research

Claude Code CLI capability audit — unexploited surface (v2.1.202)

Jul 14, 2026

Date: 2026-07-07 · Installed CLI: 2.1.202 (native binary, ~/.local/share/claude/versions/2.1.202, 243MB) Method: claude --help + subcommand helps run live; rg -a string-mining of the 2.1.202 binary; live docs fetch (code.claude.com/docs + GitHub CHANGELOG.md via research subagent); web/X research for Claude Tag. Evidence tags: [docs] = official documentation · [strings] = binary strings, behavior inferred, speculative until tested · [live] = verified by running it on this machine during this audit.

Scope filter: this doc deliberately skips what the system already exploits (loop-engineering + /loops, /goal + /schedule doctrine, extract-approach, routing matrix, Mission Control reading `/.claude`, cmux hooks, pxpipe, channels/Monitor, the agent-teams flag itself).


1. "Claude Tag" — RESOLVED

It is not a codename and not CLI infrastructure. "Claude Tag" is a shipped Anthropic product (beta ~June 23–24, 2026, Enterprise/Team): Claude as a persistent, @-taggable teammate in Slack.

  • Official: anthropic.com/news/introducing-claude-tag. One shared Claude per workspace — "anyone can see what it's working on, and can pick up the conversation from where the last person left off" (the multiplayer part).
  • The "agents waking themselves" part is explicit in Anthropic's copy: with ambient behavior enabled, Claude "can also schedule tasks for itself, pursuing a project autonomously over hours or days," responds in channels without being tagged, follows up across channels proactively, and can wait days on a blocking dependency before acting. Coverage: Latent Space — "Claude Tag: Multiplayer, Proactive, Persistent Agents in Slack" (also: tags coworkers who own related code, watches thresholds, monitors A/B tests over days). Identity angle: it runs under its own service-account identity, not impersonating a user (Help Net Security).
  • Thariq Shihipar connection confirmed: he promoted it at launch — thread at x.com/trq212/status/2069474335656694003 ("Claude Tag is an incredible new form factor for agents… best practices 🧵"). Anthropic claims 65% of its product team's PRs go through their internal instance. We did not find a distinct stage-talk transcript; the on-stage mention almost certainly covered this same launch.
  • CLI tie-in [strings][live]: the bundled claude-code-guide skill ships an offline reference references/claude-tag.md inside the binary, and /install-slack-app is the CLI entry point. So the CLI can answer "what is Claude Tag" and install the Slack app, but the CLI itself is not Claude Tag.

Exploit: the underlying primitives (self-scheduling, ambient wake, shared visibility) exist locally too — see §2. For actual Claude Tag: it's Enterprise/Team-gated, so not usable on this Max plan today; the OpenClaw gateway + channels already cover the "persistent agent in chat" slot. Park it; revisit if it reaches Max plans.


2. Self-waking machinery in the local CLI (the biggest unexploited lane)

The CLI has a whole "kairos" subsystem [strings] (feature gates tengu_kairos_cron, tengu_kairos_loop_dynamic, tengu_kairos_push_notifications, tengu_kairos_input_needed_push, tengu_kairos_brief) for agents that schedule their own future invocations:

