Claude Code v2.1.114 — Native Binary Launcher, /fewer-permission-prompts, and 20 New Environment Variables#
Published on April 20, 2026
Part of the Claude Code Version Tracker series. | Official Env Vars | Official Changelog
Claude Code moved from v2.1.107 to v2.1.114 across seven releases, and two shifts stand out[1]. First, v2.1.113 changed the CLI to spawn a native Claude Code binary — shipped as a per-platform optional dependency — instead of running bundled JavaScript through Node. The JS still exists inside the binary, but it is distributed as a native segment rather than a plain-text bundle sitting on disk for anyone to grep. That is a packaging, supply-chain, and security posture shift, not a cosmetic one. Second, v2.1.111 introduced /fewer-permission-prompts (originally announced as /less-permission-prompts — the name was corrected) — a skill that reads your transcripts, finds the read-only Bash and MCP tool calls you keep approving by hand, and proposes a prioritized allowlist for .claude/settings.json. It is the first feature that actually reduces the biggest daily friction point in Claude Code usage. Around those two, the release stretch ships fullscreen TUI rendering, cloud-based /ultrareview, Opus 4.7 xhigh effort, session recap, and 20 new environment variables backing Agent Teams, a proxy auth helper subprocess, and a server-side Advisor tool.
What Changed#
| v2.1.107 | v2.1.114 | |
|---|---|---|
| Environment variables | 230 | 250 (+20) |
| Model IDs | 16 | 17 (+1) |
| Feature gates | 41 | 41 |
| Dynamic configs | 29 | 29 |
| Slash commands | 24 | 24 |
/fewer-permission-prompts — the feature power users have been asking for#
The single highest-value change in this release stretch for anyone who actually lives in Claude Code is /fewer-permission-prompts (v2.1.111). The name shifted during rollout: the v2.1.111 changelog originally introduced it as /less-permission-prompts, then the skill itself was renamed to /fewer-permission-prompts for grammatical correctness. Both forms appear across documentation and settings; the rename is cosmetic.
What it does is mechanical and overdue. The skill scans your conversation transcripts, identifies Bash and MCP tool calls that are read-only (e.g., git status, git log, ls, rg, read-only MCP queries) and that you have repeatedly approved, and then proposes a prioritized allowlist for your project's .claude/settings.json. You approve the list once; those categories stop prompting. The key word is prioritized — the skill doesn't dump 200 entries at you, it ranks by approval frequency so the most valuable allows are first. Pairs directly with v2.1.111's other permission QoL: glob patterns in read-only Bash (ls *.ts) and cd <project-dir> && prefixes no longer trigger prompts, and v2.1.113 extends that to cd <current-directory> && git … no-ops.
Practical flow: run Claude Code for a few sessions, then invoke /fewer-permission-prompts. Review what it suggests — you can reject individual entries — and accept. The prompt volume for the next session drops noticeably.
The native binary launcher — a packaging and security shift#
v2.1.113 changed how the claude CLI actually starts. Before: Node resolved the claude package and ran a bundled JavaScript file. After: the CLI spawns a native Claude Code binary, shipped as a per-platform optional dependency (@anthropic-ai/claude-code-darwin-arm64, -linux-x64, etc.). The binary wraps a Node runtime and the Claude Code JavaScript as a bundled payload. From the user's perspective, nothing changes — claude still works, --help still prints, sessions still resume. Under the hood, three things shift.
Faster cold start. Resolving a native binary and jumping into it is measurably faster than Node resolving a large JS bundle, parsing it, and hitting its entrypoint. Repeatable on your own machine: compare time claude --version before and after.
Smaller and more consistent supply chain. Native binaries per platform replace the "download Node, then download the npm package, then pray about your Node version" loop. The optional-dependency mechanism means only the binary for your platform downloads on install. A Linux x64 user doesn't pull the Darwin arm64 artifact.
Tighter distribution integrity. The JS bundle is inside the binary, not a plain-text file sitting at a predictable path under node_modules. Modifying it no longer means editing a file; it means patching a binary. For enterprises evaluating Claude Code, that tightens the "can someone silently swap out the runtime" threat model. For Anthropic, it makes signing and integrity verification tractable — you sign one binary per platform, not a tree of JS files. It also eliminates a class of accidental break: a stray postinstall hook or a rogue npm package patching Claude Code's JS no longer has an obvious target.
The native-binary REPL layer is the reason five of this release's new env vars exist (CLAUDE_CODE_REPL, CLAUDE_REPL_VARIANT, CLAUDE_CODE_DECSTBM, CLAUDE_CODE_BS_AS_CTRL_BACKSPACE, CLAUDE_CODE_TUI_JUST_SWITCHED). If the cutover causes problems on your setup, CLAUDE_CODE_REPL=0 is the documented escape hatch back to the old path while it exists.
