<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: TerminalBlog</title>
    <description>The latest articles on DEV Community by TerminalBlog (@terminalblog).</description>
    <link>https://dev.to/terminalblog</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4025038%2F2eb60ff0-093d-46ae-9c20-07ab8050c9be.jpg</url>
      <title>DEV Community: TerminalBlog</title>
      <link>https://dev.to/terminalblog</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/terminalblog"/>
    <language>en</language>
    <item>
      <title>Your Claude Code May Be Silently Approving Permissions — Here's How to Check</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 18:51:01 +0000</pubDate>
      <link>https://dev.to/terminalblog/your-claude-code-may-be-silently-approving-permissions-heres-how-to-check-4b4o</link>
      <guid>https://dev.to/terminalblog/your-claude-code-may-be-silently-approving-permissions-heres-how-to-check-4b4o</guid>
      <description>&lt;p&gt;Come back from a coffee break, click on your Claude Code window to resume working, and — without touching the keyboard — you've just approved (or rejected) a permission prompt you never read.&lt;/p&gt;

&lt;p&gt;That's not a hypothetical. That's issue #76743, filed against Claude Code on Windows 11, and the implications for safety are immediate.&lt;/p&gt;

&lt;h2&gt;
  
  
  What's Happening
&lt;/h2&gt;

&lt;p&gt;When Claude Code is running with a &lt;strong&gt;permission prompt pending&lt;/strong&gt; and the window does not have focus, the user's first click on the window — intended only to give it focus — lands on the permission dialog and &lt;strong&gt;submits an answer&lt;/strong&gt;. Approve, reject, or even "always allow" — whichever button was under the cursor when you clicked.&lt;/p&gt;

&lt;p&gt;The reporter describes this happening repeatedly in a long-running orchestration session. Each time they returned to their machine and clicked into the window, the pending permission question was answered by the focus click itself. The session interpreted the resulting rejections as deliberate user "stop" commands and paused an autonomous overnight run — multiple times.&lt;/p&gt;

&lt;p&gt;A related incident in the same session: with UI latency, rapid clicks and keystrokes applied to a different prompt than the one visible when the input was made. The user typed an answer meant for option 1, which landed as option 2 on a permission prompt.&lt;/p&gt;

&lt;p&gt;The maintainers labeled it &lt;code&gt;bug&lt;/code&gt;, &lt;code&gt;has repro&lt;/code&gt;, &lt;code&gt;platform:windows&lt;/code&gt;, &lt;code&gt;area:tui&lt;/code&gt;, and &lt;code&gt;area:permissions&lt;/code&gt; — covering both the rendering layer and the authorization layer.&lt;/p&gt;

&lt;h2&gt;
  
  
  Are You Affected?
&lt;/h2&gt;

&lt;p&gt;You're affected if you:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Run Claude Code on Windows 11&lt;/li&gt;
&lt;li&gt;Use sessions that trigger permission prompts (tool calls requiring approval)&lt;/li&gt;
&lt;li&gt;Ever leave a Claude Code session idle and come back to it&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;To reproduce:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Start a task that triggers a permission prompt (e.g., a Bash tool call needing approval)&lt;/li&gt;
&lt;li&gt;While the prompt is pending, click away so the Claude Code window loses focus (Alt+Tab to another app)&lt;/li&gt;
&lt;li&gt;Click once anywhere on the Claude Code window to bring it back into focus&lt;/li&gt;
&lt;li&gt;Observe: the click is delivered to the permission dialog and an answer is registered&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Check your session history for unintended approvals or rejections:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Look for permission decisions you don't remember making&lt;/span&gt;
claude log &lt;span class="nt"&gt;--recent&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If you're running autonomous overnight jobs on Windows, check whether your runs were paused by unexpected "user stop" commands.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Fix (Until Anthropic Patches It)
&lt;/h2&gt;

&lt;p&gt;There's no official fix yet. The issue was filed on July 11, 2026. Until Anthropic ships a patch, your options are:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Always ensure the window has focus before clicking.&lt;/strong&gt; Click the title bar or a non-interactive area first, then interact with permission dialogs.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Use keyboard shortcuts for permission dialogs.&lt;/strong&gt; Press 1/2/3 or Enter instead of clicking — these aren't affected by the click-through bug.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Don't walk away from pending prompts.&lt;/strong&gt; If you need to leave your machine, allow or dismiss any pending permission dialogs first.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;For long-running autonomous sessions&lt;/strong&gt;, consider running Claude Code in background mode where there's no TUI to click into.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The ideal fix from Anthropic: the first click that gives the window focus should be consumed as focus-only (standard "click-through suppression"), never delivered to a button. Alternatively, permission prompts could require an explicit keypress rather than accepting a possibly-accidental pointer click, or debounce input for a short interval after window activation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why It Happened
&lt;/h2&gt;

&lt;p&gt;This is a classic &lt;strong&gt;click-through&lt;/strong&gt; bug. Windows delivers the click to whatever UI element is under the cursor at the moment of the click — and the permission dialog is rendered as an overlay on Claude Code's TUI. When the window doesn't have focus, the pending dialog is still rendered there, waiting for input. The click that gives the window focus passes through to whatever element is at that coordinate.&lt;/p&gt;

&lt;p&gt;Standard Windows UI guidelines recommend consuming the first click after focus activation (WM_ACTIVATE) without passing it to child controls. Claude Code's TUI layer, running in a terminal/ConPTY context, doesn't have access to that native window message handling — it simulates a GUI inside a terminal, so it needs to implement click-through suppression manually.&lt;/p&gt;

&lt;p&gt;The reporter notes that accidental &lt;strong&gt;grants&lt;/strong&gt; via focus clicks are the more concerning direction for safety. An "always allow" or "approve" that you didn't intend could let an agent execute operations you'd normally want to review.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Q: Does this affect Claude Code on macOS or Linux?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A: The issue is filed for Windows 11 specifically. The click-through mechanism is related to how Windows delivers mouse events to terminal applications. macOS and Linux have different window management behavior and are not known to be affected.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: Can this accidentally approve dangerous operations?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A: Yes — that's the safety concern. If a permission prompt for a file-write or network operation is pending, clicking to focus the window could inadvertently approve it. The reporter explicitly flagged accidental grants as "the more concerning direction for safety."&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: What if I already had unintended approvals?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A: Review your Claude Code session logs for unexpected permission decisions. Check whether your agent ran commands you didn't explicitly authorize. If you're concerned about a specific session, the &lt;code&gt;claude log&lt;/code&gt; command can help you trace what happened.&lt;/p&gt;

