PowerShell 5.1 permission bypass fixed; Bash redirects fail closed
v2.1.214
5 features3 enhancements30 fixesThis release5 featuresNew capabilities3 enhancementsImprovements to existing features30 fixesBug fixesAI-tallied from the release notes
From the original release noteView original ↗
What's changed
- Fixed single-segment
dir/**allow rules likeEdit(src/**)auto-approving writes to nesteddir/directories anywhere in the tree instead of only<cwd>/dir - Fixed a permission-check bypass affecting commands run in Windows PowerShell 5.1 sessions
- Fixed Bash permission checks to fail closed on file-descriptor redirect forms that bash parses differently than the permission analyzer
- Fixed Bash permission checks misjudging very long commands — commands over 10,000 characters now always prompt instead of running automatically
- Fixed Bash permission checks treating zsh variable subscripts and modifiers in
[[ ]]comparisons as inert text — these commands now prompt for approval - Fixed Bash permission checks to no longer auto-approve certain
helpandmancommands that could run unsafe options, command substitutions, or backslash paths - Fixed permission prompts on remote sessions that could proceed before the local confirmation dialog
- Added the EndConversation tool: Claude can end sessions with highly abusive users or jailbreak attempts, as on claude.ai since 2025 — see https://www.anthropic.com/research/end-subset-conversations
- Added a periodic progress heartbeat for long-running tool calls that previously went silent
- Added an ISO
modifiedtimestamp to memory file frontmatter - Added
message.uuid,client_request_id, andtool_sourceattributes to OpenTelemetry log events for message-level correlation and tool provenance - Added
CLAUDE_CODE_OTEL_CONTENT_MAX_LENGTHto configure the 60 KB truncation limit on OpenTelemetry content attributes - Added reasoning effort to the
subagentStatusLinepayload, so custom agent rows can render model and effort - Added permission prompts for
dockercommands (including the Podmandockershim) carrying daemon-redirect flags (--url,--connection,--identity, and Podman's remote mode) that previously ran without one - Fixed a crash when a GrowthBook feature evaluates to null, and a bug where a malformed flag payload could wipe the cached feature flags
- Fixed Bash tool killing the Claude session when a
pkill -fpattern accidentally matched the CLI's own process (Linux) - Fixed unbounded memory growth when
--settingspoints at a device file or multi-GB file; oversized (>2 MiB) settings files now fail at startup with a clear error - Fixed streaming turns failing with "Socket is closed" behind corporate proxies on Windows
- Fixed stream-json output truncation at exit for slow-reading SDK/pipeline consumers; the exit drain now scales with queued bytes instead of a flat 2s cap
- Fixed scheduled tasks refusing their own configured prompt as untrusted input — the fired prompt is now delivered as the session's assigned task
- Fixed PowerShell tool commands hanging until timeout when a child process waited on standard input (Windows)
- Fixed Python scripts under the PowerShell tool crashing with UnicodeDecodeError when reading non-UTF-8 data from standard input (Windows)
- Fixed Python scripts run via the PowerShell tool crashing with UnicodeEncodeError on non-ASCII output, and PowerShell 7 error messages containing raw ANSI escape sequences (Windows)
- Fixed the PowerShell tool reporting
where.exe,fc.exe, anddiff.exeas errors when they return a valid negative answer (Windows) - Fixed
>and>>under the PowerShell tool on Windows PowerShell 5.1 writing UTF-16LE files that other tools couldn't read as UTF-8 - Fixed a displaced background daemon deleting its successor's control socket on shutdown, which made the next client kill the healthy replacement daemon
- Fixed background sessions parked with
←or/backgroundand left idle keeping the background daemon and a worker process alive indefinitely - Fixed completed background sessions being impossible to remove via
claude rmor the agent view once the background service had gone idle - Fixed background sessions dispatched from a non-git folder being impossible to delete from the agents view
- Fixed reopening a stopped background session failing to restore its saved conversation when an unreadable folder exists in the session store
- Fixed the Remote Control "session ready" push notification firing for sessions where Remote Control was not explicitly enabled
- Fixed
/install-github-appand the/mcpsettings menu being blocked in agent-view sessions — they're now refused only in background sessions with no terminal attached - Fixed plugins enabled via the
--settingsCLI flag not loading (regression since v2.1.181) - Fixed feature flags going stale in long-running sessions after the OAuth token rotates
- Fixed
/ultrareviewrefusing to run in repos with no merge base — it now offers to review all tracked files - Fixed
claude updateandclaude doctorhanging silently, and the/statusSystem diagnostics section going blank, when a shell-config path is a directory - Fixed memory frontmatter values being silently truncated at an inline
#when memory files are saved - Fixed session cost and token telemetry double-counting on streams that emit multiple cumulative
message_deltaframes - Fixed a spurious "check your network" warning that appeared while the advisor was thinking
- Fixed hooks with exit code 2 not blocking as documented when the hook's stdout JSON fails schema validation
- Fixed OTel log events emitted outside the turn's async context missing the interaction span's trace context
- Fixed MCP transient errors during prompts/resources refresh clearing the server's slash commands and resources
- Improved the
claude rcworkspace-trust error in the home directory to say trust there is never saved and to suggest running from a project directory - Changed single-segment
dir/**hookif:conditions to match only<cwd>/dir; write**/dir/**for any-depth matching.deny/askpermission rules keep their any-depth match. - Changed
filecommands using-m/--magic-fileor-f/--files-fromto require permission instead of being auto-allowed as read-only - Changed keep-alive connection pooling to disable after a stale-connection error, so retries open a fresh socket
- Changed SessionStart hooks to report source
"fork"when a session begins as a fork instead of"resume"
Fetched July 18, 2026


