequences of these invisible characters, stuffed inside what looks like an empty string. The actual code in the file looks something like this:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" class="chroma">&lt;code class="language-javascript" data-lang="javascript">&lt;span class="line">&lt;span class="cl">&lt;span class="kr">const&lt;/span> &lt;span class="nx">s&lt;/span> &lt;span class="o">=&lt;/span> &lt;span class="nx">v&lt;/span> &lt;span class="p">=&amp;gt;&lt;/span> &lt;span class="p">[...&lt;/span>&lt;span class="nx">v&lt;/span>&lt;span class="p">].&lt;/span>&lt;span class="nx">map&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="nx">w&lt;/span> &lt;span class="p">=&amp;gt;&lt;/span> &lt;span class="p">(&lt;/span>
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl"> &lt;span class="nx">w&lt;/span> &lt;span class="o">=&lt;/span> &lt;span class="nx">w&lt;/span>&lt;span class="p">.&lt;/span>&lt;span class="nx">codePointAt&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="mi">0&lt;/span>&lt;span class="p">),&lt;/span>
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl"> &lt;span class="nx">w&lt;/span> &lt;span class="o">&amp;gt;=&lt;/span> &lt;span class="mh">0xFE00&lt;/span> &lt;span class="o">&amp;amp;&amp;amp;&lt;/span> &lt;span class="nx">w&lt;/span> &lt;span class="o">&amp;lt;=&lt;/span> &lt;span class="mh">0xFE0F&lt;/span> &lt;span class="o">?&lt;/span> &lt;span class="nx">w&lt;/span> &lt;span class="o">-&lt;/span> &lt;span class="mh">0xFE00&lt;/span> &lt;span class="o">:&lt;/span>
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl"> &lt;span class="nx">w&lt;/span> &lt;span class="o">&amp;gt;=&lt;/span> &lt;span class="mh">0xE0100&lt;/span> &lt;span class="o">&amp;amp;&amp;amp;&lt;/span> &lt;span class="nx">w&lt;/span> &lt;span class="o">&amp;lt;=&lt;/span> &lt;span class="mh">0xE01EF&lt;/span> &lt;span class="o">?&lt;/span> &lt;span class="nx">w&lt;/span> &lt;span class="o">-&lt;/span> &lt;span class="mh">0xE0100&lt;/span> &lt;span class="o">+&lt;/span> &lt;span class="mi">16&lt;/span> &lt;span class="o">:&lt;/span> &lt;span class="kc">null&lt;/span>
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="p">)).&lt;/span>&lt;span class="nx">filter&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="nx">n&lt;/span> &lt;span class="p">=&amp;gt;&lt;/span> &lt;span class="nx">n&lt;/span> &lt;span class="o">!==&lt;/span> &lt;span class="kc">null&lt;/span>&lt;span class="p">);&lt;/span>
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="nb">eval&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="nx">Buffer&lt;/span>&lt;span class="p">.&lt;/span>&lt;span class="nx">from&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="nx">s&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="sb">``&lt;/span>&lt;span class="p">)).&lt;/span>&lt;span class="nx">toString&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="s1">&amp;#39;utf-8&amp;#39;&lt;/span>&lt;span class="p">));&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Those backticks at the end look empty. They&amp;rsquo;re not. They contain hundreds of invisible PUA characters that, when decoded by the function above, produce a full malicious payload. The &lt;code>eval()&lt;/code> executes it at runtime. No visible trace in the source file.&lt;/p>
&lt;p>The decoded payloads steal tokens, credentials, and secrets, using Solana blockchain as the command-and-control channel to make the exfiltration harder to trace and block.&lt;/p>
&lt;h2 class="relative group">Why this is harder to catch than you think
&lt;div id="why-this-is-harder-to-catch-than-you-think" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#why-this-is-harder-to-catch-than-you-think" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Traditional code review fails completely against this. A human looking at the diff sees a small utility function and an empty string. Syntax highlighting doesn&amp;rsquo;t flag it. Linting doesn&amp;rsquo;t catch it because the characters are valid Unicode. Grep doesn&amp;rsquo;t find it because you can&amp;rsquo;t search for characters you can&amp;rsquo;t see.&lt;/p>
