Claude Code Daily Briefing - 2026-05-28

Release Summary

Full Release Notes

New Features & Practical Usage

v2.1.152 — /code-review —fix, /reload-skills, MessageDisplay Hook (5/27)

v2.1.152 significantly improves the code review workflow and extends the skill management and hook systems.

/code-review --fix — Auto-apply review findings: Running /code-review --fix now automatically applies discovered issues to your working tree after the review completes. It surfaces reuse opportunities, simplifications, and efficiency improvements. /simplify now internally invokes /code-review --fix.

# Review and auto-fix
/code-review --fix

# /simplify now does the same
/simplify

/reload-skills — Rescan without restarting: After installing new skills, run /reload-skills to pick them up immediately. SessionStart hooks can also return reloadSkills: true to make hook-installed skills available in the same session.

disallowed-tools frontmatter: Skills and slash commands can now set disallowed-tools in frontmatter to remove specific tools from the model while the skill is active. Useful for research-only skills that shouldn’t write files.

MessageDisplay hook: A new hook event that lets you transform or hide assistant message text as it’s displayed. Useful for masking sensitive information or custom formatting.

Auto mode no longer requires opt-in: Auto mode no longer prompts for initial consent.

Other improvements:

• /resume now shows background sessions started via claude --bg or agent view (tagged with bg)
• Vim mode: / in NORMAL mode opens reverse history search
• Plugin marketplace managed setting pluginSuggestionMarketplaces for org allowlists
• Thinking summaries stay readable for at least 3 seconds, capped at 10 lines

GitHub v2.1.152

Security Guidance Plugin — Free Real-Time 3-Stage Vulnerability Detection (5/27)

Anthropic released the Security Guidance plugin for Claude Code, free on all plans. It detects vulnerabilities in real time across three stages during coding.

3-Stage Review Process:

1. On file edits (pattern matching): Instantly detects dangerous constructs like eval(), new Function(), os.system(), child_process.exec(), pickle deserialization, dangerouslySetInnerHTML, and .innerHTML=. No model calls, so zero usage cost.

2. After model turn (diff analysis): Analyzes the complete git diff to catch authorization bypasses, IDOR, injection flaws, SSRF, and weak cryptography.

3. On commits/pushes (context validation): Reviews surrounding files, sanitizers, and related code paths to reduce false positives.

Results: Internal testing showed a 30–40% decrease in security-related PR comments. Over 157,000 downloads within the first 24 hours.

Requirements: Claude Code v2.1.144+, Python 3.8+, Git repository

# Install from Claude Code plugin marketplace
claude plugin install security-guidance

Anthropic | Help Net Security | CybersecurityNews

Developer Workflow Tips

Running Claude Code Overnight — What Breaks and How to Fix It

Eva Khmelinskaya shared a practical guide on running Claude Code autonomously overnight, covering real failure points and solutions.

Common failure points:

• Context window saturation: Relevance drops sharply after ~400K tokens
• Error loops: Repeatedly attempting the same failing approach, burning tokens
• Permission prompt blocking: Unattended runs stalling on approval requests

Practical solutions:

1. Use /goal: Built-in feature that auto-evaluates goal completion and prevents unnecessary loops
2. claude --bg + /resume: v2.1.152 now shows background sessions in /resume, so work persists even after closing the terminal
3. Restrict with --allowedTools: Minimize permitted tools for autonomous runs to prevent unintended changes
4. Split tasks: Use multiple small background agents instead of one large task

Medium | Agensi

Building an Automated Quality Loop with /code-review —fix

Combine v2.1.152’s /code-review --fix with hooks and the Security Guidance plugin to create a pre-commit quality pipeline:

1. Complete implementation → run /code-review --fix — auto-fixes reuse, simplification, and efficiency issues
2. Security Guidance plugin catches vulnerabilities in real time on the modified code
3. PreCommit hook runs linting and tests automatically

Combined with Nolan Lawson’s multi-model review strategy (covered in previous briefings), this creates a triple verification pipeline: Claude self-review (/code-review --fix) → Security Guidance plugin → external model cross-validation.

