TL;DR

• The CLI now spawns a native platform binary instead of bundled JavaScript. If you have custom launch scripts, shell aliases, or process managers wrapping claude, verify they still work after updating (more below).

• Three security fixes tighten Bash permission matching. Deny rules now catch commands wrapped in env/sudo/watch/setsid; Bash(find:*) no longer auto-approves -exec/-delete; and macOS /private paths are now dangerous removal targets (more below).

• Stalled subagents now fail with a clear error after 10 minutes. Previously they hung silently, so workflows that relied on indefinite waits will now surface a timeout.

• sandbox.network.deniedDomains lets you block specific domains within a wildcard allow. Useful if you permit *.example.com but need to carve out exceptions for sensitive endpoints.

New in 2.1.113, 2.1.114

2.1.114 (April 19, 2026)

• Fixed a crash in the permission dialog when an agent teams teammate requested tool permission

2.1.113 (April 19, 2026)

• Changed the CLI to spawn a native Claude Code binary (via a per-platform optional dependency) instead of bundled JavaScript
• Added sandbox.network.deniedDomains setting to block specific domains even when a broader allowedDomains wildcard would otherwise permit them
• Fullscreen mode: Shift+Up/Down now scrolls the viewport when extending a selection past the visible edge
• Ctrl+A and Ctrl+E now move to the start/end of the current logical line in multiline input, matching readline behavior
• Windows: Ctrl+Backspace now deletes the previous word
• Long URLs in responses and bash output stay clickable when they wrap across lines (in terminals with OSC 8 hyperlinks)
• Improved /loop: pressing Esc now cancels pending wakeups, and wakeups display as "Claude resuming /loop wakeup" for clarity
• /extra-usage now works from Remote Control (mobile/web) clients
• Remote Control clients can now query @-file autocomplete suggestions
• Improved /ultrareview: faster launch with parallelized checks, diffstat in the launch dialog, and animated launching state
• Subagents that stall mid-stream now fail with a clear error after 10 minutes instead of hanging silently
• Bash tool: multi-line commands whose first line is a comment now show the full command in the transcript, closing a UI-spoofing vector
• Running cd <current-directory> && git no longer triggers a permission prompt when the cd is a no-op
• Security: on macOS, /private/{etc,var,tmp,home} paths are now treated as dangerous removal targets under Bash(rm:*) allow rules
• Security: Bash deny rules now match commands wrapped in env/sudo/watch/ionice/setsid and similar exec wrappers
• Security: Bash(find:*) allow rules no longer auto-approve find -exec/-delete
• Fixed MCP concurrent-call timeout handling where a message for one tool call could silently disarm another call's watchdog
• Fixed Cmd-backspace / Ctrl+U to once again delete from the cursor to the start of the line
• Fixed markdown tables breaking when a cell contains an inline code span with a pipe character
• Fixed session recap auto-firing while composing unsent text in the prompt
• Fixed /copy "Full response" not aligning markdown table columns for pasting into GitHub, Notion, or Slack
• Fixed messages typed while viewing a running subagent being hidden from its transcript and misattributed to the parent AI
• Fixed Bash dangerouslyDisableSandbox running commands outside the sandbox without a permission prompt
• Fixed /effort auto confirmation, now says "Effort level set to max" to match the status bar label
• Fixed the "copied N chars" toast overcounting emoji and other multi-code-unit characters
• Fixed /insights crashing with EBUSY on Windows
• Fixed exit confirmation dialog mislabeling one-shot scheduled tasks as recurring, now shows a countdown
• Fixed slash/@ completion menu not sitting flush against the prompt border in fullscreen mode
• Fixed CLAUDE_CODE_EXTRA_BODY output_config.effort causing 400 errors on subagent calls to models that don't support effort and on Vertex AI
• Fixed prompt cursor disappearing when NO_COLOR is set
• Fixed ToolSearch ranking so pasted MCP tool names surface the actual tool instead of description-matching siblings
• Fixed compacting a resumed long-context session failing with "Extra usage is required for long context requests"
• Fixed plugin install succeeding when a dependency version conflicts with an already-installed plugin, now reports range-conflict
• Fixed "Refine with Ultraplan" not showing the remote session URL in the transcript
• Fixed SDK image content blocks that fail to process crashing the session, now degrade to a text placeholder
• Fixed Remote Control sessions not streaming subagent transcripts
• Fixed Remote Control sessions not being archived when Claude Code exits
• Fixed thinking.type.enabled is not supported 400 error when using Opus 4.7 via a Bedrock Application Inference Profile ARN

Notes