Date: 2026-05-09
Window covered: ~2026-04-01 → 2026-05-09 (versions 2.1.101 → 2.1.138)
Sources: Raw changelog archived at F:/TITAN/plans/claude-code-release-notes-raw-2026-05-09.md (287 KB, fetched from https://raw.githubusercontent.com/anthropics/claude-code/main/CHANGELOG.md); cross-referenced via Perplexity sonar-pro synthesis (recency=month).
---
Compact timeline of the releases shipped in the last ~30–40 days. Each line is one version; only TITAN-relevant items are listed (omits pure UI/terminal-rendering fixes).
settings.autoMode.hard_deny for unconditional auto-mode blocks; CLAUDE_CODE_ENABLE_FEEDBACK_SURVEY_FOR_OTEL; MCP .mcp.json/plugin/connector entries no longer disappear after /clear; concurrent-MCP OAuth refresh fix; --resume/--continue works with underscored project paths; plan mode now blocks file writes even when Edit(...) allow-rule matches; WSL2 image paste from Windows clipboard via PowerShell fallback. (citing changelog §2.1.136)
worktree.baseRef setting (fresh | head); hooks now receive effort.level JSON field + $CLAUDE_EFFORT env var; Bash tool subprocess can read $CLAUDE_EFFORT; parentSettingsBehavior admin-tier key; subagents now discover project/user/plugin skills via Skill tool; Edit/Write denies on mapped network drives via --add-dir/SDK fixed.
CLAUDE_CODE_SESSION_ID env var added to Bash subprocess (matches hook session_id); CLAUDE_CODE_DISABLE_ALTERNATE_SCREEN=1; SIGINT graceful shutdown.
--plugin-url <url> flag (load plugin .zip from URL); CLAUDE_CODE_PACKAGE_MANAGER_AUTO_UPDATE; plugin manifests: themes/monitors move under experimental; CLAUDE_CODE_ENABLE_GATEWAY_MODEL_DISCOVERY=1 opt-in; skillOverrides setting now functional (off, user-invocable-only, name-only); 1-hour prompt cache TTL fix.
--plugin-dir accepts .zip archives; --channels works with API-key auth; subprocess no longer inherits OTEL_* env vars; reconnecting MCP servers don't flood transcript with full tool lists; SDK Bash permission "Always allow" writes to .claude/settings.local.json; sub-agent progress summaries now use prompt cache (~3× cache_creation reduction); 1M-context Opus 4.7 sessions no longer falsely autocompact at 200K.
claude project purge [path] with --dry-run/--all; --dangerously-skip-permissions now bypasses prompts for writes to .claude/, .git/, etc.; claude_code.skill_activated OTel event fires for user-typed slash commands with invocation_trigger attribute; deferred tools (WebSearch, WebFetch, etc.) now available to skills with context: fork on first turn; allowManagedDomainsOnly security fix.
ANTHROPIC_BEDROCK_SERVICE_TIER (default/flex/priority); /resume accepts pasted PR URL; claude_code.at_mention OTel log event; numeric OTel attrs are numbers (not strings); ToolSearch MCP-late-connect fix.
alwaysLoad MCP server config option (skip tool-search deferral); claude plugin prune; PostToolUse hooks can replace tool output via hookSpecificOutput.updatedToolOutput for all tools (was MCP-only); cleanupPeriodDays now sweeps tasks/, shell-snapshots/, backups/.
${CLAUDE_EFFORT} in content; AI_AGENT env set on subprocesses (so gh attributes traffic correctly); spinner tips suppressed when skills/agents already exist.
/config settings now persist to ~/.claude/settings.json (theme, editor mode, verbose); prUrlTemplate; --print mode honors agent tools:/disallowedTools: frontmatter; --agent honors permissionMode; PowerShell tool can be auto-approved like Bash; PostToolUse hook input now includes duration_ms; status line stdin JSON now includes effort.level and thinking.enabled.
type: "mcp_tool"; DISABLE_UPDATES; vim visual mode; merged /cost+/stats → /usage; wslInheritsWindowsSettings policy key; auto-mode "$defaults" sentinel for additive rules.
CLAUDE_CODE_FORK_SUBAGENT=1 works on external builds; agent frontmatter mcpServers loaded for --agent main-thread; default effort for Pro/Max on Opus 4.6/Sonnet 4.6 raised to high; native bfs/ugrep replaces Glob/Grep on macOS/Linux native builds.
/resume on large sessions (up to 67% on 40MB+).
sandbox.network.deniedDomains; security: Bash deny rules now match commands wrapped in env/sudo/watch/ionice/setsid; Bash(find:*) no longer auto-approves -exec/-delete; Bash dangerouslyDisableSandbox no longer skips permission prompt.
xhigh effort; auto-mode no longer needs --enable-auto-mode; /less-permission-prompts skill (scans transcripts and proposes allowlist for .claude/settings.json); /ultrareview; PowerShell tool rolling out (Windows, opt in/out via CLAUDE_CODE_USE_POWERSHELL_TOOL); read-only bash with glob (ls *.ts) no longer prompts; cd <project-dir> && … no longer prompts.
/tui command, flicker-free renderer; push notification tool; autoScrollEnabled; /focus command.
ENABLE_PROMPT_CACHING_1H env var for 1-hour TTL; /recap command (returning-to-session context); built-in slash commands (/init, /review, /security-review) now invocable by model via Skill tool.
{"decision":"block"}; plugin monitors manifest key (background monitors auto-arm at session start or skill invoke); stalled API streams retry non-streaming after 5min idle.
/team-onboarding; OS CA cert store trust by default (CLAUDE_CODE_CERT_STORE=bundled to revert); plan mode "Refine with Ultraplan" routing; SDK query() cleans up subprocess/temp files on break.
---
1. PreCompact hook can now BLOCK compaction (v2.1.105).
Hooks emitting exit 2 or {"decision":"block"} halt compaction. TITAN already wires both titan-precompact.py and precompact_dump.py as PreCompact hooks (settings.json lines 95–115). Today they only dump state. Now they can also veto compaction when conditions aren't safe (e.g., uncommitted memory writes, mid-batch). Patch surface: F:/TITAN/scripts/titan-precompact.py. Effort: ~15 min.
2. PostToolUse hook can replace tool output via hookSpecificOutput.updatedToolOutput for ALL tools (v2.1.121).
Previously MCP-only. Now hooks like titan-injection-scan.py (currently matcher Read|WebFetch|WebSearch, settings.json lines 65–73) can redact prompt-injection payloads instead of just scanning. Today it can flag — now it can sanitize before the model sees it. Patch surface: titan-injection-scan.py. Effort: ~30 min.
3. PostToolUse hook input now includes duration_ms (v2.1.119).
TITAN's titan-metrics.py runs after every Bash/Read/Glob/Grep/WebSearch/WebFetch/Write/Edit (settings.json lines 35–62). Right now it has no per-tool latency signal. With duration_ms we get a free per-tool latency histogram → feeds titan-daily-token-audit and SCOUT diagnostics. Patch surface: F:/TITAN/scripts/titan-metrics.py. Effort: ~20 min.
4. Hooks/skills receive effort.level and $CLAUDE_EFFORT (v2.1.119, v2.1.120, v2.1.133).
TITAN has no current visibility into what effort level the model is running at. Knowing this lets skills branch behavior — e.g., /dream can do deeper consolidation under xhigh, lighter at medium. Skills can inline ${CLAUDE_EFFORT} in content. Patch surface: ~/.claude/skills/dream/SKILL.md, ~/.claude/skills/sense/SKILL.md, optionally inject into session_start_inject.py. Effort: ~20 min.
5. claude_code.skill_activated OTel event with invocation_trigger (v2.1.126).
Distinguishes user-slash vs claude-proactive vs nested-skill. TITAN already runs titan-metrics.py; if you opt into OTel export this is a free signal for "is Claude using my skills proactively or am I always typing them?" — directly feeds DARWIN's evolution analysis. Effort: ~30 min if OTel collector not already running, ~5 min if it is.
6. --plugin-url <url> (v2.1.129) + claude plugin prune (v2.1.121).
TITAN doesn't ship plugins yet, but --plugin-url is the path to one-line distribution of a TITAN plugin pack (skills + agents + hooks bundled). When you eventually package TITAN for portability, this is the install vector.
7. MCP alwaysLoad: true per-server config (v2.1.121).
Skips tool-search deferral. If you have MCPs you depend on every session (e.g., GitHub, filesystem, browser), marking them alwaysLoad removes the first-turn "tools not available" race condition. Patch surface: any .mcp.json or settings MCP block.
8. CLAUDE_CODE_SESSION_ID env var in Bash subprocesses (v2.1.132).
Bash-tool scripts can now correlate themselves with the session_id passed to hooks. TITAN's titan-bash-guardrail.py and titan-token-saver.py could log against session, enabling per-session forensics. Effort: ~10 min.
9. Plan mode now blocks file writes even when Edit(...) allow-rule matches (v2.1.136).
Pure security tightening. Confirms TITAN's bypassPermissions defaultMode + plan mode is now properly layered.
10. settings.autoMode.hard_deny (v2.1.136).
Unconditional deny for auto-mode classifier. If TITAN ever flips into auto-mode for scheduled tasks, this is where you put rm -rf, git push --force, DROP TABLE, AWS credential paths, etc.
11. worktree.baseRef: 'fresh' | 'head' (v2.1.133).
Default flipped back to fresh (origin/<default>). If TITAN agent-isolation worktrees rely on local HEAD commits, set this to 'head' explicitly. Currently TITAN doesn't appear to use EnterWorktree heavily.
12. Native bfs/ugrep replacing Glob/Grep on macOS/Linux native builds (v2.1.117).
Faster searches, no tool round-trip. Windows unchanged — TITAN runs on Windows so this is mostly informational, except SCOUT memo searches will be faster on Linux/Mac mirror sessions.
13. /recap command + CLAUDE_CODE_ENABLE_AWAY_SUMMARY (v2.1.108, v2.1.110). Auto session-recap when returning. TITAN's session_start_inject.py already provides this kind of context — check for redundancy.
14. Sub-agent progress summaries now use prompt cache (v2.1.128). Free 3× cost reduction on cache_creation for sub-agents — applies automatically. No patch needed; just confirm it's in effect.
15. Skill descriptions raised from 250 → 1,536 chars (v2.1.105). TITAN skills can have longer descriptions. Currently each SKILL.md is fine; this is headroom if you want richer routing hints.
16. claude project purge [path] (v2.1.126). Use to clean up Claude Code state for archived TITAN sub-projects (transcripts, file history, config entries).
17. PowerShell tool on Windows (v2.1.111, v2.1.119). TITAN runs on Windows. PowerShell tool can now be auto-approved like Bash. If TITAN is currently routing through Git Bash, opting into PowerShell tool could unify shell semantics. Watch out — TITAN's hooks call python F:/TITAN/... and assume POSIX-ish shell on Bash tool; switching primary shell to PowerShell could break 2>/dev/null || true chains throughout settings.json. Recommendation: do NOT enable yet.
---
duration_ms into titan-metrics.py
Why: Free per-tool latency signal lights up DARWIN/SCOUT diagnostics with zero extra work.
Where: F:/TITAN/scripts/titan-metrics.py
What changes: Read duration_ms from hook stdin JSON, append to per-tool histogram alongside existing token counts.
Effort: 20 min. Risk: zero — additive only.
```python
# In titan-metrics.py, near where hook JSON is parsed
# (metrics_log and now are the script's existing record list and timestamp):
import json
import sys

hook_input = json.load(sys.stdin)
duration_ms = hook_input.get("duration_ms")  # NEW (v2.1.119+)
tool_name = hook_input.get("tool_name")
if duration_ms is not None:
    metrics_log.append({"tool": tool_name, "duration_ms": duration_ms, "ts": now})
```
titan-injection-scan.py redact (not just flag) prompt-injection payloads
Why: Closes a real attack surface (web pages, file reads, search results) by sanitizing output BEFORE model sees it. Was MCP-only; now works on Read/WebFetch/WebSearch.
Where: F:/TITAN/scripts/titan-injection-scan.py
What changes: When injection pattern matches, return hookSpecificOutput.updatedToolOutput with the offending span replaced by [REDACTED: prompt-injection attempt].
Effort: 30 min. Risk: low — fail-open if hook errors (already does).
```python
# Return shape (PostToolUse hook); sanitized_text is the redacted tool output:
print(json.dumps({
    "hookSpecificOutput": {
        "updatedToolOutput": sanitized_text  # was: "decision": "block" or scan-only
    }
}))
```
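One way to implement the redaction step described above, as an added example that is not the contents of titan-injection-scan.py. The patterns are constructed placeholders, `tool_response` is assumed to arrive as plain text, and `hookEventName` is included on the assumption that this reply follows the usual hookSpecificOutput shape.

```python
import json
import re
import sys

MARKER = "[REDACTED: prompt-injection attempt]"
# Constructed, illustrative patterns (assumption): tune against real traffic.
PATTERNS = [
    re.compile(r"ignore (?:all |any )?(?:previous|prior|above) instructions[^.\n]*", re.I),
    re.compile(r"<\s*system\s*>.*?<\s*/\s*system\s*>", re.I | re.S),
    re.compile(r"you are now (?:in )?(?:developer|unrestricted) mode[^.\n]*", re.I),
]

def redact(text):
    """Return (sanitized_text, hit_count); overlapping matches merge into one span."""
    spans = sorted(m.span() for p in PATTERNS for m in p.finditer(text))
    merged = []
    for start, end in spans:
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)  # extend the previous span
        else:
            merged.append([start, end])
    out, pos = [], 0
    for start, end in merged:
        out += [text[pos:start], MARKER]  # keep clean text, drop the matched span
        pos = end
    out.append(text[pos:])
    return "".join(out), len(merged)

def build_response(hook_input):
    """Build the PostToolUse reply, or None to leave the tool output untouched."""
    response = hook_input.get("tool_response")
    if not isinstance(response, str):  # assumption: only plain-text output is rewritten
        return None
    sanitized, hits = redact(response)
    if hits == 0:
        return None
    return {"hookSpecificOutput": {"hookEventName": "PostToolUse",
                                   "updatedToolOutput": sanitized}}

if __name__ == "__main__":
    try:
        reply = build_response(json.load(sys.stdin))
        if reply is not None:
            print(json.dumps(reply))
    except Exception:
        pass  # fail open on any hook error, matching the stated risk posture
    sys.exit(0)
```

Merging overlapping spans before substitution keeps one marker per payload, so a `<system>` block that also contains an "ignore previous instructions" phrase is replaced once and leaves no partial fragment behind.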
Why: TITAN's precompact_dump.py snapshots state, but if a VAULT write is mid-flight, compaction races. Now the hook can refuse compaction until the staging dir is quiescent.
Where: F:/TITAN/scripts/titan-precompact.py (or precompact_dump.py)
What changes: Check for lock files in F:/TITAN/knowledge/memory/staging/ or auto-memory/; if any are <30s old, exit 2 (or emit {"decision":"block","reason":"memory write in flight"}) to defer compaction by one turn.
Effort: 15 min. Risk: low — Claude will retry the compact in the next idle window.
```python
# In titan-precompact.py:
if any_recent_lockfile_exists(STAGING_DIR, max_age_s=30):
    print(json.dumps({"decision": "block", "reason": "VAULT write in flight"}))
    sys.exit(2)
```
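A possible body for the `any_recent_lockfile_exists` helper named above, as an added example that is not code from titan-precompact.py. The `.lock` suffix, the `precompact_decision` wrapper and passing the directories as command-line arguments are assumptions.

```python
import json
import os
import sys
import time

def any_recent_lockfile_exists(directory, max_age_s=30, suffix=".lock", now=None):
    """True if any lock file under directory was modified less than max_age_s ago."""
    now = time.time() if now is None else now
    if not os.path.isdir(directory):
        return False  # nothing staged, nothing to protect
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.endswith(suffix):
                continue
            try:
                age = now - os.stat(os.path.join(root, name)).st_mtime
            except OSError:
                continue  # lock released between listing and stat
            if age < max_age_s:
                return True
    return False

def precompact_decision(dirs, max_age_s=30):
    """Return a block decision dict, or None to allow compaction."""
    for d in dirs:
        if any_recent_lockfile_exists(d, max_age_s):
            return {"decision": "block", "reason": "memory write in flight"}
    return None

if __name__ == "__main__":
    # Directories to check are passed as arguments (assumption), e.g. staging/ and auto-memory/.
    decision = precompact_decision(sys.argv[1:])
    if decision:
        print(json.dumps(decision))
        print(decision["reason"], file=sys.stderr)
        sys.exit(2)
    sys.exit(0)
```

Because only locks younger than the threshold count, a stale lock left by a crashed writer stops vetoing compaction after 30 seconds instead of blocking it indefinitely.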
---
2>/dev/null || true, single-quoted python -c). Switching breaks them. Wait until TITAN's hook layer is normalized via a small wrapper.
--enable-auto-mode for scheduled tasks. Auto-mode is now default-available, but TITAN's scheduled tasks already run unattended through cron/Task Scheduler with explicit allowlists. Adding auto-mode classifier on top adds latency without obvious safety win.
bfs/ugrep. Windows-only platform; doesn't apply.
claude plugin migration. TITAN's skills/agents/hooks live in ~/.claude/. Repackaging as a plugin is a future portability play, not a 2026-Q2 priority.
worktree.baseRef. TITAN doesn't appear to use EnterWorktree/agent-isolation worktrees. Set explicitly only if you start using them.
CLAUDE_CODE_ENABLE_AWAY_SUMMARY / /recap. TITAN's session_start_inject.py already provides session context. Enabling auto-recap risks duplicate context injection.
---
1. PostToolUse hook can replace tool output for all tools (v2.1.121) → enables redacting prompt-injection in Read/WebFetch/WebSearch.
2. PreCompact hook can block compaction (v2.1.105) → safer memory-write/compaction interleaving.
3. PostToolUse hook input now includes duration_ms (v2.1.119) → free per-tool latency telemetry.
All three are hook upgrades on hooks TITAN already runs. Highest ROI / lowest risk patch family in the entire 30-day window.
---
F:/TITAN/plans/claude-code-release-notes-raw-2026-05-09.md
sonar-pro, recency=month, query "claude code release notes april may 2026 changelog new features skills hooks mcp sub-agents"
C:/Users/Harnoor/.claude/settings.json, C:/Users/Harnoor/.claude/CLAUDE.md, C:/Users/Harnoor/.claude/agents/.md (6 agents), C:/Users/Harnoor/.claude/skills//SKILL.md (15 skills), F:/TITAN/scheduled-tasks/ (15 routines), F:/TITAN/hooks/*