Claude Code 2.1.145 Turns Background Agents Into Observable Infrastructure

Claude Code 2.1.145 is not a headline release. That is exactly why it matters.

The release does not ship a new model, a flashy demo, or a sweeping “future of software” manifesto. Instead, Anthropic added claude agents --json, agent lineage fields in OpenTelemetry spans, GitHub and pull-request metadata in status-line JSON, richer plugin inspection before install, awaiting-input counts in terminal tab titles, and a fix for a Bash permission-prompt bypass involving bare environment-variable assignments. In other words: the product team is doing the work that happens after the demo, when background agents stop being a neat trick and start becoming infrastructure.

That is the right center of gravity. Autonomous coding agents become useful when they can run unattended. They become deployable only when operators can inspect what is running, who spawned it, which tools it called, which plugin introduced the capability, and where the permission boundary actually sits. Claude Code 2.1.145 is a control-plane release wearing patch-note clothing.

JSON is the quiet feature teams will actually use

The new claude agents --json command lists live Claude sessions in machine-readable form. The release notes explicitly call out scripting use cases such as tmux-resurrect, status bars, and custom session pickers. That sounds small until you have more than one long-running agent, more than one repository, and more than one blocked task waiting for human input.

Terminal UIs are fine for an individual developer watching a single session. They are a liability once agent work becomes a queue. Teams need to answer operational questions quickly: which agents are still running, which ones are waiting for approval, which repo are they touching, which task is stalled, and which session should be resumed after a machine restart? JSON output is boring in the exact way production tooling should be boring. It lets teams build status bars, dashboards, watchdogs, restore flows, and “who needs input?” views without scraping a TUI like it is 2009.

The adjacent tab-title change points in the same direction. Showing the awaiting-input count in claude agents terminal tabs is not glamorous, but it acknowledges the real workflow: a developer may have several agents running while working elsewhere. If an alt-tabbed session needs attention, the interface should say so. Background work only saves time if the human can tell when the background worker is blocked.

Trace lineage is where demos become postmortems

The deeper change is observability. Claude Code now adds agent_id and parent_agent_id attributes to claude_code.tool OpenTelemetry spans, and Anthropic fixed trace parenting so background subagent spans nest under the dispatching Agent tool span. That is the difference between “Claude did something” and “this specific agent, spawned by that parent session, called this tool in this execution chain.”

That distinction matters when something goes wrong. Without lineage, an incident timeline collapses into vibes: a model suggested an edit, a shell command ran, a plugin might have been involved, and someone probably approved something. With lineage, operators can connect the dispatching agent, subagent, tool call, MCP connector, GitHub action, and permission prompt into a single chain of evidence. That is what security teams, platform teams, and engineering managers need before unattended agent work can move from personal productivity into shared engineering systems.

OpenTelemetry is the right substrate because it already fits how serious teams watch distributed systems. Claude Code’s monitoring documentation describes exporting metrics, events/logs, and optional traces, with administrators able to configure telemetry centrally through managed settings. Adding agent identity to tool spans turns coding-agent work into something that can be joined against the rest of the engineering estate: CI jobs, GitHub events, deployment logs, MCP server logs, endpoint security alerts, and cloud audit trails.

The practical takeaway: if your team is piloting background agents, start capturing these fields now. Do not wait for the first confusing incident. Add agent IDs to your dashboards, retain trace IDs with PR metadata, and make sure high-risk tool calls can be attributed to both a session and a human approval path. You cannot retrofit clean attribution after the fact.

Plugin inspection is becoming a supply-chain control

Version 2.1.145 also makes /plugin Discover and Browse screens show a plugin’s commands, agents, skills, hooks, and MCP/LSP servers before installation. That is a meaningful step away from “install this useful thing” and toward “inspect this capability bundle.”

That framing is important because Claude Code plugins are not browser themes. A plugin can introduce commands, skills, agents, hooks, MCP servers, language-server behavior, settings, and sometimes access paths to external systems. If a team treats plugin install as a cosmetic choice, it will eventually import a policy decision through the side door. What commands does this expose? Does it add hooks that run at sensitive moments? Does it ship or configure an MCP server with credentials? Does it alter language-server behavior in a way that changes context or code actions? Does it increase token load every turn? Those are review questions, not preference questions.

This release does not solve plugin supply-chain security by itself. It does something more modest and more useful: it makes hiding less acceptable. Once the interface shows capability surfaces before install, teams can turn that into process. Require plugin review for shared repos. Record plugin origin and version. Prefer least-privilege MCP credentials. Keep an allowlist for approved plugins. Treat hooks and MCP servers as higher-risk than passive skills. The tooling is finally giving teams enough metadata to stop pretending plugin governance is impossible.

The Bash fix is the line item security teams should not skip

The most important security note in the release may be the least marketable one: Claude Code fixed a permission-prompt bypass where bare variable assignments to non-allowlisted environment variables in Bash commands were auto-approved. Shell syntax is full of sharp edges, and agent permission systems live exactly at those parser boundaries.

It is tempting to dismiss this as a narrow bug. Do not. If an agent can run shell commands, then command classification is a security boundary. Environment assignments, redirects, subshells, aliases, command substitutions, shell built-ins, and platform-specific separators all become places where a policy engine can misunderstand intent. A permission model that works only for clean, documented examples is not a permission model; it is a demo script.

Teams should upgrade, then test ugly shell forms against their own policy expectations. Try bare assignments, chained commands, subshells, redirects, unusual quoting, Windows PowerShell separators, and commands that look harmless but alter execution context. The goal is not to break the tool for sport. The goal is to learn whether your allowlist matches the shell your agents actually use.

The broader pattern is clear. Recent Claude Code changelog entries are dominated by agent view, background sessions, plugin dependencies, MCP reliability, permission persistence, telemetry, and state restoration. That is what a product looks like when users stop asking “can it write code?” and start asking “can we operate it?” Claude Code’s repository was already well past 125,000 stars at research time, but stars are not the signal here. The signal is that the boring operational requests are now driving the roadmap.

The editorial take: Claude Code 2.1.145 is a good release because it makes agent work less magical. Magic is impressive in a launch video. In production, magic is what you call a system when you cannot explain the outage. Background agents need JSON state, trace lineage, plugin inspection, permission hardening, and boring affordances that tell humans when work is blocked. This release moves in that direction.

Sources: Claude Code GitHub release v2.1.145, Claude Code changelog, Claude Code monitoring docs, Claude Code agent view docs