claudekit / updates / claude-code-2-1-153
[ PATCH · ]

Claude Code 2.1.153

`/model` now saves your selection as the new-session default (matching the IDE); `s` in the picker switches the current session only — reversing the 2.1.144 `d` behavior and requiring a keybinding rename. Security fixes close a regression where a custom API gateway could receive the user's Anthropic OAuth credential, and subagent frontmatter MCP servers now respect `--strict-mcp-config` and enterprise managed policies. Other fixes cover `skipLfs` for `github`/`git` marketplace sources, `COLUMNS`/`LINES` env vars in status line, macOS Privacy & Security persistence, background sessions, and the Windows installer.

Claude Code
Official announcement →

This article is a summary based on official documentation.

What changed

Claude Code 2.1.153 shipped on May 28, 2026. /model now matches the IDE: your selection becomes the default for new sessions, and a current-session-only switch is now s in the picker — reversing the 2.1.144 d behavior, with a keybindings.json rename required for users who customized the binding. On security, two fixes close a regression where a custom API gateway could receive the user’s Anthropic OAuth credential and a gap where subagent frontmatter MCP servers ignored --strict-mcp-config, --bare, remote mode, enterprise managed MCP config, and managed-settings allow/deny policies. The rest is skipLfs for github/git marketplace sources, COLUMNS/LINES env vars in status line commands, broader claude agents autocomplete and PR column, macOS Privacy & Security persistence, and a wide background-session and Windows installer bug-fix sweep.

Key improvements

  • /model default reversed; s for current-session-only

    In 2.1.144, /model changed the current session only and d set the new-session default. Now /model saves your selection as the default for new sessions (matching the IDE), and s in the picker switches the current session only. If you customized the modelPicker:setAsDefault keybinding in keybindings.json, rename it to modelPicker:thisSessionOnly — the d action was replaced by s.

  • skipLfs option for github/git plugin marketplace sources

    Marketplace sources backed by repos with large LFS assets pulled the LFS data on every clone and update. github/git marketplace sources can now set skipLfs to skip Git LFS downloads during clone and update.

  • Status line commands receive COLUMNS and LINES env vars

    Status line scripts had no clean way to size output to the terminal width. The script now receives COLUMNS and LINES environment variables so it can match the terminal layout.

  • claude agents autocomplete and PR column

    Dispatch input autocomplete suggested only project skills, and the PR column showed a single number regardless of how many PRs the workspace had. Autocomplete now suggests native slash commands and bundled skills as well, and the PR column shows PR #N for a single PR or N PRs for multiple.

  • claude doctor shows the result of the last update attempt

    Silent update failures left users unsure where things broke. claude doctor now reports the result of the most recent update attempt.

  • One-time notice when an npm global install can’t auto-update

    Users on global npm installs could miss updates with no signal. A one-time notice now appears when auto-update is blocked, and /doctor lists the specific fixes.

  • MCP server and connector authentication notices combined

    Separate startup “needs authentication” notifications for MCP servers and connectors are now combined into a single message.

  • macOS: background agents are “Claude Code” in Privacy & Security and keep their grants across upgrades

    Background agents appeared under a different name in Privacy & Security and lost their permission grants on every upgrade, forcing repeated approval. They now appear as “Claude Code” and retain permission grants across upgrades.

  • /bg mid-response continues the response in the background session

    Running /bg while Claude was responding dropped the in-flight response. The response now continues in the background session.

Bug fixes

Security & enterprise

  • A regression where a custom API gateway could receive the user’s Anthropic OAuth credential instead of the gateway’s own token — only the gateway’s token is used.
  • Subagent (Agent tool) frontmatter MCP servers ignoring --strict-mcp-config, --bare, remote mode, enterprise managed MCP config, and managed-settings MCP server allow/deny policies — all policies are now enforced.
  • --strict-mcp-config stripping inline mcpServers from explicitly-passed agent definitions (--agents / SDK agents) — inline definitions are preserved, and blocked subagent MCP servers surface a visible warning.

MCP & plugins

  • Stateful MCP servers without the optional GET SSE stream reconnect-looping on tools/list (regression in v2.1.147) — fixed.
  • MCP tool progress notifications not rendering in the collapsed tool view — they now render.

Installer & updates

  • Windows PowerShell installer reporting “Installation complete!” when installation actually failed — failures are reported clearly.
  • claude update installing the latest version instead of the configured release channel’s version for npm installations — the channel setting is respected.
  • Windows update rollback — if an update fails, the original executable is restored by copy and recovery guidance is shown.

Sessions & agents

  • Excessive memory usage (multiple GB) when resuming a session by transcript file path on machines with many stored sessions — usage stays bounded.
  • claude agents and claude --bg running on a stale daemon started before binary-takeover support, even after upgrading — the upgraded daemon is used.
  • CLI hang when stdin was closed without EOF in stream-json mode, leaving a stale session marker behind — exits cleanly.
  • Agent tool with subagent_type: 'claude' running in an undocumented temporary worktree, which could silently discard outputs written to gitignored paths — runs in the documented worktree.

Background sessions

  • /btw keyboard shortcuts unresponsive in background sessions while a task is running — they respond.
  • Background sessions writing temp files to $CLAUDE_JOB_DIR triggering a “sensitive file” permission prompt — no prompt is triggered.
  • Recovering a background agent whose working directory was deleted showing a truncated stack trace — a clear error message is shown instead.
  • EnterWorktree not available immediately in background sessions (previously required ToolSearch first) — available immediately.
  • cmd+k in iTerm2/Terminal.app not repainting attached background sessions — repaints correctly.
  • IME candidate window appearing at the bottom of the screen instead of next to the input caret in attached background sessions on Windows — positions next to the caret.
  • Background-color bleed when attaching to a background agent from 256-color-only terminals after the agent had rendered file diffs — cleaned up.
  • /copy and copy-on-select silently failing to update the system clipboard when attached to a background session inside tmux — clipboard updates.
  • Opening claude agents with Remote Control enabled leaving zombie session entries on the Code tab after exiting — entries are cleaned up.
  • /rename in background sessions not updating the session banner immediately — the banner updates.

Terminal & UI

  • Malformed file:// links in Claude’s responses not being clickable in the terminal — they are now clickable.
  • claude --help rendering unwrapped output on terminals narrower than 92 columns — wraps properly.

Windows & VS Code

  • Claude Code processes not shutting down cleanly when VS Code closed on Windows, causing false “unclean exit” reports and orphaned MCP servers — clean shutdown.

Notes

  • /model reversed from 2.1.144: 2.1.144 made /model current-session-only with d setting the new-session default. 2.1.153 flips that — selection saves as the new-session default and s is the current-session-only switch. Anyone who customized modelPicker:setAsDefault must rename it to modelPicker:thisSessionOnly in keybindings.json.
  • Two security patches worth prompt upgrade: the custom API gateway OAuth credential leak and the subagent frontmatter MCP policy bypass both cross credential or policy boundaries; enterprise deployments should upgrade promptly.
  • skipLfs is a marketplace-source option: it applies to github/git marketplace source definitions, not user settings. Only meaningful when a marketplace repo carries large LFS assets.
  • macOS permission grant reset: users who had to re-approve background agents on every upgrade should approve once more after this release; grants then persist across future upgrades.
  • Broad background-session stability work: keyboard shortcuts, IME positioning, clipboard, zombie entries, deleted-directory recovery — many attached-session regressions are addressed together. Workflows that rely on background sessions should feel noticeably more stable.