Claude Code v2.1.98 adds Vertex AI wizard, security fixes, and subprocess sandboxing

Claude Code v2.1.98 is a maintenance release focused on security hardening, new platform integrations, and developer workflow improvements. The update addresses several critical security issues while adding practical features for teams using Google Cloud and version control systems.

New Features and Integrations

The release adds an interactive Google Vertex AI setup wizard accessible from the login screen when selecting "3rd-party platform." This guides users through GCP authentication, project and region configuration, credential verification, and model pinning.

For Perforce users, the CLAUDE_CODE_PERFORCE_MODE environment variable now causes Edit/Write/NotebookEdit operations to fail on read-only files with a p4 edit hint instead of silently overwriting them.

Other additions include:

• Monitor tool for streaming events from background scripts
• Subprocess sandboxing with PID namespace isolation on Linux when CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is set
• CLAUDE_CODE_SCRIPT_CAPS environment variable to limit per-session script invocations
• --exclude-dynamic-system-prompt-sections flag to print mode for improved cross-user prompt caching
• workspace.git_worktree to the status line JSON input, set whenever the current directory is inside a linked git worktree
• W3C TRACEPARENT env var to Bash tool subprocesses when OTEL tracing is enabled
• LSP: Claude Code now identifies itself to language servers via clientInfo in the initialize request

Security Fixes

The release addresses multiple security vulnerabilities:

• Fixed a Bash tool permission bypass where a backslash-escaped flag could be auto-allowed as read-only and lead to arbitrary code execution
• Fixed compound Bash commands bypassing forced permission prompts for safety checks and explicit ask rules in auto and bypass-permissions modes
• Fixed read-only commands with env-var prefixes not prompting unless the var is known-safe (LANG, TZ, NO_COLOR, etc.)
• Fixed redirects to /dev/tcp/... or /dev/udp/... not prompting instead of auto-allowing
• Fixed --dangerously-skip-permissions being silently downgraded to accept-edits mode after approving a write to a protected path via Bash
• Fixed managed-settings allow rules remaining active after an admin removed them, until process restart

Bug Fixes and Improvements

The release includes numerous stability and usability fixes:

• Fixed stalled streaming responses timing out instead of falling back to non-streaming mode
• Fixed 429 retries burning all attempts in ~13s when the server returns a small Retry-After — exponential backoff now applies as a minimum
• Fixed MCP OAuth oauth.authServerMetadataUrl config override not being honored on token refresh after restart, affecting ADFS and similar IdPs
• Fixed capital letters being dropped to lowercase on xterm and VS Code integrated terminal when the kitty keyboard protocol is active
• Fixed macOS text replacements deleting the trigger word instead of inserting the substitution
• Fixed permissions.additionalDirectories changes not applying mid-session — removed directories lose access immediately and added ones work without restart
• Fixed removing a directory from additionalDirectories revoking access to the same directory passed via --add-dir
• Fixed Bash(cmd:*) and Bash(git commit *) wildcard permission rules failing to match commands with extra spaces or tabs
• Fixed Bash(...) deny rules being downgraded to a prompt for piped commands that mix cd with other segments
• Fixed false Bash permission prompts for cut -d /, paste -d /, column -s /, awk '{print $1}' file, and filenames containing %
• Fixed permission rules with names matching JavaScript prototype properties (e.g. toString) causing settings.json to be silently ignored
• Fixed agent team members not inheriting the leader's permission mode when using --dangerously-skip-permissions

UI and Workflow Fixes

• Fixed a crash in fullscreen mode when hovering over MCP tool results
• Fixed copying wrapped URLs in fullscreen mode inserting spaces at line breaks
• Fixed file-edit diffs disappearing from the UI on --resume when the edited file was larger than 10KB
• Fixed several /resume picker issues: --resume <name> opening uneditable, filter reload wiping search state, empty list swallowing arrow keys, cross-project staleness, and transient task-status text replacing conversation summaries
• Fixed /export not honoring absolute paths and ~, and silently rewriting user-supplied extensions to .txt
• Fixed /effort max being denied for unknown or future model IDs
• Fixed slash command picker breaking when a plugin's frontmatter name is a YAML boolean keyword
• Fixed rate-limit upsell text being hidden after message remounts
• Fixed MCP tools with _meta["anthropic/maxResultSizeChars"] not bypassing the token-based pe

This release is particularly important for teams concerned with security hardening, as it addresses multiple permission bypass vulnerabilities that could lead to arbitrary code execution. The subprocess sandboxing features provide additional isolation for untrusted code execution environments.