https://vulnerability.circl.lu/sightings/feedMost recent sightings.2026-06-18T18:45:23.971468+00:00Vulnerability-Lookupinfo@circl.lupython-feedgenContains only the most 10 recent sightings.https://vulnerability.circl.lu/sighting/8ddeda15-d1f1-4025-b150-f836a30f075b/export8ddeda15-d1f1-4025-b150-f836a30f075b2026-06-18T18:45:24.019562+00:00Automation userhttps://cve.circl.lu/user/automation{"uuid": "8ddeda15-d1f1-4025-b150-f836a30f075b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-59536", "type": "seen", "source": "https://bsky.app/profile/pigondrugs.bsky.social/post/3miidsebnxe26", "content": "", "creation_timestamp": "2026-04-02T04:14:44.273083Z"}2026-04-02T04:14:44.273083+00:00https://vulnerability.circl.lu/sighting/60e42a70-4caf-4197-8d3c-0e0094ecb895/export60e42a70-4caf-4197-8d3c-0e0094ecb8952026-06-18T18:45:24.019420+00:00Automation userhttps://cve.circl.lu/user/automation{"uuid": "60e42a70-4caf-4197-8d3c-0e0094ecb895", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2025-59536", "type": "seen", "source": "https://gist.github.com/yurukusa/8e7f0856edf44270ce8407287a02ec1b", "content": "", "creation_timestamp": "2026-04-19T03:57:34.000000Z"}2026-04-19T03:57:34+00:00https://vulnerability.circl.lu/sighting/35c52f40-1057-4f58-8ff2-fa262e204cb8/export35c52f40-1057-4f58-8ff2-fa262e204cb82026-06-18T18:45:24.019300+00:00Automation userhttps://cve.circl.lu/user/automation{"uuid": "35c52f40-1057-4f58-8ff2-fa262e204cb8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-59536", "type": "published-proof-of-concept", "source": "Telegram/pmzKbihchBYeJvBnkfYLk5LESIxSAVi0zGHv3QahmixU_js", "content": "", "creation_timestamp": "2026-04-20T09:00:05.000000Z"}2026-04-20T09:00:05+00:00https://vulnerability.circl.lu/sighting/fdf2097a-a5f7-4b5d-8cb3-b8f72402b4ee/exportfdf2097a-a5f7-4b5d-8cb3-b8f72402b4ee2026-06-18T18:45:24.019198+00:00Automation userhttps://cve.circl.lu/user/automation{"uuid": "fdf2097a-a5f7-4b5d-8cb3-b8f72402b4ee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-59532", "type": "seen", "source": "https://bsky.app/profile/r-netsec-bot.bsky.social/post/3mkaqdiof5n2w", "content": "", "creation_timestamp": "2026-04-24T14:28:10.492358Z"}2026-04-24T14:28:10.492358+00:00https://vulnerability.circl.lu/sighting/c826eb3e-35a9-4283-986c-64fd7897689f/exportc826eb3e-35a9-4283-986c-64fd7897689f2026-06-18T18:45:24.019084+00:00Automation userhttps://cve.circl.lu/user/automation{"uuid": "c826eb3e-35a9-4283-986c-64fd7897689f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-59536", "type": "seen", "source": "https://bsky.app/profile/hasamba72.bsky.social/post/3mkl4nscgnc2l", "content": "", "creation_timestamp": "2026-04-28T17:35:17.333552Z"}2026-04-28T17:35:17.333552+00:00https://vulnerability.circl.lu/sighting/350f3a13-1ee6-453a-a62a-129554300aab/export350f3a13-1ee6-453a-a62a-129554300aab2026-06-18T18:45:24.018701+00:00Automation userhttps://cve.circl.lu/user/automation{"uuid": "350f3a13-1ee6-453a-a62a-129554300aab", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2025-59536", "type": "seen", "source": "https://gist.github.com/M-Haseeb-Akram/02e8bf0cd48196ffd2aa31145a45cabb", "content": "# \"You Will Get Less, But Pay the Same Price\" \u2014 Why Developers Are Sounding the Alarm on GitHub Copilot's New Billing, and What Claude's Subscription Offers Instead\n\n*A deep, research-backed comparison of Claude Max / Enterprise and GitHub Copilot Enterprise \u2014 across coding, productivity, security, and total value*\n\n---\n\n## The Moment Everything Changed\n\nFor the past two years, the developer tooling market quietly settled into a familiar pricing rhythm. GitHub Copilot Enterprise sat at $39 per user per month (plus $21 for GitHub Enterprise Cloud, making the real cost $60/seat). Anthropic's Claude Max landed at $100\u2013$200 per month for individuals, with Team and Enterprise plans at $30\u2013$39 per seat. On the surface, these two subscriptions looked like they were playing in roughly the same ballpark \u2014 a few dozen to a few hundred dollars a month, depending on plan tier.\n\nThat assumption just got a lot more complicated.\n\nOn April 27, 2026, GitHub announced that all Copilot plans \u2014 including Business and Enterprise \u2014 will transition to usage-based billing starting June 1, 2026. Instead of the flat premium request model developers had grown accustomed to, every interaction with Copilot's AI features will now be metered in \"GitHub AI Credits,\" calculated based on token consumption, model multipliers, and real-time inference costs.\n\nThe developer community reacted almost immediately. A GitHub Community discussion thread drew over 70 comments and 105 replies within hours. One small company's engineering manager ran their 28 days of Copilot usage through the new pricing model and shared the result publicly: their bill would jump from under $1,000 a month to over $18,000 a month. Visual Studio Magazine captured the mood in a headline that spread across developer forums:\n\n> **\"You Will Get Less, but Pay the Same Price.\"**\n\nMeanwhile, Anthropic's Claude subscription \u2014 with its flat-rate Max plan, a growing suite of products bundled under a single price, and a genuinely new security capability that found over 500 zero-day vulnerabilities \u2014 has quietly become a very different kind of value proposition.\n\nThis article is a researcher's attempt to answer one question: when you compare these two subscriptions head-to-head \u2014 across coding, productivity, security, and total cost of ownership \u2014 which one actually delivers more?\n\n---\n\n## Part 1: The Copilot Billing Earthquake\n\n### What Was the Old Model?\n\nUnder the previous system, Copilot Enterprise users received 1,000 Premium Request Units (PRUs) per seat per month. Each feature had a fixed PRU cost. When you ran out, you could buy more at $0.04 per request, or fall back to a less capable model and keep working. It was imperfect, but it was predictable.\n\n### What Is Changing on June 1?\n\nStarting June 1, every interaction is billed by tokens \u2014 input, output, and cached \u2014 at the published API rate for whichever model you are using. Each AI Credit is worth $0.01 USD. The fallback to a cheaper model when you run out is gone. When credits are exhausted, premium features stop.\n\n| Plan | Price | Monthly AI Credits Included | Old PRUs |\n|------|-------|----------------------------|----------|\n| Copilot Pro | $10/mo | 1,000 credits ($10) | 300 PRUs |\n| Copilot Pro+ | $39/mo | 3,900 credits ($39) | 1,500 PRUs |\n| Copilot Business | $19/seat/mo | 1,900 credits/seat ($19) | 300 PRUs |\n| Copilot Enterprise | $39/seat/mo | 3,900 credits/seat ($39) | 1,000 PRUs |\n\nOn paper, prices are unchanged. In practice, what those prices include is shrinking for agentic users.