Other User-Facing Highlights#
Rendering and the TUI#
/tui fullscreen(v2.1.110) — flicker-free fullscreen rendering in the same conversation. Built on the native binary's DECSTBM terminal control (CLAUDE_CODE_DECSTBM).- Readline-compatible input:
Ctrl+A/Ctrl+Emove to start/end of the current logical line in multiline input (v2.1.113).Ctrl+Uclears the full buffer,Ctrl+Yrestores (v2.1.111).Ctrl+Lforces full redraw. WindowsCtrl+Backspacedeletes the previous word. - OSC 8 wrapped URLs stay clickable across line wraps (v2.1.113).
- "Auto (match terminal)" theme (v2.1.111) — follows your terminal's dark/light mode.
- Fixes for iTerm2 + tmux tearing, washed-out 16-color palette over SSH/mosh across Ghostty/Kitty/Alacritty/WezTerm/foot/rio/Contour, garbled startup on macOS Terminal.app, missing cursor under
NO_COLOR, and/helpdropping its tab bar at short heights.
/ultrareview, /effort, and Opus 4.7 xhigh#
/ultrareview(v2.1.111) — cloud-based parallel multi-agent code review. No args reviews the current branch;/ultrareview <PR#>fetches and reviews a GitHub PR. v2.1.113 parallelized its checks and added a diffstat + animated launching state.- Opus 4.7 xhigh (v2.1.111) — new effort level between
highandmax./effortopens an interactive slider when called without arguments. Other models fall back tohighwhen xhigh is selected. - Auto mode for Max subscribers with Opus 4.7 (v2.1.111); no longer requires
--enable-auto-mode. v2.1.112 hotfixed "claude-opus-4-7 is temporarily unavailable" in auto mode.
Prompt caching and session continuity#
ENABLE_PROMPT_CACHING_1H(v2.1.108) opts into 1-hour prompt cache TTL on API key, Bedrock, Vertex, and Foundry.FORCE_PROMPT_CACHING_5Mforces the 5-minute TTL.ENABLE_PROMPT_CACHING_1H_BEDROCKis deprecated but still honored.- Session recap (v2.1.108) — returning to a long session gets an auto catch-up summary, manually invokable with
/recap. Extended to telemetry-disabled users (Bedrock, Vertex, Foundry) in v2.1.110. - Subagent stall detection — subagents that stall mid-stream now fail with a clear error after 10 minutes instead of hanging silently (v2.1.113). Tunable via
CLAUDE_ASYNC_AGENT_STALL_TIMEOUT_MS. - Compacting a resumed long-context session no longer fails with "Extra usage is required for long context requests" (v2.1.113).
- MCP concurrent-call timeout — a message for one tool call could silently disarm another's watchdog. Fixed (v2.1.113).
Permissions and security hardening#
- Complements
/fewer-permission-prompts: read-only Bash with glob patterns andcd <project-dir> &&no longer prompts (v2.1.111);cd <current-directory> && git …no-ops are transparent (v2.1.113). sandbox.network.deniedDomains(v2.1.113) blocks specific domains even under a broader wildcardallowedDomains.- macOS:
/private/{etc,var,tmp,home}are now dangerous removal targets underBash(rm:*)allow rules. - Deny rules now match commands wrapped in
env/sudo/watch/ionice/setsid.Bash(find:*)allows no longer auto-approve-exec/-delete. - Bash
dangerouslyDisableSandboxno longer silently skipped the permission prompt. - "Open in editor" hardened against command injection from untrusted filenames (v2.1.110).
Remote Control, SDK, observability#
- Parity pushes:
/context,/exit,/reload-plugins,@-file autocomplete,/extra-usage, and subagent transcript streaming now work from mobile/web Remote Control clients. - Push notification tool (v2.1.110) — Claude can push-notify mobile when Remote Control is enabled and "Push when Claude decides" is on.
- Distributed tracing: SDK/headless sessions read
TRACEPARENT/TRACESTATEfrom env (v2.1.110).OTEL_LOG_RAW_API_BODIES(v2.1.111) emits full request/response bodies as OpenTelemetry log events.
Agent ergonomics#
- Plan files named after your prompt (v2.1.111) —
fix-auth-race-snug-otter.md. - Model discovers built-in slash commands (
/init,/review,/security-review) via the Skill tool (v2.1.108). /modelwarns before mid-conversation switches (v2.1.108) — the next response re-reads history uncached./resumepicker defaults to current directory;Ctrl+Aexpands to all projects.--resume/--continueresurrect unexpired scheduled tasks.- Typo suggestions:
claude udpate→ "Did you meanclaude update?" - LSP diagnostics from before an edit no longer appear after it (v2.1.111).
