Managed Agents: self-hosted sandbox workers can now serve custom tools directly — including wrapping an internal-only MCP server as custom tools — without an MCP tunnel or exposing your Claude API key to the worker host.
Memory store endpoints (list/create/update/delete memories) move to their own agent-memory-2026-07-22 beta header, replacing managed-agents-2026-04-01 for those calls, with clearer depth/limit/path_prefix semantics — don't send both beta headers on the same request.
New API key expiration feature: Console and Admin API keys can now be created with a preset or custom expiration (or Never), with warning emails before expiry and automatic 401s once a key expires.
Claude Code 2.1.206 adds directory suggestions to /cd, a /doctor check that trims bloated checked-in CLAUDE.md files, gateway /login support for Anthropic-operated public endpoints, and a confirmation prompt before entering worktrees outside the project.
Custom tool descriptions across the Claude API can now be up to 4096 characters (up from 1024), and self-hosted work items no longer expose a secret credential field in their schema.
Added directory path suggestions to /cd, matching /add-dir behavior
Added a /doctor check that proposes trimming checked-in CLAUDE.md files by cutting content Claude could derive from the codebase
/commit-push-pr now auto-allows git push to the repo's configured push remote (remote.pushDefault, or the sole remote when only one is configured) in addition to origin
Gateway: /login now supports Anthropic-operated public gateway endpoints
EnterWorktree now asks for confirmation before entering a git worktree outside the project's .claude/worktrees/ directory
Existing feature improvements
Background agents now upgrade to a new version in the background right after a Claude Code update, instead of paying a slow stale-session upgrade when you attach
Improved /code-review findings quality on claude-opus-4-8 across all effort levels
Improved agents view: status column now uses full terminal width instead of truncating at 64 characters
Changed agents view: Ctrl+X now permanently removes a completed session, and sessions no longer render twice; deleted background jobs stay deleted
Major bug fixes
Fixed an expired login failing every model with a misleading "There's an issue with the selected model" error instead of prompting to run /login
Fixed claude --resume and --continue not responding to keyboard input on startup
Fixed MCP servers configured via --mcp-config or .mcp.json ignoring a per-server request_timeout_ms, which caused long-running MCP tool calls to time out at the 60s default in fresh sessions
Fixed CLAUDE_CODE_EXTRA_BODY being silently ignored by claude agents / --bg background workers; the shell-exported override now follows the dispatching session
Fixed OAuth MCP servers requiring manual re-authentication after a single failed token refresh
Fixed --permission-prompt-tool pointing at an MCP server crashing with "MCP tool not found" on cold start before the server finishes connecting
Fixed desktop sessions getting stuck showing "running" after a slash command was sent mid-turn
Bedrock: fixed a multi-minute startup hang when using an awsCredentialExport helper on networks with restricted egress
With streaming input, a message sent while a turn is still running now stays queued and starts its own turn when the max-turns limit ends the current one; before v2.1.205 such a message could be silently consumed and lost. [line 167] [Source]
An invalid JSON Schema now fails the run at startup with an error naming the problem, instead of being silently ignored and returning unstructured text. [line 227] [Source]
The format keyword (e.g. "format": "email") is now accepted as an unenforced annotation instead of making the whole schema invalid. [line 228] [Source]
interrupt() now resolves with a new SDKControlInterruptResponse (when the CLI advertises the interrupt_receipt_v1 capability) listing queued messages that survived the interrupt. [lines 476-590] [Source]
New capabilities field on SDKSystemMessage for feature-detecting protocol behaviors, including interrupt_receipt_v1. [lines 1139-1147] [Source]
SDKMessageOrigin's peer kind gains a body field alongside name (both require v2.1.205+). [lines 1282-1293] [Source]
ExitPlanModeInput.allowedPrompts is now deprecated and ignored; it previously requested prompt-based Bash permissions. [lines 2112-2120] [Source]
Row summaries now refresh from the session's own output every 15s without a model request, with full model rewrites at turn end and periodic mid-turn rewrites, truncated at 64 columns. [lines 125-129] [Source]
Pull-request linking expanded: sessions that edit/comment/close/ready an existing PR via gh are now linked to it, a push links a PR regardless of branch-name match, and PRs found in truncated command output are now linked too. [lines 134-136] [Source]