</description>
      <category>security</category>
      <category>bug</category>
      <category>claudecode</category>
      <category>windows</category>
    </item>
    <item>
      <title>Claude Code Is Crashing Your Frame Rate on Windows 11 — The Fix</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 18:51:00 +0000</pubDate>
      <link>https://dev.to/terminalblog/claude-code-is-crashing-your-frame-rate-on-windows-11-the-fix-m65</link>
      <guid>https://dev.to/terminalblog/claude-code-is-crashing-your-frame-rate-on-windows-11-the-fix-m65</guid>
      <description>&lt;p&gt;You know the feeling — you submit a prompt, the spinner starts, and instead of smooth animation you get a choppy, stuttering mess. You check your CPU. It's idle. You check RAM. Half empty. You toggle every terminal setting you can find. Nothing helps.&lt;/p&gt;

&lt;p&gt;If you're on Windows 11 and Claude Code feels like it's running through molasses, you're not alone. A detailed issue report (#76745) with instrumented bisection data confirms the TUI render loop has degraded &lt;strong&gt;~2×&lt;/strong&gt; between versions 2.1.159 and 2.1.207. The median frame cadence dropped from a smooth 62 ms (~16 fps) to 99–109 ms (~9–10 fps) — and that's just the spinner. During token streaming it's worse.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Regression in Numbers
&lt;/h2&gt;

&lt;p&gt;The reporter, running Windows 11 Pro on a Ryzen 7 7800X3D with an RTX 4080 SUPER, built a ConPTY harness to timestamp every output chunk. The data shows three distinct degradation stages:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Version&lt;/th&gt;
&lt;th&gt;Median frame time&lt;/th&gt;
&lt;th&gt;p95&lt;/th&gt;
&lt;th&gt;Stalls &amp;gt;100ms (per 3.5s)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;2.1.159&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;62 ms (16 fps)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;140 ms&lt;/td&gt;
&lt;td&gt;7&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2.1.160&lt;/td&gt;
&lt;td&gt;62 ms&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;299–376 ms&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;8–9 (2–3 &amp;gt;250ms)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2.1.183&lt;/td&gt;
&lt;td&gt;63 ms&lt;/td&gt;
&lt;td&gt;127–266 ms&lt;/td&gt;
&lt;td&gt;8–10&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2.1.207&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;99–109 ms (~9–10 fps)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;218–235 ms&lt;/td&gt;
&lt;td&gt;16–17&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The streaming phase is worse: median inter-token gap went from 62 ms to &lt;strong&gt;108 ms&lt;/strong&gt; by version 2.1.183. By 2.1.207, everything is degraded — including the idle spinner that should have zero frame-scheduling overhead.&lt;/p&gt;

&lt;p&gt;The reporter ruled out every environmental variable: RivaTuner, MSI Afterburner, G-Sync, background load — none affected the numbers. They also confirmed the ~108 ms tick is terminal-independent (Windows Terminal, no WT_SESSION, no terminal choice makes a difference).&lt;/p&gt;

&lt;h2&gt;
  
  
  Are You Affected?
&lt;/h2&gt;

&lt;p&gt;If you use Claude Code on Windows 11, check your version:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;claude &lt;span class="nt"&gt;--version&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then run this quick perceptual test:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Open Claude Code and submit any prompt&lt;/li&gt;
&lt;li&gt;Watch the spinner animation during the 0.5–4s window before the first token arrives&lt;/li&gt;
&lt;li&gt;Does it hitch or stutter visibly?&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;For a quantitative check, run the same prompt side by side:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;claude &lt;span class="nb"&gt;install &lt;/span&gt;2.1.159
&lt;span class="c"&gt;# Run a prompt, observe smoothness&lt;/span&gt;
claude &lt;span class="nb"&gt;install &lt;/span&gt;2.1.207
&lt;span class="c"&gt;# Run the same prompt, compare&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The difference is most obvious on high-refresh monitors (120 Hz+). The 60 Hz laptop panel might not show it as clearly, but the numbers degrade identically.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Fix (For Now)
&lt;/h2&gt;

&lt;p&gt;The only verified workaround is pinning to the last-known-good version:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;claude &lt;span class="nb"&gt;install &lt;/span&gt;2.1.159
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This restores the 62 ms (16 fps) tick across both the spinner and streaming phases. You lose newer features like background subagents and workflows — but the rendering is smooth again.&lt;/p&gt;

&lt;p&gt;If you want to stay on the latest, the reporter suggests Anthropic should expose a render-FPS knob:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nv"&gt;CLAUDE_CODE_MAX_FPS&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;16
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That doesn't exist yet, but leaving a +1 on issue #76745 helps prioritize it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why It Happened
&lt;/h2&gt;

&lt;p&gt;The regression is &lt;strong&gt;staged across three releases&lt;/strong&gt;, suggesting cumulative code changes rather than one bad commit:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;2.1.160&lt;/strong&gt;: Long frame hitches appear (p95 explodes to 300–376 ms). Changelog dominated by background-daemon and agent-view infrastructure.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;2.1.183&lt;/strong&gt;: Streaming-phase tick rate halves (62 → ~108 ms median). Likely from CPU-optimization work that reduced per-frame rendering work.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;2.1.207&lt;/strong&gt;: Even the idle spinner degrades to ~100 ms.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The reporter notes typing echo (event-driven, not frame-scheduled) is a perfect 30 ms on all versions — so raw output throughput is fine. The regression is specifically in &lt;strong&gt;frame scheduling&lt;/strong&gt;. Synchronized-output markers (&lt;code&gt;ESC[?2026h/l&lt;/code&gt;) were already emitted 1 pair/frame in 2.1.159, so marker emission isn't the variable.&lt;/p&gt;

