← nori

Nori Weekly: Multi-Provider Support, MCP Integrations, and 47 Bugfixes

Choose Your Fighter: Multi-Provider Support

Sessions now supports Claude, Codex, and Gemini as first-class agent providers. Each gets proper OAuth credential handling: upload your Codex or Gemini OAuth creds the same way you do Claude's, and the broker distributes them to every sprite in your fleet automatically.

Per-thread agents stay on their original provider even if you change the default, so switching mid-flight won't derail anyone's session.

Fleet Reliability: No More Infinite Waits

A single hung sprite provision used to block all fleet scaling. One stuck VM, the whole fleet frozen for 90+ minutes in the worst case. That's fixed now.

• Provisioning has a configurable timeout (default: 5 minutes) that kills stalled provisions
• The fleet dashboard now shows an inline alert when bootstrap failures are blocking scaling
• Orphaned sprites are caught and cleaned up via a new swap-and-sweep reconciliation pass
• A race condition that let two cron triggers claim the same sprite has been mutex'd away

MCP Integrations

Sessions now supports MCP integrations as a first-class feature. Any OAuth provider that supports dynamic client registration is automatically supported. Connect once, and every session in your fleet gets access.

Sentry is the first one-click MCP provider: your agents can query Sentry issues directly via OAuth without any manual configuration.

The Bugfix Buffet

Sessions saw a lot of fixes this week. The highlights:

• Popup blocker dodge: "New Session" now opens the tab synchronously before the API call, so browsers don't block it
• Slack thread context: Bot messages, /me messages, file shares, and thread broadcasts are no longer filtered out
• Error messages with details: JSON-RPC errors now preserve the .data field, so you see "You exceeded your quota" instead of "Internal error"
• ACP turn recovery: In-flight prompts now survive brief transport reconnects instead of silently dropping
• MCP config in the right place: Moved from settings.json (which Claude Code ignores) to .mcp.json (which it reads)
• Full-width log viewing: A new /api/logs endpoint queries VictoriaLogs on the broker. Log viewing is now available to any org member.

Bring Your Own Agent

The CLI now supports registering custom ACP agents via config.toml. If you're building your own agent, or running Mistral Vibe, ElizACP, Kimi, or anything else that speaks ACP, you can plug it in alongside the built-in providers. See the BYOA documentation for setup details.

Performance: No More Polling

The TUI was spawning nori-skillsets --version as a Node.js subprocess every 5 seconds to refresh the footer. With multiple sessions, that adds up fast. It's now event-driven: the footer only refreshes on startup, message submit, task completion, or directory change. The version result is cached for the lifetime of the process.

CLI Fixes

• Cancel, then keep going: Cancelling a turn and then sending a follow-up used to produce an empty response. The ACP layer now absorbs stale cancel-tail responses and retries until real work begins.
• Session usage in the footer: Token counts and cost now display in the footer's context segment instead of as a verbose line in the transcript. Less noise, same info.

API Keys for Programmatic Access

The registrar now supports org-scoped API keys. Create one from Admin Settings, use it in CI/CD pipelines, and authenticate without an interactive Firebase login. Keys are SHA-256 hashed at rest, and the raw token is shown exactly once.

The token format embeds the org ID (nori_<orgId>_<hex>) so you can tell at a glance which org a key belongs to. Legacy tokens still work.

Per-File Diffs in Collision Responses

When a skill upload hits a 409 conflict, the registrar now computes a per-file change list. The publish UI renders "View Diff" controls for each modified file , not just SKILL.md, but supporting scripts, prompts, and assets too.

Registrar Fixes

• Search no longer crashes on special characters: Searching for skills with =, /, or other special characters used to throw an FTS5 syntax error. A new whitelist regex sanitizes queries to only allow letters, numbers, and underscores.
• Weekly digest email redesign: Dark header bar, inline Nori logo, green accent bar, and a new "Changes" column showing what each suggestion actually modified.

Single Skill Uploads

New command: sks upload-skill <skill>. Publish a single skill from your profile without uploading the entire skillset. Includes collision detection, version bump prompts, and auto-syncs your local nori.json version after success.

API Token Auth Everywhere

Following the registrar's new API key support, sks login now offers three auth methods interactively: Email/Password, Google SSO, and API Token. You can also pass --token on the command line or set NORI_API_TOKEN in your environment.

All org-scoped commands (download, upload, search, and the new upload-skill) now accept API tokens. Previously, token auth worked for login but then every other command said "not found" because it only checked for a refresh token.

Conflict Resolution That Actually Resolves

Two fixes here. First: picking "Use Existing" on a conflict now actually overwrites your local file with the registry's version. Before, it only updated nori.json, so re-running upload would hit the same conflict again forever. Second: subagent conflicts were being silently misrouted because the CLI expected a field name the server never sent, causing an infinite retry loop.