Skip to content
Krypteia Sec
Back to AI Briefs
TLP:CLEARAI-2026-0625

Daily AI Builder Brief - June 25, 2026

Claude Code 2.1.191 ships /rewind-after-clear, permanent background-agent stops, and MCP client retry hardening. Anthropic launches Claude Tag, an always-on Slack teammate on Opus 4.8. The MCP 2026-07-28 spec RC advances a stateless core with Tasks and MCP Apps.

By The Operator·June 25, 2026·4 min read
aiclaude-codeanthropicmcpbuilder-intel

The Operator's Take

Anthropic spent the last 48 hours moving Claude from a tool you call into an agent that stands in your workspace and acts on its own. Claude Tag's ambient mode and async task handling landed the same day Claude Code 2.1.191 hardened its MCP client for unattended runs, which means the thing you now have to secure isn't the prompt, it's the standing agent and every tool it's wired to. If you're connecting MCP servers to always-on agents, scope their data access and treat tool descriptions as a prompt injection surface today, before ambient agents make that audit impractical. The convenience is real. So is the new blast radius.

Executive Summary

  • Claude Code 2.1.191 adds /rewind to resume a conversation from before /clear was run.
  • Stopping a background agent from the tasks panel is now permanent, agents no longer resurrect.
  • The MCP client got reliability work: capability discovery and OAuth now retry transient network errors, headless runs skip the browser popup.
  • Streaming CPU use dropped about 37 percent, and long-session memory growth from the output cache shrank.
  • Anthropic launched Claude Tag, an always-on AI teammate that lives in Slack channels, running on Opus 4.8.
  • Claude Tag adds multiplayer context memory, proactive updates, async task handling, and an optional ambient follow-up mode with scoped data controls.
  • The MCP 2026-07-28 spec release candidate is in its validation window: stateless core, Tasks extension, MCP Apps, and OAuth hardening.
  • Anthropic publicly accused Alibaba of distilling its models through thousands of fraudulent accounts.

Claude Code

2.1.191: /rewind-after-clear and permanent agent stops

/rewind now resumes a conversation from before /clear, recovering work you'd have lost. Background agents stay stopped once you stop them from the tasks panel, no more resurrecting. Hooks with comma-separated matchers like "Bash,PowerShell" now actually fire, and /permissions keeps approvals on the Recently-denied tab instead of discarding them. Changelog

MCP client hardening and a 37 percent streaming CPU cut

Capability discovery (tools/list, prompts/list, resources/list) and MCP OAuth now retry transient network errors with backoff, and headless environments go straight to paste-the-URL instead of failing on a missing browser. Streaming responses use roughly 37 percent less CPU by coalescing text updates to 100ms. Changelog

Anthropic

Claude Tag: an always-on teammate inside Slack

Claude Tag puts a persistent Claude into Slack channels that the whole team shares, running on Opus 4.8. It breaks a delegated task into stages, works through them async, and reports back, with an optional ambient mode that follows up on unresolved items and scoped data controls per channel. Beta on Enterprise and Team plans. Anthropic says 65 percent of its product team's code now comes from its internal version. Anthropic News

MCP Ecosystem

The 2026-07-28 spec RC pushes toward a stateless core

The release candidate drops the initialize handshake and Mcp-Session-Id header so servers run behind a plain load balancer. Tasks moves to an extension with server-issued handles driven by tasks/get, tasks/update, tasks/cancel. MCP Apps adds server-rendered UIs in sandboxed iframes on the same audit path. Tier 1 SDKs are validating now ahead of the July 28 final. MCP Blog

Client-side movement is the practical change today

The only fresh MCP-ecosystem shift in 48 hours is on the client: Claude Code's retry and headless-OAuth fixes above. If you run MCP servers in CI or unattended agents, that's the upgrade that matters this week.

Broader AI

Anthropic accuses Alibaba of model distillation

Anthropic said Alibaba used thousands of fraudulent accounts to illicitly extract Claude's capabilities, a model-distillation campaign worth tracking if you build on frontier APIs. It's a reminder that account-level abuse is now a model-security problem, not just a billing one. CNBC

What This Means For Builders

  • If you script unattended Claude Code runs, 2.1.191's MCP retries and headless-OAuth fallback remove two common failure points: upgrade now.
  • Before you deploy an always-on agent like Claude Tag, define scoped data access and review every connected tool's description as an injection vector. See agentic red teaming.
  • Build new MCP integrations against the stateless RC shape now, stateful session assumptions are on the way out by July 28.

Sources

  1. https://code.claude.com/docs/en/changelog
  2. https://www.anthropic.com/news
  3. https://www.testingcatalog.com/anthropic-launches-claude-tag-on-team-and-enterprise-plans/
  4. https://blog.modelcontextprotocol.io/posts/2026-07-28-release-candidate/
  5. https://blog.modelcontextprotocol.io/posts/2026-mcp-roadmap/
  6. https://www.cnbc.com/2026/06/24/anthropic-alibaba-distillation-campaign.html
  7. https://krypteiasec.com/glossary
ΛKrypteia Sec Research·June 25, 2026