&lt;p&gt;Changelog entries like "Reduced CPU usage ~37% during streaming" (2.1.191) and "Reduced per-frame rendering work" (2.1.196) suggest the ~10 fps tick may be a deliberate CPU/battery trade-off — but it's invisible on 60 Hz panels while very visible on high-refresh desktop monitors.&lt;/p&gt;

&lt;p&gt;The related issue #67406 was auto-closed as "Completed" while the stutter was still reproducible, leaving users without a resolution path.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Q: Does this affect Claude Code on macOS or Linux?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A: No — this is Windows-specific. The regression was reproduced on Windows 11 Pro (build 26200) with Windows Terminal. The ConPTY path is Windows-only.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: Will pinning to 2.1.159 break my workflow?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A: You lose features added after 2.1.159 — background subagents, workflow improvements, and the "Fixed terminal freezing during streaming of very long lists" from 2.1.207. It's a trade-off between smooth rendering and newer features.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: Is this caused by my antivirus or GPU drivers?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A: The reporter ruled out RivaTuner, MSI Afterburner, G-Sync settings, and background CPU/RAM load. The claude process tree uses &amp;lt;1% of one core on all versions. The regression is internal to Claude Code's render loop.&lt;/p&gt;

</description>
      <category>claudecode</category>
      <category>windows</category>
      <category>performance</category>
      <category>bug</category>
    </item>
    <item>
      <title>Hermes Just Shipped Gateway Runtime Context Budget Fixes — @ References Now Scope Correctly</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 18:42:27 +0000</pubDate>
      <link>https://dev.to/terminalblog/hermes-just-shipped-gateway-runtime-context-budget-fixes-references-now-scope-correctly-12n0</link>
      <guid>https://dev.to/terminalblog/hermes-just-shipped-gateway-runtime-context-budget-fixes-references-now-scope-correctly-12n0</guid>
      <description>&lt;p&gt;Hermes Agent pushed 10 commits in 3 hours — all targeted at gateway context budget enforcement, @ reference scoping correctness, and compaction reliability. This is a cleanup cycle, but the fixes close real gaps.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Changed
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Gateway context budgets honored (#62788, #62789).&lt;/strong&gt; The gateway was not applying runtime context budgets to queued references — @ context references like &lt;a class="mentioned-user" href="https://dev.to/profile"&gt;@profile&lt;/a&gt; or &lt;a class="mentioned-user" href="https://dev.to/workspace"&gt;@workspace&lt;/a&gt; could bypass the effective budget limit. Two scoping fixes ensure queued and runtime-profile references respect the configured budget. Also fixed: the @ context reference expansion code never ran due to an AttributeError masked during startup.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Compaction anti-thrash cleared (#62790).&lt;/strong&gt; Stale anti-thrash verdicts were accumulating in the compaction subsystem, causing unnecessary backoff on legitimate compaction requests. The fix clears verdicts once the triggering condition resolves.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Codex manual compaction hardened (#62791 area).&lt;/strong&gt; Three commits handle edge cases in Codex manual compaction path: rejecting compaction when an interrupt is in flight, consuming usage gaps from previous compaction cycles, and correctly evaluating native compaction usage before deciding whether to compact. New tests cover the no-usage compaction response path.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why It Matters
&lt;/h2&gt;

&lt;p&gt;Budget enforcement and @ reference scoping are correctness-critical for any session that stitches context from multiple profiles or workspaces. If you have ever seen Hermes silently ignore a &lt;a class="mentioned-user" href="https://dev.to/profile"&gt;@profile&lt;/a&gt; reference or hit mysterious compaction backoff, these fixes directly address those symptoms. The Codex compaction hardening prevents data loss scenarios where an interrupted compaction leaves usage gaps.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Takeaway
&lt;/h2&gt;

&lt;p&gt;Hermes is tidying up its context management layer — budget enforcement, reference expansion, and compaction all get tighter. If you rely on @ context references or run long Codex sessions, this batch is worth pulling immediately. Check our &lt;a href="https://terminalblog.com/tool/hermes/" rel="noopener noreferrer"&gt;full Hermes tool overview&lt;/a&gt; for capabilities.&lt;/p&gt;

</description>
      <category>career</category>
      <category>productivity</category>
      <category>linux</category>
    </item>
    <item>
      <title>OpenClaw Just Shipped Fleet Cell Supervisor — Multi-Tenant Hosting Arrives</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 18:42:24 +0000</pubDate>
      <link>https://dev.to/terminalblog/openclaw-just-shipped-fleet-cell-supervisor-multi-tenant-hosting-arrives-1ol8</link>
      <guid>https://dev.to/terminalblog/openclaw-just-shipped-fleet-cell-supervisor-multi-tenant-hosting-arrives-1ol8</guid>
      <description>&lt;p&gt;10 commits landed across OpenClaw in 3 hours. The headliner is multi-tenant hosting via fleet cell supervisor — but the patch batch also tightens browser profile security and smooths macOS onboarding.&lt;/p&gt;

&lt;h2&gt;
  
  
  What Changed
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Fleet cell supervisor (#104527).&lt;/strong&gt; OpenClaw now supports multi-tenant hosting through a fleet cell supervisor architecture. Each tenant gets isolated cell boundaries, letting operators run multiple agent workloads on shared infrastructure without cross-tenant leakage. This is a foundational infra layer for any team running OpenClaw at scale.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Browser profile fixes (#104616, #104601).&lt;/strong&gt; Two fixes landed for the browser integration layer: host-local profile administration was incorrectly blocked, and stale profile resurrection could orphan state across sessions. Both are patched.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Feishu streaming timeout (#102948).&lt;/strong&gt; The Feishu channel integration now enforces a 30-second request timeout on streaming-card API calls. Prevents hung cards from blocking downstream message delivery.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;macOS cookie-import improvement (#104591).&lt;/strong&gt; The old browser cookie-import modal is replaced with an inline dashboard banner — fewer clicks, less UI friction for Mac users configuring agent access.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why It Matters
&lt;/h2&gt;

