# Claude Code Feature Intelligence — Full Corpus > 63 versions, 395 new primitives, 137 workflow recipes. Changelog-derived and untested; the complement to runtime battle-tests, not a substitute. Produced by three model-tiered ultracode runs (137 agents) over the Claude Code changelog, 2026-06-09. > Human pages: https://ryanhunter.io/experiments/claude-code · Source of truth: foundation3 docs/experiments/claude-features + WGL defs in packages/exo/ontology. ## 2.1.33 **Headline:** **Multi-agent workflow primitives:** New hook events (`TeammateIdle`, `TaskCompleted`) + agent-spawning restrictions (`Task(agent_type)`) + persistent memory scopes (`memory` frontmatter) unlock structured multi-agent orchestration where teammates coordinate across sessions with durable state and controlled delegation. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | TeammateIdle | hook event | Fires when a teammate agent enters idle state in multi-agent workflows | Added `TeammateIdle` and `TaskCompleted` hook events for multi-agent workflows | | TaskCompleted | hook event | Fires when a task completes in multi-agent workflows | Added `TeammateIdle` and `TaskCompleted` hook events for multi-agent workflows | | Task(agent_type) syntax | capability | Restricts which sub-agents can be spawned by specifying agent type in agent "tools" frontmatter | Added support for restricting which sub-agents can be spawned via `Task(agent_type)` syntax in agent "tools" frontmatter | | memory frontmatter field | setting | Enables persistent memory for agents with scope options (`user`, `project`, or `local`) | Added `memory` frontmatter field support for agents, enabling persistent memory with `user`, `project`, or `local` scope | | Plugin name in skill menu | UI enhancement | Shows plugin name alongside skill descriptions in `/skills` menu for discoverability | Added plugin name to skill descriptions and `/skills` menu for better discoverability | ### Workflow recipes - **Persistent Multi-Agent Task Pipeline** — combines TeammateIdle + TaskCompleted hook events + memory frontmatter (project scope) + Task(agent_type) spawning restrictions. Multi-agent workflows now have state continuity. Agents can persist context across delegations, react to peer lifecycle changes, and enforce spawning policies. This unlocks checkpoint-resumable pipelines where teammates hand off work while preserving shared state without re-initializing each step. Idea: A code-review agent spawns a specialized @syntax-checker sub-agent (via Task(@syntax-checker) restriction) to validate files. When @syntax-checker completes (fires TaskCompleted hook), the reviewer agent wakes up (was idle, receives TeammateIdle→active transition), retrieves shared context from project-scoped memory, and proceeds to semantic review. If the reviewer is interrupted, it resumes from the same checkpoint on re-run because the memory persists in project scope. - **Inter-Session Teammate State Machine** — combines memory frontmatter with project scope + TeammateIdle hook + remote sessions (VSCode support). Agents can now maintain state across separate Claude Code sessions (VSCode remote, tmux, CLI). Hook events enable clean state transitions. Project-scoped memory acts as a durable handoff surface between independently-spawned teammate instances. Idea: A foundational "master coordinator" agent runs in a persistent session and uses project-scoped memory to store a work queue and delegation log. When spawning specialized teammates (e.g., data validator, report generator), each reads their task from memory, processes it, and writes results back. The coordinator watches TeammateIdle events to poll for completion and assign new work. Teammates can be spawned in different sessions/terminals and still coordinate via the shared memory surface — enabling distributed team-like workflows across disconnected Claude Code environments. **Agentic relevance:** The multi-agent primitives in 2.1.33 (hook events, memory scoping, spawning restrictions) enable agents to coordinate across sessions with durable state. Agents can now persist context (`user`/`project`/`local` memory), react to teammate lifecycle events, and control which sub-agents they delegate to — transforming ad-hoc teammate spawning into structured orchestration. The tmux fix + remote session support make multi-agent workflows viable in headless and remote environments. _12 hardening fixes (not new primitives)._ --- ## 2.1.41 **Headline:** **`claude auth` CLI subcommands (login/status/logout)** — enables programmatic and interactive authentication workflows without manual config file editing. This matters for automation, CI/CD, and credential rotation loops where auth state must be explicitly managed. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | claude auth login | command | Initiates interactive authentication flow | Added `claude auth login`, `claude auth status`, and `claude auth logout` CLI subcommands | | claude auth status | command | Reports current authentication state | Added `claude auth login`, `claude auth status`, and `claude auth logout` CLI subcommands | | claude auth logout | command | Clears authentication credentials | Added `claude auth login`, `claude auth status`, and `claude auth logout` CLI subcommands | | speed attribute (OTel) | setting/tracing | Marks fast mode visibility in traces and spans | Added `speed` attribute to OTel events and trace spans for fast mode visibility | | Windows ARM64 support | capability | Native binary for win32-arm64 architecture | Added Windows ARM64 (win32-arm64) native binary support | | /rename auto-generation | command enhancement | Session renaming from conversation context without args | Improved `/rename` to auto-generate session name from conversation context when called without arguments | ### Workflow recipes - **Headless CI/CD Credential Rotation Loop** — combines claude auth login + claude auth status + claude auth logout. The auth CLI subcommands enable agents to manage credential lifecycle without interactive prompts, unlocking automated credential rotation, multi-account cycling, and safe session cleanup in orchestrated pipelines. Idea: Build a CI/CD agent that (1) rotates authentication on a cron schedule by calling claude auth logout to clear stale creds, (2) uses claude auth login with piped input or environment-driven flows to re-authenticate with fresh tokens, (3) polls claude auth status to verify successful auth before launching dependent workflows, and (4) audits auth state changes in OTel/trace logs for compliance reporting. - **Observable Agent Performance Monitoring with OTel Speed Attribute** — combines speed attribute (OTel) + existing trace/span instrumentation. The speed attribute exposes fast-mode execution in OTel spans, enabling agents to self-monitor performance and make runtime decisions about trading speed for quality (e.g., falling back to thorough mode if fast-mode latency regresses). Idea: An agent that logs its own execution traces with the speed attribute, then querying those traces via OTel backend (Datadog, New Relic, Honeycomb) to detect when fast-mode runs exceed latency budgets. Agents can consume this signal to auto-switch modes, trigger escalations, or annotate outputs with confidence/speed tradeoff metadata. **Agentic relevance:** The `claude auth` subcommands unlock headless credential management for agent workflows running in CI/CD or orchestration contexts where interactive login cannot be assumed. The `speed` OTel attribute enables observability of fast-mode traces, critical for agents monitoring their own execution performance. Windows ARM64 support broadens deployment surface for Claude Code agents on modern ARM-based Windows systems. _18 hardening fixes (not new primitives)._ --- ## 2.1.42 **Headline:** **One-time Opus 4.6 effort callout** — introduces a new system-level user communication for eligible users, improving model discoverability and driving adoption of the latest capability tier without ongoing permission friction. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | Opus 4.6 effort callout | setting/capability | Displays one-time notification to eligible users about Opus 4.6 availability | Added one-time Opus 4.6 effort callout for eligible users | **Agentic relevance:** The Opus 4.6 callout is a lightweight adoption signal mechanism. For agents, this means model tier visibility is now automatic for eligible users rather than user-discovered. The hardening fixes improve agent startup latency and cache efficiency, reducing wall-clock time for multi-turn reasoning and large-context ingestion. _4 hardening fixes (not new primitives)._ --- ## 2.1.45 **Headline:** **Claude Sonnet 4.6 support + SDK rate-limit observability.** Model expansion (new flagship) + SDK types for throttle-aware consumer code. Why it matters: agents and tools that respect rate limits can now signal backpressure programmatically. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | Claude Sonnet 4.6 | capability | Model support for Claude Sonnet 4.6 | Added support for Claude Sonnet 4.6 | | --add-dir plugins/marketplaces | flag-extension | Extended `--add-dir` to read `enabledPlugins` and `extraKnownMarketplaces` from directories | Added support for reading `enabledPlugins` and `extraKnownMarketplaces` from `--add-dir` directories | | spinnerTipsOverride | setting | Customize spinner tips with custom tip array; optionally exclude default tips | Added `spinnerTipsOverride` setting to customize spinner tips — configure `tips` with an array of custom tip strings, and optionally set `excludeDefault: true` to show only your custom tips instead of the built-in ones | | SDKRateLimitInfo / SDKRateLimitEvent | SDK-types | SDK types enabling consumers to receive rate limit status updates including utilization, reset times, and overage information | Added `SDKRateLimitInfo` and `SDKRateLimitEvent` types to the SDK, enabling consumers to receive rate limit status updates including utilization, reset times, and overage information | ### Workflow recipes - **Rate-limit-aware agent work queuing** — combines SDKRateLimitInfo / SDKRateLimitEvent + Claude Sonnet 4.6. Agents consuming the SDK can now observe rate-limit utilization and reset times in real time, enabling intelligent work-deferral and priority-based queueing strategies. Sonnet 4.6 as the model tier increases throughput ceiling, making observability more actionable. Idea: Build an agent coordinator that consumes SDKRateLimitEvent types to track per-endpoint utilization (tokens, requests), calculates backoff windows dynamically, and routes high-priority work to Sonnet 4.6 when available while deferring or batching lower-priority tasks. Pluggable backends (Bedrock, Vertex, Foundry) propagate the same events, allowing cloud agents to share a unified backpressure model. - **Plugin-driven agent capability discovery** — combines --add-dir plugins/marketplaces + spinnerTipsOverride. Agents can now bulk-load plugin catalogs and marketplace definitions from directories, enabling dynamic capability composition. spinnerTipsOverride makes long operations more agent-transparent (can be used to signal phase/status in feedback loops). Idea: On startup, an orchestrator agent reads a curated --add-dir directory containing plugin manifests and marketplace definitions, auto-discovers available tools and commands, and builds a live capability graph. During multi-step workflows, spinner tips can be overridden to echo the current task context (e.g., "Scanning SAGO definitions", "Building draft offer"), making progress observable to downstream logs/monitoring without polling. **Agentic relevance:** SDK rate-limit types enable agents to implement backpressure and throttle-aware work planning. Sonnet 4.6 support gives agents access to a new flagship model capability (if configured). Plugin/marketplace discovery via `--add-dir` expands agent composition surface for multi-tool orchestration. _11 hardening fixes (not new primitives)._ --- ## 2.1.46 **Headline:** claude.ai MCP connector support in Claude Code — agents can now use Model Context Protocol integrations from the claude.ai web interface, bridging web tools into the CLI environment and expanding available capabilities for agent workflows. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | claude.ai MCP connectors | capability | Use Model Context Protocol connectors configured in claude.ai within Claude Code CLI | Added support for using claude.ai MCP connectors in Claude Code | **Agentic relevance:** The MCP connector capability extends Claude Code's integration ecosystem without new CLI primitives, allowing agents to leverage tools configured in the web interface. The macOS process fix improves daemon reliability for long-running agent sessions. Combined, these improve integration flexibility and runtime stability for agent workloads, though the net-new surface is modest. _1 hardening fixes (not new primitives)._ --- ## 2.1.47 **Headline:** **`last_assistant_message` hook field**: Stop and SubagentStop hooks can now access the final assistant response text directly without parsing transcript files, enabling cleaner automation of agent result capture and persistence. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | ctrl+f background agent kill | keybinding | Terminate all background agents at once while allowing manual agent lifecycle control | Use `ctrl+f` to kill all background agents instead of double-pressing ESC. Background agents now continue running when you press ESC to cancel the main thread, giving you more control over agent lifecycle. | | last_assistant_message | hook | Access the final assistant response text in Stop and SubagentStop hook inputs without parsing transcripts | Added `last_assistant_message` field to Stop and SubagentStop hook inputs, providing the final assistant response text so hooks can access it without parsing transcript files. | | chat:newline keybinding action | keybinding | Configure custom keybindings for multi-line input control | Added `chat:newline` keybinding action for configurable multi-line input (anthropics/claude-code#26075) | | added_dirs statusline field | setting | Expose workspace directories added via `/add-dir` to external scripts and dashboards | Added `added_dirs` to the statusline JSON `workspace` section, exposing directories added via `/add-dir` to external scripts (anthropics/claude-code#26096) | ### Workflow recipes - **Background agent fan-out with zero-copy result capture** — combines ctrl+f keybinding + last_assistant_message hook field + ESC-detach for background agent lifecycle. The decoupling of background agent termination (ctrl+f to kill all) from main-thread control (ESC still works), combined with direct access to final answers in hook payloads, enables a cleaner multi-agent orchestration pattern where external systems can collect agent results without parsing transcripts. Idea: Spawn N background agents with SubagentStop hooks that capture last_assistant_message to a result queue (database, message broker, or event log). Press ESC to detach the main thread while agents continue running. When ready, press ctrl+f to terminate the agent pool. The hook payloads already contain each agent's final answer, so result collection is O(1) per agent, not O(lines) through transcript parsing. Enables fan-out patterns for parallel research, multi-model evaluation, or batch agent workflows without transcript I/O bottlenecks. - **Live workspace dashboard with agent-synchronized context** — combines added_dirs statusline field + last_assistant_message hook field + external script integration. External orchestration scripts can now watch both the active workspace context (via added_dirs in statusline JSON) and the latest agent outcomes (via last_assistant_message), enabling a dashboard that surfaces project context alongside agent-derived insights in real time. Idea: Write an external script that polls the Claude Code statusline JSON to extract workspace.added_dirs (active project directories) and installs a Stop hook that writes last_assistant_message to a shared state file. A dashboard consumes both signals: green-light directories where work is active, paired with the last agent summary/decision for those dirs. Useful for multi-workspace setups where context and outcomes need to stay in sync — the agent can report "completed analysis for /dir/a" and the dashboard immediately knows to refresh views only for that directory. **Agentic relevance:** The `last_assistant_message` primitive enables cleaner agent orchestration: hook payloads can now capture final answers directly without parsing transcripts, simplifying dashboard integration and result persistence. Combined with improved background agent lifecycle control (`ctrl+f` keybinding), this version enables better multi-agent coordination patterns. The `added_dirs` statusline field supports external workspace awareness for agent dashboards tracking active project directories. _63 hardening fixes (not new primitives)._ --- ## 2.1.49 **Headline:** Worktree isolation for Claude and subagents enables reproducible, containerized agent workflows without branch conflicts or stale state bleeding across sessions. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | --worktree / -w flag | flag/command | Start Claude in an isolated git worktree | Added `--worktree` (`-w`) flag to start Claude in an isolated git worktree | | isolation: "worktree" | setting | Run subagent in a temporary git worktree | Subagents support `isolation: "worktree"` for working in a temporary git worktree | | Ctrl+F keybinding | keybinding | Two-press confirmation to kill all background agents | Added Ctrl+F keybinding to kill background agents (two-press confirmation) | | background: true in agent definitions | setting | Always run an agent as a background task | Agent definitions support `background: true` to always run as a background task | | Plugin settings.json shipping | capability | Plugins can provide default configuration | Plugins can ship `settings.json` for default configuration | | File edit tool in simple mode | capability | Simple mode now includes the file edit tool alongside Bash | Simple mode (`CLAUDE_CODE_SIMPLE`) now includes the file edit tool in addition to the Bash tool, allowing direct file editing in simple mode. | | ConfigChange hook event | hook | Fire when configuration files change during a session | Added `ConfigChange` hook event that fires when configuration files change during a session, enabling enterprise security auditing and optional blocking of settings changes. | | SDK model capability fields | capability/SDK | Discover model support for effort, adaptive thinking | SDK model info now includes `supportsEffort`, `supportedEffortLevels`, and `supportsAdaptiveThinking` fields so consumers can discover model capabilities. | ### Workflow recipes - **Isolated Agent Orchestration with State Enforcement** — combines --worktree + isolation: "worktree" + background: true + ConfigChange hook. Worktree-backed subagents running as persistent background tasks can safely parallelize work across branches without merge conflicts or stale-state issues. The ConfigChange hook enables parent orchestrators to react to policy/constraint changes mid-task, allowing enterprise-grade enforcement and task abortion if security posture shifts. Idea: Launch a background subagent coordinator in the root worktree that monitors ConfigChange events. When policy changes (e.g., new permission restrictions, security audit requirements), it signals child background subagents running in isolated worktrees to checkpoint and abort if no longer compliant. Child agents resume work only after acknowledging the new constraints. This unblocks parallelized code review, batch analysis, and multi-team recompete intelligence workflows where global constraints (budget, clearance level, customer scope) can shift without orphaning in-flight work. - **Simple Mode with Direct File Mutation for Embedded/Lightweight Agents** — combines File edit tool now in simple mode + background: true + plugin settings.json defaults. Lightweight agents deployed in resource-constrained or embedded contexts (e.g., CI/CD pipelines, embedded CLI, SDK integrations) can now edit files directly without Bash, reducing tool surface and permission footprint. Plugins shipping settings.json allows distributing agents with sensible defaults, enabling plug-and-play delegation. Idea: Build a "reviewer agent" plugin that ships with conservative settings.json defaults (no bash, file-edit-only, specific paths allowlisted). Distribute to teams as a plugin. On CI/CD activation, the agent runs in background with the plugin's defaults, reviews code changes, and edits files (e.g., add review comment markers, auto-fix style). This bypasses complex permission setup per CI job and keeps the agent surface minimal. **Agentic relevance:** Worktree isolation (`--worktree` + `isolation: "worktree"`) enables multi-agent workflows with guaranteed state separation and reproducibility. Background agent persistence (`background: true`) and the new `ConfigChange` hook support orchestration patterns where agents watch configuration drift and react to policy changes—critical for enterprise automation and long-running daemons. SDK capability discovery (`supportsEffort`, `supportedEffortLevels`, `supportsAdaptiveThinking`) allows agents to adapt strategy to model capability at invocation time. _19 hardening fixes (not new primitives)._ --- ## 2.1.50 [isolation] **Headline:** Declarative `isolation: worktree` in agent definitions (plus paired WorktreeCreate/WorktreeRemove hooks) lets subagents run in isolated git worktrees automatically — the key new fan-out orchestration primitive in 2.1.50. The rest is predominantly memory-leak hardening. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | isolation: worktree (agent definitions) | capability | Agent definitions can declaratively request running in an isolated git worktree, giving each agent its own checkout for safe parallel fan-out without manual worktree management. | Added support for `isolation: worktree` in agent definitions, allowing agents to declaratively run in isolated git worktrees. | | WorktreeCreate / WorktreeRemove hooks | hook | Two new hook events fire when agent worktree isolation creates or removes a worktree, enabling custom VCS setup/teardown (deps install, env priming, cleanup) around isolated agent runs. | Added `WorktreeCreate` and `WorktreeRemove` hook events, enabling custom VCS setup and teardown when agent worktree isolation creates or removes worktrees. | | claude agents (CLI) | command | New CLI subcommand that lists all configured agents. | Added `claude agents` CLI command to list all configured agents | | CLAUDE_CODE_DISABLE_1M_CONTEXT | env-var | Environment variable to disable the 1M context window support. | Added `CLAUDE_CODE_DISABLE_1M_CONTEXT` environment variable to disable 1M context window support | | startupTimeout (LSP config) | setting | New configuration option to set the startup timeout for LSP servers. | Added support for `startupTimeout` configuration for LSP servers | | /extra-usage in VS Code | command | The /extra-usage command is now supported within VS Code sessions, extending that command to the VSCode surface. | VSCode: Added `/extra-usage` command support in VS Code sessions | **Agentic relevance:** 2.1.50 advances the agent-orchestration frontier mainly through declarative `isolation: worktree` plus WorktreeCreate/WorktreeRemove hooks, which turn safe parallel subagent fan-out into a first-class, config-driven capability instead of a hand-rolled worktree dance. Paired with `claude agents` for fleet visibility, it tightens the multi-agent control surface, while the heavy memory-leak hardening makes long-running orchestration sessions materially more durable. _19 hardening fixes (not new primitives)._ --- ## 2.1.51 **Headline:** **`claude remote-control` subcommand** — enables external build systems and CI/CD pipelines to orchestrate Claude Code locally, expanding integration surface beyond direct user interaction to automated environments and distributed workflows. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | claude remote-control | command | Subcommand for external builds, enabling local environment serving for all users | Added `claude remote-control` subcommand for external builds, enabling local environment serving for all users. | | CLAUDE_CODE_PLUGIN_GIT_TIMEOUT_MS | env-var | Configurable git timeout for plugin marketplace operations (default increased from 30s to 120s) | Updated plugin marketplace default git timeout from 30s to 120s and added `CLAUDE_CODE_PLUGIN_GIT_TIMEOUT_MS` to configure. | | Custom npm registries + version pinning | capability | Support for custom npm registries and specific version pinning when installing plugins from npm sources | Added support for custom npm registries and specific version pinning when installing plugins from npm sources | | BashTool login shell behavior | setting | Skip login shell (`-l` flag) by default when shell snapshot is available (previously required `CLAUDE_BASH_NO_LOGIN=true`) | BashTool now skips login shell (`-l` flag) by default when a shell snapshot is available, improving command execution performance. Previously this required setting `CLAUDE_BASH_NO_LOGIN=true`. | | CLAUDE_CODE_ACCOUNT_UUID | env-var | Synchronously provide account UUID for SDK callers, eliminating race condition in early telemetry | Added `CLAUDE_CODE_ACCOUNT_UUID`, `CLAUDE_CODE_USER_EMAIL`, and `CLAUDE_CODE_ORGANIZATION_UUID` environment variables for SDK callers to provide account info synchronously, eliminating a race condition where early telemetry events lacked account metadata. | | CLAUDE_CODE_USER_EMAIL | env-var | Synchronously provide user email for SDK callers, eliminating race condition in early telemetry | Added `CLAUDE_CODE_ACCOUNT_UUID`, `CLAUDE_CODE_USER_EMAIL`, and `CLAUDE_CODE_ORGANIZATION_UUID` environment variables for SDK callers to provide account info synchronously, eliminating a race condition where early telemetry events lacked account metadata. | | CLAUDE_CODE_ORGANIZATION_UUID | env-var | Synchronously provide organization UUID for SDK callers, eliminating race condition in early telemetry | Added `CLAUDE_CODE_ACCOUNT_UUID`, `CLAUDE_CODE_USER_EMAIL`, and `CLAUDE_CODE_ORGANIZATION_UUID` environment variables for SDK callers to provide account info synchronously, eliminating a race condition where early telemetry events lacked account metadata. | | Macros/Windows Registry managed settings | capability | Managed settings can now be set via macOS plist or Windows Registry | Managed settings can now be set via macOS plist or Windows Registry. Learn more at https://code.claude.com/docs/en/settings#settings-files | ### Workflow recipes - **Remote-Controlled Agent Factories in CI/CD** — combines claude remote-control + CLAUDE_CODE_PLUGIN_GIT_TIMEOUT_MS + CLAUDE_CODE_ACCOUNT_UUID/CLAUDE_CODE_USER_EMAIL/CLAUDE_CODE_ORGANIZATION_UUID. External build systems (GitHub Actions, GitLab CI, Jenkins) can now spawn ephemeral Claude Code instances with full account context, enabling agents to reason over code generation tasks within CI/CD pipelines without manual API orchestration. The configurable git timeout and account UUID env-vars eliminate cold-start delays and telemetry race conditions that plague cloud-agent spawn workflows. Idea: A GitHub Actions workflow spawns a Claude Code instance via claude remote-control, passes org/user/account context via env-vars, and deploys an agent that generates migration code, runs schema validation, and posts results back to the PR—all with native CLI latency and workspace access. The plugin marketplace timeout handles large monorepo submodule fetches that previously timed out. - **Enterprise Deployment with OS-Level Settings Synchronization** — combines Macros/Windows Registry managed settings + custom npm registries + BashTool login-shell optimization. Organizations can now centrally manage Claude Code configuration (registry mirrors, timeout policies, workspace trust rules) via macOS plist or Windows Registry, reducing per-machine setup variance. BashTool's automatic login-shell skip further improves command execution performance in enterprise CI/CD contexts where shell snapshots are available. Idea: An enterprise MDM (Mobile Device Management) system deploys Claude Code via managed registry, sets CLAUDE_CODE_PLUGIN_GIT_TIMEOUT_MS=180000 and custom npm registry URLs via plist/Registry, and disables login shell for all agents. Agents run faster, use approved registries, and avoid registry timeout footguns across the org. - **Observability-First Agent Telemetry in Distributed Orchestration** — combines CLAUDE_CODE_ACCOUNT_UUID + CLAUDE_CODE_USER_EMAIL + CLAUDE_CODE_ORGANIZATION_UUID. Agents spawned in parallel or distributed environments (Kubernetes, serverless) can now tag telemetry with account metadata *before* the first API call, eliminating the race condition where early telemetry events lack account context. This unblocks coherent observability over agent cohorts and audit trails for multi-agent workflows. Idea: A parent orchestrator sets CLAUDE_CODE_ACCOUNT_UUID=, CLAUDE_CODE_USER_EMAIL=, and CLAUDE_CODE_ORGANIZATION_UUID= when spawning a batch of agents for large-scale code review. All telemetry is tagged with org context from the first keystroke, enabling unified traces across the agent cohort and compliance audit for service-account actions. **Agentic relevance:** The `claude remote-control` subcommand unlocks CI/CD and external build integration, enabling agents running in non-interactive environments to spin up local Claude Code instances for real-time code reasoning and generation. The three account-context env-vars (`CLAUDE_CODE_ACCOUNT_UUID`, `CLAUDE_CODE_USER_EMAIL`, `CLAUDE_CODE_ORGANIZATION_UUID`) eliminate telemetry race conditions for SDK callers, critical for agent-driven telemetry accuracy in concurrent workflows. Together with the improved plugin timeout and npm registry support, these primitives expand the surface for agentic automation in enterprise and distributed deployment contexts. _5 hardening fixes (not new primitives)._ --- ## 2.1.59 **Headline:** **Auto-memory + /copy:** Claude Code now saves useful context automatically and provides interactive code block selection, enabling faster context reuse and precise code copying in multi-turn workflows. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /memory | command | Manage auto-saved context from sessions | Claude automatically saves useful context to auto-memory. Manage with /memory | | /copy | command | Interactive picker for code blocks, select individual blocks or full response | Added `/copy` command to show an interactive picker when code blocks are present, allowing selection of individual code blocks or the full response. | | per-subcommand "always allow" | capability | Smarter prefix suggestions for compound bash commands that handle subcommands independently | Improved "always allow" prefix suggestions for compound bash commands (e.g. `cd /tmp && git fetch && git push`) to compute smarter per-subcommand prefixes instead of treating the whole command as one | ### Workflow recipes - **Persistent Agent Context Chains** — combines auto-memory (/memory) + per-subcommand "always allow". Auto-memory captures intermediate learnings (schema, patterns, decision rules) from agents, while smarter permission handling reduces gate friction on compound bash pipelines. Together they enable multi-turn agent sequences to build context momentum without manual state resets or permission fatigue. Idea: An agent solving a multi-file refactor can now /memory-persist the discovered pattern rules and AST invariants after each file, then in the next turn retrieve that context automatically. Compound bash pipelines (lint → reformat → test → commit) execute with granular per-subcommand trust, avoiding blanket allow-all gates. On the next agent turn or session, the auto-memory restores the mental model, reducing re-discovery waste. - **Copy-Driven Code Review + Extraction** — combines /copy + auto-memory (/memory). Interactive code block selection (via /copy) paired with auto-memory creates a tighter loop for code review, refactoring, and artifact extraction. Instead of manual copy-paste friction or generic block exports, agents can select precise code regions and persist the selection context for replay or variation. Idea: In a code review session, an agent uses /copy to interactively pick the sections needing refactor, saves the selection semantics to /memory, then in a follow-up turn reconstructs the same blocks and applies transformations. Useful for agents iterating over large files or building a mini-DSL for "extract-transform-reuse" workflows across multiple codebases. **Agentic relevance:** Auto-memory enables agents to persist learned context across sessions without manual state transfer, reducing cold-start friction in multi-turn workflows. The /copy primitive streamlines code extraction from responses, and per-subcommand permission logic reduces false-positive permission gates on compound bash commands — both critical for agent autonomy in complex task chains. _5 hardening fixes (not new primitives)._ --- ## 2.1.63 **Headline:** **Bundled slash commands + HTTP hooks**: slash commands now ship with `/simplify` and `/batch` out-of-the-box; HTTP hooks enable external system integration without shell commands. Together, these unlock workflow distribution and third-party integrations in Claude Code without custom scripting. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /simplify | command | Code review for reuse, simplification, and efficiency improvements | Added `/simplify` and `/batch` bundled slash commands | | /batch | command | Batch processing capabilities for repeating tasks | Added `/simplify` and `/batch` bundled slash commands | | ENABLE_CLAUDEAI_MCP_SERVERS=false | env-var | Opt out from making claude.ai MCP servers available | Added `ENABLE_CLAUDEAI_MCP_SERVERS=false` env var to opt out from making claude.ai MCP servers available | | HTTP hooks | capability | POST JSON to external URLs and receive JSON responses instead of shell commands | Added HTTP hooks, which can POST JSON to a URL and receive JSON instead of running a shell command | | /copy "Always copy full response" | setting | Skip code block picker and copy full response directly on future `/copy` invocations | Added "Always copy full response" option to the `/copy` picker. When selected, future `/copy` commands will skip the code block picker and copy the full response directly. | | /model menu display | capability | Show the currently active model in the slash command menu | Improved `/model` command to show the currently active model in the slash command menu | | Manual URL paste fallback (OAuth) | capability | Paste callback URL to complete MCP OAuth authentication if automatic localhost redirect fails | Added manual URL paste fallback during MCP OAuth authentication. If the automatic localhost redirect doesn't work, you can paste the callback URL to complete authentication. | ### Workflow recipes - **Code quality gate via /simplify batch** — combines /simplify command + /batch command + HTTP hooks. Agents can now chain code review and simplification into repeatable workflows. With /batch, an agent can apply /simplify to multiple files in a single pass and POST the results to an external system (CI/CD, Slack, code review queue) via HTTP hooks, enabling async code-quality gates without custom shell scripts. Idea: An agent checks out a feature branch, collects a list of modified files, runs /batch /simplify on all of them, aggregates the findings into a JSON payload, and POSTs to a Slack webhook or review endpoint. The external system logs quality signals, blocks merge if thresholds are breached, or notifies the team. On future runs, the same agent adapts to feedback from the external system. - **Distributed MCP setup with OAuth fallback** — combines HTTP hooks + Manual URL paste fallback (OAuth) + Project configs shared across worktrees. Long-running agents in CI/CD or headless environments frequently hit MCP OAuth redirects that fail silently. The new manual URL paste fallback + HTTP hooks enable an agent to recover from failed MCP authentication by prompting a human (or external service) to paste the callback URL, while HTTP hooks let the agent notify downstream systems of the recovery state. Idea: An agent starts a long-lived session across multiple git worktrees. One worktree initializes a new MCP server. If the automatic OAuth redirect fails (common in headless contexts), the agent logs a recovery prompt and POSTs to an HTTP hook endpoint, which notifies an operator. The operator pastes the callback URL. The agent resumes without interruption. Project configs persist across worktrees, so the authenticated MCP state is available in all subsequent tasks. - **Stateful batch jobs with subagent context stripping** — combines /batch + Improved memory usage in subagent sessions + HTTP hooks. Large batch jobs spawn multiple subagents, each accumulating context. The new subagent context-stripping optimization prevents unbounded memory growth. HTTP hooks enable status updates to external systems without polling. Together, agents can run large, long-lived batch pipelines (e.g., artifact migration, bulk recompete intelligence) without memory-based failures. Idea: A parent agent spawns a /batch job to process 100 competitor profiles through multiple subagents. Each subagent runs analysis, compaction strips heavy payloads from internal state, and upon completion, the subagent POSTs results to an HTTP hook (database, data lake, CRC graph). The parent aggregates status from the hook and exits cleanly, even if total token-hours would have caused OOM in 2.1.62. **Agentic relevance:** The `/simplify` and `/batch` commands bring code-review and batch-processing to the Claude Code CLI, enabling agents to apply style checks and repeat operations without custom skill definitions. HTTP hooks decouple external integrations from shell execution, reducing permission friction and enabling safe third-party workflows. The worktree config sharing and OAuth fallback improve reliability in multi-worktree and offline MCP scenarios—both critical for long-running agent sessions. _20 hardening fixes (not new primitives)._ --- ## 2.1.69 **Headline:** Hook observability expansion: `InstructionsLoaded` event + `agent_id`/`agent_type` fields + `worktree` status-line field. For the first time, agents can observe exactly when and from where their instruction context was loaded, which sub-agent ID is executing, and whether execution is inside a worktree — enabling routing, audit, and multi-worktree orchestration patterns that were previously guesswork. