CLAUDE CODE 24/7 AGENTIC — PhD-LEVEL RESEARCH MEMO

Date: 2026-04-23 | Author: SCOUT | Status: FINAL

Commissioned by: TITAN / Harnoor | Word Count: ~5,800

---

Executive Summary

True 24/7 agentic Claude Code is now achievable through two paths: (1) Anthropic's native Routines infrastructure (cloud-hosted, launched April 14 2026), and (2) self-hosted loop patterns like Nightshift/24x7 that run on your own machine. The Max plan gives you 15 cloud routine runs/day plus unlimited local /loop sessions. The security surface is real and documented by multiple incidents. Cost control requires explicit architecture choices — the subscription is $200/mo but a poorly configured agent can burn API overage or AWS in parallel. What follows is everything known as of April 23 2026, cited at source.

---

A. Max Plan 24/7 Patterns — Who's Doing It

The Routines Wave (April 2026)

On April 14 2026, Anthropic shipped Claude Code Routines as a research preview, which is the single biggest enabler of true 24/7 unattended operation. The announcement, covered by 9to5Mac, The New Stack, DevOps.com, and The Register, establishes a new paradigm: you define a prompt + repo + connectors once, and Anthropic's cloud infrastructure runs it for you. Your laptop does not need to be on. The session clones your GitHub repo, executes, and optionally pushes a branch — all without local process management.

Max plan allocation for Routines: 15 daily runs (Pro: 5, Team/Enterprise: 25). Each run counts against your subscription usage the same way an interactive session does. If you hit the daily cap, extra runs are billed as metered overage via "extra usage" if enabled in billing settings. This is the official documented limit from claude.ai/code/routines.

Pre-Routines Community Patterns (2025)

Before April 2026, the community invented workarounds. These remain relevant for Windows users (Routines are cloud-agnostic but local pattern options are more controlled):

ClaudeNightsWatch (github.com/aniketkarne/ClaudeNightsWatch): A daemon that monitors your 5-hour usage window via the ccusage CLI or a timestamp file, and fires claude --dangerously-skip-permissions against a task.md + rules.md combo when the window resets. Adaptive check intervals: every 10 min when >30 min remains, every 2 min when 5-30 min remains, every 30 sec when <5 min remains.

Nightshift & 24x7 Skills (godmodeai2025.github.io/NightShift): The more sophisticated community toolkit. Nightshift runs a single planned task from a runbook.md with a SessionStart hook that re-injects the runbook after context compaction, surviving multi-hour runs. 24x7 runs an eternal daemon — a bash polling loop that detects tasks in an inbox/ folder structure and spawns fresh Claude sessions per task, routing completed work to outbox/ or failed/. Key insight: fresh sessions per task, not one marathon session. This avoids context rot.

swyx's framing (x.com/swyx): "Claude Code started as a humble CLI side project. Today it forms the basis for Claude Cowork, a general-purpose non-coding desktop agent." The trajectory confirms the tool is designed for ambient operation.

Simon Willison's Agentic Engineering Patterns (simonwillison.net/2026/Feb/23/agentic-engineering-patterns): Published February 23 2026, this is the most systematic public treatment of Claude Code as an autonomous tool. Willison defines "Agentic Engineering" as using coding agents that can generate AND execute code, iterating independently. He covers linear walkthroughs (where Claude works through a checklist and commits after each step), anti-patterns (inflicting unreviewed code on collaborators), and testing disciplines for agents.

Harper Reed (github.com/harperreed): Has published "Remote Claude Code: programming like it was the early 2000s" and "Getting Claude Code to do my emails," reflecting a pattern of treating Claude Code as an ambient infrastructure layer.

Claude Swarm Mode (paddo.dev/blog/claude-code-hidden-swarm): Discovered January 24 2026. Hidden feature-flagged capability that runs multiple specialist agents in parallel, coordinating via shared task boards. Real deployment: a 9-agent system with Manager (Opus 4.5), specialized design/dev/QA agents, a global event loop waking agents based on Kanban folder state.