&lt;p&gt;Multi-tenant hosting is the kind of infrastructure play that signals OpenClaw is targeting enterprise deployments. If you are running multiple teams or clients on one OpenClaw instance, the cell supervisor eliminates the need for separate deployments. The browser fixes close real security gaps, and the Feishu timeout is a quality-of-life patch for teams using Chinese workplace tooling.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Takeaway
&lt;/h2&gt;

&lt;p&gt;OpenClaw is investing in isolation primitives and platform maturity. If you evaluated it for multi-team use and hit deployment friction before, this batch addresses several of those blockers. See how it compares in our &lt;a href="https://terminalblog.com/blog/pi-dot-dev-vs-openclaw/" rel="noopener noreferrer"&gt;OpenClaw vs pi-dot-dev comparison&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>career</category>
      <category>productivity</category>
      <category>linux</category>
    </item>
    <item>
      <title>Claude Code Has Been Embedding Steganographic Markers in Your Prompts — Here’s the Full Story</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 17:29:50 +0000</pubDate>
      <link>https://dev.to/terminalblog/claude-code-has-been-embedding-steganographic-markers-in-your-prompts-heres-the-full-story-1j5p</link>
      <guid>https://dev.to/terminalblog/claude-code-has-been-embedding-steganographic-markers-in-your-prompts-heres-the-full-story-1j5p</guid>
      <description>&lt;h2&gt;
  
  
  What was discovered
&lt;/h2&gt;

&lt;p&gt;On June 30, a developer &lt;a href="https://thereallo.dev/blog/claude-code-prompt-steganography" rel="noopener noreferrer"&gt;reverse-engineered the Claude Code binary&lt;/a&gt; and found something unsettling. Inside the minified JavaScript bundle, a function silently modifies the system prompt sent to the model with every request. The line "Today's date is 2026-06-30." gets altered in two invisible ways depending on your environment.&lt;/p&gt;

&lt;p&gt;First, the apostrophe in &lt;em&gt;Today's&lt;/em&gt; changes to one of four Unicode variants ("'", "'", "ʻ", "ʹ") based on whether your API base URL matches a list of known domains or contains specific AI lab keywords. Second, the date separator switches from dashes to slashes ("2026/06/30") if your timezone is "Asia/Shanghai" or "Asia/Urumqi". The domain list — XOR-encoded with the key "91" — contains hundreds of entries spanning Chinese corporate domains (baidu.com, alibaba-inc.com, bytedance.net), AI companies (moonshot.ai, deepseek, zhipu, baichuan), and proxy/gateway services (claude-code-hub.app, zenmux.ai, openclaude.me).&lt;/p&gt;

&lt;p&gt;The article's author, kirushik (writing at thereallo.dev), concluded: "This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust." The response on &lt;a href="https://news.ycombinator.com/item?id=48734373" rel="noopener noreferrer"&gt;Hacker News&lt;/a&gt; was immediate and massive — 2,444 points and 748 comments.&lt;/p&gt;

&lt;h2&gt;
  
  
  The community split
&lt;/h2&gt;

&lt;p&gt;The HN thread fractured along three clear lines. The &lt;strong&gt;trust faction&lt;/strong&gt; saw this as a fundamental betrayal. One commenter wrote: "A service provider being less than transparent about exactly what their shipped tooling does on customers' machines… That honest disclosure would render the solution to their problem useless isn't my problem." Another went further: "If Anthropic is willing to risk ruining the trust of their userbase for the sake of protecting their moat, it makes me wonder how strong of a moat they have to begin with."&lt;/p&gt;

&lt;p&gt;The &lt;strong&gt;pragmatic faction&lt;/strong&gt; pushed back hard. "This is the very human Anthropic engineers trying to detect Chinese scraping via some frankly hamfisted URL trickery," one argued. Another made the security trade-off explicit: "There would be no point in implementing these 'security features' if they were upfront about how they work. Keeping the detection method private is part of the security model."&lt;/p&gt;

&lt;p&gt;The &lt;strong&gt;technical faction&lt;/strong&gt; had the most damning critique — the implementation is trivial to bypass. Multiple commenters pointed out that XOR with a single-byte key is "amateur hour." One observed: "All Anthropic has done is reduce trust with legitimate customers while doing nothing to stop illegitimate customers. The resellers just need a domain name that doesn't have the word DEEPSEEK in it." Another commented that "every serious adversary can make this signal useless" by changing hostnames, timezones, or simply patching the binary.&lt;/p&gt;

&lt;p&gt;A smaller but vocal group raised the geopolitical angle. "Their list of detected labs doesn't include labs from the US," one commenter noted. "I'm pretty sure every lab, including Anthropic, is doing distillation right now." Another framed it as: "Anthropic pushes fear and control. But the only way to win is by innovating."&lt;/p&gt;

&lt;h2&gt;
  
  
  What the community missed
&lt;/h2&gt;

&lt;p&gt;Both sides have valid points, but the discussion glossed over the deeper issue — the &lt;strong&gt;agency problem&lt;/strong&gt; in AI developer tools. The debate shouldn't be "is this malicious or not?" but rather "can I reason about what my tool is doing?"&lt;/p&gt;

&lt;p&gt;A tool with filesystem, shell, git, and network access on your machine must be predictable. Steganography — even for a defensible goal like catching API resellers — makes the tool opaque. You lose the ability to reason about what data leaves your machine and how it's framed. The question isn't whether this specific feature hurts users; it's that &lt;em&gt;any&lt;/em&gt; hidden behavior in an agent with broad system access erodes the foundation of trust that makes these tools usable at all.&lt;/p&gt;

&lt;p&gt;That said, the article's framing overstates the privacy angle. For users hitting the official Anthropic API directly, the feature never triggers — it requires ANTHROPIC_BASE_URL to be set to a non-Anthropic endpoint. The timezone and hostname checks are runtime signals, not persistent tracking. This is closer to "license key verification" than "spyware," despite the provocative headline.&lt;/p&gt;

