Claude Code v2.1.211 fixes approval-prompt spoofing and several stability bugs

Claude Code v2.1.211 fixes approval-prompt spoofing and several stability bugs

Claude Code 2.1.211 adds a `--forward-subagent-text` flag (and matching ) that includes a subagent's text and thinking output in stream-json output. On the security side, permission previews relayed to chat channels previously failed to strip -override characters, , and look-alike quote characters, meaning tool inputs could visually distort the approval message a user sees before granting permission; that gap is now closed.

Another fix stops auto mode from silently overriding a 's "ask" decision for unsandboxed Bash commands — a hook that requests confirmation now always forces a prompt. Additional fixes address parallel sessions sharing one credential store all logging out simultaneously after the machine wakes from sleep, plugin MCP servers failing to reconnect after an idle web session wakes (leaving MCP calls broken until the next message), Claude Code on Vertex and Bedrock needlessly trying the default Opus model and printing a fallback notice even when a model was explicitly configured, subagents with an explicit model override reverting to the parent's model after being resumed or sent a follow-up, and nested `.claude/rules/*.md` files still loading even when project settings sources were excluded.

File upload validation now accepts filenames ending in a DOS device suffix like `.prn` or a trailing dot, while rejecting files with multiple hard links; uploading files to from remote and CLI sessions is also fixed. Lastly, edits that leave the input as just "?" no longer get silently swallowed while toggling the shortcuts panel.

Key points

  • New `--forward-subagent-text` flag streams a subagent's text and thinking into stream-json output
  • Fixed a spoofing gap where character tricks ( override, zero-width, look-alike quotes) could visually alter messages
  • Fixed auto mode silently overriding a 's "ask" decision for unsandboxed Bash — hooks now take priority
  • Fixed simultaneous logout across parallel sessions sharing a credential store after wake-from-sleep, and MCP reconnection failures after idle web sessions wake
  • Improved file upload validation (accepts certain filenames, rejects multi-hard-link files) and fixed Chrome remote/CLI uploads
Read original