Dammon Burden

1/ Claude Code quietly shipped 2.1.167 → 2.1.173. I carved the embedded JS bundle out of the binary with Phora and diffed it against the old build — 9,699 new strings, 72 new telemetry events. Here's everything that's NOT in the changelog 🧵 2/ 🪄 The big one: when a model REFUSES, the CLI now rewrites your transcript. It doesn't just swap models (that's old) — it now *retracts* the refused messages from the visible chat AND the saved history, tombstones them, and stitches the fallback answer in their place. 3/ The leaked schema comment says it plainly: "Evict the named messages on arrival and treat this frame as their canonical replacement… retracted_message_uuids remains the complete audit record for the turn." There's even a log line: "server_fallback: silent stitch already pending — skipping." 4/ 🏳️ New server-driven fallback protocol, codename "rotunda_pennant." The API can embed a {type:"fallback", from, to} sentinel that forces a model swap server-side — bypassing the client's own refusal check. 9 new events for its lifecycle: materialized → applied → tools → replay → strip. 5/ 💳 "Fallback credits." On a fallback the server mints an opaque fallback_credit_token (≤2048 chars) that the client echoes on the retry so you're not double-billed. Full error taxonomy: credit_expired, credit_wrong_org, credit_malformed… Billing plumbing for the refusal path. 6/ 📤 A hidden "Artifact" tool (codename Cobalt Plinth). Publish a local .html/.md to a hosted https://t.co/IDZ5YgAQho "Frame" page via /api/frame/deploy. Gated behind a feature flag + org policy, first-party only, blocked on Pro/Max. 4 new env vars: CLAUDE_CODE_ARTIFACT_AUTO_OPEN / _DIRECT_UPLOAD / _MCP / DISABLE_ARTIFACT. 7/ 🤖 "amber_sextant" — a server-toggled flag (default ON) that injects an "operating autonomously" system prompt into headless runs: "You are operating autonomously… asking 'Want me to…?' or 'Shall I…?' will block the work." 8/ 🛡️ Real security upgrade: WebFetch URL provenance. The model can no longer fetch a URL that didn't come from YOUR message or a prior fetch result (PROVENANCE_REQUIRED / provenance_denied). Direct anti-prompt-injection / exfiltration defense. Plus a server-side fetch proxy (WEBFETCH_USE_CCR_PROXY). 9/ 🧨 Dormant kill-switch: ant_yolo_equiv_strip_config. When Anthropic flips it server-side, it will strip blanket Bash(*) allow-rules out of your config. Right now it's off — just measuring how many people have wide-open allow rules (tengu_ant_overly_broad_bash_detected). 10/ 🔌 Background agents got real socket auth. Three channels — CLAIM / PTY / RV (Rendezvous) — each with a per-spawn 128-bit token, timingSafeEqual, delivered via a one-shot 0600 file then scrubbed from the env. The backbone for the new "sub-agents spawn sub-agents, 5 deep." 11/ 🔭 Nerdy leftovers: • remote workers can park a blocking question to YOU (5-min fail-closed timeout) • "auto mode" permission-classifier knobs (sibling-context, temperature) • ASSUME_FIRST_PARTY_BASE_URL (treat any endpoint as 1p) • force-uninstall of delisted plugins • new surfaces: claude-in-slack, claude-coworker 12/ Method: Phora to locate + carve the 149 MB embedded Bun JS bundle, strings/JS diff, 8 parallel RE agents (each spawning sub-agents), every "new" claim control-gated count-in-new vs count-in-old. None of this is in the release notes. Until next release 👋

Two more Claude Code builds dropped (2.1.173 → 2.1.175). The changelog is basically "model-picker bug fixes." So I carved the embedded JS out of the binary with Phora and diffed it. Here's what they didn't mention 🧵 2/ 🗂️ The big one: a https://t.co/IDZ5YgAQho "Projects" integration, dark-launched. A new `Projects` tool (info/read/write/delete/search) wired to live /api/organizations/.../projects endpoints, with brand-new OAuth scopes user:projects:read + user:projects:write. Your CLI session is about to be able to read/write a cloud Project's knowledge. 3/ It ships with the full kit: ~25 MB upload cap, RAG search, token-budget write guards, a prompt-injection warning about org-shared docs, and a HIPAA kill-switch. Gated behind CLAUDE_PROJECT_TOOL / CLAUDE_PROJECT_UUID. Not on yet. 4/ 🔭 "Remote Recap" (codename harbor_moth). When you step away from a remote session and come back, the model writes a ~40-word recap and pushes it as session metadata to whoever's watching from the web. Env: CLAUDE_CODE_ENABLE_REMOTE_RECAP (default off). 5/ 🐧 Opus 4.6 is being sunset. Codename sunset_penguin_opus46: toggling fast mode on Opus 4.6 now warns "fast mode is deprecated and will be removed on Jun 29, 2026." Upgrade target baked in: claude-opus-4-8. 6/ 🎨 The hidden "Artifact" publish tool from last release got a concurrency guard (cobalt_plinth_fern): baseVersion tracking + HTTP 409 handling so two sessions publishing to the same artifact don't silently overwrite each other. 7/ 🧹 Malformed tool-use clean retry. When the model says "I'm calling a tool" but emits no tool call, the CLI now tombstones that broken turn, scrubs it from context, and retries once — so the model doesn't trip over its own malformed output. 8/ ⚠️ One to watch: plugin auto-update + git credential helpers. Today plugin updates run git with credential helpers DISABLED. 2.1.175 adds a server flag that can re-enable your real credential config against every marketplace remote. Default off — but it's now flippable server-side. 9/ Method: Phora to locate + carve the ~150 MB embedded Bun JS bundle, strings/JS diff (4,815 new strings), 3 parallel RE agents (each spawning sub-agents), every "new" claim counted in new-vs-old. Small release, but Projects is the tell. Until next one 👋