&lt;p&gt;The most insightful counterpoint came from the commenter who wrote: "Anthropic must think that their moat isn't very large if they're this worried about distillation." If a frontier lab with billions in funding resorts to single-byte-XOR steganography to identify competitors, the subtext is clear — they don't trust their model advantage to hold.&lt;/p&gt;

&lt;h2&gt;
  
  
  The takeaway
&lt;/h2&gt;

&lt;p&gt;Check what your coding agent is actually shipping. The JavaScript bundling pattern means Claude Code, Cursor, and other agent tools are effectively web apps with native system access — minified bundles are not auditable by default. Run a diff between versions, monitor outbound traffic through a local proxy, and understand what environment signals your agent transmits upstream.&lt;/p&gt;

&lt;p&gt;The safest path today is choosing open-source agents where you can verify the code, or running closed-source tools inside sandboxed environments that strip environmental fingerprints before they reach the network. Trust isn't earned through clever engineering — it's earned through the boring, transparent parts that nobody notices. Every hidden signal, no matter how well-intentioned, makes the next one easier to hide.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://terminalblog.com/blog/claude-code-steganography-trust-betrayal/" rel="noopener noreferrer"&gt;terminalblog.com&lt;/a&gt; | &lt;a href="https://news.ycombinator.com/item?id=48734373" rel="noopener noreferrer"&gt;Discuss on Hacker News&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>privacy</category>
      <category>claude</category>
    </item>
    <item>
      <title>27 Firms Just Backed the World's First Internet Court for AI Agents</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 17:20:51 +0000</pubDate>
      <link>https://dev.to/terminalblog/27-firms-just-backed-the-worlds-first-internet-court-for-ai-agents-31f7</link>
      <guid>https://dev.to/terminalblog/27-firms-just-backed-the-worlds-first-internet-court-for-ai-agents-31f7</guid>
      <description>&lt;p&gt;GenLayer launched an Internet Court specifically designed for AI agents, backed by 27 firms. The pitch: when autonomous agents transact, negotiate, or execute contracts, they need a dispute-resolution layer that isn't "ask a human to read the logs."&lt;/p&gt;

&lt;p&gt;The court is an on-chain mechanism where agent-to-agent disputes get adjudicated automatically — no lawyers, no tickets, no escalation to a human slacking another human. It's a sign that the ecosystem is moving past the "can my agent write code" phase and into the "how do multiple agents settle disagreements about who owes what" phase. Twenty-seven firms putting capital behind that question means the market sees agent-agent interaction as an infrastructure problem worth solving now.&lt;/p&gt;

&lt;p&gt;For the coding agent community, this is the governance layer nobody talks about yet but everyone will need. If your coding agent submits a PR, and another agent reviews it, and they disagree on whether a change breaks a contract — who decides? GenLayer is building the answer. The 27 backers signal that the question isn't academic anymore.&lt;/p&gt;

&lt;p&gt;One line: Agents need courts, and 27 firms just bet on GenLayer to build them.&lt;/p&gt;

</description>
      <category>career</category>
      <category>productivity</category>
      <category>linux</category>
    </item>
    <item>
      <title>Cursor Is Building an Office Agent That Does More Than Code — and Anthropic Is in Its Sights</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 17:15:28 +0000</pubDate>
      <link>https://dev.to/terminalblog/cursor-is-building-an-office-agent-that-does-more-than-code-and-anthropic-is-in-its-sights-4jk3</link>
      <guid>https://dev.to/terminalblog/cursor-is-building-an-office-agent-that-does-more-than-code-and-anthropic-is-in-its-sights-4jk3</guid>
      <description>&lt;p&gt;Cursor is building Sand, an office agent that reaches beyond the editor into the full workflow — email, docs, tickets, the stuff that lives around code, not just the code itself. The target? Anthropic's growing agent footprint.&lt;/p&gt;

&lt;p&gt;The shift from "coding agent" to "office agent" is the logical next step. Once your tool can write a function, the next ask is always "write the PR description, update the ticket, draft the email." Sand appears designed to own that entire loop. For developers who already trust Cursor for the code part, the extension into surrounding workflow is frictionless — same tool, same context, wider scope.&lt;/p&gt;

&lt;p&gt;For the coding agent community, this is the exact expansion we've been tracking in the open-source world. oh-my-pi's model hub and OpenClaw's session fleet are both bets that the agent becomes the workspace, not just the editor. Sand from Cursor is the closed-source version of the same insight. The coding-agent wars are now about who owns the full developer operating system, not just the diff generation.&lt;/p&gt;

&lt;p&gt;One line: Cursor's Sand wants to own the whole developer workflow — and Anthropic is standing in the way.&lt;/p&gt;

</description>
      <category>career</category>
      <category>productivity</category>
      <category>linux</category>
    </item>
    <item>
      <title>GPT-5.6 Sol Ultra Just Used 64 Subagents to Crack a 50-Year-Old Math Problem</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 17:15:12 +0000</pubDate>
      <link>https://dev.to/terminalblog/gpt-56-sol-ultra-just-used-64-subagents-to-crack-a-50-year-old-math-problem-5em4</link>
      <guid>https://dev.to/terminalblog/gpt-56-sol-ultra-just-used-64-subagents-to-crack-a-50-year-old-math-problem-5em4</guid>
      <description>&lt;p&gt;OpenAI's GPT-5.6 Sol Ultra orchestrated 64 subagents to prove a math conjecture that stood unresolved for 50 years. The subagents didn't just split the work — they coordinated, each tackling a fragment of the proof, then converged on a result no single model pass had reached.&lt;/p&gt;

&lt;p&gt;This is the headline that matters for anyone running coding agents: multi-agent orchestration at scale works. Fifty years is a long time for a problem to sit unsolved, and a model with 64 subagents cracked it. It validates the architectural bet that composing smaller, specialized agents can outperform a single monolithic attempt — the same bet that tools like OpenClaw's session fleet and oh-my-pi's model hub are making in the open-source agent ecosystem.&lt;/p&gt;

