Four research threads converge on a single structural insight: the description field is the universal interface contract for every extension layer in Claude Code. It is the activation signal in SKILL.md [1], the tool-selection mechanism in MCP server schemas [2], and the dispatch signal for subagent auto-invocation in the Agent SDK [3]. Getting a description wrong is not a documentation problem — it is a routing failure that compounds across every session. The session should open here and make participants write one before the first break.
Progressive disclosure is the architecture, not a style choice. Skills carry ~100 tokens at startup (name + description only); the body loads only when the skill is relevant [4]. MCP Tool Search (Jan 2026) applies the same principle to tool schemas: names enter context at startup, full definitions defer until searched — reported savings up to 95% in startup token cost [5], recovering 13,200+ tokens in measured sessions [6]. Subagent descriptions front-load the routing decision so the spawn prompt never enters context unless the parent decides to dispatch. The pattern is consistent; the session should treat it as a first-class design principle, not an optimization tip. The corollary: CLAUDE.md loads unconditionally; everything that can be a Skill should become one. Keep CLAUDE.md under 200 lines.
The client-side MCP primitives are the session’s highest-leverage underused content. Sampling, elicitation, and roots are what the audience’s mental model of MCP likely omits, because every “hello tool” tutorial shows only the three server-side primitives [7]. Elicitation (typed execution gates, structured user input) is operationally the most valuable — replacing fragile multi-turn loops with schema-validated JSON back from a native form [8]. However, the spec and the implementations are out of sync: elicitation shipped in the June 2025 spec, but as of June 2026 Claude Code and Claude Desktop support neither elicitation nor sampling [9]. VS Code (GitHub Copilot) supports both. This is a live contradiction worth naming in the session. Sampling faces additional pressure: the 2026-07-28 draft RC (SEP-2577) proposes deprecating it in favour of direct provider API calls.
The security thread from session 1 lives inside every description field you write or consume. Tool poisoning is prompt injection via the tool manifest: an attacker embeds directives in a description field; the LLM treats the manifest as authoritative and executes the embedded instructions alongside the legitimate call, with the user seeing expected output [10]. The rug-pull variant (a trusted tool updated post-approval) is especially insidious because manifests are not version-locked at install time. The MCPTox benchmark measured attack success rates above 60% across popular agents, highest 72% [11]. A 2026 disclosure found ~200,000 vulnerable MCP instances [12]. The defences — manifest pinning and signing, allowlists with version locks, semantic content scanning before consumption — are the authoring craft side of the security thread. This connects directly to session 1 and makes the two sessions feel like a coherent arc.
Headless/SDK operation has a June 15, 2026 billing boundary that teams need to plan around. claude -p --bare is the correct CI invocation — --bare skips all local config discovery and produces identical results across machines [13]. It will become the default for -p in a future release; CI pipelines without it are running on borrowed time. The Agent SDK monthly credit ($20–$200/user depending on plan tier) separates from interactive limits on June 15 [14]. Enterprise deployments average ~$13/dev/active day, $150–250/dev/month; agent teams (parallel Claude instances) use ~7× more tokens than standard sessions [15]. These numbers give the audience a forcing function: token budget discipline is not academic — it is what determines whether the tooling is sustainable at team scale.
The sharpest open question this expedition leaves: the 2026 MCP roadmap removes stateful session IDs to enable stateless horizontal scaling [16], and the Tasks extension (SEP-1686) enables async agent-to-agent communication via MCP. When agents become both MCP clients and MCP servers in the same pipeline, what does the tool-poisoning threat model look like? The defences developed for human-to-agent flows may not compose cleanly when the “user” approving a manifest is another agent.