&lt;p>AI code review tools face the same problem. They operate on the visible text of the code. If the malicious content is invisible characters inside a string literal, the model sees an empty string. The &lt;a
href="https://techcrunch.com/2026/03/09/anthropic-launches-code-review-tool-to-check-flood-of-ai-generated-code"
target="_blank"
>Anthropic Code Review tool&lt;/a> that launched this month dispatches agents to analyze PRs for bugs and security issues. But if the payload isn&amp;rsquo;t visible in the code representation the model receives, it doesn&amp;rsquo;t get analyzed.&lt;/p>
&lt;p>And Glassworm&amp;rsquo;s operators are making detection even harder. The visible parts of malicious commits, the parts humans and AI can see, are &lt;a
href="https://agent-wars.com/news/2026-03-15-glassworm-returns-invisible-unicode-attacks-hit-150-github-repos-npm-and-vs-code"
target="_blank"
>deliberately convincing&lt;/a>. Documentation tweaks. Version bumps. Minor bug fixes. Stylistically consistent with the target repository. Security researchers believe attackers are using LLMs to generate these cover changes at scale across 151+ different codebases.&lt;/p>
&lt;p>So you have AI generating realistic-looking innocent commits to cover payloads that are invisible to both human reviewers and AI reviewers. That&amp;rsquo;s a new class of problem.&lt;/p>
&lt;h2 class="relative group">What this means for your team
&lt;div id="what-this-means-for-your-team" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-this-means-for-your-team" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>If you&amp;rsquo;re pulling npm packages, installing VS Code extensions, or depending on open source libraries (so, everyone), here&amp;rsquo;s what matters:&lt;/p>
&lt;p>&lt;strong>Your current review process probably doesn&amp;rsquo;t detect this.&lt;/strong> Unless your toolchain specifically scans for Unicode PUA characters in source files, invisible payloads pass through. &lt;a
href="https://snyk.io/articles/defending-against-glassworm/"
target="_blank"
>Snyk&amp;rsquo;s analysis&lt;/a> recommends detecting Unicode characters by category rather than maintaining explicit character lists, which means your existing SAST tools need updating.&lt;/p>
&lt;p>&lt;strong>Pin your dependencies and audit updates.&lt;/strong> Glassworm targets existing repos with seemingly innocent version bumps and doc changes. If you auto-merge dependency updates or trust patch versions without review, you&amp;rsquo;re exposed.&lt;/p>
&lt;p>&lt;strong>Scan for &lt;code>eval()&lt;/code> and dynamic execution patterns.&lt;/strong> The invisible payload still needs &lt;code>eval()&lt;/code> or an equivalent to execute. Static analysis rules that flag dynamic code execution in dependency code are your best early warning.&lt;/p>
&lt;p>&lt;strong>Be suspicious of repos you haven&amp;rsquo;t verified recently.&lt;/strong> Some of the compromised repos had over 1,400 GitHub stars. Popularity doesn&amp;rsquo;t mean safety. The Wasmer WebAssembly runtime was among the targeted projects.&lt;/p>
&lt;p>&lt;strong>VS Code extensions are a vector.&lt;/strong> Glassworm hit the Open VSX marketplace too. Extensions run with significant privileges. If your team installs extensions casually, you have an unmonitored attack surface.&lt;/p>
&lt;h2 class="relative group">The bigger picture
&lt;div id="the-bigger-picture" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-bigger-picture" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>I&amp;rsquo;ve written about &lt;a
href="https://pinishv.com/articles/ai-security-culture-problem/">AI security as a culture problem&lt;/a> and &lt;a