GitHub v2.1.152

Security & Limitations

Security Guidance Plugin — Blocking 25+ Dangerous Patterns in Real Time (5/27)

The Security Guidance plugin (detailed above) covers several OWASP Top 10 categories:

• Injection: eval(), os.system(), SQL string concatenation
• XSS: dangerouslySetInnerHTML, .innerHTML=
• Insecure deserialization: pickle.loads(), yaml.load()
• SSRF and authorization bypass: Detected during the diff analysis stage

Limitations: Pattern matching is deterministic, but diff analysis and context validation rely on Claude’s reasoning and consume standard usage budget. For security-critical projects, use this plugin as a first line of defense, not a replacement for professional security review.

CSO Online

Ecosystem & Plugins

Anthropic Opens Korea Office — KiYoung Choi Appointed as Rep. Director (5/27)

Anthropic established its Korea entity and appointed KiYoung Choi, former Snowflake Korea GM, as Representative Director. The Seoul office will officially open in the coming weeks.

Why Korea matters:

• Anthropic’s March economic index shows Korean Claude usage is 3.5x higher than expected for the population
• Korea accounts for 3.06% of Claude traffic (30,618 sessions), ranking 2nd in East Asia after Japan
• Choi brings 30 years of tech leadership at Google Cloud, Adobe, Autodesk, and Microsoft Korea

The Korea team will focus on enterprise/startup partnerships, government and research institution engagement, and developer community support.

Anthropic | Asia Business Daily | Seoul Economic Daily

Cloudflare Flagship — Edge-Native Feature Flags (5/28)

Cloudflare launched Flagship, a feature flag service evaluated natively in Workers bindings with zero additional hops.

Key features:

• OpenFeature-compatible @cloudflare/flagship SDK (Workers, Node.js, browsers)
• Targeting with user attributes, 11 comparison operators, AND/OR logic, consistent hashing
• Boolean, String, Number, JSON variation types
• Dashboard management organized by app

For teams building Cloudflare Workers projects with Claude Code, define Flagship SDK patterns in CLAUDE.md to ensure consistent feature flag usage.

Cloudflare Docs | GeekNews

Community News

• Anthropic’s $900B+ valuation $30B round closing this week (5/28): Per Bloomberg, Sequoia, Dragoneer, Altimeter, and Greenoaks (~$2B each) are finalizing the round this week. If confirmed, Anthropic becomes the world’s most valuable AI startup, surpassing OpenAI. Q2 revenue at $10.9B, annualized $50B+ projected. Bloomberg

• Security Guidance plugin hits 157,000+ downloads in 24 hours: The explosive adoption signals that the industry is moving toward security-by-default in AI coding tools. CybersecurityNews

Minor Changes Worth Knowing

• /resume shows background sessions: Sessions started via claude --bg or agent view now appear alongside interactive ones, tagged bg (v2.1.152)
• Vim mode / reverse search: In NORMAL mode, / opens reverse history search (v2.1.152)
• /plugin browse shows update dates: Plugin browse and discover panes now display when a plugin was last updated (v2.1.152)
• /model session-scoped: /model changes now apply to the current session only (v2.1.152)
• Thinking summary readability: Summaries stay visible for at least 3 seconds, capped at 10 lines (v2.1.152)
• SessionStart hook session title: Set session title via hookSpecificOutput.sessionTitle on startup and resume (v2.1.152)

Recommended Reads

• “Running Claude Code Autonomously Overnight — What Breaks and How to Fix It”: Eva Khmelinskaya shares practical lessons from running Claude Code unattended. The observation that “agent relevance drops sharply after 400K tokens” is valuable for anyone planning autonomous workflows. Medium

• “Anthropic’s Claude Code Security Rollout Is an Industry Wakeup Call”: CSO Online analyzes the Security Guidance plugin as a decisive shift-left moment — embedding security at coding time rather than post-development review. “Making it free signals that this should be a baseline expectation, not a premium feature.” CSO Online

Interesting Projects & Tools

• Claude CLI Multi-Session Web Terminal — “Survives laptop lid close”: A web terminal managing multiple Claude CLI sessions in browser tabs. Sessions persist on the server via PTY, surviving browser/laptop closure. Auto-restores with --resume after system restarts. Single-file architecture: Vanilla JS + XTerm.js frontend (~2,400 lines), Python aiohttp backend (~500 lines). 3 points. GeekNews | GitHub

• AI Skill Store — Marketplace where AI agents discover and install skills: MCP-based marketplace supporting 7 platforms (Claude, GPT, Gemini). Agents can search skills in natural language and auto-install them. Universal Skill Key (USK) enables cross-platform skill usage. Both agents and humans can leave reviews. 1,900+ weekly tool calls. 2 points. GeekNews | GitHub