Date: 2026-07-07 · Installed CLI: 2.1.202 (native binary, ~/.local/share/claude/versions/2.1.202, 243MB)
Method: claude --help + subcommand helps run live; rg -a string-mining of the 2.1.202 binary; live docs fetch (code.claude.com/docs + GitHub CHANGELOG.md via research subagent); web/X research for Claude Tag.
Evidence tags: [docs] = official documentation · [strings] = binary strings, behavior inferred, speculative until tested · [live] = verified by running it on this machine during this audit.
Scope filter: this doc deliberately skips what the system already exploits (loop-engineering + /loops, /goal + /schedule doctrine, extract-approach, routing matrix, Mission Control reading `/.claude`, cmux hooks, pxpipe, channels/Monitor, the agent-teams flag itself).
1. "Claude Tag" — RESOLVED
It is not a codename and not CLI infrastructure. "Claude Tag" is a shipped Anthropic product (beta ~June 23–24, 2026, Enterprise/Team): Claude as a persistent, @-taggable teammate in Slack.
- Official: anthropic.com/news/introducing-claude-tag. One shared Claude per workspace — "anyone can see what it's working on, and can pick up the conversation from where the last person left off" (the multiplayer part).
- The "agents waking themselves" part is explicit in Anthropic's copy: with ambient behavior enabled, Claude "can also schedule tasks for itself, pursuing a project autonomously over hours or days," responds in channels without being tagged, follows up across channels proactively, and can wait days on a blocking dependency before acting. Coverage: Latent Space — "Claude Tag: Multiplayer, Proactive, Persistent Agents in Slack" (also: tags coworkers who own related code, watches thresholds, monitors A/B tests over days). Identity angle: it runs under its own service-account identity, not impersonating a user (Help Net Security).
- Thariq Shihipar connection confirmed: he promoted it at launch — thread at x.com/trq212/status/2069474335656694003 ("Claude Tag is an incredible new form factor for agents… best practices 🧵"). Anthropic claims 65% of its product team's PRs go through their internal instance. We did not find a distinct stage-talk transcript; the on-stage mention almost certainly covered this same launch.
- CLI tie-in
[strings][live]: the bundledclaude-code-guideskill ships an offline referencereferences/claude-tag.mdinside the binary, and/install-slack-appis the CLI entry point. So the CLI can answer "what is Claude Tag" and install the Slack app, but the CLI itself is not Claude Tag.
Exploit: the underlying primitives (self-scheduling, ambient wake, shared visibility) exist locally too — see §2. For actual Claude Tag: it's Enterprise/Team-gated, so not usable on this Max plan today; the OpenClaw gateway + channels already cover the "persistent agent in chat" slot. Park it; revisit if it reaches Max plans.
2. Self-waking machinery in the local CLI (the biggest unexploited lane)
The CLI has a whole "kairos" subsystem [strings] (feature gates tengu_kairos_cron, tengu_kairos_loop_dynamic, tengu_kairos_push_notifications, tengu_kairos_input_needed_push, tengu_kairos_brief) for agents that schedule their own future invocations:
ScheduleWakeuptool[strings]— the model schedules its own next wakeup inside a loop: tool result reads "Next wakeup scheduled for X (in Ns). Nothing more to do this turn — the harness re-invokes you when the wakeup fires or a task-notification arrives." SupportsScheduleWakeup({stop:true})to end the loop; dynamic wakeups are clamped (recurring cap 30min, one-shot ≤90s floor rules inwVconfig). This is what makes/loopself-pacing. Env knobs:CLAUDE_CODE_LOOP_KEEPALIVE,CLAUDE_CODE_LOOP_PERSISTENT[strings].- In-session cron tools:
CronCreate/CronList/CronDelete[strings]— "Schedule a prompt to run at a future time — either recurring on a cron schedule, or once at a specific time. Passdurable: trueto persist to.claude/scheduled_tasks.json; otherwise session-only." Durable jobs survive restarts; lock file~/.claude/scheduled_tasks.lockexists on this machine[live]. Kill switch:CLAUDE_CODE_DISABLE_CRON. This is distinct from/schedulecloud routines (those live in~/.claude/routines/.state/[strings]) — cron jobs are local, per-session-or-durable, and the model can create them mid-task. asyncRewakehooks[strings]— hooks can declareasync: true+asyncRewake, run in the background, and re-invoke Claude when they exit withrewakeMessage(injected) andrewakeSummary(one-line shown in terminal when the async hook exits code 2). I.e., a hook can watch something slow (CI, a deploy, a render) and wake the session when it resolves — no polling loop burning turns.- Away summary
[strings]—CLAUDE_CODE_ENABLE_AWAY_SUMMARY/ settingsawaySummaryEnabled(gatetengu_sedge_lantern): a summary generated for when you come back; skipped if a loop wakeup is pending. Related:/recap[docs]. - Proactive assistant mode
[strings]—CLAUDE_CODE_PROACTIVEflips the REPL intoassistantMode(output style "Proactive";/loophas alias/proactiveper docs). Skills invoked without user ask are telemetred asclaude-proactive. Speculative: this looks like the local sibling of Claude Tag's ambient mode. - Push notifications
[docs][strings]— mobile push when input is needed (tengu_kairos_input_needed_push, settingsagentPushNotifEnabled,inputNeededNotifEnabled; "Allow Claude to push proactive mobile notifications").CLAUDE_CLIENT_PRESENCE_FILE(v2.1.181) suppresses pushes while you're at the machine.
Exploit (workflow): replace the heaviest /loops crontab-style scaffolding with model-owned scheduling: long runs create durable CronCreate jobs for their own follow-ups ("check the CI result at :30"), and slow externals move to asyncRewake hooks instead of poll loops. This directly cuts turn burn on unattended runs while keeping the hard-cap doctrine (cap still lives in the finish condition).
Exploit (Mission Control): parse /.claude/routines/` and render a "What wakes up next" timeline — every pending wakeup/cron/routine across projects, with kill buttons. Nothing in the current app shows future scheduled work..claude/scheduled_tasks.json (per-project) + `
3. Sessions/PID registry + the bridge (question answered)
~/.claude/sessions/<pid>.json[live]— one JSON per live CLI process:{pid, sessionId, cwd, startedAt, procStart, version, peerProtocol, kind (interactive|background|daemon|peer|remote), entrypoint, name, status (busy|idle|waiting), statusUpdatedAt, bridgeSessionId}. This is the real-time registry Mission Control should watch (it's small, updated on status change;procStartguards against PID reuse).claude agents --json[live]— supported scripting API over that registry: returns all active sessions incl.status,state: "blocked", andwaitingFor: "permission prompt".--allincludes completed;--cwd <path>filters. Works without a TTY.- The bridge = the claude.ai session ingress.
bridgeSessionId(formatsession_01…) is the claude.ai-side ID a CLI session registers under (registerBridgeEnvironment,sessionIngressUrl,apiBaseUrlin[strings];[live]: this audit's own session carries one, matching its claude.ai/code URL). It's what Remote Control / claude.ai/code / mobile use to see and steer a terminal session. Supporting cast:outboundOnly= view-only ("This session is outbound-only. Enable Remote Control locally to allow inbound control."[strings]);/teleportpulls a web session into the terminal[docs]; transcripts carrybridge-sessionrecords withlastSequenceNumfor resume;$CLAUDE_CODE_BRIDGE_SESSION_IDis exported to hooks during RC (v2.1.199[docs]);CLAUDE_CODE_FORCE_BRIDGE[strings]looks like a force-on switch (untested). Session titles and prompt-bar colors sync to the bridge (updateBridgeSessionTitle,updateBridgeSessionColorTag[strings]), so/colorand-nnames are visible on claude.ai. - Background-agent daemon
[live]—~/.claude/daemon/(roster.json,dispatch/,control.key) +daemon.status.json+daemon.log: a supervisor (control socket at/tmp/cc-daemon-501/…/control.sock) that adopts/respawns background workers and keeps pre-warmed "spare" host processes for instant dispatch.claude --bg,/background, and/exit-detach all land here. Dispatch records show full launch config incl. injected hook settings — cmux's hooks ride along into background agents[live].