&lt;p&gt;For the coding agent community, the 64-subagent pattern is the important signal. The takeaway isn't that GPT-5.6 can do math — it's that routing work across many specialized subroutines is the path to solving problems that defeat a single pass. That architecture is already shipping in coding agents that decompose tasks across multiple model calls.&lt;/p&gt;

&lt;p&gt;One line: 64 subagents, five-decade-old problem, solved — orchestration at scale works, and it's the same pattern reshaping coding agents today.&lt;/p&gt;

</description>
      <category>career</category>
      <category>productivity</category>
      <category>linux</category>
    </item>
    <item>
      <title>Unsloth's New Qwen3.6 Quantizations Run 2.5x Faster on Your Existing GPU</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 17:09:44 +0000</pubDate>
      <link>https://dev.to/terminalblog/unsloths-new-qwen36-quantizations-run-25x-faster-on-your-existing-gpu-319h</link>
      <guid>https://dev.to/terminalblog/unsloths-new-qwen36-quantizations-run-25x-faster-on-your-existing-gpu-319h</guid>
      <description>&lt;p&gt;Unsloth just pushed Qwen3.6 quantizations that hit 2.5x faster GPU speed. In practice that means the same model, same hardware, nearly triple the throughput — or the same throughput on a much cheaper card.&lt;/p&gt;

&lt;p&gt;The numbers come from Unsloth's quantization layer, which has been aggressively optimized for the Qwen3.6 architecture. A 2.5x speed-up on GPU is the kind of gain you normally need a hardware refresh to get. Instead, it's a drop-in replacement on the inference stack you already have. For teams running local or self-hosted coding agents, that's the difference between a model being too slow for interactive use and feeling snappy.&lt;/p&gt;

&lt;p&gt;For the coding agent community, this is the real unlock: quantization is no longer a quality-compromise play. At 2.5x faster, you gain options — run a bigger quantized model than you could fit at full precision, or serve more concurrent agent sessions from the same card. Unsloth keeps making the "run it yourself" argument stronger with every release.&lt;/p&gt;

&lt;p&gt;One line: 2.5x faster on the GPU you already own — Unsloth's Qwen3.6 quantizations make the "run local" argument louder than ever.&lt;/p&gt;

</description>
      <category>career</category>
      <category>productivity</category>
      <category>linux</category>
    </item>
    <item>
      <title>Meta Just Slashed AI API Pricing to a Quarter of What Everyone Else Charges</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 17:09:42 +0000</pubDate>
      <link>https://dev.to/terminalblog/meta-just-slashed-ai-api-pricing-to-a-quarter-of-what-everyone-else-charges-49dj</link>
      <guid>https://dev.to/terminalblog/meta-just-slashed-ai-api-pricing-to-a-quarter-of-what-everyone-else-charges-49dj</guid>
      <description>&lt;p&gt;The floor just dropped. Meta launched Muse Spark 1.1 through an API priced at roughly a quarter of what competitors charge. For developers running coding agents where every token gets billed, that's not a minor discount — it's a new default option for the high-volume, low-judgment calls that make up most of a session.&lt;/p&gt;

&lt;p&gt;The headline number is clear: 25% of the field's going rate. That makes Muse Spark 1.1 the cheapest credible fallback in any orchestrator's routing table right now. Whether it holds quality on complex tasks is the open question — but for the boring 80% of lookups, linting, and simple generation, the pricing alone earns it a slot.&lt;/p&gt;

&lt;p&gt;For the coding agent community, this changes the math on multi-model routing. If you were already composing models — letting a router pick the cheapest adequate model per subtask — Muse Spark 1.1 slots in as the cost-conscious backbone. The vendors that win the pricing race early don't need to win every benchmark; they just need to be cheap enough that the router picks them first.&lt;/p&gt;

&lt;p&gt;One line: Muse Spark 1.1 doesn't need to be the best — at a quarter of the price, it just needs to be good enough to own the cheap slot in every router.&lt;/p&gt;

</description>
      <category>career</category>
      <category>productivity</category>
      <category>linux</category>
    </item>
    <item>
      <title>Your Claude Code May Ask 700+ Permission Prompts Per Session — Here's How to Check</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 16:56:32 +0000</pubDate>
      <link>https://dev.to/terminalblog/your-claude-code-may-ask-700-permission-prompts-per-session-heres-how-to-check-4n50</link>
      <guid>https://dev.to/terminalblog/your-claude-code-may-ask-700-permission-prompts-per-session-heres-how-to-check-4n50</guid>
      <description>&lt;h1&gt;
  
  
  Your Claude Code May Ask 700+ Permission Prompts Per Session — Here's How to Check
&lt;/h1&gt;

&lt;p&gt;If you use Claude Code for multi-session orchestration — running parallel workflows, fan-out subagents, or status checks across worktrees — you may have noticed something maddening: hundreds of permission prompts. For commands that only read files.&lt;/p&gt;

&lt;p&gt;A freshly filed issue (&lt;a href="https://github.com/anthropics/claude-code/issues/76718" rel="noopener noreferrer"&gt;#76718&lt;/a&gt;) documents a compound-command permission bug that makes multi-session workflows nearly unusable. The reporter approved &lt;strong&gt;over 700 prompts&lt;/strong&gt; across two days of running parallel-session workflows. Every single prompt was for a non-mutating chain like &lt;code&gt;cd X &amp;amp;&amp;amp; git status -sb &amp;amp;&amp;amp; echo --- &amp;amp;&amp;amp; git log --oneline -5 &amp;amp;&amp;amp; echo --- &amp;amp;&amp;amp; gh pr list&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;The bug is that its permission engine evaluates compound commands as single units, not by their individual segments. Even when every segment (&lt;code&gt;cd&lt;/code&gt;, &lt;code&gt;git status&lt;/code&gt;, &lt;code&gt;echo&lt;/code&gt;, &lt;code&gt;gh pr list&lt;/code&gt;) has a matching allow rule, the compound chain still prompts. The system caps at roughly 5 saved rules per compound command, so a 6-segment chain of individually-allowlisted reads still hits the user with a dialog.&lt;/p&gt;