href="https://pinishv.com/articles/building-ai-systems-that-dont-break-under-attack/">building systems that don&amp;rsquo;t break under attack&lt;/a>. Glassworm sits at the intersection of two trends I keep coming back to.&lt;/p>
&lt;p>First, AI is accelerating both sides. Defenders are using AI to review code faster. Attackers are using AI to generate convincing cover commits at scale. The speed advantage isn&amp;rsquo;t one-sided.&lt;/p>
&lt;p>Second, the supply chain is where the real vulnerability concentration lives. Your code might be clean. Your review process might be solid. But if one of your 400 transitive dependencies gets compromised with an invisible payload that no human or AI reviewer can see, none of that matters.&lt;/p>
&lt;p>Glassworm didn&amp;rsquo;t exploit a zero-day. It didn&amp;rsquo;t find a novel vulnerability. It exploited the gap between what we look at and what we actually see. That gap is getting wider as codebases grow faster, reviews get thinner, and both sides of the attack use AI to scale.&lt;/p>
&lt;p>The fix isn&amp;rsquo;t one tool or one policy. It&amp;rsquo;s treating your supply chain with the same paranoia you&amp;rsquo;d treat your own production code. Because right now, for a lot of teams, that&amp;rsquo;s the door nobody&amp;rsquo;s watching.&lt;/p>
&lt;hr>
&lt;p>&lt;em>Seen something like Glassworm in your own supply chain? Dealing with invisible threats in your dependencies? I&amp;rsquo;d love to hear about it. Find me on &lt;a
href="https://x.com/PiniShv"
target="_blank"
>X&lt;/a> or &lt;a
href="https://t.me/by_Pini"
target="_blank"
>Telegram&lt;/a>.&lt;/em>&lt;/p></content:encoded><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://pinishv.com/articles/glassworm-invisible-unicode-supply-chain/feature.png"/></item><item><title>CLI Agent Orchestrator: When One AI Agent Isn't Enough</title><link>https://pinishv.com/articles/cli-agent-orchestrator-when-one-agent-isnt-enough/</link><pubDate>Wed, 05 Nov 2025 00:00:00 +0000</pubDate><guid>https://pinishv.com/articles/cli-agent-orchestrator-when-one-agent-isnt-enough/</guid><description>AWS open-sourced CLI Agent Orchestrator, a framework coordinating multiple AI agents for complex developer tasks. It&amp;rsquo;s hierarchical orchestration for CLI tools, showing where AI tooling is headed when single agents hit their limits.</description><content:encoded>&lt;p>You&amp;rsquo;ve hit this wall before. You&amp;rsquo;re working on some complex modernization project with Claude Code or Amazon Q Developer CLI, and the agent starts losing coherence. Too much context. Too many domains. Architecture bleeding into security bleeding into performance optimization. The agent can&amp;rsquo;t maintain focus.&lt;/p>
&lt;p>Your options have been to manually coordinate between separate agent sessions, copying context around like it&amp;rsquo;s 2010. Or overload one agent with everything and watch quality degrade as the context window fills up.&lt;/p>
&lt;p>AWS to the rescue; they just released CLI Agent Orchestrator (CAO): multiple specialized agents working together under a supervisor. Hierarchical orchestration for your AI CLI tools.&lt;/p>
&lt;p>It&amp;rsquo;s early, opinionated, and requires AWS infrastructure. But it shows where developer AI tooling is headed when single agents aren&amp;rsquo;t enough.&lt;/p>
&lt;h2 class="relative group">The Problem
&lt;div id="the-problem" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-problem" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Single agents work great for focused tasks. Refactoring? Boilerplate? Debugging? Claude Code or Amazon Q handles it.&lt;/p>
&lt;p>But try modernizing a legacy mainframe application. Architecture design, security review, performance optimization, testing, data migration. That&amp;rsquo;s a project spanning multiple disciplines. Load all that context into one agent and watch quality degrade. The agent contradicts itself, forgets earlier decisions, outputs get generic.&lt;/p>
