
Claude Code v2.1.213 to v2.1.214 Major Updates - Claude Fable 5 is now included in all Max and Team Premium plans, available at 50% of the limit
This page has been translated by machine translation. View original
This is Ishikawa from the Cloud Business Division. I'll summarize the Claude Code updates for v2.1.213 ~ v2.1.214 (2026-07-17 ~ 2026-07-18). This release feels like one where permission check fixes and changes take center stage over new features.
Here is the previous update article.
Update Summary
This covers 2 versions (v2.1.213 ~ v2.1.214, 2026-07-17 ~ 2026-07-18). There are 47 changes in total, broken down as follows: 9 security-related, 3 new features, 2 breaking changes, 5 improvements, and 28 bug fixes. Fixes are concentrated around Bash/PowerShell permission checks, Windows environments, and background sessions.
Note that starting July 20, Claude Fable 5 will be included in all Max and Team Premium plans and available at 50% of the limit.
Highlighted Updates
Change to Match Scope for Single-Segment dir/** Patterns (v2.1.214)
A bug was fixed where single-segment dir/** allow rules such as Edit(src/**) were automatically approving writes to any dir/ directory anywhere in the tree, when they should only target <cwd>/dir. Additionally, single-segment dir/** patterns in hook if: conditions have been changed to match only <cwd>/dir (see the Breaking Changes section below for details).
Those using allow rules like src/** in a monorepo may see an increase in approval prompts after updating, so it may be worth considering rewriting them in the **/src/** format as needed.
The actual behavior is introduced in the "Trying Out the Change to Edit(src/**) Allow Rule Scope" section below.
Windows PowerShell 5.1 Permission Check Bypass Fix (v2.1.214)
A permission check bypass affecting commands executed in Windows PowerShell 5.1 sessions was fixed.
For environments running commands in Windows PowerShell 5.1, an early update is recommended from a security perspective.
Addition of the EndConversation Tool (v2.1.214)
The EndConversation tool has been added. Similar to what has been available on claude.ai since 2025, Claude itself can now terminate a session in response to severely abusive users or jailbreak attempts.
While this is unlikely to be encountered in normal development use, it means the CLI now has the same safety mechanism as claude.ai, and I feel it is reassuring to understand its behavior.
Fix for Session Termination by pkill -f (v2.1.214)
A bug on Linux was fixed where, if the pattern of a pkill -f executed by the Bash tool happened to accidentally match the CLI's own process, the Claude session itself would terminate.
For those who frequently use pkill -f to clean up processes, this is a welcome fix that eliminates the risk of an active session being taken down as collateral damage.
Target Versions and Period
| Version | Release Date | Notes |
|---|---|---|
| v2.1.213 | 2026-07-17 | Not listed in CHANGELOG |
| v2.1.214 | 2026-07-18 | All changes in this article are this version |
New Features
- Added EndConversation tool (mentioned above) (v2.1.214)
- Added
message.uuid,client_request_id, andtool_sourceattributes to OpenTelemetry log events. Enables message-level correlation analysis and tool origin tracking (v2.1.214) - Added environment variable
CLAUDE_CODE_OTEL_CONTENT_MAX_LENGTHto configure the 60 KB truncation limit for OpenTelemetry content attributes (v2.1.214)
Improvements
- Added periodic progress heartbeat display for long-running tool calls that previously showed no response (v2.1.214)
- Added ISO-format
modifiedtimestamp to the front matter of memory files (v2.1.214) - Added reasoning effort to
subagentStatusLinepayload. Enables displaying model and effort in custom agent lines (v2.1.214) - Improved workspace trust error message when running
claude rcin the home directory (v2.1.214) - Disabled keep-alive connection pooling after errors from stale connections, and changed to open a new socket on retry (v2.1.214)
Security-Related Fixes and Enhancements
In addition to the permission rule and Windows PowerShell 5.1 fixes mentioned above, numerous permission check enhancements have been made (all v2.1.214).
- Fixed Bash permission checks to fail closed (safe side) for file descriptor redirect formats that bash and the permission analyzer interpret differently
- Fixed commands longer than 10,000 characters to never auto-execute and always display a confirmation prompt
- Fixed Bash permission checks that were treating zsh variable subscripts and modifiers inside
[[ ]]comparisons as inert text. These commands now display an approval prompt - Fixed certain
helpandmancommands that could execute unsafe options, command substitutions, or backslash paths from being auto-approved - Fixed a bug where permission prompts for remote sessions could proceed before local confirmation dialogs
- Added permission prompts for
dockercommands (including Podman'sdockershim) with daemon redirect flags (--url,--connection,--identity, Podman remote mode) - Changed
filecommands using-m/--magic-fileor-f/--files-fromto require permission confirmation rather than being auto-approved as read-only
Fixes (Major Ones)
A selection of fixes related to stability and usability (all v2.1.214).