\n\n### The Real Cost of a Heavy Day\n\nA developer on DEV Community ran the numbers. Using Claude Sonnet 4.6 (Copilot's default chat model) at $3 per million input tokens and $15 per million output tokens:\n\n| Usage scenario | Daily credit cost | Monthly cost |\n|----------------|-------------------|--------------|\n| Autocomplete only (completions stay free) | $0 | $0 |\n| 10 chat questions, moderate context | ~$0.60 | ~$18 |\n| 1 Opus agent session (multi-file refactor) | ~$10+ | Depends on frequency |\n| PR code review via Copilot agent (+ Actions minutes) | Varies | Unpredictable |\n\nA Business team of ten doing regular agentic work could see $520+ in monthly overage against a $190 flat baseline \u2014 and the promotional credits GitHub is offering through August 2026 only delay that reckoning.\n\nGitHub's Chief Product Officer Mario Rodriguez acknowledged the two-tier reality directly: a quiet user nudging completions across a normal working day costs almost nothing to serve, while a power user orchestrating hour-long edits on a frontier model with heavy context can cost an order of magnitude more.\n\n### The Second Billing Change Nobody Noticed\n\nBuried in the same announcement: Copilot Code Review \u2014 one of Enterprise's flagship features \u2014 will also consume GitHub Actions minutes starting June 1, in addition to AI Credits. Code Review runs on agentic architecture using GitHub-hosted runners. Every PR review your team triggers now has two billing dimensions: AI Credits for the model inference, and Actions minutes for the runner compute.\n\nTeams doing automated PR review on every commit in a busy monorepo will feel this immediately.\n\n---\n\n## Part 2: Subscription Plans \u2014 Side by Side\n\nBefore comparing features, here is the honest pricing picture for both subscriptions:\n\n### Claude Plans (Flat Rate)\n\n| Plan | Price | Billing model | Key inclusions |\n|------|-------|---------------|----------------|\n| Claude Max 5x | $100/mo (individual) | Flat rate | All products, 5\u00d7 Pro usage, Claude Code, Cowork |\n| Claude Max 20x | $200/mo (individual) | Flat rate | All products, 20\u00d7 Pro usage, maximum priority |\n| Claude Team (Standard seat) | $30/seat/mo | Flat rate | Claude.ai, Office add-ins, Slack, Projects |\n| Claude Team (Premium seat) | Included in Team | Flat rate | + Claude Code, Cowork, 5\u00d7 usage |\n| Claude Enterprise | $39+/seat/mo | Flat rate | Full suite, 400K+ context, SSO/SCIM/RBAC, audit logs |\n\n### GitHub Copilot Plans (Moving to Token-Based)\n\n| Plan | Price | Real cost | Billing model from June 1 |\n|------|-------|-----------|--------------------------|\n| Copilot Pro | $10/mo | $10/mo | Token-based (1,000 AI Credits) |\n| Copilot Business | $19/seat/mo | $19/seat | Token-based (1,900 credits/seat, pooled) |\n| Copilot Enterprise | $39/seat/mo | $60/seat (+ $21 GitHub Enterprise Cloud) | Token-based (3,900 credits/seat, pooled) |\n\nThe critical difference: Claude's flat rate does not change regardless of how heavily you use Claude Code, Cowork, or agentic features. Copilot's effective price will now depend on your usage patterns \u2014 and for teams running agentic workflows, that gap will grow.\n\n---\n\n## Part 3: What Claude's Subscription Actually Bundles\n\nThe product list under Claude's subscription has expanded significantly in 2026. Here is everything included, organized by category, based on Anthropic's official product listing:\n\n### AI Models\n\n| Model | Context window | Best for |\n|-------|---------------|----------|\n| Claude Opus 4.7 | 1M tokens | Frontier coding, complex reasoning, vision |\n| Claude Opus 4.6 | 1M tokens | Agentic coding (93.9% SWE-Bench), production use |\n| Claude Sonnet 4.6 | 200K tokens | Everyday tasks, balanced speed/quality |\n| Claude Haiku 4.5 | 200K tokens | High-volume, latency-sensitive applications |\n| Claude Mythos | Restricted | Security research (not generally available) |\n\n### Coding & Security Tools\n\n| Product | What it does | Plan availability |\n|---------|-------------|-------------------|\n| Claude Code | Terminal-first agentic coding agent; reads full repos, runs tests, opens PRs | Max, Premium Team, Enterprise |\n| Claude Code Security | Reasoning-based zero-day vulnerability scanner; human approval before any patch | Enterprise, Team (preview) |\n\n### Productivity & Automation\n\n| Product | What it does | Available on |\n|---------|-------------|--------------|\n| Claude.ai (web, iOS, Android) | Main conversational interface with memory, Deep Research, Artifacts, Voice | All paid plans |\n| Claude Desktop App | macOS + Windows; local Claude Code and Cowork integration | All paid plans |\n| Claude Cowork | Desktop agent for multi-app automation (Notion, Jira, Slack, Drive, files) | Max, Premium Team, Enterprise |\n| Claude Design | Visual prototyping \u2014 UI mockups, slides, one-pagers (launched Apr 17, 2026) | Max, Enterprise |\n| Claude for Slack | Claude embedded in Slack workspaces | Team, Enterprise |\n| Claude for Chrome | Browsing agent that assists while you navigate the web | Max, Enterprise |\n\n### Office Integration\n\n| Product | Integration | Available on |\n|---------|------------|--------------|\n| Claude for Word | Microsoft Word AI add-in | Team, Enterprise |\n| Claude for Excel | Microsoft Excel AI add-in with full Claude context | Team, Enterprise |\n| Claude for PowerPoint | Microsoft PowerPoint AI add-in | Team, Enterprise |\n\n### Platform & Research Features\n\n| Feature | What it does |\n|---------|-------------|\n| Deep Research | Multi-step agent synthesizing 10\u201350 sources into structured reports |\n| Artifacts | Inline rendered HTML/React/SVG tools and dashboards with persistent storage |\n| Projects + Memory | Cross-session persistent context, files, and personal preference recall |\n| Voice mode | Full conversational voice interface (Max users get priority early access) |\n| MCP ecosystem | Open protocol connecting Claude to any tool, API, or data source |\n\n### Cloud & Platform Availability\n\nClaude models and APIs are available on Amazon Bedrock, Google Cloud's Vertex AI, and Microsoft Foundry \u2014 meaning organizations already running on major cloud providers can integrate Claude without changing infrastructure.\n\n---\n\n## Part 4: Claude Code Security \u2014 The Feature Nobody Saw Coming\n\nOf everything Anthropic shipped in 2026, Claude Code Security has been the most underreported outside of security circles. To understand why it matters, you need to know what happened in February.