Version 2.1.181

A new screen-reader-friendly rendering mode that outputs flat text with no decorative borders, box-drawing characters, or animations — making Claude Code's output legible to assistive technology.

# Via CLI flag
claude --ax-screen-reader

# Via environment variable
CLAUDE_AX_SCREEN_READER=1 claude

# Via /config
/config axScreenReader=true

• When active, Claude Code prints [Accessible screen reader mode: on] at startup.
• Forces the classic (non-TUI) renderer; the tui setting has no effect while screen reader mode is active.
• Priority order: --ax-screen-reader CLI flag → CLAUDE_AX_SCREEN_READER env var → axScreenReader settings key.
• The env var is automatically passed to subprocesses (via CLAUDE_AX_SCREEN_READER=1) so nested Claude Code invocations inherit the mode.

Screen reader renderer class (search for "[Accessible screen reader mode: on]") — Yei class at line ~160584; setting description (search for "Render screen-reader friendly output (flat text, no decorative borders or animations)")

A new /design slash command that integrates with Claude Design (claude.ai/design), letting you create, import, export, sync, and manage design systems without leaving Claude Code.

/design                   # opens hub (shows available subcommands)
/design login             # authorize with your claude.ai account
/design sync              # push your local design system to claude.ai/design
/design import            # pull a Claude Design project into the working directory
/design export            # push the working directory into a new Claude Design project
/design status            # show auth status and available design systems
/design <prompt>          # free-form prompt routed through the design MCP tools

• Requires the Claude Design MCP server to be connected. If it isn't, Claude will tell you to run /design login or add the server.
• sync and login are also accessible as the dedicated /design-sync and /design-login commands.
• The command always fetches live Claude Design instructions via the get_claude_design_prompt tool rather than shipping a vendored copy, so behavior stays in sync with the server.
• Tab completion available for the subcommands.

Hub command registration (search for "Work with Claude Design (claude.ai/design) — create, import, export, sync, login") — c6l() at line ~750618

MCP servers can now deliver skills (slash commands) as downloadable tar.gz or zip archive bundles. Claude Code fetches, validates, and unpacks the archive, then registers its SKILL.md as a command — all transparently.

(Automatic — no user action required. Archive skills appear in the command list
 alongside regular MCP skills once the server is connected.)

• Archives are fetched via the MCP resources/read protocol.
• Supported formats: application/gzip / application/x-gzip (tar.gz) and application/zip.
• Cached by content hash or declared digest field; subsequent connections to the same server skip re-downloading if nothing changed.
• Hard limits enforced: maximum archive size, maximum file count, maximum uncompressed size.
• Security: rejects path traversal entries, symlinks/hardlinks, sparse/GNU-extension tar entries, base-256 numeric fields, and entries that alias the same disk path under case-folding or dot-segment normalization.
• Requires the MCP server to declare a digest or the archive's SHA-256 to be consistent between calls.
• On load, shows progress message: "Downloading skill archive from \<server\>".

Archive fetch and extraction (search for "Downloading skill archive from") — WUd() at line ~324105; tar parser (search for "tar archive contains an unsafe entry") — YZi at line ~323530

/config now accepts key=value pairs as arguments, letting you set configuration settings without opening the interactive panel.

/config theme=dark
/config model=claude-opus-4-5 theme=dark
/config key=value key2=value2

• Works in both interactive mode and non-interactive (--print) mode.
• Invalid keys produce: "<key> isn't a /config setting. Run /config to see what's available." and "can't be set with key=value — open /config to change it from the panel." for panel-only settings.
• Running /config with no arguments still opens the interactive settings panel.
• Some settings (like model and theme) have dedicated slash commands (/model, /theme) that are also surfaced in the error hint.

/config handler (search for "Usage: /config key=value [key=value ...]") — xqp handler at line ~570976; key→command map (search for "outputStyle") — Cqp map at line ~570945

A new macOS-only sandbox setting that permits sandboxed commands to send Apple Events — required for open, osascript, and browser-based auth flows that open URLs.

// In user or managed settings (not project settings)
{
  "sandbox": {
    "allowAppleEvents": true
  }
}

• Only honored from user, managed/policy, or CLI --settings settings. Project settings (.claude/settings.json and .claude/settings.local.json) are explicitly ignored.
• Security warning: Enabling this removes code-execution isolation. Sandboxed commands can launch other applications unsandboxed with no user prompt, and can script running apps (e.g. Terminal) subject to the user's per-app TCC automation consent.
• Default: false.

Setting schema (search for "macOS only: Allow sandboxed commands to send Apple Events") — allowAppleEvents field at line ~46966

After writing a file, Claude Code now stat()s the result and compares the on-disk size against the expected byte count. If they differ, it throws immediately rather than silently leaving a truncated file.

This catches a class of failure that commonly occurs on network drives, NFS mounts, and cloud-sync folders (Dropbox, OneDrive, etc.) where the OS kernel reports write success even though the backing store silently truncated the data.

Error text: "Write verification failed: <path> is <N> bytes on disk, expected <M>. The filesystem may have silently truncated the write (network drive / cloud sync)."

Post-write check (search for "writeTextContent: on-disk size mismatch after write") — YSe() at line ~55365

The atomic file-write path now catches EINVAL, ENOTSUP, EPERM, and ENOSYS errors from fchmod and fsync calls and continues rather than aborting. This resolves hard write failures on certain network filesystems and Docker-mounted volumes that don't support those syscalls.

Previously, a fchmod error on a file that had just been written would leave the file in an inconsistent state. Now Claude Code logs the limitation (e.g. "fchmod unsupported on this filesystem") and continues normally.

