release: v3.37.1 - threat-db v2.8.0, CC releases v2.1.78, 19 skills update, doc fixes
- threat-db v2.8.0: GhostClaw campaign, Fake OpenClaw Installer, CVE-2026-24910 (Bun), T017 Shadow MCP, T018 AI Search Poisoning, Jozu Agent Guard, MCP Sentinel - Claude Code releases tracked to v2.1.78 (StopFailure hook, plugin state, security fixes) - 19 skill descriptions improved (PR #9 selective merge, @popey/Tessl) - MCP vs CLI token overhead corrected (lazy loading, 85% reduction benchmark) - Agent Adoption Curve self-assessment (7-level maturity scale, Martignole framework) - ctx7 CLI section §5.5 + resource evals #079 #080 #081 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Florian BRUNIAUX
parent
eea5662a65
commit
44818a3f04
19 changed files with 785 additions and 87 deletions
|
|
@ -12,7 +12,7 @@ tags: [cheatsheet, reference]
|
|||
|
||||
**Written with**: Claude (Anthropic)
|
||||
|
||||
**Version**: 3.37.0 | **Last Updated**: March 2026
|
||||
**Version**: 3.37.1 | **Last Updated**: March 2026
|
||||
|
||||
---
|
||||
|
||||
|
|
@ -639,4 +639,4 @@ Speed: `rg` (~20ms) → Serena (~100ms) → ast-grep (~200ms) → grepai (~500ms
|
|||
|
||||
**Author**: Florian BRUNIAUX | [@Méthode Aristote](https://methode-aristote.fr) | Written with Claude
|
||||
|
||||
*Last updated: March 2026 | Version 3.37.0*
|
||||
*Last updated: March 2026 | Version 3.37.1*
|
||||
|
|
|
|||
|
|
@ -2107,11 +2107,11 @@ For developers hitting Claude Code's subscription limits or needing model flexib
|
|||
|
||||
An **on-machine AI coding agent** developed by Block (formerly Square), released under Apache 2.0 license. Unlike Claude Code, Goose runs entirely locally and is **model-agnostic**—it can use Claude, GPT, Gemini, Groq, or any LLM provider.
|
||||
|
||||
| Metric | Value (Jan 2026) |
|
||||
| Metric | Value (Mar 2026) |
|
||||
|--------|------------------|
|
||||
| **GitHub Stars** | 15,400+ |
|
||||
| **Contributors** | 350+ |
|
||||
| **Releases** | 100+ since Jan 2025 |
|
||||
| **GitHub Stars** | 33,000+ |
|
||||
| **Contributors** | 400+ |
|
||||
| **Releases** | 175+ since Jan 2025 |
|
||||
| **License** | Apache 2.0 (permissive) |
|
||||
| **Primary Language** | Rust (64%) + TypeScript (26%) |
|
||||
|
||||
|
|
@ -2124,7 +2124,7 @@ An **on-machine AI coding agent** developed by Block (formerly Square), released
|
|||
| **Cost Model** | Subscription ($20-$200/mo) | Free + your LLM API costs |
|
||||
| **Rate Limits** | Anthropic's weekly/5-hour caps | Your LLM provider's limits |
|
||||
| **Token Visibility** | Opaque (no per-prompt tracking) | Full transparency |
|
||||
| **MCP Support** | Native (growing ecosystem) | 3,000+ MCP servers available |
|
||||
| **MCP Support** | Native (growing ecosystem) | Thousands of MCP servers available |
|
||||
| **Setup Complexity** | Simple (npm install) | Moderate (Rust toolchain, API keys) |
|
||||
|
||||
### When to Consider Goose
|
||||
|
|
@ -2142,6 +2142,14 @@ An **on-machine AI coding agent** developed by Block (formerly Square), released
|
|||
- You value Claude's specific reasoning capabilities and can't substitute
|
||||
- You don't want to manage LLM API credentials
|
||||
|
||||
### Recipes: Goose's Equivalent of Skills + Commands
|
||||
|
||||
Goose has a workflow primitive called **Recipes** — versionable, shareable, parameterized multi-step workflows. Unlike Claude Code's skills (which define agent capabilities) or slash commands (which trigger one-shot actions), Recipes define complete execution sequences: what to do, in what order, with which model at each step. They can be shared as deeplinks, imported by teammates, and checked into source control. Closest Claude Code analogy: a skill that chains multiple commands in a defined sequence, with state carried between steps.
|
||||
|
||||
### Subagent Orchestration
|
||||
|
||||
Since mid-2025, Goose supports spawning specialized subagents within a workflow. A parent agent can delegate subtasks to subagents with different roles (Planner, Architect, Frontend Dev, Backend Dev), each potentially running a different LLM optimized for its task. This differs from Claude Code's Agent tool (which spawns a subagent with the same model) — Goose enables heterogeneous agent teams where model choice is per-role, not per-session. See §9 for Claude Code's native multi-agent patterns.
|
||||
|
||||
### Skill Portability
|
||||
|
||||
Both Claude Code and Goose support the [Agent Skills open standard](https://agentskills.io) (agentskills.io). Skills you create with SKILL.md are portable across 26+ platforms including Cursor, VS Code, GitHub, OpenAI Codex, and Gemini CLI. Claude Code-specific fields (`context`, `agent`) are ignored by other platforms but don't break compatibility.
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ This page compares two integration patterns for giving Claude Code access to ext
|
|||
|
||||
| Advantage | Detail |
|
||||
|-----------|--------|
|
||||
| **Zero context overhead** | No schema injected at startup — relevant when context budget is tight |
|
||||
| **Zero context overhead** | No schema injected at startup. Since v2.1.7 lazy loading closes most of the gap, but CLI is still the absolute minimum. |
|
||||
| **Deterministic actions** | Explicit commands with predictable output are easier to audit and test |
|
||||
| **Human + AI use** | The same CLI wrapper works for a developer running it manually and for Claude |
|
||||
| **Frontier models** | Claude Opus/Sonnet 4.6 can drive complex CLIs (aws-cli, glab, gh) without a structured schema |
|
||||
|
|
@ -52,7 +52,7 @@ This page compares two integration patterns for giving Claude Code access to ext
|
|||
|
||||
| Weakness | Detail |
|
||||
|----------|--------|
|
||||
| **Schema token cost** | Every MCP server injects its full tool list into the context window at session start, whether or not those tools are used that session |
|
||||
| **Schema token cost** | Since v2.1.7, lazy loading (MCP Tool Search) means unused tools inject only their name, not their full schema. Cost is still non-zero: tool names load at startup, full schemas load on first use. The pre-v2.1.7 worst case (~55K tokens for a 5-server setup) now averages ~8.7K — an 85% reduction, but not zero. |
|
||||
| **Connection overhead** | Session startup takes longer with many MCP servers connected |
|
||||
| **Debugging difficulty** | Failures inside an MCP server are harder to trace than a failed shell command |
|
||||
| **Maintenance complexity** | Running, updating, and securing remote MCP servers adds infrastructure |
|
||||
|
|
@ -112,7 +112,7 @@ Quick reference — not rules, but directional defaults.
|
|||
| Individual dev, local machine | **CLI or skill** | Simpler, faster, no infrastructure |
|
||||
| Deterministic actions (git, CI, deploy) | **CLI** | Explicit commands, predictable output, auditable |
|
||||
| Complex auth (OAuth, token refresh) | **MCP** | Server handles auth; CLI would require credential plumbing |
|
||||
| Tight context budget / many tools loaded | **CLI** | No schema injection at startup |
|
||||
| Tight context budget / many tools loaded | **CLI** | Still the minimum-overhead option. Lazy loading (v2.1.7+) reduces MCP cost significantly, but CLI has zero schema cost by design. |
|
||||
| Agent-to-agent structured output | **MCP** | JSON responses are more reliable than parsed CLI text |
|
||||
| Debugging / prototyping a new integration | **CLI** | Easier to inspect, faster to iterate |
|
||||
| Browser automation (non-frontier model) | **MCP** | Playwright MCP structures interaction reliably |
|
||||
|
|
@ -138,18 +138,35 @@ The mistake is applying one answer to both layers. A solo developer building a C
|
|||
|
||||
## Token cost of MCP schemas — what the numbers look like
|
||||
|
||||
MCP servers inject their full tool list into the context at session start. This is not free.
|
||||
Since v2.1.7 (January 2026), Claude Code uses **MCP Tool Search** (lazy loading) by default. This changes the token math significantly, but does not eliminate schema cost entirely.
|
||||
|
||||
A typical MCP server with 10-15 tools injects 500-2,000 tokens per session before any task starts. With 5 MCP servers connected, that is 2,500-10,000 tokens of overhead on every session, whether or not those tools are used.
|
||||
**How lazy loading works:** instead of injecting all tool schemas at session start, Claude receives only tool names in an `<available-deferred-tools>` block. Full schemas are fetched via `ToolSearch` only when Claude decides to call a specific tool. Unused tools in a session cost only their name in context (~0 schema tokens), not the full definition.
|
||||
|
||||
The practical consequence: if you load 10 MCP servers but only use 2 in a given session, you are paying for 8 servers worth of schema every time. This compounds with long sessions and high-frequency workflows.
|
||||
**Measured impact** (Anthropic benchmarks, 5-server setup):
|
||||
|
||||
**Mitigation strategies:**
|
||||
| Scenario | Token overhead | Note |
|
||||
|----------|---------------|------|
|
||||
| Before v2.1.7 (eager loading) | ~55,000 tokens | All schemas preloaded |
|
||||
| After v2.1.7 (lazy loading) | ~8,700 tokens | 85% reduction |
|
||||
| CLI (no MCP) | ~0 tokens | Baseline |
|
||||
|
||||
The old worst-case claim of "500-2,000 tokens per server" described eager loading, which is no longer the default. With lazy loading, the cost per unused server is near zero. The cost per *used* server (~600 tokens per tool schema loaded on demand) remains real, but is now pay-per-use rather than always-on.
|
||||
|
||||
**What still adds overhead even with lazy loading:**
|
||||
|
||||
- Tool names are still injected at startup (one line per tool per server)
|
||||
- Schemas load at first invocation — long sessions using many tools accumulate cost
|
||||
- Connection setup per server is unchanged (latency, not tokens)
|
||||
- Many connected MCP servers still means more names in context, even if schemas stay deferred
|
||||
|
||||
**Configuration** (v2.1.9+): the `ENABLE_TOOL_SEARCH` environment variable controls the threshold. `auto:N` triggers lazy loading when MCP tools exceed N% of context (default 10%).
|
||||
|
||||
**Mitigation strategies** (still relevant, lower urgency):
|
||||
|
||||
- Load MCP servers selectively per project (project-level config vs global config)
|
||||
- Use CLI tools for high-frequency operations where schema overhead accumulates
|
||||
- Monitor token usage per session to identify which MCP schemas are loaded but unused
|
||||
- Consider a CLI wrapper for tools you use frequently in tight loops (compile → test → fix cycles)
|
||||
- Use CLI tools for high-frequency tight loops where any overhead compounds (compile → test → fix)
|
||||
- Monitor token usage per session to identify which schemas are being loaded at invocation time
|
||||
- Consider a CLI wrapper for tools you use constantly but don't need structured output from
|
||||
|
||||
---
|
||||
|
||||
|
|
|
|||
|
|
@ -28,11 +28,12 @@ tags: [guide, workflows]
|
|||
8. [Embracing AI Tools (Pattern: Avoidant)](#embracing-ai-tools)
|
||||
9. [Optimizing Your Flow (Pattern: Augmented)](#optimizing-your-flow)
|
||||
10. [Case Study: Hybrid Learning Principles](#case-study-hybrid-learning-principles)
|
||||
11. [30-Day Progression Plan](#30-day-progression-plan)
|
||||
12. [For Tech Leads & Engineering Managers](#for-tech-leads--engineering-managers)
|
||||
13. [Red Flags Checklist](#red-flags-checklist)
|
||||
14. [Sources & Research](#sources--research)
|
||||
15. [See Also](#see-also)
|
||||
11. [Where Are You on the Agent Adoption Curve?](#where-are-you-on-the-agent-adoption-curve)
|
||||
12. [30-Day Progression Plan](#30-day-progression-plan)
|
||||
13. [For Tech Leads & Engineering Managers](#for-tech-leads--engineering-managers)
|
||||
14. [Red Flags Checklist](#red-flags-checklist)
|
||||
15. [Sources & Research](#sources--research)
|
||||
16. [See Also](#see-also)
|
||||
|
||||
---
|
||||
|
||||
|
|
@ -819,6 +820,35 @@ The combination of **human accountability + AI practice** beats either alone. Th
|
|||
|
||||
---
|
||||
|
||||
## Where Are You on the Agent Adoption Curve?
|
||||
|
||||
> **Audience**: Developers already using Claude Code who want to gauge their current sophistication — not beginners starting from scratch (use the 30-Day Plan below for that).