&lt;p>The alternative is running separate agents manually. One for architecture. Another for security. Another for performance. Now you&amp;rsquo;re copying context between them, manually synthesizing outputs, spending more time coordinating than working. You&amp;rsquo;ve become the orchestration layer.&lt;/p>
&lt;p>CAO is AWS&amp;rsquo;s answer: a supervisor agent manages specialized workers. Each focuses on its domain. The supervisor handles coordination. Configure the team once, let them collaborate.&lt;/p>
&lt;h2 class="relative group">How It Works
&lt;div id="how-it-works" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#how-it-works" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>A supervisor agent delegates to specialized workers. One for architecture. One for security. One for performance. The supervisor manages sequencing and maintains context. Workers focus on their specialty and report back.&lt;/p>
&lt;p>
&lt;figure>
&lt;img
class="my-0 rounded-md"
loading="lazy"
decoding="async"
fetchpriority="low"
alt="Multi-agent orchestration architecture on AWS"
srcset="
/articles/cli-agent-orchestrator-when-one-agent-isnt-enough/multi-agent-orchestration-on-aws_hu_5e68cdf0bc5192b3.png 330w,
/articles/cli-agent-orchestrator-when-one-agent-isnt-enough/multi-agent-orchestration-on-aws_hu_3f727dcf1705082b.png 660w,
/articles/cli-agent-orchestrator-when-one-agent-isnt-enough/multi-agent-orchestration-on-aws_hu_9fac1c38e76ee695.png 1280w
"
data-zoom-src="https://pinishv.com/articles/cli-agent-orchestrator-when-one-agent-isnt-enough/multi-agent-orchestration-on-aws.png"
src="https://pinishv.com/articles/cli-agent-orchestrator-when-one-agent-isnt-enough/multi-agent-orchestration-on-aws.png">
&lt;/figure>
&lt;/p>
&lt;p>Each agent runs in its own isolated tmux session. No context pollution. The architecture agent&amp;rsquo;s history doesn&amp;rsquo;t leak into the security agent&amp;rsquo;s work. Sessions communicate through Model Context Protocol (MCP) servers, which handle local communication between the isolated sessions, running entirely on your machine.&lt;/p>
&lt;p>CAO supports three patterns. Handoff (synchronous): supervisor waits for completion before proceeding. Assign (asynchronous): supervisor delegates and moves on. Send Message: supervisor checks status without blocking. All implemented through Amazon Bedrock action groups.&lt;/p>
&lt;h2 class="relative group">Example: Mainframe Modernization
&lt;div id="example-mainframe-modernization" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#example-mainframe-modernization" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>The supervisor receives &amp;ldquo;Create a modernization plan for this COBOL banking system.&amp;rdquo; It hands off sequentially: architecture agent designs the structure, security agent reviews it, then performance and test agents work in parallel. The supervisor synthesizes outputs into a unified plan.&lt;/p>
&lt;p>You could apply this to building microservices applications or migrating monoliths. In practice, you&amp;rsquo;ll iterate on prompts and intervene when agents drift. But the pattern works when configured well.&lt;/p>
&lt;h2 class="relative group">The Reality Check
&lt;div id="the-reality-check" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-reality-check" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>CAO only works with Amazon Q Developer CLI and Claude Code. Nothing else has shipped despite &amp;ldquo;future plans&amp;rdquo; for other tools.&lt;/p>
&lt;p>The supervisor runs on Amazon Bedrock, AWS&amp;rsquo;s managed service for foundation models. You need AWS credentials, Bedrock access, and an AWS account. It&amp;rsquo;s open source code you can&amp;rsquo;t run without AWS infrastructure. This is lock-in you should choose consciously.&lt;/p>
&lt;p>Everything runs in tmux sessions. Great for transparency, but it&amp;rsquo;s another dependency with a learning curve. Running this in CI/CD adds complexity.&lt;/p>