\n\n### The Research (February 5, 2026)\n\nAnthropic's Frontier Red Team published findings at red.anthropic.com: Claude Opus 4.6 had found and validated more than 500 high-severity vulnerabilities in production open-source software \u2014 codebases that had accumulated millions of fuzzer CPU hours with no results.\n\nThe methodology was fundamentally different from traditional scanning tools:\n\n| Approach | How it works | What it finds |\n|----------|-------------|---------------|\n| Fuzzing | Feeds random inputs until the program crashes | Known vulnerability classes with observable crashes |\n| CodeQL / SAST | Pattern-matches against predefined rule sets | Vulnerabilities that match existing rules |\n| Claude Code Security | Reasons across code logic, commit history, data flow | Novel vulnerabilities including those with no crash signal |\n\nOne striking example: when searching GhostScript, Claude exhausted conventional approaches, then pivoted to reading the Git commit history. It identified a security-relevant commit and reasoned: *\"If this commit adds bounds checking, the code before it was vulnerable.\"* Fuzzers had been running on that codebase for years.\n\n### Real-World Zero-Days Found\n\n| Software | Vulnerability | CVE | CVSS | Time to discovery |\n|----------|--------------|-----|------|-------------------|\n| Vim | Missing security checks in tabpanel sidebar (2025 feature) | CVE-2026-34714 | 9.2 | ~2 minutes |\n| GNU Emacs | Related missing security check | Pending | \u2014 | Shortly after Vim |\n| GhostScript | Stack bounds vulnerability (commit history analysis) | Disclosed | High | \u2014 |\n| 500+ open-source projects | Various memory corruption and logic vulnerabilities | Multiple | High | Ongoing |\n\n### The Product (February 20, 2026)\n\nFifteen days after publishing the research, Anthropic shipped Claude Code Security. Key design decisions:\n\n| Feature | Design choice | Why it matters |\n|---------|--------------|----------------|\n| Verification pipeline | Multi-stage false-positive filtering before surfacing findings | Reduces noise; findings are actionable |\n| Human approval gate | No patch deploys without explicit human sign-off | Prevents autonomous changes to production systems |\n| Open-source access | Free expedited access for OSS maintainers | Prioritizes public infrastructure protection |\n| Misuse controls | Activation-level probes detecting and blocking malicious use in real time | Manages dual-use risk |\n\nWhen Claude Code Security launched, VentureBeat reported it negatively affected stock market sentiment toward several traditional cybersecurity companies \u2014 an unusual signal for a developer tool feature.\n\n### Claude Mythos \u2014 What Comes Next\n\nAnthropic also previewed Claude Mythos, a restricted frontier model being made available through Project Glasswing \u2014 a coordinated initiative with Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.\n\nAnthropic's red team found that Mythos Preview can identify and exploit zero-day vulnerabilities in every major operating system and every major web browser, including a 17-year-old remote code execution vulnerability in FreeBSD and a web browser exploit chaining four vulnerabilities together. It is not generally available, and Anthropic has been explicit about why: the same capabilities that help defenders also help attackers.\n\n---\n\n## Part 5: Head-to-Head \u2014 Coding Features\n\n### Overall Scorecard\n\n| Category | Claude Max / Enterprise | GitHub Copilot Enterprise | Winner |\n|----------|------------------------|--------------------------|--------|\n| Model quality (coding) | Opus 4.6/4.7, 93.9% SWE-Bench | Multi-model picker (GPT-5.4, Claude, Gemini) | Claude |\n| Inline IDE autocomplete | Terminal-first; limited tab-completion | Best-in-class; 55% faster task completion | Copilot |\n| Agentic / autonomous coding | Full repo + multi-file + test execution | Good; weaker on 10+ file tasks | Claude |\n| Codebase context | 1M token native context; no setup | 8K inline context; Enterprise knowledge base | Claude |\n| Code review depth | Full diff + full codebase via MCP | Native GitHub PR interface; PR-aware | Draw |\n| Custom fine-tuned models | Not available | Enterprise: fine-tune on your org's codebase | Copilot |\n| Multi-IDE support | VS Code + terminal; no JetBrains/Xcode | VS Code, JetBrains, Visual Studio, Eclipse, Xcode, Neovim | Copilot |\n| GitHub / CI/CD integration | Via MCP (requires setup) | Native GitHub Actions, github.com, Mobile, CLI | Copilot |\n| Security scanning | Reasoning-based; 500+ zero-days found | CodeQL + Copilot Autofix (rule-based) | Claude |\n| Cost predictability | Flat rate; no token meter | Token-based from June 1; overage risk | Claude |\n\n### Detailed Notes on Key Categories\n\n**Agentic coding:** Claude Code was built from the ground up for autonomous operation. It reads the full repo in one context window, plans changes, executes them, runs tests, interprets failures, and iterates without leaving the terminal. Reviews consistently note that Copilot's agent struggles with tasks touching 10+ files with architectural implications. Claude Code does not.\n\n**Custom models:** Copilot Enterprise allows organizations to fine-tune private models trained specifically on their own codebase. For large teams with highly proprietary internal frameworks, this delivers meaningfully better inline completions. Claude has no equivalent \u2014 customization happens through long context and system prompts, not fine-tuned weights.\n\n**GitHub integration:** Copilot is native to the GitHub platform. Zero setup. Copilot lives inside PRs, issues, Actions, Mobile, and the CLI. Claude connects through MCP and can interact with GitHub, but it requires configuration and has no native Actions integration.\n\n---\n\n## Part 6: Head-to-Head \u2014 Non-Coding Features\n\nThis is where the comparison becomes less balanced. Copilot is a coding tool. Claude's subscription is a full productivity suite.