claude attach now waits up to ~60 seconds for a session that's mid-restart instead of failing immediately. [line 209] [Source]
Auto mode now also blocks by default: writes to Claude Code's own session transcript files, and recursive forced deletes targeting an unassigned shell variable or glob. [lines 225-228] [Source]
The "Repository visibility" classifier now reads only your messages and Claude's commands, not command output — a gh repo view result alone no longer counts as evidence a repo is public. [lines 238-239] [Source]
Cloud sessions now support /model, /effort, /fast, /color, and /rename with a value argument (e.g. /model sonnet), and /config key=value, instead of requiring the terminal picker. [line 645] [Source]
New claude doctor command for read-only installation/settings diagnostics from the terminal without starting a session. [line 25] [Source]
New --append-subagent-system-prompt flag to append text to every subagent's system prompt in non-interactive mode. [line 54] [Source]
--json-schema and --max-turns now document the invalid-schema error and the queued-message-on-limit behavior described in the SDK docs above. [lines 84-87] [Source]
/doctor is rewritten as a "setup checkup" skill: it finds unused skills/MCP servers/plugins, deduplicates CLAUDE.md files, migrates guidance into skills, flags slow hooks, and asks for confirmation before changing anything — replacing the old read-only diagnostics screen. [line 57] [Source]
/effort, /fast, /color, /mcp, /model, and /rename now document non-interactive (-p) support with value arguments; /usage-credits now opens/prints the billing URL. [lines 44-126] [Source]
/doctor reference rewritten to "Setup checkup": installation health, invalid settings, unused extensions, and duplicate subagent names, with proposed fixes applied only after confirmation; also documents the new claude doctor terminal command. [lines 18-32] [Source]
An array-value schema error in settings.json now rejects the whole file in user/project/local scope, but only strips the invalid entry in managed settings. [lines 48-52] [Source]
Permission modes renamed: "Ask permissions" → "Manual", "Auto accept edits" → "Accept edits", "Plan mode" → "Plan"; bypass-permissions now also covers safety-classifier prompts when Claude acts on external sites. [lines 58-73] [Source]
"Preview pane" renamed to "Browser pane", with a new "Browse external sites" feature: tabbed browsing, per-site approval (Allow once/Always allow/Deny), safety classifiers on write actions, and org-level allowlist/blocklist controls via a new browserExternalPageTools managed setting. [lines 80-115] [Source]
Permission mode list restructured to Manual/Accept edits/Plan, and the "Preview" pane is now the "Browser" pane, which can also open external sites. [lines 85-108] [Source]
New CLAUDE_CODE_ENABLE_APPEND_SUBAGENT_PROMPT variable, auto-set by --append-subagent-system-prompt. [line 189] [Source]
DISABLE_DOCTOR_COMMAND now hides the /doctor setup-checkup skill and its /checkup alias instead of the old diagnostics screen; it doesn't affect claude doctor. [line 197] [Source]
New "The --json-schema value is not a valid JSON Schema" section: an invalid schema now exits with code 1 and a diagnostic instead of silently producing unstructured output. [lines 909-931] [Source]
New "Could not import a server from Claude Desktop" section: claude mcp add-from-claude-desktop now imports the other selected servers and reports each one it couldn't add, instead of aborting the whole import on the first failure. [lines 933-944] [Source]
New "Plugin errors" section covering a marketplace registered under a name reserved for official Anthropic marketplaces — Claude Code now re-checks reserved names on every load, not just when the marketplace is added. [lines 946-963] [Source]
A download that stays connected but doesn't finish within 10 minutes now fails with Download timed out: exceeded the total deadline and isn't retried automatically. [line 886] [Source]
Documents that a restricted model-family alias (opus/sonnet/haiku/fable) now resolves to the newest permitted version under an org's allowlist instead of being substituted/rejected based on the family's newest release alone. [line 769] [Source]
/fast now works in non-interactive (-p) mode only when the session was launched with fast mode enabled via --settings, applying to that session only. [line 26] [Source]
Documents the new --json-schema validation error and that format is accepted but unenforced. [line 108] [Source]
The system/init event now carries an optional capabilities array for feature-detecting protocol behaviors such as interrupt_receipt_v1. [line 153] [Source]
