Bash security overhaul closes 4 permission bypass holes; 37 fixes sweep /resume, voice mode, hooks, and MCP. Vertex AI setup wizard and Linux subprocess sandboxing also debut.
CLAUDE_CODE_PERFORCE_MODE env var: when set, Edit/Write/NotebookEdit fail on read-only files with a p4 edit hint instead of silently overwriting themCLAUDE_CODE_SUBPROCESS_ENV_SCRUB is set, and CLAUDE_CODE_SCRIPT_CAPS env var to limit per-session script invocations--exclude-dynamic-system-prompt-sections flag to print mode for improved cross-user prompt cachingworkspace.git_worktree to the status line JSON input, set whenever the current directory is inside a linked git worktreeTRACEPARENT env var to Bash tool subprocesses when OTEL tracing is enabled, so child-process spans correctly parent to Claude Code's trace tree/resume filter hint labels and added project/worktree/branch names in the filter indicator/agents with a tabbed layout: a Running tab shows live subagents, and the Library tab adds Run agent and View running instance actions/reload-plugins to pick up plugin-provided skills without requiring a restartj/k in NORMAL mode now navigate history and select the footer pill at the input boundary--debugLANG, TZ, NO_COLOR, etc.)/dev/tcp/... or /dev/udp/... not prompting instead of auto-allowingRetry-After — exponential backoff now applies as a minimumoauth.authServerMetadataUrl config override not being honored on token refresh after restart, affecting ADFS and similar IdPs--dangerously-skip-permissions being silently downgraded to accept-edits mode after approving a write to a protected path via Bashpermissions.additionalDirectories changes not applying mid-session — removed directories lose access immediately and added ones work without restartadditionalDirectories revoking access to the same directory passed via --add-dirBash(cmd:*) and Bash(git commit *) wildcard permission rules failing to match commands with extra spaces or tabsBash(...) deny rules being downgraded to a prompt for piped commands that mix cd with other segmentscut -d /, paste -d /, column -s /, awk '{print $1}' file, and filenames containing %toString) causing settings.json to be silently ignored--dangerously-skip-permissions--resume when the edited file was larger than 10KB/resume picker issues: --resume <name> opening uneditable, filter reload wiping search state, empty list swallowing arrow keys, cross-project staleness, and transient task-status text replacing conversation summaries/export not honoring absolute paths and ~, and silently rewriting user-supplied extensions to .txt/effort max being denied for unknown or future model IDsname is a YAML boolean keyword_meta["anthropic/maxResultSizeChars"] not bypassing the token-based persist layerDISABLE_AUTOUPDATER not fully suppressing the npm registry version check and symlink modification on npm-based installsgrep -f FILE / rg -f FILE not prompting when reading a pattern file outside the working directorysandbox.network.allowMachLookup not taking effect on macOSCLAUDE_CODE_MAX_CONTEXT_TOKENS to honor DISABLE_COMPACT when it is set./claude-api skill to cover Managed Agents alongside Claude APIclientInfo in the initialize requestCLAUDE_CODE_GIT_BASH_PATH is set or Git is installed at a default location/compact hints when DISABLE_COMPACT is set.