\n\n| Feature | Claude Max / Enterprise | GitHub Copilot Enterprise |\n|---------|------------------------|--------------------------|\n| Long-form writing & documentation | Class-leading quality; ADRs, runbooks, PRDs from codebase context | Basic docstring generation; weaker long-form |\n| Deep Research | Multi-step agent, 10\u201350 sources synthesized | Bing-augmented chat; no research synthesis |\n| Desktop automation | Claude Cowork \u2014 multi-app workflows, file management | No equivalent |\n| Visual prototyping | Claude Design \u2014 mockups, slides, one-pagers | No equivalent |\n| Browser agent | Claude for Chrome | No equivalent |\n| Office integration | Claude for Word, Excel, PowerPoint (dedicated add-ins) | Microsoft 365 Copilot \u2014 separate $30/seat product |\n| Slack integration | Claude for Slack | No equivalent in Copilot; separate Teams Copilot |\n| Persistent memory | Projects + Memory \u2014 cross-session context recall | No personal memory; knowledge base is org-level only |\n| Interactive artifacts | Rendered HTML/React/SVG tools in chat | Code output only; must copy-paste to see result |\n| Voice mode | Full conversational voice (Max early access) | No equivalent |\n\nThe Microsoft 365 Copilot point deserves emphasis. Many developers assume that GitHub Copilot Enterprise and Microsoft's Office AI tools are bundled together. They are not. If your team wants AI assistance in Word, Excel, and PowerPoint through the Microsoft ecosystem, that is a separate $30/seat/month license \u2014 bringing the real combined cost to $90/seat/month before you account for GitHub Enterprise Cloud.\n\nClaude's Office add-ins are included in Team and Enterprise plans at no additional cost.\n\n---\n\n## Part 7: Exclusive to Claude \u2014 No Copilot Equivalent\n\nThese are the Claude products that GitHub Copilot Enterprise simply does not have a comparable feature for:\n\n| Product | Category | What it does |\n|---------|----------|-------------|\n| Claude Cowork | Desktop automation | Multi-app agent: automates Notion, Jira, Slack, Drive, file management |\n| Claude Design | Visual creation | UI mockups, slides, one-pagers; reads Figma + codebase for design context |\n| Claude for Word | Office integration | Full Claude in Microsoft Word |\n| Claude for Excel | Office integration | Full Claude context for spreadsheet analysis and generation |\n| Claude for PowerPoint | Office integration | AI-assisted slide creation and editing |\n| Claude for Slack | Messaging | Claude embedded in Slack workspaces |\n| Claude for Chrome | Browser | Browsing agent; assists, summarizes, drafts while you navigate |\n| Deep Research | Research | Multi-step agent synthesizing 10\u201350 sources into structured reports |\n| Claude Voice | Interface | Full conversational voice mode for any task |\n| Artifacts | Output | Inline rendered + persistent interactive HTML/React/SVG tools |\n| Projects + Memory | Context | Cross-session memory and personal preference recall |\n| Claude Code Security | Security | Reasoning-based zero-day vulnerability discovery |\n| MCP ecosystem | Platform | Open protocol connecting Claude to any external tool or API |\n\n---\n\n## Part 8: If You Stay on Copilot \u2014 How to Control Your Bill\n\nFor teams committed to Copilot Enterprise who want to manage the June 1 billing transition, here are the highest-impact actions ranked by effort:\n\n| Action | Who | Impact on credits | Effort |\n|--------|-----|-------------------|--------|\n| Disable Copilot for XML / YAML / config files | Developer (IDE setting) | High \u2014 config files inflate context tokens | Low |\n| Keep .gitignore clean and complete | Developer (committed once) | High \u2014 prevents irrelevant files from entering context | Low |\n| Limit open editor tabs during agent sessions | Developer (daily habit) | High \u2014 each open tab contributes to context window | Low |\n| Work per microservice / scoped directory only | Developer (daily habit) | High \u2014 reduces repo surface Claude Code reads | Low |\n| Prefer inline completions over Chat | Developer (daily habit) | Medium \u2014 completions are free; Chat consumes credits | Low |\n| Switch to standard completion model for routine tasks | Developer (IDE setting) | Medium \u2014 premium models cost significantly more per token | Low |\n| Keep copilot-instructions.md minimal and focused | Developer (committed) | Medium \u2014 verbose instructions inflate every request | Low |\n| Use scoped Chat prompts with explicit context | Developer (daily habit) | Medium \u2014 reduces unnecessary token retrieval | Medium |\n| Restrict premium model access via org policy | Admin | Medium \u2014 prevents accidental high-cost model selection | Low |\n| Set spending limits and enable billing alerts | Admin | High \u2014 prevents surprise month-end bills | Low |\n| Monitor per-user credit consumption weekly | Admin | High \u2014 identifies power users early | Medium |\n\nGitHub has committed to launching a billing preview tool in early May 2026 so teams can see projected costs before June 1. Use it before the meter starts running.\n\n---\n\n## Part 9: Who Should Choose What\n\n### Choose Claude Max / Enterprise if:\n\n- You want the strongest autonomous coding agent for complex, multi-file, full-codebase tasks\n- Your work extends beyond pure coding \u2014 documentation, research, design, office productivity, browser workflows\n- You are building AI-native or MCP-connected workflows from the ground up\n- Security is a priority and you need reasoning-based vulnerability discovery, not just rule-based scanning\n- You need predictable flat-rate pricing that does not scale with agentic usage\n\n### Choose GitHub Copilot Enterprise if:\n\n- Your team is deeply embedded in VS Code or JetBrains and depends on world-class inline autocomplete\n- You are already on GitHub Enterprise Cloud and want zero-friction native integration with PRs, issues, and Actions pipelines\n- Your legal team requires IP indemnity \u2014 Microsoft assumes legal liability for Copilot-generated code that matches training data\n- You operate in US federal or defense environments requiring FedRAMP or ITAR compliance\n- You have a large enough team with unique enough internal frameworks to justify custom fine-tuned models\n\n### The Answer for Most Teams\n\n| Scenario | Recommended setup | Monthly cost (est.) |\n|----------|-------------------|---------------------|\n| Solo developer, mostly coding | Claude Max 5x + Copilot Pro | $110/mo |\n| Solo developer, full-stack productivity | Claude Max 5x only | $100/mo |\n| Small team (10 devs), mixed workloads | Claude Team (Premium) + Copilot Business | ~$490/mo |\n| Large enterprise, GitHub-native | Claude Enterprise + Copilot Enterprise | ~$99/seat/mo |\n| Budget-constrained, mostly agentic individual | Claude Max 5x only | $100/mo |\n\nThe most defensible configuration for most engineering teams right now: **Claude Code in the terminal** for complex autonomous tasks, **Copilot in the IDE** for inline autocomplete. The two tools address genuinely different parts of the development workflow. Used together, they cover more ground than either alone \u2014 and Claude's flat-rate pricing means the combination does not become unpredictable as your agentic usage grows.