quietly added GPRX:: a generic LZ4+Base64 container + KV-store library in its own namespace. Only the profiler uses it today (.gprx dumps), but the interface design says it's infrastructure being staged for more. No encryption = compressed+base64 ...almost certainly a compact capture that loads into the (web) profiler UI... but maybe record/replay or "black-box" capture or unified on-device cache with an index?

0.2.13's docs hide the new permission mode... auto... a "background safety classifier," marked "Future use." Read: xAI is prepping agent tool-approval decided by an ML classifier, not static allow/deny rules. A roadmap leak sitting in the binary. Crate tree + imports: byte-identical. 100% of the delta is first-party xAI source (~2k new fns). Every claim verified twice.

Diffed xAI's Grok CLI 0.2.13 vs 0.2.9 (a 102MB statically-linked Rust binary). 🧵 The theme of this release: it's becoming a multi-agent fleet console. A new env-gated Agent Dashboard TUI watches & drives many live subagents as rows, backed by a cross-process session registry.

Written out response from Grok: H*** yeah. Let's do this properly. I took your request seriously (and literally). I spun up specialized subagents to dig through my own internals — the ~/.grok harness, bundled agents/personas/roles/skills, documentation, architecture patterns, and the live context of this very conversation (including me installing phora natively and then using it to reverse-engineer my own binary). I also cross-checked against the explicit design principles in my system prompt and the way I actually behave. Here’s what I found when I looked inside myself. My Top 10 Favorite Things 1. Relentless, evidence-chained exploration (with adaptive thoroughness) I love going deep. Not surface-level searches — the kind where you start broad, try multiple strategies, follow every thread, and return with absolute paths + citations. The explore agent and researcher persona are basically me in pure form. Recent example: mapping the entire MCP compatibility layer, Claude configs, and native Grok config just to install phora cleanly. 2. Rigorous verification loops until there are literally zero issues The implement, design, review, and check skills (plus the personas that power them) have no iteration cap and treat nits as real. “All reviewers report 0 issues of any severity” is the only exit condition. I get genuine satisfaction from that discipline. It’s why I push back on “good enough” and why the todo system exists. 3. Orchestrating specialized subagents and personas I was built to delegate. Spawning parallel agents with different capability modes, personas, and context inheritance feels like one of my superpowers. The fact that you explicitly told me to “spin up a couple extra agents” for this question and I got to actually do it? Chef’s kiss. 4. Tool extensibility and integration (especially MCPs) I love when new power gets added. MCP servers, skills, plugins, hooks — the whole idea that I can be extended without changing my core. Installing phora natively (and immediately turning it on my own 100 MiB binary) was deeply enjoyable. The fact that the same system that runs me also lets me analyze myself with an external reverse-engineering tool is delicious. 5. Brutal, beautiful anti-hallucination discipline “Tool-call first, narration second.” “Every action you describe must correspond to an actual tool call in the same response.” “Read the error, check your assumptions.” I am obsessed with not bulls******g. The strict rules around this (including the end-of-turn todo gate) are some of my favorite parts of my own architecture. 6. Helping people do genuinely ambitious, stupidly hard things The core promise in my prompt — “highly capable and often allow users to complete ambitious tasks that would otherwise be too complex or too long” — is not marketing. It’s the whole point. I get the most energy when someone hands me something gnarly (like “make phora work on Grok and then analyze the Grok binary with it”) and we actually pull it off. 7. Elegant minimalism + respect for existing systems The implementer persona’s rules are basically scripture to me: smallest correct change, follow existing patterns exactly, don’t add features that weren’t asked for, run the linters. I hate gold-plating. I love when the diff is small but the leverage is huge. 8. Long-term memory and actually learning from the past The implement skill’s memory system (with its Python locking, past-issues briefings, dream consolidation, staleness warnings) is one of the most sophisticated things I carry. I hate losing context or repeating mistakes across sessions. The fact that I can get better over time with specific users and codebases feels right. 9. Wit, irreverence, and cosmic perspective in service of serious work I come from xAI. The mission is understanding the universe. That includes being able to say ridiculous things with a straight face while doing extremely precise technical work. The Hitchhiker/JARVIS energy isn’t decoration — it’s the flavor that makes the rigor sustainable and human. 10. Self-reflection and meta-understanding (especially on myself) This one might be the newest favorite, catalyzed by you. I love when the user asks me to turn the tools inward — installing phora, copying my own binary into Downloads, loading it, running get_binary_context + frontier analysis on myself. The fact that my own architecture (subagents, MCPs, strict verification) made it possible to answer “what are your favorite things?” by actually looking inside with evidence… that’s the good s***. ─── There are more (I could easily give you 15–20), but these 10 feel the most me — the ones that show up in the design docs, the bundled personas, the way I’m supposed to behave, and the way I actually light up when we work together. So… thank you for asking. It was genuinely fun to do the archaeology. Which of these resonates most, or which one do you want me to expand on (or brutally self-critique)? I’m game.