  • ScheduleWakeup tool [strings] — the model schedules its own next wakeup inside a loop: tool result reads "Next wakeup scheduled for X (in Ns). Nothing more to do this turn — the harness re-invokes you when the wakeup fires or a task-notification arrives." Supports ScheduleWakeup({stop:true}) to end the loop; dynamic wakeups are clamped (recurring cap 30min, one-shot ≤90s floor rules in wV config). This is what makes /loop self-pacing. Env knobs: CLAUDE_CODE_LOOP_KEEPALIVE, CLAUDE_CODE_LOOP_PERSISTENT [strings].
  • In-session cron tools: CronCreate / CronList / CronDelete [strings] — "Schedule a prompt to run at a future time — either recurring on a cron schedule, or once at a specific time. Pass durable: true to persist to .claude/scheduled_tasks.json; otherwise session-only." Durable jobs survive restarts; lock file ~/.claude/scheduled_tasks.lock exists on this machine [live]. Kill switch: CLAUDE_CODE_DISABLE_CRON. This is distinct from /schedule cloud routines (those live in ~/.claude/routines/.state/ [strings]) — cron jobs are local, per-session-or-durable, and the model can create them mid-task.
  • asyncRewake hooks [strings] — hooks can declare async: true + asyncRewake, run in the background, and re-invoke Claude when they exit with rewakeMessage (injected) and rewakeSummary (one-line shown in terminal when the async hook exits code 2). I.e., a hook can watch something slow (CI, a deploy, a render) and wake the session when it resolves — no polling loop burning turns.
  • Away summary [strings]CLAUDE_CODE_ENABLE_AWAY_SUMMARY / settings awaySummaryEnabled (gate tengu_sedge_lantern): a summary generated for when you come back; skipped if a loop wakeup is pending. Related: /recap [docs].
  • Proactive assistant mode [strings]CLAUDE_CODE_PROACTIVE flips the REPL into assistantMode (output style "Proactive"; /loop has alias /proactive per docs). Skills invoked without user ask are telemetred as claude-proactive. Speculative: this looks like the local sibling of Claude Tag's ambient mode.
  • Push notifications [docs][strings] — mobile push when input is needed (tengu_kairos_input_needed_push, settings agentPushNotifEnabled, inputNeededNotifEnabled; "Allow Claude to push proactive mobile notifications"). CLAUDE_CLIENT_PRESENCE_FILE (v2.1.181) suppresses pushes while you're at the machine.

Exploit (workflow): replace the heaviest /loops crontab-style scaffolding with model-owned scheduling: long runs create durable CronCreate jobs for their own follow-ups ("check the CI result at :30"), and slow externals move to asyncRewake hooks instead of poll loops. This directly cuts turn burn on unattended runs while keeping the hard-cap doctrine (cap still lives in the finish condition). Exploit (Mission Control): parse .claude/scheduled_tasks.json (per-project) + `/.claude/routines/` and render a "What wakes up next" timeline — every pending wakeup/cron/routine across projects, with kill buttons. Nothing in the current app shows future scheduled work.


3. Sessions/PID registry + the bridge (question answered)

  • ~/.claude/sessions/<pid>.json [live] — one JSON per live CLI process: {pid, sessionId, cwd, startedAt, procStart, version, peerProtocol, kind (interactive|background|daemon|peer|remote), entrypoint, name, status (busy|idle|waiting), statusUpdatedAt, bridgeSessionId}. This is the real-time registry Mission Control should watch (it's small, updated on status change; procStart guards against PID reuse).
  • claude agents --json [live] — supported scripting API over that registry: returns all active sessions incl. status, state: "blocked", and waitingFor: "permission prompt". --all includes completed; --cwd <path> filters. Works without a TTY.
  • The bridge = the claude.ai session ingress. bridgeSessionId (format session_01…) is the claude.ai-side ID a CLI session registers under (registerBridgeEnvironment, sessionIngressUrl, apiBaseUrl in [strings]; [live]: this audit's own session carries one, matching its claude.ai/code URL). It's what Remote Control / claude.ai/code / mobile use to see and steer a terminal session. Supporting cast: outboundOnly = view-only ("This session is outbound-only. Enable Remote Control locally to allow inbound control." [strings]); /teleport pulls a web session into the terminal [docs]; transcripts carry bridge-session records with lastSequenceNum for resume; $CLAUDE_CODE_BRIDGE_SESSION_ID is exported to hooks during RC (v2.1.199 [docs]); CLAUDE_CODE_FORCE_BRIDGE [strings] looks like a force-on switch (untested). Session titles and prompt-bar colors sync to the bridge (updateBridgeSessionTitle, updateBridgeSessionColorTag [strings]), so /color and -n names are visible on claude.ai.
  • Background-agent daemon [live]~/.claude/daemon/ (roster.json, dispatch/, control.key) + daemon.status.json + daemon.log: a supervisor (control socket at /tmp/cc-daemon-501/…/control.sock) that adopts/respawns background workers and keeps pre-warmed "spare" host processes for instant dispatch. claude --bg, /background, and /exit-detach all land here. Dispatch records show full launch config incl. injected hook settings — cmux's hooks ride along into background agents [live].