&lt;p>Multiple agents mean multiple API calls, more token usage, higher latency. For simple tasks, this is wasteful overkill. You need to be selective about when orchestration overhead is worth it.&lt;/p>
&lt;p>This is infrastructure for developers comfortable with AWS, tmux, and orchestration concepts. It&amp;rsquo;s not polished. Limited early reactions on social media praise the privacy focus but flag AWS lock-in and tmux hurdles as barriers to adoption.&lt;/p>
&lt;h2 class="relative group">Why It Matters
&lt;div id="why-it-matters" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#why-it-matters" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>The interesting part isn&amp;rsquo;t CAO specifically. It&amp;rsquo;s the shift from &amp;ldquo;AI tool as standalone assistant&amp;rdquo; to &amp;ldquo;AI tools as orchestrated teams.&amp;rdquo;&lt;/p>
&lt;p>Single-agent tools hit walls. Context windows don&amp;rsquo;t solve everything. At some point, more context just means more noise. Multi-agent architectures divide cognitive labor. Each agent has a focused job. The supervisor ensures pieces fit together.&lt;/p>
&lt;p>We&amp;rsquo;re seeing this everywhere. OpenAI&amp;rsquo;s Swarm. LangGraph. CrewAI. AutoGPT. The underlying idea is the same: complex tasks need coordination, not just more context. Specialization plus orchestration beats generalization with bigger context windows.&lt;/p>
&lt;p>The question: does this remain infrastructure developers explicitly configure, or does it become invisible? CAO is clearly &amp;ldquo;you configure this.&amp;rdquo; But the long-term direction is probably toward tools that orchestrate automatically, with developers intervening only when defaults fail.&lt;/p>
&lt;h2 class="relative group">Getting Started
&lt;div id="getting-started" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#getting-started" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>If you want to experiment with CAO:&lt;/p>
&lt;p>You need an AWS account with Bedrock access and permissions to use Claude models. Install Amazon Q Developer CLI or Claude Code. Install tmux (&lt;code>brew install tmux&lt;/code> on macOS). Clone the repo: &lt;code>git clone https://github.com/awslabs/cli-agent-orchestrator&lt;/code>. The README has configuration examples and workflows.&lt;/p>
&lt;p>Realistically, plan to spend an afternoon getting this working. This isn&amp;rsquo;t a tool you spin up in 10 minutes.&lt;/p>
&lt;h2 class="relative group">Should You Use This?
&lt;div id="should-you-use-this" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#should-you-use-this" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Use CAO if you&amp;rsquo;re handling complex, multi-disciplinary tasks where single agents struggle. If you&amp;rsquo;re already on AWS and Bedrock, integration is straightforward. You need comfort with tmux and orchestration concepts.&lt;/p>
&lt;p>Skip it if your tasks are straightforward. If you&amp;rsquo;re not on AWS or want to avoid lock-in, skip it. If you need something polished, this isn&amp;rsquo;t it.&lt;/p>
&lt;p>For most developers, single-agent tools remain the right choice. For teams tackling large-scale modernizations or complex migrations, CAO offers a pattern worth exploring.&lt;/p>
&lt;p>Check out the &lt;a
href="https://github.com/awslabs/cli-agent-orchestrator"
target="_blank"
>GitHub repository&lt;/a> and the &lt;a
href="https://aws.amazon.com/blogs/opensource/introducing-cli-agent-orchestrator-transforming-developer-cli-tools-into-a-multi-agent-powerhouse/"
target="_blank"
>AWS blog post&lt;/a>.&lt;/p>
&lt;p>The future of AI tooling is coordination, not just capability. CAO is AWS&amp;rsquo;s bet on how that works. Whether it becomes standard or just one experiment, the pattern it represents is where things are headed.&lt;/p></content:encoded><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://pinishv.com/articles/cli-agent-orchestrator-when-one-agent-isnt-enough/feature.png"/></item></channel></rss>