Claude Code · Source-level changelog

Version 2.1.140

This release adds experimental TLS termination to the sandbox runtime so HTTPS traffic can be inspected by a per-request filter, and introduces the CLAUDE_CODE_RESUME_PROMPT environment variable for customizing auto-resume behavior. It also expands fast mode to support Opus 4.7, tightens plugin-path documentation, and adds a mandatory Context section to plan-mode plans.

Package @anthropic-ai/claude-code · Diff v2.1.139 → v2.1.140
20 Features & Changes · 5 Bug Fixes · 0 In Development · 0 Env Vars / Flags

New Features

2 items

Experimental TLS Termination for Sandbox Runtime [EXPERIMENTAL]

New
What

The sandbox runtime (SRT) can now terminate TLS in-process, making HTTPS request and response bodies visible to a per-request filter callback.

Usage
// In a programmatic SDK / harness integration:
{
  network: {
    tlsTerminate: {
      caCertPath: "/path/to/ca.crt",  // optional; omit both paths to generate an ephemeral CA
      caKeyPath:  "/path/to/ca.key",  // must be given together with caCertPath; RSA key only
    },
    filterRequest: (request) => {
      // request is a web-standard Request object
      if (request.url.includes("evil.com")) return { action: "deny", reason: "blocked domain" };
      return { action: "allow" };
    }
  }
}
Details
  • network.tlsTerminate activates in-process CONNECT interception. When a sandboxed child makes an HTTPS request, SRT intercepts the CONNECT tunnel, terminates TLS, and proxies the decrypted traffic through the existing filter pipeline.
  • If caCertPath/caKeyPath are omitted, SRT generates an ephemeral RSA CA into a temp directory for the lifetime of the session and configures the sandboxed child to trust it. The ephemeral CA is cleaned up on exit.
  • caCertPath and caKeyPath must be provided together; providing only one throws an error.
  • The CA key must be RSA (non-RSA keys are rejected with "must be RSA").
  • network.tlsTerminate and network.mitmProxy are mutually exclusive — enabling both throws "network.tlsTerminate and network.mitmProxy are mutually exclusive".
  • filterRequest applies to both plain HTTP and, when tlsTerminate is active, to decrypted HTTPS. Denied requests receive a 403 with the reason.
  • Log prefixes: [mitm-ca] (CA lifecycle), [mitm-leaf] (per-host cert minting), [tls-terminate] (connection errors), [request-filter] (allow/deny decisions).
Evidence

Full TLS intercept stack (search for "[mitm-ca] generated ephemeral CA at" or "tlsTerminate.caCertPath")
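
The usage snippet matches "evil.com" as a substring of the whole URL, which also denies unrelated hosts and query strings once decrypted HTTPS reaches the filter. The following is an added example (not Claude Code source) of a hostname-anchored filterRequest callback; DENY_HOSTS and the function names are hypothetical, and the sample URLs are constructed.

```javascript
// Added example, not Claude Code source. The { action, reason } result shape
// follows the usage snippet; DENY_HOSTS and the function names are hypothetical.
const DENY_HOSTS = ["evil.com"]; // constructed sample blocklist

// Substring check as in the usage snippet: matches anywhere in the URL string.
function substringFilter(request) {
  if (request.url.includes("evil.com")) return { action: "deny", reason: "blocked domain" };
  return { action: "allow" };
}

// Hostname-anchored check: parse the URL, normalise the host, then match the
// blocked domain exactly or as a parent domain on a label boundary.
function hostnameFilter(request) {
  let host;
  try {
    host = new URL(request.url).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return { action: "deny", reason: "unparseable URL" }; // fail closed
  }
  for (const blocked of DENY_HOSTS) {
    if (host === blocked || host.endsWith("." + blocked)) {
      return { action: "deny", reason: `blocked domain: ${blocked}` };
    }
  }
  return { action: "allow" };
}

// A real Request exposes the serialised URL; this stand-in mirrors that.
const asRequest = (url) => ({ url: new URL(url).href });

// Constructed sample URLs.
const SAMPLE_URLS = [
  "https://evil.com/download",
  "https://cdn.evil.com/asset.js",
  "https://EVIL.com./download",
  "https://docs.example.org/search?q=evil.com",
  "https://notevil.com/",
];

function compareFilters(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    substring: substringFilter(asRequest(url)).action,
    hostname: hostnameFilter(asRequest(url)).action,
  }));
}

console.table(compareFilters());
```

The last two rows are denied by the substring check but allowed by the hostname check, since neither request goes to the blocked domain.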

CLAUDE_CODE_RESUME_PROMPT Environment Variable

New
What

A new environment variable that lets you override the message Claude sends when auto-resuming an interrupted conversation.

Usage
export CLAUDE_CODE_RESUME_PROMPT="Pick up exactly where you left off, no preamble."
claude
Details
  • If unset, the default message is "Continue from where you left off.".
  • Takes effect whenever the auto-resume prompt is generated (e.g., after a context window compaction or interrupted session).
Evidence

y58() function (search for "CLAUDE_CODE_RESUME_PROMPT")

Improvements

18 items

Fast Mode Now Supports Opus 4.7

New
What

The /fast toggle and its description have been updated to include Claude Opus 4.7 alongside Opus 4.6.

Details
  • Old description: "…is only available on Opus 4.6."
  • New description: "…is available on Opus 4.6 and Opus 4.7."
  • No change in behavior; /fast enables the same faster-output mode, now on an expanded set of models.
Evidence

Updated fast-mode description string (search for "available on Opus 4.6 and Opus 4.7")

Plugin Path Descriptions Clarified — Override vs. Addition Semantics

New
What

Plugin plugin.json manifest fields that accept paths now clearly state whether they replace or extend the default auto-loaded directory.

Details
  • Fields that fully replace the default directory (e.g., agents, commands, output-styles, themes) now document: "When set, the <name>/ directory is not auto-loaded — list its files here if you want both."
  • Fields that load in addition to the default (e.g., the extra skills path) now document: "Loaded in addition to the skills/ directory."
  • Previously, descriptions used "in addition to those in the <name>/ directory" uniformly, which was ambiguous.
Evidence

New .describe() strings (search for "When set, the agents/ directory is not auto-loaded")

Plugin Folder-Shadowing Warnings

New
What

Claude Code now surfaces a warning when a plugin.json manifest field shadows the corresponding default auto-loaded folder, and tells the plugin author how to fix it.

Details
  • Warning message: "Default <component>/ folder is ignored because plugin.json sets '<manifestField>'".
  • Suggested fix: "Remove '<manifestField>' from plugin.json to auto-load the folder, or add the folder's files to the '<manifestField>' list if you want both".
  • Warnings are categorized separately from hard errors (plugin_errors) — a warned plugin still loads and is present in plugins[].
  • Warnings now appear in the UI via the plugins.warnings state that the plugin panel reads.
Evidence

PE() and te$() functions (search for "folder-shadowed-by-manifest")

"skills-dir" Marketplace Name Reserved

New
What

The marketplace identifier "skills-dir" is now reserved by Claude Code for the built-in .claude/skills/ auto-loading plugin. Third-party plugins cannot claim this name.

Details
  • If your own plugin registration uses the name skills-dir, it will conflict with the built-in slot.
  • Reserved-name enforcement happens at load time.
Evidence

SF = "skills-dir" constant (search for "Marketplace name \"skills-dir\" is reserved")

/goal Now Blocked by allowManagedHooksOnly

New
What

The /goal skill now reports a more specific reason when it cannot run due to hook policy settings.

Details
  • Old message: "/goal is disabled by your organization's policy (disableAllHooks)."
  • New message: "/goal can't run while hooks are disabled (disableAllHooks or allowManagedHooksOnly is set in settings or by policy)."
  • The allowManagedHooksOnly policy mode (which restricts hooks to a managed subset) is now correctly cited as a blocking reason in addition to the existing disableAllHooks setting.
Evidence

Updated goal-blocked message (search for "allowManagedHooksOnly is set in settings or by policy")

Plan Mode Requires a Context Section

New
What

When writing a plan in plan mode, Claude is now instructed to begin with a Context section explaining why the change is being made before listing implementation steps.

Details
  • The Context section must describe: the problem or need being addressed, what prompted the change, and the intended outcome.
  • This addition helps reviewers understand the motivation before reading the technical steps.
  • The rest of the plan format is unchanged (recommended approach, file paths, utilities to reuse, verification steps).
Evidence

Phase-4 plan instructions (search for "Begin with a Context section: explain why this change is being made")

User Correction Saved to Memory After Tool Rejection

New
What

After a user rejects a tool use (e.g., blocks a file edit), Claude is now reminded to pay attention to any correction the user provides next, and to save it to memory for future sessions.

Details
  • New prompt appended after tool rejection: "The user's next message may contain a correction or preference. Pay close attention — if they explain what went wrong or how they'd prefer you to work, consider saving that to memory for future sessions."
  • This makes Claude more likely to learn from in-session feedback rather than repeating the same rejected behavior across sessions.
Evidence

p95 string (search for "consider saving that to memory for future sessions")

Plan Rejection Feedback Improved

New
What

When a user rejects a plan in plan mode and stays in planning, Claude now receives explicit context about what happened instead of inferring it.

Details
  • New message: "The agent proposed a plan that was rejected by the user. The user chose to stay in plan mode rather than proceed with implementation."
  • The rejected plan content is included so Claude can revise rather than re-propose the same plan.
Evidence

S06 string (search for "The agent proposed a plan that was rejected by the user")

User Identity Added to Branch Pattern Context

New
What

Claude now receives the current user's identity (derived from GITHUB_ACTOR, USER, or USERNAME, or the email username) to correctly resolve the $USER/... personal-branch pattern in rules.

Details
  • A new context line is injected: "User identity: `<name>`. The `$USER/...` pattern in the rules above resolves to `<name>/...`. Branches whose first path segment is a different person's name (`<other-user>/...`) are NOT this user's personal branches."
  • This prevents Claude from treating sibling developers' branches as the user's own.
Evidence

rm_() function (search for "Branches whose first path segment is a different person's name")

Lazy Trusted-Device Enrollment

New
What

Claude Code now attempts to auto-enroll the device in the trusted-device program when it detects the device is not yet enrolled but a valid OAuth token is present.

Details
  • Log message: "[trusted-device] Not enrolled, attempting lazy enrollment with OAuth token".
  • Enrollment is triggered silently in the background; no user action required.
  • If enrollment fails, the session continues without it.
Evidence

tO$() function (search for "[trusted-device] Not enrolled, attempting lazy enrollment with OAuth token")

Progress Bar Pill Variant

New
What

A new "pill" visual style is available for progress bars, using filled (▰) and unfilled (▱) block characters, in addition to the existing block-fill variant.

Details
  • The variant: "pill" option switches to the new style.
  • Both filled and empty segments accept color overrides via fillColor and emptyColor props; the empty color dims when no explicit color is set.
  • Time-based progress estimation (exponential decay toward 95%) is also available for situations where the true percentage is unknown.
Evidence

Nn component (search for "▰" or "▱" for the pill characters); jk7() function for time-based estimation

Compaction Progress Tracks Start Time

New
What

The compaction state now records when compaction began (compactingStartTime), enabling elapsed-time display in the UI during long compactions.

Details
  • compactingStartTime is set when compaction transitions to active and cleared when it completes.
  • The value is preserved across state updates so elapsed time can be computed without drift.
Evidence

$x_() function (search for "compactingStartTime")

MCP URL Elicitation

New
What

A new MCP elicitation type (mcp_url_elicitation) allows MCP servers to prompt the user to provide a URL before completing a request.

Details
  • MCP servers that need a user-supplied URL (e.g., for resource access) can now issue a structured elicitation request.
  • The default response when cancelled is { action: "cancel" }.
  • This follows the same elicitation protocol as other interactive MCP flows.
Evidence

De$() / IUH (search for "mcp_url_elicitation")

Strict Known Marketplaces Policy

New
What

Organizations can now enforce a strictKnownMarketplaces policy that blocks skills-directory plugins from loading.

Details
  • When this policy is active, plugins from the .claude/skills/ directory are blocked with: "Plugins from <path>/skills/ are blocked by your organization's strictKnownMarketplaces policy and cannot be enabled."
Evidence

gH5() function and block message (search for "strictKnownMarketplaces policy and cannot be enabled")

Marketplace autoUpdate Synced from Settings

New
What

The autoUpdate setting for known marketplaces can now be centrally managed via managed-settings.json, the --settings flag, or an --add-dir directory's settings file.

Details
  • Claude Code checks all settings layers in priority order. If any layer specifies autoUpdate for a marketplace, that value is synced to the persisted marketplace config.
  • Log message: "Synced autoUpdate=<value> from settings for marketplace: <name>".
  • The source of the override (managed settings, --settings flag, or add-dir settings) is reported if the user asks to modify it: "…can't be changed here. Update that settings source (or ask your admin to) instead."
Evidence

Lr7() function (search for "Synced autoUpdate=")

Browser Auth Fallback URL Updated

New
What

The browser-open fallback URL for authentication (shown when Claude Code cannot open a browser automatically) has changed from a YouTube Live stream to a permanent URL.

Details
  • Old URL: https://www.youtube.com/live/AUQKjgKQF7w
  • New URL: https://clau.de/radio
  • Message: "Couldn't open the browser. Listen at: https://clau.de/radio"
Evidence

Updated fallback URL (search for "https://clau.de/radio")

Sandbox Bare-Repo Scrubbing Preserves .git and HEAD

New
What

The sandbox cleanup routine that removes planted bare-repo files now preserves the HEAD file and the .git directory within those repos during the scrub pass.

Details
  • Previously all files were deleted recursively without exception.
  • Now HEAD and .git entries are skipped during the scrub, avoiding corruption of valid git metadata.
Evidence

si1() function (search for "[Sandbox] scrubbed planted bare-repo file")

Bridge Process Management Unified

New
What

The HTTP and SOCKS proxy bridge process shutdown routines have been merged into a single generic handler, fixing a subtle race where one bridge could be left dangling.

Details
  • The new shared handler KpK() correctly checks exitCode and signalCode before sending SIGTERM (previously only pid and killed were checked).
  • The setTimeout handle is now .unref()'d so it does not prevent the process from exiting if cleanup takes too long.
  • Log messages are now built with the bridge type as a variable; the visible messages, "Sent SIGTERM to HTTP bridge process" and "Sent SIGTERM to SOCKS bridge process", are unchanged.
Evidence

KpK() function (search for "Sent SIGTERM to ${$} bridge process")
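
The shutdown pattern described above, as an added example that is not Claude Code source: it checks exitCode and signalCode before signalling and unrefs the follow-up timer. stopBridge, isStillRunning, fakeChild and the grace period are hypothetical names and values, and the SIGKILL escalation in the timer is an assumption about what the timeout does.

```javascript
// Added example, not Claude Code source. stopBridge, isStillRunning and the
// grace period are hypothetical; the SIGKILL escalation is an assumption.

// A child that exited on its own still has a pid and killed === false, so a
// pid/killed check alone would signal a process that is already gone.
// exitCode and signalCode stay null only while the child is alive.
function isStillRunning(child) {
  return Boolean(child.pid) && child.exitCode === null && child.signalCode === null;
}

function stopBridge(child, type, graceMs = 5000, log = console.error) {
  if (!isStillRunning(child)) return "already-exited";
  child.kill("SIGTERM");
  log(`Sent SIGTERM to ${type} bridge process`);
  const timer = setTimeout(() => {
    if (isStillRunning(child)) child.kill("SIGKILL");
  }, graceMs);
  timer.unref(); // a pending timer must not hold the parent's event loop open
  child.once("exit", () => clearTimeout(timer));
  return "sigterm-sent";
}

// Constructed stand-in exposing only the ChildProcess fields used above.
function fakeChild(state) {
  const signals = [];
  return {
    pid: 4242, killed: false, exitCode: null, signalCode: null, ...state,
    signals,
    kill(sig) { signals.push(sig); return true; },
    once() {},
  };
}

function demo() {
  const exited = fakeChild({ exitCode: 0 }); // exited by itself, never signalled
  const running = fakeChild({});             // still alive
  return {
    exited: [stopBridge(exited, "HTTP", 50, () => {}), exited.signals],
    running: [stopBridge(running, "SOCKS", 50, () => {}), running.signals],
  };
}

console.log(JSON.stringify(demo()));
```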

Bug Fixes

5 items
  • mkdir in the internal filesystem class no longer throws when the directory already exists (EEXIST is now silently ignored). (search for "EEXIST" in the vCK class)
  • Read tool offset parameter now emits a clearer diagnostic when its value cannot be coerced to an integer: "normalizeToolInput Read.offset coercion failed: <detail>". (search for "normalizeToolInput Read.offset coercion failed:")
  • Skill health checks that are skipped (e.g., due to network issues or server status) now emit diagnostic log messages ("Skill health fetch skipped:" and "Skill health fetch skipped: status <code>") instead of silently failing. (search for "Skill health fetch skipped:")
  • The computer use approval dialog is now routed through the standardized requestDialog mechanism rather than the setToolJSX hook, ensuring it participates correctly in abort-signal lifecycle management. (search for "computer_use_approval")
  • Admin request API functions (api_admin_request_create, api_admin_request_list, api_admin_request_eligibility) now use the internal authenticated HTTP client, fixing potential token-refresh failures that could occur when the cached access token expired during a long session. (search for "admin_requests/eligibility:")