Skip to main content
XOR
[SESSION TRANSFER]

Secure Agent Handoff via Repository Rules

Hand off a live Claude Code session between engineers without cloud sync. Rules, hooks, and subagents travel through the repository; the teammate runs as themselves.

Why git is the transport layer

The governance surface already lives in the repository. Rules, hooks, and subagents are tracked files, so they load on any machine that clones the branch. The teammate inherits the same guardrails without a setup script.

Blast radius of remote-control

A remote-control URL lets the receiver type into your filesystem using your credentials. Actions attribute to you in git, in audit logs, and in any connected automation. Git-mediated handoff avoids this by construction.

The compounding review gate

Teams add a reviewer subagent that fires before any new file is written. It searches for existing implementations, checks for ghost code, and verifies referenced modules exist. Because the gate is in the repo, every teammate runs the same checks.

4
Steps to hand off a live agent session
0
Cloud sync primitives in the CLI
git
The only transport that carries rules

[AGENT OPERATIONS]

Handing off a live agent session is a git problem, not a slash-command problem

Claude Code CLI sessions live as JSONL files on a single engineer's laptop. There is no cloud sync. No shared inbox. No "transfer to teammate" button. When one engineer needs to pass a live session to another, the repository is the only transport layer that also carries the governance rules both sides depend on. See agent governance for the broader policy context.

Why remote-control is not a handoff

Claude Code ships three remote primitives. None of them transfer a session between two humans. Knowing what each one actually does prevents the obvious mistake of trying to bolt a handoff onto a tool that was built for something else.

[--remote]

Start fresh in cloud

Opens a new cloud session from the terminal. The current local conversation does not travel with it. Wrong direction for a handoff.

[--teleport]

Pull cloud to terminal

Brings a cloud session into your own terminal. Single-user, single-device. Never crosses a human boundary.

[/remote-control]

Drive from another device

Exposes a live session so you can steer it from your own phone or browser. If a teammate took the URL, every keystroke would run on your laptop, under your credentials. Remote hands, not a handoff.

The four-step git-mediated handoff

The correct transfer pattern ships the live work through the repository. Rules, subagents, hooks, and skills all travel automatically because they already live in a tracked directory. Only the conversation transcript has to be added by hand.

[01]

Export

Run the export slash command. The full conversation is written as markdown that can be committed.

[02]

Plan

Write a short planning stub that captures open decisions, unresolved ambiguities, and the next concrete task.

[03]

Push

Commit the transcript and plan to a feature branch. Push the branch. No force, no rebase.

[04]

Resume

The next engineer clones the branch, runs the agent, and reads the transcript plus plan. Rules and skills auto-load.

What travels in the repository

When the branch lands on a second machine, the agent boots with the same guardrails the first engineer was operating under. That is the entire reason git is a valid transport: the governance surface is not separate from the code it governs.

Project instructions

The root agent briefing and any worktree-scoped instructions load on first invocation. No manual copy step.

Behavioural rules

Hard constraints, preflight checks, compounding gates, and the team's own SDLC loop all live in tracked files. See building secure skills for the rule-file pattern.

Subagents and skills

Reviewers, planners, and specialised tools load from the repo. New engineers inherit the same toolkit without a setup script.

Hooks

Session-start checks, pre-compact audits, and security sidecars fire on the receiving side with the same policy payload.

Why the blast radius matters

A remote-control URL looks cheap until you count the consequences. The receiving human types into your filesystem. They hold your git credentials. They can push with your signature. They can trigger any automation connected to your machine. Nothing in that loop is logged as them. It all gets attributed to you. For teams that care about agent security or audit trails, that is a non-starter.

A git-mediated handoff avoids the problem by construction. The teammate runs as themselves, against their own secrets, on their own machine. The repository is the shared surface. Git history is the audit log. Compliance stays clean.

The SDLC rule that makes it work

Teams that adopt this pattern usually add a compounding review gate to the repository. Before any new file gets written, a reviewer subagent searches for existing implementations to extend, checks for ghost code, and verifies that referenced modules actually exist. The gate has to return a pass verdict before the main agent proceeds.

The gate is what makes the handoff reliable. Every teammate who picks up the branch runs the same checks. No engineer can shortcut the review, because the rule is in the repo, not in somebody's head. This is the operational layer that turns agent governance from a slide into a running test. See standards compliance for how the same idea maps onto IETF attestation work.

[NEXT STEPS]

Operationalise the handoff

Add a compounding review gate to your own repository, commit a short session export on every handoff, and verify that rules auto-load on a fresh clone before the first real task.

Agent governance overview →Building secure skills →Agent security threat model →Standards compliance →

FAQ

Can you transfer a live Claude Code session to another engineer?

Not directly. CLI sessions are local JSONL files with no cloud sync. The correct pattern is to export the transcript, commit a short planning stub, push the branch, and let the teammate clone and resume on their own machine.

Does the /remote-control command hand off a session?

No. It exposes a running session so the same engineer can steer it from their own phone or browser. If a teammate took the URL, every keystroke would run on the original laptop under the original credentials, which fails any audit boundary.

What travels with the repository when the teammate clones it?

Project instructions, behavioural rules, compounding review gates, subagents, skills, and hooks all load from tracked files on the receiving side. The only piece that must be added by hand is the exported conversation transcript.

[RELATED TOPICS]

How Verification Works

Test agents on real vulnerabilities before shipping fixes.

Automated Vulnerability Patching

AI agents generate fixes for known CVEs. XOR verifies each fix against the vulnerability before it ships.

Benchmark Results

62.7% pass rate. $2.64 per fix. Real data from 1,920 evaluations.

Benchmark Results

62.7% pass rate. $2.64 per fix. Real data from 1,920 evaluations.

Agent Cost Economics

Fix vulnerabilities for $2.64–$52 with agents. 100x cheaper than incident response. Real cost data.

Agent Configurations

15 agent-model configurations benchmarked on real vulnerabilities. Compare pass rates and costs.

See which agents produce fixes that work

128 CVEs. 15 agents. 1,920 evaluations. Agents learn from every run.