TL;DR
Single-segment
dir/**allow rules now match only<cwd>/dir, not nested directories anywhere in the tree. If you have rules likeEdit(src/**), they still work for your project root but stop silently auto-approving writes to asrc/buried inside dependencies. (more below)Bash commands over 10,000 characters now always prompt instead of running automatically. If your workflow generates large inline commands (long seds, JSON payloads, codegen), expect new permission prompts where you previously had none.
Docker and Podman commands with daemon-redirect flags (
--url,--connection,--identity, remote mode) now require permission. Previously auto-approved; remote Docker daemon workflows will see new prompts.Scheduled tasks no longer refuse their own configured prompt as untrusted input. If your cron-fired routines were silently failing after this regression, they should resume working without changes.
New in 2.1.214
2.1.214 (July 18, 2026)
- Fixed single-segment
dir/**allow rules likeEdit(src/**)auto-approving writes to nesteddir/directories anywhere in the tree instead of only<cwd>/dir - Fixed a permission-check bypass affecting commands run in Windows PowerShell 5.1 sessions
- Fixed Bash permission checks to fail closed on file-descriptor redirect forms that bash parses differently than the permission analyzer
- Fixed Bash permission checks misjudging very long commands; commands over 10,000 characters now always prompt instead of running automatically
- Fixed Bash permission checks treating zsh variable subscripts and modifiers in
[[ ]]comparisons as inert text; these commands now prompt for approval - Fixed Bash permission checks to no longer auto-approve certain
helpandmancommands that could run unsafe options, command substitutions, or backslash paths - Fixed permission prompts on remote sessions that could proceed before the local confirmation dialog
- Added the EndConversation tool: Claude can end sessions with highly abusive users or jailbreak attempts, as on claude.ai since 2025
- Added a periodic progress heartbeat for long-running tool calls that previously went silent
- Added an ISO
modifiedtimestamp to memory file frontmatter - Added
message.uuid,client_request_id, andtool_sourceattributes to OpenTelemetry log events for message-level correlation and tool provenance - Added
CLAUDE_CODE_OTEL_CONTENT_MAX_LENGTHto configure the 60 KB truncation limit on OpenTelemetry content attributes - Added reasoning effort to the
subagentStatusLinepayload, so custom agent rows can render model and effort - Added permission prompts for
dockercommands (including the Podmandockershim) carrying daemon-redirect flags (--url,--connection,--identity, and Podman's remote mode) that previously ran without one - Fixed a crash when a GrowthBook feature evaluates to null, and a bug where a malformed flag payload could wipe the cached feature flags
- Fixed Bash tool killing the Claude session when a
pkill -fpattern accidentally matched the CLI's own process (Linux) - Fixed unbounded memory growth when
--settingspoints at a device file or multi-GB file; oversized (>2 MiB) settings files now fail at startup with a clear error - Fixed streaming turns failing with "Socket is closed" behind corporate proxies on Windows
- Fixed stream-json output truncation at exit for slow-reading SDK/pipeline consumers; the exit drain now scales with queued bytes instead of a flat 2s cap
- Fixed scheduled tasks refusing their own configured prompt as untrusted input; the fired prompt is now delivered as the session's assigned task
- Fixed PowerShell tool commands hanging until timeout when a child process waited on standard input (Windows)
- Fixed Python scripts under the PowerShell tool crashing with UnicodeDecodeError when reading non-UTF-8 data from standard input (Windows)
- Fixed Python scripts run via the PowerShell tool crashing with UnicodeEncodeError on non-ASCII output, and PowerShell 7 error messages containing raw ANSI escape sequences (Windows)
- Fixed the PowerShell tool reporting
where.exe,fc.exe, anddiff.exeas errors when they return a valid negative answer (Windows) - Fixed
>and>>under the PowerShell tool on Windows PowerShell 5.1 writing UTF-16LE files that other tools couldn't read as UTF-8 - Fixed a displaced background daemon deleting its successor's control socket on shutdown, which made the next client kill the healthy replacement daemon
- Fixed background sessions parked with
←or/backgroundand left idle keeping the background daemon and a worker process alive indefinitely - Fixed completed background sessions being impossible to remove via
claude rmor the agent view once the background service had gone idle - Fixed background sessions dispatched from a non-git folder being impossible to delete from the agents view
- Fixed reopening a stopped background session failing to restore its saved conversation when an unreadable folder exists in the session store
- Fixed the Remote Control "session ready" push notification firing for sessions where Remote Control was not explicitly enabled
- Fixed
/install-github-appand the/mcpsettings menu being blocked in agent-view sessions; they're now refused only in background sessions with no terminal attached - Fixed plugins enabled via the
--settingsCLI flag not loading (regression since v2.1.181) - Fixed feature flags going stale in long-running sessions after the OAuth token rotates
- Fixed
/ultrareviewrefusing to run in repos with no merge base; it now offers to review all tracked files - Fixed
claude updateandclaude doctorhanging silently, and the/statusSystem diagnostics section going blank, when a shell-config path is a directory - Fixed memory frontmatter values being silently truncated at an inline
#when memory files are saved - Fixed session cost and token telemetry double-counting on streams that emit multiple cumulative
message_deltaframes - Fixed a spurious "check your network" warning that appeared while the advisor was thinking
- Fixed hooks with exit code 2 not blocking as documented when the hook's stdout JSON fails schema validation
- Fixed OTel log events emitted outside the turn's async context missing the interaction span's trace context
- Fixed MCP transient errors during prompts/resources refresh clearing the server's slash commands and resources
- Improved the
claude rcworkspace-trust error in the home directory to say trust there is never saved and to suggest running from a project directory - Changed single-segment
dir/**hookif:conditions to match only<cwd>/dir; write**/dir/**for any-depth matching.deny/askpermission rules keep their any-depth match. - Changed
filecommands using-m/--magic-fileor-f/--files-fromto require permission instead of being auto-allowed as read-only - Changed keep-alive connection pooling to disable after a stale-connection error, so retries open a fresh socket
- Changed SessionStart hooks to report source
"fork"when a session begins as a fork instead of"resume"
Notes
Permission-rule scoping: the full picture
The dir/** scoping change is two fixes in one, and they work slightly differently. Allow rules like Edit(src/**) now correctly scope to <cwd>/src instead of matching any nested src/ directory anywhere in the checkout. Hook if: conditions with single-segment dir/** patterns also tightened, but they previously matched at any depth; to restore that behavior, rewrite to **/dir/**. The distinction matters: deny/ask permission rules keep their any-depth match, so this tightening only narrows allow rules and hook if: conditions.
This is the largest batch of Bash permission-analyzer fixes since at least 2.1.181. Seven distinct bypass vectors were closed in a single release: file-descriptor redirects, very long commands, zsh subscripts in conditionals, help/man subcommands, PowerShell 5.1, remote session race conditions, and the dir/** scoping bug. If you rely on the permission analyzer as a safety net for auto-approved commands, this release materially strengthens it.