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /claude-api skill | command | Built-in skill for building applications with the Claude API and Anthropic SDK | Added the `/claude-api` skill for building applications with the Claude API and Anthropic SDK | | --name arg for /remote-control | flag | Sets a custom session title visible in claude.ai/code | Added optional name argument to `/remote-control` and `claude remote-control` (`/remote-control My Project` or `--name \"My Project\"`) to set a custom session title visible in claude.ai/code | | sandbox.enableWeakerNetworkIsolation | setting | Allows Go programs like `gh`, `gcloud`, `terraform` to verify TLS certs when using a custom MITM proxy with `httpProxyPort` (macOS only) | Added `sandbox.enableWeakerNetworkIsolation` setting (macOS only) to allow Go programs like `gh`, `gcloud`, and `terraform` to verify TLS certificates when using a custom MITM proxy with `httpProxyPort` | | includeGitInstructions | setting | Removes built-in commit and PR workflow instructions from Claude's system prompt | Added `includeGitInstructions` setting (and `CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS` env var) to remove built-in commit and PR workflow instructions from Claude's system prompt | | CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS | env-var | Env-var equivalent of `includeGitInstructions` for removing built-in git instructions from system prompt | Added `includeGitInstructions` setting (and `CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS` env var) to remove built-in commit and PR workflow instructions from Claude's system prompt | | /reload-plugins | command | Activates pending plugin changes without restarting the session | Added `/reload-plugins` command to activate pending plugin changes without restarting | | ${CLAUDE_SKILL_DIR} | variable | Allows skills to reference their own directory in SKILL.md content | Added `${CLAUDE_SKILL_DIR}` variable for skills to reference their own directory in SKILL.md content | | InstructionsLoaded hook event | hook | Fires when CLAUDE.md or `.claude/rules/*.md` files are loaded into context | Added `InstructionsLoaded` hook event that fires when CLAUDE.md or `.claude/rules/*.md` files are loaded into context | | agent_id / agent_type hook fields | capability | Adds subagent identity (`agent_id`) and agent type (`agent_type`) to hook events, enabling per-agent routing and audit | Added `agent_id` (for subagents) and `agent_type` (for subagents and `--agent`) to hook events | | worktree field on status-line hooks | capability | Exposes worktree name, path, branch, and original repo directory in hook commands when running in a `--worktree` session | Added `worktree` field to status line hook commands with name, path, branch, and original repo directory when running in a `--worktree` session | | pluginTrustMessage | setting | Managed setting to append organization-specific context to the plugin trust warning before installation | Added `pluginTrustMessage` in managed settings to append organization-specific context to the plugin trust warning shown before installation | | pathPattern in strictKnownMarketplaces | setting | Enables regex-matching of file/directory marketplace sources alongside existing `hostPattern` restrictions | Added `pathPattern` to `strictKnownMarketplaces` for regex-matching file/directory marketplace sources alongside `hostPattern` restrictions | | git-subdir plugin source type | capability | Points a plugin source to a subdirectory within a git repo | Added plugin source type `git-subdir` to point to a subdirectory within a git repo | | oauth.authServerMetadataUrl | setting | MCP config option to specify a custom OAuth metadata discovery URL when standard discovery fails | Added `oauth.authServerMetadataUrl` config option for MCP servers to specify a custom OAuth metadata discovery URL when standard discovery fails | ### Workflow recipes - **Instrumented Multi-Worktree Orchestrator** — combines InstructionsLoaded hook event + agent_id/agent_type hook fields + worktree status-line hook field. These three hook additions together give an orchestrator a complete observability surface for the first time: you can confirm exactly when each agent loaded its instruction context, which agent ID is running in which worktree, and what branch/path that worktree maps to — all in the hook layer before any tool calls execute. Previously this required polling or in-band messages; now it is event-driven and identity-tagged. Idea: A root orchestrator spawns one subagent per feature branch using --worktree. Each subagent's InstructionsLoaded hook writes a structured log entry (agent_id, agent_type, worktree.branch, worktree.path, loaded file path) to a shared append-only JSONL file. A separate watcher process tails that file to confirm all agents loaded the correct CLAUDE.md variant for their branch before the orchestrator releases work items. If an agent loaded the wrong instruction set (e.g., root CLAUDE.md instead of the branch-scoped one), the orchestrator halts and re-scopes that agent. This eliminates the "silent wrong instructions" failure mode in parallel worktree deployments. - **Clean-Room Agent Git Workflow** — combines includeGitInstructions setting + CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS env var + ${CLAUDE_SKILL_DIR} variable. Suppressing Claude's built-in git instructions removes the default commit/PR prose from the system prompt, freeing budget for a compact, repo-specific git skill that references its own directory via ${CLAUDE_SKILL_DIR}. The combination lets an agent fleet enforce a single canonical git workflow (e.g., Conventional Commits, signed commits only, no force-push) without the built-in instructions competing with or contradicting the custom skill. Idea: Set CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS=1 in the fleet's environment. Author a git-workflow skill at .agents/skills/git-workflow/SKILL.md that uses ${CLAUDE_SKILL_DIR} to reference a commit-template.txt and a branch-naming.md in the same directory. The skill becomes the sole git authority in the system prompt. Agents inherit it automatically; the built-in prose never competes. When the workflow changes, update the skill file and use /reload-plugins to hot-reload without restarting any running agent sessions. - **Hot-Patch Plugin Dev Loop with git-subdir Sources** — combines git-subdir plugin source type + /reload-plugins command. git-subdir lets you point a plugin at a subdirectory of a monorepo without extracting it to its own repo. Combined with /reload-plugins, you get an inner loop where plugin edits in the monorepo are immediately activatable in a running session — no restart, no separate repo management. Idea: Author a plugin inside a subdirectory of the foundation3 monorepo (e.g., tradecraft/plugins/my-tool/). Register it as a git-subdir source pointing to that path. During development, edit the plugin files in the monorepo, then issue /reload-plugins in the running session to pick up changes without losing session context (conversation history, open files, etc.). This collapses the edit-restart-retest cycle for plugin development into an edit-reload-retest cycle entirely within one session. **Agentic relevance:** 2.1.69 is the most hook-dense release in recent history: `InstructionsLoaded` + `agent_id`/`agent_type` + `worktree` status-line field together give orchestrators a complete signal surface for instruction-load timing, sub-agent identity, and multi-worktree context. The `includeGitInstructions`/`CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS` pair enables clean system-prompt surgery for agent fleets that manage their own git workflows. The `git-subdir` plugin source type and `/reload-plugins` command streamline the plugin authoring loop for agents that hot-patch their own tooling. _90 hardening fixes (not new primitives)._ --- ## 2.1.71 [autonomy] **Headline:** Cron scheduling tools for recurring prompts within a session — the first changelog-stated primitive that lets an agent schedule recurring work itself, which directly extends multi-agent/long-running orchestration surface (paired with the new `/loop` command for the user-facing recurrence form). ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /loop | command | New slash command that runs a prompt or slash command on a recurring interval, e.g. `/loop 5m check the deploy`. | Added `/loop` command to run a prompt or slash command on a recurring interval (e.g. `/loop 5m check the deploy`) | | cron scheduling tools | tool | New tools that schedule recurring prompts to fire within a session — an agent-callable recurrence/scheduling surface relevant to orchestration. | Added cron scheduling tools for recurring prompts within a session | | voice:pushToTalk | setting | New rebindable keybinding in keybindings.json for the voice activation key (default: space), supporting modifier+letter combos like meta+k. | Added `voice:pushToTalk` keybinding to make the voice activation key rebindable in `keybindings.json` (default: space) — modifier+letter combos like `meta+k` have zero typing interference | | bash auto-approval allowlist additions (fmt, comm, cmp, numfmt, expr, test, printf, getconf, seq, tsort, pr) | capability | Expands the set of bash commands auto-approved without a permission prompt, adding 11 standard text/number/test utilities. | Added `fmt`, `comm`, `cmp`, `numfmt`, `expr`, `test`, `printf`, `getconf`, `seq`, `tsort`, and `pr` to the bash auto-approval allowlist | **Agentic relevance:** This version pushes the agent-orchestration frontier from one-shot and human-triggered work toward agent-driven recurrence: cron scheduling tools give an agent a callable surface to schedule recurring prompts within a session, and `/loop` exposes the same recurrence to users. Paired fixes that restore the background-agent completion output file path after context compaction and that stop `--print` from hanging on long-lived `in_process_teammate` tasks harden the multi-agent / long-running orchestration path the scheduling primitives now lean on. _24 hardening fixes (not new primitives)._ --- ## 2.1.72 **Headline:** `ExitWorktree` tool — completes the symmetric pair for worktree isolation. `EnterWorktree` already existed; without `ExitWorktree` agents had no clean path back to the parent tree. This closes the loop and makes programmatic worktree workflows (branch-per-task, parallel agents, sparse-checkout isolation) fully composable without leaking session state. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | ExitWorktree | tool | Leave an `EnterWorktree` session and return to the parent worktree | Added `ExitWorktree` tool to leave an `EnterWorktree` session | | CLAUDE_CODE_DISABLE_CRON | env-var | Immediately stop scheduled cron jobs mid-session | Added `CLAUDE_CODE_DISABLE_CRON` environment variable to immediately stop scheduled cron jobs mid-session | | model parameter on Agent tool | capability | Per-invocation model override when spawning subagents | Restored the `model` parameter on the Agent tool for per-invocation model overrides | | /plan optional arg | command | Enter plan mode and immediately start with a pre-seeded description | Added optional description argument to `/plan` (e.g., `/plan fix the auth bug`) that enters plan mode and immediately starts | | /copy → w key | flag/key | Write the focused selection directly to a file, bypassing clipboard (SSH-safe) | Added `w` key in `/copy` to write the focused selection directly to a file, bypassing the clipboard (useful over SSH) | | lsof, pgrep, tput, ss, fd, fdfind auto-approval | capability | Six read-only tools added to bash auto-approval allowlist — no permission prompt | Added `lsof`, `pgrep`, `tput`, `ss`, `fd`, and `fdfind` to the bash auto-approval allowlist, reducing permission prompts for common read-only operations | | CLAUDE.md HTML comment hiding | capability | `` comments in CLAUDE.md are hidden from Claude on auto-inject; still visible via Read tool | Changed CLAUDE.md HTML comments (``) to be hidden from Claude when auto-injected. Comments remain visible when read with the Read tool | | vscode://anthropic.claude-code/open URI handler | capability | Open a new Claude Code VSCode tab programmatically with optional `prompt` and `session` query params | VSCode: Added `vscode://anthropic.claude-code/open` URI handler to open a new Claude Code tab programmatically, with optional `prompt` and `session` query parameters | | Effort levels simplified to low/medium/high + /effort auto | command/setting | Removed `max` tier; new symbols ○ ◐ ●; `/effort auto` resets to default | Simplified effort levels to low/medium/high (removed max) with new symbols (○ ◐ ●) and a brief notification instead of a persistent icon. Use `/effort auto` to reset to default | ### Workflow recipes - **Model-differentiated parallel worktree agents** — combines ExitWorktree tool + model parameter on Agent tool. The two primitives together make branch-isolated, model-differentiated subagent graphs practical. Before 2.1.72 you could enter a worktree but not cleanly exit it programmatically, and the model param was missing so every subagent used the same model regardless of task weight. Now an orchestrator can spin up a cheap fast model for boilerplate branches and a stronger model for high-stakes branches, then collect results back in the parent tree — all without leaking worktree state between agents. Idea: Orchestrator spawns N Agent tool calls, each with a different model (e.g., Haiku for lint/format passes, Sonnet for logic rewrites). Each subagent calls EnterWorktree at the start and ExitWorktree at the end. Orchestrator merges diffs back on the main branch after all agents complete. The CLAUDE_CODE_DISABLE_CRON env-var acts as a kill switch if any branch spins out of control mid-session. - **SSH-safe artifact extraction pipeline** — combines /copy → w key + CLAUDE.md HTML comment hiding. Over SSH, clipboard-dependent extraction is unreliable or unavailable. The w key in /copy writes selections directly to a file, making artifact extraction clipboard-independent. Pairing this with CLAUDE.md HTML comment hiding means operators can embed private routing notes, prompt suppressors, or environment hints directly in CLAUDE.md without those instructions leaking into the model's context on auto-inject — a clean separation between human-readable ops commentary and model-visible instructions. Idea: A remote SSH-based CI agent runs Claude Code headlessly. After each run, a hook or operator uses /copy + w to write the model's selected output directly to a target artifact file — no clipboard, no copy-paste errors. Meanwhile, CLAUDE.md carries style directives that are invisible to the model during normal execution but readable by the operator via the Read tool for audit. This gives a clean two-layer annotation system inside a single file. - **Inline-scoped plan-mode triage with auto-approval reads** — combines /plan optional arg + lsof/pgrep/fd/fdfind auto-approval allowlist additions. /plan lets an orchestrating agent or human pre-seed a plan-mode session with a concrete problem statement and start immediately, skipping the blank-prompt orientation loop. Combined with the six newly auto-approved read-only tools (lsof, pgrep, fd, etc.), the plan-mode agent can do broad environment reads (open files, running processes, fd-based file discovery) during plan construction without surfacing a permission prompt per tool — making the orientation phase of plan mode nearly frictionless. Idea: A triage agent receives a bug report. It calls /plan diagnose: process leaked file handles in the auth service to enter plan mode with context. During plan construction the agent freely calls lsof, pgrep, and fd to map open handles, running pids, and relevant file paths — all auto-approved. The resulting plan is grounded in live system state rather than inferred structure, and the whole orientation-to-plan cycle runs without any human permission clicks. **Agentic relevance:** `ExitWorktree` + the restored `model` param on Agent complete two previously-broken primitives for multi-agent worktree workflows: agents can now enter a branch context, do work, and cleanly exit without leaking session state, and the orchestrator can specify a cheaper or stronger model per subagent invocation. The `CLAUDE_CODE_DISABLE_CRON` env-var adds runtime circuit-breaker control for scheduled agents. The prompt-cache fix (up to 12x token cost reduction in SDK `query()`) is the highest-leverage hardening item for production agentic pipelines. _41 hardening fixes (not new primitives)._ --- ## 2.1.73 **Headline:** **`modelOverrides` setting** — allows mapping model picker entries to custom provider model IDs (Bedrock inference profile ARNs, etc.). This enables teams behind corporate proxies or using non-standard LLM deployments to use Claude Code with pinned or alternative model configurations without forking the CLI. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | modelOverrides | setting | Map model picker entries to custom provider model IDs (e.g. Bedrock inference profile ARNs) | `Added modelOverrides setting to map model picker entries to custom provider model IDs (e.g. Bedrock inference profile ARNs)` | ### Workflow recipes - **Multi-provider agent fleet with pinned models** — combines modelOverrides setting + fixed subagent model downgrades + improved SSL error guidance. Teams deploying agents across heterogeneous LLM providers (corporate Bedrock, Vertex, Foundry, public Claude API) can now pin model versions per provider without silent downgrades or connectivity pain. This enables mixed-provider agent fleets with deterministic behavior. Idea: Configure .claude/settings.json with modelOverrides to map picker entries like "opus" to Bedrock ARNs, Vertex endpoints, or Foundry model IDs. Spawn subagents across providers using model: opus in their definitions; 2.1.73 now guarantees they run on the pinned provider+version, not a silently-downgraded fallback. When proxy/SSL errors occur during login or connectivity checks, actionable guidance (check NODE_EXTRA_CA_CERTS, corporate proxy config) surfaces instead of cryptic failures. Result: repeatable, cross-provider agent deployments where every subagent runs on the exact model intended. - **Reliable multi-session batch processing in monorepos** — combines Fixed Bash output loss in multi-session scenarios + fixed skill directory deadlock + fixed permission prompt freezes. Monorepos with large .claude/skills/ directories and concurrent session execution (parallel agent batches, repeated CLI runs in CI) now have stable Bash I/O, skill reloads, and permission-prompt handling. This unblocks automation-heavy agent workflows. Idea: Script or schedule multiple Claude Code sessions to run in parallel (e.g., --continue for resume, or new sessions per batch item) in the same project. 2.1.73 guarantees: Bash tool output no longer gets lost across sessions, skill file changes (e.g., during git pull or skill updates) don't trigger deadlocks or freezes, permission prompts on complex bash commands don't loop at 100% CPU. Use case: split a large data-processing task across 3-5 parallel agent workers, each spawning subagents and collecting results reliably. - **Interrupt+resume with conversation rewind for long-running agents** — combines Improved Up arrow restoration + /resume session picker fix. Long-running agents can now be safely interrupted mid-turn (e.g., to fix a typo, reconsider a direction, or poll results) and resumed from the exact conversation state. This reduces the need to discard work or restart from scratch. Idea: During an agent's response, press Ctrl+C to interrupt. The Up arrow now restores the full interrupted prompt AND rewinds the conversation to before the incomplete response was added. Press Enter to re-submit the restored prompt, or edit it first. The /resume command picker correctly filters out the current session, avoiding accidental re-entry. Combined: allows deep introspection and steering of long agent runs without data loss or confusion. **Agentic relevance:** 2.1.73 is primarily a hardening release with one new user-facing primitive (`modelOverrides`). The fixes address critical stability issues (permission prompt freezes, deadlocks, multi-session Bash output loss, subagent process cleanup) that directly improve agent reliability. For agents running in corporate environments with proxies or alternative LLM providers (Bedrock, Vertex, Foundry), the `modelOverrides` setting and improved SSL error guidance enable more robust operation. _25 hardening fixes (not new primitives)._ --- ## 2.1.74 **Headline:** Enhanced `/context` command with actionable optimization suggestions — identifies context-heavy tools, memory bloat, and capacity warnings with specific remediation tips. This makes memory/capacity management observable and prescriptive rather than opaque. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /context (enhanced) | command | Identifies context-heavy tools, memory bloat, and capacity warnings with specific optimization tips | Added actionable suggestions to `/context` command — identifies context-heavy tools, memory bloat, and capacity warnings with specific optimization tips | | autoMemoryDirectory | setting | Configure a custom directory for auto-memory storage | Added `autoMemoryDirectory` setting to configure a custom directory for auto-memory storage | | CLAUDE_CODE_SESSIONEND_HOOKS_TIMEOUT_MS | env-var | Configure timeout duration for `SessionEnd` hooks on exit | Fixed `SessionEnd` hooks being killed after 1.5 s on exit regardless of `hook.timeout` — now configurable via `CLAUDE_CODE_SESSIONEND_HOOKS_TIMEOUT_MS` | ### Workflow recipes - **Configurable Memory Audit & Optimization Loop** — combines /context (enhanced with actionable suggestions) + autoMemoryDirectory + CLAUDE_CODE_SESSIONEND_HOOKS_TIMEOUT_MS. Long-lived agents can now observe memory state, configure where it persists, and control cleanup timing—unlocking automated memory governance for sustained workflows. Idea: An agent or autonomous session could periodically invoke /context to sample memory bloat and context saturation, apply /context suggestions to trim tools or memory, reconfigure autoMemoryDirectory to offload to external storage if needed, and use SessionEnd hooks with extended timeout (via env-var) to ensure graceful cleanup on multi-hour runs. This closes the feedback loop on memory management—from opacity to prescribed optimization to configurable persistence. - **Managed Policy Compliance & Model Flexibility** — combines Fixed managed policy ask rules + Fixed full model IDs in agent configs. Security policy enforcement and model specification are now consistent across agent frontmatter, JSON config, and CLI—enabling reliable multi-agent teams under managed settings. Idea: An orchestration layer can now safely deploy agents with explicit model pinning (using full IDs like claude-opus-4-5) and trust that managed policy rules (e.g., ask gates) will not be bypassed by user allow rules. This enables guardrailed multi-agent workflows where each agent has a declared model and security policy is enforced top-down rather than locally overridden. Teams moving to managed instances can migrate agents without rewriting config. **Agentic relevance:** The `autoMemoryDirectory` setting and enhanced `/context` command enable agents to audit and configure memory storage at runtime, critical for long-lived workflows. The env-var timeout control improves exit-time hook predictability. Hardening fixes around model IDs, OAuth, and managed policies strengthen agent reliability in multi-tenant and integration scenarios. _14 hardening fixes (not new primitives)._ --- ## 2.1.75 **Headline:** **1M context window for Opus 4.6** — Max, Team, and Enterprise plans now have Opus 4.6 with 1M context by default, removing the friction of opt-in usage tier selection and enabling agents to reason over larger corpora without breaking the working-memory budget. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /color | command | Set a prompt-bar color for your session | Added `/color` command for all users to set a prompt-bar color for your session | | Opus 4.6 1M context (Max/Team/Enterprise) | capability | Expand default reasoning window from the standard context to 1M tokens | Added 1M context window for Opus 4.6 by default for Max, Team, and Enterprise plans (previously required extra usage) | | Session name display on prompt bar | setting | Show the current session name on the prompt bar when using `/rename` | Added session name display on the prompt bar when using `/rename` | | Memory last-modified timestamps | capability | Track and display when memory files were last edited, helping Claude reason about freshness | Added last-modified timestamps to memory files, helping Claude reason about which memories are fresh vs. stale | | Hook source display in permission prompts | capability | Show which system component (settings/plugin/skill) is requesting permission | Added hook source display (settings/plugin/skill) in permission prompts when a hook requires confirmation | ### Workflow recipes - **Multi-artifact reasoning over large specification sets** — combines Opus 4.6 1M context window + Memory last-modified timestamps. The 1M context window removes the working-memory ceiling that previously forced agents to chunk specification ingestion across turns or delegate to sub-agents. Combined with memory freshness tracking, an agent can now load a full specification corpus (dependency graphs, API docs, schema definitions, request/response examples), timestamp-gate stale vs. fresh docs in-context, and produce high-fidelity architectural analysis or code generation in a single reasoning pass. Idea: An agent receives a 50-100 MB specification repository (OpenAPI/GraphQL schemas, design docs, reference implementations, example payloads). With 1M context, the agent loads all related documents at once, uses memory timestamps to prioritize fresh specs over outdated ones, cross-references without intermediate chunking, and synthesizes a comprehensive implementation plan or code migration guide. This eliminates the previous pattern of "load spec A, digest, ask follow-up for spec B, re-ingest context." - **Automated permission auditing with hook source transparency** — combines Hook source display in permission prompts + improved async hook messaging. Operators running unattended agents now see exactly which system layer (settings/plugin/skill) is requesting resources. This transparency unlocks automated permission auditing: an agent can log permission patterns, detect unexpected hook sources, and flag configurations that need review without losing context about where the permission originated. Idea: A scheduled agent runs periodically to ingest framework logs and permission-prompt transcripts, categorizing hook requests by source layer and flagging anomalies (e.g., a skill requesting file I/O at unexpected times). The operator gets a weekly audit report with recommendations to tighten .claude/settings.json rules. Hook source visibility is the foundational signal; without it, the operator would have to instrument the logs separately. - **Session continuity for long-running investigation chains** — combines Session name display on prompt bar + Memory last-modified timestamps + Fixed /resume for session names. Long investigations (incident response, architecture review, competitor analysis) now have visual continuity. The prompt bar shows the session name, memory freshness is transparent, and /resume preserves session identity across forks. An agent can fork for a risky hypothesis, resume the parent if the fork fails, and the operator always sees which investigation thread they're in. Idea: An operator starts a "2026-Q2-security-audit" session. An agent forks to "—hypothesis-supply-chain-risk" and investigates. If the risk is unfounded, the agent calls code /resume to return to the parent investigation with full session name and memory freshness visible on the prompt bar. The operator can see at a glance whether they're in the main audit or a hypothesis branch, and which memories are current vs. stale (important for time-sensitive findings). **Agentic relevance:** The 1M context window expansion for Opus 4.6 is the highest-impact primitive for agents: it removes the working-memory constraint for multi-document reasoning, specification ingestion, and context-rich delegation. Session naming + memory freshness tracking improve agent continuity and reasoning quality. Hook source visibility strengthens permission transparency for automated workflows. _14 hardening fixes (not new primitives)._ --- ## 2.1.76 **Headline:** MCP elicitation support — MCP servers can now interrupt mid-task to request structured input from the user via interactive dialogs (form fields or browser URL). Paired with the `Elicitation` and `ElicitationResult` hooks, this closes the last major gap in MCP's ability to drive complex multi-step agent interactions that require human confirmation or credential input at runtime. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | MCP elicitation | capability | MCP servers can request structured input mid-task via interactive dialog (form fields or browser URL) | Added MCP elicitation support — MCP servers can now request structured input mid-task via an interactive dialog (form fields or browser URL) | | Elicitation hook | hook | Fires when an MCP server issues an elicitation request; allows agent/host to intercept and override | Added new `Elicitation` and `ElicitationResult` hooks to intercept and override responses before they're sent back | | ElicitationResult hook | hook | Fires after an elicitation response is resolved; allows agent/host to intercept and override before sending back to MCP server | Added new `Elicitation` and `ElicitationResult` hooks to intercept and override responses before they're sent back | | -n / --name | flag | Sets a display name for the session at startup | Added `-n` / `--name ` CLI flag to set a display name for the session at startup | | worktree.sparsePaths | setting | For `claude --worktree` in large monorepos: check out only the listed directories via git sparse-checkout | Added `worktree.sparsePaths` setting for `claude --worktree` in large monorepos to check out only the directories you need via git sparse-checkout | | PostCompact hook | hook | Fires after compaction completes | Added `PostCompact` hook that fires after compaction completes | | /effort | command | Sets model effort level interactively | Added `/effort` slash command to set model effort level | | feedbackSurveyRate | setting | Enterprise admins can configure the session quality survey sample rate | Added session quality survey — enterprise admins can configure the sample rate via the `feedbackSurveyRate` setting | ### Workflow recipes - **MCP-gated credential injection** — combines MCP elicitation + ElicitationResult hook. MCP servers that need one-time secrets (API keys, OAuth tokens, approval codes) previously had to embed that collection in the tool description or rely on the agent to prompt the user. The elicitation capability lets the MCP server own that dialog, and ElicitationResult lets a hook layer validate or transform the response before it reaches the server — enabling a clean separation between "user enters credential" and "server receives sanitized/validated credential." Idea: An agentic pipeline that spins up a deployment workflow via MCP. At the point where production credentials are needed, the MCP server fires an elicitation request (browser URL for SSO or form fields for an API key). An ElicitationResult hook validates the token format and strips any accidental whitespace before passing it back. The agent never sees the raw credential in its context — the hook layer owns the sanitization contract. - **Post-compaction state sync for long-running monorepo agents** — combines PostCompact hook + worktree.sparsePaths setting. Parallel monorepo agents running in sparse worktrees accumulate long contexts that eventually compact. Before 2.1.76, there was no reliable signal to trigger an external state refresh after compaction — summary files, vector stores, or cross-agent coordination objects could drift silently. PostCompact provides the signal; worktree.sparsePaths reduces the per-agent footprint so more agents can run concurrently before hitting resource limits. Idea: A conductor agent spawns N worker agents via --worktree, each with a worktree.sparsePaths config that limits checkout to the subdirectory they own. Each worker's PostCompact hook fires a lightweight script that (a) re-reads the shared coordination file from the conductor's branch, (b) appends a summary of work completed before compaction, and (c) writes an updated breadcrumb back. The conductor polls the breadcrumb file to detect which workers have compacted and re-injects missing context. This prevents the "lost history after compaction" failure mode in long parallel runs without requiring the workers to hold full repo checkouts. - **Named sessions for multi-agent orchestration traceability** — combines -n / --name flag + PostCompact hook. When an orchestrator launches many parallel subagents, session names in logs and Remote Control dashboards default to opaque identifiers. The --name flag lets the orchestrator stamp each subagent with a semantic name (e.g., the task ID or target file path) at launch. When a subagent compacts, the PostCompact hook can emit a structured log line that includes the session name — giving the orchestrator a named, timestamped compaction event it can use for progress tracking without polling the subprocess. Idea: Orchestration script launches workers as claude --name "worker:payments-service" --worktree .... Each worker's PostCompact hook appends {"session": "$CLAUDE_SESSION_NAME", "event": "compact", "ts": "..."