Daily AI Builder Brief - June 24, 2026

The Operator's Take

The shift that matters today isn't Claude Tag, it's that the credential boundary moved into the agent runtime. Claude Code 2.1.187's sandbox.credentials stops sandboxed commands from reading your secret files and environment variables, and hung remote MCP calls now abort instead of blocking forever. If you run unattended agents against real repos and keys, the way this very brief gets produced, turn sandbox.credentials on today and stop assuming a wedged MCP server fails loud. Treat your own automation as the threat model, not just the code it touches.

Executive Summary

Claude Code 2.1.187 adds sandbox.credentials to block sandboxed commands from reading credential files and secret env vars.
Remote MCP tool calls that hang now abort after five minutes instead of blocking forever, overridable with CLAUDE_CODE_MCP_TOOL_IDLE_TIMEOUT.
Structured output is fixed: the model can no longer re-call StructuredOutput indefinitely after a successful call.
Subagent depth tracking is fixed, and leaked agent worktree registrations from killed agents now get cleaned up automatically.
Org-configured model restrictions now show in the model picker, --model, /model, and ANTHROPIC_MODEL.
Anthropic shipped Claude Tag: tag @Claude in Slack as a team member, in beta for Enterprise and Team, replacing the old Claude in Slack app.
/install-github-app now makes the GitHub Actions workflow step optional.
The MCP spec release candidate (stateless core, Tasks, MCP Apps) finalizes July 28, context for planning, not news.

Claude Code

sandbox.credentials isolates secrets from sandboxed commands

The new sandbox.credentials setting blocks sandboxed commands from reading credential files and secret environment variables. This is the first-class control unattended agents needed. See the credential isolation reference. Changelog

Hung remote MCP tool calls now abort after five minutes

Remote MCP calls that returned nothing used to block for five minutes silently. They now abort with an error, and you can tune the window with CLAUDE_CODE_MCP_TOOL_IDLE_TIMEOUT. Changelog

Structured output and subagent reliability fixes

--json-schema and workflow agent({schema}) no longer loop on StructuredOutput. Resumed subagents restore their spawn depth, forked subagents count toward the depth cap, and locked worktree entries from killed agents get cleaned up. 2.1.190 followed on June 24 with reliability fixes. Changelog

Anthropic

Claude Tag puts @Claude in Slack as a team member

Claude Tag joins a Slack workspace as a multiplayer team member. Grant it channels, tools, data, and codebases, then anyone tags @Claude to delegate a task that it stages, runs, and reports back in-thread. It's in beta for Enterprise and Team, and it replaces the existing Claude in Slack app. Announcement

MCP Ecosystem

Claude Code hardens its MCP client

Today's real MCP movement is client-side: credential isolation plus the idle-timeout abort close two failure modes that bite unattended MCP automation. Separately, the MCP spec release candidate (stateless core, Tasks extension, MCP Apps, OAuth hardening) is still on track to finalize July 28, so plan server work against it now. MCP roadmap

Broader AI

Nothing today.

What This Means For Builders

Flip sandbox.credentials on for any daily or unattended agent that touches real repos and keys. Don't wait for an incident to find out a sandboxed command could read your .env.
If your MCP servers can wedge, set CLAUDE_CODE_MCP_TOOL_IDLE_TIMEOUT tighter than five minutes so pipelines fail fast instead of stalling a build window.
Pin automation to 2.1.187 or later. The StructuredOutput retry loop and worktree leaks were silent reliability tax on schema-driven and agent-team runs.