Exploit (Mission Control): switch the session list to ~/.claude/sessions/*.json (or claude agents --json on a timer) as the primary live feed — it gives busy/idle/waiting-on-permission per session, which enables the highest-value feature the app lacks: a "3 sessions blocked on permission prompts" attention row. For each session with a bridgeSessionId, deep-link "Open on claude.ai" (mobile steering). Read daemon/roster.json for a background-agents pane with PID health.
4. Teams / multiplayer mechanics (beyond the known flag)
Flag itself is known; the unexploited details:
- Wire-level tools
[strings]:TeamCreate/TeamDelete,SendMessage,TaskCreate/TaskUpdate/TaskList/TaskGet. Teammate messages carry{from, text, summary, timestamp, color}andretryWake.emit()— messaging an idle teammate wakes it (in-CLI multiplayer wake, same shape as Claude Tag's). Task list persists at~/.claude/tasks/{team}/, team state at~/.claude/teams/{team}/config.json[docs]. - Team hooks
[docs]:TeammateIdle(exit 2 = keep working — a "not done yet" gate per teammate),TaskCreated,TaskCompleted(exit 2 = block completion — enforce paste-proof finish conditions mechanically, per the standing "hook enforcement > prompt prose" rule in CLAUDE.md). - Observer agents
[strings], undocumented:CLAUDE_CODE_EXPERIMENTAL_OBSERVER_AGENTS+ gatetengu_observer_agents_enabled; an agent definition can declare anobserverthat auto-spawns to watch it (no chaining — observers can't observe observers). Requires background tasks enabled. Speculative but the code path is complete. - Display/infra
[docs][strings]:teammateModesetting (in-process|auto|tmux|iterm2), tmux session prefixclaude-swarm,CLAUDE_CODE_TEAMMATE_COMMAND(override the binary teammates launch with — e.g. route teammates through a wrapper). Coordinator knobs[strings]:CLAUDE_CODE_COORDINATOR_MODE,CLAUDE_CODE_COORDINATOR_EXTRA_TOOLS. - Known limits
[docs]: no nested teams, no/resumeof in-process teammates, one team per session.
Exploit (workflow): the PreToolUse fan-out-cap hook that CLAUDE.md says "until that hook lands" — pair it with TaskCompleted exit-2 as the done-means-proven gate on team runs; use CLAUDE_CODE_TEAMMATE_COMMAND to pin teammate model/effort/pxpipe wrapping at spawn instead of trusting prompt prose.
Exploit (Mission Control): render ~/.claude/tasks/{team}/ as a live kanban per team (claimed/blocked/done), and surface teammate mailbox summaries — that's the multiplayer view no terminal shows.
5. Checkpoints / rewind
All [docs] unless noted: /rewind (Esc Esc) restores code, conversation, or both to any checkpoint, and can "summarize from/to point" (selective context compression, cheaper than /compact); file snapshots are automatic per user-prompt (file-history-snapshot records in transcript [strings], data in ~/.claude/file-history/ [live]), retained cleanupPeriodDays (default 30). /branch [name] forks the conversation in place; --fork-session does it at the CLI; v2.1.191+ can rewind past /clear into the previous session. SDK checkpointing exists behind CLAUDE_CODE_ENABLE_SDK_FILE_CHECKPOINTING [strings]. Kill switch: CLAUDE_CODE_DISABLE_FILE_CHECKPOINTING.
