Claude Code 2.1.98: Vertex AI, Perforce, Bash Hardening

Claude Code 2.1.98 adds Vertex AI setup, Perforce mode, subprocess sandboxing, and closes multiple Bash permission security gaps. Major fixes for permissions, streaming, and UI stability.

TL;DR

  • Google Vertex AI setup wizard for easier 3rd-party platform auth
  • Perforce mode prevents accidental overwrites of read-only files
  • Major Bash permission fixes closing multiple security gaps
  • Subprocess sandboxing with PID namespace isolation on Linux

New

  • Google Vertex AI setup wizard — Interactive guide from login screen for GCP auth, project/region config, and credential verification.
  • Perforce mode — Set CLAUDE_CODE_PERFORCE_MODE to fail Edit/Write/NotebookEdit on read-only files with a p4 edit hint instead of silently overwriting.
  • Monitor tool — Stream events from background scripts for better visibility into async operations.
  • Subprocess sandboxing — PID namespace isolation on Linux when CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is set; CLAUDE_CODE_SCRIPT_CAPS limits per-session script invocations.
  • LSP client identification — Claude Code now identifies itself to language servers via clientInfo in initialize requests.
  • OTEL tracing improvements — W3C TRACEPARENT env var added to Bash subprocesses; interaction spans now correctly wrap full turns under concurrent SDK calls.
  • Git worktree support — workspace.git_worktree added to status line JSON input.
  • Prompt caching flag — --exclude-dynamic-system-prompt-sections for improved cross-user caching in print mode.

Fixed

  • Bash permission bypass with escaped flags — Backslash-escaped flags could be auto-allowed as read-only, leading to arbitrary code execution.
  • Compound Bash commands bypassing prompts — Safety checks and explicit ask rules were being circumvented in auto and bypass-permissions modes.
  • Read-only commands with env-var prefixes — Now prompt unless the var is known-safe (LANG, TZ, NO_COLOR, etc.).
  • /dev/tcp and /dev/udp redirects — Now prompt instead of auto-allowing.
  • Bash wildcard permission rules — Bash(cmd:*) and Bash(git commit *) now match commands with extra spaces or tabs.
  • Bash deny rules for piped commands — Fixed false downgrades to prompts for piped commands mixing cd with other segments.
  • False Bash permission prompts — Fixed for cut -d /, paste -d /, column -s /, awk patterns, and filenames containing %.
  • Permission rules with prototype property names — Rules named toString, constructor, etc. no longer cause settings.json to be silently ignored.
  • Agent team permission inheritance — Team members now inherit leader's permission mode with --dangerously-skip-permissions.
  • Managed settings persistence — Removed allow rules now lose access immediately instead of remaining active until restart.
  • additionalDirectories mid-session changes — Removed directories lose access immediately; added ones work without restart.
  • Directory access conflicts — Removing a directory from additionalDirectories no longer revokes access if passed via --add-dir.
  • Stalled streaming responses — Now fall back to non-streaming mode instead of timing out.
  • 429 retry backoff — Exponential backoff now applies as minimum when server returns small Retry-After.
  • MCP OAuth metadata override — oauth.authServerMetadataUrl now honored on token refresh after restart (ADFS and similar IdPs).
  • Kitty keyboard protocol — Capital letters no longer dropped to lowercase on xterm and VS Code integrated terminal.
  • macOS text replacements — No longer delete trigger word instead of inserting substitution.
  • Dangerously-skip-permissions downgrade — No longer silently downgraded to accept-edits after approving a write to protected path.
  • Fullscreen mode crashes — Fixed crash when hovering over MCP tool results.
  • Wrapped URL copying — No longer inserts spaces at line breaks in fullscreen mode.
  • File-edit diffs on resume — Diffs no longer disappear for files larger than 10KB.
  • /resume picker issues — Fixed --resume <name> opening uneditable, filter reload wiping search state, empty list swallowing arrow keys, cross-project staleness, and task-status text replacing summaries.
  • /export path handling — Now honors absolute paths and ~; stops silently rewriting extensions to .txt.
  • /effort max validation — No longer denied for unknown or future model IDs.
  • Slash command picker — Fixed breaking when plugin frontmatter name is a YAML boolean keyword.
  • Voice mode input leaking — Fixed dozens of space characters leaking when re-holding push-to-talk while previous transcript processes.
  • DISABLE_AUTOUPDATER — Now fully suppresses npm registry version check and symlink modification.
  • Remote Control permission memory leak — Handler entries no longer retained for session lifetime.
  • Background subagent error reporting — Now reports partial progress to parent agent on failure.
  • Prompt-type hook failures — Stop/SubagentStop hooks no longer fail on long sessions; evaluator API errors show real message instead of "JSON validation failed".
  • Bash grep/rg pattern files — grep -f FILE and rg -f FILE now prompt when reading pattern file outside working directory.
  • Stale subagent worktree cleanup — No longer removes worktrees containing untracked files.
  • sandbox.network.allowMachLookup — Now takes effect on macOS.
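
The Bash permission fixes above (escaped flags, env-var prefixes, /dev/tcp and /dev/udp redirects, whitespace in wildcard rules) all come down to being conservative about what is auto-allowed as read-only. The sketch below is an added illustration, not Claude Code's implementation: READ_ONLY, tokens, matchesRule and classify are hypothetical names, SAFE_ENV holds only the three variables the notes name, and matchesRule takes the pattern inside Bash(...) rather than the Bash(cmd:*) form.

```javascript
// Added illustration of the checks listed above; not Claude Code's own code.
// Only the three variables the notes name; the real known-safe list is longer.
const SAFE_ENV = new Set(["LANG", "TZ", "NO_COLOR"]);
// Hypothetical read-only allowlist, assumed for this sketch.
const READ_ONLY = new Set(["ls", "cat", "grep", "date"]);

// Split on runs of spaces or tabs so extra whitespace cannot change a match.
function tokens(cmd) {
  return cmd.trim().split(/[ \t]+/).filter(Boolean);
}

// Match the pattern inside Bash(...), e.g. "git commit *", token by token.
function matchesRule(rule, cmd) {
  const r = tokens(rule), c = tokens(cmd);
  const wild = r[r.length - 1] === "*";
  const fixed = wild ? r.slice(0, -1) : r;
  if (c.length < fixed.length || (!wild && c.length !== fixed.length)) return false;
  return fixed.every((t, i) => t === c[i]);
}

// Return "allow" only for a single simple command that is plainly read-only.
function classify(cmd) {
  // Compound commands need per-segment checks; this sketch always asks.
  if (/[;&|`\n]|\$\(/.test(cmd)) return "prompt";
  // An escaped flag may not be the flag the shell finally passes on.
  if (cmd.includes("\\")) return "prompt";
  // Output redirects write; bash opens sockets for /dev/tcp and /dev/udp paths.
  if (cmd.includes(">") || /\/dev\/(tcp|udp)\//.test(cmd)) return "prompt";
  const t = tokens(cmd);
  let i = 0;
  // Leading NAME=value words change the environment the command runs in.
  while (i < t.length && /^[A-Za-z_][A-Za-z0-9_]*=/.test(t[i])) {
    if (!SAFE_ENV.has(t[i].split("=")[0])) return "prompt";
    i++;
  }
  return READ_ONLY.has(t[i]) ? "allow" : "prompt";
}

// Constructed sample commands.
for (const c of ["TZ=UTC date", "FOO=1 ls", "ls \\-l", "cat < /dev/tcp/example.invalid/80"]) {
  console.log(classify(c).padEnd(7), c);
}
```

Anything the sketch cannot prove is a single read-only command falls through to "prompt", so it over-asks rather than under-asks.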

Improved

  • /resume filter hints — Added project/worktree/branch names in filter indicator.
  • Footer indicators — Focus and notifications now stay on mode-indicator row instead of wrapping at narrow widths.
  • /agents command — Tabbed layout with Running tab for live subagents and Library tab with Run/View actions.
  • /reload-plugins — Now picks up plugin-provided skills without restart.
  • Accept Edits mode — Auto-approves filesystem commands prefixed with safe env vars or process wrappers.
  • Vim mode navigation — j/k in NORMAL mode now navigate history and select footer pill at input boundary.
  • Hook error diagnostics — Transcript now includes first line of stderr for self-diagnosis without --debug.
  • OTEL tracing — Headless turns now end spans per-turn; transcript entries carry final token usage instead of streaming placeholders.
  • /claude-api skill — Updated to cover Managed Agents alongside Claude API.
  • Windows Git detection — Fixed false-positive "requires git-bash" error when CLAUDE_CODE_GIT_BASH_PATH is set or Git is at its default location.
  • CLAUDE_CODE_MAX_CONTEXT_TOKENS — Now honors DISABLE_COMPACT when set; /compact hints dropped when disabled.

Update via npm install -g @anthropic-ai/claude-code@latest or your package manager.

Source: Claude Code