- v2.1.114 fixed a single bug: a crash in the permission dialog when an Agent Teams teammate requested tool permission.
Windows#
- PowerShell tool progressively rolling out; opt in with
CLAUDE_CODE_USE_POWERSHELL_TOOL(also works on Linux/macOS withpwshon PATH). CLAUDE_ENV_FILEand SessionStart hook env files now apply on Windows (previously no-op).- Drive-letter paths in permission rules are root-anchored and case-insensitive for the drive letter.
New Environment Variables#
| Variable | Likely Purpose |
|---|---|
CLAUDE_CODE_REPL | Boolean toggle for the new native REPL path introduced by v2.1.113's native-binary launcher. Forces on or off regardless of entrypoint detection — the documented escape hatch for pinning to the old JS-launcher behavior while native-binary bugs shake out. |
CLAUDE_REPL_VARIANT | Selects which REPL implementation to load. Multiple variants coexist in the native binary; this key lets Anthropic A/B-test REPL behavior without separate builds. |
CLAUDE_CODE_DECSTBM | Enables DECSTBM (VT100 Set Top and Bottom Margins) for scrolling regions in the TUI. The mechanism behind /tui fullscreen's flicker-free rendering — pins header and input while the middle region scrolls. Falls back to the tengu_marlin_porch gate when unset. |
CLAUDE_CODE_BS_AS_CTRL_BACKSPACE | Treats a bare backspace keypress as Ctrl+Backspace (delete-word). Default: on Windows unless the terminal is mintty or cygwin. Exists because Windows terminals report modifier keys inconsistently. |
CLAUDE_CODE_TUI_JUST_SWITCHED | Set to "fullscreen" immediately after /tui fullscreen. The next render reads it to show a one-time confirmation hint, then clears the flag. |
CLAUDE_CODE_FORCE_FULLSCREEN_UPSELL | Forces the fullscreen TUI upsell prompt past the normal fullscreenUpsellSeenCount cap and the tengu_ochre_hollow gate. Internal test/demo affordance. |
CLAUDE_CODE_ENABLE_PROXY_AUTH_HELPER | Set to "1" to enable the proxy auth helper subsystem. Lets Claude Code shell out to an external program to fetch proxy credentials dynamically — for Kerberos/Negotiate, rotating tokens, or interactive SSO. |
CLAUDE_CODE_PROXY_AUTH_HELPER_TTL_MS | Cache TTL for helper-returned credentials. Parsed as integer milliseconds; zero or negative falls back to default. |
CLAUDE_CODE_PROXY_URL | Full proxy URL, injected into the helper subprocess's environment. Claude-namespaced because the helper protocol is Claude-specific and must not collide with standard HTTPS_PROXY. |
CLAUDE_CODE_PROXY_HOST | Proxy hostname, passed alongside the URL so helpers that route credentials by hostname don't need to re-parse. |
CLAUDE_CODE_PROXY_AUTHENTICATE | Carries the WWW-Authenticate challenge from the proxy into the helper. Enables challenge-response schemes by reading what the proxy actually asked for. |
CLAUDE_ASYNC_AGENT_STALL_TIMEOUT_MS | Default 600,000ms (10 minutes). Directly backs v2.1.113's "subagents that stall mid-stream now fail with a clear error after 10 minutes" changelog bullet. Tune up for long-running research, down for tight CI. |
CLAUDE_BG_BACKEND | Set to "daemon" to route background work through a daemon backend. The code path is wrapped around EIO/EPIPE handling — pipe/socket IPC with graceful degradation. First evidence of a long-running daemon in the Claude Code architecture. |
CLAUDE_CODE_ENABLE_BACKGROUND_PLUGIN_REFRESH | Enables automatic background plugin refresh when the runtime detects updates are needed. Without this, refresh is synchronous and delays session startup. |
CLAUDE_CODE_ENABLE_APPEND_SUBAGENT_PROMPT | Authorizes SDK callers to append a custom string to a subagent's system prompt via options.appendSubagentSystemPrompt. Without this flag, the option is ignored. Capability gate. |
CLAUDE_CODE_ENABLE_EXPERIMENTAL_ADVISOR_TOOL | Enables the experimental Advisor Tool — a server-side tool with its own advisorModel config option. Requires first-party auth; falls back to the tengu_sage_compass2 gate. "Sage" / "Compass" codenames have previously mapped to deep-research capabilities. |
CLAUDE_API_SKILL_DESCRIPTION | Registration hook for the built-in "claude-api" skill that bundles Anthropic SDK docs (Python, TypeScript, Java, Go, Ruby, PHP, C#, curl) plus shared references on models, prompt caching, managed agents, and tool use. Overrides the default skill description. |