ExitPlanMode's tool_input.allowedPrompts field is now deprecated and ignored by Claude Code. [lines 1378-1384] [Source]
WorktreeCreate command hooks must now print the path as the last non-empty line of stdout; a bad or relative path fails cleanly with an error instead of crashing the session or stalling ~30s in -p mode. [lines 2344-2348] [Source]
Permission mode names updated (Default → Manual, Auto-accept edits → Accept edits, Plan mode → Plan, Auto mode → Auto), and /doctor is now described as running a setup checkup that can fix problems it finds. [lines 127-146] [Source]
The dedicated Doctor keybinding context and doctor:fix action are removed along with the old diagnostics screen; keybinding validation warnings now go to the debug log instead of /doctor. [lines 63-467] [Source]
Reserves more MCP server names (claude-in-chrome, computer-use, Claude Preview, Claude Browser); claude mcp add now rejects reserved names with an error. [lines 153-154] [Source]
Claude Code now surfaces MCP connection failures to the model (including in ToolSearch results) instead of silently treating the server as never configured. [line 164] [Source]
claude mcp add-from-claude-desktop now reports and skips servers with invalid names instead of aborting the whole import. [line 748] [Source]
Model family aliases (opus/sonnet/haiku/fable) restricted by an availableModels allowlist now resolve to the newest permitted version instead of being rejected outright; Claude Code only rejects /model <alias> when every version of the family is restricted. [lines 113-276] [Source]
opusplan (and the Haiku→Sonnet plan-mode upgrade) now uses the newest permitted version of the upgrade family instead of falling back to the session's model whenever the newest version is excluded. [line 276] [Source]
Clarifies /effort set non-interactively (-p) applies to that session only, and reports Not applied when it can't override a model-default effort hold on Fable 5/Opus 4.8/4.7. [lines 353-354] [Source]
Auto mode now also blocks writes to Claude Code's own session transcript files, and recursive forced deletes targeting an unassigned shell variable or glob, by default. [lines 225-228] [Source]
Two more marketplace names are reserved (first-party-plugins, healthcare), and Claude Code now re-checks reserved names on every marketplace load, not just when it's added. [line 164] [Source]
New LSP config fields shutdownTimeout and restartOnCrash, which previously caused the server to be silently skipped if set. [lines 231-236] [Source]
Documents that when multiple LSP servers claim the same file extension, the first registered wins, and a server that fails to initialize is skipped without blocking other valid servers on the same extension. [lines 237-239] [Source]
/doctor is now listed as a bundled skill that stays typable even when disableBundledSkills is on. [lines 12-13] [Source]
Skill-description-overflow guidance updated: /doctor now gives an estimate/biggest-contributors view, and overflow warnings are also written to the debug log. [lines 227-228] [Source]
subagentStatusLine task objects gain new model and contextWindowSize fields for rendering a per-row context-usage percentage. [lines 1007-1008] [Source]
Clarifies duplicate subagent-name resolution: within one .claude/agents/ directory the winner is filesystem read order; across nested project directories the closest-to-cwd definition wins; /doctor now proposes renaming or removing duplicates. [line 148] [Source]
Resuming a stopped subagent via SendMessage now correctly shows it as "running" again instead of keeping a stale failed/completed status. [line 773] [Source]
Notes that on FreeBSD the installer now correctly reports the platform as unsupported, instead of misdetecting it as Linux and downloading a binary that couldn't run. [line 661] [Source]
/doctor guidance updated to reflect that it now proposes fixes you apply after confirmation, with MCP server status checks split out to /mcp. [lines 17-106] [Source]
If Claude Code can't enter a worktree directory at startup, it now prints an error and exits cleanly instead of crashing or stalling ~30s under -p. [line 30] [Source]
On Windows, worktree removal now strips NTFS junctions/symlinks at any depth as link entries before deleting, fixing a bug where a nested junction could delete files outside the worktree. [line 86] [Source]
Minor edits (not itemized individually)
feature-availability.md, plugin-dependencies.md, and web-quickstart.md picked up small consequences of the permission-mode rename and a "Cowork on 3P" → "Claude Desktop on 3P" product rename, with no new information beyond what's covered above.
permissions.md, platforms.md, vs-code.md, llm-gateway-rollout.md, and sandboxing.md had only cosmetic tweaks (wording/link touch-ups).