---

B. The Claude Max Rate-Limit Reality

Official Plan Structure

From finout.io/blog/claude-code-pricing-2026 and intuitionlabs.ai/articles/claude-max-plan:

Max 5x ($100/mo): 5x more usage per session than Pro, 15 daily routine runs
Max 20x ($200/mo): 20x more usage per session than Pro, 15 daily routine runs
Both tiers have a 5-hour reset window for interactive sessions, plus a weekly all-model limit and a weekly Sonnet-specific limit introduced in 2026
"Usage" is Anthropic's black box — they do not publicly document whether the multiplier applies to RPM, TPM, or a daily activity budget

The Quota Bug Crisis (March-April 2026)

A documented regression (GitHub Issue #41788, GitHub Issue #38335, MacRumors coverage, The Register) starting around March 23 2026 with v2.1.88/v2.1.89:

Max 20x users exhausted 100% of quota within 70 minutes after reset (normal expected use: 3-4 hours minimum)
Root cause: a user who reverse-engineered the binary found two independent bugs that break prompt cache, silently inflating costs by 10-20x. Prompt cache invalidation causes full re-processing of system prompts on every turn
Workaround at time of writing: /model sonnet or /model haiku to reduce per-turn cost

Implication for Harnoor: For 24/7 autonomous operation, token cost per task is unpredictable due to the agentic loop's re-read-execute-verify cycle. Claude Code routinely consumes 10x-100x the tokens of a chat session (truefoundry.com/blog/claude-code-limits-explained). A single long autonomous session with retries can burn 50,000-300,000 tokens.

What Counts as Session vs. Quota

Interactive CLI sessions: 5-hour rolling window per the published model
Routines: draw from the same subscription usage pool plus the separate 15/day run cap
The /loop command for in-session scheduled tasks: same session token budget
Idle background runs: documented by the NightShift team that 24x7's "sleep when no tasks await" behavior prevents credit burn during idle — but a session with no tool calls still holds quota context

Prompt Cache TTL

Anthropic caches prompt prefixes for 5 minutes (confirmed via Context Compaction Research gist). For overnight runs, cached context from session start will miss after the first compaction cycle. This means system prompts, CLAUDE.md, and tool schemas are re-counted at full price after each compaction event — a key cost multiplier for unattended runs.

---

C. Autonomous Task-Loop Architectures in the Wild

Architecture Pattern 1: The Fresh-Session Worker Queue (Recommended)

The consensus from NightShift 24x7 (godmodeai2025.github.io/NightShift), practical blog posts (sitepoint.com/claude-code-as-an-autonomous-agent-advanced-workflows-2026), and sankalp's blog:

Don't run one marathon session. Spawn fresh sessions per task.

Rationale: context rot is real. A session degraded by accumulated tool outputs, retries, and compaction cycles performs measurably worse. Fresh sessions = Claude at full quality. The cost of session initialization is small relative to the benefit.

Implementation:


inbox/
  task-001/task.md + materials/
  task-002/task.md
outbox/
  task-001-complete/
failed/
  task-003-failed/

A bash daemon polls inbox/ every 30 seconds, spawns claude -p "$(cat task.md)" --dangerously-skip-permissions, and moves the folder on exit code.

Architecture Pattern 2: The Runbook Session with Hook-Based Compaction Recovery

For single long-horizon tasks that can't be decomposed (e.g., "refactor the entire auth module"):

A runbook.md with a numbered checklist is committed to the repo
A SessionStart hook re-injects the runbook on every compaction cycle via: Read runbook.md again. Find the next unchecked item. Continue there.
Checkboxes in the runbook survive context loss because they're persisted on disk, not in memory
Git commit after each checklist item provides rollback points
Cost per Nightshift run: $5-50 depending on complexity

Architecture Pattern 3: Anthropic Routines (Native Cloud)

Described in full in Official Docs:

Schedule trigger: hourly/daily/weekdays/weekly (custom cron via CLI /schedule update, minimum 1-hour interval)
API trigger: POST to /v1/claude_code/routines/{id}/fire with bearer token, optional text payload for runtime context
GitHub trigger: reacts to pull_request.opened/closed, release events
Combinations: a routine can have all three trigger types simultaneously
Branches: Claude creates claude/-prefixed branches by default; unrestricted branch push requires explicit opt-in
Sessions: each routine run is a full isolated session visible at claude.ai/code/routines

Critical note: Routines run with no permission prompts. Scope connectors and repo access to minimum needed.