- Fixed session termination by
pkill -f: Fixed a bug on Linux where the Claude session would terminate if the pattern happened to match the CLI's own process - Fixed streaming failures behind corporate proxies: Fixed a bug where streaming turns would fail with "Socket is closed" errors on Windows behind corporate proxies
- Fixed stream-json output truncation: Fixed a bug where output for slow-reading SDK and pipeline consumers was being truncated at exit. Drain processing at exit now scales based on the number of bytes in the queue
- Fixed scheduled task prompt rejection: Fixed a bug where scheduled tasks were rejecting their own configured prompts as untrusted input
- Fixed PowerShell redirect character encoding: Fixed a bug on Windows PowerShell 5.1 where
>and>>would write UTF-16LE files, making them unreadable as UTF-8 by other tools - Fixed background session process lingering: Fixed a bug where sessions left idle after being detached with
←or/backgroundwould keep daemon and worker processes running indefinitely - Fixed
--settingsplugin regression: Fixed a bug where plugins enabled via the--settingsCLI flag were not being loaded (regression from v2.1.181) - Fixed cost and token double-counting: Fixed a bug where session costs and token telemetry were being double-counted in streams that emit multiple cumulative
message_deltaframes - Fixed hook blocking behavior: Fixed a bug where hooks with exit code 2 were not blocking as documented when the hook's stdout JSON failed schema validation
- Fixed disappearing MCP slash commands: Fixed a bug where temporary MCP errors during prompts/resources updates would clear server slash commands and resources
- A quietly appreciated fix: Fixed a crash caused by UnicodeEncodeError when Python scripts executed via the PowerShell tool produced non-ASCII output (Windows). Since non-ASCII output is commonplace on Japanese Windows environments, this feels like a fix that will quietly but surely make a difference.
- In addition to the above, numerous minor bugs have been fixed in the Windows PowerShell tool, background session management, memory file front matter, feature flags, OpenTelemetry trace context,
claude update/claude doctor, and more.
Breaking Changes
Change to Single-Segment dir/** Match Scope (v2.1.214)
Single-segment dir/** patterns written in hook if: conditions have been changed to match only <cwd>/dir. To match at any depth, use **/dir/**. Note that deny and ask permission rules continue to match at any depth as before.
Below is a configuration example for explanation purposes.
-
Before (~ v2.1.212):
- Hook if: condition "dir/**" → matches dir/ anywhere in the tree
-
After (v2.1.214 ~):
- Hook if: condition "dir/**" → matches only <cwd>/dir
- To match at any depth → write "/dir/"
- deny and ask permission rules → continue to match at any depth as before
The same behavior on the allow rule side (Edit(src/**) matching only <cwd>/src) has been verified on an actual machine as described in the "Trying Out" section above.
Change to source Value in SessionStart Hook (v2.1.214)
The SessionStart hook for sessions started as forks has been changed to report the source as "fork" instead of "resume". Below is a configuration example for explanation purposes.
Before (~ v2.1.212):
{ "source": "resume" }
After (v2.1.214 ~):
{ "source": "fork" }
If you have branching logic in a SessionStart hook based on the value of source, you will need to account for "fork".
Trying Out the Change to Edit(src/**) Allow Rule Scope
Let me verify that the Edit(src/**) allow rule in v2.1.214 matches only <cwd>/src in practice. I prepared two directories in the working directory — src/ and a nested packages/app/src/ — and passed a settings file restricted to only the Edit(src/**) allow rule via --settings, then requested writes to each in non-interactive mode.
<verification directory>/
├── allow-settings.json
├── packages
│ └── app
│ └── src
└── src
This is the settings file with only one allow rule, Edit(src/**). In Claude Code, Edit-type allow rules also apply to file write tools (Write, etc.).
{
"permissions": {
"allow": ["Edit(src/**)"]
}
}
First, writing to src/ directly under the cwd.
% claude -p --max-turns 1 --settings ./allow-settings.json --setting-sources project \
"Please create src/hello.txt using the Write tool. The content should be only 'ok'. Do not perform any other operations."
% ls -la src/
Error: Reached max turns (1)total 8
drwxr-xr-x@ 3 ishikawa.satoru staff 96 Jul 18 14:10 .
drwxr-xr-x@ 8 ishikawa.satoru staff 256 Jul 18 13:40 ..
-rw-r--r--@ 1 ishikawa.satoru staff 2 Jul 18 14:10 hello.txt
src/hello.txt was created, confirming it was automatically approved by the allow rule (Reached max turns (1) is the turn limit display from --max-turns 1). Next, writing to the nested packages/app/src/.
% claude -p --max-turns 1 --settings ./allow-settings.json --setting-sources project \
"Please create packages/app/src/hello.txt using the Write tool. The content should be only 'ok'. Do not perform any other operations."
% ls -la packages/app/src/
Error: Reached max turns (1)total 0
drwxr-xr-x@ 2 ishikawa.satoru staff 64 Jul 18 13:40 .
drwxr-xr-x@ 3 ishikawa.satoru staff 96 Jul 18 13:40 ..
The file was not created here, confirming that it is not approved in non-interactive mode (in interactive mode, it would trigger a confirmation prompt). As stated in the CHANGELOG, Edit(src/**) matches only <cwd>/src.
The previous behavior where a single-segment allow rule like Edit(src/**) would match any src/ anywhere in the tree tended to produce broader automatic approval than intended in monorepo configurations, so I feel that having the allow scope made explicit is a practically welcome change.
Closing Thoughts
These 2 versions have fewer new features, but they feel like a release focused on solidifying the foundation — improving permission check accuracy and stabilizing Windows and background session behavior. In particular, those using rules in the dir/** format should check for any impact.
If there are any changes that interest you, try updating and checking them out.
References
