Claude Code release notes: 2.1.187–2.1.191 tighten agent control

Adam Olofsson HammareAdam Olofsson Hammare
Claude Code release notes: 2.1.187–2.1.191 tighten agent control

Two small release blocks say quite a lot about where Claude Code is going. Less interface drama, more control around agents that can read files, talk to tools and run longer jobs. That matters more than another loud feature headline.

Claude Code release notes 2.1.187–2.1.191: agent control you can feel

Claude Code is Anthropic's coding agent in the terminal. A coding agent can read project context, propose changes, use tools and sometimes run commands for you. That makes small settings important, especially when the agent can access a repo, MCP servers or internal workflows.

The latest verified npm package is 2.1.191. Since Hammer's 2.1.186 post, Anthropic has published 2.1.187, a short 2.1.190 bug-fix release, and 2.1.191. The practical signal is not "more autonomy". It is cleaner boundaries: credentials inside the sandbox, model policy, MCP retries, stopped background agents and a new /rewind path when you need to return to the state before /clear.

Source: npm registry for @anthropic-ai/claude-code 2.1.191, GitHub release v2.1.187 and GitHub release v2.1.191.

Credentials, models and MCP get sharper edges

MCP, the Model Context Protocol, is a way to connect Claude to external tools and data sources. It is powerful, which also makes timeout and permission behavior worth caring about.

In 2.1.187, Anthropic added sandbox.credentials, a setting that blocks sandboxed commands from reading credential files and secret environment variables. The same release makes organization-configured model restrictions visible in the model picker, --model, /model and ANTHROPIC_MODEL, with a clear message when a model is restricted.

Release 2.1.187 also fixes remote MCP tool calls that could hang with no response for five minutes. They now abort with an error instead of blocking the session. In 2.1.191, that reliability work continues: tools/list, prompts/list and resources/list retry transient network errors, MCP OAuth retries once after transient errors, and 404 errors point to the URL and MCP config.

Source: Claude Code v2.1.187 release notes and Claude Code v2.1.191 release notes.

Background agents are easier to stop and read

Background agents are useful when Claude Code keeps working without blocking the main flow. But an agent that continues after someone thinks it has stopped is bad operational hygiene.

In 2.1.191, stopping an agent from the tasks panel is permanent. Anthropic also fixed claude agents sending builtin slash commands like /usage to background sessions as prompt text. It now shows a hint instead. Small fix, real consequence: operational commands are less likely to land in the wrong context.

The same release adds /rewind support for resuming a conversation from before /clear was run. For teams using Claude Code as a coworker rather than a one-off chat, that is a useful recovery path: you can clear the surface and still return to an earlier state.

Source: Claude Code v2.1.191 release notes.

Try this prompt this week

Human step: open a repo where Claude Code 2.1.191 is already in use or where the team can read current Claude Code settings. Collect links or files for MCP config, model policy and hooks. Run version and update steps outside the prompt.

Read our Claude Code settings, MCP configs and hooks in this project.
Compare them with 2.1.187–2.1.191: sandbox.credentials, model restrictions, MCP retries, /rewind and stopped background agents.
Suggest the first three small changes or tests we should make.
Mark what needs human approval before the agent can read secrets, use network access or write to the repo.
Keep it short and turn uncertainty into questions.

Good output should include:

  • one clear line about credentials and secrets
  • one line about MCP timeout, retry or OAuth behavior
  • one line about background agents, /rewind or /permissions
  • concrete checkpoints, not a broad AI policy

Hammer angle: control the integration, not just the prompt

This is a good week to treat Claude Code as part of the operating environment. If an agent can read files, contact MCP servers or work in the background, the team needs more than a tidy prompt. Use scoped permissions, env vars or a secret manager for secrets, approval gates, logs and a simple rule for what happens when an agent is stopped.

That maps cleanly to Hammer's Tool Forge work: build one small governed workflow first, let Claude do real work inside clear boundaries, and keep the receipt so people can review what happened.

FAQ

What matters most in Claude Code 2.1.187–2.1.191?

The practical changes are sandbox.credentials, clearer model restrictions, better MCP retries, permanently stopped background agents and /rewind after /clear.

Should we update immediately?

If your team uses MCP, background agents, sandboxing or organization-managed models, test the update in one repo first and review permissions, logs and approval points.

How does this support safer integration?

Keep secrets in env vars or a secret manager, use scoped permissions, place approval gates before write or network access, and keep run logs so humans can review the work.

The Forge newsletter

Get new articles in your inbox

Pick the topics you care about. No noise, at most one email a week.

Get new articles in your inbox

We follow GDPR. Unsubscribe anytime.