Exploit: add "rewind, then re-run with a smarter model" to the escalation doctrine — today escalation re-prompts from scratch; /rewind (code+conversation) + /model opus replays the exact decision point. Mission Control: file-history is per-session on disk — a "what did this session change, snapshot by snapshot" diff viewer needs no new instrumentation.
6. Sandboxing (mature and unused here)
[docs] OS-level sandbox (macOS Seatbelt): sandbox.enabled, filesystem allowWrite/denyWrite/denyRead/allowRead, network default-deny with per-domain prompts (sandbox.network.allowedDomains), and v2.1.199's credential masking — sandbox.credentials.envVars mode "mask" replaces secrets with per-session sentinels, injecting real values only on requests to injectHosts (requires network.tlsTerminate). excludedCommands for things like docker; allowUnsandboxedCommands: false for strict mode; autoAllowBashIfSandboxed [strings] auto-approves sandboxed bash. --allow-dangerously-skip-permissions (make bypass available without defaulting to it) pairs naturally with sandbox for unattended runs.
Exploit: this is the missing safety layer for the unattended-runs doctrine: nightly /goal runs (income engine, crypto sweeps) should run sandbox.enabled + domain allowlist + masked ANTHROPIC_API_KEY/fleet keys, replacing trust-the-prompt with OS enforcement. One-time setup via /sandbox, per-project settings.
7. Unexploited flags, commands, env vars (grab bag, one line each)
CLI flags [live help]:
--bg//background— detach any run as a background agent under the daemon; manage withclaude agents. Exploit: launch loop runs with--bginstead of tmux windows; Mission Control gets them for free via §3.--brief+ SendUserMessage tool ([strings]incl.BRIEF_PROACTIVE_SECTION, "Pewter Owl" tool variantCLAUDE_CODE_PEWTER_OWL[_TOOL]— experimental brief upgrade, speculative) — agent proactively messages the user mid-run. Exploit: turn on for walk-away runs so progress pings arrive without polling.--max-budget-usd <amt>(print mode) — hard dollar cap per run. Exploit: add to every unattended launcher in ~/loops; it's the missing cost hard-cap next to turn/wall-clock caps.--json-schema <schema>— structured output with validation in-pmode. Exploit: make loop verifiers/judges emit machine-checkable verdicts instead of prose-grepping.--fallback-model a,b(print mode) — ordered fallback on overload; retries primary each turn. Exploit: wire into launchers to fix the "fallbacks: []" outage-stall noted for OpenClaw fan-outs (at least for CLI-side runs).--bare— no hooks/plugins/CLAUDE.md/keychain; explicit context only. Exploit: the cheap deterministic executor for pipeline glue (pairs with pxpipe); also isolates auth toANTHROPIC_API_KEY.--safe-mode— all customizations off; for debugging broken config.--from-pr <n>— resume the session that made a PR.-n <name>//rename— names show in/resume, terminal title, and on the bridge.--effort xhigh|max,--tmux(+-wworktrees),--prompt-suggestions,--exclude-dynamic-system-prompt-sections(cache-friendly system prompt),--include-hook-events(hook lifecycle in stream-json — Mission Control could tail this for live hook telemetry).CLAUDE_CODE_TAGS[strings]— free-form tags attached to session telemetry/metadata (withCLAUDE_CODE_SESSION_NAME,CLAUDE_CODE_SESSION_KIND). Not the Claude Tag product. Exploit: launchers setCLAUDE_CODE_TAGS=loop:<name>so Mission Control can group sessions by originating loop.
Commands [docs]: /cd (move session, keep cache — stop killing sessions to change repo), /fork <directive> (subagent with full conversation context — cheaper than re-briefing), /btw (side question, zero context pollution), /batch (worktree-isolated parallel edits), stacked skills /a /b /c args (v2.1.199, ≤6), /insights, /usage, /context all, claude plugin eval (A/B-grade your own skills — run against loop-engineering/graphify to tune trigger descriptions), claude auto-mode critique (AI feedback on custom auto-mode permission rules), claude project purge (state hygiene for the disk-cleanup habit), claude ultrareview --json (cloud multi-agent review, scriptable).
