← All briefs
Matins
47 changes / 4 actionable / 2 deep dives
Claude Code

TL;DR

  • Single-segment dir/** allow rules now match only <cwd>/dir, not nested directories anywhere in the tree. If you have rules like Edit(src/**), they still work for your project root but stop silently auto-approving writes to a src/ buried inside dependencies. (more below)

  • Bash commands over 10,000 characters now always prompt instead of running automatically. If your workflow generates large inline commands (long seds, JSON payloads, codegen), expect new permission prompts where you previously had none.

  • Docker and Podman commands with daemon-redirect flags (--url, --connection, --identity, remote mode) now require permission. Previously auto-approved; remote Docker daemon workflows will see new prompts.

  • Scheduled tasks no longer refuse their own configured prompt as untrusted input. If your cron-fired routines were silently failing after this regression, they should resume working without changes.

New in 2.1.214

2.1.214 (July 18, 2026)

  • Fixed single-segment dir/** allow rules like Edit(src/**) auto-approving writes to nested dir/ directories anywhere in the tree instead of only <cwd>/dir
  • Fixed a permission-check bypass affecting commands run in Windows PowerShell 5.1 sessions
  • Fixed Bash permission checks to fail closed on file-descriptor redirect forms that bash parses differently than the permission analyzer
  • Fixed Bash permission checks misjudging very long commands; commands over 10,000 characters now always prompt instead of running automatically
  • Fixed Bash permission checks treating zsh variable subscripts and modifiers in [[ ]] comparisons as inert text; these commands now prompt for approval
  • Fixed Bash permission checks to no longer auto-approve certain help and man commands that could run unsafe options, command substitutions, or backslash paths
  • Fixed permission prompts on remote sessions that could proceed before the local confirmation dialog
  • Added the EndConversation tool: Claude can end sessions with highly abusive users or jailbreak attempts, as on claude.ai since 2025
  • Added a periodic progress heartbeat for long-running tool calls that previously went silent
  • Added an ISO modified timestamp to memory file frontmatter
  • Added message.uuid, client_request_id, and tool_source attributes to OpenTelemetry log events for message-level correlation and tool provenance
  • Added CLAUDE_CODE_OTEL_CONTENT_MAX_LENGTH to configure the 60 KB truncation limit on OpenTelemetry content attributes
  • Added reasoning effort to the subagentStatusLine payload, so custom agent rows can render model and effort
  • Added permission prompts for docker commands (including the Podman docker shim) carrying daemon-redirect flags (--url, --connection, --identity, and Podman's remote mode) that previously ran without one
  • Fixed a crash when a GrowthBook feature evaluates to null, and a bug where a malformed flag payload could wipe the cached feature flags
  • Fixed Bash tool killing the Claude session when a pkill -f pattern accidentally matched the CLI's own process (Linux)
  • Fixed unbounded memory growth when --settings points at a device file or multi-GB file; oversized (>2 MiB) settings files now fail at startup with a clear error
  • Fixed streaming turns failing with "Socket is closed" behind corporate proxies on Windows
  • Fixed stream-json output truncation at exit for slow-reading SDK/pipeline consumers; the exit drain now scales with queued bytes instead of a flat 2s cap
  • Fixed scheduled tasks refusing their own configured prompt as untrusted input; the fired prompt is now delivered as the session's assigned task
  • Fixed PowerShell tool commands hanging until timeout when a child process waited on standard input (Windows)
  • Fixed Python scripts under the PowerShell tool crashing with UnicodeDecodeError when reading non-UTF-8 data from standard input (Windows)
  • Fixed Python scripts run via the PowerShell tool crashing with UnicodeEncodeError on non-ASCII output, and PowerShell 7 error messages containing raw ANSI escape sequences (Windows)
  • Fixed the PowerShell tool reporting where.exe, fc.exe, and diff.exe as errors when they return a valid negative answer (Windows)
  • Fixed > and >> under the PowerShell tool on Windows PowerShell 5.1 writing UTF-16LE files that other tools couldn't read as UTF-8
  • Fixed a displaced background daemon deleting its successor's control socket on shutdown, which made the next client kill the healthy replacement daemon
  • Fixed background sessions parked with or /background and left idle keeping the background daemon and a worker process alive indefinitely
  • Fixed completed background sessions being impossible to remove via claude rm or the agent view once the background service had gone idle
  • Fixed background sessions dispatched from a non-git folder being impossible to delete from the agents view
  • Fixed reopening a stopped background session failing to restore its saved conversation when an unreadable folder exists in the session store
  • Fixed the Remote Control "session ready" push notification firing for sessions where Remote Control was not explicitly enabled
  • Fixed /install-github-app and the /mcp settings menu being blocked in agent-view sessions; they're now refused only in background sessions with no terminal attached
  • Fixed plugins enabled via the --settings CLI flag not loading (regression since v2.1.181)
  • Fixed feature flags going stale in long-running sessions after the OAuth token rotates
  • Fixed /ultrareview refusing to run in repos with no merge base; it now offers to review all tracked files
  • Fixed claude update and claude doctor hanging silently, and the /status System diagnostics section going blank, when a shell-config path is a directory
  • Fixed memory frontmatter values being silently truncated at an inline # when memory files are saved
  • Fixed session cost and token telemetry double-counting on streams that emit multiple cumulative message_delta frames
  • Fixed a spurious "check your network" warning that appeared while the advisor was thinking
  • Fixed hooks with exit code 2 not blocking as documented when the hook's stdout JSON fails schema validation
  • Fixed OTel log events emitted outside the turn's async context missing the interaction span's trace context
  • Fixed MCP transient errors during prompts/resources refresh clearing the server's slash commands and resources
  • Improved the claude rc workspace-trust error in the home directory to say trust there is never saved and to suggest running from a project directory
  • Changed single-segment dir/** hook if: conditions to match only <cwd>/dir; write **/dir/** for any-depth matching. deny/ask permission rules keep their any-depth match.
  • Changed file commands using -m/--magic-file or -f/--files-from to require permission instead of being auto-allowed as read-only
  • Changed keep-alive connection pooling to disable after a stale-connection error, so retries open a fresh socket
  • Changed SessionStart hooks to report source "fork" when a session begins as a fork instead of "resume"

Notes

Permission-rule scoping: the full picture

The dir/** scoping change is two fixes in one, and they work slightly differently. Allow rules like Edit(src/**) now correctly scope to <cwd>/src instead of matching any nested src/ directory anywhere in the checkout. Hook if: conditions with single-segment dir/** patterns also tightened, but they previously matched at any depth; to restore that behavior, rewrite to **/dir/**. The distinction matters: deny/ask permission rules keep their any-depth match, so this tightening only narrows allow rules and hook if: conditions.

This is the largest batch of Bash permission-analyzer fixes since at least 2.1.181. Seven distinct bypass vectors were closed in a single release: file-descriptor redirects, very long commands, zsh subscripts in conditionals, help/man subcommands, PowerShell 5.1, remote session race conditions, and the dir/** scoping bug. If you rely on the permission analyzer as a safety net for auto-approved commands, this release materially strengthens it.