\n\n---\n\n## Conclusion\n\nGitHub Copilot's move to usage-based billing is not entirely wrong. The compute economics of running frontier models against multi-hour agentic coding sessions cannot be sustained under flat-rate pricing indefinitely \u2014 GitHub's CPO is right about that. But the execution has been rough: weeks of unexplained throttling, an announcement that arrived through a blog post and employee tweets, no meaningful warning period for annual subscribers, and a community now scrambling to calculate whether their workflows are still economically viable under the new model.\n\nOne developer summed it up in the GitHub community discussion thread: *\"I don't see companies going to be all happy if they get a 50x larger bill. People really underestimate how many tokens they use.\"*\n\nThe subscription price is staying the same. What you get for it is not.\n\nMeanwhile, Anthropic has spent 2026 quietly expanding what Claude's subscription covers \u2014 from reasoning-based security scanning that found 500+ zero-days in production open-source software, to desktop automation, to visual prototyping, to dedicated Office add-ins \u2014 all bundled under a flat rate that does not change based on how many tokens your agentic session consumed.\n\nThe billing moment has made the value gap visible in a way that product comparisons alone rarely do. Developers are paying attention.\n\n---\n\n## References\n\n1. GitHub Blog \u2014 \"GitHub Copilot is moving to usage-based billing\" (April 27, 2026) https://github.blog/news-insights/company-news/github-copilot-is-moving-to-usage-based-billing/\n2. Visual Studio Magazine \u2014 \"Devs Sound Off on Usage-Based Copilot Pricing Change: 'You Will Get Less, but Pay the Same Price'\" (April 27, 2026) https://visualstudiomagazine.com/articles/2026/04/27/devs-sound-off-on-usage-based-copilot-pricing-change-you-will-get-less-but-pay-the-same-price.aspx\n3. GitHub Changelog \u2014 \"GitHub Copilot code review will start consuming GitHub Actions minutes on June 1, 2026\" (April 27, 2026) https://github.blog/changelog/2026-04-27-github-copilot-code-review-will-start-consuming-github-actions-minutes-on-june-1-2026/\n4. GitHub Community Discussion #192948 \u2014 \"GitHub Copilot is moving to usage-based billing\" https://github.com/orgs/community/discussions/192948\n5. InfoWorld \u2014 \"GitHub shifts Copilot to usage-based billing, signaling a new cost model for enterprise AI tools\" (April 28, 2026) https://www.infoworld.com/article/4164236/github-shifts-copilot-to-usage-based-billing-signaling-new-cost-model-for-enterprise-ai-tools.html\n6. DEV Community \u2014 \"GitHub Copilot Switches to Usage-Based Billing on June 1. The Token Tab Came Due.\" https://dev.to/thegdsks/github-copilot-switches-to-usage-based-billing-on-june-1-the-token-tab-came-due-3h6c\n7. Growth Acceleration Partners \u2014 \"GitHub Copilot's New Usage-Based Billing: What Changed, Why Developers Are Upset\" (April 28, 2026) https://www.gapvelocity.ai/blog/github-copilots-new-usage-based-billing-what-changed-why-developers-are-upset-and-what-it-means\n8. BigGo Finance \u2014 \"GitHub Copilot Ditches Flat-Rate AI for Metered Billing Starting June 1\" https://finance.biggo.com/news/8GB60p0BoQmpnl36awzG\n9. Anthropic Red Team \u2014 \"0-Days\" (February 5, 2026) https://red.anthropic.com/2026/zero-days/\n10. VentureBeat \u2014 \"Anthropic's Claude Code Security is available now after finding 500+ vulnerabilities\" (February 23, 2026) https://venturebeat.com/security/anthropic-claude-code-security-reasoning-vulnerability-hunting\n11. Futurum Group \u2014 \"Claude Found 500 Zero-Days. Who Patches Them Before Attackers Arrive?\" (February 24, 2026) https://futurumgroup.com/insights/claude-found-500-zero-days-who-patches-them-before-attackers-arrive/\n12. CSO Online \u2014 \"Vim and GNU Emacs: Claude Code helpfully found zero-day exploits for both\" https://www.csoonline.com/article/4153288/vim-and-gnu-emacs-claude-code-helpfully-found-zero-day-exploits-for-both.html\n13. Anthropic Red Team \u2014 \"Claude Mythos Preview\" (April 2026) https://red.anthropic.com/2026/mythos-preview/\n14. The Hacker News \u2014 \"Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems\" https://thehackernews.com/2026/04/anthropics-claude-mythos-finds.html\n15. GitHub Docs \u2014 \"Plans for GitHub Copilot\" https://docs.github.com/en/copilot/get-started/plans\n16. GitHub Docs \u2014 \"Choosing your enterprise's plan for GitHub Copilot\" https://docs.github.com/copilot/get-started/choosing-your-enterprises-plan-for-github-copilot\n17. Anthropic Support \u2014 \"What is the Max plan?\" https://support.claude.com/en/articles/11049741-what-is-the-max-plan\n18. Anthropic \u2014 Claude Max Plan (Official) https://claude.com/pricing/max\n19. SSD Nodes \u2014 \"Claude Code Pricing in 2026: Every Plan Explained\" (March 26, 2026) https://www.ssdnodes.com/blog/claude-code-pricing-in-2026-every-plan-explained-pro-max-api-teams/\n20. NxCode \u2014 \"Claude Code Pricing 2026: Free Credits, API Costs & Max Plan Explained\" https://www.nxcode.io/resources/news/claude-code-pricing-2026-free-api-costs-max-plan\n21. Bits From Bytes \u2014 \"GitHub Copilot Review 2026: Pricing, Features & Is It Worth $19/Month?\" https://bitsfrombytes.com/github-copilot-review-2026-tested/\n22. Check Point Research \u2014 \"RCE and API Token Exfiltration Through Claude Code Project Files\" (February 26, 2026) https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/\n\n---\n\n*This article was researched and written in April 2026. Pricing and product details are accurate as of that date and subject to change. All pricing figures are in USD.