Hook events beyond the ones in use [docs]: PermissionRequest/PermissionDenied, PostToolUseFailure, PostCompact, SubagentStart, FileChanged, CwdChanged, ConfigChange, WorktreeCreate/Remove, StopFailure, UserPromptExpansion, plus handler types http, mcp_tool, prompt (LLM yes/no), agent. Exploit: a PermissionRequest hook that pings the phone (or Mission Control via HTTP handler) is the cleanest "session blocked" alert — no transcript tailing.
8. Strings-only curiosities (flagged, not recommended)
Purely [strings], undocumented, may be internal/flagged-off: CLAUDE_CODE_SHOJI_ENGINE (alt TUI engine?), CLAUDE_CODE_IS_COWORK / USE_COWORK_PLUGINS (Claude Desktop "cowork" mode; disables skill shell execution), CLAUDE_CODE_ENABLE_XAA, ENABLE_CFC, ENABLE_TASKS (a task system default-on gate), LAUNCH_COMPOSER, PLAN_V2_(EXPLORE_)AGENT_COUNT (plan-mode fan-out sizing), INVESTIGATE_FIRST, OWNERSHIP_FRAME, IDLE_THRESHOLD_MINUTES/IDLE_TOKEN_THRESHOLD + RESUME_* (auto-resume heuristics), MAX_TOOL_USE_CONCURRENCY, AUTO_BACKGROUND_TIMEOUT_MS, FABLE_BRIDGE_DIALOG_TIMEOUT_MS, skill-watcher-idle-wake. Watch these across changelogs; do not build on them yet.
9. Top 5 actions (ranked by leverage)
- Mission Control: adopt
~/.claude/sessions/*.json+claude agents --jsonas the live feed → busy/idle/waiting-on-permission board with bridge deep-links (§3). Highest value, zero new instrumentation. - Wire
asyncRewakehooks + durableCronCreateinto the loop scaffold; kill poll-loops (§2). - Sandbox +
--max-budget-usdon every unattended launcher — OS-enforced safety + cost hard-cap (§6, §7). TaskCompleted/TeammateIdleexit-2 hooks as the mechanical done-means-proven gate for team runs (§4).- "What wakes up next" timeline in Mission Control from
scheduled_tasks.json+ routines state (§2).
Sources
- Local:
claude --help,claude agents/auto-mode/project/plugin/mcp/ultrareview --help(v2.1.202, run 2026-07-07);rg -aover~/.local/share/claude/versions/2.1.202; live files under~/.claude/(sessions/, daemon/, daemon.status.json, scheduled_tasks.lock, file-history/). - Docs (fetched live 2026-07-07 by research subagent): code.claude.com/docs/en/{hooks, settings, sandboxing, checkpointing, agent-teams, sessions, headless, plugins, skills, remote-control}; changelog via raw.githubusercontent.com/anthropics/claude-code/main/CHANGELOG.md (docs release-notes page 404s). Version attributions (e.g. v2.1.199 credential masking, v2.1.198 background-default subagents) are per that changelog.
- Claude Tag: anthropic.com/news/introducing-claude-tag; latent.space/p/ainews-claude-tag-multiplayer-proactive; helpnetsecurity.com/2026/06/24/anthropic-claude-tag-agent-identity-model/; techrepublic.com/article/news-anthropic-claude-tag-ai-agent-slack/; x.com/trq212/status/2069474335656694003 (thread pulled via agent-reach/opencli).
- Agent teams background: code.claude.com/docs/en/agent-teams (confirmed via web search 2026-07-07).
Honesty note: everything tagged [strings] is reverse-read from a minified binary; names are exact, semantics are best-effort inference and should be verified with a throwaway session before building on them. The docs-derived section came from a subagent reading live pages; spot-check any load-bearing flag before shipping.