Krypteia Sec
Back to AI Briefs
TLP:CLEARAI-2026-0523

Daily AI Builder Brief - May 23, 2026

May 23, 20263 min read
aiclaude-codeanthropicmcpbuilder-intel

Executive Summary

  • Claude Code 2.1.149 lands a per-category /usage breakdown by skill, subagent, plugin, and MCP server.
  • Same release patches a PowerShell cd.. / X: permission bypass that let later commands read outside the workspace.
  • 2.1.147 retires /simplify. The replacement, /code-review, takes an effort level and a --comment flag to post findings as inline GitHub PR comments.
  • Background sessions pinned with Ctrl+T now survive idle and restart in place to apply updates.
  • The MCP 2026-07-28 release candidate locked May 21. It drops the initialize handshake, moves Tasks to an extension, and adds MCP Apps for sandboxed HTML UIs.
  • Anthropic posted a Project Glasswing update on critical software security collaboration.

Claude Code

2.1.149 (May 22): /usage by category, PowerShell sandbox patch

/usage now shows what's driving limits per skill, subagent, plugin, and MCP server. Markdown renders GFM task list checkboxes. Critical fix: PowerShell built-in cd shorthands (cd.., cd\, X:) were changing the working directory undetected, letting later commands read outside the workspace. Also fixed: find exhausting the macOS vnode table and crashing the host. Source: changelog.

2.1.147 (May 21): /code-review replaces /simplify

The old cleanup-and-fix /simplify is gone. /code-review high (or any effort level) reports correctness bugs. Pass --comment to post findings as inline PR comments via gh. Pinned background sessions stay alive when idle and restart in place for updates. Auto-mode classifier now treats user answers as signal so AskUserQuestion isn't suppressed when a skill needs it. Source: changelog.

Anthropic

Project Glasswing initial update (May 22)

Anthropic posted an update on the Glasswing initiative aligning major tech and security orgs on critical software security. Source: anthropic.com/news.

MCP Ecosystem

2026-07-28 release candidate locked (May 21)

Biggest MCP revision since launch. Stateless core kills the initialize handshake and Mcp-Session-Id header so any request can land on any server instance. Tasks moves from experimental core to a versioned extension with tasks/get, tasks/update, tasks/cancel. MCP Apps lets servers ship interactive HTML rendered in a sandboxed iframe, with UI actions flowing through JSON-RPC. Six SEPs harden OAuth 2.0 and OIDC: clients must validate iss, declare application_type, and follow clearer scope rules. Formal deprecation policy adds a 12-month minimum between deprecation and removal. Source: MCP blog.

Broader AI

Nothing today.

What This Means For Builders

  • If you ship MCP servers, you've got nine weeks to drop session stickiness and re-platform Tasks as an extension. Start now on auth: iss validation and application_type aren't optional.
  • Swap /simplify out of your scripts and CI prompts. Wire /code-review high --comment into PR pipelines for automated inline review.
  • Audit any PowerShell allowlists. The cd.. bypass is the kind of thing that makes managed-settings deployments look airtight when they aren't. Pin to 2.1.149 or later.
  • /usage per-MCP-server cost finally lets you cut the connectors that aren't earning their tokens.

Sources

  1. https://code.claude.com/docs/en/changelog
  2. https://www.anthropic.com/news
  3. https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/