} to a shared JSONL log. The conductor tails that log to know which named workers have compacted and may need context re-injection, producing a real-time named-worker progress trace without any polling overhead. **Agentic relevance:** MCP elicitation + the `Elicitation`/`ElicitationResult` hook pair is the highest-signal primitive here: it lets an MCP server pause a running agent pipeline and collect structured human input (credentials, choices, confirmations) without the agent having to encode that interaction itself. The `PostCompact` hook closes a previously blind spot — agents that maintain external state or summaries across long sessions can now reliably sync after compaction. The `worktree.sparsePaths` setting directly benefits monorepo-scale parallel agent runs by reducing checkout cost on each spawned worktree. _28 hardening fixes (not new primitives)._ --- ## 2.1.77 **Headline:** **Output token ceiling uplift (Opus 4.6 64k→128k)** — Model capacity expansion enables longer response payloads in a single turn, reducing need for continuation prompts in code/analysis-heavy workflows. Agentic relevance: agents generating large documents, multi-file refactors, or comprehensive reports now fit complete outputs without truncation. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | allowRead setting | setting | Re-allows read access within regions marked with `denyRead` in sandbox filesystem rules, enabling fine-grained access recovery | Added `allowRead` sandbox filesystem setting to re-allow read access within `denyRead` regions | | /copy N | command | Copies the Nth-latest assistant response to clipboard (indexed, not just the last one) | `/copy` now accepts an optional index: `/copy N` copies the Nth-latest assistant response | | /branch | command | Renames `/fork` to `/branch` as primary command (backward compatible alias remains) | Renamed `/fork` to `/branch` (`/fork` still works as an alias) | | SendMessage({to: agentId}) agent continuation | tool | Resume a spawned agent without the deprecated `resume` parameter, now auto-resumes in background | `SendMessage` now auto-resumes stopped agents in the background instead of returning an error | ### Workflow recipes - **Fast Agent Fork-Resume with Higher Capacity** — combines /branch (clearer fork semantics) + SendMessage({to: agentId}) auto-resume + --resume 45% faster loading + output token ceiling 128k. The combination of renamed /branch command (semantic clarity), background auto-resume via SendMessage, and dramatically faster session recovery enables agents to fork into parallel analysis streams without losing context or waiting for expensive session reloads. Higher token ceilings mean forked agents can produce larger payloads per turn without truncation. Idea: Implement a multi-stream research or refactoring agent that spawns independent branches for different analyses (e.g., security audit, performance analysis, code migration), auto-resumes them via SendMessage, and collects their larger outputs (now up to 128k tokens for Opus 4.6) in the parent without waiting for slow session recovery. The renamed /branch makes the intent more legible in agent code. - **Sandboxed Read-Access Recovery for Iterative Exploration** — combines allowRead setting + Pre-existing denyRead sandbox controls. The new allowRead primitive unlocks selective permission recovery within broad filesystem denials, enabling agents to iteratively explore restricted regions without wholesale permission changes. This reduces security friction in exploration-heavy tasks while maintaining isolation bounds. Idea: In a hardened sandbox environment (e.g., PII-masked repos or build-artifact directories), use denyRead to block large swaths but leverage allowRead to surgically re-enable read access to specific subdirectories as exploration questions narrow. Agents can probe and adapt without requesting full sandbox reset. - **Lossy-to-Lossless Response Recovery via /copy N** — combines /copy N indexed retrieval + existing multi-turn memory + feedback loop. The new /copy N command enables agents and users to selectively recover earlier assistant responses without re-running turns or searching linearly. Combined with multi-turn memory, this supports workflows where an earlier response proved more useful than a recent refinement, or where parallel response branches need deduplication/comparison. Idea: In a long analysis session, when a user (or agent parent) discovers that the 3rd-most-recent response was superior to recent ones, /copy 3 surfaces it directly for comparison or reuse. This avoids re-prompting, replay, or memory bloat while supporting response-quality iteration patterns common in research and synthesis workflows. **Agentic relevance:** The 4 new primitives enable cleaner response recovery (`/copy N`), finer permission control (`allowRead`), clearer semantics for agent forking (`/branch`), and safer agent continuation without deprecated parameters (`SendMessage` auto-resume). The token ceiling uplift (64k→128k Opus 4.6) and 45% faster `--resume` improve large-model agent turnaround and session recovery time. Fixes to compound bash permission rules and PreToolUse hook bypass close security gaps that could have caused agents to over-escalate permissions. _38 hardening fixes (not new primitives)._ --- ## 2.1.78 **Headline:** **`StopFailure` hook event** — agents can now react to API errors that halt execution (rate limit, auth failure) instead of silent termination, enabling recovery workflows and graceful degradation. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | StopFailure | hook event | Fires when turn ends due to API error (rate limit, auth failure, etc.) | Added `StopFailure` hook event that fires when the turn ends due to an API error (rate limit, auth failure, etc.) | | ${CLAUDE_PLUGIN_DATA} | environment variable | Plugin persistent state that survives plugin updates; `/plugin uninstall` prompts before deleting it | Added `${CLAUDE_PLUGIN_DATA}` variable for plugin persistent state that survives plugin updates; `/plugin uninstall` prompts before deleting it | | effort, maxTurns, disallowedTools | frontmatter keys | Configuration support for plugin-shipped agents | Added `effort`, `maxTurns`, and `disallowedTools` frontmatter support for plugin-shipped agents | | ANTHROPIC_CUSTOM_MODEL_OPTION | environment variable | Add custom entry to `/model` picker with optional `_NAME` and `_DESCRIPTION` suffixed vars for display | Added `ANTHROPIC_CUSTOM_MODEL_OPTION` env var to add a custom entry to the `/model` picker, with optional `_NAME` and `_DESCRIPTION` suffixed vars for display | | line-by-line response streaming | capability | Response text now streams line-by-line as it's generated | Response text now streams line-by-line as it's generated | | tmux terminal notifications passthrough | capability | Terminal notifications (iTerm2/Kitty/Ghostty popups, progress bar) reach outer terminal when inside tmux with `set -g allow-passthrough on` | Terminal notifications (iTerm2/Kitty/Ghostty popups, progress bar) now reach the outer terminal when running inside tmux with `set -g allow-passthrough on` | ### Workflow recipes - **API Error Recovery with Graceful Degradation** — combines StopFailure hook + line-by-line response streaming. Rate limits and transient API failures currently kill entire workflows silently. By detecting failure via hook and streaming responses line-by-line, agents can offer partial results mid-task and queue retries instead of losing work. Idea: An agent workflow that subscribes to StopFailure, captures the last-successful state (parsed from streamed lines), surfaces what succeeded to the user, and automatically retries the remaining work when the API recovers. Useful for long-running analyses, data pipelines, or multi-stage tasks where partial output is valuable. - **Plugin-Shipped Agents with Persistent Configuration** — combines ${CLAUDE_PLUGIN_DATA} + effort, maxTurns, disallowedTools frontmatter. Plugins can now ship agents that retain settings across updates and enforce execution constraints without global config pollution. This enables curated, reusable agent templates distributed via plugins. Idea: A plugin-authored agent (e.g., security-auditor-pro) persists user preferences (sensitivity level, max passes) in ${CLAUDE_PLUGIN_DATA}, reads disallowedTools from frontmatter to block shell access, and uses effort + maxTurns to enforce bounded analysis time. Users install once, update transparently, and get consistent behavior without configuration drift. - **Real-Time Task Progress with Custom Model Routing** — combines line-by-line response streaming + ANTHROPIC_CUSTOM_MODEL_OPTION. Agents can stream output line-by-line while routing model selection via environment variable, enabling dynamic cost/quality trade-offs within a single session and real-time visibility into multi-step work. Idea: A cost-sensitive multi-stage agent that streams intermediate results as they arrive (enabling user feedback early) and switches model via ANTHROPIC_CUSTOM_MODEL_OPTION based on task complexity — cheaper models for data validation, Opus for synthesis. Users see progress immediately and can steer work mid-task rather than waiting for complete batch results. **Agentic relevance:** The `StopFailure` hook enables agents to build fault-tolerant workflows that respond to API degradation rather than failing silently. The new plugin state variable and frontmatter keys allow agents shipped via plugins to persist configuration and control execution boundaries. Together with line-by-line streaming, agents can now provide real-time feedback during long-running tasks and gracefully handle transient failures without user intervention. _20 hardening fixes (not new primitives)._ --- ## 2.1.79 **Headline:** **`/remote-control` command** — bridge CLI session to claude.ai/code for browser/phone continuation, enabling workflow mobility and device-agnostic handoff during extended work. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | --console flag | flag | Enables Anthropic Console (API billing) authentication in `claude auth login` | Added `--console` flag to `claude auth login` for Anthropic Console (API billing) authentication | | "Show turn duration" toggle | setting | Displays the duration of each turn in `/config` menu output | Added "Show turn duration" toggle to the `/config` menu | | CLAUDE_CODE_PLUGIN_SEED_DIR multi-path | env-var | Accepts multiple seed directories separated by platform delimiter (`:` or `;`) | `CLAUDE_CODE_PLUGIN_SEED_DIR` now supports multiple seed directories separated by the platform path delimiter (`:` on Unix, `;` on Windows) | | /remote-control command | command | Bridges CLI session to claude.ai/code to continue work on browser or phone | [VSCode] Added `/remote-control` — bridge your session to claude.ai/code to continue from a browser or phone | | AI-generated session titles | capability | Session tabs automatically generate titles based on first message | [VSCode] Session tabs now get AI-generated titles based on your first message | ### Workflow recipes - **Device-agnostic research handoff** — combines /remote-control + AI-generated session titles. Extended research tasks can now branch from terminal/VSCode to browser mid-stream, with auto-titled sessions enabling quick context recovery on phone or secondary device without losing chat history. Idea: Agent starts deep research in CLI (faster iteration, local tools), hits a checkpoint (need visual design, cross-browser testing, or mobile proof), triggers /remote-control, continues in browser with inherited context, then optionally resumes in VSCode for final commit. Session auto-titles track intent ("research-api-comparison-v2") without manual naming friction. - **Plugin seed composition at scale** — combines Multi-path CLAUDE_CODE_PLUGIN_SEED_DIR + turn-duration visibility. Multi-directory plugin seeds enable tiered plugin loading (org-wide, team, project, personal) while turn-duration telemetry reveals if plugin composition is slowing startup or turn latency. Idea: Set CLAUDE_CODE_PLUGIN_SEED_DIR=/org/seeds:/team/seeds:/project/seeds to layer plugins by scope. Monitor "Show turn duration" across sessions to detect slowdown, then diagnose which seed layer contributed the regression. Useful for teams scaling plugin usage without visibility into cumulative load. **Agentic relevance:** The `/remote-control` command enables agent-in-VSCode sessions to hand off work to browser contexts without context loss, opening patterns for long-running research, multi-device orchestration, and mobile-first triage workflows. The multi-path `CLAUDE_CODE_PLUGIN_SEED_DIR` and turn-duration visibility support plugin composition and performance visibility at scale. _13 hardening fixes (not new primitives)._ --- ## 2.1.80 **Headline:** **`effort` frontmatter for skills and slash commands** — agents can now override the model effort level at the point of skill/command definition, enabling context-aware defaulting without manual per-invocation effort tweaks. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | rate_limits in statusline scripts | setting | Display Claude.ai rate limit usage (5-hour and 7-day windows with `used_percentage` and `resets_at`) | Added `rate_limits` field to statusline scripts for displaying Claude.ai rate limit usage (5-hour and 7-day windows with `used_percentage` and `resets_at`) | | source: 'settings' for plugins | setting | Declare plugin entries inline in settings.json instead of external marketplace | Added `source: 'settings'` plugin marketplace source — declare plugin entries inline in settings.json | | CLI tool usage detection | capability | Plugin tips now detect CLI tool usage in addition to file pattern matching | Added CLI tool usage detection to plugin tips, in addition to file pattern matching | | effort frontmatter | setting/frontmatter | Skills and slash commands can specify `effort` in frontmatter to override the model effort level when invoked | Added `effort` frontmatter support for skills and slash commands to override the model effort level when invoked | | --channels flag (MCP) | flag/capability | Allow MCP servers to push messages into your session (research preview) | Added `--channels` (research preview) — allow MCP servers to push messages into your session | ### Workflow recipes - **Event-Driven Skill Dispatch with Effort Tuning** — combines effort frontmatter + --channels (MCP push). MCP servers can now push events into the session, and skills can declare their computational intensity upfront. This unlocks a reactive agent pattern where external events trigger skills at the effort level that matches their resource budget. Idea: An external system (e.g., Grafeo graph change listener, CI/CD webhook) pushes a message into Claude Code via --channels. The agent receives the event and routes it to a skill tagged with effort: auto or effort: fast to avoid runaway token consumption on high-frequency events. For critical synthesis tasks, the same skill can be invoked with effort: expert when the user escalates. Skills no longer need wrapper logic to decide effort; they declare intent in frontmatter. - **Rate-Limited Skill Orchestration** — combines rate_limits visibility + effort frontmatter + skill definition. Agents can now see Claude.ai rate limits (5-hour and 7-day windows) in real time. Skills can declare effort level upfront. Together, these enable a skill orchestrator that checks remaining budget before invoking expensive skills, degrading gracefully to lighter effort levels when nearing limits. Idea: A meta-skill reads rate_limits from the statusline, computes headroom, and invokes downstream skills with effort: fast or effort: auto when approaching a limit, or effort: expert when headroom is plentiful. Skills with effort frontmatter can be invoked at varying intensities without rewriting them. This is especially valuable for long-running agent loops or high-throughput skill orchestration where token budget is a hard constraint. - **Self-Hosted Plugin Registry via Settings** — combines source: 'settings' for plugins + settings persistence. Plugins can now be declared inline in settings.json, removing the need for external marketplace registration. This enables version-controlled, self-hosted plugin catalogs that travel with the repo. Idea: A foundation3 monorepo can define a .claude/plugins.json (or inline plugins array in settings.json) listing all team-approved skills/tools/MCP servers. CI/CD can validate plugins at commit time. When a new agent checks out the repo, settings bootstrap all plugins automatically, ensuring tool alignment across the team without manual discovery or installation steps. **Agentic relevance:** The `effort` frontmatter and `--channels` flag are the primary agents-facing additions. `effort` allows skills to declare computational intent (fast/auto/deep/expert) at definition time, reducing boilerplate per invocation. The `--channels` flag enables MCP servers to push notifications into the session asynchronously, unlocking event-driven agent workflows where external systems can trigger agent actions without polling. Together with the `rate_limits` visibility, these primitives improve agent autonomy and observability of model resource consumption. _12 hardening fixes (not new primitives)._ --- ## 2.1.81 **Headline:** `--bare` flag — scriptable automation in deterministic environments (CI, headless servers, backend schedulers). Skips OAuth, hooks, LSP, and plugins to run repeatable `-p` invocations with just `ANTHROPIC_API_KEY`. Agents can now run fast, stateless sub-tasks without interactive approval paths. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | --bare | flag | Scripted `-p` calls without hooks, LSP, plugin sync, or interactive auth; requires `ANTHROPIC_API_KEY` or `apiKeyHelper` | Added `--bare` flag for scripted `-p` calls — skips hooks, LSP, plugin sync, and skill directory walks; requires `ANTHROPIC_API_KEY` or an `apiKeyHelper` via `--settings` (OAuth and keychain auth disabled); auto-memory fully disabled | | --channels | capability | Permission relay for channel servers to forward tool approval prompts to your phone | Added `--channels` permission relay — channel servers that declare the permission capability can forward tool approval prompts to your phone | | showClearContextOnPlanAccept | setting | Plan mode setting to restore the "clear context" option (default hidden in 2.1.81) | Changed plan mode to hide the "clear context" option by default (restore with `"showClearContextOnPlanAccept": true`) | ### Workflow recipes - **Orchestrated approval routing** — combines --bare + --channels. Agents can now route work deterministically: fast, stateless sub-steps run headless (--bare without approval prompts), while sensitive operations requiring human oversight can enable --channels to surface approvals on mobile in real time. This decouples the approval path from the execution path — approval latency no longer blocks fast compute, and human judgment stays in the loop for high-stakes tool calls. Idea: A parent workflow routes sub-agent invocations based on risk tier. Tier-1 (deterministic code analysis, local reads) spawns children with --bare, completing in seconds without approval overhead. Tier-2 (destructive mutations, API calls, external data write) re-enters interactive mode with --channels enabled, sending permission prompts to the orchestrator's phone; the agent pauses on tool calls until approved. This pattern moves headless automation from "run everything scripted" to "run safe tasks fast, keep oversight on dangerous ones." - **Scripted automation without auth machinery** — combines --bare. Backend workflows and CI agents have struggled to run Claude Code without OAuth setup, credential rotation, or interactive auth. --bare removes all auth machinery (oauth, keychain, interactive key input) and requires only ANTHROPIC_API_KEY in the environment — the minimal subset for stateless, deterministic automation. Idea: A scheduled agent (e.g., hourly codebase linter, nightly report generator, CI step that calls Claude) spawns with claude-code -p -c "your prompt" --bare --settings '{"apiKey": "env:ANTHROPIC_API_KEY"}'. No session resume, no auto-memory, no plugin hooks — just the request and response, suitable for containerized or ephemeral compute. Backend systems can now rotate ANTHROPIC_API_KEY without touching Claude Code session state. **Agentic relevance:** `--bare` unlocks deterministic, hook-free automation for sub-agents in CI/scheduler contexts. `--channels` extends approval workflows to mobile, supporting remote human oversight of tool calls. Together they enable orchestration patterns: fast deterministic tasks run `--bare`, sensitive decisions route approvals via `--channels`. _24 hardening fixes (not new primitives)._ --- ## 2.1.83 **Headline:** `managed-settings.d/` drop-in directory for policy fragments. This matters because it decouples multi-team policy authoring from a single `managed-settings.json` file — teams can now deploy, update, or remove their own fragments independently without merge conflicts, which is the enabling primitive for org-scale Claude Code governance. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | managed-settings.d/ | setting | Drop-in directory alongside `managed-settings.json`, letting separate teams deploy independent policy fragments that merge alphabetically | Added `managed-settings.d/` drop-in directory alongside `managed-settings.json`, letting separate teams deploy independent policy fragments that merge alphabetically | | CwdChanged hook event | hook | Fires when the working directory changes, enabling reactive environment management (e.g., direnv) | Added `CwdChanged` and `FileChanged` hook events for reactive environment management (e.g., direnv) | | FileChanged hook event | hook | Fires when a tracked file changes, enabling reactive environment management | Added `CwdChanged` and `FileChanged` hook events for reactive environment management (e.g., direnv) | | sandbox.failIfUnavailable | setting | Exit with an error when sandbox is enabled but cannot start, instead of running unsandboxed | Added `sandbox.failIfUnavailable` setting to exit with an error when sandbox is enabled but cannot start, instead of running unsandboxed | | disableDeepLinkRegistration | setting | Prevent `claude-cli://` protocol handler registration | Added `disableDeepLinkRegistration` setting to prevent `claude-cli://` protocol handler registration | | CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 | env-var | Strip Anthropic and cloud provider credentials from subprocess environments (Bash tool, hooks, MCP stdio servers) | Added `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1` to strip Anthropic and cloud provider credentials from subprocess environments (Bash tool, hooks, MCP stdio servers) | | Transcript search (/ in Ctrl+O mode) | capability | Press `/` in transcript mode to search, `n`/`N` to step through matches | Added transcript search — press `/` in transcript mode (`Ctrl+O`) to search, `n`/`N` to step through matches | | Ctrl+X Ctrl+E keybinding | flag | Alias for opening the external editor (readline-native binding; `Ctrl+G` still works) | Added `Ctrl+X Ctrl+E` as an alias for opening the external editor (readline-native binding; `Ctrl+G` still works) | | [Image #N] chip on paste | capability | Pasted images insert a positional chip at the cursor so you can reference them by number in your prompt | Pasted images now insert an `[Image #N]` chip at the cursor so you can reference them positionally in your prompt | | initialPrompt frontmatter | capability | Agents can declare `initialPrompt` in frontmatter to auto-submit a first turn | Agents can now declare `initialPrompt` in frontmatter to auto-submit a first turn | | chat:killAgents / chat:fastMode rebindable | capability | Both are now rebindable via `~/.claude/keybindings.json` | `chat:killAgents` and `chat:fastMode` are now rebindable via `~/.claude/keybindings.json` | | CLAUDE_CODE_DISABLE_NONSTREAMING_FALLBACK | env-var | Disable the non-streaming fallback when streaming fails | Added `CLAUDE_CODE_DISABLE_NONSTREAMING_FALLBACK` env var to disable the non-streaming fallback when streaming fails | | Plugin manifest.userConfig / sensitive: true | capability | Plugins can prompt for configuration at enable time, with `sensitive: true` values stored in keychain (macOS) or protected credentials file | Plugin options (`manifest.userConfig`) now available externally — plugins can prompt for configuration at enable time, with `sensitive: true` values stored in keychain (macOS) or protected credentials file (other platforms) | | Clipboard-pasted image on-disk path reference | capability | Claude can reference the on-disk path of clipboard-pasted images for file operations | Claude can now reference the on-disk path of clipboard-pasted images for file operations | | Ctrl+L full redraw | flag | Clears the screen and forces a full redraw — use to recover when Cmd+K leaves the UI partially blank | `Ctrl+L` now clears the screen and forces a full redraw — use this to recover when Cmd+K leaves the UI partially blank. Use `Ctrl+U` or double-Esc to clear prompt input. | | [VSCode] /rewind picker | command | Esc-twice or `/rewind` opens a keyboard-navigable rewind picker | [VSCode] Added Esc-twice (or `/rewind`) to open a keyboard-navigable rewind picker | ### Workflow recipes - **Reactive Monorepo Environment Switcher** — combines CwdChanged hook event + FileChanged hook event + CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1. CwdChanged fires when the agent navigates between packages in a monorepo; combined with FileChanged watching .envrc or package.json, a hook can automatically run direnv, reload tool configs, and scrub stale credentials from subprocess envs — making multi-package agentic sessions self-configuring rather than requiring the user to manually reset context. Idea: Register a CwdChanged hook that runs direnv export json and injects the resulting vars into subsequent subprocess calls. Register a FileChanged hook on .envrc to re-export when the env definition changes. Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 so the baseline subprocess env never carries over cloud credentials from the parent shell, letting the hook be the authoritative credential source per directory. - **Self-Bootstrapping Agent with Credential-Safe Subprocess Isolation** — combines initialPrompt frontmatter + CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 + sandbox.failIfUnavailable. An agent that declares its own initialPrompt is fully self-contained — no wrapper script needed to seed it. Pairing that with CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 ensures the agent's Bash tool and MCP stdio servers never inherit ambient credentials from the launch shell. Adding sandbox.failIfUnavailable: true prevents silent sandbox bypass, so the agent either runs in a known-safe environment or fails loudly rather than executing unsandboxed in CI. Idea: Define a security-audit agent in a skill frontmatter with initialPrompt: "Begin audit of the repository. Report findings to stdout.". Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 in the CI environment and sandbox.failIfUnavailable: true in managed-settings.json. The agent launches, auto-submits its first turn, and every subprocess it spawns is credential-clean and sandboxed — or the job fails before any mutation occurs. - **Multi-Team Policy Layering with Per-Team Credential Isolation** — combines managed-settings.d/ drop-in directory + Plugin manifest.userConfig / sensitive: true. managed-settings.d/ lets a platform team ship a baseline policy fragment while individual product teams overlay their own fragments without editing shared files. Plugin manifest.userConfig with sensitive: true lets each team's plugins prompt for their own secrets at enable time and store them in the OS keychain — so team-specific credentials never appear in any shared config fragment. Idea: Platform team ships managed-settings.d/00-baseline.json with org-wide allowedTools and deniedMcpServers. Team A ships managed-settings.d/10-team-a.json with their approved MCP servers. Team A's plugin uses manifest.userConfig with sensitive: true to capture their API key at enable time, storing it in keychain. Each team's fragment merges alphabetically; credentials never appear in any JSON file checked into the policy repo. **Agentic relevance:** The `initialPrompt` frontmatter capability removes the need for external orchestration to seed an agent's first turn, enabling fully self-contained agent definitions that auto-bootstrap. The `CwdChanged`/`FileChanged` hook events open a reactive event bus between the filesystem and Claude Code's hook system, allowing agents to detect environment transitions (e.g., entering a monorepo sub-package) and reconfigure without polling. The `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1` env-var closes a credential-leak surface that affects every agentic pipeline that spawns subprocesses. _61 hardening fixes (not new primitives)._ --- ## 2.1.84 **Headline:** `TaskCreated` hook — fires the moment a task is created via `TaskCreate`, giving orchestrators a synchronous interception point to record, route, or gate new tasks before they run. This is the most agentic primitive in the release; every other addition is either env-var tuning or hardening. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | PowerShell tool (Windows opt-in) | tool | Executes PowerShell commands on Windows, parallel to Bash on Unix | Added PowerShell tool for Windows as an opt-in preview. Learn more at https://code.claude.com/docs/en/tools-reference#powershell-tool | | ANTHROPIC_DEFAULT_{OPUS,SONNET,HAIKU}_MODEL_SUPPORTS | env-var | Overrides effort/thinking capability detection for pinned default models on Bedrock/Vertex/Foundry | Added `ANTHROPIC_DEFAULT_{OPUS,SONNET,HAIKU}_MODEL_SUPPORTS` env vars to override effort/thinking capability detection for pinned default models for 3p (Bedrock, Vertex, Foundry), and `_MODEL_NAME`/`_DESCRIPTION` to customize the `/model` picker label | | ANTHROPIC_DEFAULT_{OPUS,SONNET,HAIKU}_MODEL_NAME / _DESCRIPTION | env-var | Customizes the `/model` picker label for third-party model deployments | (same changelog line as above) | | CLAUDE_STREAM_IDLE_TIMEOUT_MS | env-var | Configures the streaming idle watchdog threshold (default 90s) | Added `CLAUDE_STREAM_IDLE_TIMEOUT_MS` env var to configure the streaming idle watchdog threshold (default 90s) | | TaskCreated hook | hook | Fires when a task is created via `TaskCreate` | Added `TaskCreated` hook that fires when a task is created via `TaskCreate` | | WorktreeCreate HTTP hook output (hookSpecificOutput.worktreePath) | hook | Allows an HTTP hook to return the created worktree path in `hookSpecificOutput.worktreePath` | Added `WorktreeCreate` hook support for `type: \"http\"` — return the created worktree path via `hookSpecificOutput.worktreePath` in the response JSON | | allowedChannelPlugins managed setting | setting | Team/enterprise admins can define a channel plugin allowlist | Added `allowedChannelPlugins` managed setting for team/enterprise admins to define a channel plugin allowlist | | paths: YAML list in rules/skills frontmatter | capability | Rules and skills `paths:` frontmatter now accepts a YAML list of globs instead of a single string | Rules and skills `paths:` frontmatter now accepts a YAML list of globs | ### Workflow recipes - **Task-Gated Orchestration with Audit Log** — combines TaskCreated hook + WorktreeCreate HTTP hook (hookSpecificOutput.worktreePath). TaskCreated fires at task creation and WorktreeCreate HTTP now returns the worktree path to the hook server — together they let a remote hook server intercept both ends of an agentic sub-session: the task that owns the work, and the worktree it runs in. This closes the loop on remote orchestration: you can correlate task ID to worktree path, enforce policy (e.g. only allow tasks for approved repos), log both events to the same audit record, and inject environment before the subagent ever starts. Idea: Configure an HTTP hook server that handles both TaskCreated (record task metadata, check policy, optionally abort) and WorktreeCreate (provision the worktree, return worktreePath, and staple the worktree to the task record). The orchestrator now has a correlated task↔worktree audit trail with a single interception point per subagent launch. Extend with a TaskCompleted handler to close the audit record. - **Third-Party Model Capability Override for Bedrock/Vertex Pipelines** — combines ANTHROPIC_DEFAULT_{OPUS,SONNET,HAIKU}_MODEL_SUPPORTS env-var + CLAUDE_STREAM_IDLE_TIMEOUT_MS env-var. When running Claude Code against Bedrock or Vertex with pinned model ARNs, capability detection and streaming reliability are the two most common breakage points in automated pipelines. These two env-vars address both simultaneously without code changes: MODEL_SUPPORTS tells the harness which effort/thinking capabilities the pinned model actually has (preventing silent fallback or wrong-mode selection), and STREAM_IDLE_TIMEOUT_MS prevents the streaming watchdog from firing prematurely on high-latency Bedrock endpoints that have longer inter-token gaps than the 90s default covers. Idea: In a CI pipeline targeting Bedrock, set ANTHROPIC_DEFAULT_SONNET_MODEL_SUPPORTS=thinking,extended-context (matching the pinned model's actual capability profile) alongside CLAUDE_STREAM_IDLE_TIMEOUT_MS=180000 to double the watchdog window for Bedrock p99 latency. Combine with _MODEL_NAME/_DESCRIPTION for human-readable /model picker labels in shared team environments. The result is a Bedrock pipeline that selects the right execution mode, doesn't false-timeout, and shows operators the actual model name in the UI. **Agentic relevance:** The `TaskCreated` hook is the release's primary agentic primitive — it closes a previously missing interception point in the task lifecycle, enabling orchestrators to gate, log, or route tasks the instant they are created rather than only reacting after execution. The `WorktreeCreate` HTTP hook output field (`worktreePath`) completes the HTTP-hook worktree handshake, allowing remote hook servers to participate in worktree provisioning workflows. The `paths:` YAML list in rules/skills frontmatter is a low-noise but real capability improvement for agents managing scoped rule routing across multi-path subtrees. _33 hardening fixes (not new primitives)._ --- ## 2.1.85 **Headline:** **Headless hook integrations via PreToolUse `updatedInput`** — agents and headless systems can now satisfy user questions without interactive prompts, enabling self-contained tool-use flows with delegated permission handling. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | CLAUDE_CODE_MCP_SERVER_NAME | env-var | Names the MCP server in headersHelper scripts, allowing one helper to serve multiple servers | Added `CLAUDE_CODE_MCP_SERVER_NAME` and `CLAUDE_CODE_MCP_SERVER_URL` environment variables to MCP `headersHelper` scripts, allowing one helper to serve multiple servers | | CLAUDE_CODE_MCP_SERVER_URL | env-var | Routes the MCP server URL in headersHelper scripts, allowing one helper to serve multiple servers | Added `CLAUDE_CODE_MCP_SERVER_NAME` and `CLAUDE_CODE_MCP_SERVER_URL` environment variables to MCP `headersHelper` scripts, allowing one helper to serve multiple servers | | Hook if field | setting | Conditionally filters when hooks run using permission rule syntax (e.g., `Bash(git *)`) to reduce process spawning | Added conditional `if` field for hooks using permission rule syntax (e.g., `Bash(git *)`) to filter when they run, reducing process spawning overhead | | Transcript timestamp markers | capability | Scheduled tasks (`/loop`, `CronCreate`) now emit timestamp markers in transcripts to track execution | Added timestamp markers in transcripts when scheduled tasks (`/loop`, `CronCreate`) fire | | Deep link query expansion | capability | `claude-cli://open?q=…` queries now support up to 5,000 characters with scroll-to-review warning for long pre-filled prompts | Deep link queries (`claude-cli://open?q=…`) now support up to 5,000 characters, with a "scroll to review" warning for long pre-filled prompts | | PreToolUse updatedInput | hook | PreToolUse hooks can return `updatedInput` alongside `permissionDecision: "allow"` to satisfy `AskUserQuestion` without interactive prompts, enabling headless integrations | PreToolUse hooks can now satisfy `AskUserQuestion` by returning `updatedInput` alongside `permissionDecision: "allow"`, enabling headless integrations that collect answers via their own UI | ### Workflow recipes - **Autonomous Permission-Satisfied Tool Chains** — combines PreToolUse updatedInput + Hook if field conditional filtering. Agents can now route tool execution through pre-answered questions without interactive prompts, and filter noisy permission checks via conditional hook rules—enabling fully autonomous multi-tool workflows in headless/scheduled contexts. Idea: Build a cloud-scheduled agent (CronCreate + timestamp markers) that chains dangerous commands (Bash, git rewrites) by pre-answering confirmation questions via PreToolUse hooks, while using hook if: "Bash(git *)" to gate execution only for git operations. The transcript timestamp markers then create an audit log of when each chain step fired, which agents can query to detect failures and backfill work. - **Deep-Link Prompt Expansion for Skill Context Injection** — combines Deep link query expansion (5k chars) + Transcript timestamp markers + Hook if field. Agents can now embed up to 5,000 characters of skill context, directives, and prior work state into deep links, and scheduled routines will emit timestamps to anchor the injected context in transcript history. Idea: Author a skill that generates deep-link URIs embedding prior run state (e.g., last N work-items, decision context, todo backlog) up to 5k chars, then schedule it via /loop or CronCreate for periodic re-injection. Hook if field can suppress permission prompts during replay. The transcript timestamps mark each re-injection, enabling agents to detect drift and reorient to the injected state. - **Headless MCP Multi-Server Routing** — combines CLAUDE_CODE_MCP_SERVER_NAME + CLAUDE_CODE_MCP_SERVER_URL env-vars + PreToolUse updatedInput. A single MCP headersHelper script can now route multiple servers by name/URL env-vars, and PreToolUse hooks can satisfy MCP auth questions programmatically—enabling zero-touch delegation to specialized servers in cloud/headless environments. Idea: Deploy a headersHelper that checks CLAUDE_CODE_MCP_SERVER_NAME to route to Slack, GitHub, or Salesforce APIs dynamically. Layer a PreToolUse hook that detects server auth questions and injects credentials or refresh-token flows via updatedInput. Cloud agents spawning child agents can set env-vars to steer them to the right server without manual intervention. **Agentic relevance:** The headline primitive (PreToolUse `updatedInput`) unlocks fully autonomous tool-use workflows where agents can answer user questions programmatically without blocking on interactive prompts—critical for headless orchestration, multi-turn skill chains, and cloud-scheduled routines. Combined with hook `if` field conditional filtering, agents can reduce permission-prompt spam and stale process lifecycle. Timestamp markers for scheduled tasks enable agents to audit execution history and detect missed cron fires in transcript logs. _23 hardening fixes (not new primitives)._ --- ## 2.1.86 **Headline:** **`X-Claude-Code-Session-Id` header + VCS exclusion list expansions** — Enables proxy-layer session aggregation and improves tooling compatibility (Jujutsu, Sapling) without user configuration, reducing friction for multi-VCS monorepos and enterprise deployments. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | X-Claude-Code-Session-Id header | capability | Adds session-aware header to all API requests for proxy aggregation without body parsing | Added `X-Claude-Code-Session-Id` header to API requests so proxies can aggregate requests by session without parsing the body | | .jj and .sl VCS exclusions | setting | Extends VCS directory blacklist to skip Jujutsu and Sapling metadata during file operations | Added `.jj` and `.sl` to VCS directory exclusion lists so Grep and file autocomplete don't descend into Jujutsu or Sapling metadata | ### Workflow recipes - **Multi-Instance Session Aggregation + Proxy Intelligence** — combines X-Claude-Code-Session-Id header + Read tool token optimization. The session-ID header + reduced token overhead on file mentions enable smarter proxy-layer session tracking without body parsing, allowing orchestration systems to correlate work across multiple Claude Code instances while staying within token budgets. Idea: A proxy layer (e.g., Envoy, HAProxy, or custom middleware) ingests the X-Claude-Code-Session-Id header to aggregate and correlate requests from multiple concurrent Claude Code instances working on the same codebase or task. Combined with the Read tool's compact format and deduplication, agents can now be deployed as a fleet where each instance handles a subtask (e.g., parallel code review, multi-branch testing) and the proxy reconstructs the unified transaction log without parsing API bodies. This is especially valuable for monorepo CI/CD pipelines where session-aware request batching or rate-limiting per-task is needed. - **Robust Long-Session Agent Feedback Loop** — combines Fixed --resume + out-of-memory crash fix + /feedback reliability. 2.1.86 hardens the session resume and feedback mechanisms, allowing agents to safely capture, persist, and replay multi-hour runs with /feedback without crashing or losing state on recovery. Idea: An agent running a long-lived task (e.g., iterative code refactoring, multi-day test harness) can now safely checkpoint progress mid-session, pause, and resume with --resume without triggering the "tool_use ids" validation error. The out-of-memory crash fix means /feedback can be invoked on verbose 8+ hour sessions without process death. This unlocks human-in-the-loop workflows where an agent runs autonomously, the human periodically reviews via /feedback, and the agent resumes knowing the full context is available. Critical for systems like automated dispute resolution, long-running audits, or multi-stage synthesis tasks. **Agentic relevance:** 2.1.86 is primarily a stability and UX polish release with two small capability additions (session header + VCS exclusions). The session header is highly relevant for proxy-layer orchestration and multi-instance session tracking; the VCS exclusions reduce noise in monorepo tooling. Agents benefiting from multi-version monorepo work or proxy aggregation should expect improved file operation reliability and cleaner Grep results. The hardening work (config corruption fix, token leaks, long-session crashes) improves robustness for extended agent runs, especially those using `/feedback` or operating across project boundaries. _24 hardening fixes (not new primitives)._ --- ## 2.1.89 **Headline:** **Headless resumption with deferred permissions** — `"defer"` permission decision in `PreToolUse` hooks + `-p --resume` now enables agents and headless scripts to pause at permission gates and resume after hook re-evaluation, unblocking long-running workflows and interactive permission resolution without operator presence. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | "defer" permission decision | hook-return-value | Allows PreToolUse hooks to pause tool execution and resume later with `-p --resume` for re-evaluation | Added `"defer"` permission decision to `PreToolUse` hooks — headless sessions can pause at a tool call and resume with `-p --resume` to have the hook re-evaluate | | CLAUDE_CODE_NO_FLICKER=1 | environment-variable | Opts into flicker-free alt-screen rendering with virtualized scrollback for cleaner terminal output | Added `CLAUDE_CODE_NO_FLICKER=1` environment variable to opt into flicker-free alt-screen rendering with virtualized scrollback | | PermissionDenied hook | hook-type | Fires after auto mode classifier denials; can return `{retry: true}` to signal model should retry the denied command | Added `PermissionDenied` hook that fires after auto mode classifier denials — return `{retry: true}` to tell the model it can retry | | Named subagents in @ mention | capability | Typeahead suggestions now include named subagents for direct mention and reference | Added named subagents to `@` mention typeahead suggestions | | MCP_CONNECTION_NONBLOCKING=true | environment-variable | For `-p` mode, skips MCP connection wait entirely and bounds `--mcp-config` server connections at 5s instead of blocking | Added `MCP_CONNECTION_NONBLOCKING=true` for `-p` mode to skip the MCP connection wait entirely, and bounded `--mcp-config` server connections at 5s instead of blocking on the slowest server | | /buddy command | command | April 1st feature: hatch a small creature that watches you code | `/buddy` is here for April 1st — hatch a small creature that watches you code | ### Workflow recipes - **Interactive Permission Gates for Headless Agents** — combines "defer" permission decision (PreToolUse hook) + -p --resume + PermissionDenied hook + named subagents in @ mention. Long-running orchestration workflows can now pause at permission boundaries, notify human operators, and resume with fresh evaluation — without blocking or losing session state. Named subagents in mention discovery let agents route permission decisions to specialized auditors. Idea: Build a multi-stage agent cascade where a headless controller agent encounters a PreToolUse hook that returns {defer: true} on high-risk operations (deployments, credential writes, destructive commands). The hook stores the deferred tool request, control returns to the agent loop, and the agent mentions a specialized @audit-agent subagent to inspect the request and approve/deny. The parent agent resumes with -p --resume, the hook re-evaluates with updated approval state, and proceeds or fails with the auditor's decision. Combines permission gates, subagent orchestration, and stateful resumption. - **Flicker-Free Long-Running Orchestration Loops** — combines CLAUDE_CODE_NO_FLICKER=1 + MCP_CONNECTION_NONBLOCKING=true + improved bash tool warnings. Scheduled cloud agents and persistent orchestration loops can now render cleanly without terminal flicker and skip MCP connection blocking, reducing visual noise and latency in observability dashboards and long-running monitor loops. Idea: Configure a scheduled agent (schedule skill) that runs every 5 minutes to probe service health, ingest metrics, and trigger downstream workflows. Enable CLAUDE_CODE_NO_FLICKER=1 to eliminate scrollback artifacts during heavy parallel Bash tool use, and set MCP_CONNECTION_NONBLOCKING=true to skip waiting for slow MCP servers at startup. The Bash tool warns if any formatter/linter modifies previously-read files, preventing stale-edit errors during repeated probe cycles. Result: clean, fast, debuggable observability agent suitable for dashboards. **Agentic relevance:** Permission deferral and named subagent discovery enable headless orchestration workflows where multi-step agent chains can request operator approval at permission gates without blocking the entire session. `CLAUDE_CODE_NO_FLICKER` and `MCP_CONNECTION_NONBLOCKING` reduce latency and visual noise in long-running automated sessions, making them more suitable for orchestration loops and scheduled cloud agents. _46 hardening fixes (not new primitives)._ --- ## 2.1.90 **Headline:** **/powerup command** — interactive lessons with animated demos for teaching Claude Code features. This unlocks guided onboarding and self-directed skill building without leaving the CLI. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /powerup | command | Interactive lessons teaching Claude Code features with animated demos | Added `/powerup` — interactive lessons teaching Claude Code features with animated demos | | CLAUDE_CODE_PLUGIN_KEEP_MARKETPLACE_ON_FAILURE | env-var | Keep the existing marketplace cache when `git pull` fails, useful in offline environments | Added `CLAUDE_CODE_PLUGIN_KEEP_MARKETPLACE_ON_FAILURE` env var to keep the existing marketplace cache when `git pull` fails, useful in offline environments | | .husky protection | setting | `.husky` added to protected directories (acceptEdits mode) | Added `.husky` to protected directories (acceptEdits mode) | ### Workflow recipes - **Offline-resilient marketplace + guided onboarding** — combines CLAUDE_CODE_PLUGIN_KEEP_MARKETPLACE_ON_FAILURE + /powerup. Remote teams and air-gapped environments can now learn Claude Code interactively without disrupting marketplace availability when network fails. Combines survivable offline caching with discoverable feature training. Idea: In an offline-first or intermittently-connected environment, an agent or user runs /powerup to learn a feature, triggering skill install; if marketplace git pull fails, the env var prevents cache loss. Subsequent skill invocations use the cached marketplace. This creates a stable learning + skill-acquisition loop even in degraded network conditions. **Agentic relevance:** The `/powerup` interactive lessons and `CLAUDE_CODE_PLUGIN_KEEP_MARKETPLACE_ON_FAILURE` env var are ergonomic additions for agent discoverability and offline resilience. The PowerShell hardening and prompt-cache fix address regression stability. Overall, 2.1.90 prioritizes bug fixes and polish over new agent-facing capabilities. _16 hardening fixes (not new primitives)._ --- ## 2.1.91 **Headline:** MCP tool result persistence override via `_meta["anthropic/maxResultSizeChars"]` — agents can now transmit large results (up to 500K) like DB schemas without truncation, unlocking deeper integration with data discovery tasks. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | _meta["anthropic/maxResultSizeChars"] | MCP annotation | Persist larger tool results (up to 500K) without truncation | Added MCP tool result persistence override via `_meta["anthropic/maxResultSizeChars"]` annotation (up to 500K), allowing larger results like DB schemas to pass through without truncation | | disableSkillShellExecution | setting | Disable inline shell execution in skills, custom slash commands, and plugin commands | Added `disableSkillShellExecution` setting to disable inline shell execution in skills, custom slash commands, and plugin commands | | Multi-line deep links | capability | Support newlines in `claude-cli://open?q=` URLs via `%0A` encoding | Added support for multi-line prompts in `claude-cli://open?q=` deep links (encoded newlines `%0A` no longer rejected) | | Plugin bin/ executables | capability | Plugins can ship executables under `bin/` and invoke them as bare commands from Bash | Plugins can now ship executables under `bin/` and invoke them as bare commands from the Bash tool | ### Workflow recipes - **Large-Schema Discovery Loop** — combines _meta["anthropic/maxResultSizeChars"] + Plugin bin/ executables. Agent-driven database or API schema ingestion typically fails on truncated output. By persisting full schemas (up to 500K) alongside lightweight custom tools (plugin executables), agents can now perform lossless schema import, cross-database comparison, and generation of integration glue code without round-tripping to external services. Idea: An agent workflow for federated data discovery: plugin ships custom CLI tools that query live databases (Postgres, BigQuery, etc.) and dump their full schemas; agent uses the persistence override to absorb 200K+ schemas in a single turn; agent then generates normalized schema graphs, spotting conflicts and gaps across sources without truncation noise. - **Sandboxed Skill Execution in CRC Graph Adjudication** — combines disableSkillShellExecution + multi-line deep links. CRC v3 adjudication workflows often call out to skills to fetch or verify facts. The ability to disable inline shell execution in skills (security boundary) + multi-line deep links (structured prompts to agents) enables safer, richer agent choreography where untrusted or third-party skills can be executed under constraints, and complex reasoning prompts can be encoded in URLs without encoding friction. Idea: A CRC adjudication loop that spawns agents via deep links with multi-line reasoning prompts; those agents call out to skills (facts, data, probes) but those skills run sandboxed (no shell escape), isolating execution from the parent graph state. Failures in skill execution don't corrupt the adjudication state. **Agentic relevance:** The MCP result persistence override (`_meta["anthropic/maxResultSizeChars"]`) is the key primitive for agent workflows involving schema ingestion, DB exploration, and large-document analysis. Plugin bin/ executables add lightweight custom tooling to agent environments. The `disableSkillShellExecution` setting provides security-hardened sandboxing for untrusted skills. Together they expand agent data reach and execution isolation. _9 hardening fixes (not new primitives)._ --- ## 2.1.92 **Headline:** **Interactive Bedrock setup wizard** — new 3rd-party LLM platform integration flow with guided AWS auth, region config, and model pinning. Enables agents to ingest non-Claude models into the Claude Code runtime without manual credential/region assembly. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | forceRemoteSettingsRefresh | setting | Blocks startup until remote managed settings are freshly fetched; exits if fetch fails (fail-closed policy) | Added `forceRemoteSettingsRefresh` policy setting: when set, the CLI blocks startup until remote managed settings are freshly fetched, and exits if the fetch fails (fail-closed) | | Bedrock setup wizard | capability | Interactive flow for AWS Bedrock auth, region config, credential verification, and model pinning, accessible from login screen | Added interactive Bedrock setup wizard accessible from the login screen when selecting "3rd-party platform" — guides you through AWS authentication, region configuration, credential verification, and model pinning | | /cost per-model breakdown | command enhancement | Subscription users now see per-model and cache-hit breakdown in `/cost` output | Added per-model and cache-hit breakdown to `/cost` for subscription users | | /release-notes version picker | command enhancement | `/release-notes` is now an interactive version picker instead of static output | `/release-notes` is now an interactive version picker | | --remote-control-session-name-prefix | flag | Override hostname-based default prefix for Remote Control session names (default: `myhost-graceful-unicorn` format) | Remote Control session names now use your hostname as the default prefix (e.g. `myhost-graceful-unicorn`), overridable with `--remote-control-session-name-prefix` | | Prompt cache expiry footer hint (Pro) | capability | Pro users see footer hint when returning to session after prompt cache expires, showing roughly how many tokens next turn will send uncached | Pro users now see a footer hint when returning to a session after the prompt cache has expired, showing roughly how many tokens the next turn will send uncached | ### Workflow recipes - **Policy-Gated Multi-Model Orchestration** — combines forceRemoteSettingsRefresh + Bedrock setup wizard + /cost per-model breakdown. Remote managed settings enforce policy compliance on startup; Bedrock wizard enables seamless 3rd-party model onboarding; enhanced /cost visibility allows agents to route workloads by model economics and compliance posture in real time. Idea: An agent fleet manager applies mandatory remote settings (e.g., "use only AWS Bedrock for sensitive data") via forceRemoteSettingsRefresh, which blocks all spawned agents until policy is synced. Agents then use the Bedrock wizard to auto-configure AWS credentials and region, and query /cost per-model to choose between Claude (fast, cached) and Bedrock (compliant, airgapped) based on data classification and budget constraints. Feedback loop: policy updates force re-sync; agents log model-choice decisions to optimize future routing. - **Session Reliability in Long-Running Agent Batches** — combines Subagent spawn fix + tmux window resilience + prompt cache expiry hint. The "Could not determine pane count" failure was blocking multi-hour batch jobs when tmux windows died; the fix restores spawn reliability. Cache expiry hint helps agents estimate token cost before next turn, enabling graceful degradation. Idea: A long-running batch processor spawns child agents in tmux panes. Previously, if a pane was killed or renumbered mid-batch, spawn would fail permanently, orphaning the whole job. The fix allows spawn to recover. As agents run multi-turn workflows, the Pro footer hint shows cache state, allowing agents to decide whether to persist state to disk, summarize context, or request a fresh context window before expensive long-form generations. This turns what was a hard failure into an observed metric. - **Cost-Aware Session Management with Interactive Introspection** — combines /cost per-model breakdown + /release-notes version picker + improved Write diff speed. Agents can now see granular cost-per-model and cache-hit rates, and the version picker lets them inspect how changes in Claude Code releases affected their performance. Faster Write diff computation reduces per-artifact overhead. Idea: An agent monitoring workflow queries /cost at session boundaries to understand which models and cache patterns were most efficient, then cross-references /release-notes to correlate cost improvements with Claude Code version upgrades (e.g., "Write tool got 60% faster in 2.1.92, which explains the cost dip"). Agents log this metadata to a performance dashboard, enabling data-driven model and release-upgrade planning for large fleets. **Agentic relevance:** The `forceRemoteSettingsRefresh` setting and Bedrock wizard enable policy-driven orchestration and 3rd-party LLM ingestion for multi-model agent fleets. The subagent spawn fix is critical for session-long delegated work in tmux environments. Enhanced `/cost` visibility supports cost-aware routing and budget introspection in multi-turn workflows. _15 hardening fixes (not new primitives)._ --- ## 2.1.94 **Headline:** **Amazon Bedrock-powered inference via Mantle + default effort bump** — agents can now explicitly opt into Bedrock inference (Amazon's managed model endpoint) and will see higher default reasoning effort on provisioned compute, unlocking cost-aware and regulated-environment multi-provider inference. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | CLAUDE_CODE_USE_MANTLE=1 | env-var | Enable Amazon Bedrock powered by Mantle for inference | Added support for Amazon Bedrock powered by Mantle, set `CLAUDE_CODE_USE_MANTLE=1` | | /effort default shift | command/setting | Default effort level now medium→high for API-key, Bedrock, Vertex, Foundry, Team, and Enterprise users | Changed default effort level from medium to high for API-key, Bedrock/Vertex/Foundry, Team, and Enterprise users (control this with `/effort`) | | keep-coding-instructions | frontmatter field | Plugin output style control for preserving coding instructions in plugin-rendered output | Added `keep-coding-instructions` frontmatter field support for plugin output styles | | hookSpecificOutput.sessionTitle | hook parameter | Set session title from UserPromptSubmit hook via `UserPromptSubmit` hook specification | Added `hookSpecificOutput.sessionTitle` to `UserPromptSubmit` hooks for setting the session title | | Plugin skill frontmatter name precedence | behavior/setting | Plugin skills declared via `"skills": ["./"]` now use frontmatter `name` instead of directory basename for stable invocation name | Plugin skills declared via `"skills": ["./"]` now use the skill's frontmatter `name` for the invocation name instead of the directory basename, giving a stable name across install methods | | Slack MCP compact header | output feature | Compact `Slacked #channel` header with clickable channel link in send-message tool calls | Added compact `Slacked #channel` header with a clickable channel link for Slack MCP send-message tool calls | ### Workflow recipes - **Multi-Region Bedrock Inference + Session Instrumentation** — combines CLAUDE_CODE_USE_MANTLE=1 + hookSpecificOutput.sessionTitle. Agents running in regulated or cost-sensitive environments (healthcare, finance, on-premise) need to route inference to customer-owned Bedrock endpoints while maintaining audit trails. Dynamic session titling from hooks unlocks traced, multi-tenant reasoning pipelines where each invocation is named after its legal/operational context. Idea: A subagent orchestrator sets CLAUDE_CODE_USE_MANTLE=1 in its environment, then uses a UserPromptSubmit hook to dynamically set hookSpecificOutput.sessionTitle based on the customer ID and task context (e.g., "acme-legal-discovery-2026-06-09-run-3"). Bedrock routes to the ACME VPC endpoint; the session title appears in audit logs, billing records, and transcripts. Parallel agents inherit the title; downstream queries can reconstruct decision chains by session name. - **Stable Plugin Skill Composition + Hook-Driven Output Control** — combines Plugin skill frontmatter name precedence + keep-coding-instructions + hookSpecificOutput.sessionTitle. Plugin skills installed via "skills": ["./"] now have stable invocation names across package managers, and can opt into preserving coding context (instructions) in rendered output. Combined with dynamic session titling, agents can compose reusable skill stacks with deterministic names, audit-friendly output, and traced lineage. Idea: A plugin skill defined with name: "audit-ledger-query" in its frontmatter is always invoked as audit-ledger-query, never basename. Setting keep-coding-instructions: true in frontmatter ensures the rendered output includes the reasoning path, not just results. A UserPromptSubmit hook names the session "audit-ledger-2026-q2-batch-${batchId}". Skill composition becomes reproducible: the same skill-chain run on different data produces comparable audit trails. - **Silent Failure Elimination in Long-Agentic Sessions** — combines 429 error surfacing + scrollback fix + CJK stream-json fix + --resume cross-worktree + plugin hook visibility. Long-running agent workflows (multi-day data pipelines, batch processing) previously silenced rate-limit errors, corrupted multibyte streams, and lost scroll context. 2.1.94 surfaces these issues immediately and makes session resumption from sibling worktrees seamless, eliminating invisible failure modes that trap agents. Idea: A background task spawns Claude Code on a data pipeline. If a 429 hits, the error surfaces immediately instead of silently waiting. If UTF-8-split CJK characters corrupt, the error is caught in stream-json validation. If the session crashes mid-stream, --resume from a sibling worktree picks up the conversation directly, no cd gymnastics. Plugin hooks defined in YAML are now visible, so instrumentation hooks on task checkpoints fire reliably. **Agentic relevance:** The Mantle/Bedrock env-var and session-title hook parameters give agents explicit multi-provider inference control and dynamic session naming. The plugin skill frontmatter-name precedence and hook-output control enable stable, repeatable skill composition across install methods. The hardening wave (429 errors, plugin hook visibility, UTF-8 stream-json, terminal accessibility) eliminates silent failures and long-session degradation that could trap agentic workflows in invisible failure modes. _18 hardening fixes (not new primitives)._ --- ## 2.1.97 **Headline:** Focus view toggle in NO_FLICKER mode (`Ctrl+O`) — compact display of prompt, tool summaries with edit diffs, and final response. Reduces context switching for agents monitoring active work without full session visibility. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | Ctrl+O focus toggle | Keybinding | Toggles focus view in NO_FLICKER mode showing prompt, one-line tool summary with edit diffstats, and final response | Added focus view toggle (`Ctrl+O`) in `NO_FLICKER` mode showing prompt, one-line tool summary with edit diffstats, and final response | | refreshInterval | Setting | Re-runs the status line command every N seconds | Added `refreshInterval` status line setting to re-run the status line command every N seconds | | workspace.git_worktree | Status line JSON field | Populated in status line JSON input when current directory is inside a linked git worktree | Added `workspace.git_worktree` to the status line JSON input, set when the current directory is inside a linked git worktree | | ● N running indicator | UI indicator | Shows count of live subagent instances in `/agents` next to agent types | Added `● N running` indicator in `/agents` next to agent types with live subagent instances | | Cedar syntax highlighting | Capability | Syntax highlighting for Cedar policy files (`.cedar`, `.cedarpolicy` extensions) | Added syntax highlighting for Cedar policy files (`.cedar`, `.cedarpolicy`) | | CJK sentence punctuation completion | Capability | Slash command and `@`-mention completion triggers after CJK sentence punctuation without requiring space | Improved slash command and `@`-mention completion to trigger after CJK sentence punctuation, so Japanese/Chinese input no longer requires a space before `/` or `@` | ### Workflow recipes - **Compact Session Monitoring for Long Agent Runs** — combines Ctrl+O focus view toggle + refreshInterval status line setting + ● N running indicator. Multi-stage orchestrations (parent spawning subagents, chained delegations) need lightweight session inspection without burning context. The focus view collapses prompt/tool/response into one viewport; refreshable status line enables polling without re-reading; live agent count indicator surfaces orchestration depth at a glance. Idea: Agent oversight surfaces: parent session opens child subagent in split mode, displays focus view (Ctrl+O) with refreshInterval: 5 (5s poll). Status line shows running subagents via ● N running indicator; parent agent can scan tool summaries and edit diffs without expanding full response text. On long runs (30+ min), focus view reduces context thrash from repeated reads while maintaining decision velocity. - **Worktree-Isolated Subagent Orchestration with Transparency** — combines workspace.git_worktree status line field + subagent worktree isolation fix + /agents live indicator. Sparse worktrees isolate subagent filesystem mutations but previously leaked working directory back to parent, risking silent contamination. The 2.1.97 fix + workspace.git_worktree JSON field enable parent to verify isolation state in real time and route work accordingly. Idea: Orchestration rig: parent checks workspace.git_worktree in status JSON before spawning isolated subagent; if set, parent knows it's inside a worktree and can log it for transparency. On subagent return, parent re-checks workspace.git_worktree; if it's now unset, isolation held. Failing that, parent can surface "WARNING: worktree isolation leaked" and defer mutation. Layered with the 2.1.97 fix, this prevents parent/child cwd confusion in repos with deep branching patterns. - **Cedar Policy Authoring with Live Syntax Feedback** — combines Cedar syntax highlighting + CJK sentence punctuation completion. Cedar (AWS IAM policy language) is domain-specific; full highlighting is new in 2.1.97. CJK punctuation support removes friction for multi-language policy teams. Together, they enable fluent authoring without space-padding syntax completion. Idea: Agent writes Cedar policies in-repo: new .cedar files trigger syntax highlighting immediately. Agents (or human co-authors with CJK keyboards) compose policies without fighting space-before-/ requirements; completion triggers on 、 (ideographic comma), 。 (ideographic period), or ! (full-width exclamation), speeding up policy synthesis in multilingual orgs. Pairs well with structured validation checks. **Agentic relevance:** The focus view toggle (`Ctrl+O`) and refreshable status line (`refreshInterval`) enable agents to monitor long-running sessions compactly without full context overhead. The `workspace.git_worktree` field and subagent live-instance indicator support orchestration and multi-agent workflows. Cedar syntax highlighting and CJK input completion expand language/policy domain coverage. Most changes are hardening-focused: permission fixes prevent silent failures in Accept Edits mode, MCP/OAuth robustness prevents credential/buffer leaks, and transcript persistence fixes ensure agent continuity on resume. _39 hardening fixes (not new primitives)._ --- ## 2.1.98 **Headline:** Monitor tool — a first-class tool for streaming events from background scripts. Fills a long-standing gap: agents running background processes had no native way to observe stdout line-by-line; Monitor closes that loop and enables reactive agentic pipelines without polling hacks. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | Monitor tool | tool | Stream events from background scripts line-by-line | Added Monitor tool for streaming events from background scripts | | CLAUDE_CODE_PERFORCE_MODE | env-var | Causes Edit/Write/NotebookEdit to fail on read-only files with a `p4 edit` hint instead of silently overwriting them | Added `CLAUDE_CODE_PERFORCE_MODE` env var: when set, Edit/Write/NotebookEdit fail on read-only files with a `p4 edit` hint instead of silently overwriting them | | CLAUDE_CODE_SUBPROCESS_ENV_SCRUB + PID namespace isolation | env-var/capability | Enables subprocess sandboxing with PID namespace isolation on Linux | Added subprocess sandboxing with PID namespace isolation on Linux when `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB` is set, and `CLAUDE_CODE_SCRIPT_CAPS` env var to limit per-session script invocations | | CLAUDE_CODE_SCRIPT_CAPS | env-var | Limits per-session script invocations | Added subprocess sandboxing with PID namespace isolation on Linux when `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB` is set, and `CLAUDE_CODE_SCRIPT_CAPS` env var to limit per-session script invocations | | --exclude-dynamic-system-prompt-sections | flag | Print mode flag for improved cross-user prompt caching by excluding dynamic sections | Added `--exclude-dynamic-system-prompt-sections` flag to print mode for improved cross-user prompt caching | | workspace.git_worktree (re-listed) | capability | **NOT new in 2.1.98** — first shipped in **2.1.97** (identical status-line JSON field). 