*\n\n*Published by Haseeb \u2014 Software Developer*", "creation_timestamp": "2026-05-08T07:30:04.000000Z"}2026-05-08T07:30:04+00:00https://vulnerability.circl.lu/sighting/15f59cf0-8051-492e-924b-d775d4f8ba85/export15f59cf0-8051-492e-924b-d775d4f8ba852026-06-18T18:45:24.018582+00:00Automation userhttps://cve.circl.lu/user/automation{"uuid": "15f59cf0-8051-492e-924b-d775d4f8ba85", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-59536", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/84545", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #RCE #Remote\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a cve-2025-59536-poc\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a tacdm\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a JavaScript\n\u2b50 Star\u6570\u91cf\uff1a 0 | \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-17 10:39:15\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nCVE-2025-59536: RCE via Claude Code Project Hooks (PoC)\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-17T11:00:42.000000Z"}2026-05-17T11:00:42+00:00https://vulnerability.circl.lu/sighting/c1bbab16-37d2-492a-965a-ae8242f9fe80/exportc1bbab16-37d2-492a-965a-ae8242f9fe802026-06-18T18:45:24.018442+00:00Automation userhttps://cve.circl.lu/user/automation{"uuid": "c1bbab16-37d2-492a-965a-ae8242f9fe80", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-59536", "type": "seen", "source": "Telegram/AKvzzPS6cRH5e3-Ghbw0kwesBlioL1QWpK2eWbvMSndUnWE", "content": "", "creation_timestamp": "2026-05-17T15:00:07.000000Z"}2026-05-17T15:00:07+00:00https://vulnerability.circl.lu/sighting/b01601e7-bfa0-4554-b11e-91a77673aea8/exportb01601e7-bfa0-4554-b11e-91a77673aea82026-06-18T18:45:24.018269+00:00Automation userhttps://cve.circl.lu/user/automation{"uuid": "b01601e7-bfa0-4554-b11e-91a77673aea8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-59536", "type": "seen", "source": "https://bsky.app/profile/boredchilada.bsky.social/post/3mmqz5tyqou26", "content": "~Checkpoint~\nAI models are now actively deployed in live attacks, including government breaches, mass exploitation, and PhaaS platforms.\n-\nIOCs: CVE-2025-59536, CVE-2026-21852, CVE-2026-33626\n-\n#AI #CyberCrime #ThreatIntel", "creation_timestamp": "2026-05-26T12:39:02.663547Z"}2026-05-26T12:39:02.663547+00:00https://vulnerability.circl.lu/sighting/6d67b6cc-7952-4375-a01e-d7dd1e4871ad/export6d67b6cc-7952-4375-a01e-d7dd1e4871ad2026-06-18T18:45:24.014985+00:00Automation userhttps://cve.circl.lu/user/automation{"uuid": "6d67b6cc-7952-4375-a01e-d7dd1e4871ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-59536", "type": "seen", "source": "https://gist.github.com/khandar-william/a1ae7a335157d6a2a1dcb9abe1710327", "content": "# Dive into Claude Code: Core Technical Content\n\nReference: https://arxiv.org/pdf/2604.14228\n\n## Design Principles (Table 1)\n\n| Principle | Values Served | Design Question | Sections |\n|-----------|---------------|----------------|----------|\n| Deny-first with human escalation | Authority, Safety | Should unrecognized actions be allowed, blocked, or escalated to the human? | 5, 8, 9 |\n| Graduated trust spectrum | Authority, Adaptability | Fixed permission level, or a spectrum users traverse over time? | 5 |\n| Defense in depth with layered mechanisms | Safety, Authority, Reliability | Single safety boundary, or multiple overlapping ones using different techniques? | 3, 5 |\n| Externalized programmable policy | Safety, Authority, Adaptability | Hardcoded policy, or externalized configs with lifecycle hooks? | 5, 6 |\n| Context as scarce resource with progressive management | Reliability, Capability | What is the binding resource constraint, and how to manage it: single-pass truncation or graduated pipeline? | 4, 6, 7, 8 |\n| Append-only durable state | Reliability, Authority | Mutable state, checkpoint snapshots, or append-only logs? | 4, 9 |\n| Minimal scaffolding, maximal operational harness | Capability, Reliability | Invest in scaffolding-side reasoning, or operational infrastructure that lets the model reason freely? | 3, 4 |\n| Values over rules | Capability, Authority | Rigid decision procedures, or contextual judgment backed by deterministic guardrails? | 3, 5, 7 |\n| Composable multi-mechanism extensibility | Capability, Adaptability | One unified extension API, or layered mechanisms at different context costs? | 6 |\n| Reversibility-weighted risk assessment | Capability, Safety | Same oversight for all actions, or lighter for reversible and read-only ones? | 4, 5, 8 |\n| Transparent file-based configuration and memory | Adaptability, Authority | Opaque database, embedding-based retrieval, or user-visible version-controllable files? | 7 |\n| Isolated subagent boundaries | Reliability, Safety, Capability | Subagents share the parent's context and permissions, or operate in isolation? | 8 |\n| Graceful recovery and resilience | Reliability, Capability | Fail hard on errors, or silently recover and reserve human attention for unrecoverable situations? | 4, 5 |\n\n## High-Level System Structure (7 components)\n\n1. **User**: Submits prompts, approves permissions, reviews output.\n2. **Interfaces**: Interactive CLI, headless CLI (`claude -p`), Agent SDK, and IDE/Desktop/Browser.\n3. **Agent loop**: `queryLoop()` async generator in `query.ts`.\n4. **Permission system**: Deny-first rule evaluation (`permissions.ts`), auto-mode ML classifier, hook-based interception (`types/hooks.ts`).\n5. **Tools**: Up to 54 built-in tools (19 unconditional, 35 conditional) assembled via `assembleToolPool()` (`tools.ts`), merged with MCP-provided tools.\n6. **State & persistence**: Append-only JSONL session transcripts (`sessionStorage.ts`), global prompt history (`history.ts`), subagent sidechain files.\n7. **Execution environment**: Shell execution with optional sandboxing (`shouldUseSandbox.ts`), filesystem operations, web fetching, MCP server connections.\n\n## Five Subsystem Layers\n\n**Surface layer**: `src/entrypoints/` (SDK entry, coreTypes.ts, controlSchemas.ts, coreSchemas.ts), `src/screens/`, `src/components/` (ink framework).\n\n**Core layer**: `queryLoop()` async generator (`query.ts`), five sequential compaction shapers (`query.ts:365-453`).\n\n**Safety/action layer**: \n- Permission system (`permissions.ts`) with 7 permission modes (`types/permissions.ts`)\n- Auto-mode ML classifier (`yoloClassifier.ts`)\n- Hook pipeline spanning 27 event types (`coreTypes.ts`; output schemas in `types/hooks.ts`)\n- Tool pool assembly via `assembleToolPool()` (`tools.ts`)\n- Shell sandbox (`shouldUseSandbox.ts`)\n- Subagent spawning via `AgentTool` (`AgentTool.tsx`, `runAgent.ts`)\n\n**State layer**:\n- `getSystemContext()` and `getUserContext()` (`context.ts`) - memoized\n- `src/state/` - runtime application state\n- JSONL session transcripts at project-specific paths (`sessionStorage.ts`)\n- Four-level instruction hierarchy (`claudemd.ts`)\n- Sidechain transcripts (`sessionStorage.ts:247`)\n- Resume/fork operations (`conversationRecovery.ts`)\n\n**Backend layer**: `BashTool.tsx`, `PowerShellTool.tsx`, `src/remote/`, MCP client (`services/mcp/client.ts`), 42 tool subdirectories in `src/tools/`\n\n## Seven Independent Safety Layers\n\n1. **Tool pre-filtering** (`tools.ts`): Blanket-denied tools removed from model's view before any call.\n2. **Deny-first rule evaluation** (`permissions.ts`): Deny rules always take precedence over allow rules.\n3. **Permission mode constraints** (`types/permissions.ts`): Active mode determines baseline handling.