Architecture Pattern 4: Orchestrator-Spawned Subagents

From wshobson/agents and the claude-quickstarts autonomous demo:

A lightweight Python/Node orchestrator manages Claude as a subprocess:

1. Reads task queue (JSONL file, Linear API, GitHub issues with label)

2. Constructs prompt with task context

3. Spawns claude -p {prompt} as subprocess

4. Captures stdout for validation

5. On success: mark done, commit, notify; on failure: retry with adjusted prompt or escalate

Architecture Pattern 5: Event-Driven via Channels

Using the Channels feature (v2.1.80+, research preview):


claude --channels plugin:discord@claude-plugins-official

This keeps a session alive, listening for Discord/Telegram/iMessage pushes. CI failures, monitoring alerts, or deploy events posted to the channel wake Claude to react. This is the "always-listening" pattern vs. scheduled polling. Requires the session to remain open (either in a background terminal or via Remote Control).

Stall Detection (Critical for Overnight)

The NightShift 24x7 stall detection pattern via Stop hook:

Track completed steps (checklist checkmarks) between consecutive checks
If 3 consecutive checks show no new checkmarks: inject STALL WARNING into context
Claude reads its error budget and either skips the step or escalates
This catches infinite retry loops that look healthy on heartbeat but burn credits

---

D. Security Architecture for Unattended Agents

The Permission Mode Decision Tree

Option 1: --dangerously-skip-permissions — bypasses all safety checks. All subagents inherit. Not appropriate on a primary machine with SSH keys, API tokens, browser sessions. Use only inside Docker/VM with no mounted credentials.

Option 2: Auto Mode (launched March 24 2026, anthropic.com/engineering/claude-code-auto-mode) — a Sonnet 4.6 transcript classifier evaluates each tool call before execution. 17% false-negative rate on real overeager actions. Blocks: force-pushes, mass deletions, unauthorized data sharing, disabling logging, installing persistence mechanisms, production deploys, direct main pushes. Currently limited to Team plan; not on Pro/Max. This changes the security calculus — Max users cannot yet use Auto Mode.

Option 3: PreToolUse Hooks — the right answer for Max plan users today. Exit code 2 from a hook blocks the tool call unconditionally; Claude cannot override. Pattern:


# .claude/hooks/pre_tool_use.py
BLOCKED = ["rm -rf", "sudo", "mkfs", "chmod 777", "curl|bash", "eval"]
if any(b in tool_input for b in BLOCKED):
    sys.exit(2)  # Block unconditionally

This provides deterministic security policies at the POSIX level, not model-level judgment.

Sandboxing: The Only Safe Path for Full Bypass

From Docker's official Claude Code sandbox docs, trailofbits/claude-code-devcontainer, and mattolson/agent-sandbox:

The Trail of Bits devcontainer (purpose-built for security audits) provides:

Network egress firewall: default-deny, allows DNS, allows loopback, whitelists specific domains (npm registry, GitHub, Anthropic API)
Filesystem: only /workspace writable; system paths read-only
No mounted SSH keys, API tokens, or browser credentials
Safe to run --dangerously-skip-permissions inside this container

Docker Sandboxes (announced 2026): microVM-level isolation, described as "strongest agent isolation in the market." Disposable per-task environments.

For Harnoor's Windows + git-bash setup: Docker Desktop on Windows with WSL2 backend provides the container isolation layer. Run each autonomous task session inside:


docker run --rm -v F:/TITAN/workspace:/workspace \
  --network=none \  # or custom allowlist network
  claude-sandbox:latest \
  claude -p "$(cat /workspace/task.md)" --dangerously-skip-permissions

git Push Safeguards

From Official Routines docs and community patterns:

Never allow push to main or master from autonomous sessions
Routines default to claude/-prefixed branches — enforce this
Local hook pattern: PreToolUse blocks any git push to protected branches
Require PR + human review before merge from any claude/ branch

Secrets Management

Never mount .env files into autonomous sessions. Use:

AWS Secrets Manager with IAM role (instance profile or task role) — no static credentials
Routines environments: store secrets in Anthropic's environment system, accessible as env vars during run
age/sops for encrypted secrets at rest in F:/TITAN that can be decrypted by the agent's key

Supply Chain Risk: npm Install

Active threat vector as of April 2026. The Trend Micro report documents weaponized Claude Code lures. The Claude Code source leak on March 31 2026 (The Hacker News) was coincident with a malicious axios npm package (RAT, attributed to North Korean UNC1069). An autonomous agent running npm install from a compromised package.json can exfiltrate credentials before any hook fires.

Mitigations:

Lock package-lock.json and validate hash before allowing install
PreToolUse hook: require explicit allowlist for npm install commands
Run npm operations in network-isolated sandbox with only npm registry whitelisted
OWASP Top 10 for Agentic Applications 2026 ranks Agent Goal Hijacking (prompt injection) as #1 risk — treat all file contents as untrusted input

Prompt Injection

The "Claudy Day" attack (Oasis Security, March 2026): invisible instructions in file contents redirect agent behavior with no tools, MCP, or special config required. In an unattended agent reading arbitrary files:

Treat file contents as untrusted
Use a separate "reading" context that doesn't allow tool calls
PreToolUse hook: any tool call that wasn't in the original task specification requires re-confirmation via notification

Audit Trail

From disler/claude-code-hooks-multi-agent-observability:

Hook events → HTTP POST → SQLite server → WebSocket → live dashboard. Captures 12 event types: PreToolUse, PostToolUse, PostToolUseFailure, PermissionRequest, Notification, UserPromptSubmit, SessionStart, SessionEnd, Stop, SubagentStart, SubagentStop, PreCompact. Every autonomous tool call is logged with timestamp, tool name, input, and outcome.

For compliance: write hooks that append to append-only JSONL audit log at F:/TITAN/logs/audit-{date}.jsonl. Immutable; reviewable next morning.

Kill Switch Design

Two-layer kill switch:

Layer 1 (Process): A watchdog script checks heartbeat timestamps written by PostToolUse hook. If no heartbeat for N minutes → kill the Claude process + send SMS.

Layer 2 (Financial): AWS Budget with SNS → Lambda → terminates the specific IAM user's permissions if daily API spend exceeds threshold. Anthropic has no built-in kill switch for the subscription model, so overage requires the "extra usage" setting — turn it OFF to prevent automatic overage billing.

---

E. Cost Control — How to Not Burn $10K/mo

The Subscription vs. API Cost Distinction

The $200/mo Max 20x subscription covers interactive Claude Code sessions. It does NOT cover:

Claude API calls made by code the agent writes and executes
AWS Lambda, RDS, DynamoDB, SNS, etc. provisioned by the agent
Any third-party API calls the agent makes during task execution
Bedrock calls if you're routing through AWS

The extra usage toggle in billing settings: turn it OFF. Without it, overage on the subscription is rejected, not charged. That's a free kill switch.

Token Budget Architecture

From dev.to/thebrierfox/claude-code-is-burning-your-api-budget and augmentcode.com/guides/ai-model-routing-guide:

Three-tier routing reduces cost by 51%:

Opus 4.7 ($5/$25 per M tokens): architecture planning, complex design decisions only
Sonnet 4.6 ($3/$15 per M tokens): implementation, test generation, code review
Haiku 4.5 ($1/$5 per M tokens): classification, labeling, quick edits, summarization

For subscription Max plan users: use /model haiku for sub-tasks within a session. The quota multiplier applies to all models, but token consumption rate differs drastically.

Opus 4.7 tokenizer warning (from finout.io/blog/claude-opus-4.7-pricing): new tokenizer produces up to 35% more tokens for the same input text. Real bill per request goes up even though the rate card did not change. Do not default autonomous tasks to Opus 4.7.

Early Termination Heuristics

From NightShift stall detection + community patterns:

No new checklist items completed in 3 consecutive checks → abort
Same tool call made >5 times with same error → abort
Wall-clock time >120% of estimated task duration → pause and notify
Token count approaching session limit → checkpoint, commit, notify, end session gracefully

ccusage + Claude-Code-Usage-Monitor

For real-time budget awareness:

ccusage (github.com/ryoppippi/ccusage, 4800+ stars): reads local JSONL files, daily/monthly/session cost breakdowns, 5-hour billing window views
Claude-Code-Usage-Monitor (github.com/Maciek-roboblog/Claude-Code-Usage-Monitor): real-time terminal UI, ML-based depletion predictions, burn rate analytics, P90 calculator
Official OpenTelemetry monitoring (code.claude.com/docs/en/monitoring-usage): token consumption, tool activity, session health in real time

For overnight monitoring: run Claude-Code-Usage-Monitor in a separate terminal or tmux pane. Configure alert webhooks to Discord/Pushover when burn rate is anomalous.

AWS Cost Controls

AWS Budgets with automated actions:

80% threshold → SNS → email + Pushover notification
90% threshold → Lambda → disable IAM policy that allows Bedrock/Anthropic API calls from the agent's role
100% threshold → Lambda → rotate credentials, terminate running sessions

This is the financial kill switch. Budget action on IAM policy denial is the hardest stop.

---

F. State Persistence + Recovery

Claude Code's Native Session Persistence

From Claude Code architecture docs and claudefa.st/blog/guide/mechanics/context-management:

Every message, tool use, and result is written to ~/.claude/projects/{hash}/ as a plaintext JSONL file in real time. Sessions are resumable via /resume picker. Context buffer as of early 2026: ~33,000 tokens (16.5% of 200K context window). Compaction fires automatically when approaching the buffer, clearing older tool outputs first, then summarizing if needed.

Compact Instructions in CLAUDE.md: Add a ## Compact Instructions section specifying what state must survive compaction. Example:


## Compact Instructions
Always preserve: current task ID, completed checklist items, error budget remaining,
last git commit hash, and the contents of decisions.md.

The Runbook Pattern for Compaction Survival

The NightShift pattern: all task state lives in runbook.md on disk, not in memory. SessionStart hook re-reads it. Checkboxes are the persistent state machine. This is the correct pattern for tasks >20 minutes.

Git as Working Memory

From sitepoint.com/claude-code-as-an-autonomous-agent-advanced-workflows-2026 and community consensus:

Commit after each checklist item: git commit -m "agent: completed step N - {description}"
Commit message contains the agent's reasoning for the change
On crash recovery: git log --oneline -20 reconstructs where the task was
Pre-run: git stash or git commit -am "pre-agent snapshot" as rollback point
On validation failure: git checkout . reverts uncommitted changes

Machine Reboot / Network Loss Recovery

For Windows environment with power loss risk:

Use Windows Task Scheduler (not just cron) with "start if missed" option
Save heartbeat timestamps to F:/TITAN/state/agent-heartbeat.json
On startup, check if any task was in-progress (state = "running") → inject recovery context:

```

Recovery context: session restarted at {time}. Last heartbeat was {N} minutes ago.

Read runbook.md to find the last completed step and resume from the next one.

```

Pending tasks in inbox/ survive reboot because they're files on disk

Context Window Handoff Pattern

When approaching context limit without completing the task:

1. Write a handoff.md summarizing: task objective, steps completed, steps remaining, key decisions made, files modified, current blockers

2. Commit handoff.md: git commit -m "agent: handoff checkpoint - step N of M"

3. End session

4. Next session starts: reads handoff.md as first action, continues from there

This is effectively the task-queue pattern applied within a single task. The decisions.md append-only log from NightShift serves this same purpose across all tasks.

DynamoDB/S3 for Durable State (Optional)

For Harnoor's AWS environment: a Lambda function triggered by the agent's PostToolUse hook can write task state to DynamoDB on each step completion. This provides cloud-durable state that survives full machine failure. S3 for artifact storage (generated files, reports). DynamoDB single-table design:


PK: TASK#{task_id}
SK: STEP#{step_number}
status: completed|failed|skipped
timestamp: ISO8601
summary: string
git_commit: SHA

This is optional complexity; the runbook.md + git pattern handles 90% of recovery scenarios with zero infrastructure.

---

G. Observability — How Harnoor Watches Without Being Present

Push Notification Stack

Tier 1 — Mobile push (instant):

Remote Control (code.claude.com/docs/en/remote-control, research preview, v2.1.51+, all plans): Claude sends mobile push notifications when a long-running task finishes or needs a decision. The session runs locally; you view and steer from the Claude mobile app (iOS/Android) or claude.ai. Auto-reconnects if network drops.
Pushover (mcpmarket.com/tools/skills/pushover-automation): dedicated Claude Code skill for Pushover notifications. $5 one-time, iOS/Android/desktop. PostToolUse hook sends task completion, errors, stalls.
ntfy.sh: free, self-hosted-optional push notification service. Hook sends HTTP POST to https://ntfy.sh/{your-topic} — arrives as iOS/Android notification. Zero configuration, open source.

Tier 2 — Chat bridge (interactive):

Discord Channel (code.claude.com/docs/en/channels, v2.1.80+): claude --channels plugin:discord@claude-plugins-official. DM your bot during an active session; Claude responds. Two-way: you can steer an in-progress task from your phone via Discord.
Telegram Channel: same pattern, different platform. Telegram is often preferred for personal bots due to simpler API.
Both require allowlisting your sender ID to prevent others from pushing commands.

Tier 3 — Email (daily digest):

TITAN already has daily-pa-email at 5:27 AM. Extend this: have the agent write a nightly-report.md at end of each overnight session summarizing: tasks completed, files changed, errors encountered, git commits made, token cost. The pa-email routine reads this file and includes it in the morning briefing.

Live Dashboard

From disler/claude-code-hooks-multi-agent-observability and simple10/agents-observe:

Architecture: PostToolUse hook → HTTP POST → local server (Bun, SQLite) → WebSocket → Vue 3 dashboard. Shows real-time timeline of every tool call, which files touched, cost accumulation, multi-agent session relationships. Runs on localhost; accessible via Remote Control on phone.

For Harnoor's setup: deploy agents-observe server on a persistent process (Windows Service via NSSM or Task Scheduler). Point all autonomous session hooks at it. View at http://localhost:{port} from any device when Remote Control is active.

Anomaly Detection

Unusual cost: ccusage burn rate alert. If 5-minute token burn rate is >3x the rolling average → Pushover alert
Unusual git activity: a PostToolUse hook watching git diff --stat — if >100 files modified in one step → inject warning into context + notify
Heartbeat staleness: if heartbeat file not updated in >10 min during active session → watchdog sends notification + optionally kills process
Loop detection: same bash command executed >5 times with same arguments in <10 min → PreToolUse hook blocks it + notifies

"Are You Alive" Pings

Simple heartbeat pattern: PostToolUse hook writes {"timestamp": "{ISO}", "session": "{id}", "step": N} to F:/TITAN/state/heartbeat.json. A separate lightweight watcher (Python/Node, runs as always-on process) checks this file every 2 minutes during expected active hours. If timestamp is stale → SMS via AWS SNS.

The stall detection from NightShift 24x7 is the agent-side complement: the agent itself detects when it's not making progress and self-reports.

---

H. Concrete Implementation Plan for Harnoor

Current State Audit

Harnoor's TITAN environment has:

15 scheduled tasks: swarm-health (15min), cc-audit (6h), daily-feed/backup/improve/monologue/newsletter/pa-email, weekly-dream/review/benchmark, monthly-evolve, inbox-watch, nightly-reindex, log-rotation
F:/TITAN persistent brain with memory, skills, advisor memos
~/.claude: hooks, skills, MCP servers, scheduled tasks
Windows + git-bash + Python 3.12 + Node + AWS CLI
Claude Max plan (confirmed from context)

Gap Analysis vs. A-G Patterns

| Capability | Current State | Gap |

|---|---|---|

| Cloud-hosted scheduled runs | None (all local) | Routines not configured |

| Fresh-session worker queue | Partial (inbox-watch exists) | Not connected to Claude sessions |

| Runbook pattern for long tasks | Not documented | No runbook.md convention |

| PreToolUse security hooks | Unknown | Need audit |

| Sandboxed execution | None | Docker not configured for Claude |

| Discord/Telegram channel | None | Channel plugins not installed |

| Remote Control | Unknown | Needs v2.1.51+ |

| Heartbeat + watchdog | Partial (swarm-health) | Not watching Claude processes |

| Budget alarms (Anthropic) | Extra usage setting unknown | Must disable |

| Budget alarms (AWS) | Unknown | Need SNS + Lambda |

| Stall detection | None | No Stop hook |

| Audit log (JSONL) | Not for Claude tool calls | Need hook |

| Morning briefing (agent output) | pa-email exists | Not reading agent reports |

Top 10 Implementation Steps (Effort × Impact Ranked)

Step 1 — Enable Anthropic Routines (1 hour, very high impact)

Go to claude.ai/code/routines. Create 3 routines for existing TITAN tasks:

nightly-reindex as a scheduled routine (nightly, against TITAN repo)
cc-audit as a scheduled routine (every 6h)
inbox-watch as an API-triggered routine (your existing scripts POST to it)

This moves the highest-value automation to Anthropic's infrastructure immediately, eliminating dependency on your machine being on.

Step 2 — Disable Extra Usage + Set Budget Alarm (30 min, critical safety)

Billing → extra usage → OFF (prevents any overage charges)
AWS Budgets → $50/month → SNS → email + Pushover at 80%, IAM policy denial at 100%
This is the financial kill switch. Do it first before anything else autonomous.