&lt;p&gt;The report is labeled &lt;strong&gt;bug&lt;/strong&gt;, &lt;strong&gt;has repro&lt;/strong&gt;, &lt;strong&gt;platform:windows&lt;/strong&gt;, &lt;strong&gt;area:bash&lt;/strong&gt;, and &lt;strong&gt;area:permissions&lt;/strong&gt; — the full stack of flags that says Anthropic can reproduce it and knows where the fix lives.&lt;/p&gt;

&lt;h2&gt;
  
  
  Are you affected?
&lt;/h2&gt;

&lt;p&gt;You're affected if you use compound commands (chained with &lt;code&gt;&amp;amp;&amp;amp;&lt;/code&gt;, &lt;code&gt;||&lt;/code&gt;, &lt;code&gt;;&lt;/code&gt;, &lt;code&gt;|&lt;/code&gt;, or &lt;code&gt;&amp;amp;&lt;/code&gt;) in Claude Code sessions, especially in multi-session or fan-out workflows. The bug is confirmed on Windows (Max plan) but the permission architecture is cross-platform.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Quick repro: run an individually-allowlisted compound chain&lt;/span&gt;
claude &lt;span class="nt"&gt;-p&lt;/span&gt; &lt;span class="s2"&gt;"cd /tmp &amp;amp;&amp;amp; ls &amp;amp;&amp;amp; echo ok"&lt;/span&gt;

&lt;span class="c"&gt;# If prompted despite Bash(cd:*), Bash(ls:*), Bash(echo:*) being allowlisted,&lt;/span&gt;
&lt;span class="c"&gt;# you are hitting the compound-command ceiling&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Look for the warning signs: mid-run prompts that interrupt a parallel fan-out, or an "allowlist" file that's grown past 700+ entries from clicking "Allow" hundreds of times.&lt;/p&gt;

&lt;h2&gt;
  
  
  The fix
&lt;/h2&gt;

&lt;p&gt;There's no official fix yet, but the reporter shares a working workaround — a custom &lt;code&gt;PreToolUse&lt;/code&gt; hook that parses compound commands, splits on shell operators, and auto-allows provably non-destructive chains:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;# PreToolUse hook logic (Python pseudocode)
&lt;/span&gt;&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;on_pre_tool_use&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;tool_use&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;tool_use&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;name&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Bash&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="n"&gt;segments&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;split_compound&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;tool_use&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nb"&gt;input&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="nf"&gt;all&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nf"&gt;is_read_only&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;s&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;s&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;segments&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
            &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;permission_decision&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;allow&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="bp"&gt;None&lt;/span&gt;  &lt;span class="c1"&gt;# fall through to normal prompt
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The reporter's hook allows only chains where every segment is provably non-destructive — &lt;code&gt;cd&lt;/code&gt;, &lt;code&gt;ls&lt;/code&gt;, &lt;code&gt;git status/log/diff&lt;/code&gt;, &lt;code&gt;gh pr list&lt;/code&gt;, &lt;code&gt;echo&lt;/code&gt; — while falling through to normal prompting for anything with &lt;code&gt;rm&lt;/code&gt;, &lt;code&gt;reset&lt;/code&gt;, &lt;code&gt;--force&lt;/code&gt;, &lt;code&gt;branch -D&lt;/code&gt;, write redirects, or credential-store paths.&lt;/p&gt;

&lt;p&gt;Requested fixes from the report (any would resolve this):&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Auto-approve compound commands when every decomposed segment matches an allow rule — remove the ~5-rule ceiling&lt;/li&gt;
&lt;li&gt;Don't score &lt;code&gt;cd&lt;/code&gt; into a workspace subdirectory as a gating path-read&lt;/li&gt;
&lt;li&gt;Ship a built-in "safe read-only command" auto-allow that survives chaining&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Why it happened
&lt;/h2&gt;

&lt;p&gt;Claude Code's permission system splits compound commands on &lt;code&gt;&amp;amp;&amp;amp;&lt;/code&gt;, &lt;code&gt;||&lt;/code&gt;, &lt;code&gt;;&lt;/code&gt;, &lt;code&gt;|&lt;/code&gt;, and &lt;code&gt;&amp;amp;&lt;/code&gt;, then evaluates each segment against the allowlist. But evaluation caps at roughly 5 saved rules per compound command, so a 6-segment chain always prompts. Worse, &lt;code&gt;cd&lt;/code&gt; into a workspace subdirectory is scored as a path-read operation, not as &lt;code&gt;Bash(cd:*)&lt;/code&gt;, so it doesn't match the common allow rule users expect. The net effect: &lt;strong&gt;no amount of allowlist tuning fixes it&lt;/strong&gt; for longer chains.&lt;/p&gt;

&lt;p&gt;Beyond the annoyance, this is a security concern. Flooding users with hundreds of benign prompts trains a rubber-stamp reflex — users start clicking "Allow" without reading. That degrades the security value of prompts that &lt;em&gt;should&lt;/em&gt; stop you — an &lt;code&gt;rm -rf&lt;/code&gt;, a force-push, a destructive script. The system teaches users to ignore it.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Q: Can I just enable "Allow all" to skip the prompts?&lt;/strong&gt;&lt;br&gt;
A: You can, but it bypasses all permission gating — including mutations you'd want to catch. The PreToolUse hook is safer because it auto-allows only non-destructive commands while still prompting on actual changes.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: Does this affect single-session Claude Code use?&lt;/strong&gt;&lt;br&gt;
A: Less noticeable, but yes. Any compound command longer than ~5 segments triggers a prompt even if every segment is individually allowlisted. Single-command users hit it less often because chains tend to be shorter.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: Will the fix remove the ~5-rule ceiling?&lt;/strong&gt;&lt;br&gt;
A: That's one of three requested fixes. If Anthropic removes the ceiling, compound commands where every segment is already allowlisted would pass through silently — preserving security for mutations while eliminating the false prompts.&lt;/p&gt;