|
||||
|
||||
Before picking a learning path, locate yourself. Nicolas Martignole (Principal Engineer at Back Market) proposed a 6-level maturity scale in March 2026 that maps well onto practical Claude Code usage. The levels below are adapted from his framework, with the upper half (3-5) being where most of this guide's content lives.
|
||||
|
||||
| Level | Profile | Signal |
|
||||
|-------|---------|--------|
|
||||
| **0** | Never used AI dev tools | Using chatbots at most, nothing integrated in workflow |
|
||||
| **1** | Editor autocomplete | Cursor, Copilot, Windsurf — but no agent-level usage |
|
||||
| **2** | External LLM, copy-paste | ChatGPT or Claude in browser, pasting code manually into editor |
|
||||
| **3** | Claude Code basic user | Running Plan mode, simple prompts, reviewing everything manually |
|
||||
| **4** | Stage delegator | Handing off full development stages (research, architecture, implementation, tests) — writing less than 10% of code manually |
|
||||
| **5** | Context engineer | Designing CLAUDE.md, sub-agents, custom skills, MCP servers — building the environment for agents to operate in |
|
||||
| **6** | Orchestrator | Coordinating agent graphs, reinforcement loops, distributed agent systems |
|
||||
|
||||
**Quick self-placement questions:**
|
||||
|
||||
- Can you leave Claude Code running on a feature branch for 20+ minutes without checking in? → Level 4+
|
||||
- Do you write CLAUDE.md before starting a project, not after? → Level 5
|
||||
- Have you built a custom agent or hook in the last month? → Level 5-6
|
||||
- Is your primary output prompts and system design, not code? → Level 6
|
||||
|
||||
If you landed at Level 3 or below: the 30-Day Plan below is the right path. If you're at Level 4-6: skip to [Context Engineering](../core/context-engineering.md), [Agent Patterns](../../examples/agents/), or [MCP Ecosystem](../ecosystem/mcp-servers-ecosystem.md).
|
||||
|
||||
> Source: Nicolas Martignole, ["Découvrir les niveaux de maturité de l'adoption des coding agents"](https://www.touilleur-express.fr/2026/03/17/decouvrir-les-niveaux-de-maturite-de-ladoption-des-coding-agents), Le Touilleur Express, March 2026. Adapted and extended.
|
||||
|
||||
---
|
||||
|
||||
## 30-Day Progression Plan
|
||||
|
||||
A concrete path from wherever you are to augmented developer.
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ tags: [guide, reference, workflows, agents, hooks, mcp, security]
|
|||
|
||||
**Last updated**: January 2026
|
||||
|
||||
**Version**: 3.37.0
|
||||
**Version**: 3.37.1
|
||||
|
||||
---
|
||||
|
||||
|
|
@ -5166,7 +5166,7 @@ The `.claude/` folder is your project's Claude Code directory for memory, settin
|
|||
| Personal preferences | `CLAUDE.md` | ❌ Gitignore |
|
||||
| Personal permissions | `settings.local.json` | ❌ Gitignore |
|
||||
|
||||
### 3.37.0 Version Control & Backup
|
||||
### 3.37.1 Version Control & Backup
|
||||
|
||||
**Problem**: Without version control, losing your Claude Code configuration means hours of manual reconfiguration across agents, skills, hooks, and MCP servers.
|
||||
|
||||
|
|
@ -23482,4 +23482,4 @@ We'll evaluate and add it to this section if it meets quality criteria.
|
|||
|
||||
**Contributions**: Issues and PRs welcome.
|
||||
|
||||
**Last updated**: January 2026 | **Version**: 3.37.0
|
||||
**Last updated**: January 2026 | **Version**: 3.37.1
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue