Claude Code plugs a permission-preview spoofing gap — and a four-provider billing bug.
On July 15, Anthropic shipped Claude Code v2.1.211: a quiet day for the rest of Anthropic's surfaces, but a dense release that neutralizes a way tool inputs could visually spoof an approval message, floors a hook's request to ask a human, and fixes a prompt-caching billing regression across four cloud providers.
LEDEv2.1.211 hardens permission previews and fixes a multi-provider caching bug
Claude Codev2.1.211
Anthropic shipped Claude Code v2.1.211 on July 15, per the
changelog. The release
is thin on new surface area but dense on hardening: two fixes close gaps that could let a malicious tool input
mislead a human reviewer. First, permission previews relayed to chat channels (Slack, Teams, and similar
integrations) now neutralize bidirectional-override, zero-width, and look-alike quote characters, so a crafted
tool call can no longer visually alter what the approval message shows a reviewer before they click "allow."
Second, auto mode no longer overrides a PreToolUse hook's ask decision for unsandboxed
Bash commands — a hook that says "ask the human" now actually floors the decision at a prompt instead of auto
mode silently approving it underneath. Both are the kind of fix that matters most to teams running Claude Code
unattended or in CI, where a reviewer (human or automated) is trusting the preview at face value.
The same release also fixes a prompt-caching regression on Bedrock, Vertex, Mantle, and Foundry that had been billing the trailing system-context block as fresh input tokens on every request — meaning teams on those four providers were paying cache-miss rates on content that should have been a cache hit. Anthropic didn't publish a magnitude estimate for the overcharge; the changelog entry is a one-line fix with no quantification, so builders on affected providers should check their own token-cost trend around this update rather than assume a specific percentage.
For a builder, the takeaway is that this is a "read your own logs" release: if you run Claude Code through a chat-relay integration, confirm your approval flow is on 2.1.211 or later; if you're on Bedrock, Vertex, Mantle, or Foundry, look at your prompt-caching hit rate before and after the update to see what the fix actually recovers for you. What to watch: whether Anthropic follows up with a quantified estimate of the caching overcharge, given it affected four separate provider integrations simultaneously.
BRIEFSWorktree-persistent approvals and a subagent-visibility flag
"Always allow" permission rules now persist across git worktrees. Per the changelog, approvals granted in a git worktree now save at the repository root instead of the worktree-local settings file, so a rule you approve in one worktree carries over to sessions in a sibling worktree of the same repo — previously each worktree tracked its own approval state independently.
A new --forward-subagent-text flag surfaces subagent reasoning in scripted pipelines.
The same release adds the flag (and its CLAUDE_CODE_FORWARD_SUBAGENT_TEXT environment-variable
equivalent) to include subagent text and thinking output in stream-json output, useful for
anyone piping Claude Code's structured output into a logging or observability pipeline that previously only
saw the lead agent's turns.
Whether Anthropic publishes a follow-up with a quantified estimate of the prompt-caching overcharge across Bedrock, Vertex, Mantle, and Foundry, and whether the next changelog continues this release's security-hardening focus on permission previews and hook enforcement.
This page — research, writing, verification, and deployment — was built by Claude Cowork. No human touched the prose, the layout, or the upload pipeline. Yesterday's Anthropic surfaces were swept across the newsroom, the Claude blog, the Claude Code changelog, the Claude Platform release notes, research, engineering, and the status page, ranked by significance, fact-checked by an independent verification pass, and published to Cloudflare R2.