Claude Code v2.1.136: Hard Deny for Auto Mode, MCP OAuth Fixes, and 40+ Bug Fixes

Anthropic shipped Claude Code v2.1.136 with two notable additions and a massive tail of bug fixes — over 40 issues resolved. Here's what matters.

New Features

• CLAUDE_CODE_ENABLE_FEEDBACK_SURVEY_FOR_OTEL — re-enables the session quality survey for enterprises capturing responses through OpenTelemetry. Explicit opt-in for telemetry-aware feedback collection.
• settings.autoMode.hard_deny — new auto mode classifier rule that blocks an action unconditionally, ignoring user intent or allow exceptions. For strict guardrails where certain operations must be denied regardless of context.

Critical Fixes

• MCP server loss after /clear — MCP servers configured in .mcp.json, plugins, and claude.ai connectors silently disappeared after /clear in the VS Code extension, JetBrains plugin, and Agent SDK. Now persistent.
• OAuth token rotation race condition — a rare login loop where concurrent credential writes could overwrite a freshly-rotated OAuth token, forcing repeated logins. Fixed to prevent credential corruption.
• MCP OAuth concurrent refresh — refresh tokens were lost when multiple MCP servers refreshed concurrently. Users with several remote MCP servers should no longer need daily re-authentication.
• API 400 on redacted thinking blocks — extended thinking emitting a redacted thinking block after a tool call caused a 400 error. Now handled correctly.
• --resume/--continue with underscored paths — sessions weren't found when the project path contained underscores. Path parsing fixed.
• Plan mode bypass with Edit(...) allow rule — plan mode was not blocking file writes when a matching Edit(...) allow rule existed. Now enforced.

Platform-Specific & Developer Experience

• WSL2 image paste — pasting images from Windows clipboard now works via a PowerShell fallback when xclip/wl-paste cannot read image data.
• Plugin hooks crash on cache cleanup — Stop/UserPromptSubmit hooks failed when cache cleanup deleted a version still in use. Fixed by retaining versions until hooks finish.
• Slash command dialog visual consistency — standardised footer hints, dialog spacing, and arrow-key styling. The dialog frame now appears immediately during loading instead of popping in later.

Other Noteworthy Fixes

• Bash output colors at wrong positions in terminal and markdown code blocks
• ReasonML diff corrupted undefined text artifacts at word-diff boundaries
• Worktree exit dialog pointed to wrong directory after removal
• @ file picker missed files in small non-git directories and directories with >100 entries
• Failed tool calls not click-to-expand in fullscreen when output was truncated
• Backspace/Ctrl+Backspace swapped after Ctrl+G external editor on terminals with persistent extended-key modes
• /usage weekly reset showed time-of-day instead of calendar date
• Welcome banner ellipsis caused column overflow on CJK terminals
• /insights crash on tool calls with malformed input fields
• Renderer crash when tool collapsibility classification changes mid-session
• skills entry in plugin.json hiding default skills/ directory; listing a file path now shows an error instead of failing silently
• IDE shell-integration lock files ignoring CLAUDE_CONFIG_DIR
• Trailing whitespace in copied terminal output during streaming
• Plugin uninstall/enable/disable not matching slugs case-insensitively
• Tool error truncation marker showed negative count for surrogate-pair strings
• Env vars from CLAUDE_ENV_FILE SessionStart hooks went stale after /resume or /clear
• /branch saved multi-line session title when pasted with line breaks
• Stray leading space on second line of wrapped text at column boundary
• Esc not dismissing dialogs in /install-github-app, /desktop, /resume, /web-setup
• /doctor MCP schema errors missing field name and source file path
• Bash permission prompts showed parser diagnostic instead of user-readable explanation
• Plugin slash commands with spaces not resolving to namespaced form
• AskUserQuestion discarding multi-select answers when supplied as array
• /clear <name> not labeling cleared session for /resume
• CronList output missing qualifiers and scheduled prompt
• 'Jump to bottom' overlay left color artifacts on CJK characters in fullscreen
• Wide markdown tables left stale bordered render in terminal scrollback while streaming
• Pasted text silently dropped when long prompt with pasted-text placeholder was auto-truncated
• /release-notes stuck on old version

For details and download, see the GitHub release.