Four releases in three days. The Claude Code team shipped v2.1.186 through v2.1.191 (plus a follow-on v2.1.193) between June 22 and 25, 2026. Individually each changelog looks incremental. Together they represent a meaningful push on two themes: security hardening for agents with filesystem and credential access, and reliability improvements for MCP-heavy workflows.
sandbox.credentials: Your Secrets Stay Yours#
The headline feature of v2.1.187 (June 23) is sandbox.credentials. Add it to your project or user settings and any command Claude runs inside a sandboxed context — ! bash mode, tool calls, subagent-spawned shells — cannot read your credential files or secret environment variables.
Concretely: the agent can no longer read ~/.aws/credentials, ~/.ssh/id_rsa, ~/.claude.json, or environment variables carrying names associated with secrets (AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, ANTHROPIC_API_KEY, and the like). It can read everything else it needs to do its job.
{
"sandbox": {
"credentials": true
}
}This setting matters most for three scenarios. First, projects where you’re letting Claude Code interact with production systems via MCP tools — you want the coding agent to deploy code, not to exfiltrate the credentials that make deployments possible. Second, teams running Claude Code in CI/CD pipelines where service account tokens are present in the environment by default. Third, any situation where you’re running code from a third-party plugin or untrusted CLAUDE.md (the supply-chain attack surface CVE-2026-21852 demonstrated the relevance here).
This is a correct security primitive. It applies the principle of least privilege to the agent itself: give it the capability it needs for the task, not access to everything the human operator has accumulated.
The same release also surfaced org-configured model restrictions directly in the model picker and --model flag. If your enterprise admin has restricted which models are available, Claude Code now tells you cleanly at selection time rather than failing at runtime.
claude mcp login and claude mcp logout#
Managing MCP server authentication before v2.1.186 required navigating the interactive settings menu — not usable in headless environments, CI runners, or SSH sessions. The new claude mcp login <name> and claude mcp logout <name> CLI commands fix this.
# Authenticate an MCP server non-interactively
claude mcp login github
# For environments without a browser (CI, SSH, containers)
claude mcp login github --no-browser
# → prints an auth URL; you paste the resulting token back to stdin--no-browser is the key option here. In a CI environment, the agent can prompt for a token once at pipeline setup and cache it, then use the MCP server for the rest of the run. This brings GitHub MCP, Salesforce MCP, and other OAuth-gated servers into automated workflows that previously had to work around them.
The same release fixed a MCP tool call hang that had been affecting v2.1.182 through v2.1.185: tool calls could silently stall for up to five minutes on certain server configurations before timing out. v2.1.187 aborts with an error immediately and exposes a new CLAUDE_CODE_MCP_TOOL_IDLE_TIMEOUT env var if you need to tune the threshold.
/rewind Can Now Recover From Before /clear#
/rewind was introduced in v2.1.180 as a way to roll back individual turns. The limitation: if you had run /clear to start a fresh session, /rewind couldn’t reach back before that boundary. Sessions split by /clear were different conversations from the checkpoint system’s perspective.
v2.1.191 (June 24) changed this. /rewind can now restore conversation state from before a /clear — effectively undeleting a session you thought you’d discarded. If you cleared context to debug something and then realized you needed the earlier work, you can recover it.
/rewind # rolls back last turn as before
/rewind --before-clear # restores state from before the most recent /clearThis pairs naturally with the agent session patterns that the v2.1.139 /goal command introduced: if an agent runs /clear internally as part of a context-management loop, a human supervisor can still step in and recover prior state rather than having to re-run the entire task.
Mouse Click Support in Fullscreen#
Small quality-of-life change in v2.1.187, but worth noting for teams that run Claude Code on external monitors or remote desktops: the fullscreen terminal interface now responds to mouse clicks. You can click to select options in the model picker, permission prompts, and /config menus rather than tabbing through them.
This closes a persistent gap with IDE-embedded alternatives. When you’re explaining to a teammate that Claude Code is genuinely usable in fullscreen, being able to point-and-click the permission dialogs removes one common objection.
37% CPU Reduction During Streaming#
v2.1.191 included a performance optimization for the streaming output path. Claude Code now coalesces text updates on a 100ms interval rather than updating the terminal on every token. The result: ~37% reduction in CPU usage during active streaming.
For developers running Claude Code on battery-powered hardware or sharing a machine with compute-intensive workloads (local model inference, build pipelines), this is meaningful. A 37% CPU reduction during a long agentic session translates to measurably longer battery life and fewer thermal throttle events.
The coalescing happens transparently — token output still appears smooth to the human eye, because 100ms is below perception threshold for reading.
! Bash Auto-Respond (v2.1.186)#
A small but useful behavioral change: when you run a ! bash command in Claude Code, Claude now automatically responds to the output. Previously the shell output was injected into context and you had to explicitly ask Claude to interpret it. Now it does so by default.
Opt out with "respondToBashCommands": false in settings if you prefer the old behavior — useful for scripts that run a lot of diagnostic commands where you want to accumulate output before asking Claude to analyze it all at once.
What’s Next: v2.1.193#
The June 25 v2.1.193 release (one day outside the primary window) added autoMode.classifyAllShell, which routes all Bash and PowerShell commands through the auto-mode classifier. In Auto mode, this means every shell command gets evaluated against your permission policy before execution — not just the commands Claude initiates, but also ! commands you type yourself. Auto-mode denial reasons now appear in the transcript, the denial toast, and /permissions recent denials.
Live file path autocomplete in bash mode also shipped in this release, which removes one persistent friction point when navigating unfamiliar codebases via the ! shell.
These releases are characteristic of Claude Code’s current development pace: security hardening and reliability fixes that close the gap between “impressive demo” and “trusted production tool.” sandbox.credentials in particular is the kind of permission primitive that should be on by default in high-stakes environments and referenced in every enterprise Claude Code deployment guide.
Sources: