claudemax runs autonomous AI agents that read your filesystem, run shell commands, edit files, fetch web pages, and spawn parallel subprocesses. Treat it accordingly.

In April 2026 Anthropic briefly blocked third-party agent frameworks (OpenClaw, claude-flow, others) from piping Pro/Max subscription limits through programmatic tools. The policy was reversed when Anthropic introduced a separate Agent SDK credit subcategory on Pro/Max plans (Pro $20, Max5x $100, Max20x $200) specifically allocated for programmatic uses including external tools.

claudemax routes 100% of provider calls through @anthropic-ai/claude-agent-sdk query(). The pool those calls draw from depends on the date:

• Today (pre-split era, until 2026-06-15): query() calls share the SAME 5-hour rolling subscription pool as the interactive claude REPL — confirmed by support.claude.com/en/articles/11145838 ("usage limits are shared across Claude and Claude Code"). The harness is era-aware and the cost-guard against the $100/$200 monthly Agent SDK credit is forward-compat only in this era.
• From 2026-06-15 onward (post-split era): query() calls move to a dedicated monthly Agent SDK credit pool ($20/$100/$200, billed at API list prices) per code.claude.com/docs/en/agent-sdk/overview and support.claude.com/en/articles/15036540. claudemax auto-switches by date; no config change needed.

cmax doctor surfaces the resolved era and which billing path is active. Override for dry-run testing via CMAX_BILLING_ERA=pre-split|post-split.

Users opt into the API-key billing path (CMAX_PLAN=api or ANTHROPIC_API_KEY set in env) explicitly. Default is subscription via Agent SDK credit.

1. Inspect setup.sh before piping to bash. It auto-installs tmux / qrencode / Tailscale via official package managers and downloads the official Tailscale install script. Review the file first.
2. Pin Claude Code version if you're on the Mode B Agent Teams experimental path — the API may shift.
3. Use --permission default on cmax run / cmax goal / cmax ask / cmax tdd when working in a repo where automated edits are risky — the v0.2.1 default is bypassPermissions (= Claude Code's --dangerously-skip-permissions), which runs unattended without approval prompts. --permission default restores per-edit prompts. --permission acceptEdits allows edits but prompts on Bash/shell.
4. Run claudemax inside a dev container or VM for untrusted goals. claudemax can read anything in the working directory, including files containing secrets.
5. Set CMAX_PLAN=api and use a scoped API key if you want strict cost control via Anthropic dashboard.
6. Use the cmax doctor budget guard — at > 90% of monthly Agent SDK credit, the router auto-demotes Opus → Sonnet for non-verify/non-spec packets. At > 95%, cmax run requires --force.
7. Install the dark-patterns hooks (waitdeadai/llm-dark-patterns) — the no-credential-leak-in-handoff hook blocks plaintext sk-* / ghp_* / AWS keys in agent task payloads, and no-approval-sneak blocks unapproved edits to sensitive paths (.env*, secrets/, .kube/, terraform/state/, .ssh/, .gnupg/, prod/).

• Sandbox isolation — claudemax does not run goals in a sandbox by default. Mode B uses Claude Code worktrees for write isolation, but reads are unconstrained. For untrusted code, run claudemax inside a Vercel Sandbox / Firecracker microVM / Docker container.
• API key rotation — if you commit an API key by accident, claudemax can't recover it for you. Use the dark-patterns no-credential-leak-in-handoff hook to catch this before push.
• Network egress filtering — claudemax doesn't restrict outbound calls. Use a network policy or proxy if you need to limit egress.
• Prompt-injection from fetched web pages — /deepresearch and /audit fetch URLs via WebFetch. Pages can contain prompt-injection payloads. The dark-patterns hooks help (especially no-phantom-tool-call and no-fake-cite), but a determined attacker can craft adversarial content. Treat anything claudemax surfaces from the web as untrusted input.

If you find a security issue in claudemax itself (not in a third-party dependency, not in Claude Code, not in Anthropic's API):

1. Do not open a public GitHub issue.
2. Email the maintainer privately (see the GitHub repo for the current contact address).
3. Include: reproduction steps, claudemax version (cmax --version), Node version, OS, and any logs from ~/.claudemax-state/ or the project's .claudemax/state/.
4. Allow up to 90 days for a fix before public disclosure.

For vulnerabilities in dependencies (Claude Code, @anthropic-ai/claude-agent-sdk, Tailscale, ntfy, etc.), report upstream to the respective project.

claudemax depends on:

• @anthropic-ai/claude-agent-sdk (Anthropic, official)
• better-sqlite3 (native bindings, compiled at install time)
• commander, kleur, zod (small, well-known)
• tmux / qrencode / tailscale (system packages; only installed via official package managers when you run setup.sh)

Native compilation happens at pnpm install time via the allowBuilds: { better-sqlite3: true, esbuild: true } opt-in in pnpm-workspace.yaml. Inspect pnpm-lock.yaml before installing if you need to audit the dependency tree.