Added by: blind-spot analysis (April 2, 2026) Technique: Full reads of bridge/ (31 files), remote/ (4 files), entrypoints/sdk/ (2 files), utils/swarm/ (all files)
Multi-agent coordination system using AsyncLocalStorage for context isolation.
- In-process teammates: Run within main process using
runWithTeammateContext() - Pane backends: tmux or iTerm2 for process-based teammates
- IPC: File-based mailbox at
~/.claude/teams/{teamName}/
- Workers send
permission_requestmessages via JSON files - Leader reads from mailbox, shows interactive prompt, writes response
- Worker polls every
PERMISSION_POLL_INTERVAL_MS = 500ms - Workers cannot self-approve — enforced by architecture
- Callback registration handles async resolution with cleanup functions
TEAM_LEAD_NAME = 'team-lead'- Lock retry: 30 attempts, 5-100ms exponential backoff (~2.6s max wait)
O_NOFOLLOWflag prevents symlink attacks (Unix-only)
- Plan mode approval flow: teammates forced to enter plan mode before implementation
- Conversation compaction: in-process teammates auto-compact long histories
- Idle notification:
createIdleNotification()tells leader when available - Task claiming: auto-claims unblocked team tasks for distribution
- Formatted messages as XML
<teammate-message>for transcript rendering
Two-tier dispatch connecting local CLI to claude.ai web interface.
- Environments API → Poll/Ack/Stop work items
- Session spawn from work item
- HybridTransport: WebSocket + POST fallback
- Exponential backoff reconnection (2s initial → 2min cap)
- Direct OAuth → POST /bridge
- Worker JWT + epoch for stale worker discrimination
- SSE stream + CCRClient write path
- Epoch counter prevents stale worker interference
| Token | Purpose | Refresh |
|---|---|---|
| OAuth | claude.ai login | Refresh on 401 |
| JWT session ingress | Session authentication | Proactive refresh 5min before expiry |
| Worker Epoch | Stale worker discrimination | Incremented per connection |
close <code>— Fire ws_closed with WebSocket codepoll <status> [type]— Inject poll failuresregister fail [N]/register fatal— Inject register failuresreconnect-session fail— Fail reconnectionheartbeat <status>— Inject heartbeat failurereconnect— Force reconnectstatus— Print bridge state
Bidirectional format translation between SDK messages (used by web UI) and local Claude Code format. Permission request mediation between bridge and local approval system.
- Check eligibility (policy gate → login → env availability → git → GitHub app)
- Create session via API
- Subscribe via WebSocket:
wss://api.anthropic.com/v1/sessions/ws/{id}/subscribe - Send events via HTTP: POST
/v1/sessions/{id}/events - Poll for results with 100-event pages, backward iteration
CCR_PROXY_PATH_MARKERS = [
'/v2/session_ingress/shttp/mcp/',
'/v2/ccr-sessions/',
]Extracts mcp_url query param from proxy URLs to recover original vendor endpoints.
query()— Primary query functionunstable_v2_createSession()— Session creation (unstable API)- Session management utilities
Generated TypeScript types from Zod schemas defining:
- Control protocol for permission/model/interrupt requests
- Tool input/output schemas
- Message format schemas
- Event stream schemas
Validation gap: TODO — validate input types with zod at line 136. MCP tool inputs currently NOT validated.
Hardened execution environment for cloud-hosted sessions:
- Read session token from
/run/ccr/session_token prctl(PR_SET_DUMPABLE, 0)— block ptrace heap scraping- Download CA certificate from
/v1/code/upstreamproxy/ca-cert - Start local CONNECT→WebSocket relay
- Unlink token file (token remains heap-only)
- Inject
HTTPS_PROXYandSSL_CERT_FILEenvironment variables
5 transports: stdio, sse/http/ws, sdk, claudeai-proxy
Configuration scope priority:
local(highest)projectuseruserSettingspolicySettingsenterpriseclaudeaidynamic(lowest)
Duplicate detection via dedup signature across sources. Atomic writes: temp file → datasync → chmod → rename.