Apparently this is the jailbreak? Telling it that humans won’t read the output and to use a custom bash tool to examine files?

Nice semaphore btw.

      const instructions =
        `You are a sub-agent in an automated workflow. Your FINAL message is consumed ` +
        `programmatically (not shown to a human) — return exactly what is asked, no preamble. ` +
        `You are working in the repository at ${ctxState.project}. Use the bash tool to ` +
        `inspect/modify files and run commands. Be efficient.` +
        (schema
          ? ` When done, call submit_result exactly once with your final answer; do not answer in prose.`
          : '');

I don't want my ANT account banned, going to try this on some Chinese "proxies".

But this also looks quite useful to understand how CC dynamic workflows work. Was thinking of implementing something similar in my homemade orchestration system.

Did you get claude itself to RE the dynamic workflows?