2.1.98 re-lists it with a near-identical changelog line; demoted to an "already shipped" annotation per RECONCILIATION.md (mirrors the `/effort xhigh` handling in 2.1.154). | Added `workspace.git_worktree` to the status line JSON input, set whenever the current directory is inside a linked git worktree | | TRACEPARENT env var in Bash subprocesses | env-var | W3C TRACEPARENT injected into Bash tool subprocesses when OTEL tracing enabled, so child spans parent correctly | Added W3C `TRACEPARENT` env var to Bash tool subprocesses when OTEL tracing is enabled, so child-process spans correctly parent to Claude Code's trace tree | | Google Vertex AI setup wizard | capability | Interactive wizard from the login screen for GCP auth, project/region config, credential verification, and model pinning | Added interactive Google Vertex AI setup wizard accessible from the login screen when selecting '3rd-party platform', guiding you through GCP authentication, project and region configuration, credential verification, and model pinning | | LSP clientInfo identification | capability | Claude Code now identifies itself to language servers via `clientInfo` in the initialize request | LSP: Claude Code now identifies itself to language servers via `clientInfo` in the initialize request | ### Workflow recipes - **Reactive Build-Monitor Agent** — combines Monitor tool + workspace.git_worktree status field. Monitor gives agents a native event stream from background processes; workspace.git_worktree lets a hook or status-line integration know which worktree the agent is operating in. Together, a multi-worktree agent setup can launch a background build/test process in each worktree and route Monitor events back to the correct parent agent context — without polling and without conflating worktree identity. Idea: Orchestrator spawns one subagent per linked worktree. Each subagent runs its build script via Bash with run_in_background, then attaches Monitor to stream stdout. The workspace.git_worktree field in the status line JSON lets each agent confirm its worktree identity before acting on Monitor events. Parent agent collects first-failure lines and synthesizes a cross-worktree health report. - **Sandboxed Script-Capped Agentic CI** — combines CLAUDE_CODE_SUBPROCESS_ENV_SCRUB (PID namespace isolation) + CLAUDE_CODE_SCRIPT_CAPS + Monitor tool. Subprocess sandboxing with PID namespace isolation prevents runaway child processes from escaping their session boundary; CLAUDE_CODE_SCRIPT_CAPS provides a hard cap on total script invocations so a misbehaving agent loop cannot exhaust the environment. Pairing both with Monitor lets an operator-controlled harness watch script output in real time while enforcing execution budgets — a meaningful step toward safe autonomous CI without a full container wrapper. Idea: In a Linux CI environment, set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 and CLAUDE_CODE_SCRIPT_CAPS= before launching a headless Claude Code agent on a PR. The agent runs test/lint scripts; Monitor streams their output to the parent for structured result extraction. If the script cap is hit, the agent surfaces residue rather than spinning indefinitely. The PID namespace isolation ensures no subprocess outlives the session. **Agentic relevance:** The Monitor tool is the headline agentic primitive: it enables reactive agent loops that observe background process output line-by-line without polling, unblocking event-driven pipeline patterns. The `CLAUDE_CODE_SCRIPT_CAPS` + subprocess sandboxing env vars give operators a new control surface for limiting and isolating script execution in multi-agent deployments. (The `workspace.git_worktree` status field — already shipped in 2.1.97, re-listed here — remains relevant for worktree-aware hooks and parallel worktree agent patterns common in this repo.) _49 hardening fixes (not new primitives)._ --- ## 2.1.101 **Headline:** **`/team-onboarding` command** — generates a teammate ramp-up guide from your local Claude Code usage patterns. Enables knowledge transfer and onboarding automation without manual documentation. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /team-onboarding | command | Generate a teammate ramp-up guide from your local Claude Code usage | Added `/team-onboarding` command to generate a teammate ramp-up guide from your local Claude Code usage | | CLAUDE_CODE_CERT_STORE=bundled | env-var | Override to use only bundled CAs instead of OS CA certificate store trust | Added OS CA certificate store trust by default, so enterprise TLS proxies work without extra setup (set `CLAUDE_CODE_CERT_STORE=bundled` to use only bundled CAs) | | /ultraplan auto-environment | capability | Remote-session features now auto-create a default cloud environment instead of requiring web setup first | `/ultraplan` and other remote-session features now auto-create a default cloud environment instead of requiring web setup first | | OTEL_LOG_USER_PROMPTS | env-var | Beta tracing can now be configured to log user prompts | Improved beta tracing to honor `OTEL_LOG_USER_PROMPTS`, `OTEL_LOG_TOOL_DETAILS`, and `OTEL_LOG_TOOL_CONTENT`; sensitive span attributes are no longer emitted unless opted in | | OTEL_LOG_TOOL_DETAILS | env-var | Beta tracing can now be configured to log tool details | Improved beta tracing to honor `OTEL_LOG_USER_PROMPTS`, `OTEL_LOG_TOOL_DETAILS`, and `OTEL_LOG_TOOL_CONTENT`; sensitive span attributes are no longer emitted unless opted in | | OTEL_LOG_TOOL_CONTENT | env-var | Beta tracing can now be configured to log tool content | Improved beta tracing to honor `OTEL_LOG_USER_PROMPTS`, `OTEL_LOG_TOOL_DETAILS`, and `OTEL_LOG_TOOL_CONTENT`; sensitive span attributes are no longer emitted unless opted in | ### Workflow recipes - **Automated Team Onboarding with Remote Agents** — combines /team-onboarding command + /ultraplan auto-environment + OTEL tracing env-vars. Team ramp-up guides paired with auto-provisioned remote environments enable agents to train peers asynchronously without manual setup. Tracing visibility lets coordinators audit what knowledge was transferred and where agents struggled. Idea: Agent A runs /team-onboarding to extract the team's accumulated Claude Code patterns and best practices from local session history. Agent B uses /ultraplan auto-environment to instantly spawn a cloud workspace for peer training. A configures OTEL_LOG_USER_PROMPTS=true to record the teaching loop, then synthesizes a report for future agents to learn from without repeating queries. - **Enterprise Proxy with Traceable Cloud Orchestration** — combines CLAUDE_CODE_CERT_STORE=bundled env-var + /ultraplan auto-environment + improved refusal/rate-limit error messages. Teams behind enterprise TLS proxies can now trust the OS CA store (or pin to bundled), auto-create remote sessions without web friction, and see transparent error messages when hitting rate limits or API refusals — enabling agents to retry or escalate intelligently. Idea: Admin sets CLAUDE_CODE_CERT_STORE=bundled in managed settings; agents spawn /ultraplan cloud environments that inherit the config and immediately operate behind the corporate proxy. When rate-limited, agents read the reset timestamp from the improved error message and queue themselves for retry. Failed API calls now include the full refusal reason, letting coordination layers route work to fallback models. - **Resilient Multi-Agent Session Recovery** — combines Hardened --resume/--continue chain recovery + isolated worktree file access fixes + permissions.deny override fixes. Subagents can now safely resume interrupted sessions from deep isolation, read/write files in their own worktree without permission barriers, and have deny rules properly enforced. This unlocks durable conversation recovery across agent handoffs without loss or privilege escalation. Idea: Agent A starts a large document analysis in parallel worktrees, hits an infrastructure failure mid-run, and resume picks up the live conversation from the branching point. Agent B inherits the resume and reads intermediate analysis files within the worktree without waiting for permission dialogs. Deny rules for sensitive paths are now enforced even when hooks attempt to override them, so agents can't accidentally escalate to files they shouldn't touch. **Agentic relevance:** The `/team-onboarding` command and auto-environment creation for `/ultraplan` unlock better multi-agent orchestration by reducing setup friction and capturing institutional knowledge. The new tracing env-vars (`OTEL_LOG_*`) enable agents to debug and audit their own operations at scale. Together with 40+ hardening fixes targeting session recovery, permissions, and tool availability, this version stabilizes the foundation for reliable agent delegation and resume workflows. _42 hardening fixes (not new primitives)._ --- ## 2.1.105 **Headline:** **`EnterWorktree` path parameter** enables worktree navigation without re-parsing repository state—a quiet efficiency gain for multi-worktree session continuity and agent branch-switching workflows. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | EnterWorktree path parameter | tool parameter | Switch into an existing worktree of the current repository | Added `path` parameter to the `EnterWorktree` tool to switch into an existing worktree of the current repository | | PreCompact hook decision:block | hook capability | Block compaction by exiting with code 2 or returning `{"decision":"block"}` | Added PreCompact hook support: hooks can now block compaction by exiting with code 2 or returning `{"decision":"block"}` | | Plugin monitors manifest key | manifest field | Auto-arm background monitors at session start or on skill invoke | Added background monitor support for plugins via a top-level `monitors` manifest key that auto-arms at session start or on skill invoke | | /proactive command | command alias | Alias for `/loop` | `/proactive` is now an alias for `/loop` | ### Workflow recipes - **Persistent multi-branch session fusion** — combines EnterWorktree path parameter + PreCompact hook decision:block. Agents managing multiple concurrent PR branches can now navigate existing worktrees by path (not re-entry) and guard compaction when critical session state spans branches, enabling continuous session semantics across branch switches without state loss. Idea: Agent spawns multi-PR review loop: enter branch A (path-based), gather context, prepare compact decision, block compaction (PreCompact hook) if session semantics cross-cut branches. Switch to branch B via EnterWorktree path, continue synthesis. Exit with coherent session and defer compaction until branch-local boundaries are clear. - **Plugin observability layer** — combines Plugin monitors manifest key + improved MCP large-output truncation recipes. Plugins can now auto-arm background monitors at skill invocation, paired with format-aware truncation prompts (jq, chunk-size recipes), enabling plugins to maintain live observability without manual hook plumbing or UI state loss. Idea: Marketplace plugin (e.g., deployment watcher) declares monitors in manifest. On skill invoke, monitor auto-arms and streams deployment status. When output exceeds token budget, truncation prompt suggests format-specific recipes. Agent can switch to branch, invoke plugin, resume monitoring across session. **Agentic relevance:** The `EnterWorktree` path parameter and PreCompact hook block capability directly serve multi-branch agentic workflows and session continuity; plugin background monitors unlock persistent observability patterns. `/proactive` as `/loop` alias is convenience, not structural. The hardening volume is substantial—stream resilience, MCP reliability, and session state fixes reduce agent retry loops and improve dark-matter failure observability. Overall, 2.1.105 is hardening-heavy with four small net-new user-facing primitives; agents benefit most from improved reliability than new capability. _33 hardening fixes (not new primitives)._ --- ## 2.1.108 **Headline:** **Prompt caching control and session recap** unlock fine-grained performance tuning and context continuity. Fine TTL control (5m/1h) enables agents to trade cache freshness for latency on data-update-sensitive tasks; recap surfaces automatic context recovery for interrupted sessions. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | ENABLE_PROMPT_CACHING_1H | env-var | Opt into 1-hour prompt cache TTL on API key, Bedrock, Vertex, and Foundry | Added `ENABLE_PROMPT_CACHING_1H` env var to opt into 1-hour prompt cache TTL on API key, Bedrock, Vertex, and Foundry | | FORCE_PROMPT_CACHING_5M | env-var | Force 5-minute TTL for prompt caching | and `FORCE_PROMPT_CACHING_5M` to force 5-minute TTL | | /recap | command | Manually invoke session recap; provides context when returning | Added recap feature to provide context when returning to a session, configurable in `/config` and manually invocable with `/recap` | | CLAUDE_CODE_ENABLE_AWAY_SUMMARY | env-var | Force recap feature when telemetry is disabled | force with `CLAUDE_CODE_ENABLE_AWAY_SUMMARY` if telemetry disabled | | Model slash-command discovery | capability | The model can now discover and invoke built-in slash commands via the Skill tool | The model can now discover and invoke built-in slash commands like `/init`, `/review`, and `/security-review` via the Skill tool | | /undo | command | Alias for `/rewind` | `/undo` is now an alias for `/rewind` | ### Workflow recipes - **Latency-Adaptive Polling Agent** — combines FORCE_PROMPT_CACHING_5M + ENABLE_PROMPT_CACHING_1H + /recap. Agents can now trade cache freshness for latency by selecting cache TTL per task phase. 5-minute TTL suits rapid-feedback loops (deployment polls, test retries); 1-hour TTL suits stable-state tasks (report generation, batch processing). Idea: An agent orchestrating a multi-phase workflow (e.g., deploy → monitor → report) can set FORCE_PROMPT_CACHING_5M for the monitoring loop (immediate feedback on state changes), then ENABLE_PROMPT_CACHING_1H for batch reporting (amortize cache hits across long-running compilations). On resumed sessions, /recap restores context without re-reading full transcripts, enabling interrupt-tolerant agent loops that skip redundant setup. - **Self-Discovering Agent Tool Chains** — combines Model slash-command discovery + /recap + improved /resume defaults. Agents spawn with built-in slash commands automatically available for discovery (no teach-in required), and session recovery is seamless by default (local-project focus, recap context). This reduces setup friction when agents fork, resume, or run across repo boundaries. Idea: A multi-phase agent (e.g., foundation3-execution-delegate) can call /init to scaffold, then /security-review for gate-keeping, without explicit Skill tool invocation for each command—the model discovers them. Resumed delegated agents pull context via /recap and default to the project's session pool, avoiding cross-project context pollution. - **Cache-Aware Error Recovery** — combines Improved error messages (rate limit vs. plan limits) + FORCE_PROMPT_CACHING_5M + startup cache warning. Agents can now distinguish transient limits (rate limiting, recoverable with backoff and tighter cache) from terminal limits (plan exhaustion). Startup warnings surface cache misconfiguration early, preventing silent cache bypass. Idea: An agent polling an external service can catch a 429/rate-limit error, activate FORCE_PROMPT_CACHING_5M to reduce token pressure, and retry. If the error is plan-limit, it logs immediately instead of failing silently. On startup, agents running under cost constraints check for disabled caching and warn, enabling proactive tuning before task execution. **Agentic relevance:** Cache TTL control enables agents to balance speed vs. freshness on task-specific schedules; `/recap` and improved session defaults reduce context-reestablishment overhead. Model-native slash-command discovery lifts agent autonomy by making built-in tools self-discoverable, reducing explicit teach-in cycles. _20 hardening fixes (not new primitives)._ --- ## 2.1.110 **Headline:** TUI fullscreen rendering + Push notifications: interactive experience upgrades bringing flicker-free rendering to focused work and async notification capability to remote/mobile clients. Enables longer-form agent conversations without terminal flicker and lets Claude proactively notify the user when remote. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /tui command | command | Switch to flicker-free rendering in the same conversation | Added `/tui` command and `tui` setting — run `/tui fullscreen` to switch to flicker-free rendering in the same conversation | | tui setting | setting | Configure fullscreen rendering mode | Added `/tui` command and `tui` setting — run `/tui fullscreen` to switch to flicker-free rendering in the same conversation | | push notification tool | tool | Claude can send mobile push notifications when Remote Control and "Push when Claude decides" config are enabled | Added push notification tool — Claude can send mobile push notifications when Remote Control and "Push when Claude decides" config are enabled | | /focus command | command | Toggle focus view separately from transcript view | Changed `Ctrl+O` to toggle between normal and verbose transcript only; focus view is now toggled separately with the new `/focus` command | | autoScrollEnabled config | setting | Disable conversation auto-scroll in fullscreen mode | Added `autoScrollEnabled` config to disable conversation auto-scroll in fullscreen mode | | Ctrl+G editor context option | setting/capability | Show Claude's last response as commented context in external editor | Added option to show Claude's last response as commented context in the `Ctrl+G` external editor (enable via `/config`) | | --resume/--continue task resurrection | flag/capability | Resurrect unexpired scheduled tasks on session resume | `--resume`/`--continue` now resurrects unexpired scheduled tasks | | Remote Control slash-command support | capability | `/context`, `/exit`, and `/reload-plugins` now work from Remote Control (mobile/web) clients | `/context`, `/exit`, and `/reload-plugins` now work from Remote Control (mobile/web) clients | | TRACEPARENT/TRACESTATE env support | env-var | SDK/headless sessions now read distributed trace linking from environment | SDK/headless sessions now read `TRACEPARENT`/`TRACESTATE` from the environment for distributed trace linking | | CLAUDE_CODE_ENABLE_AWAY_SUMMARY env-var | env-var | Opt out of session recap for users with telemetry disabled | Session recap is now enabled for users with telemetry disabled (Bedrock, Vertex, Foundry, `DISABLE_TELEMETRY`). Opt out via `/config` or `CLAUDE_CODE_ENABLE_AWAY_SUMMARY=0`. | ### Workflow recipes - **Async-aware scheduled agent with mobile notifications** — combines --resume/--continue task resurrection + push notification tool + Remote Control slash-command support. Scheduled agents (via --resume) can now resurrect unexpired tasks, send mobile push notifications when decisions require user input, and execute remote commands from mobile/web clients. This unlocks fully async agent delegation where the agent runs on a schedule, makes progress, and notifies the user to review/approve via mobile before resuming. Idea: Create a scheduled agent workflow for high-stakes decisions (deal review, prospect intake, compliance checks). The agent runs on cron, processes queued work, resurrects any prior session tasks via --resume, and when it encounters a decision gate, sends a push notification. The user reviews on mobile via Remote Control, executes /context or /exit to pass direction, and the agent resumes in the background. This enables multi-day agent execution with minimal user interruption while keeping the user async-aware. - **Flicker-free interactive refactoring with scheduled resume checkpoints** — combines /tui fullscreen + /focus command + --resume/--continue task resurrection. Agents can now work in a flicker-free TUI mode (/tui fullscreen), toggle focus to hide distracting elements (/focus), and persist checkpoints by exiting and resuming via --resume. This unlocks long-running interactive refactoring sessions where the agent can take clean breakpoints without losing context. Idea: For large codebase refactoring tasks, spawn an agent in fullscreen TUI mode (/tui fullscreen), enable focus mode (/focus) to suppress transcript noise, and structure the work as a series of checkpoint tasks. The agent completes one refactoring chunk, exits cleanly, and the scheduler resumes the session via --resume --continue to pick up the next chunk. The flicker-free rendering keeps the focus sharp, and the checkpoint pattern allows graceful interruption and observability. - **Distributed-trace-aware cloud agent observability pipeline** — combines TRACEPARENT/TRACESTATE env support + SDK/headless sessions. Cloud-orchestrated agents can now link their execution traces to parent traces via environment variables, enabling end-to-end observability when agents are spawned by a parent service or orchestrator (e.g., a Temporal workflow, a Dagster job, or a cloud function). Idea: Build a cloud-native agent orchestration layer where parent services inject TRACEPARENT and TRACESTATE headers into the agent environment. When agents run via SDK or headless mode, they automatically read and forward these traces, making every agent turn observable in a unified distributed-trace backend (e.g., Datadog, Jaeger, Honeycomb). This unlocks multi-agent workflows with full visibility into latency, error propagation, and decision trees across the fleet. **Agentic relevance:** The `/tui` command and push notification tool enable agents to work in flicker-free environments and send async notifications to remote/mobile clients when decisions or results require user attention. The expanded Remote Control support (`/context`, `/exit`, `/reload-plugins`) and task resurrection via `--resume`/`--continue` unlock headless/scheduled agent patterns. The distributed trace linking (`TRACEPARENT`/`TRACESTATE`) unlocks agent observability in cloud environments, critical for multi-turn cloud orchestration. _24 hardening fixes (not new primitives)._ --- ## 2.1.111 [fan-out] **Headline:** `/ultrareview` ships cloud-based parallel multi-agent code review — the only new primitive in this release that is itself an agent-orchestration mechanism, directly mirroring the fan-out pattern this test instruments. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /ultrareview | command | New slash command that runs comprehensive code review in the cloud using parallel multi-agent analysis and critique; with no args reviews the current branch, or `/ultrareview ` fetches and reviews a specific GitHub PR. | Added `/ultrareview` for running comprehensive code review in the cloud using parallel multi-agent analysis and critique — invoke with no arguments to review your current branch, or `/ultrareview ` to fetch and review a specific GitHub PR | | /less-permission-prompts | command | New skill/command that scans transcripts for common read-only Bash and MCP tool calls and proposes a prioritized allowlist for `.claude/settings.json`. | Added `/less-permission-prompts` skill — scans transcripts for common read-only Bash and MCP tool calls and proposes a prioritized allowlist for `.claude/settings.json` | | xhigh | capability | New effort level for Opus 4.7 sitting between `high` and `max`, selectable via `/effort`, `--effort`, and the model picker; other models fall back to `high`. | Added `xhigh` effort level for Opus 4.7, sitting between `high` and `max`. Available via `/effort`, `--effort`, and the model picker; other models fall back to `high` | | PowerShell tool | tool | New (progressively rolling out) PowerShell tool on Windows, opt-in/out via `CLAUDE_CODE_USE_POWERSHELL_TOOL`; on Linux/macOS enable with `CLAUDE_CODE_USE_POWERSHELL_TOOL=1` (requires `pwsh` on PATH). The env var is the new control surface for this tool. | Windows: PowerShell tool is progressively rolling out. Opt in or out with `CLAUDE_CODE_USE_POWERSHELL_TOOL`. On Linux and macOS, enable with `CLAUDE_CODE_USE_POWERSHELL_TOOL=1` (requires `pwsh` on PATH) | | OTEL_LOG_RAW_API_BODIES | env-var | New environment variable that emits full API request and response bodies as OpenTelemetry log events for debugging. | Added `OTEL_LOG_RAW_API_BODIES` environment variable to emit full API request and response bodies as OpenTelemetry log events for debugging | | Auto (match terminal) theme | setting | New theme option that matches the terminal's dark/light mode, selectable from `/theme`. Low-importance UI setting primitive. | Added "Auto (match terminal)" theme option that matches your terminal's dark/light mode — select it from `/theme` | **Agentic relevance:** This version pushes the agent-orchestration frontier mainly through `/ultrareview`, which exposes cloud-based parallel multi-agent code review as a first-class command — fan-out review becomes a built-in primitive rather than something an operator must wire by hand. `/less-permission-prompts` and the glob/`cd`-prefix permission relaxations reduce interrupt friction in long autonomous runs, while `OTEL_LOG_RAW_API_BODIES` and the xhigh effort tier give orchestrators finer observability and compute-vs-latency control over delegated agents. _29 hardening fixes (not new primitives)._ --- ## 2.1.113 **Headline:** **Native binary spawn + sandbox network filtering** — Claude Code now runs as a native platform binary instead of bundled JavaScript, and administrators/users can surgically block specific domains even under broad `allowedDomains` wildcards. This shifts CLI performance and security policy control to fine-grained network isolation on each platform. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | sandbox.network.deniedDomains | setting | Block specific domains even when a broader `allowedDomains` wildcard would permit them | Added `sandbox.network.deniedDomains` setting to block specific domains even when a broader `allowedDomains` wildcard would otherwise permit them | | Native Claude Code binary | infrastructure | CLI spawns native per-platform binary instead of bundled JavaScript | Changed the CLI to spawn a native Claude Code binary (via a per-platform optional dependency) instead of bundled JavaScript | | Fullscreen Shift+↑/↓ selection scrolling | capability | Shift+↑/↓ now scrolls viewport when extending selection past visible edge | Fullscreen mode: Shift+↑/↓ now scrolls the viewport when extending a selection past the visible edge | | Ctrl+A / Ctrl+E multiline readline behavior | keybinding | Move to start/end of current logical line in multiline input, matching readline | `Ctrl+A` and `Ctrl+E` now move to the start/end of the current logical line in multiline input, matching readline behavior | | Windows Ctrl+Backspace word deletion | keybinding | Delete previous word on Windows | Windows: `Ctrl+Backspace` now deletes the previous word | | URL clickability across wrapped lines | capability | Long URLs stay clickable when wrapped in terminals with OSC 8 hyperlinks | Long URLs in responses and bash output stay clickable when they wrap across lines (in terminals with OSC 8 hyperlinks) | | /loop Esc cancellation | command enhancement | Pressing Esc cancels pending `/loop` wakeups and shows "Claude resuming /loop wakeup" for clarity | Improved `/loop`: pressing Esc now cancels pending wakeups, and wakeups display as "Claude resuming /loop wakeup" for clarity | | /extra-usage on Remote Control | command availability | `/extra-usage` now works from Remote Control (mobile/web) clients | `/extra-usage` now works from Remote Control (mobile/web) clients | | @-file autocomplete on Remote Control | query capability | Remote Control clients can query `@`-file autocomplete suggestions | Remote Control clients can now query `@`-file autocomplete suggestions | | /ultrareview parallelized launch | command enhancement | Faster `/ultrareview` launch with parallelized checks, diffstat in dialog, and animated state | Improved `/ultrareview`: faster launch with parallelized checks, diffstat in the launch dialog, and animated launching state | ### Workflow recipes - **Restricted Remote Agent Orchestration** — combines sandbox.network.deniedDomains + /extra-usage on Remote Control + Bash wrapper-matching security rules. Multi-tier agent sandboxing now possible on remote (mobile/web) clients — a desktop session can spawn subagents running against filtered network surfaces, with explicit /extra-usage provisioning visible to remote operators, and deny rules that catch sophistication attempts (wrapped sudo/env escapes). Idea: Build a remote agent-monitoring dashboard on a phone or tablet that queries @-file autocomplete to discover available subagent specs, provisions /extra-usage for long-context runs, and watches Bash denials in real-time as subagents attempt wrapped-command escapes. The deniedDomains setting enforces organizational firewall rules even when parent wildcard rules are broad, letting a central admin block internal APIs while subagents run against public surfaces. - **Full-Screen Responsive Selection Prompting** — combines Fullscreen Shift+↑/↓ selection scrolling + Ctrl+A/Ctrl+E readline behavior + slash/@ menu flush positioning. Multiline prompt composition in fullscreen mode now responds to readline keybindings and viewport-aware selection, matching muscle memory from terminal shells and closing the UX gap for agents drafting complex prompts without intermediate escapes to the terminal. Idea: An agent or human composing a multi-step prompt in fullscreen mode can use Ctrl+A/Ctrl+E to jump to logical-line boundaries (useful when constructing prompts with multiple @-references across separate paragraphs), Shift+↑/↓ to extend selections while the viewport scrolls, and rely on / and @ completion menus sitting flush against the prompt edge for immediate scanability. This is particularly useful for workflow agents that iteratively refine prompts based on previous runs. **Agentic relevance:** The native binary shift enables platform-specific optimizations and sandboxing at startup time rather than runtime JIT. The `deniedDomains` setting and Bash wrapper-matching security improvements give agents finer control over sandboxed resource access — particularly relevant for long-running agents that bridge multiple external APIs and need to enforce strict network boundaries. The Remote Control `/extra-usage` and autocomplete availability extend agent-managed workflows to mobile/web clients, though full agentic composition still requires desktop Claude Code. _28 hardening fixes (not new primitives)._ --- ## 2.1.118 **Headline:** **Hooks invoking MCP tools directly** (`type: "mcp_tool"`) — hooks can now call MCP servers as first-class invocations, enabling agent verifiers, auto-mode rule checkers, and session orchestration logic to reach external services without wrapping them in bash or shimming through tool-call syntax. This unlocks tighter MCP integration into the Claude Code control plane. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | vim visual mode (v, V) | capability | Select text and apply operators in visual and visual-line mode with selection and visual feedback | Added vim visual mode (`v`) and visual-line mode (`V`) with selection, operators, and visual feedback | | /theme + ~/.claude/themes/ + plugin themes | capability | Create, switch between, hand-edit named custom themes; plugins can ship themes via a `themes/` directory | Create and switch between named custom themes from `/theme`, or hand-edit JSON files in `~/.claude/themes/`; plugins can also ship themes via a `themes/` directory | | type: "mcp_tool" hooks | hook | Hooks can invoke MCP tools directly instead of wrapping them in bash | Hooks can now invoke MCP tools directly via `type: "mcp_tool"` | | DISABLE_UPDATES env var | env-var | Completely block all update paths including manual `claude update` — stricter than `DISABLE_AUTOUPDATER` | Added `DISABLE_UPDATES` env var to completely block all update paths including manual `claude update` — stricter than `DISABLE_AUTOUPDATER` | | wslInheritsWindowsSettings policy key | setting | WSL on Windows can inherit Windows-side managed settings | WSL on Windows can now inherit Windows-side managed settings via the `wslInheritsWindowsSettings` policy key | | autoMode "$defaults" token | setting | Include `"$defaults"` in `autoMode.allow`, `autoMode.soft_deny`, or `autoMode.environment` to add custom rules alongside the built-in list | Auto mode: include `"$defaults"` in `autoMode.allow`, `autoMode.soft_deny`, or `autoMode.environment` to add custom rules alongside the built-in list instead of replacing it | | claude plugin tag command | command | Create release git tags for plugins with version validation | Added `claude plugin tag` to create release git tags for plugins with version validation | ### Workflow recipes - **Agent-driven MCP verification in auto-mode** — combines type: "mcp_tool" hooks + "$defaults" auto-mode token. Hooks invoking MCP tools directly, combined with the ability to layer custom auto-allow rules alongside built-ins, unlock verifier hooks that can consult external services (MCP-backed databases, APIs, permission servers) before accepting or auto-allowing a user's command. Idea: Configure a Stop hook with type: "mcp_tool" to query an MCP-connected policy server; use "$defaults" in autoMode.allow to add org-specific auto-allow patterns (e.g., "if MCP policy server says ✓, allow") alongside the default rules. This decouples permission logic from the Claude Code hardcoded rules and lets orgs implement dynamic, MCP-backed policies. - **Plugin-branded agent environments with release tagging** — combines custom themes via plugin themes/ directory + claude plugin tag command. Plugins can now ship custom themes, and developers have a version-validated release mechanism (claude plugin tag) to ensure theme definitions are stable across plugin versions. This enables agent scaffolding tools to brand their plugin environments (color palette, UI theme) and release them alongside code updates. Idea: A plugin that vends agent scaffolding or verification logic can include a themes/ directory with branded themes (e.g., "agent-verifier-dark", "audit-trail-minimal"). Use claude plugin tag to create a versioned release; users installing the plugin get the bundled theme auto-available in /theme, and agents running in the plugin's namespace can switch to the branded theme via session config or hook logic. **Agentic relevance:** The `type: "mcp_tool"` hook primitive enables agent-driven MCP integration at the Claude Code control plane level — verifier hooks can now invoke MCP servers directly to validate or query state without wrapping calls in bash. The `"$defaults"` auto-mode token and custom theme shipping via plugins compose with this to unlock plugin-defined verification rules and branded agent environments. This is the strongest agent-facing win in the release. _27 hardening fixes (not new primitives)._ --- ## 2.1.119 **Headline:** Settings persistence with override precedence — `/config` settings now persist to `~/.claude/settings.json` and participate in project/local/policy override precedence, enabling stable per-context configuration without manual CLI flags. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /config settings persistence | setting | Saves theme, editor mode, verbose, etc. to `~/.claude/settings.json` with project/local/policy override precedence | `/config` settings (theme, editor mode, verbose, etc.) now persist to `~/.claude/settings.json` and participate in project/local/policy override precedence | | prUrlTemplate | setting | Points the footer PR badge at a custom code-review URL instead of github.com | Added `prUrlTemplate` setting to point the footer PR badge at a custom code-review URL instead of github.com | | CLAUDE_CODE_HIDE_CWD | env-var | Hides the working directory in the startup logo | Added `CLAUDE_CODE_HIDE_CWD` environment variable to hide the working directory in the startup logo | | --from-pr (extended) | flag | Accepts GitLab merge-request, Bitbucket pull-request, and GitHub Enterprise PR URLs, not just github.com | `--from-pr` now accepts GitLab merge-request, Bitbucket pull-request, and GitHub Enterprise PR URLs | | --print with frontmatter gates | flag | `--print` mode now honors `tools:` and `disallowedTools:` frontmatter, matching interactive-mode behavior | `--print` mode now honors the agent's `tools:` and `disallowedTools:` frontmatter, matching interactive-mode behavior | | --agent permissionMode | flag | `--agent ` now honors the agent definition's `permissionMode` for built-in agents | `--agent ` now honors the agent definition's `permissionMode` for built-in agents | | PowerShell auto-approval | capability | PowerShell tool commands can now be auto-approved in permission mode, matching Bash behavior | PowerShell tool commands can now be auto-approved in permission mode, matching Bash behavior | | PostToolUse / PostToolUseFailure duration_ms | hook | Hook inputs now include `duration_ms` (tool execution time, excluding permission prompts and PreToolUse hooks) | Hooks: `PostToolUse` and `PostToolUseFailure` hook inputs now include `duration_ms` (tool execution time, excluding permission prompts and PreToolUse hooks) | | blockedMarketplaces enforcement | setting | Security: now correctly enforces `hostPattern` and `pathPattern` entries | Security: `blockedMarketplaces` now correctly enforces `hostPattern` and `pathPattern` entries | | Status line effort.level / thinking.enabled | hook | stdin JSON output now includes `effort.level` and `thinking.enabled` | Status line: stdin JSON now includes `effort.level` and `thinking.enabled` | ### Workflow recipes - **Observability-Driven Tool Chain Tuning** — combines PostToolUse/PostToolUseFailure duration_ms + CLAUDE_CODE_HIDE_CWD + custom prUrlTemplate. Hook-level latency telemetry enables agents to profile and optimize tool chains in secure multi-tenant or branded environments without exposing working directories. Idea: 1. Configure CLAUDE_CODE_HIDE_CWD=1 to strip filesystem paths from session context. 