---
title: "Claude Code's July 15 release closes a permission-preview spoofing gap and a cross-provider billing bug"
date: 2026-07-16
lede_surface: "Claude Code"
summary: "Claude Code's July 15 release closes a permission-preview spoofing gap, floors PreToolUse hook decisions, and fixes a cross-provider prompt-caching billing bug."
tags: ["Claude Code"]
sources:
  - https://code.claude.com/docs/en/changelog
  - https://raw.githubusercontent.com/anthropics/claude-code/main/CHANGELOG.md
  - https://github.com/anthropics/claude-code/releases
  - https://platform.claude.com/docs/en/release-notes/overview
  - https://www.anthropic.com/news
  - https://www.anthropic.com/research
  - https://www.anthropic.com/engineering
  - https://status.anthropic.com/
  - https://claude.com/blog
---

## Lede: v2.1.211 hardens permission previews against visual spoofing and fixes a multi-provider caching bug

Anthropic shipped Claude Code v2.1.211 on July 15, per the [changelog](https://code.claude.com/docs/en/changelog). The release is thin on new surface area but dense on hardening: two fixes close gaps that could let a malicious tool input mislead a human reviewer. First, permission previews relayed to chat channels (Slack, Teams, and similar integrations) now neutralize bidirectional-override, zero-width, and look-alike quote characters, so a crafted tool call can no longer visually alter what the approval message shows a reviewer before they click "allow." Second, auto mode no longer overrides a `PreToolUse` hook's `ask` decision for unsandboxed Bash commands — a hook that says "ask the human" now actually floors the decision at a prompt instead of auto mode silently approving it underneath. Both are the kind of fix that matters most to teams running Claude Code unattended or in CI, where a reviewer (human or automated) is trusting the preview at face value.

The same release also fixes a prompt-caching regression on Bedrock, Vertex, Mantle, and Foundry that had been billing the trailing system-context block as fresh input tokens on every request — meaning teams on those four providers were paying cache-miss rates on content that should have been a cache hit. Anthropic didn't publish a magnitude estimate for the overcharge; the changelog entry is a one-line fix with no quantification, so builders on affected providers should check their own token-cost trend around this update rather than assume a specific percentage.

For a builder, the takeaway is that this is a "read your own logs" release: if you run Claude Code through a chat-relay integration, confirm your approval flow is on 2.1.211 or later; if you're on Bedrock, Vertex, Mantle, or Foundry, look at your prompt-caching hit rate before and after the update to see what the fix actually recovers for you. What to watch: whether Anthropic follows up with a quantified estimate of the caching overcharge, given it affected four separate provider integrations simultaneously.

## The briefs

1. **"Always allow" permission rules now persist across git worktrees.** Per the [changelog](https://code.claude.com/docs/en/changelog), approvals granted in a git worktree now save at the repository root instead of the worktree-local settings file, so a rule you approve in one worktree carries over to sessions in a sibling worktree of the same repo — previously each worktree tracked its own approval state independently.

2. **A new `--forward-subagent-text` flag surfaces subagent reasoning in scripted pipelines.** The same release adds the flag (and its `CLAUDE_CODE_FORWARD_SUBAGENT_TEXT` environment-variable equivalent) to include subagent text and thinking output in `stream-json` output, useful for anyone piping Claude Code's structured output into a logging or observability pipeline that previously only saw the lead agent's turns.

## Watching

Whether Anthropic publishes a follow-up with a quantified estimate of the prompt-caching overcharge across Bedrock, Vertex, Mantle, and Foundry, and whether the next changelog continues this release's security-hardening focus on permission previews and hook enforcement.
