2.1.98 untested · changelog-derived

Claude Code 2.1.98

Monitor tool — a first-class tool for streaming events from background scripts. Fills a long-standing gap: agents running background processes had no native way to observe stdout line-by-line; Monitor closes that loop and enables reactive agentic pipelines without polling hacks.

9 new primitives · 2 workflow recipes · 49 fixes

New primitives

Monitor tool · tool

Stream events from background scripts line-by-line

Added Monitor tool for streaming events from background scripts
CLAUDE_CODE_PERFORCE_MODE · env-var

Causes Edit/Write/NotebookEdit to fail on read-only files with a `p4 edit` hint instead of silently overwriting them

Added `CLAUDE_CODE_PERFORCE_MODE` env var: when set, Edit/Write/NotebookEdit fail on read-only files with a `p4 edit` hint instead of silently overwriting them
CLAUDE_CODE_SUBPROCESS_ENV_SCRUB + PID namespace isolation · env-var/capability

Enables subprocess sandboxing with PID namespace isolation on Linux

Added subprocess sandboxing with PID namespace isolation on Linux when `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB` is set, and `CLAUDE_CODE_SCRIPT_CAPS` env var to limit per-session script invocations
CLAUDE_CODE_SCRIPT_CAPS · env-var

Limits per-session script invocations

Added subprocess sandboxing with PID namespace isolation on Linux when `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB` is set, and `CLAUDE_CODE_SCRIPT_CAPS` env var to limit per-session script invocations
--exclude-dynamic-system-prompt-sections · flag

Print mode flag for improved cross-user prompt caching by excluding dynamic sections

Added `--exclude-dynamic-system-prompt-sections` flag to print mode for improved cross-user prompt caching
workspace.git_worktree (re-listed) · capability

**NOT new in 2.1.98** — first shipped in **2.1.97** (identical status-line JSON field). 2.1.98 re-lists it with a near-identical changelog line; demoted to an "already shipped" annotation per RECONCILIATION.md (mirrors the `/effort xhigh` handling in 2.1.154).

Added `workspace.git_worktree` to the status line JSON input, set whenever the current directory is inside a linked git worktree
TRACEPARENT env var in Bash subprocesses · env-var

W3C TRACEPARENT injected into Bash tool subprocesses when OTEL tracing enabled, so child spans parent correctly

Added W3C `TRACEPARENT` env var to Bash tool subprocesses when OTEL tracing is enabled, so child-process spans correctly parent to Claude Code's trace tree
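
How a script started by the Bash tool could consume the injected value, as an added example (not code from Claude Code or its changelog): it validates `TRACEPARENT` against the W3C Trace Context version 00 layout before deriving a child span header. The function names are hypothetical, and only version 00 is handled.

```python
import os
import re
import secrets

# W3C Trace Context, version 00: version-traceid-parentid-flags, lowercase hex.
TRACEPARENT_RE = re.compile(r"00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})")


def parse_traceparent(value):
    """Return (trace_id, parent_span_id, sampled), or None if the value is invalid."""
    match = TRACEPARENT_RE.fullmatch(value or "")
    if not match:
        return None
    trace_id, span_id, flags = match.groups()
    # The spec declares all-zero trace ids and span ids invalid.
    if set(trace_id) == {"0"} or set(span_id) == {"0"}:
        return None
    return trace_id, span_id, bool(int(flags, 16) & 0x01)


def child_traceparent(value, new_span_id=None):
    """Build the header for a span started by this process; None means start a new trace."""
    parsed = parse_traceparent(value)
    if parsed is None:
        return None
    trace_id, _parent_span_id, sampled = parsed
    # Same trace id, fresh 8-byte span id; only the sampled bit is carried over.
    span_id = new_span_id or secrets.token_hex(8)
    return "00-{}-{}-{}".format(trace_id, span_id, "01" if sampled else "00")


if __name__ == "__main__":
    inherited = os.environ.get("TRACEPARENT")
    print(child_traceparent(inherited) or "no valid TRACEPARENT; starting a new trace")
```

Treating the variable as untrusted input matters because any parent process can set it, not only Claude Code.
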
Google Vertex AI setup wizard · capability

Interactive wizard from the login screen for GCP auth, project/region config, credential verification, and model pinning

Added interactive Google Vertex AI setup wizard accessible from the login screen when selecting '3rd-party platform', guiding you through GCP authentication, project and region configuration, credential verification, and model pinning
LSP clientInfo identification · capability

Claude Code now identifies itself to language servers via `clientInfo` in the initialize request

LSP: Claude Code now identifies itself to language servers via `clientInfo` in the initialize request

Workflow recipes

Reactive Build-Monitor Agent
Monitor tool + workspace.git_worktree status field

Monitor gives agents a native event stream from background processes; workspace.git_worktree lets a hook or status-line integration know which worktree the agent is operating in. Together, a multi-worktree agent setup can launch a background build/test process in each worktree and route Monitor events back to the correct parent agent context — without polling and without conflating worktree identity.

Orchestrator spawns one subagent per linked worktree. Each subagent runs its build script via Bash with run_in_background, then attaches Monitor to stream stdout. The workspace.git_worktree field in the status line JSON lets each agent confirm its worktree identity before acting on Monitor events. Parent agent collects first-failure lines and synthesizes a cross-worktree health report.

Sandboxed Script-Capped Agentic CI
CLAUDE_CODE_SUBPROCESS_ENV_SCRUB (PID namespace isolation) + CLAUDE_CODE_SCRIPT_CAPS + Monitor tool

Subprocess sandboxing with PID namespace isolation prevents runaway child processes from escaping their session boundary; CLAUDE_CODE_SCRIPT_CAPS provides a hard cap on total script invocations so a misbehaving agent loop cannot exhaust the environment. Pairing both with Monitor lets an operator-controlled harness watch script output in real time while enforcing execution budgets — a meaningful step toward safe autonomous CI without a full container wrapper.

In a Linux CI environment, set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 and CLAUDE_CODE_SCRIPT_CAPS=<budget> before launching a headless Claude Code agent on a PR. The agent runs test/lint scripts; Monitor streams their output to the parent for structured result extraction. If the script cap is hit, the agent surfaces residue rather than spinning indefinitely. The PID namespace isolation ensures no subprocess outlives the session.

Agentic relevance

The Monitor tool is the headline agentic primitive: it enables reactive agent loops that observe background process output line-by-line without polling, unblocking event-driven pipeline patterns. The `CLAUDE_CODE_SCRIPT_CAPS` + subprocess sandboxing env vars give operators a new control surface for limiting and isolating script execution in multi-agent deployments. (The `workspace.git_worktree` status field — already shipped in 2.1.97, re-listed here — remains relevant for worktree-aware hooks and parallel worktree agent patterns common in this repo.)

Hardening & fixes (49)

  • Fixed Bash tool permission bypass where a backslash-escaped flag could be auto-allowed as read-only and lead to arbitrary code execution
  • Fixed compound Bash commands bypassing forced permission prompts in auto and bypass-permissions modes
  • Fixed read-only commands with env-var prefixes not prompting unless the var is known-safe
  • Fixed redirects to `/dev/tcp/...` or `/dev/udp/...` not prompting
  • Fixed stalled streaming responses timing out instead of falling back to non-streaming mode
  • Fixed 429 retries burning all attempts in ~13s — exponential backoff now applies as a minimum
  • Fixed MCP OAuth `oauth.authServerMetadataUrl` config override not being honored on token refresh after restart
  • Fixed capital letters being dropped to lowercase on xterm and VS Code terminal with kitty keyboard protocol
  • Fixed macOS text replacements deleting the trigger word instead of inserting the substitution
  • Fixed `--dangerously-skip-permissions` being silently downgraded to accept-edits mode after a protected-path write
  • Fixed managed-settings allow rules remaining active after admin removal until process restart
  • Fixed `permissions.additionalDirectories` changes not applying mid-session
  • Fixed removing a directory from `additionalDirectories` revoking access to the same directory passed via `--add-dir`
  • Fixed `Bash(cmd:*)` and `Bash(git commit *)` wildcard rules failing on commands with extra spaces or tabs
  • Fixed `Bash(...)` deny rules being downgraded to a prompt for piped commands mixing `cd` with other segments
  • Fixed false Bash permission prompts for `cut -d /`, `paste -d /`, `column -s /`, `awk`, and filenames containing `%`
  • Fixed permission rules with names matching JavaScript prototype properties causing `settings.json` to be silently ignored
  • Fixed agent team members not inheriting the leader's permission mode with `--dangerously-skip-permissions`
  • Fixed crash in fullscreen mode when hovering over MCP tool results
  • Fixed copying wrapped URLs in fullscreen mode inserting spaces at line breaks
  • Fixed file-edit diffs disappearing from the UI on `--resume` for files larger than 10KB
  • Fixed several `/resume` picker issues (uneditable sessions, filter reload wiping search, empty-list key swallow, cross-project staleness, transient status text)
  • Fixed `/export` not honoring absolute paths and `~`, and silently rewriting extensions to `.txt`
  • Fixed `/effort max` being denied for unknown or future model IDs
  • Fixed slash command picker breaking when a plugin's frontmatter `name` is a YAML boolean keyword
  • Fixed rate-limit upsell text being hidden after message remounts
  • Fixed MCP tools with `_meta["anthropic/maxResultSizeChars"]` not bypassing the token-based persist layer
  • Fixed voice mode space-character leak when re-holding push-to-talk during transcript processing
  • Fixed `DISABLE_AUTOUPDATER` not fully suppressing npm registry version check and symlink modification
  • Fixed memory leak in Remote Control permission handler entries
  • Fixed background subagents not reporting partial progress to the parent on error
  • Fixed prompt-type Stop/SubagentStop hooks failing on long sessions; hook evaluator API errors showing "JSON validation failed"
  • Fixed feedback survey rendering when dismissed
  • Fixed Bash `grep -f FILE` / `rg -f FILE` not prompting when pattern file is outside the working directory
  • Fixed stale subagent worktree cleanup removing worktrees with untracked files
  • Fixed `sandbox.network.allowMachLookup` not taking effect on macOS
  • Fixed `CLAUDE_CODE_MAX_CONTEXT_TOKENS` not honoring `DISABLE_COMPACT` when set
  • Dropped `/compact` hints when `DISABLE_COMPACT` is set
  • Improved `/resume` filter hint labels and added project/worktree/branch names in the filter indicator
  • Improved footer indicators to stay on the mode-indicator row at narrow terminal widths
  • Improved `/agents` with tabbed layout (Running tab for live subagents, Library tab with Run/View actions)
  • Improved `/reload-plugins` to pick up plugin-provided skills without restart
  • Improved Accept Edits mode to auto-approve filesystem commands prefixed with safe env vars or process wrappers
  • Improved Vim mode: `j`/`k` in NORMAL mode navigate history and select footer pill at input boundary
  • Improved hook errors in the transcript to include the first line of stderr for self-diagnosis
  • Improved OTEL tracing: interaction spans correctly wrap full turns; headless turns end spans per-turn
  • Improved transcript entries to carry final token usage instead of streaming placeholders
  • Updated `/claude-api` skill to cover Managed Agents alongside Claude API
  • [VSCode] Fixed false-positive "requires git-bash" error on Windows
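
Several of the Bash fixes above concern commands that were auto-allowed when they should have prompted. As an added example (not Claude Code's implementation), the following audit helper flags three of those shapes in a command string: compound commands, env-var prefixes outside a known-safe set, and redirects to `/dev/tcp/...` or `/dev/udp/...`. The names `review_reasons` and `KNOWN_SAFE_ENV` are hypothetical, and the safe set holds only the three variables the changelog for this release names.

```python
import re
import shlex

# Only the variables the changelog names; the real allow-list is longer ("etc.").
KNOWN_SAFE_ENV = {"LANG", "TZ", "NO_COLOR"}
ASSIGNMENT = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=")
SEPARATOR = re.compile(r"[;|&]+")   # ; | || & && between commands
REDIRECT = re.compile(r"[<>&]+")    # > >> < >& &> (pure-& is caught above)
NET_DEVICE = re.compile(r"/dev/(tcp|udp)/")


def tokenize(command):
    """Split like a POSIX shell, with operators as separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # keep text after '#' visible to the checks
    return list(lexer)


def review_reasons(command):
    """Return why a command deserves a prompt; an empty list means no finding."""
    try:
        tokens = tokenize(command)
    except ValueError:  # unbalanced quotes: do not guess, ask
        return ["unparseable quoting"]
    reasons = []
    at_command_start = True
    for i, tok in enumerate(tokens):
        if SEPARATOR.fullmatch(tok):
            if "compound command" not in reasons:
                reasons.append("compound command")
            at_command_start = True
            continue
        assignment = ASSIGNMENT.match(tok) if at_command_start else None
        if assignment:
            if assignment.group(1) not in KNOWN_SAFE_ENV:
                reasons.append("env prefix " + assignment.group(1))
            continue
        at_command_start = False
        target = tokens[i + 1] if i + 1 < len(tokens) else ""
        if REDIRECT.fullmatch(tok) and NET_DEVICE.match(target):
            reasons.append("network redirect " + target)
    return reasons


if __name__ == "__main__":
    # Constructed sample commands (192.0.2.10 is a documentation address).
    for cmd in ("LANG=C sort names.txt", "MY_VAR=1 cat notes.txt",
                "echo hello > /dev/udp/192.0.2.10/514", "cd build && make test"):
        print(cmd, "->", review_reasons(cmd) or "no finding")
```

Quoted operators such as `echo ';'` are flagged as well, so the check errs toward prompting rather than toward auto-allowing.
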

Raw changelog

## 2.1.98

- Added interactive Google Vertex AI setup wizard accessible from the login screen when selecting "3rd-party platform", guiding you through GCP authentication, project and region configuration, credential verification, and model pinning
- Added `CLAUDE_CODE_PERFORCE_MODE` env var: when set, Edit/Write/NotebookEdit fail on read-only files with a `p4 edit` hint instead of silently overwriting them
- Added Monitor tool for streaming events from background scripts
- Added subprocess sandboxing with PID namespace isolation on Linux when `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB` is set, and `CLAUDE_CODE_SCRIPT_CAPS` env var to limit per-session script invocations
- Added `--exclude-dynamic-system-prompt-sections` flag to print mode for improved cross-user prompt caching
- Added `workspace.git_worktree` to the status line JSON input, set whenever the current directory is inside a linked git worktree
- Added W3C `TRACEPARENT` env var to Bash tool subprocesses when OTEL tracing is enabled, so child-process spans correctly parent to Claude Code's trace tree
- LSP: Claude Code now identifies itself to language servers via `clientInfo` in the initialize request
- Fixed a Bash tool permission bypass where a backslash-escaped flag could be auto-allowed as read-only and lead to arbitrary code execution
- Fixed compound Bash commands bypassing forced permission prompts for safety checks and explicit ask rules in auto and bypass-permissions modes
- Fixed read-only commands with env-var prefixes not prompting unless the var is known-safe (`LANG`, `TZ`, `NO_COLOR`, etc.)
- Fixed redirects to `/dev/tcp/...` or `/dev/udp/...` not prompting instead of auto-allowing
- Fixed stalled streaming responses timing out instead of falling back to non-streaming mode
- Fixed 429 retries burning all attempts in ~13s when the server returns a small `Retry-After` — exponential backoff now applies as a minimum
- Fixed MCP OAuth `oauth.authServerMetadataUrl` config override not being honored on token refresh after restart, affecting ADFS and similar IdPs
- Fixed capital letters being dropped to lowercase on xterm and VS Code integrated terminal when the kitty keyboard protocol is active
- Fixed macOS text replacements deleting the trigger word instead of inserting the substitution
- Fixed `--dangerously-skip-permissions` being silently downgraded to accept-edits mode after approving a write to a protected path via Bash
- Fixed managed-settings allow rules remaining active after an admin removed them, until process restart
- Fixed `permissions.additionalDirectories` changes not applying mid-session — removed directories lose access immediately and added ones work without restart
- Fixed removing a directory from `additionalDirectories` revoking access to the same directory passed via `--add-dir`
- Fixed `Bash(cmd:*)` and `Bash(git commit *)` wildcard permission rules failing to match commands with extra spaces or tabs
- Fixed `Bash(...)` deny rules being downgraded to a prompt for piped commands that mix `cd` with other segments
- Fixed false Bash permission prompts for `cut -d /`, `paste -d /`, `column -s /`, `awk '{print $1}' file`, and filenames containing `%`
- Fixed permission rules with names matching JavaScript prototype properties (e.g. `toString`) causing `settings.json` to be silently ignored
- Fixed agent team members not inheriting the leader's permission mode when using `--dangerously-skip-permissions`
- Fixed a crash in fullscreen mode when hovering over MCP tool results
- Fixed copying wrapped URLs in fullscreen mode inserting spaces at line breaks
- Fixed file-edit diffs disappearing from the UI on `--resume` when the edited file was larger than 10KB
- Fixed several `/resume` picker issues: `--resume <name>` opening uneditable, filter reload wiping search state, empty list swallowing arrow keys, cross-project staleness, and transient task-status text replacing conversation summaries
- Fixed `/export` not honoring absolute paths and `~`, and silently rewriting user-supplied extensions to `.txt`
- Fixed `/effort max` being denied for unknown or future model IDs
- Fixed slash command picker breaking when a plugin's frontmatter `name` is a YAML boolean keyword
- Fixed rate-limit upsell text being hidden after message remounts
- Fixed MCP tools with `_meta["anthropic/maxResultSizeChars"]` not bypassing the token-based persist layer
- Fixed voice mode leaking dozens of space characters into the input when re-holding the push-to-talk key while the previous transcript is still processing
- Fixed `DISABLE_AUTOUPDATER` not fully suppressing the npm registry version check and symlink modification on npm-based installs
- Fixed a memory leak where Remote Control permission handler entries were retained for the lifetime of the session
- Fixed background subagents that fail with an error not reporting partial progress to the parent agent
- Fixed prompt-type Stop/SubagentStop hooks failing on long sessions, and hook evaluator API errors showing "JSON validation failed" instead of the real message
- Fixed feedback survey rendering when dismissed
- Fixed Bash `grep -f FILE` / `rg -f FILE` not prompting when reading a pattern file outside the working directory
- Fixed stale subagent worktree cleanup removing worktrees that contain untracked files
- Fixed `sandbox.network.allowMachLookup` not taking effect on macOS
- Improved `/resume` filter hint labels and added project/worktree/branch names in the filter indicator
- Improved footer indicators (Focus, notifications) to stay on the mode-indicator row instead of wrapping at narrow terminal widths
- Improved `/agents` with a tabbed layout: a Running tab shows live subagents, and the Library tab adds Run agent and View running instance actions
- Improved `/reload-plugins` to pick up plugin-provided skills without requiring a restart
- Improved Accept Edits mode to auto-approve filesystem commands prefixed with safe env vars or process wrappers
- Improved Vim mode: `j`/`k` in NORMAL mode now navigate history and select the footer pill at the input boundary
- Improved hook errors in the transcript to include the first line of stderr for self-diagnosis without `--debug`
- Improved OTEL tracing: interaction spans now correctly wrap full turns under concurrent SDK calls, and headless turns end spans per-turn
- Improved transcript entries to carry final token usage instead of streaming placeholders
- Updated the `/claude-api` skill to cover Managed Agents alongside Claude API
- [VSCode] Fixed false-positive "requires git-bash" error on Windows when `CLAUDE_CODE_GIT_BASH_PATH` is set or Git is installed at a default location
- Fixed `CLAUDE_CODE_MAX_CONTEXT_TOKENS` to honor `DISABLE_COMPACT` when it is set.
- Dropped `/compact` hints when `DISABLE_COMPACT` is set.