Between June 2 and June 4, Anthropic shipped four Claude Code releases: v2.1.160, 2.1.161, 2.1.162, and 2.1.163. A fifth (2.1.165) landed on June 5 with stability fixes. Not all of them are equal — but collectively they signal where the product is heading in the run-up to Code with Claude Tokyo next week.
Here’s what actually changed, and why it matters.
The Ultracode Rename#
The most visible change landed quietly in v2.1.160: the dynamic-workflow trigger keyword is now ultracode, not workflow.
If you’ve been running agentic orchestration sessions, you may have already noticed the shift. Asking Claude Code to “run a workflow” no longer automatically triggers Dynamic Workflows mode. You need to use the word “ultracode” explicitly — or ask for one “in your own words,” which still works.
This isn’t cosmetic. “Ultracode” has been the established keyword in Claude Code’s internal harness for months; aligning the trigger eliminates a confusing collision where the word “workflow” — used naturally in hundreds of contexts — could accidentally kick off high-compute orchestration. It also makes ultracode a deliberate invocation signal: the word that means “bring full autonomous power to this task.”
The rename appeared in the same release that removed CLAUDE_CODE_OPUS_4_6_FAST_MODE_OVERRIDE. Anthropic is cleaning up the model-era archaeology that accumulated when Opus 4.7 and 4.8 shipped. The stack is tidier now.
Enterprise Version Enforcement#
v2.1.163 added requiredMinimumVersion and requiredMaximumVersion to managed settings. When set, Claude Code refuses to launch if its installed version falls outside the allowed range and directs the user to an approved version.
This is a significant enterprise feature — essentially a browser update policy applied to your AI coding agent. Teams can now ensure everyone is on the same version, blocking both overly old installs (security risk) and overly new ones (untested changes hitting production before IT review). For organizations managing Claude Code across hundreds or thousands of developer machines, this closes a governance gap that has existed since the tool went enterprise-GA.
The requiredMaximumVersion cap is particularly telling. It lets cautious IT teams slow-roll Claude Code updates and evaluate each release before exposing it to the fleet — the same due diligence they apply to browser and OS updates. That an AI coding tool now needs this kind of policy surface speaks to how deeply it’s embedded in serious enterprise workflows.
Hooks That Talk Back#
v2.1.163 also extended the hook system: Stop and SubagentStop hooks can now return hookSpecificOutput.additionalContext to give Claude feedback without triggering a hook error.
Previously, if a Stop hook ran and had something meaningful to report — the build failed, here’s the log; the tests are red, here’s the output — it had to either surface that as an error (noisy) or stay silent (useless). Now it can pass context back to Claude, which uses it to continue the turn rather than stopping.
The pattern this enables: run your test suite in a Stop hook when Claude finishes a change, report failures via additionalContext, and let Claude keep going to fix them. This is a small API surface change with large implications for automated quality loops in multi-agent pipelines.
Combined with the earlier SubagentStop hook (fires when a subagent in a multi-agent session finishes), teams now have building blocks for automated quality checks that integrate natively with the agentic loop — no polling, no external orchestration needed.
Shell Startup File Safety#
v2.1.160 added prompts before Claude Code writes to shell startup files (.zshenv, .zlogin, .bash_login) and ~/.config/git/. The acceptEdits mode also now prompts before touching build-tool configuration files: .npmrc, .yarnrc*, bunfig.toml, .bazelrc, .pre-commit-config.yaml, .devcontainer/.
This closes a real attack surface. A compromised CLAUDE.md, a malicious MCP server, or a prompt-injected task could previously instruct Claude Code to silently persist itself — or something else — in your shell startup. Now any write to these paths requires explicit confirmation, regardless of the permission mode you’re in.
It’s a quiet change that reflects how seriously Anthropic takes the security model after CVE-2026-21852 and the ongoing stream of MCP security disclosures.
Smaller Changes Worth Knowing#
v2.1.161 (June 2):
OTEL_RESOURCE_ATTRIBUTESvalues now appear as labels on metric datapoints. Your OpenTelemetry dashboards can slice Claude Code telemetry by team, repo, or environment — useful for the Analytics API workflow.- Parallel tool calls: a failed Bash command no longer cancels other calls in the same batch. This was a regression that hit multi-tool operations; it’s fixed.
v2.1.162 (June 3):
claude agents --jsonnow includes awaitingForfield showing what a blocked session is waiting on. Essential for scripting agent orchestration when you need to know whether a session is blocked on user input, a tool call, or another agent.- Windsurf renamed to Devin Desktop in
/idemenu,/terminal-setup, and/scroll-speed. Cognition’s brand migration is complete; Claude Code’s IDE detection has been updated to reflect the new name. /effortnow confirms explicitly when your chosen level will persist as the default for new sessions. This was a genuine UX confusion: users would set effort once and not realize it stuck until sessions started behaving unexpectedly.
v2.1.163 (June 4):
/plugin listcommand with--enabledand--disabledfilters. Basic plugin hygiene, but useful for enterprise admins auditing what’s installed on managed machines.- stdio MCP servers now receive
CLAUDE_CODE_SESSION_IDon--resume. This lets MCP servers track which session is resuming, enabling server-side session state and better debugging across long-running agentic pipelines. - Skills:
\$escape syntax lets you include a literal$before a digit in command bodies without it being interpreted as a parameter reference. A small fix with outsized impact for skill authors using shell syntax in command bodies.
The Pattern#
The June sprint is maintenance-heavy and deliberately so. Three weeks after a major model upgrade (Opus 4.8) and a large feature batch (v2.1.152-158 plugin overhaul), Anthropic is tightening the security model, cleaning up model-era cruft, and expanding the enterprise governance surface.
The ultracode rename makes invocation intent explicit. The version enforcement gives IT teams the policy surface they need for serious deployments. The hook feedback loop closes a gap in automated quality pipelines. The shell startup file prompts harden an attack vector that has been exploited before.
None of these will make the keynote slide deck at Code with Claude Tokyo next week. All of them will make Claude Code more reliable, more secure, and more governable in production. That’s what a platform looks like at this stage of maturity.
Source: Claude Code Changelog (v2.1.160–2.1.165, June 2–5, 2026)