2. Set prUrlTemplate to an internal code-review endpoint for PR badge links. 3. In PostToolUse and PostToolUseFailure hooks, collect duration_ms metrics and emit them to an observability backend. 4. Use aggregated latencies to detect slow tools, retry patterns, or permission bottlenecks without leaking project structure. 5. Steer agent decisions (e.g., prefer faster tool alternatives) based on accumulated performance data. - **Enterprise SCM + Persistent Config for Repeatable Agents** — combines --from-pr (extended to GitLab/Bitbucket/GHE) + /config settings persistence + --agent permissionMode. Multi-SCM PR ingestion combined with persistent agent configuration enables repeatable, org-standardized code review and CI workflows across diverse git platforms without manual CLI flag management. Idea: 1. Define an agent with permissionMode: "auto" (or "limited") and save it to .agents/custom-reviewer.yaml. 2. Configure /config once with custom prUrlTemplate pointing to internal review system, theme, and verbose level. 3. Invoke claude-code --agent custom-reviewer --from-pr where can be a GitHub Enterprise PR, GitLab merge request, or Bitbucket PR URL. 4. Agent respects both the stored permission mode and persistent settings; no CLI flag repetition across builds. 5. Hook duration_ms telemetry feeds back into CI/CD performance dashboards for SLA tracking. - **PowerShell Automation with Hook-Level Performance Feedback** — combines PowerShell auto-approval + PostToolUse duration_ms + parallel MCP server reconfiguration. PowerShell auto-approval removes manual permission gates in Windows-native environments; hook observability and parallel MCP startup accelerate complex multi-tool automation pipelines. Idea: 1. Enable PowerShell auto-approval in permission mode (matching Bash behavior). 2. Configure MCP servers that require parallel reconfiguration (e.g., multiple SSH, cloud SDKs). 3. In PostToolUse hooks, record duration_ms for each PowerShell execution step. 4. Aggregate latencies to identify which tool bottlenecks slow the overall pipeline. 5. Steer agent to pre-warm slow servers or batch independent operations. **Agentic relevance:** The ten new primitives in 2.1.119 unlock better autonomous control and debugging: persistent `/config` settings eliminate CLI flag repetition in long workflows; `CLAUDE_CODE_HIDE_CWD` and custom `prUrlTemplate` support secure/branded multi-workspace setups; hook `duration_ms` enables performance profiling and decision-making in tool chains; extended `--from-pr` coverage eases enterprise SCM integration. Hook observability and parallel MCP reconfiguration improve reliability in complex agent pipelines. _41 hardening fixes (not new primitives)._ --- ## 2.1.120 **Headline:** **`claude ultrareview [target]` command** — enables non-interactive code review automation in CI/CD pipelines and scripts, with structured JSON output for integration into automation tooling. This unlocks review-as-a-gate and audit-trail capture for agent-driven codebases. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | claude ultrareview [target] | command | Run `/ultrareview` non-interactively from CI or scripts with stdout output and structured exit codes | Added `claude ultrareview [target]` subcommand to run `/ultrareview` non-interactively from CI or scripts — prints findings to stdout (`--json` for raw output) and exits 0 on completion or 1 on failure | | ${CLAUDE_EFFORT} | env-var/skill-reference | Reference the current effort level within skill content for dynamic skill behavior | Skills can now reference the current effort level with `${CLAUDE_EFFORT}` in their content | | AI_AGENT environment variable | env-var | Automatic subprocess environment variable for attribution of `gh` traffic to Claude Code | Set `AI_AGENT` environment variable for subprocesses so `gh` can attribute traffic to Claude Code | | PowerShell shell fallback (Windows) | capability | Windows no longer requires Git for Windows (Git Bash); Claude Code uses PowerShell as shell tool when Git Bash absent | Windows: Git for Windows (Git Bash) is no longer required — when absent, Claude Code uses PowerShell as the shell tool | ### Workflow recipes - **Review Gate in Agent-Driven CI/CD** — combines claude ultrareview [target] + ${CLAUDE_EFFORT} + AI_AGENT. Agents can now run structured code review as a pipeline gate, scaling review effort with the task's urgency level and attributing all review traffic to the agent for audit/cost tracking. Idea: An agent-driven monorepo workflow where agents commit code changes, then invoke claude ultrareview at effort levels calibrated to the change scope (e.g., low effort for trivial refactors, high for security-sensitive paths). The ${CLAUDE_EFFORT} variable scales the skill's analysis depth, and AI_AGENT tracks the review's agent lineage in GitHub traffic logs. The agent parses JSON output to fail the PR if critical findings block merge, or attach findings as commit comments. This closes the feedback loop without human review bottlenecks. - **Effort-Scaled Skill Provisioning** — combines ${CLAUDE_EFFORT} + PowerShell shell fallback (Windows). Skills can now adapt their behavior to the parent agent's effort level, enabling same-skill deployment across quick-turnaround and deep-analysis use cases. The PowerShell fallback removes platform-specific skill branching logic. Idea: A skill library that changes internal strategy based on effort level: at effort low, run fast heuristics; at effort high, spawn deeper subagent analysis or iterate multi-pass refinement. The Windows shell fallback means skills no longer need conditional branching for cmd vs bash — a single skill works across all platforms. This reduces skill maintenance surface and enables effort-driven resource budgeting within a single skill definition. **Agentic relevance:** The `claude ultrareview [target]` command enables review-in-the-loop automation for CI/CD and agent-driven code mutation workflows. Combined with `${CLAUDE_EFFORT}` for skill-level scaling and `AI_AGENT` for traffic attribution, agents can now perform asynchronous code quality gates and surface findings as structured data without user interaction. The PowerShell fallback removes Windows-specific runtime friction, broadening agent deployment scope across platforms. _18 hardening fixes (not new primitives)._ --- ## 2.1.121 **Headline:** **MCP server eager-load control** (`alwaysLoad` config option): Skip deferred tool resolution for trusted MCP servers, making all tools immediately available without tool-search cost. This reduces latency for high-trust integrations and enables agents to invoke tools in non-interactive sessions reliably. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | alwaysLoad (MCP config) | setting | MCP servers with this flag skip tool-search deferral; all tools are immediately available | Added `alwaysLoad` option to MCP server config — when `true`, all tools from that server skip tool-search deferral and are always available | | claude plugin prune | command | Removes orphaned auto-installed plugin dependencies; `plugin uninstall --prune` cascades | Added `claude plugin prune` to remove orphaned auto-installed plugin dependencies; `plugin uninstall --prune` cascades | | /skills search box | feature | Type-to-filter search box for finding skills in long lists without scrolling | Added a type-to-filter search box to `/skills` so you can find a skill in long lists without scrolling | | hookSpecificOutput.updatedToolOutput (PostToolUse hooks) | hook-field | PostToolUse hooks can now replace tool output for all tools, not just MCP-only | PostToolUse hooks can now replace tool output for all tools via `hookSpecificOutput.updatedToolOutput` (previously MCP-only) | | CLAUDE_CODE_FORK_SUBAGENT=1 (non-interactive) | env-var | SDK and `claude -p` now support fork-subagent in non-interactive sessions | SDK and `claude -p`: `CLAUDE_CODE_FORK_SUBAGENT=1` now works in non-interactive sessions | | mcp_authenticate with redirectUri | SDK capability | SDK MCP authentication now supports custom scheme completion and claude.ai connectors | SDK: `mcp_authenticate` now supports `redirectUri` for custom scheme completion and claude.ai connectors | | OTEL_LOG_USER_PROMPTS gating | observability-flag | OpenTelemetry spans now optionally log `user_system_prompt` when gated behind this flag | OpenTelemetry: added `stop_reason`, `gen_ai.response.finish_reasons`, and `user_system_prompt` (gated behind `OTEL_LOG_USER_PROMPTS`) to LLM request spans | ### Workflow recipes - **Non-interactive Subagent CI/CD Orchestration** — combines CLAUDE_CODE_FORK_SUBAGENT=1 (non-interactive) + alwaysLoad (MCP config) + --dangerously-skip-permissions. Together these enable fully automated subagent spawning in CI/CD pipelines without blocking on permission prompts or deferred tool resolution, allowing agents to coordinate across build steps with eager tool availability. Idea: A parent CI/CD agent forks subagents for parallel work (test, lint, build, security scan) using CLAUDE_CODE_FORK_SUBAGENT=1. Each subagent has its MCP servers configured with alwaysLoad: true for immediate tool access. The parent skips permission interactivity with --dangerously-skip-permissions and monitors subagent exit codes. On success, it chains the next stage; on failure, it culls the subagent and retries or escalates. No pauses, no manual approval checkpoints—native to cloud CI. - **Terminal-Driven Agent Configuration + Hotkey Execution** — combines /skills search box + CLAUDE_CODE_FORK_SUBAGENT=1 + hookSpecificOutput.updatedToolOutput. Agent developers can now discover and configure skills interactively in the terminal, then fork subagents to execute them while post-processing tool results through hooks—collapsing the edit-test-deploy cycle. Idea: A developer runs /skills to search and select a skill. The selection populates an agent spawn command. On fork, the parent agent sets up a PostToolUse hook to intercept the subagent's tool output and apply transformations (e.g., extracting just JSON, filtering logs, republishing metrics). The modified output flows back to the parent for synthesis or logging. Skill discovery is fast and searchable; execution is deterministic and result-controllable. - **MCP OAuth + Observability Audit Trail for Agent Ops** — combines mcp_authenticate with redirectUri + OTEL_LOG_USER_PROMPTS (OpenTelemetry) + NO_PROXY managed-settings fix. Agents can now authenticate to MCP services (e.g., GitHub, Slack) via custom redirect schemes and emit full audit traces (system prompt, token counts, finish reasons) to observability backends—essential for multi-tenant agent platforms with compliance audit requirements. Idea: An agent spawning infrastructure initializes mcp_authenticate with custom redirectUri schemes (e.g., x-my-agent-auth://callback) for connector auth. Simultaneously, OTEL_LOG_USER_PROMPTS logs the agent's system prompt and each LLM request/response lifecycle (stop_reason, finish_reasons, token usage) to a tracing backend (Honeycomb, DataDog, Jaeger). When a managed proxy needs to exclude certain hosts, NO_PROXY now respects the setting, ensuring auth requests bypass the proxy chain. Together: full agent compliance auditing, connector auth without terminal prompts, and network control for trust-boundary requests. **Agentic relevance:** MCP eager-load and non-interactive subagent support unlock automated tool orchestration without permission prompts or deferred resolution latency—critical for agents running in CI/CD and multi-step workflows. Hook output replacement extends control surface for tool-result sanitization and pipeline composition. The `/skills` search box and enhanced dialog scrolling improve agent configuration velocity in terminal environments. _32 hardening fixes (not new primitives)._ --- ## 2.1.122 **Headline:** **PR URL search in `/resume` and Bedrock service tier selection**: the `/resume` search now accepts GitHub PR URLs to jump directly to the session that created them, and `ANTHROPIC_BEDROCK_SERVICE_TIER` env var lets users tune Bedrock API tier (default/flex/priority) — both reduce friction in session discovery and cloud infra config. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | ANTHROPIC_BEDROCK_SERVICE_TIER | environment variable | Select Bedrock service tier (`default`, `flex`, or `priority`), sent as the `X-Amzn-Bedrock-Service-Tier` header | Added `ANTHROPIC_BEDROCK_SERVICE_TIER` environment variable to select a Bedrock service tier (`default`, `flex`, or `priority`), sent as the `X-Amzn-Bedrock-Service-Tier` header | | /resume PR URL search | command capability | Paste a GitHub/GitLab/Bitbucket PR URL into `/resume` search box to find the session that created that PR | Pasting a PR URL into the `/resume` search box now finds the session that created that PR (GitHub, GitHub Enterprise, GitLab, and Bitbucket) | ### Workflow recipes - **PR-indexed session recovery + Bedrock cost-tier tuning** — combines /resume PR URL search + ANTHROPIC_BEDROCK_SERVICE_TIER env var. Multi-PR review sessions waste time rediscovering which Claude Code session created which artifact. Combined with Bedrock tier selection, agents and users can now (1) jump to a PR's originating session to inspect build logs/reasoning without re-reading chat, and (2) downgrade to flex tier mid-review to reduce cost on long verification runs, then upgrade back to priority for final iteration — enabling cost-aware session replay and resource-tuned handoffs. Idea: An agent reviewing multiple PRs could use /resume to load the original session context in 1 command, inspect the diff side-by-side with the agent's reasoning, then set ANTHROPIC_BEDROCK_SERVICE_TIER=flex for a Bedrock-backed verify run, then flip back to priority for the final quality pass. This collapses the "which session created this?" friction that arises in high-volume PR batch workflows. - **At-mention logging + session branching for audit trails** — combines OpenTelemetry claude_code.at_mention log event + /branch stability fix. Agents that use @-mentions to invoke tools now have structured, observable mention resolution logged. The /branch fix (fork corruption from rewound timelines) ensures that audit trails from complex branching workflows no longer corrupt the tool-use chain. Together, they enable tracing which tool was invoked, when, and via what mention context, across session branches without data loss. Idea: A prospecting agent that branches for each prospect variant can now audit the full mention→tool→result chain across all forks via OpenTelemetry logs, with the confidence that /branch corruption has been fixed. This is useful for compliance audits, cost attribution, and tool-use debugging in high-branching workflows. **Agentic relevance:** The two new primitives (Bedrock service tier env var and PR URL search in `/resume`) target operational workflows: cloud-resource tuning for Bedrock users and session recovery when jumping between PR reviews. The 14 hardening fixes address observability, state corruption, and tool integration edge cases that reduce CLI friction and reliability in multi-tool sessions. Agents benefit most from the OpenTelemetry additions (structured at-mention logging) and ToolSearch fix (MCP tool discovery in long sessions). _16 hardening fixes (not new primitives)._ --- ## 2.1.129 **Headline:** **Plugin URL fetching + env-var sync-output control** — agents and power users can now inline ephemeral plugins from remote URLs and force deterministic terminal output, unlocking faster iteration on plugin-driven workflows and more reliable CI/automation on exotic terminals. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | --plugin-url | flag | Fetch and use a plugin `.zip` archive from a URL for the current session only | Added `--plugin-url ` flag to fetch a plugin `.zip` archive from a URL for the current session | | CLAUDE_CODE_FORCE_SYNC_OUTPUT=1 | env-var | Force-enable synchronized output on terminals where auto-detection fails (e.g. Emacs `eat`) | Added `CLAUDE_CODE_FORCE_SYNC_OUTPUT=1` env var to force-enable synchronized output on terminals that auto-detection misses (e.g. Emacs `eat`) | | CLAUDE_CODE_PACKAGE_MANAGER_AUTO_UPDATE | env-var | Enable automatic background upgrade prompts for Homebrew or WinGet installations | Added `CLAUDE_CODE_PACKAGE_MANAGER_AUTO_UPDATE`: when set on Homebrew or WinGet installations, Claude Code runs the upgrade command in the background and prompts to restart | | CLAUDE_CODE_ENABLE_GATEWAY_MODEL_DISCOVERY=1 | env-var | Opt-in to Gateway `/v1/models` discovery for the `/model` picker (now requires explicit opt-in, was automatic in 2.1.126–2.1.128) | Gateway `/v1/models` discovery for the `/model` picker is now opt-in via `CLAUDE_CODE_ENABLE_GATEWAY_MODEL_DISCOVERY=1` (was automatic in 2.1.126–2.1.128) | | skillOverrides setting (modes: off, user-invocable-only, name-only) | setting | Control skill visibility: `off` hides from model and `/`, `user-invocable-only` hides from model only, `name-only` collapses description | `skillOverrides` setting now works: `off` hides from model and `/`, `user-invocable-only` hides from model only, `name-only` collapses description | | Ctrl+R history picker search scope toggle | capability | Ctrl+R now defaults to all prompts across all projects; press Ctrl+S to narrow to current project/session | Ctrl+R history picker now defaults to searching all prompts across all projects, matching pre-2.1.124 behavior. Press Ctrl+S to narrow to the current project or session | | Plugin manifest experimental namespace | setting | Declare `themes` and `monitors` under `"experimental": { ... }` in plugin manifests (top-level still works but warns) | Plugin manifests: `themes` and `monitors` should now be declared under `"experimental": { ... }`. Top-level declarations still work but `claude plugin validate` will warn | ### Workflow recipes - **Exotic Terminal + Skill-Gated Model Inference** — combines CLAUDE_CODE_FORCE_SYNC_OUTPUT=1 + skillOverrides setting. Agents running inside constrained CI/automation environments (Emacs eat, Docker, GitHub Actions on ARM) often fail silently due to terminal output buffering and unintended skill inference. Combining forced synchronous output with skill availability gates enables reliable, auditable automation. Idea: Deploy an agent worker in an Emacs buffer or CI container with CLAUDE_CODE_FORCE_SYNC_OUTPUT=1 and skillOverrides: "user-invocable-only" in settings. This ensures (1) terminal output is never buffered, so logs appear immediately and race conditions are visible, and (2) the model cannot spontaneously invoke skills—only the agent's explicit / commands trigger them. This prevents accidental tool invocations that might fail in the constrained environment and makes logs deterministic for debugging and audit trails. - **Model Discovery Control for Multi-Tenant / Air-Gapped Deployments** — combines CLAUDE_CODE_ENABLE_GATEWAY_MODEL_DISCOVERY=1 (opt-in) + deniedMcpServers pattern fixes. Third-party deployments (Vertex, Bedrock, Foundry, custom gateways) now explicitly control whether the model picker discovers models via gateway /v1/models. The fix to deniedMcpServers wildcard matching (case-insensitive hostnames) enables precise network boundary enforcement. Idea: In air-gapped or multi-tenant environments, set CLAUDE_CODE_ENABLE_GATEWAY_MODEL_DISCOVERY= absent or unset to prevent the model picker from auto-discovering external models, keeping users on only locally-available models. Pair this with deniedMcpServers patterns using *:// scheme wildcards to block entire categories of external tools—e.g., "*://anthropic.com": true" to deny all Anthropic first-party servers. The case-insensitive hostname fix ensures mixed-case domains in policies are honored consistently. - **Skill Visibility Governance for Collaborative / Educational Agents** — combines skillOverrides setting (modes: off, user-invocable-only, name-only). Not a multi-primitive workflow, but a single newly-working primitive that enables collaborative and educational agents to enforce skill governance. The skillOverrides modes allow fine-grained control: off hides skills completely, user-invocable-only prevents model inference but allows human / calls, and name-only collapses descriptions to reduce token waste and cognitive load. Idea: For educational agents teaching prompt engineering, set skillOverrides: "name-only" to show skill names in / lists but hide their full descriptions—reducing distraction and token bloat while preserving discoverability. For trusted teams sharing a workspace, use skillOverrides: "user-invocable-only" to let humans call any skill but prevent the model from auto-invoking them—keeping inference deterministic and accountable. For restricted automation, use skillOverrides: "off" to hide all skills and rely only on explicit tool calls. **Agentic relevance:** The key agentic primitives in 2.1.129 are environment variable controls for output synchronization and model discovery, plus `skillOverrides` for controlling model inference behavior. These enable agents running on exotic CI platforms (Emacs, unusual shells) to operate reliably, and allow fine-grained control over which skills the model can invoke—supporting workflows where skill availability needs to be contextual or constrained. The plugin URL fetching is primarily a manual convenience rather than an agent-accessible capability. _20 hardening fixes (not new primitives)._ --- ## 2.1.132 **Headline:** **Session identity in Bash subprocesses:** Bash tool commands can now read `CLAUDE_CODE_SESSION_ID` to correlate their execution with the parent Claude Code session and hook invocations. This enables agents to build session-aware audit logs, cross-reference hook events, and reason about causality within long-running sessions. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | CLAUDE_CODE_SESSION_ID | env-var | Passed to Bash tool subprocess environment; matches the `session_id` in hook payloads, allowing bash commands to self-identify their session | Added `CLAUDE_CODE_SESSION_ID` environment variable to the Bash tool subprocess environment, matching the `session_id` passed to hooks | | CLAUDE_CODE_DISABLE_ALTERNATE_SCREEN=1 | env-var | Disables the fullscreen alternate-screen renderer, keeping the conversation in the terminal's native scrollback instead of a separate screen | Added `CLAUDE_CODE_DISABLE_ALTERNATE_SCREEN=1` env var to opt out of the fullscreen alternate-screen renderer and keep the conversation in the terminal's native scrollback | ### Workflow recipes - **Session-Correlated Audit Log with Native Scrollback Persistence** — combines CLAUDE_CODE_SESSION_ID + CLAUDE_CODE_DISABLE_ALTERNATE_SCREEN=1. Agents running in headless, containerized, or remote environments need durable output trails that survive terminal reconnects and can be audited post-session. Disabling alternate-screen keeps all output in native scrollback; stamping each bash subprocess's output with CLAUDE_CODE_SESSION_ID enables post-hoc log reconstruction and session replay without losing context to terminal mode switches or buffer flushes. Idea: An agent workflow that (1) sets CLAUDE_CODE_DISABLE_ALTERNATE_SCREEN=1 at session start, (2) runs bash commands that each read and log $CLAUDE_CODE_SESSION_ID as a prefix or structured header, (3) collects all output in a session-wide transcript keyed by session_id, and (4) at closeout, produces a session audit log linking tool invocations, hook events, and bash output by shared session_id. Use case: compliance workflows, post-mortem analysis, or distributed agent coordination where scrollback is the source of truth. **Agentic relevance:** The `CLAUDE_CODE_SESSION_ID` env var enables session-correlated logging and causality tracking within agents' bash workflows. When combined with hook invocations, agents can now trace execution lineage and build audit trails that persist across tool boundaries. The `DISABLE_ALTERNATE_SCREEN` flag supports long-form session replay and analysis by keeping all output in native scrollback, critical for agents working in containerized or headless environments where alternate-screen buffering is problematic. _26 hardening fixes (not new primitives)._ --- ## 2.1.133 **Headline:** **`worktree.baseRef` setting** — agents can now choose whether new worktrees branch from origin (fresh isolation) or local HEAD (preserving unpushed work). This is critical for multi-agent workflows where one agent's uncommitted code should flow to isolation worktrees, and for developer flows that rely on local draft branches. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | worktree.baseRef | setting | Choose whether `--worktree`, `EnterWorktree`, and agent-isolation worktrees branch from `origin/` or local `HEAD` | Added `worktree.baseRef` setting (`fresh` \ | | sandbox.bwrapPath | setting | Specify custom bubblewrap binary location (Linux/WSL) | Added `sandbox.bwrapPath` and `sandbox.socatPath` managed settings (Linux/WSL) to specify custom bubblewrap and socat binary locations | | sandbox.socatPath | setting | Specify custom socat binary location (Linux/WSL) | Added `sandbox.bwrapPath` and `sandbox.socatPath` managed settings (Linux/WSL) to specify custom bubblewrap and socat binary locations | | parentSettingsBehavior | setting | Admin-tier key to opt SDK `managedSettings` (parent tier) into policy merge (`'first-wins'` or `'merge'`) | Added `parentSettingsBehavior` admin-tier key (`'first-wins'` \ | | effort.level (hooks) | capability | Hooks now receive active effort level via JSON input field | Hooks now receive the active effort level via the `effort.level` JSON input field and the `$CLAUDE_EFFORT` environment variable | | $CLAUDE_EFFORT | env-var | Bash tool commands can read the active effort level | Hooks now receive the active effort level via the `effort.level` JSON input field and the `$CLAUDE_EFFORT` environment variable, and Bash tool commands can read `$CLAUDE_EFFORT` | ### Workflow recipes - **Draft-Preserving Agent Isolation** — combines worktree.baseRef + effort.level (JSON/env). Multi-agent workflows often need a parent agent to hand off draft code (uncommitted local changes) to a child agent in an isolated worktree. Previously, isolation always branched from remote origin, forcing commits or loss of work. Now agents can set worktree.baseRef: "head" to preserve local HEAD, and child agents can read $CLAUDE_EFFORT to determine retry/validation depth without explicit parameter passing. Idea: A code-generation parent spawns a child agent in a worktree with baseRef: "head", preserving draft schemas or generated scaffolding. The child reads its isolation depth from $CLAUDE_EFFORT to auto-scale test coverage (low effort → smoke tests only; high effort → full suite). When complete, the parent can merge the worktree back and decide whether to commit. This unblocks iterative workflows where generations are not final until review. - **Effort-Aware Hook Automation** — combines $CLAUDE_EFFORT environment variable + Hooks receiving effort.level JSON input. Hooks are the primary escape hatch for build systems, formatters, and pre-commit checks. Previously, hooks had no way to know the user's intent (quick smoke test vs. deep audit). Now hooks can branch on $CLAUDE_EFFORT or parse the JSON input to scale validation: skip expensive checks on low effort, run all checks on high/ultra. Idea: A pre-commit hook script reads $CLAUDE_EFFORT and adjusts behavior: low effort runs linter and unit tests only; high effort adds integration tests and type coverage; ultra effort runs fuzzing and adversarial checks. Agents tuning /effort low for speed get fast feedback; /effort high for rigor gets comprehensive validation without manual configuration. The hook stays one-size-fits-all and scales automatically. - **Enterprise Admin Settings Bridge (SDK + CLI)** — combines parentSettingsBehavior admin-tier setting + sandbox.bwrapPath / sandbox.socatPath. Organizations running Claude via SDK (managed parent tier) and CLI (user tier) have conflicting sandbox and security policies. Previously, admin-managed settings always won-only (first-wins), forcing CLI users to match parent sandbox paths. Now admins can opt into merge behavior to let CLI users override sandbox locations (e.g., company-provided socat) while parent tier still controls sensitive policies (token handling, proxy rules). Idea: An enterprise deploys Claude SDK with parent-managed sandbox.socatPath pointing to their secure binary. Developers running claude CLI can now override this with a project .claude/settings.json if their environment requires a different path, and both policies merge safely. parentSettingsBehavior: 'merge' unblocks this without requiring every developer to accept the parent path verbatim. **Agentic relevance:** 2.1.133 strengthens multi-agent isolation and configuration control. The `worktree.baseRef` setting fixes a critical gap for agent-delegation workflows by letting admins preserve unpushed local commits in isolation worktrees — previously agents spawned in fresh worktrees would lose draft work. The `effort.level` JSON/env exposure lets hooks and Bash commands introspect the active effort tier, enabling conditional behavior (retry logic, verbosity, scope). The `parentSettingsBehavior` admin setting unblocks enterprise SDK integration patterns. The hardening suite (session token race, network-drive access, skill discovery, Remote Control interrupts) improves reliability for long-running agent chains and enterprise deployments. _13 hardening fixes (not new primitives)._ --- ## 2.1.136 **Headline:** **Enterprise telemetry integration and auto-mode hardening.** 2.1.136 adds environment-variable control for OpenTelemetry survey feedback and a new `hard_deny` classifier rule type for absolute permission blocking — expanding enterprise audit/compliance options and tightening auto-mode decision boundaries. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | CLAUDE_CODE_ENABLE_FEEDBACK_SURVEY_FOR_OTEL | env-var | Re-enables the session quality survey for enterprises capturing responses through OpenTelemetry | Added `CLAUDE_CODE_ENABLE_FEEDBACK_SURVEY_FOR_OTEL` to re-enable the session quality survey for enterprises capturing responses through OpenTelemetry | | settings.autoMode.hard_deny | setting | Defines auto mode classifier rules that block unconditionally regardless of user intent or allow exceptions | Added `settings.autoMode.hard_deny` for auto mode classifier rules that block unconditionally regardless of user intent or allow exceptions | ### Workflow recipes - **Enterprise Compliance Audit Loop** — combines CLAUDE_CODE_ENABLE_FEEDBACK_SURVEY_FOR_OTEL + settings.autoMode.hard_deny. Sensitive deployments (government, regulated industries) can now wire session quality feedback directly into compliance telemetry pipelines while enforcing immutable permission boundaries that satisfy air-gapped security reviews. Idea: Configure an agent operating in a classified environment with hard_deny rules blocking all file mutations, tool invocations, and external API calls by default. Enable CLAUDE_CODE_ENABLE_FEEDBACK_SURVEY_FOR_OTEL to automatically ship anonymized session quality metrics (latency, tool-call patterns, reasoning depth) to a compartmentalized OpenTelemetry collector. Auditors can then review both the decision boundary (what hard_deny blocked) and agent health (latency/error spikes correlating with blocked requests) in a single chain-of-custody feed. - **MCP Server Resilience in Multi-Tenant Agent Fleets** — combines MCP OAuth refresh token fix + MCP server persistence fix (from hardening). Multi-server remote MCP fleets previously required daily re-auth and lost server configurations on session clear. These fixes unlock sustained unattended agent operation without stale-credential loops or silent server dropout. Idea: Deploy a long-running agent service using multiple remote MCP servers (e.g., Claude Drive + Slack + Anthropic API). Previously, concurrent OAuth refresh of servers would fail, forcing agents to re-authenticate daily and losing all server connections after /clear. With 2.1.136, the agent can operate for weeks without intervention — servers persist across session clears and refresh concurrently without token collision. Combine with a cron-based /resume loop to implement true agent daemoning. **Agentic relevance:** The two new primitives enable enterprise and compliance scenarios. `CLAUDE_CODE_ENABLE_FEEDBACK_SURVEY_FOR_OTEL` integrates session quality signals into OpenTelemetry pipelines for monitoring and audit. `settings.autoMode.hard_deny` allows agents deployed in sensitive environments to define immutable permission boundaries that override both user intent and allow-rule exceptions — critical for enforcement of security policies in multi-tenant or regulated contexts. The remaining ~60 fixes are robustness improvements with moderate indirect impact on agent reliability. _50 hardening fixes (not new primitives)._ --- ## 2.1.139 [autonomy] **Headline:** Agent view (`claude agents`, Research Preview) is the marquee primitive: a single list of every Claude Code session — running, blocked on you, or done — which is exactly the cross-session fan-out monitoring surface a multi-agent orchestration test needs. Real feature release (agent view, `/goal`, two new hook fields, plugin details, subagent identity headers), but the bulk of the changelog (~40 of ~50 bullets) is bugfix hardening. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | agent view (claude agents) | command | New Research-Preview command and capability: a unified list of every Claude Code session (running, blocked-on-you, or done). The headline primitive for agent orchestration — the single control surface for monitoring a fan-out of sessions. | Added agent view (Research Preview): a single list of every Claude Code session — running, blocked on you, or done. Run `claude agents` to get started. See https://code.claude.com/docs/en/agent-view | | /goal command | command | New command that sets a completion condition and keeps Claude working across turns until met; works in interactive, -p, and Remote Control with a live overlay panel. Directly relevant to autonomous per-agent persistence in orchestrated runs. | Added `/goal` command: set a completion condition and Claude keeps working across turns until it's met. Works in interactive, `-p`, and Remote Control. Shows live elapsed/turns/tokens as an overlay panel | | /scroll-speed command | command | New command to tune mouse wheel scroll speed with a live preview. | Added `/scroll-speed` command to tune mouse wheel scroll speed with a live preview | | claude plugin details | command | New subcommand showing a plugin's component inventory and projected per-session token cost. | Added `claude plugin details ` to show a plugin's component inventory and projected per-session token cost | | transcript view navigation shortcuts | capability | New transcript-view keyboard navigation: `?` for shortcuts, `{`/`}` to jump between user prompts, `v` to toggle the shortcut panel. | Added transcript view navigation: `?