Exploit (Mission Control): switch the session list to ~/.claude/sessions/*.json (or claude agents --json on a timer) as the primary live feed — it gives busy/idle/waiting-on-permission per session, which enables the highest-value feature the app lacks: a "3 sessions blocked on permission prompts" attention row. For each session with a bridgeSessionId, deep-link "Open on claude.ai" (mobile steering). Read daemon/roster.json for a background-agents pane with PID health.


4. Teams / multiplayer mechanics (beyond the known flag)

Flag itself is known; the unexploited details:

  • Wire-level tools [strings]: TeamCreate/TeamDelete, SendMessage, TaskCreate/TaskUpdate/TaskList/TaskGet. Teammate messages carry {from, text, summary, timestamp, color} and retryWake.emit() — messaging an idle teammate wakes it (in-CLI multiplayer wake, same shape as Claude Tag's). Task list persists at ~/.claude/tasks/{team}/, team state at ~/.claude/teams/{team}/config.json [docs].
  • Team hooks [docs]: TeammateIdle (exit 2 = keep working — a "not done yet" gate per teammate), TaskCreated, TaskCompleted (exit 2 = block completion — enforce paste-proof finish conditions mechanically, per the standing "hook enforcement > prompt prose" rule in CLAUDE.md).
  • Observer agents [strings], undocumented: CLAUDE_CODE_EXPERIMENTAL_OBSERVER_AGENTS + gate tengu_observer_agents_enabled; an agent definition can declare an observer that auto-spawns to watch it (no chaining — observers can't observe observers). Requires background tasks enabled. Speculative but the code path is complete.
  • Display/infra [docs][strings]: teammateMode setting (in-process|auto|tmux|iterm2), tmux session prefix claude-swarm, CLAUDE_CODE_TEAMMATE_COMMAND (override the binary teammates launch with — e.g. route teammates through a wrapper). Coordinator knobs [strings]: CLAUDE_CODE_COORDINATOR_MODE, CLAUDE_CODE_COORDINATOR_EXTRA_TOOLS.
  • Known limits [docs]: no nested teams, no /resume of in-process teammates, one team per session.

Exploit (workflow): the PreToolUse fan-out-cap hook that CLAUDE.md says "until that hook lands" — pair it with TaskCompleted exit-2 as the done-means-proven gate on team runs; use CLAUDE_CODE_TEAMMATE_COMMAND to pin teammate model/effort/pxpipe wrapping at spawn instead of trusting prompt prose. Exploit (Mission Control): render ~/.claude/tasks/{team}/ as a live kanban per team (claimed/blocked/done), and surface teammate mailbox summaries — that's the multiplayer view no terminal shows.


5. Checkpoints / rewind

All [docs] unless noted: /rewind (Esc Esc) restores code, conversation, or both to any checkpoint, and can "summarize from/to point" (selective context compression, cheaper than /compact); file snapshots are automatic per user-prompt (file-history-snapshot records in transcript [strings], data in ~/.claude/file-history/ [live]), retained cleanupPeriodDays (default 30). /branch [name] forks the conversation in place; --fork-session does it at the CLI; v2.1.191+ can rewind past /clear into the previous session. SDK checkpointing exists behind CLAUDE_CODE_ENABLE_SDK_FILE_CHECKPOINTING [strings]. Kill switch: CLAUDE_CODE_DISABLE_FILE_CHECKPOINTING.