Graceful syscall error handling (search for "fchmod unsupported on this filesystem:") — uze() helper at line ~55344; sync path at line ~55365

The file-write fallback path now preserves content in the temporary file if an in-place overwrite fails after the target has been truncated, giving you a chance to recover data. The error message now points you to the temp file path.

Error text: "writeFileAndFlush: in-place fallback write failed; content preserved at temp path" / "writeFileSyncAndFlush: in-place fallback write failed; content preserved at temp path"

Content-preservation fallback (search for "content preserved at temp path") — hfr() at line ~55659, aEt() at line ~55513

The Linux/GitHub Actions sandbox permission list has been updated to include the files and directories required for git worktree operations:

• /.git/worktrees — worktree reference directory
• /.git/commondir — points a worktree back to the main .git
• /.git/config.worktree — per-worktree config overrides

This means Actions workflows that use git worktree add no longer need to disable sandboxing or add manual overrides.

Sandbox filesystem setup (search for "/.git/worktrees") — E1r() at line ~174833 and v1r() at line ~175075

Refusal handling has been refactored to better distinguish between model-level safety measures and topic-specific restrictions:

• frontier_llm and reasoning_extraction are now recognized as known refusal categories with dedicated handling.
• Cybersecurity refusals now surface an exemption link: https://claude.com/form/cyber-use-case
• Refusal messages now explicitly call out which model triggered the block (using a readable model name via Mp() rather than a raw model ID).
• The stop_details.category type is now an open string schema to forward new categories before schema updates ship.

Cybersecurity exemption URL (search for "https://claude.com/form/cyber-use-case") — xTd constant at line ~265379; category helpers (search for "frontier_llm") — GNi() at line ~265278

The AskUserQuestion tool's schema descriptions have been updated to make clear that the 1–4 questions and 2–4 options bounds are hard schema constraints validated at the tool-call layer — the model cannot exceed them even if the user requests more. The guidance now says to split into multiple calls instead.

Updated schema description (search for "hard schema constraints; do not exceed them even if the user requests more") — AskUserQuestion schema modification at line ~44768

When the model calls a tool with invalid JSON input multiple times in a row, Claude Code now injects a reminder into the next turn that includes the tool's full JSON Schema. This gives the model concrete structural guidance instead of just repeating a generic error.

Text injected: "This call has now failed validation N times in a row. The <tool> tool's input schema is: <schema>. Match the parameter names and types exactly on the next attempt."

Validation failure counter (search for "This call has now failed validation") — Bfi() at line ~172918

A new banner for first-time users is gated behind the tengu_birch_lantern feature flag. When shown, it displays:

"New here? Type /powerup for a 5-minute tour — modes, undo, @-mentions, and how to teach Claude your rules."

A "step" arm shows a slightly different message focused on quick lessons. The /powerup command itself remains available to all users.

Banner text (search for "New here? Type /powerup for a 5-minute tour") — y8n init at line ~608728; feature flag (search for "tengu_birch_lantern") — qEo() at line ~608722

When you try to set a setting via /config key=value that can only be changed through the interactive panel (like language, notifications, or agent view), the error message now names the exact panel location — for example: "/config (Language row)", "/config (Agents view row)", "/config (Default teammate model row)".

Key-to-location map (search for "/config (Language row)") — Cqp map at line ~570945

A new environment variable CLAUDE_CODE_ARTIFACTS_API_BASE_URL is now included in the list of variables that are stripped when spawning sandboxed subprocesses, preventing the artifacts API endpoint from leaking into shell commands.

Scrub list entry (search for "CLAUDE_CODE_ARTIFACTS_API_BASE_URL") — env scrub at line ~39753

• Fixed git tilde expansion in bash static analysis: ~, ~/, ~+, ~- patterns are now correctly recognized as HOME/PWD/OLDPWD references, preventing false positive security warnings on common shell idioms. (search for "HOME" inside kbd() at line ~253713)

• Fixed a UNC glob pattern defense check on Windows that was incorrectly triggering on valid paths. (search for "UNC glob pattern detected (defense-in-depth check)")

• Fixed execFileNoThrow maxBuffer exceeded detection to use a dedicated isMaxBuffer property check in addition to the error code, improving reliability across Node.js versions. (search for "execFileNoThrow maxBuffer exceeded:")

• Fixed presence pulse logic to correctly start a pulse when a client-presence-marker is active, rather than skipping it. (search for "client-presence-marker active → pulse")

• Fixed /cloud <session_id> to give a clear error when combined with --output-format stream-json (which is not supported for cloud sessions). (search for "Error: --cloud <session_id> does not support --output-format stream-json")

• Fixed an edge case in the MCP connected-status indicator: when tools fetch fails after a successful connection, the status now shows "Connected · tools fetch failed" rather than silently appearing connected. (search for "! Connected · tools fetch failed")

The xss / filterXSS library (~550 lines of bundled CSS-property whitelist and HTML parser code) has been removed from the CLI bundle. Any HTML sanitization that still occurs uses simpler inline escaping (CRr() at line ~161643 for &, <, >, ", ').

Removed BZ6, UZ6, ucK, UcK, s58, t58, QZ6, flK, cZ6 modules (search for "filterXSS" — absent from new version)

The previous mechanism that stitched interrupted model responses — which prepended a <partial-response> block and instructed the model to "continue from exactly where the quoted text leaves off" — has been removed. The text previously included: "The previous attempt at this response was interrupted before it could complete." This is replaced with a different approach to turn continuity.

Removed $iK() function (search for "The previous attempt at this response was interrupted" — absent from new version)