Image: GitHub / anthropics/claude-code Claude Code 2.1.187: Credential Sandboxing, Org Model Restrictions, and Eight Bug Fixes
The June 23 release adds a sandbox.credentials setting to block sandboxed commands from reading API keys and secret env vars, plus organization-level model restrictions that show a clear message when a model is off-limits.
Claude Code 2.1.187 shipped June 23 with two new features focused on access control, plus fixes for several bugs that have been tripping people up.
Sandboxed Commands Can’t Read Your Credentials
When Claude Code runs commands inside the sandbox, those commands inherit the same environment your shell session has. That includes any API keys, tokens, or credentials sitting in env vars or files like .env.
The new sandbox.credentials setting closes that gap. When enabled, it blocks sandboxed commands from reading credential files and secret environment variables. The intent is straightforward: give Claude Code access to run commands without giving everything it spawns a path to your secrets.
This matters most in team or enterprise setups where Claude Code is running automated workflows. A sandboxed agent shouldn’t be able to exfiltrate credentials even if it tries to.
Organizations Can Now Restrict Models
Admins can configure which models are available to users in their organization. When a user tries to select a restricted model via the model picker, --model, /model, or the ANTHROPIC_MODEL env var, they’ll see a message explaining it’s restricted by their organization’s settings rather than a cryptic error.
This gives IT and security teams a concrete mechanism to enforce model policies. If your org has approved only certain Claude models for production use, you can now block others at the configuration level.
Mouse Click Support in Fullscreen Mode
Select menus in fullscreen mode now respond to mouse clicks. This affects permission prompts, the /model picker, /config, and other overlay menus. Before this release, fullscreen users had to navigate those menus with keyboard only.
Bug Fixes
The release closes eight bugs:
--resume failures were throwing “No conversation found” when the original -p run didn’t produce any model turns. That’s fixed. Resume now handles those edge cases cleanly.
Structured output loops in --json-schema and workflow agent({schema}) calls were sending repeated StructuredOutput requests instead of stopping after validation failures. Now they stop.
Remote MCP tool calls that hung for more than five minutes now abort with an error instead of blocking indefinitely. The timeout is configurable via CLAUDE_CODE_MCP_TOOL_IDLE_TIMEOUT if you need to adjust it.
Korean and CJK text was turning into garbage characters during paste events in terminals that handle extended keys byte-by-byte. Fixed.
Background jobs were getting stuck showing “working” when they weren’t. Also fixed: agent channel connection drops and incorrect subagent depth tracking.
Remote session startup is around 2.7 seconds faster after a fix to how the agent proxy CA system trust install runs.
Update via npm install -g @anthropic-ai/claude-code or claude update.
The Weekly Diff
One email a week: every AI coding tool price change, plan restructure, and major release we verified, with sources. No filler.
Free. Unsubscribe anytime.