Exploit: add "rewind, then re-run with a smarter model" to the escalation doctrine — today escalation re-prompts from scratch; /rewind (code+conversation) + /model opus replays the exact decision point. Mission Control: file-history is per-session on disk — a "what did this session change, snapshot by snapshot" diff viewer needs no new instrumentation.


6. Sandboxing (mature and unused here)

[docs] OS-level sandbox (macOS Seatbelt): sandbox.enabled, filesystem allowWrite/denyWrite/denyRead/allowRead, network default-deny with per-domain prompts (sandbox.network.allowedDomains), and v2.1.199's credential maskingsandbox.credentials.envVars mode "mask" replaces secrets with per-session sentinels, injecting real values only on requests to injectHosts (requires network.tlsTerminate). excludedCommands for things like docker; allowUnsandboxedCommands: false for strict mode; autoAllowBashIfSandboxed [strings] auto-approves sandboxed bash. --allow-dangerously-skip-permissions (make bypass available without defaulting to it) pairs naturally with sandbox for unattended runs.

Exploit: this is the missing safety layer for the unattended-runs doctrine: nightly /goal runs (income engine, crypto sweeps) should run sandbox.enabled + domain allowlist + masked ANTHROPIC_API_KEY/fleet keys, replacing trust-the-prompt with OS enforcement. One-time setup via /sandbox, per-project settings.


7. Unexploited flags, commands, env vars (grab bag, one line each)

CLI flags [live help]:

  • --bg / /background — detach any run as a background agent under the daemon; manage with claude agents. Exploit: launch loop runs with --bg instead of tmux windows; Mission Control gets them for free via §3.
  • --brief + SendUserMessage tool ([strings] incl. BRIEF_PROACTIVE_SECTION, "Pewter Owl" tool variant CLAUDE_CODE_PEWTER_OWL[_TOOL] — experimental brief upgrade, speculative) — agent proactively messages the user mid-run. Exploit: turn on for walk-away runs so progress pings arrive without polling.
  • --max-budget-usd <amt> (print mode) — hard dollar cap per run. Exploit: add to every unattended launcher in ~/loops; it's the missing cost hard-cap next to turn/wall-clock caps.
  • --json-schema <schema> — structured output with validation in -p mode. Exploit: make loop verifiers/judges emit machine-checkable verdicts instead of prose-grepping.
  • --fallback-model a,b (print mode) — ordered fallback on overload; retries primary each turn. Exploit: wire into launchers to fix the "fallbacks: []" outage-stall noted for OpenClaw fan-outs (at least for CLI-side runs).
  • --bare — no hooks/plugins/CLAUDE.md/keychain; explicit context only. Exploit: the cheap deterministic executor for pipeline glue (pairs with pxpipe); also isolates auth to ANTHROPIC_API_KEY.
  • --safe-mode — all customizations off; for debugging broken config. --from-pr <n> — resume the session that made a PR. -n <name> / /rename — names show in /resume, terminal title, and on the bridge. --effort xhigh|max, --tmux (+-w worktrees), --prompt-suggestions, --exclude-dynamic-system-prompt-sections (cache-friendly system prompt), --include-hook-events (hook lifecycle in stream-json — Mission Control could tail this for live hook telemetry).
  • CLAUDE_CODE_TAGS [strings] — free-form tags attached to session telemetry/metadata (with CLAUDE_CODE_SESSION_NAME, CLAUDE_CODE_SESSION_KIND). Not the Claude Tag product. Exploit: launchers set CLAUDE_CODE_TAGS=loop:<name> so Mission Control can group sessions by originating loop.

Commands [docs]: /cd (move session, keep cache — stop killing sessions to change repo), /fork <directive> (subagent with full conversation context — cheaper than re-briefing), /btw (side question, zero context pollution), /batch (worktree-isolated parallel edits), stacked skills /a /b /c args (v2.1.199, ≤6), /insights, /usage, /context all, claude plugin eval (A/B-grade your own skills — run against loop-engineering/graphify to tune trigger descriptions), claude auto-mode critique (AI feedback on custom auto-mode permission rules), claude project purge (state hygiene for the disk-cleanup habit), claude ultrareview --json (cloud multi-agent review, scriptable).

Hook events beyond the ones in use [docs]: PermissionRequest/PermissionDenied, PostToolUseFailure, PostCompact, SubagentStart, FileChanged, CwdChanged, ConfigChange, WorktreeCreate/Remove, StopFailure, UserPromptExpansion, plus handler types http, mcp_tool, prompt (LLM yes/no), agent. Exploit: a PermissionRequest hook that pings the phone (or Mission Control via HTTP handler) is the cleanest "session blocked" alert — no transcript tailing.


8. Strings-only curiosities (flagged, not recommended)

Purely [strings], undocumented, may be internal/flagged-off: CLAUDE_CODE_SHOJI_ENGINE (alt TUI engine?), CLAUDE_CODE_IS_COWORK / USE_COWORK_PLUGINS (Claude Desktop "cowork" mode; disables skill shell execution), CLAUDE_CODE_ENABLE_XAA, ENABLE_CFC, ENABLE_TASKS (a task system default-on gate), LAUNCH_COMPOSER, PLAN_V2_(EXPLORE_)AGENT_COUNT (plan-mode fan-out sizing), INVESTIGATE_FIRST, OWNERSHIP_FRAME, IDLE_THRESHOLD_MINUTES/IDLE_TOKEN_THRESHOLD + RESUME_* (auto-resume heuristics), MAX_TOOL_USE_CONCURRENCY, AUTO_BACKGROUND_TIMEOUT_MS, FABLE_BRIDGE_DIALOG_TIMEOUT_MS, skill-watcher-idle-wake. Watch these across changelogs; do not build on them yet.


9. Top 5 actions (ranked by leverage)

  1. Mission Control: adopt ~/.claude/sessions/*.json + claude agents --json as the live feed → busy/idle/waiting-on-permission board with bridge deep-links (§3). Highest value, zero new instrumentation.
  2. Wire asyncRewake hooks + durable CronCreate into the loop scaffold; kill poll-loops (§2).
  3. Sandbox + --max-budget-usd on every unattended launcher — OS-enforced safety + cost hard-cap (§6, §7).
  4. TaskCompleted/TeammateIdle exit-2 hooks as the mechanical done-means-proven gate for team runs (§4).
  5. "What wakes up next" timeline in Mission Control from scheduled_tasks.json + routines state (§2).

Sources

  • Local: claude --help, claude agents/auto-mode/project/plugin/mcp/ultrareview --help (v2.1.202, run 2026-07-07); rg -a over ~/.local/share/claude/versions/2.1.202; live files under ~/.claude/ (sessions/, daemon/, daemon.status.json, scheduled_tasks.lock, file-history/).
  • Docs (fetched live 2026-07-07 by research subagent): code.claude.com/docs/en/{hooks, settings, sandboxing, checkpointing, agent-teams, sessions, headless, plugins, skills, remote-control}; changelog via raw.githubusercontent.com/anthropics/claude-code/main/CHANGELOG.md (docs release-notes page 404s). Version attributions (e.g. v2.1.199 credential masking, v2.1.198 background-default subagents) are per that changelog.
  • Claude Tag: anthropic.com/news/introducing-claude-tag; latent.space/p/ainews-claude-tag-multiplayer-proactive; helpnetsecurity.com/2026/06/24/anthropic-claude-tag-agent-identity-model/; techrepublic.com/article/news-anthropic-claude-tag-ai-agent-slack/; x.com/trq212/status/2069474335656694003 (thread pulled via agent-reach/opencli).
  • Agent teams background: code.claude.com/docs/en/agent-teams (confirmed via web search 2026-07-07).

Honesty note: everything tagged [strings] is reverse-read from a minified binary; names are exact, semantics are best-effort inference and should be verified with a throwaway session before building on them. The docs-derived section came from a subagent reading live pages; spot-check any load-bearing flag before shipping.