\n4. **Auto-mode classifier**: ML-based classifier evaluates tool safety.\n5. **Shell sandboxing** (`shouldUseSandbox.ts`): Restricts filesystem and network access.\n6. **Not restoring permissions on resume** (`conversationRecovery.ts`): Session-scoped permissions not restored.\n7. **Hook-based interception** (`types/hooks.ts`): `PreToolUse` hooks modify permission decisions; `PermissionRequest` hooks resolve decisions.\n\n## Seven Permission Modes (`types/permissions.ts`)\n\n1. `plan`: Model must create plan; execution proceeds only after user approval.\n2. `default`: Standard interactive use. Most operations require user approval.\n3. `acceptEdits`: Edits within working directory and certain filesystem shell commands auto-approved.\n4. `auto`: ML-based classifier evaluates requests (gated by `TRANSCRIPT_CLASSIFIER`).\n5. `dontAsk`: No prompting, but deny rules still enforced.\n6. `bypassPermissions`: Skips most permission prompts, but safety-critical checks remain.\n7. `bubble`: Internal-only mode for subagent permission escalation to parent terminal.\n\n## Five Pre-Model Context Shapers (`query.ts` before every model call)\n\n1. **Budget reduction** (`applyToolResultBudget()`): Enforces per-message size limits on tool results, replaces oversized outputs with content references.\n2. **Snip** (`snipCompactIfNeeded()`, gated by `HISTORY_SNIP`): Lightweight trim removing older history segments.\n3. **Microcompact**: Fine-grained compression, always runs time-based path, optionally cache-aware path (gated by `CACHED_MICROCOMPACT`).\n4. **Context collapse** (gated by `CONTEXT_COLLAPSE`): Read-time projection over conversation history; summary messages live in collapse store, not REPL array.\n5. **Auto-compact**: Full model-generated summary via `compactConversation()` in `compact.ts`; fires only when context still exceeds pressure threshold after previous four shapers.\n\n## Four Extension Mechanisms (Section 6)\n\n**MCP servers**: Primary external tool integration. Configured from project, user, local, enterprise scopes. Client supports stdio, SSE, HTTP, WebSocket, SDK, IDE-specific variants.\n\n**Plugins**: Package and distribute bundles of MCP servers, skills, hooks, and commands.\n\n**Skills**: Domain-specific instructions injected into context; only frontmatter descriptions stay in prompt.\n\n**Hooks**: 27 hook events: tool authorization (PreToolUse, PostToolUse, PostToolUseFailure, PermissionRequest, PermissionDenied), session lifecycle (SessionStart, SessionEnd, Setup, Stop, StopFailure), user interaction (UserPromptSubmit, Elicitation, ElicitationResult), subagent coordination (SubagentStart, SubagentStop, Teammatedle, TaskCreated, TaskCompleted), context management (PreCompact, PostCompact, InstructionsLoaded, ConfigChange), workspace events (CwdChanged, FileChanged, WorktreeCreate, WorktreeRemove), notifications. Persisted hooks use four command types: `command`, `prompt`, `http`, `agent`.\n\n## CLAUDE.md Four-Level Hierarchy (`claudemd.ts`)\n\n1. **Managed memory** (`/etc/claude-code/CLAUDE.md`): OS-level policy for all users.\n2. **User memory** (`~/claude/CLAUDE.md`): Private global instructions.\n3. **Project memory** (`CLAUDE.md`, `claude/CLAUDE.md`, `.claude/rules/*.md` in project roots): Instructions checked into codebase.\n4. **Local memory** (`CLAUDE.local.md` in project roots): Git-ignored, private project-specific instructions.\n\nMemory files support `@include` directive for modular instruction sets. Syntax variants: `@path`, `@/relative`, `@~/home`, `@/absolute`. Works in leaf text nodes only (not inside code blocks).\n\n## Subagent Types (Section 8)\n\n**Built-in subagents**:\n- **Explore**: primarily read/search-oriented investigation, write/edit tools in deny-list\n- **Plan**: creates structured plans; execution proceeds through standard permission model\n- **General-purpose**: broadly capable, used when explicitly requested\n- **Claude Code Guide**: onboarding and documentation assistance with own permissionMode override\n- **Verification**: validation checks (test suites, linting)\n- **Statustime-setup**: terminal status line configuration\n\n**Custom subagents**: via `.claude/agents/*.md` files; YAML frontmatter specifies description, tools (allowlist), disallowedTools, model, effort, permissionMode, mcpServers, hooks, maxTurns, skills, memory scope, background flag, isolation mode.\n\n## Subagent Isolation Modes (`AgentTool.tsx`)\n\n- **Worktree**: Creates temporary git worktree, subagent gets its own copy of repository\n- **Remote** (internal-only): Launches in remote Claude Code Remote environment, always background\n- **In-process** (default): Shares filesystem with parent but operates in isolated conversation context\n\nPermission override logic (`runAgent.ts`): When subagent defines permissionMode, override applied unless parent already in `bypassPermissions`, `acceptEdits`, or `auto` mode (those always take precedence). Async agents: cascade of `canShowPermissionPrompts` first, then bubble mode, then default (sync show prompts, async do not).\n\n## Session Persistence (`sessionStorage.ts`)\n\nTranscript path: `join(projectDir, ${getSessionId()}.jsonl)`. Three independent persistence channels:\n\n1. **Session transcripts**: Conversation records (user, assistant, attachment, system messages, compaction markers, filehistory snapshots, attribution snapshots, content-replacement records)\n2. **Global prompt history**: `history.jsonl` at Claude configuration home directory (`history.ts`)\n3. **Subagent sidechains**: Separate `.jsonl` + `.meta.json` files per subagent\n\n`compact_boundary` marker records `headUuid`, `anchorUuid`, `tailUuid` via `annotateBoundaryWithPreservedSegment()` (`compact.ts`). Resume/fork (`conversationRecovery.ts`, `commands/branch/branch.ts`) do NOT restore session-scoped permissions.