Strengthening Agentic Safety and Permissions
Recent releases have significantly tightened the guardrails for autonomous operations. A key focus is the introduction of granular control over destructive operations; for instance, the tool now blocks dangerous Git commands (e.g., git reset --hard, git clean -fd) unless the user explicitly requests them. Furthermore, the system now enforces stricter rules for terraform and pulumi destruction, requiring explicit stack targeting to prevent accidental infrastructure deletion.
Permissions management has also been overhauled. The system now remembers sandbox network allowances for the duration of a session, reducing prompt fatigue. Additionally, the introduction of sandbox.credentials allows users to explicitly block sandboxed commands from accessing sensitive environment variables or credential files, a critical requirement for enterprise security.
Background Task Orchestration
Managing long-running background processes has become more robust. The system now features improved memory-pressure reaping for idle background shell commands and better handling of background agent daemons. The claude agents interface has been refined to provide better visibility into active jobs, ensuring that background tasks do not disappear or lose state during version updates or session transitions. The system now also prevents "phantom" subagents from spawning during backgrounding, ensuring that the main conversation flow remains clean and predictable.
Developer Experience and Terminal Integration
Significant effort has been directed toward making the CLI feel more native and responsive.
- Performance: Streaming response latency has been reduced by ~37% through text update coalescing, and startup times have been optimized by removing unnecessary network calls in fresh environments.
- Voice & Input: Voice dictation has been improved for non-space-delimited languages (Japanese, Chinese, Thai) and now handles device changes more gracefully on macOS.
- UI/UX: The terminal UI (TUI) now supports mouse-click selection in fullscreen mode, and bash mode features live file path autocomplete. The system also provides better feedback for restricted models and MCP server authentication requirements.
MCP and Plugin Reliability
Model Context Protocol (MCP) integration has seen major stability improvements. The system now automatically retries transient network errors during capability discovery and tool listing. OAuth flows for MCP servers have been streamlined, with headless environments now correctly redirecting to URL-paste prompts rather than failing on browser popups. Plugin management is more flexible, with automatic handling of marketplace renames and better surfacing of installed skills.