CLAUDE_CODE_SYSTEM_PROMPT_GB_FEATURE | Names a GrowthBook feature flag whose value overrides the system prompt — but only when CLAUDE_CODE_REMOTE is set. Anthropic can A/B-test remote-session prompts without shipping new binaries while local sessions stay stable. |
CLAUDE_INTERNAL_ASSISTANT_TEAM_NAME | Passes the current Agent Teams team name (prefixed assistant-) to a spawned child process. Agent Teams surfaces in the binary as "Agent Teams is not yet available on your plan" and "Teammates cannot spawn other teammates." Backs v2.1.114's teammate permission-dialog crash fix. |
CLAUDE_SLOW_FIRST_BYTE_MS | Default 30,000ms. Logs a "Slow first byte: no stream chunk" observability event when the connection opens but produces no chunks within the window. Complements v2.1.107's byte watchdog. |
What These Tell Us#
The native-binary cutover is the seed for the rest of the release. Five of the 20 new env vars (CLAUDE_CODE_REPL, CLAUDE_REPL_VARIANT, CLAUDE_CODE_DECSTBM, CLAUDE_CODE_BS_AS_CTRL_BACKSPACE, CLAUDE_CODE_TUI_JUST_SWITCHED) exist because v2.1.113's new launcher now owns terminal semantics the JS bundle previously punted to libraries. DECSTBM enables fullscreen rendering. The REPL variants let Anthropic ship multiple REPL implementations in one artifact and switch between them via env. The shipped-as-binary model is also a supply-chain tightening: one signed artifact per platform replaces a tree of editable JS files under node_modules, and the optional-dependency mechanism keeps install footprint minimal. Expect more terminal-level features that the Node launcher couldn't easily reach.
/fewer-permission-prompts is a direction, not a one-off. Combine the skill with the v2.1.111 / v2.1.113 permission softenings (glob patterns, cd <project> prefixes, cd <current> no-ops) and the security tightenings (dangerous /private/* paths, deny rules matching sudo/env wrappers, find -exec no longer auto-approved, dangerouslyDisableSandbox re-prompting) and a coherent permission model emerges: reduce friction on things that are actually safe, increase friction on things that are actually dangerous. That is the opposite of the earlier "prompt on everything" posture. The trajectory suggests the read-only/destructive classification is going to keep getting more granular.
Proxy auth became a protocol, not a flag. Five variables (CLAUDE_CODE_ENABLE_PROXY_AUTH_HELPER, CLAUDE_CODE_PROXY_AUTH_HELPER_TTL_MS, CLAUDE_CODE_PROXY_URL, CLAUDE_CODE_PROXY_HOST, CLAUDE_CODE_PROXY_AUTHENTICATE) define a helper-subprocess contract for dynamic proxy credentials. Corporate Kerberos/Negotiate, rotating tokens, and interactive SSO now have a customer-writable integration point. Combined with v2.1.104's OS CA trust default and v2.1.113's sandbox.network.deniedDomains, the enterprise deployment story is being systematically closed out.
Agent Teams is real. CLAUDE_INTERNAL_ASSISTANT_TEAM_NAME, CLAUDE_CODE_ENABLE_APPEND_SUBAGENT_PROMPT, CLAUDE_ASYNC_AGENT_STALL_TIMEOUT_MS, and CLAUDE_BG_BACKEND describe a multi-agent orchestration layer with a two-level hierarchy, stall detection, and an optional daemon backend. v2.1.114's lone changelog bullet — a teammate permission-dialog crash fix — is the first user-visible surface. The Advisor Tool (gated by sage_compass2) plugs a server-side reasoning model into the teammate workflow.
Sources#
- Claude Code Official Changelog — v2.1.108, v2.1.109, v2.1.110, v2.1.111, v2.1.112, v2.1.113, v2.1.114 release notes
This analysis is conducted for independent security research and interoperability purposes under fair use principles. All trademarks belong to their respective owners. The information presented here documents publicly observable behavior of installed software and is not intended to circumvent any technological protection measures, infringe on intellectual property rights, or encourage unauthorized use. Use these findings at your own discretion.
Related Versions#
- Claude Code v2.1.107 — 6 New Environment Variables — Worktrees, away mode, and stream resilience
- Claude Code v2.1.104 — 2 New Environment Variables — Enterprise TLS and SDK OAuth
- Claude Code v2.1.100 — 3 New Environment Variables — context token limits, Perforce VCS, script caps
- Claude Code v2.1.96 — No New Environment Variables — Bedrock auth hotfix
- Claude Code v2.1.94 — 5 New Environment Variables — Mantle auth, MCP sandboxing, team onboarding
Related: Context Window Management Guide | Claude Code Productivity Tips | The Agentic Engineering Playbook