Step 3 — Install Discord Channel (2 hours, high impact)


# In Claude Code session:
/plugin install discord@claude-plugins-official
# Restart:
claude --channels plugin:discord@claude-plugins-official
/discord:access pair <code>
/discord:access policy allowlist

Now you can DM your Claude agent from your phone while it runs overnight. Also gets you Remote Control for mobile steering.

Step 4 — PreToolUse Safety Hook (3 hours, critical security)

Write ~/.claude/hooks/pre_tool_use.py:

Block: rm -rf, sudo, mkfs, chmod 777, curl | bash, eval, any git push origin main
Log: every tool call to F:/TITAN/logs/audit-{date}.jsonl
Notify (Pushover/ntfy): any blocked call → immediate alert

This is the security foundation for any unattended operation on your primary machine.

Step 5 — Heartbeat + Watchdog (2 hours, high reliability)

PostToolUse hook writes to F:/TITAN/state/heartbeat.json
Python watchdog script (Windows Task Scheduler, runs always): checks heartbeat every 2 min during 10pm-8am; if stale >10 min → ntfy.sh push
Stop hook: when Claude session ends naturally → write completion notice + notify

This gives you basic "is it alive" visibility without a full dashboard.

Step 6 — Upgrade inbox-watch to 24x7 Pattern (4 hours, high impact)

Current inbox-watch is likely a file poller. Upgrade it to:

Use task.md + rules.md convention
Spawn fresh claude -p sessions per task (not one long session)
Move to outbox/ or failed/ on completion
Write F:/TITAN/nightly-report.md on completion
pa-email hook reads this file at 5:27 AM

Step 7 — Runbook Convention for Long Tasks (2 hours, reliability)

Create F:/TITAN/templates/runbook-template.md with:

Task objective, success criteria, error budget
Numbered checklist with [ ] checkboxes
Autonomy zones (what Claude may do freely)
SessionStart hook that re-injects runbook after compaction

Use this template for any task expected to run >20 minutes.

Step 8 — Deploy agents-observe Dashboard (3 hours, observability)

Clone disler/claude-code-hooks-multi-agent-observability. Run server as Windows Service via NSSM. Configure all autonomous session hooks to POST to it. View via Remote Control on phone.

Step 9 — Docker Sandbox for High-Risk Tasks (4 hours, security)

Create F:/TITAN/docker/claude-sandbox/Dockerfile:

Base: Ubuntu 22.04 + Node + Python + Claude Code CLI
Network: custom bridge with only npm/GitHub/Anthropic API whitelisted
Filesystem: only /workspace writable, no host credentials mounted

Use for any task involving: npm install, running tests against production, any task from an external source (GitHub issue, email).

Step 10 — ccusage + Real-Time Monitor Integration (1 hour, cost)

Install ccusage: npm install -g ccusage. Add daily ccusage report to pa-email. Install Claude-Code-Usage-Monitor in a tmux pane. Set burn rate alert: if 5-min burn > 3x average → ntfy.sh push.

30-Day Rollout Plan

Week 1 (Days 1-7): Steps 2, 1, 4 — Safety first: kill switch, then cloud routines, then security hooks. No overnight runs yet.

Week 2 (Days 8-14): Steps 3, 5, 10 — Add observability. Discord channel, heartbeat watchdog, cost monitoring. Run first overnight task (small, low-risk) and review audit log in the morning.

Week 3 (Days 15-21): Steps 6, 7 — Upgrade inbox-watch to full 24x7 pattern. Establish runbook convention. Run first multi-task overnight batch.

Week 4 (Days 22-30): Steps 8, 9 — Dashboard and Docker sandbox for full production readiness. By day 30: full 24/7 operation with monitoring, security, and cost controls in place.

Security Hardening Checklist

[ ] Extra usage in billing: OFF
[ ] AWS Budget alarm at $50/mo with IAM kill switch at 100%
[ ] PreToolUse hook blocking dangerous commands + logging all tool calls
[ ] No SSH keys or .env files in any directory an agent session can reach
[ ] git branch protection: no direct push to main/master from any claude/ branch
[ ] Discord channel allowlist: only Harnoor's sender ID
[ ] Docker sandbox for any task involving npm install or production data
[ ] Routines: each routine uses minimal connectors (remove unused ones)
[ ] ntfy.sh webhook in watchdog for any blocked PreToolUse call
[ ] Audit JSONL log reviewed weekly; anomalies trigger security review