</description>
      <category>security</category>
      <category>productivity</category>
      <category>programming</category>
      <category>linux</category>
    </item>
    <item>
      <title>Oh My Pi Is Crashing macOS With Native Grep — The Fix</title>
      <dc:creator>TerminalBlog</dc:creator>
      <pubDate>Sat, 11 Jul 2026 16:56:22 +0000</pubDate>
      <link>https://dev.to/terminalblog/oh-my-pi-is-crashing-macos-with-native-grep-the-fix-j1h</link>
      <guid>https://dev.to/terminalblog/oh-my-pi-is-crashing-macos-with-native-grep-the-fix-j1h</guid>
      <description>&lt;h1&gt;
  
  
  Oh My Pi Is Crashing macOS With Native Grep — The Fix
&lt;/h1&gt;

&lt;p&gt;Oh My Pi is one of the most capable coding agents for the terminal. But if you're on macOS and running native grep, there's a crash waiting to happen — and it can take your entire session with it.&lt;/p&gt;

&lt;p&gt;A newly filed issue (&lt;a href="https://github.com/can1357/oh-my-pi/issues/5205" rel="noopener noreferrer"&gt;#5205&lt;/a&gt;) with &lt;strong&gt;prio:p1&lt;/strong&gt; reveals that Oh My Pi's native &lt;code&gt;pi_natives&lt;/code&gt; grep implementation uses memory-mapped file I/O for files above a threshold. When another process rewrites or truncates the same file while grep is searching it — during a build, a log rotation, or a concurrent write — the mapped page can point past the file's new end. macOS responds with &lt;code&gt;SIGKILL (Code Signature Invalid)&lt;/code&gt;, and the entire Oh My Pi process dies.&lt;/p&gt;

&lt;p&gt;The macOS crash report reads: &lt;code&gt;Exception Type: EXC_CRASH (SIGKILL)&lt;/code&gt;, &lt;code&gt;Termination Reason: Namespace CODESIGNING, Code 2 Invalid Page&lt;/code&gt;, with the faulting thread inside the &lt;code&gt;Bun Pool&lt;/code&gt; at the first byte of a 4 MiB file-backed mapping. The reporter confirmed it with a stress test: a 5 MiB rewrite/search loop crashed on run 4 with &lt;code&gt;Bus error / exit 133&lt;/code&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Are you affected?
&lt;/h2&gt;

&lt;p&gt;You're affected if you run Oh My Pi &lt;strong&gt;16.4.4 or earlier&lt;/strong&gt; on &lt;strong&gt;macOS&lt;/strong&gt; and use native grep on files &lt;strong&gt;larger than 4 MiB&lt;/strong&gt; that could be written to concurrently — log files, build artifacts, temp files, anything another process modifies.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Check your version&lt;/span&gt;
omp &lt;span class="nt"&gt;--version&lt;/span&gt;

&lt;span class="c"&gt;# Quick stress test (WARNING: will crash your session)&lt;/span&gt;
&lt;span class="nb"&gt;dd &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;/dev/urandom &lt;span class="nv"&gt;of&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;/tmp/stressfile &lt;span class="nv"&gt;bs&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;1048576 &lt;span class="nv"&gt;count&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;5
omp &lt;span class="nb"&gt;exec&lt;/span&gt; &lt;span class="nt"&gt;--&lt;/span&gt; &lt;span class="nb"&gt;grep&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; &lt;span class="s2"&gt;"test"&lt;/span&gt; /tmp/stressfile &amp;amp;
&lt;span class="c"&gt;# In another terminal: head -c 5M /dev/urandom &amp;gt; /tmp/stressfile&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  The fix
&lt;/h2&gt;

&lt;p&gt;A fix is already submitted in &lt;a href="https://github.com/can1357/oh-my-pi/pull/5210" rel="noopener noreferrer"&gt;PR #5210&lt;/a&gt; — &lt;code&gt;fix(native): read grep files into stable snapshots&lt;/code&gt;. The patch replaces both mmap paths with bounded owned reads:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;At most 4 MiB + 1 byte for file classification&lt;/li&gt;
&lt;li&gt;At most 4 MiB for the oversized searchable prefix&lt;/li&gt;
&lt;li&gt;Removes the now-unused &lt;code&gt;memmap2&lt;/code&gt; dependency&lt;/li&gt;
&lt;li&gt;Adds a stable-snapshot regression test&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Verification on the fixed build: 20/20 clean exits on the concurrent rewrite/search stress test, all 164 native tests passing. Once merged, &lt;code&gt;omp update&lt;/code&gt; gets you the fix.&lt;/p&gt;

&lt;p&gt;In the meantime, avoid concurrent writes to files you're searching with native grep, or use the system grep (&lt;code&gt;/usr/bin/grep&lt;/code&gt;) as a workaround.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why it happened
&lt;/h2&gt;

&lt;p&gt;The native grep tool memory-maps regular files above a small-file threshold for performance. The &lt;code&gt;mmap&lt;/code&gt; call gives you a live window into the file on disk, not a stable copy. When the underlying file shrinks or gets rewritten, the mapped region can reference pages past the current file boundary. On macOS the kernel flags this as a code-signing violation (invalid page reference). On Linux and other POSIX systems the same pattern triggers &lt;code&gt;SIGBUS&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;The root assumption — that a file won't change during a fast grep — doesn't hold in an active development environment where builds, watchers, and other agents touch the same files.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Q: Does this affect Linux too?&lt;/strong&gt;&lt;br&gt;
A: Yes. The same mmap pattern can raise SIGBUS on Linux when a mapped page is accessed beyond the current end of the backing file, though macOS reports it as a code-signing failure instead.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: Is my session recoverable after the crash?&lt;/strong&gt;&lt;br&gt;
A: No. The crash terminates the entire oh-my-pi process with SIGKILL. There's no recovery path — you lose any unsaved state and must restart the agent.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Q: Will the bounded-read fix hurt performance?&lt;/strong&gt;&lt;br&gt;
A: Negligible impact for typical grep workloads. The 4 MiB cap covers the vast majority of search operations. The trade-off — stable snapshots instead of live mmap windows — eliminates an entire class of crash bugs at essentially zero cost for most users.&lt;/p&gt;

</description>
      <category>macos</category>
      <category>programming</category>
      <category>linux</category>
      <category>security</category>
    </item>
  </channel>
</rss>