Clarified the runner only appends the assistant message and tool results, and continues, when the response actually contains tool calls; with no tool calls, the loop just exits. [line 173] [Source]
The linked "Parallel tool use" guide now also covers disabling parallel tool calls, not just enabling/formatting them. [line 474] [Source]
Removed the environment.* and memory_store.* webhook event types and their event-data schemas entirely, dropping the documented event-data union from 40 variants to 33 (also removed from the language-specific webhook reference pages). [line 944] [line 250] [Source]
Removed the secret field (the credential payload for self-hosted workers) from the BetaSelfHostedWork schema across every work endpoint, including polling (also removed from the C#, Ruby, and PHP reference pages). [line 63] [Source]
--file / file is now a required parameter instead of optional when creating a skill or a skill version (also reflected across the C#, Ruby, PHP, and TypeScript reference pages). [line 21] [line 29] [Source]
Documented real semantics for depth (0/omitted = whole subtree, 1 = immediate children only), limit (1-100, default 20, capped at 20 for view=full), page (opaque cursor), and path_prefix (must end with /, segment-aligned) — previously placeholder text. [lines 23-39] [Source]
Removed the order and order_by query parameters entirely — results are now returned in a stable, server-defined order instead. [lines 22-39] [Source]
Memory store endpoints now require a dedicated agent-memory-2026-07-22 beta header instead of managed-agents-2026-04-01 — sending both on the same request returns a 400 error; session endpoints (including attaching a memory store to a session) keep using managed-agents-2026-04-01. [lines 11-15] [Source]
On July 22, 2026, managed-agents-2026-04-01 adopts the same list behavior on GET /v1/memory_stores/{id}/memories; page cursors from requests made without a header aren't valid once that behavior is opted into. [line 17] [Source]
path_prefix must end with / and match whole path segments; depth accepts only 0 (whole subtree) or 1 (immediate children), returning 400 otherwise; results come back in a stable, server-defined order. [lines 112-114] [Source]
Same memory-store beta-header split documented here. [line 15] [Source]
span.outcome_evaluation_ongoing events now include an iteration field. [line 155] [Source]
max_iterations_reached now triggers one final acknowledgment turn before the session goes idle, instead of ending evaluation immediately. [line 186] [Source]
New "Next steps" section linking to Vaults, Events and streaming, and Adding files. [line 252] [Source]
New "Serve custom tools from your sandbox" section: the SDK worker can implement a custom tool itself, so the tool call reaches only the credentials and network the sandbox is configured with, and the Claude API key never touches the worker host. [line 318] [Source]
New "Wrap an MCP server as custom tools" guide: expose an internal-network-only MCP server to the agent, with no inbound connectivity or tunnel required, by having the worker act as the MCP client and forward calls. [line 388] [Source]
All now note that memory store endpoints require the new agent-memory-2026-07-22 beta header instead of managed-agents-2026-04-01, linking to the Beta headers page. [line 13] [Source]
Documents the new expires_at field on Admin API key list/retrieve responses, and recommends auditing it alongside key rotation. [line 189] [line 278] [Source]
Clarifies this page covers the Claude API and Claude Platform on AWS (Anthropic as data processor); Bedrock, Google Cloud's Agent Platform, and Microsoft Foundry are covered by their own cloud provider as data processor instead. [line 7] [Source]
New ZDR detail: Claude Code's metrics-logging productivity data is exempt from Zero Data Retention and may still be retained even when ZDR is enabled; Claude Platform on AWS follows the same retention policy as the first-party API but ZDR there must be requested through an Anthropic account rep. [lines 28-29] [Source]
Notes Claude for Excel isn't ZDR-eligible yet, and that ZDR organizations can't use CORS — browser-based apps need a backend proxy instead. [lines 37-40] [Source]
New "Key expiration" feature: keys can be created with a preset (3 hours/1 day/7 days/30 days), a custom duration, or Never, subject to org-level maximum-expiration policies. [lines 44-46] [Source]
Expiring keys trigger warning emails to the creator: 7 days before expiry for keys with a lifetime of 14+ days, 1 day before for 7+ day keys; shorter-lived keys get no warning. [line 48] [Source]
After expiration, requests return 401 authentication_error and the key can't be reactivated — a new key must be created; the Console keys table and Admin API now expose each key's expires_at. [lines 50-52] [Source]
CMEK can now be combined with Zero Data Retention on both Claude Platform and Claude Enterprise, replacing the previous requirement to disable ZDR (or enable 30-day per-workspace retention) before attaching a customer-managed key. [line 33] [Source]
AWS now requires newer Claude models to be called through cross-region inference profiles; requests using the base model ID get an HTTP 400, and the doc now explains how to construct the inference-profile ID/ARN instead. [lines 92-100] [Source]
The model ID comparison table now describes Bedrock's us./global. prefix as a required "inference profile prefix" rather than optional, matching the new cross-region inference requirement. [line 555] [Source]
Minor edits (not itemized individually)
Roughly 230 per-language SDK reference pages under api/api/csharp/beta/**, api/api/ruby/beta/**, api/api/php/beta/**, api/api/go/beta/**, and api/api/typescript/beta/** mirror the tool-description-length increase, the secret-field removal from self-hosted work items, the new agent-memory-2026-07-22 beta header, and/or the removed webhook event types described above for the equivalent cli/beta pages.
adaptive-thinking.md, extended-thinking.md, and build-with-claude/files.md only had their obfuscated email-protection hashes regenerated (same visible mailto links).