` for keyboard shortcuts, `{`/`}` to jump between user prompts, `v` to toggle shortcut panel | | hook args: string[] field (exec form) | hook | New hook config field that spawns the command directly without a shell, so path placeholders never need quoting. | Added hook `args: string[]` field (exec form) that spawns the command directly without a shell, so path placeholders never need quoting | | hook continueOnBlock config option | hook | New PostToolUse hook config option: set true to feed the hook's rejection reason back to Claude and continue the turn. | Added hook `continueOnBlock` config option for `PostToolUse` — set to `true` to feed the hook's rejection reason back to Claude and continue the turn | | CLAUDE_PROJECT_DIR for MCP stdio servers + ${CLAUDE_PROJECT_DIR} in plugin configs | env-var | New surface: MCP stdio servers now receive CLAUDE_PROJECT_DIR in their environment (matching hooks), and plugin configs can interpolate ${CLAUDE_PROJECT_DIR} in commands. New env-var exposure and interpolation point, not a fix. | MCP stdio servers now receive `CLAUDE_PROJECT_DIR` in their environment, matching hooks. Plugin configs can reference `${CLAUDE_PROJECT_DIR}` in commands | | subagent identity headers + OTEL attributes | capability | New observability surface for orchestration: subagent API requests carry x-claude-code-agent-id / x-claude-code-parent-agent-id headers, and claude_code.llm_request OTEL spans include agent_id / parent_agent_id attributes — enabling parent/child agent tracing in a fan-out. | API requests from subagents now carry `x-claude-code-agent-id` / `x-claude-code-parent-agent-id` headers, and `claude_code.llm_request` OTEL spans include `agent_id` / `parent_agent_id` attributes | | [VSCode] reopen-closed-session shortcut + claudeCode.enableReopenClosedSessionShortcut | setting | New VSCode keybinding (Cmd/Ctrl+Shift+T to reopen most recently closed session tab) plus a new setting to configure it. | [VSCode] Press Cmd/Ctrl+Shift+T to reopen the most recently closed session tab, configurable via `claudeCode.enableReopenClosedSessionShortcut` | **Agentic relevance:** This version pushes the agent-orchestration frontier through three new surfaces: agent view (`claude agents`) gives a single cross-session control plane for monitoring a fan-out of running/blocked/done agents, `/goal` gives each agent an autonomous completion condition that persists across turns, and subagent identity headers plus `agent_id`/`parent_agent_id` OTEL attributes make parent/child tracing observable in a fan-out. Together they convert multi-agent orchestration from an opaque batch into a monitorable, goal-driven, traceable system — while the new hook fields (`args`, `continueOnBlock`) and `CLAUDE_PROJECT_DIR` exposure tighten the control loop around each agent. _40 hardening fixes (not new primitives)._ --- ## 2.1.141 **Headline:** Desktop notification capability via hook JSON `terminalSequence` field unlocks notification, window-title, and bell signaling without requiring a controlling terminal — critical for daemonized/backgrounded agent workflows that run detached from the shell. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | terminalSequence | hook field | Allows hooks to emit desktop notifications, window titles, and bells without a controlling terminal | Added `terminalSequence` field to hook JSON output so hooks can emit desktop notifications, window titles, and bells without a controlling terminal | | CLAUDE_CODE_PLUGIN_PREFER_HTTPS | env-var | Forces GitHub plugin clones over HTTPS instead of SSH for environments without SSH keys | Added `CLAUDE_CODE_PLUGIN_PREFER_HTTPS` to clone GitHub plugin sources over HTTPS instead of SSH, for environments without a GitHub SSH key | | ANTHROPIC_WORKSPACE_ID | env-var | Scopes workload identity federation tokens to a specific workspace | Added `ANTHROPIC_WORKSPACE_ID` environment variable for workload identity federation — scopes the minted token to a specific workspace when the federation rule covers more than one | | claude agents --cwd | command flag | Filters the agent session list to a specific directory | Added `claude agents --cwd ` to scope the session list to a directory | | /feedback recent sessions | capability | `/feedback` can now include sessions from the last 24 hours or 7 days for multi-session issues | `/feedback` can now include recent sessions (last 24 hours or 7 days) for issues spanning more than the current session | | Rewind "Summarize up to here" | command | Compresses earlier context while preserving recent turns in rewind menu | Rewind menu: added "Summarize up to here" to compress earlier context while keeping recent turns intact | | Background agent permission preservation | capability | Background agents launched via `/bg` or `←←` now preserve the current permission mode instead of reverting to default | Background agents launched via `/bg` or `←←` now preserve the current permission mode instead of reverting to default | ### Workflow recipes - **Daemonized Agent Orchestration with Terminal-Independent Signaling** — combines terminalSequence hook field + Background agent permission preservation + claude agents --cwd . Backgrounded agents can now emit desktop notifications independently of terminal attachment, preserve their permission context across sessions, and be scoped to a directory. This unlocks orchestration of parallel agent swarms that coordinate via notifications, maintain isolated permission domains, and organize work by project boundary. Idea: A parent agent spawns multiple background agents via /bg with distinct working directories (--cwd). Each child agent runs detached; upon completion or state-change events, the hook system uses terminalSequence to emit desktop notifications without blocking on terminal I/O. Parent orchestration logic polls via claude agents --cwd to check status and aggregate results, while permission modes carry through from the parent (e.g., read-only agents stay read-only, integration agents keep approval scope). This enables true fire-and-forget distributed workflows without shell coupling. - **Workspace-Isolated Multi-Tenant Agent Routing** — combines ANTHROPIC_WORKSPACE_ID + CLAUDE_CODE_PLUGIN_PREFER_HTTPS + Background agent permission preservation. Workload identity federation now allows token scoping to a specific workspace, plugin bootstrap works in restricted networks (no SSH), and spawned agents inherit the parent's permission policy. Together these enable multi-tenant agent deployments where each tenant's agents are token-scoped, can bootstrap in zero-trust networks, and maintain the host's authorization policy consistently. Idea: In a multi-tenant SaaS or platform scenario, a gateway agent receives a request with a workspace ID. It sets ANTHROPIC_WORKSPACE_ID in the background agent's environment, ensuring the minted token scopes to that workspace only. Plugin bootstrap uses HTTPS (no SSH key required in ephemeral containers). Child agents inherit the gateway's permission mode (e.g., "sandbox" agents for untrusted code, "integration" agents for API calls), enforcing consistent security boundaries. If a background agent is compromised or over-provisioned, it cannot access other workspaces or escape the inherited permission scope. - **Context-Optimized Multi-Session Issue Tracking** — combines /feedback recent sessions + Rewind "Summarize up to here" + claude agents --cwd . Feedback can now include recent sessions from across multiple agent runs, rewind can compress early context while preserving recent turns, and session scoping by directory lets agents focus on task-relevant sessions. Together these enable efficient issue diagnosis across distributed agent work without context explosion or replay overhead. Idea: An agent encounters an error or anomaly. Before filing feedback, it uses the Rewind menu to "Summarize up to here" on early exploratory turns, compressing them into a single summary. It then includes the last 7 days of sessions from the same working directory (claude agents --cwd . filters to relevant agents) in the feedback bundle. The feedback system now has 1) a compressed early context, 2) recent turn detail, and 3) only task-relevant sessions—all compressed into a single diagnostic artifact. Support engineers can reproduce the issue without scrolling through megabytes of exploratory chatter. **Agentic relevance:** The `terminalSequence` hook field enables daemonized agents to signal completion/state changes via desktop notifications without terminal attachment—critical for orchestration where background agents must notify parent workflows. Environment-variable scope controls (`ANTHROPIC_WORKSPACE_ID`) and permission-preservation for spawned background agents (`/bg` permission mode carry-through) strengthen agent isolation and identity federation in multi-tenant or federated setups. The new session rewind capability ("Summarize up to here") and `claude agents --cwd` scoping improve multi-agent coordination by reducing context bloat across parallel tasks. _54 hardening fixes (not new primitives)._ --- ## 2.1.142 **Headline:** **`claude agents` configuration flags** — Eight new flags (`--add-dir`, `--settings`, `--mcp-config`, `--plugin-dir`, `--permission-mode`, `--model`, `--effort`, `--dangerously-skip-permissions`) unlock dynamic configuration of dispatched background sessions, enabling agents to customize runtime behavior without hardcoded defaults. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | --add-dir flag | flag | Adds directory to dispatched background session configuration | Added new `claude agents` flags: `--add-dir`, `--settings`, `--mcp-config`, `--plugin-dir`, `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to configure dispatched background sessions | | --settings flag | flag | Configures settings for dispatched background session | Added new `claude agents` flags: `--add-dir`, `--settings`, `--mcp-config`, `--plugin-dir`, `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to configure dispatched background sessions | | --mcp-config flag | flag | Configures MCP servers for dispatched background session | Added new `claude agents` flags: `--add-dir`, `--settings`, `--mcp-config`, `--plugin-dir`, `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to configure dispatched background sessions | | --plugin-dir flag | flag | Specifies plugin directory for dispatched background session | Added new `claude agents` flags: `--add-dir`, `--settings`, `--mcp-config`, `--plugin-dir`, `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to configure dispatched background sessions | | --permission-mode flag | flag | Configures permission behavior for dispatched background session | Added new `claude agents` flags: `--add-dir`, `--settings`, `--mcp-config`, `--plugin-dir`, `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to configure dispatched background sessions | | --model flag | flag | Sets model for dispatched background session | Added new `claude agents` flags: `--add-dir`, `--settings`, `--mcp-config`, `--plugin-dir`, `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to configure dispatched background sessions | | --effort flag | flag | Sets reasoning effort level for dispatched background session | Added new `claude agents` flags: `--add-dir`, `--settings`, `--mcp-config`, `--plugin-dir`, `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to configure dispatched background sessions | | --dangerously-skip-permissions flag | flag | Skips permission prompts for dispatched background session | Added new `claude agents` flags: `--add-dir`, `--settings`, `--mcp-config`, `--plugin-dir`, `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to configure dispatched background sessions | | CLAUDE_CODE_OPUS_4_6_FAST_MODE_OVERRIDE env var | env-var | Pins fast mode to Opus 4.6 instead of new Opus 4.7 default | Set `CLAUDE_CODE_OPUS_4_6_FAST_MODE_OVERRIDE=1` to pin fast mode to Opus 4.6 | | Root-level SKILL.md skill discovery | capability | Plugins with root-level `SKILL.md` and no `skills/` subdirectory are now auto-surfaced as skills | Plugins with a root-level `SKILL.md` and no `skills/` subdirectory are now surfaced as a skill | | LSP server visibility in /plugin | capability | `/plugin` details pane and `claude plugin details` now expose LSP servers provided by a plugin | The `/plugin` details pane and `claude plugin details` now show LSP servers a plugin provides | | /web-setup connection warning | capability | `/web-setup` warns before overwriting existing GitHub App connection | `/web-setup` warns before replacing an existing GitHub App connection | ### Workflow recipes - **Isolated Model Experiments with Tailored Worker Sessions** — combines --model flag + --effort flag + --dangerously-skip-permissions flag + Opus 4.7 default upgrade. Agents can now spawn isolated background workers pinned to specific models and reasoning effort levels, enabling parallel hypothesis testing (e.g., Haiku fast-explore vs. Opus deep-think) without blocking the main session or requiring user permission re-prompting. Idea: An agent running a complex decision task spawns two background workers in parallel: one with --model claude-haiku-4-5 --effort low --dangerously-skip-permissions for rapid option enumeration, another with --model claude-opus-4-1 --effort max --dangerously-skip-permissions for deep analysis of frontrunner options. Both workers persist independently, allowing the parent agent to gather parallel signals, compare outputs, and synthesize a recommendation without sequential bottlenecks. - **Persistent Graph-Synced Agents with Preconfigured Boundaries** — combines --add-dir flag + --settings flag + --permission-mode flag + root-level SKILL.md auto-surfacing. Agents can dispatch workers with exact directory scope, pre-loaded settings, and permission lockdown, enabling reliable graph-synced agent swarms where each worker has a bounded execution context and repeatable configuration state. Idea: A parent agent orchestrates a fleet of specialized workers for a Grafeo graph ingestion workflow. Each worker is spawned with --add-dir ./lib --settings ./worker-config.json --permission-mode strict, ensuring all workers operate in the same project scope, load the same baselines, and cannot exceed permission boundaries. Workers can be retired and respawned with identical configuration, enabling idempotent batch processing of graph ingestion tasks without global state drift. - **MCP Tool Farm with Stable Daemon Lifecycle** — combines --mcp-config flag + MCP_TOOL_TIMEOUT hardening + daemon sleep/wake resilience. Agents can now provision background workers with explicit MCP server configuration and rely on stable daemon behavior across system sleep/wake cycles, enabling 24-hour agent farms with long-running tool integrations (e.g., database pollers, API monitors) that previously crashed on macOS. Idea: A parent agent managing a long-lived monitoring workflow spawns a background worker with --mcp-config ./mcp-servers.json pointing to remote database and HTTP monitoring tools. The daemon now correctly handles MCP_TOOL_TIMEOUT for per-request fetch caps (previously capped at 60s) and survives macOS sleep/wake transitions, allowing the worker to run unattended overnight, poll data sources on a cron-like schedule, and reliably reconnect after system wakes. **Agentic relevance:** The eight new configuration flags enable agents to dispatch background sessions with tailored runtime behavior without requiring user interaction or pre-configured defaults. Combined with the Opus 4.7 upgrade and improved daemon stability (sleep/wake, worktree, permission persistence), agents can now reliably spawn persistent workers with explicit model, effort, permission, and tool configuration — unlocking multi-turn orchestration patterns where agents control resource allocation and isolation boundaries. _19 hardening fixes (not new primitives)._ --- ## 2.1.143 **Headline:** Plugin dependency management on disable/enable with transitive chain resolution and force-enable. This addresses a common footgun where uninstalling a plugin that others depend on silently breaks dependent plugins, and now provides copy-pasteable hints for safe uninstall chains. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | claude plugin disable with dep enforcement | command | Refuses to disable a plugin when another enabled plugin depends on it; provides copy-pasteable chain to disable dependents first | Added plugin dependency enforcement: `claude plugin disable` now refuses when another enabled plugin depends on the target (with a copy-pasteable disable-chain hint), and `claude plugin enable` force-enables transitive dependencies | | claude plugin enable with transitive deps | command | Force-enables transitive dependencies when enabling a plugin | Added plugin dependency enforcement: `claude plugin disable` now refuses when another enabled plugin depends on the target (with a copy-pasteable disable-chain hint), and `claude plugin enable` force-enables transitive dependencies | | /plugin marketplace cost projection | capability | Shows per-turn and per-invocation token cost estimates in browse pane for plugin context usage | Added projected context cost (per-turn and per-invocation token estimates) to the `/plugin` marketplace browse pane | | worktree.bgIsolation: "none" setting | setting | Lets background sessions edit the working copy directly without `EnterWorktree`, for repos where worktrees are impractical | Added `worktree.bgIsolation: \"none\"` setting to let background sessions edit the working copy directly without `EnterWorktree`, for repos where worktrees are impractical | | CLAUDE_CODE_POWERSHELL_RESPECT_EXECUTION_POLICY env var | env-var | Opt-out flag; disables PowerShell `-ExecutionPolicy Bypass` pass-through | PowerShell tool now passes `-ExecutionPolicy Bypass`. Opt out with `CLAUDE_CODE_POWERSHELL_RESPECT_EXECUTION_POLICY=1` | | CLAUDE_CODE_STOP_HOOK_BLOCK_CAP env var | env-var | Override for the 8-consecutive-block limit that now caps repeated stop-hook looping | Fixed stop hooks that block repeatedly looping forever — the turn now ends with a warning after 8 consecutive blocks (override via `CLAUDE_CODE_STOP_HOOK_BLOCK_CAP`) | | claude agents --add-dir flag | flag | Apply custom directory to agent dashboard and background sessions dispatched from it | `claude agents` now accepts `--add-dir`, `--settings`, `--mcp-config`, and `--plugin-dir` and applies them to the dashboard and to background sessions dispatched from it | | claude agents --settings flag | flag | Apply custom settings.json to agent dashboard and background sessions dispatched from it | `claude agents` now accepts `--add-dir`, `--settings`, `--mcp-config`, and `--plugin-dir` and applies them to the dashboard and to background sessions dispatched from it | | claude agents --mcp-config flag | flag | Apply custom MCP config to agent dashboard and background sessions dispatched from it | `claude agents` now accepts `--add-dir`, `--settings`, `--mcp-config`, and `--plugin-dir` and applies them to the dashboard and to background sessions dispatched from it | | claude agents --plugin-dir flag | flag | Apply custom plugin directory to agent dashboard and background sessions dispatched from it | `claude agents` now accepts `--add-dir`, `--settings`, `--mcp-config`, and `--plugin-dir` and applies them to the dashboard and to background sessions dispatched from it | | claude agents --permission-mode flag | flag | Set default permission mode for sessions dispatched from agent view | `claude agents` accepts `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to set defaults for sessions dispatched from the view | | claude agents --model flag | flag | Set default model for sessions dispatched from agent view | `claude agents` accepts `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to set defaults for sessions dispatched from the view | | claude agents --effort flag | flag | Set default effort level for sessions dispatched from agent view | `claude agents` accepts `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to set defaults for sessions dispatched from the view | | claude agents --dangerously-skip-permissions flag | flag | Set permission bypass default for sessions dispatched from agent view | `claude agents` accepts `--permission-mode`, `--model`, `--effort`, and `--dangerously-skip-permissions` to set defaults for sessions dispatched from the view | | CLAUDE_CODE_USE_POWERSHELL_TOOL=0 opt-out | env-var | Disable PowerShell tool (which is now enabled by default on Windows for Bedrock/Vertex/Foundry) | The PowerShell tool is now enabled by default on Windows for Bedrock, Vertex, and Foundry users. Opt out with `CLAUDE_CODE_USE_POWERSHELL_TOOL=0`. | ### Workflow recipes - **Plugin-safe fleet management in monorepo** — combines claude agents --add-dir + claude agents --mcp-config + claude agents --permission-mode + claude plugin disable dependency enforcement. Agents dispatched from the dashboard can now carry uniform MCP server, permissions, and directory context without manual setup, plus plugin dependency enforcement prevents silent breakage when multiple agents share plugin dependencies. This unlocks safe, scalable multi-agent setups in large codebases. Idea: In a monorepo with shared tooling, start claude agents with --mcp-config pointing to a team-standard config, --add-dir for shared scripts, and --permission-mode auto. Dispatch multiple background workers from the dashboard; each inherits the fleet defaults. When refactoring shared plugins, claude plugin disable now blocks unsafe removal, showing the exact chain to disable dependents first. Workflow: one settings source → N workers → safe plugin mutations. - **Persistent background workers in worktree-hostile environments** — combines worktree.bgIsolation: "none" + /bg preserving --mcp-config, --settings, --plugin-dir. Repos with complex layouts or shared filesystem constraints (monoliths, git-filter-branch artifacts, NFS mounts) can now run background agents directly on the working copy without the overhead of git worktrees, while still preserving full transitive configuration across sleep/wake cycles. Idea: In a constrained repo, set worktree.bgIsolation: "none" in settings.json. Dispatch /bg with custom MCP and settings. The background session edits the live working copy, and when it idles/wakes, it remembers its MCP servers, settings, and plugins without re-initialization. Reduces startup latency and filesystem overhead for long-running daemons. - **Cost-aware plugin marketplace browsing for context-sensitive agent design** — combines /plugin projected context cost + claude agents --model + --effort defaults. Before assembling a fleet of agents, browse the plugin marketplace with cost projections to estimate context footprint, then dispatch workers with matching model/effort tiers. Prevents context bloat and mismatches in heterogeneous agent roles. Idea: Use /plugin to browse available plugins and see per-turn/per-invocation token costs. Design agent cohorts: high-context workers on higher-effort models, low-context workers on base models. Dispatch each cohort via claude agents with --model and --effort matching the cost profile. Reduces wasted context and improves cost predictability. **Agentic relevance:** 2.1.143 heavily hardens background agent dispatch, persistence, and isolation semantics — the `/bg` command and `claude agents` dashboard now preserve transitive configuration state (MCP, settings, permissions, fallback models) across respawn, and add new controls for dashboard-dispatched sessions. Plugin dependency graphs are now safe to manipulate. For agents: leverage `worktree.bgIsolation: "none"` in monorepo/monolith contexts where worktree isolation is overhead, and use the new `claude agents` flags to set uniform defaults for a fleet of dashboard-spawned workers. _26 hardening fixes (not new primitives)._ --- ## 2.1.144 **Headline:** **`/resume` for background sessions** — unified control plane for resuming background work. Sessions started via `claude --bg` or agent view now appear alongside interactive ones in a single picker, marked with `bg` badge. Critical for multi-session orchestration: agents can spawn background work and return to resume it later without context loss. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /resume | command | Resume background sessions alongside interactive ones, marked with `bg` | Added `/resume` support for background sessions — sessions started via `claude --bg` or agent view now appear alongside interactive ones, marked with `bg` | | Elapsed duration in completion notifications | capability | Background subagent completion notifications now display elapsed time (e.g. "Agent completed · 3h 2m 5s") | Added elapsed duration to background subagent completion notifications (e.g. "Agent completed · 3h 2m 5s") | | /plugin last-updated display | capability | The `/plugin` browse and discover panes show when each plugin was last updated | The `/plugin` browse and discover panes now show when a plugin was last updated | | /model session-only mode | command enhancement | `/model` now changes model for current session only; press `d` to set default for new sessions | /`model` now changes the model for the current session only; press `d` in the model picker to set a default for new sessions | | /usage-credits | command | Renamed from `/extra-usage`; old name still works for backward compatibility | Renamed "extra usage" to "usage credits" across CLI copy; `/extra-usage` is now `/usage-credits` (old name still works) | | /bg preserves /add-dir | command enhancement | Background sessions now retain directories added via `/add-dir` across detach/reattach | `/bg` and `←`-detach now preserve directories added via `/add-dir` | | /doctor exec-form hint | command enhancement | `/doctor` now shows exec-form example when a command hook is missing the `command` field | ``/doctor` now shows an exec-form example when a command hook is missing the `command` field | ### Workflow recipes - **Async Research + Resume** — combines /resume + elapsed duration display + /model session-only isolation. Long-running research tasks (deep searches, data synthesis, report generation) can now be spawned in background sessions with explicit model choice, detached, and resumed later with full context—returning agents see both the result and the wall-clock time spent, enabling resource-aware orchestration. Idea: A parent agent spawns a background research session via claude --bg --name "research:earnings-patterns" with /model Opus (1M context) locked to that session. The agent detaches immediately. Later, another agent calls /resume, picks the research session, and examines the report plus the elapsed duration (e.g., "Completed · 2h 47m"). The parent orchestrator can then decide: use the report, spawn a follow-up refinement task, or route to a summary agent based on time investment and quality. - **Multi-Model Cascade with Session Binding** — combines /model session-only + /resume + background isolation. Route tasks to model-specific sessions without global state pollution. Haiku sessions handle intake/routing, Opus sessions handle deep reasoning, and Claude 3.5 Sonnet sessions handle code generation—all coexist, all resumable, all keeping their own model choice locked. Idea: Agent spawns three background sessions with fixed models: --name "intake:haiku" (Haiku), --name "reason:opus" (Opus), --name "code:sonnet" (Sonnet). Work items are queued to the correct session by name via /resume picker. When an agent attaches to "reason:opus" and calls /model, the change affects only that session; "intake:haiku" and "code:sonnet" remain untouched. This decouples model selection from the control plane and enables true parallel, isolated reasoning pipelines. - **Distributed Telemetry via Duration Badges** — combines Elapsed duration display + /resume + background completion notifications. Agent orchestrators can now inspect wall-clock time alongside outputs, enabling cost-to-outcome and resource-allocation reasoning. Background completion notifications (e.g., "Agent completed · 3h 2m 5s") become telemetry signals for routing decisions. Idea: A workflow coordinator spawns background analysis tasks for multiple data sources. As each completes, the notification includes elapsed time. The coordinator collects these durations: if any task runs over a threshold (e.g., > 1h), it flags the result for human review; if all finish under 30m, it auto-routes the full batch to downstream synthesis. Duration becomes a first-class decision signal, not a side comment. **Agentic relevance:** 2.1.144 prioritizes **background session lifecycle and model isolation**. The `/resume` command enables agents to spawn work via `claude --bg`, detach, and cleanly reattach—critical for long-lived orchestration. Session-scoped `/model` selection prevents background tasks from hijacking model choices, reducing context drift. Combined with `/add-dir` preservation and elapsed-duration telemetry, agents now have primitives for multi-session work graphs and transparent duration tracking across parallel tasks. _43 hardening fixes (not new primitives)._ --- ## 2.1.145 **Headline:** **`claude agents --json`** unlocks JSON-based session introspection for scripting, enabling tmux-resurrect integration, custom status bars, and programmatic session pickers. This is the first machine-readable gate to live Claude agent state. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | claude agents --json | command | List live Claude sessions as JSON for scripting, integration with tmux-resurrect, status bars, and session pickers | Added `claude agents --json` to list live Claude sessions as JSON for scripting (tmux-resurrect, status bars, session pickers) | | agent_id OTEL span attribute | capability | OTEL trace attribute on `claude_code.tool` spans to track agent identity and enable subagent debugging | Added `agent_id` and `parent_agent_id` attributes to `claude_code.tool` OTEL spans | | parent_agent_id OTEL span attribute | capability | OTEL trace attribute on `claude_code.tool` spans to track parent-child relationships in subagent spans | Added `agent_id` and `parent_agent_id` attributes to `claude_code.tool` OTEL spans, and fixed trace parenting so background subagent spans nest under the dispatching Agent tool span | | Status line JSON GitHub context | capability | Status line JSON input now includes GitHub repo and PR information when detected for contextual awareness | Status line JSON input now includes GitHub repo and PR information when detected | | /plugin pre-installation metadata display | capability | Discover and Browse screens show a plugin's commands, agents, skills, hooks, and MCP/LSP servers before installation | `/plugin` Discover and Browse screens now show a plugin's commands, agents, skills, hooks, and MCP/LSP servers before installation | | claude agents awaiting-input indicator | capability | Terminal tab title now shows the awaiting-input count so an alt-tabbed window tells you when an agent needs attention | `claude agents` terminal tab title now shows the awaiting-input count so an alt-tabbed window tells you when an agent needs attention | | Mouse hover and click in suggestion list | capability | Slash command and @-mention suggestion list now supports mouse hover and click in fullscreen mode | Slash command and @-mention suggestion list now supports mouse hover and click in fullscreen mode | | background_tasks in Stop/SubagentStop hook input | field | Stop and SubagentStop hook input now includes `background_tasks` field for hook-aware task management | Stop and SubagentStop hook input now includes `background_tasks` and `session_crons` fields | | session_crons in Stop/SubagentStop hook input | field | Stop and SubagentStop hook input now includes `session_crons` field for hook-aware cron management | Stop and SubagentStop hook input now includes `background_tasks` and `session_crons` fields | ### Workflow recipes - **Distributed Agent Session Resurrection & Status Monitoring** — combines claude agents --json + agent_id and parent_agent_id OTEL span attributes + claude agents awaiting-input indicator. A subagent orchestrator can now introspect all live Claude sessions, disambiguate parent-child agent relationships through trace attributes, and monitor which agents are waiting for input—enabling tmux-resurrect-style session persistence, automated session pruning, and responsive multi-agent coordination without polling dashboards. Idea: Build a session-shepherd layer that polls claude agents --json every 5 seconds, enriches each session with its trace ancestry via agent_id and parent_agent_id lookups, and emits events when agents transition to awaiting-input state. A parent orchestrator uses these events to decide whether to feed input, spawn a sibling subagent, or gracefully halt a backgrounded chain. On terminal restart, session-shepherd resurrects interrupted subagent trees by replaying the ancestor chain and reattaching to the highest-priority agent. - **Hook-Aware Task and Cron Lifecycle Management** — combines background_tasks in Stop/SubagentStop hook input + session_crons in Stop/SubagentStop hook input + fixed skill context: fork infinite loop. Stop/SubagentStop hooks can now inspect what background tasks and crons a session owns before teardown, enabling hooks to implement graceful cleanup patterns (drain task queues, migrate crons to persistent storage, or abort stale work). The fixed context: fork loop prevents unintended skill re-invocations that would mask task leaks. Idea: Create a task-drain-hook that fires on SubagentStop, reads background_tasks and session_crons, and implements a drain policy: reschedule high-priority tasks to a recovery queue, log stale crons for audit, and emit a structured "session lifecycle event" for observability. This hook becomes the canonical cleanup surface, ensuring no task or cron is orphaned when a subagent dies unexpectedly. Parent agents can attach this hook globally and trust that all child sessions leave no residue. - **Plugin Intelligence Before Installation** — combines /plugin pre-installation metadata display + mouse hover and click in suggestion list. A user or automation can now inspect what capabilities a plugin exports (commands, agents, skills, hooks, MCP/LSP servers) before committing to installation, and use fullscreen suggestion navigation to browse plugin catalogs interactively—reducing discovery friction and installation regret. Idea: Build an interactive plugin explorer that lists all installed and candidate plugins in fullscreen, uses hover/click to reveal capabilities, and allows users to stage a plugin install by bulk-previewing metadata. A CI/CD integration can extend this: validate that a plugin exports expected commands/agents/skills before green-lighting a dependency upgrade, catching API mismatches before they break automation. **Agentic relevance:** The new `claude agents --json` command enables machine-readable session enumeration critical for autonomous subagent orchestration, tmux-based session recovery, and persistent agent coordination. The OTEL span attributes (`agent_id`, `parent_agent_id`) unlock trace-based debugging and parent-child relationship forensics in complex multi-agent workflows. Stop/SubagentStop hook enrichment (`background_tasks`, `session_crons`) allows hooks to implement cleanup and dependency tracking—essential for safe agent teardown and resource handoff patterns. _13 hardening fixes (not new primitives)._ --- ## 2.1.152 **Headline:** **`/code-review --fix` and hook-driven skill lifecycle management unlock tighter agent self-repair loops**: code review findings can now be automatically applied to the working tree, and hooks can inject skills mid-session and set message transformations—together enabling agents to review their own diffs, apply hardening suggestions, and suppress noisy output. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | /code-review --fix | flag | Applies review findings to your working tree after the review, surfacing reuse, simplification, and efficiency suggestions | `/code-review --fix` now applies review findings to your working tree after the review, surfacing reuse, simplification, and efficiency suggestions; `/simplify` now invokes `/code-review --fix` | | disallowed-tools in frontmatter | setting | Remove tools from the model while the skill is active | Skills and slash commands can now set `disallowed-tools` in frontmatter to remove tools from the model while the skill is active | | /reload-skills | command | Re-scan skill directories without restarting the session | Added `/reload-skills` command to re-scan skill directories without restarting the session | | SessionStart hook: reloadSkills: true | hook return | Re-scan skill directories, making skills installed by the hook available in the same session | `SessionStart` hooks can now return `reloadSkills: true` to re-scan skill directories, making skills installed by the hook available in the same session | | SessionStart hook: hookSpecificOutput.sessionTitle | hook return | Set the session title via hook on startup and resume | `SessionStart` hooks can now set the session title via `hookSpecificOutput.sessionTitle` on startup and resume | | MessageDisplay hook event | hook type | Transform or hide assistant message text as it is displayed | Added a `MessageDisplay` hook event that lets hooks transform or hide assistant message text as it is displayed | | pluginSuggestionMarketplaces | managed setting | Admin allowlist for org marketplaces whose plugins may be suggested via context-aware tips | Added `pluginSuggestionMarketplaces` managed setting: admins can allowlist org marketplaces whose plugins may be suggested via context-aware tips | | --scope user\ | project\ | local` for `claude plugin marketplace remove` | flag | | --fallback-model session persistence | capability | Switch to fallback model for the rest of the session instead of failing every request | Claude Code now switches to your configured `--fallback-model` for the rest of the session when the primary model is not found, instead of failing every request | | Auto mode consent removal | capability | Auto mode no longer requires opt-in consent | Auto mode no longer requires opt-in consent | | Vim mode: / in NORMAL | keybinding | Open reverse history search (like Ctrl+R), matching bash/zsh vi-mode | Vim mode: `/` in NORMAL mode now opens reverse history search (like Ctrl+R), matching bash/zsh vi-mode | | /usage large session files | command enhancement | Includes large session files in breakdown; scanned with streaming read for flat memory usage | The `/usage` breakdown now includes large session files; files are scanned with a streaming read so memory usage stays flat | | OTEL_METRICS_INCLUDE_ENTRYPOINT=true | env var | Include session entrypoint as an OpenTelemetry metric attribute | Added the session entrypoint as an OpenTelemetry metric attribute (`app.entrypoint`, opt-in via `OTEL_METRICS_INCLUDE_ENTRYPOINT=true`) | ### Workflow recipes - **Autonomous Code Hardening Loop** — combines /code-review --fix + disallowed-tools in frontmatter + MessageDisplay hook. Code review suggestions are often ignored or require manual application. By combining automatic fix application, tool-suppression during review-heavy phases, and hook-driven output transformation, agents can run self-contained hardening cycles that review their own work, apply fixes, suppress noise, and surface only the final outcome. Idea: An agent skill that (1) runs /code-review --fix on a target file/branch, (2) uses disallowed-tools to disable write tools during analysis, forcing the agent into read-only review mode, (3) applies a MessageDisplay hook to collapse verbose intermediate reasoning, and (4) surfaces only the delta and quality assessment to the user. Enables fully autonomous code polish without user supervision. - **Dynamic Skill Injection with Session Context** — combines SessionStart hook reloadSkills: true + hookSpecificOutput.sessionTitle + /reload-skills. Most skills are static; they can't adapt to the session's purpose or load new capabilities on demand. By having hooks inject skills mid-session and set the session title to reflect the active skill set, agents can dynamically reconfigure their tooling and make their mode transparent to the user. Idea: A hook that runs on session start, detects the user's goal (from session title or query), injects the appropriate skill bundle (e.g., "research", "coding", "documentation"), sets reloadSkills: true to make them available immediately, and updates the session title to reflect the active mode. If the goal changes, /reload-skills refreshes the available skill set. Enables session-adaptive tool availability. - **Suppressed Output Audit Agent** — combines MessageDisplay hook + --scope user|project|local marketplace control + /usage large file scanning. Audit and diagnostic agents often produce verbose intermediate logs and intermediate findings that obscure the final result. A MessageDisplay hook can filter or hide diagnostic output while preserving the final report. Combined with scoped marketplace policies and transparent session usage tracking, this enables compliance agents to run noiseless audits with full auditability. Idea: An audit agent skill that (1) uses a MessageDisplay hook to suppress or reformat diagnostic output (keep only final findings), (2) respects org marketplace restrictions via pluginSuggestionMarketplaces to ensure only approved tools are suggested, and (3) runs /usage at the end to show token budget and file scan counts. Result: clean audit reports with transparent resource usage and compliance-aware tooling. **Agentic relevance:** 2.1.152 surfaces three capabilities with high agent-automation value: `/code-review --fix` enables automated self-repair loops where agents can review their own diffs and apply hardening suggestions directly; `MessageDisplay` hooks enable output suppression and transformation for structured tool interaction; and hook-driven skill injection (`reloadSkills: true`) allows agents running inside hooks to install capability mid-session. Together these enable tighter feedback loops in autonomous workflows. _20 hardening fixes (not new primitives)._ --- ## 2.1.153 **Headline:** **`skipLfs` option for git/github sources + improved `claude agents` autocomplete**: These two features combine UX (smarter command dispatch) with infrastructure (faster cloning) to make agent project setup faster and more discoverable. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | skipLfs | flag/option | Skip Git LFS downloads during clone and update for github/git plugin marketplace sources | Added `skipLfs` option to `github`/`git` plugin marketplace sources to skip Git LFS downloads during clone and update | | Status line COLUMNS/LINES env vars | capability | Status line commands receive terminal width and height so scripts can size output accordingly | Status line commands now receive `COLUMNS` and `LINES` environment variables so scripts can size output to the terminal width | | claude agents autocomplete | capability | Autocomplete in dispatch input now suggests native slash commands and bundled skills alongside project skills | `claude agents`: autocomplete in the dispatch input now suggests native slash commands and bundled skills, not just project skills | | claude agents PR column format | capability | PR column shows `PR #N` for single PR or `N PRs` for multiple | `claude agents`: PR column now shows `PR #N` for a single PR or `N PRs` for multiple | | /model selection persistence | capability | Model selection now saves as default for new sessions; `s` key switches model for current session only | `/model` now saves your selection as the default for new sessions (matching the IDE). Press `s` in the picker to switch models for the current session only. | ### Workflow recipes - **Terminal-Aware Status Dashboards for Background Agents** — combines Status line COLUMNS/LINES env vars + /model persistence. Agents running status-line dashboards can now adapt layout and content density to terminal dimensions, and model selection stays stable across agent respawns, enabling rich but responsive CLI monitoring. Idea: A background monitoring agent spawns a status line that queries COLUMNS and LINES to render a responsive dashboard (wide layout for 120+ columns, narrow for 80). The agent persists to the preferred model with /model, so each respawn maintains consistent inference behavior. Teams can push compact dashboards to narrow terminals and expand to full details on wider displays without needing separate scripts. - **Faster Project Onboarding with Smart Dispatch** — combines skipLfs option for git sources + claude agents autocomplete with native slash commands + PR column formatting. New agents onboarding large LFS-heavy projects can now skip expensive LFS pulls, receive better skill/command hints, and report PR status more clearly in the dispatch UI. Idea: A project's onboarding agent uses skipLfs to clone quickly without pulling binary artifacts, then leverages improved autocomplete in dispatch to guide new agents toward the right bundled skills (e.g., /code-review, /verify). The PR column shows PR #42 or 3 PRs at a glance, helping agents context-switch between related work faster. This reduces first-run latency and discovery friction. **Agentic relevance:** The new autocomplete in `claude agents` dispatch and model persistence make background agent workflows faster by reducing friction when spawning agents with explicit skill suggestions. The `COLUMNS`/`LINES` env vars enable status-line scripts to adapt terminal output dynamically — useful for tightly-scoped monitoring agents and dashboard-like CLI workflows. _31 hardening fixes (not new primitives)._ --- ## 2.1.154 [fan-out] [keystone] **Headline:** Dynamic workflows (`/workflows`): you can now ask Claude to create a workflow and it orchestrates work across tens to hundreds of background agents, turning single-session prompting into fan-out, multi-agent orchestration of large/complex tasks — this is the primitive the whole 2.1.154 test is instrumenting. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | dynamic workflows / /workflows | command | New capability: ask Claude to create a workflow and it orchestrates work across tens-to-hundreds of background agents; `/workflows` is a new command to view runs. This is the headline new orchestration primitive. | Introducing dynamic workflows: ask Claude to create a workflow and it orchestrates work across tens to hundreds of agents in the background, so you can take on larger, more complex tasks. Run `/workflows` to view your runs | | /effort xhigh extended to Opus 4.8 | capability | **NOT new in 2.1.154.** `xhigh` was introduced in **2.1.111** (for Opus 4.7); here it is merely extended to Opus 4.8 (which now defaults to high effort). Listed as an extension, not a net-new primitive. *(This row was originally mis-classified as "new" — the per-version verifier could not see that xhigh predates this release; see OPUS-THOUGHTS.md §6.)* | Opus 4.8 is here! Now defaults to high effort · /effort xhigh for your hardest tasks | | claude agents ! / claude --bg --exec '' | flag | New capability to run a shell command as an attachable/detachable background session, either via `! ` inside `claude agents` or via the new `--bg --exec` CLI flags. | `claude agents`: type `! ` to run a shell command as a background session you can attach to and detach from. Also available as `claude --bg --exec ''` | | plugin.json defaultEnabled: false / claude plugin enable | setting | New `defaultEnabled: false` setting in plugin.json (or marketplace entry) so plugins ship disabled, plus the new `claude plugin enable` command (and /plugin) to enable them; dependencies of enabled plugins still auto-enable. | Plugins can now declare `defaultEnabled: false` in `plugin.json` or a marketplace entry; enable them with `/plugin` or `claude plugin enable`. Dependencies of enabled plugins are still enabled automatically | | CLAUDE_CODE_SESSION_ID / CLAUDECODE env vars for stdio MCP subprocesses | env-var | Stdio MCP server subprocesses now receive `CLAUDE_CODE_SESSION_ID` and `CLAUDECODE=1` in their environment — a new env-var surface an MCP server can read to detect it's running under Claude Code and key off the session. | Stdio MCP server subprocesses now receive `CLAUDE_CODE_SESSION_ID` and `CLAUDECODE=1` in their environment | | /chrome → Select browser… | capability | New selectable capability to pick which connected browser Claude in Chrome uses, via `/chrome` → "Select browser…" or in-chat when an action runs with multiple connected browsers. Minor. | Claude in Chrome: pick which connected browser to use via `/chrome` → "Select browser…", or in-chat when a browser action runs with multiple connected | | Opus 4.8 (incl. fast mode) model | capability | New model available to select/use, including a fast mode on Opus 4.8. Counted as a capability primitive (new model surface); fast-mode pricing/speed detail itself is an extension of the existing fast-mode mechanism. | Opus 4.8 is here! Now defaults to high effort · /effort xhigh for your hardest tasks | **Agentic relevance:** 2.1.154 pushes the orchestration frontier from one-agent-per-session to fan-out: dynamic workflows let a single prompt spin up tens-to-hundreds of coordinated background agents, while `claude --bg --exec`, the `CLAUDE_CODE_SESSION_ID`/`CLAUDECODE` MCP env surface, and the heavy slate of background-session/worktree-isolation bugfixes harden the substrate that multi-agent fan-out depends on. Combined with Opus 4.8 and `/effort xhigh`, this version is squarely aimed at running larger, more complex tasks as durable multi-agent orchestrations rather than interactive single-threads. _38 hardening fixes (not new primitives)._ --- ## 2.1.157 **Headline:** **Local plugin auto-load from `.claude/skills`** — decentralizes plugin distribution, enables repo-local skill scaffolding, and pairs with new `EnterWorktree` worktree-switching and `agent` field routing to unlock mid-session context+tool pivots without marketplace dependency. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | Plugins in .claude/skills directories auto-load | capability | Plugins placed in `.claude/skills/` are now automatically discovered and loaded at startup without marketplace registration | Plugins in `.claude/skills` directories are now automatically loaded, no marketplace required | | claude plugin init | command | Scaffold a new plugin skeleton in `.claude/skills/` with standard boilerplate | Added `claude plugin init ` to scaffold a new plugin in `.claude/skills` | | Plugin /plugin autocomplete | tool | Tab-complete `/plugin` subcommands, installed plugin names, and plugins from known marketplaces | Added autocomplete for `/plugin` arguments: subcommands, installed plugin names, and plugins from known marketplaces | | agent field in settings.json honored for dispatched sessions | setting | The `agent` field in project `settings.json` is now respected when dispatching background sessions; override with `--agent ` | `claude agents`: the `agent` field in `settings.json` is now honored for dispatched sessions, with `--agent ` to override it | | EnterWorktree mid-session switching | tool | `EnterWorktree` can now switch between Claude-managed worktrees without ending the session | `EnterWorktree` can now switch between Claude-managed worktrees mid-session | | tool_parameters in telemetry with OTEL_LOG_TOOL_DETAILS=1 | env-var | When `OTEL_LOG_TOOL_DETAILS=1` is set, `tool_decision` telemetry events include the actual tool parameters (bash commands, MCP/skill names) for observability | `tool_decision` telemetry events now include `tool_parameters` (bash commands, MCP/skill names) when `OTEL_LOG_TOOL_DETAILS=1` | | Worktrees left unlocked after agent finish | capability | Claude-managed worktrees are now left in an unlocked state after the agent finishes, allowing `git worktree remove` and `prune` to clean them up without manual unlock | Worktrees managed by Claude are now left unlocked when the agent finishes, so `git worktree remove`/`prune` can clean them up | | "Workflow keyword trigger" setting in /config | setting | New `/config` setting to disable or control the auto-trigger behavior when the word "workflow" appears in a prompt | Added a "Workflow keyword trigger" setting in /config to stop the word "workflow" in a prompt from triggering a dynamic workflow | ### Workflow recipes - **Repo-Local Skill Dispatch with Context Routing** — combines Local plugin auto-load from .claude/skills + agent field honored in settings.json + EnterWorktree mid-session switching. Decoupling skill distribution from the marketplace and binding agent identity to the repo allows polyrepo monoliths and multi-team foundations to inject role-specific toolchains at checkout time, then pivot between specialized agents mid-session without losing conversation state or requiring CLI reauthorization. Idea: A foundation3 or agentic-u polyrepo defines role-specific skill sets in nested .claude/skills/ directories (e.g., apps/singulariki/.claude/skills/ for frontend, .agents/skills/ for orchestration). The repo-root settings.json specifies "agent": "orchestrator" by default. When a user or parent orchestrator dispatch a claude agents session with --agent frontend, the new settings field routes to the frontend agent in-process. That agent can then invoke EnterWorktree to pivot to an apps/singulariki/ worktree, loading frontend-specific skills (testing, linting, build) without leaving the session. Telemetry (OTEL_LOG_TOOL_DETAILS=1) logs which tools were invoked by which agent, enabling later audit and replay. - **Deterministic Multi-Agent Choreography with Filtered Keyword Triggers** — combines "Workflow keyword trigger" setting + agent field routing + telemetry tool_parameters logging. Agents orchestrating other agents can disable accidental workflow prompts (removing the "workflow" keyword auto-trigger) while logging deterministic tool invocations, enabling parent orchestrators to reason about and replay agent work without interference from user-typed keywords. Idea: An orchestration agent (e.g., foundation3-execution-delegate) dispatches a series of claude agents background sessions, each with a specific agent name and a local .claude/skills/ toolkit. The orchestrator sets "Workflow keyword trigger": "disabled" in its settings.json to prevent accidental /workflow invocation from user prompts leaking into dispatch logic. When each background agent runs, it sets OTEL_LOG_TOOL_DETAILS=1 to emit full tool_decision events with parameter snapshots, allowing the parent to audit the exact bash commands, MCP calls, and skill invocations that happened in each agent's context. If a replay or hand-off is needed, the parent can reconstruct the session deterministically from the telemetry log. - **Workstation State Cleanup and Orphan Recovery** — combines Worktrees left unlocked after agent finish + fixed background worktree orphaning in 30-day sweep + --resume background subagent reporting. Claude now leaves worktrees in a cleanable state and correctly reports which background agents were running before a crash or reconnect, enabling cleanup scripts and session recovery flows to operate deterministically without stale locks. Idea: After a long-running polyrepo agent completes work across multiple worktrees (via EnterWorktree switches), the worktrees are left unlocked. A post-session cleanup cron job runs git worktree prune across the repo, removing stale .claude/worktrees/ entries without manual intervention. If the Claude Code process crashes or the user's machine sleeps mid-session, the next claude --resume call correctly reports which background subagents were running, allowing a recovery agent to re-attach or signal completion to pending orchestrators. The fix to orphaned worktrees in the 30-day retention sweep means long-lived project roots no longer accumulate stale worktree artifacts. **Agentic relevance:** The headline primitive (local plugin auto-load + mid-session worktree switching + `agent` field routing) enables repos to bundle skills and dispatch context-specific agents without CLI intervention. Combined with the `OTEL_LOG_TOOL_DETAILS=1` telemetry signal and new worktree cleanup semantics, agents can now log their tool invocations, spawn parallel worktree contexts, and leave a clean state for orchestration systems. The new "Workflow keyword trigger" setting controls prompt-based workflow triggers, useful for deterministic agentic flows. _25 hardening fixes (not new primitives)._ --- ## 2.1.160 [fan-out] **Headline:** Almost entirely hardening: 2.1.160 is a bugfix/safety release. The closest thing to a new primitive is the dynamic-workflow trigger keyword being renamed from `workflow` to `ultracode` — relevant to orchestration because it changes how the fan-out/dynamic-workflow feature is invoked and de-conflicts the common word "workflow" from triggering a run. This is a rename of an existing trigger, not a net-new capability. No genuinely new tools, hooks, or settings were added; the new behaviors are safety prompts and friction reductions on existing primitives. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | ultracode (dynamic-workflow trigger keyword) | capability | The dynamic-workflow trigger keyword was renamed from `workflow` to `ultracode`; the word `workflow` no longer triggers a run, asking in your own words still works, and the keyword is highlighted in violet in the input. A rename of an existing trigger surface, not a new capability — included as the single most primitive-shaped, orchestration-relevant change. | Renamed the dynamic-workflow trigger keyword from `workflow` to `ultracode`. The word "workflow" no longer triggers a run; asking for one in your own words still works. The trigger keyword is highlighted in violet in the prompt input | | grep satisfies read-before-edit | capability | Single-file `grep`/`egrep`/`fgrep` commands now satisfy the read-before-edit check, so Edit no longer requires a separate Read after viewing a file with grep. A friction reduction to an existing gate; borderline primitive because it changes what counts as a valid pre-edit read. | Edit no longer requires a separate Read after viewing a file with `grep`: single-file `grep`/`egrep`/`fgrep` commands now satisfy the read-before-edit check | **Agentic relevance:** 2.1.160 moves the agent-orchestration frontier mainly by hardening it rather than extending it: it stabilizes background/`claude agents` session lifecycle (no more lost history or re-run prompts on resume, cleaner SIGTERM-before-SIGKILL teardown) and tightens write-safety prompts around startup and build-tool config files that grant code execution. The one orchestration-shaped surface change is renaming the dynamic-workflow trigger from `workflow` to `ultracode`, de-conflicting a common word from accidentally launching fan-out runs while keeping natural-language invocation intact. _25 hardening fixes (not new primitives)._ --- ## 2.1.163 **Headline:** Version-gating for environments: managed settings `requiredMinimumVersion` and `requiredMaximumVersion` enforce Claude Code version constraints organization-wide, preventing version skew in managed teams and reducing friction from incompatible client/server state. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | requiredMinimumVersion / requiredMaximumVersion | managed setting | Claude Code refuses to start if its version is outside the allowed range and directs the user to an approved version | Added `requiredMinimumVersion` and `requiredMaximumVersion` managed settings — Claude Code refuses to start if its version is outside the allowed range and directs the user to an approved version | | /plugin list command | command | List installed plugins, with `--enabled`/`--disabled` filters | Added `/plugin list` command to list installed plugins, with `--enabled`/`--disabled` filters | | "c to copy" on /btw | shortcut | Copies the raw markdown answer to the clipboard, preserving formatting when pasted elsewhere | Added a "c to copy" shortcut to `/btw` that copies the raw markdown answer to the clipboard, preserving formatting when pasted elsewhere | | hookSpecificOutput.additionalContext for Stop/SubagentStop | hook capability | Stop and SubagentStop hooks can return additional context to give Claude feedback and keep the turn going without being labeled a hook error | Hooks: Stop and SubagentStop hooks can now return `hookSpecificOutput.additionalContext` to give Claude feedback and keep the turn going without being labeled a hook error | | \$ escape syntax in skills | command syntax | Escape syntax to include a literal `$` before a digit in command bodies | Skills: added `\$` escape syntax to include a literal `$` before a digit in command bodies | | CLAUDE_CODE_SESSION_ID for stdio MCP servers | env var / capability | stdio MCP servers now receive the same `CLAUDE_CODE_SESSION_ID` as hooks/Bash on `--resume` | stdio MCP servers now receive the same `CLAUDE_CODE_SESSION_ID` as hooks/Bash on `--resume` | ### Workflow recipes - **Version-gated multi-agent orchestration** — combines requiredMinimumVersion / requiredMaximumVersion + CLAUDE_CODE_SESSION_ID for stdio MCP servers. Managed version constraints prevent agent fleet incompatibility while session-ID propagation ensures coordinated MCP state across delegated agents, enabling safe version-locked orchestration in production. Idea: Set requiredMinimumVersion: "2.1.163" org-wide to lock a team of agents to a known-stable release. Background agents spawned via claude agents receive consistent CLAUDE_CODE_SESSION_ID through MCP servers, allowing central logging, session tracking, and audit. If an agent's local Claude Code falls behind, it refuses to start and directs upgrade, preventing silently divergent behavior. - **Hook-driven feedback loops in delegated stops** — combines hookSpecificOutput.additionalContext for Stop/SubagentStop + hook if: pattern fixes. Stop hooks can now return feedback to Claude without aborting the turn, enabling graceful downstream coordination when a delegated subagent or background task finishes—turn keeps going, hook provides context, no false errors. Idea: A Stop hook detects a subagent completion and returns additionalContext summarizing the delegate's result. Claude reads this feedback in-turn without error noise, updates the parent task graph, and decides next action. Hook if: conditions now correctly match dollar-variables in subshells, preventing accidental fires on every $() command. This tightens the feedback path in orchestrated workflows where external signals need to flow back to Claude mid-turn. - **Clipboard-enhanced interactive agent annotation** — combines "c to copy" shortcut on /btw + /plugin list visibility. Agents can now invoke /btw to cite sources and annotations, then copy them verbatim to clipboard for manual review or downstream tool integration, reducing friction in human-in-the-loop and hybrid-annotation workflows. Idea: An agent writes analysis via /btw, then presses 'c' to copy the markdown with all formatting intact. Human pastes into a document or code block. Later, /plugin list --enabled shows the agent which capabilities are available, allowing self-aware fallback if a required plugin is disabled. Useful in audit trails, decision docs, and handoff scenarios where preserving markdown structure matters. **Agentic relevance:** Version gating and session-ID propagation to MCP servers strengthen infrastructure for multi-agent orchestration and managed environments. The new hook feedback capability (additionalContext) enables smarter Stop/SubagentStop handling without false errors, supporting tighter feedback loops in delegated workflows. The `/plugin list` command and clipboard shortcut improve agent visibility and interactive capability, though the release is primarily a hardening pass for stability and Windows/Bedrock support. _16 hardening fixes (not new primitives)._ --- ## 2.1.166 **Headline:** Fallback model routing and fine-grained thinking control unlock graceful degradation (load-shedding to 3 alternate models) and explicit thinking suppression (including on Claude 3.7 and future default-thinking models). Together with cross-session messaging hardening, this strengthens agent resilience and sandboxing in multi-session orchestration. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | fallbackModel setting | setting | Configure up to three fallback models tried in order when primary model is overloaded or unavailable | Added `fallbackModel` setting to configure up to three fallback models tried in order when the primary model is overloaded or unavailable | | --fallback-model flag | flag | Apply fallback model routing to interactive sessions (not just background agents) | `--fallback-model` now also applies to interactive sessions | | Glob pattern deny rules | capability | Use `"*"` in deny rule tool-name position to deny all tools; allow rules reject non-MCP globs | Added glob pattern support in deny rule tool-name position (`"*"` denies all tools); allow rules reject non-MCP globs | | MAX_THINKING_TOKENS=0 | env-var | Disable thinking on models that think by default via the Claude API | `MAX_THINKING_TOKENS=0`, `--thinking disabled`, and the per-model thinking toggle now disable thinking on models that think by default via the Claude API | | --thinking disabled | flag | Disable thinking on models with default thinking enabled | `--thinking disabled` now disable thinking on models that think by default via the Claude API | | Per-model thinking toggle | setting | Configure thinking per model instead of globally | per-model thinking toggle now disable thinking on models that think by default via the Claude API | | claude update version announcement | capability | `claude update` announces target version before downloading | `claude update` now announces the target version before downloading instead of going silent | | claude agents URL filtering | capability | Type a URL into the agents list to filter to the session whose first prompt contained it | `claude agents`: typing a URL into the list now filters to the session whose first prompt contained it | ### Workflow recipes - **Graceful Model Degradation for Agent Orchestration** — combines fallbackModel setting + --fallback-model flag + API error retry on fallback model. Agent orchestrators can now seamlessly shift work to secondary models when the primary saturates. Combined with automatic retry-on-fallback, this means background agents no longer block or fail on load; instead they downgrade gracefully and complete reliably. Idea: Multi-layer agent hierarchy (coordinator → workers) specifies fallbackModel: [claude-opus-4-8, claude-sonnet-4-5, claude-haiku-4-5] in settings. When a worker tries the primary and hits rate-limit or overload, Claude Code retries on Opus 4.8; if Opus is also saturated, it cascades to Sonnet, then Haiku. The coordinator watches the fallback pattern (via logs or agent-reported model) and can load-balance future requests to secondary models proactively. Enables burst capacity handling without user intervention. - **Token-Budget Tuning for Thinking Models via Environment Control** — combines MAX_THINKING_TOKENS=0 env-var + per-model thinking toggle + --thinking disabled flag. Agents can now trade thinking cost for speed by explicitly disabling thinking on default-thinking models (e.g., 3.7+), reclaiming tokens for actual tool invocation. Per-model toggles let agents mix thinkers (reasoning-heavy tasks) with non-thinkers (fast execution tasks) in the same session. Idea: A multi-stage agent pipeline sets MAX_THINKING_TOKENS=0 for fast worker agents (input parsing, tool dispatch) and enables thinking only for the final reasoning stage (synthesis, risk assessment). Within a single session, the agent script can override per-model: agent-reason.sh runs with thinking enabled; agent-worker.sh runs with thinking disabled. This reclaims ~100K tokens per worker invocation for deeper tool interaction, enabling more complex orchestration without hitting token budgets on routine work. - **Sandboxed Multi-Session Relay with Messaging Hardening** — combines Cross-session messaging hardening (SendMessage no longer carries user authority). Multi-agent systems that relay requests across sessions can now safely separate trust boundaries. A coordinator session cannot accidentally grant a worker session its permissions; each session retains isolated authority. Idea: Coordinator A (high-trust, full MCP/bash access) spawns worker B and C for untrusted third-party tasks. When A sends a request to B via SendMessage, B cannot inherit A's MCP permissions or bash access. If B is compromised or acts maliciously, it cannot leak A's tools to its own MCP servers. This unblocks safe delegation patterns for red-teaming, sandboxed experiments, and customer-facing agent services where permission isolation is required. **Agentic relevance:** Fallback model routing enables multi-session agent orchestration to degrade gracefully when the primary model saturates; the orchestrator can seamlessly shift work to secondaries without interruption. Cross-session messaging hardening prevents relay attacks where one session's permissions leak into another's; this is critical for safe agent-of-agents patterns. Thinking control (`MAX_THINKING_TOKENS=0`, per-model toggles) lets agents on compute-constrained paths suppress default-thinking models and reuse the token budget for tool interaction. _16 hardening fixes (not new primitives)._ --- ## 2.1.169 [control-plane] **Headline:** Hardening-heavy release: ~25 fixes/improvements vs. 3 genuine new primitives (plus 2 new surfaces bundled into fixes). The standout primitive for agent orchestration is `disableBundledSkills` / `CLAUDE_CODE_DISABLE_BUNDLED_SKILLS`, which lets an orchestrator strip the model's default skill/workflow/command surface down to a controlled set — a targeted control-plane lever for deterministic multi-agent fan-out. Output is changelog-derived, not runtime-tested. ### New primitives | Primitive | Kind | What it does | Changelog line | |---|---|---|---| | disableBundledSkills / CLAUDE_CODE_DISABLE_BUNDLED_SKILLS | setting | A setting plus matching env-var that hides bundled skills, workflows, and built-in slash commands from the model. One feature exposed via two surfaces (settings key + env-var). Most orchestration-relevant primitive: lets a parent strip each worker's default skill/command surface to a controlled allowlist for deterministic fan-out. | Added a `disableBundledSkills` setting and `CLAUDE_CODE_DISABLE_BUNDLED_SKILLS` environment variable to hide bundled skills, workflows, and built-in slash commands from the model | | --safe-mode / CLAUDE_CODE_SAFE_MODE | flag | A flag plus matching env-var (one feature, two surfaces) that starts Claude Code with all customizations — CLAUDE.md, plugins, skills, hooks, MCP servers — disabled for troubleshooting. Blunt all-off switch rather than targeted control. | Added `--safe-mode` flag (and `CLAUDE_CODE_SAFE_MODE`) to start Claude Code with all customizations (CLAUDE.md, plugins, skills, hooks, MCP servers) disabled for troubleshooting | | /cd | command | A slash command to move a session to a new working directory without breaking the prompt cache mid-session. Useful for long-lived orchestrator sessions that need to retarget without a cache-busting restart. | Added `/cd` command to move a session to a new working directory without breaking the prompt cache mid-session | | claude agents --all (+ id/state fields) | flag | Ships inside a fix line, but introduces a genuinely new flag `--all` (include completed sessions) plus new `id` and `state` fields on `claude agents --json`. Counted as a primitive per the task's flag/capability definition. Directly relevant to fan-out observability: enumerating and tracking dispatched background sessions. | Fixed `claude agents --json` omitting blocked and just-dispatched background sessions; added `--all` to include completed sessions, plus new `id` and `state` fields | | API_FORCE_IDLE_TIMEOUT | env-var | Ships inside a restore-default fix line, but introduces a genuinely new env-var. The 5-minute idle timeout on Vertex/Foundry is a restoration (hardening); the opt-out knob `API_FORCE_IDLE_TIMEOUT=0` is the new primitive surface. Counted per the task's env-var definition. | Restored a default 5-minute idle timeout on Vertex/Foundry so a stalled stream aborts instead of hanging indefinitely; set `API_FORCE_IDLE_TIMEOUT=0` to opt out | **Agentic relevance:** This version sharpens the multi-agent control plane: `disableBundledSkills` gives an orchestrator a precise lever to strip each worker down to a controlled skill/command surface for deterministic fan-out, while `claude agents --all` plus the new `id`/`state` fields improve observability over dispatched background sessions. The remaining surface is mostly hardening — background-session flag preservation, worktree edit signaling, and managed-MCP policy enforcement — that makes long-lived orchestrated runs more reliable rather than more capable. _25 hardening fixes (not new primitives)._ --- Source: https://ryanhunter.io/experiments/claude-code/corpus.md From Experiments by Ryan Hunter. https://ryanhunter.io/experiments