Release notes

Claude Code 2.1.98

· 7 new· 38 fixed

This release introduces an interactive Google Vertex AI setup wizard, providing streamlined configuration for GCP authentication, projects, and models directly from the login screen. Key additions include a Perforce integration mode to prevent accidental overwrites, a Monitor tool for live streaming of background script events, and enhanced security via subprocess sandboxing and new script invocation limits. The update also delivers numerous critical fixes addressing Bash tool permission bypasses, ensuring safer command execution, along with improvements to streaming responses, UI stability, and settings management for a more robust and reliable experience.

Added7

  • Added interactive Google Vertex AI setup wizard accessible from the login screen when selecting "3rd-party platform", guiding you through GCP authentication, project and region configuration, credential verification, and model pinning
  • Added `CLAUDE_CODE_PERFORCE_MODE` env var: when set, Edit/Write/NotebookEdit fail on read-only files with a `p4 edit` hint instead of silently overwriting them
  • Added Monitor tool for streaming events from background scripts
  • Added subprocess sandboxing with PID namespace isolation on Linux when `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB` is set, and `CLAUDE_CODE_SCRIPT_CAPS` env var to limit per-session script invocations
  • Added `--exclude-dynamic-system-prompt-sections` flag to print mode for improved cross-user prompt caching
  • Added `workspace.git_worktree` to the status line JSON input, set whenever the current directory is inside a linked git worktree
  • Added W3C `TRACEPARENT` env var to Bash tool subprocesses when OTEL tracing is enabled, so child-process spans correctly parent to Claude Code's trace tree

Improved9

  • Improved `/resume` filter hint labels and added project/worktree/branch names in the filter indicator
  • Improved footer indicators (Focus, notifications) to stay on the mode-indicator row instead of wrapping at narrow terminal widths
  • Improved `/agents` with a tabbed layout: a Running tab shows live subagents, and the Library tab adds Run agent and View running instance actions
  • Improved `/reload-plugins` to pick up plugin-provided skills without requiring a restart
  • Improved Accept Edits mode to auto-approve filesystem commands prefixed with safe env vars or process wrappers
  • Improved Vim mode: `j`/`k` in NORMAL mode now navigate history and select the footer pill at the input boundary
  • Improved hook errors in the transcript to include the first line of stderr for self-diagnosis without `--debug`
  • Improved OTEL tracing: interaction spans now correctly wrap full turns under concurrent SDK calls, and headless turns end spans per-turn
  • Improved transcript entries to carry final token usage instead of streaming placeholders

Changed3

  • LSP: Claude Code now identifies itself to language servers via `clientInfo` in the initialize request
  • Updated the `/claude-api` skill to cover Managed Agents alongside Claude API
  • Dropped `/compact` hints when `DISABLE_COMPACT` is set.

Fixed38

  • Fixed a Bash tool permission bypass where a backslash-escaped flag could be auto-allowed as read-only and lead to arbitrary code execution
  • Fixed compound Bash commands bypassing forced permission prompts for safety checks and explicit ask rules in auto and bypass-permissions modes
  • Fixed read-only commands with env-var prefixes not prompting unless the var is known-safe (`LANG`, `TZ`, `NO_COLOR`, etc.)
  • Fixed redirects to `/dev/tcp/...` or `/dev/udp/...` not prompting instead of auto-allowing
  • Fixed stalled streaming responses timing out instead of falling back to non-streaming mode
  • Fixed 429 retries burning all attempts in ~13s when the server returns a small `Retry-After` — exponential backoff now applies as a minimum
  • Fixed MCP OAuth `oauth.authServerMetadataUrl` config override not being honored on token refresh after restart, affecting ADFS and similar IdPs
  • Fixed capital letters being dropped to lowercase on xterm and VS Code integrated terminal when the kitty keyboard protocol is active
  • Fixed macOS text replacements deleting the trigger word instead of inserting the substitution
  • Fixed `--dangerously-skip-permissions` being silently downgraded to accept-edits mode after approving a write to a protected path via Bash
  • Fixed managed-settings allow rules remaining active after an admin removed them, until process restart
  • Fixed `permissions.additionalDirectories` changes not applying mid-session — removed directories lose access immediately and added ones work without restart
  • Fixed removing a directory from `additionalDirectories` revoking access to the same directory passed via `--add-dir`
  • Fixed `Bash(cmd:*)` and `Bash(git commit *)` wildcard permission rules failing to match commands with extra spaces or tabs
  • Fixed `Bash(...)` deny rules being downgraded to a prompt for piped commands that mix `cd` with other segments
  • Fixed false Bash permission prompts for `cut -d /`, `paste -d /`, `column -s /`, `awk '{print $1}' file`, and filenames containing `%`
  • Fixed permission rules with names matching JavaScript prototype properties (e.g. `toString`) causing `settings.json` to be silently ignored
  • Fixed agent team members not inheriting the leader's permission mode when using `--dangerously-skip-permissions`
  • Fixed a crash in fullscreen mode when hovering over MCP tool results
  • Fixed copying wrapped URLs in fullscreen mode inserting spaces at line breaks
  • Fixed file-edit diffs disappearing from the UI on `--resume` when the edited file was larger than 10KB
  • Fixed several `/resume` picker issues: `--resume <name>` opening uneditable, filter reload wiping search state, empty list swallowing arrow keys, cross-project staleness, and transient task-status text replacing conversation summaries
  • Fixed `/export` not honoring absolute paths and `~`, and silently rewriting user-supplied extensions to `.txt`
  • Fixed `/effort max` being denied for unknown or future model IDs
  • Fixed slash command picker breaking when a plugin's frontmatter `name` is a YAML boolean keyword
  • Fixed rate-limit upsell text being hidden after message remounts
  • Fixed MCP tools with `_meta["anthropic/maxResultSizeChars"]` not bypassing the token-based persist layer
  • Fixed voice mode leaking dozens of space characters into the input when re-holding the push-to-talk key while the previous transcript is still processing
  • Fixed `DISABLE_AUTOUPDATER` not fully suppressing the npm registry version check and symlink modification on npm-based installs
  • Fixed a memory leak where Remote Control permission handler entries were retained for the lifetime of the session
  • Fixed background subagents that fail with an error not reporting partial progress to the parent agent
  • Fixed prompt-type Stop/SubagentStop hooks failing on long sessions, and hook evaluator API errors showing "JSON validation failed" instead of the real message
  • Fixed feedback survey rendering when dismissed
  • Fixed Bash `grep -f FILE` / `rg -f FILE` not prompting when reading a pattern file outside the working directory
  • Fixed stale subagent worktree cleanup removing worktrees that contain untracked files
  • Fixed `sandbox.network.allowMachLookup` not taking effect on macOS
  • vscodeFixed false-positive "requires git-bash" error on Windows when `CLAUDE_CODE_GIT_BASH_PATH` is set or Git is installed at a default location
  • Fixed `CLAUDE_CODE_MAX_CONTEXT_TOKENS` to honor `DISABLE_COMPACT` when it is set.

Never miss a Claude Code release.

Get a push notification the moment the next version ships.

Get Claude Drops

New to the changelog? Read our guide to reading the Claude Code changelog or browse all releases.