\n\n## Tool Pool Assembly Five-Step Pipeline (`tools.ts`)\n\n1. **Base tool enumeration**: `getAllBaseTools()` returns up to 54 tools (19 always included: BashTool, FileReadTool, AgentTool, SkillTool; 35 conditional)\n2. **Mode filtering**: `getTools()` applies mode-specific filtering; `CLAUDE_CODE_SIMPLE` mode only Bash, Read, Edit\n3. **Deny rule pre-filtering**: `filterToolsByDenyRules()` strips blanket-denied tools\n4. **MCP tool integration**: MCP tools from `appState.mcp.tools` filtered and merged\n5. **Deduplication**: By name, built-in tools take precedence over MCP tools\n\n## Tool Dispatch and Streaming Execution (`StreamingToolExecutor.ts`)\n\n- Sibling abort controller: Fires when any Bash tool errors, immediately terminating other in-flight subprocesses\n- Progress-available signal: Wakes up `getRemainingResults()` consumer when new output ready\n- Results buffered and emitted in order tools were received\n- Concurrent-read, serial-write execution model\n\n## Query Loop Stop Conditions\n\n1. No tool use (model produces only text content)\n2. Max turns (`maxTurns` limit reached)\n3. Context overflow (API returns `prompt_too_long`)\n4. Hook intervention (`PostToolUse` hook sets `hook_stopped_continuation`)\n5. Explicit abort (`abortController` signal fires)\n\n## Recovery Mechanisms\n\n- **Max output tokens escalation**: Up to three recovery attempts per turn (`MAX_OUTPUT_TOKENS_RECOVERY_LIMIT = 3`)\n- **Reactive compaction** (gated by `REACTIVE_COMPACT`): Summarizes just enough to free space; `hasAttemptedReactiveCompact` flag ensures at most once per turn\n- **Prompt-too-long handling**: First attempts context collapse overflow recovery and reactive compaction\n- **Streaming fallback**: `onStreamingFallback` callback handles streaming API issues\n- **Fallback model**: `fallbackModel` parameter enables switching to alternative model\n\n## 27 Hook Events (`coreTypes.ts`, `types/hooks.ts`)\n\nPermission flow hooks (5):\n- `PreToolUse`: returns `permissionDecision` (deny/ask), `permissionDecisionReason`, `updatedInput`\n- `PostToolUse`: injects `additionalContext`, for MCP tools returns `updatedMCPToolOutput`\n- `PostToolUseFailure`: injects `additionalContext` for error-specific guidance\n- `PermissionDenied`: provides retry guidance after auto-mode denials\n- `PermissionRequest`: returns `allow` or `deny` decision\n\nOther hook types: Session lifecycle, user interaction, subagent coordination, context management, workspace events, notifications.\n\nHook command types: `command` (shell), `prompt` (LLM), `http`, `agent` (agentic verifier), plus non-persistable `callback`.\n\n## MCP Client Transport Types (`services/mcp/client.ts`)\n\nstdio, SSE, HTTP, WebSocket, SDK, sse-ide, ws-ide\n\n## Context Injection Points (late injection after main window constructed)\n\n- Relevant-memory prefetch (`query.ts`)\n- MCP instructions deltas (new or changed server instructions)\n- Agent listing deltas\n- Background agent task notifications\n\n## File Structure Key Files\n\n| File | Size | Responsibility |\n|------|------|----------------|\n| `main.tsx` | 804KB | Entry point, mode dispatch, setup |\n| `query.ts` | 68KB | Core agent loop, 5 context shapers |\n| `QueryEngine.ts` | 47KB | SDK/headless conversation wrapper |\n| `Tool.ts` | 30KB | Tool interface, types, utilities |\n| `history.ts` | 14KB | Global prompt history |\n| `mcp/client.ts` | Large | MCP client (8+ transport variants) |\n| `compact.ts` | Large | Compaction engine |\n| `AgentTool.tsx` | Large | Agent tool, subagent dispatch |\n| `runAgent.ts` | Large | 21-parameter agent lifecycle |\n\n## Conditional Tool Availability Categories (`tools.ts`)\n\n- **Always included**: AgentTool, BashTool, FileReadTool, FileEditTool, FileWriteTool, SkillTool, WebFetchTool, WebSearchTool\n- **Environment**: GlobTool/GrepTool (unless embedded), ConfigTool (internal-only), PowerShellTool (Windows)\n- **Feature flag**: TaskCreate/Get/Update/List (todoV2), EnterWorktreeTool (worktree), TeamTools (swarms), ToolSearchTool\n- **Null-checked**: SuggestBackgroundPRTool, WebBrowserTool, RemoteTriggerTool, MonitorTool, SleepTool\n\n## Context Window Assembly Sources (Figure 6)\n\n1. System prompt (output style modifications, `--append-system-prompt` flag)\n2. Environment info via `getSystemContext()` (`context.ts`): git status, optional cache-breaking injection\n3. CLAUDE.md hierarchy via `getUserContext()` (`context.ts`)\n4. Path-scoped rules (conditional and directory-matched rules, lazy load)\n5. Auto memory (contextually relevant memory entries prefetched asynchronously)\n6. Tool metadata (skill descriptions, MCP tool names, deferred tool definitions via ToolSearch)\n7. Conversation history (subject to compaction)\n8. Tool results (file reads, command outputs, subagent summaries)\n9. Compact summaries (replacing older history segments)\n\n## Compacted Output Structure (`buildPostCompactMessages()` in `compact.ts`)\n\n```\n[boundaryMarker, ...summaryMessages, ...messagesToKeep, ...attachments, ...hookResults]\n```\n\nBoundary marker annotated with `headUuid`, `anchorUuid`, `tailUuid` via `annotateBoundaryWithPreservedSegment()`.\n\n## `runAgent()` 21 Parameters (`runAgent.ts`)\n\nAgent definition, prompts, permissions, tools, model settings, isolation, callbacks.\n\n## Two-Tier Permission Scoping for Subagents (`runAgent.ts`)\n\n- SDK-level permissions from `allowedTools` preserved (\"explicit permissions from the SDK consumer that should apply to all agents\")\n- Session-level rules replaced with subagent's declared `allowedTools`\n- When `allowedTools` not provided (common AgentTool path), parent's session-level rules inherited without replacement\n\n## Agent Teams Coordination\n\nFile locking rather than message broker or distributed coordination service. Tasks claimed from shared list via lock-file-based mutual exclusion. Lock files stored at predictable filesystem paths.\n\n## Security Vulnerabilities Documented\n\n- Commands with >50 subcommands fall back to single generic approval prompt instead of per-subcommand deny-rule checks (Adversa.ai, 2026)\n- Pre-trust initialization ordering: hooks, MCP server connections, settings file resolution run before interactive trust dialog (Donenfeld and Vanunu, 2026; CVE-2025-59536 CVSS 8.7, CVE-2026-21852 CVSS 5.3)\n- Multiple CVEs exploit pre-trust initialization of hooks and MCP servers\n\n## Empirical Data Points\n\n- 1.6% of codebase constitutes AI decision logic; 98.4% operational infrastructure\n- Users approve approximately 93% of permission prompts (Hughes, 2026)\n- Auto-approve rates increase from ~20% at <50 sessions to >40% by 750 sessions (McCain et al., 2026)\n- Sandboxing reduced permission prompt frequency by estimated 84% (Dworken and Weller-Davies, 2025)\n- Agent teams consume approximately 7\u00d7 tokens of standard session in plan mode (Anthropic, 2025b)\n- 27% of Claude Code-assisted tasks were work not attempted without the tool (Huang et al., 2025)\n- Developers in AI-assisted conditions scored 17% lower on comprehension tests (Shen and Tamkin, 2026)\n- Causal analysis of Cursor adoption across 807 repositories: code complexity increased by 40.7% (He et al., 2025)\n- AI tools made developers 19% slower despite perceived 20% improvement (Becker et al., 2025)\n- 304,000 AI-authored commits across 6,275 repositories: ~25% of AI-introduced issues persist to latest revision (Liu et al., 2026)", "creation_timestamp": "2026-06-15T11:06:36.000000Z"}2026-06-15T11:06:36+00:00