Claude Code 2.1.162 Fixes the Boring Runtime Edges That Decide Whether Background Agents Are Trustworthy

Claude Code 2.1.162 is the kind of release that will not trend unless it breaks. That is usually a compliment. The release does not introduce a new model, a cinematic workflow name, or a feature you can screenshot for LinkedIn. It fixes the runtime seams where coding agents either become trustworthy tools or expensive interns with shell access.

The short version: Anthropic shipped v2.1.162 on June 3 at 21:31 UTC, and the changelog is mostly about permission precedence, background-agent state, MCP timeout behavior, Windows path matching, SDK interrupts, and operational visibility. That sounds like plumbing because it is. But plumbing is what decides whether a team can run background agents against real repositories without building a shrine to luck.

The most important fix is also the least glamorous: explicit WebFetch(domain:...) deny, ask, and allow rules now take precedence over Claude Code’s built-in preapproved-host auto-allow list. GitHub issue #64610 described the failure mode plainly: a user could configure a deny rule, but Claude Code could still fetch certain preapproved domains such as Anthropic-owned or GitHub-hosted URLs. That is not a “small edge case.” That is a policy engine violating the mental model of the operator.

Explicit deny has to mean explicit deny

Permission systems are only useful when they are boringly literal. If a user says “deny this domain,” the runtime cannot quietly decide that a product-maintained allowlist is more authoritative. The domains involved may be benign, but the precedent is not. Security controls fail most dangerously when the UI and the runtime disagree: the operator thinks they configured a hard boundary, while the tool has a convenience exception tucked underneath.

This is especially important for WebFetch because fetching is not just browsing. In an agent workflow, fetched content can become context, instructions, code snippets, dependency guidance, or justification for later tool use. If a team is testing network-deny policies for sensitive work, they need confidence that the agent will not route around them because a host is “normally safe.” The correct hierarchy is simple: local explicit policy beats product defaults. v2.1.162 moves Claude Code back toward that rule.

The Windows permission fixes belong in the same bucket. Claude Code now handles backslashes, ~\, UNC paths like \\server\share, and case variants more correctly, while Read deny rules now hide files from Glob and Grep results. That last part matters. A denied file that still appears in search output may not be directly readable, but the file name, path, and surrounding structure can leak useful information. In a regulated monorepo, “the agent can infer that file exists” is not the same as “no exposure.”

Background agents need machine-readable state, not vibes

The other major signal in this release is claude agents --json gaining waitingFor. That field lets automation see what a waiting background session is blocked on, including permission prompts. It is a small API surface with outsized consequences: dashboards, wrappers, cron jobs, and internal agent managers can now distinguish “still computing” from “stuck waiting for a human.”

That distinction is how agent operations become manageable. Without it, teams either over-poll, abandon runs too early, or let zombie sessions burn time until someone notices. With it, you can build sane review queues: this session is blocked on a permission prompt; this one is running; this one failed; this one needs a reply. For individual developers, that is convenience. For teams, it is the beginning of an audit trail.

v2.1.162 also fixes background-session delivery problems that are less photogenic but more operationally serious: failed service startup no longer silently loses conversations, failed replies get queued for later delivery, first attach after service restart is fixed, deep CLAUDE_CODE_TMPDIR or $TMPDIR paths no longer break SendMessage, and attach to running background sessions is faster. These are not merely UX bugs. A lost conversation or dropped reply can cause duplicated migrations, repeated commands, inconsistent patches, or missing evidence during review.

There is a useful comparison here to ordinary distributed systems. Nobody trusts a job runner because its happy path is elegant. They trust it because retries are visible, failures are durable, state is inspectable, and interrupts work. Background coding agents are job runners with a language model in the loop. They need the same boring guarantees.

MCP flakiness is governance debt

The MCP timeout fix is another practical one. The release corrects semantics around per-server timeout values below 1000 ms: they are no longer floored into a one-second watchdog that aborts every tool call. Instead, those too-low values are ignored and Claude Code falls back to MCP_TOOL_TIMEOUT or the default behavior, with claude mcp get annotating the situation.

That sounds like a footnote until you run MCP servers in anger. MCP is rapidly becoming the connector layer for issue trackers, databases, browsers, internal tools, cloud APIs, and other agents. A connector that mysteriously dies at roughly 1001 ms trains developers to do the wrong thing: retry blindly, over-permit, paste data manually into chat, or bypass the governed connector entirely. Flaky governance is not governance. It is a tax that users eventually evade.

The fix also sends a message to teams building MCP servers: test latency as part of the contract. A local demo server that returns instantly tells you almost nothing about the tool once it sits behind corporate networking, OAuth refresh, database warmup, or a slow SaaS API. Document expected response times. Test on the exact Claude Code version your team runs. Verify timeout behavior before the connector becomes part of a production workflow.

Other bullets reinforce the same direction. --tools now honors explicit Grep and Glob entries on native builds with embedded search, instead of silently ignoring those names. /effort now confirms when the selected effort level persists as the default for new sessions, which matters when effort is effectively a cost and latency control. Slash-command autocomplete now fills the command into the prompt rather than executing it immediately. Selection is not execution. That is a good default for a tool whose whole job is to sit near sharp objects.

The SDK path got its own safety fix: pressing Esc at the start of a turn no longer gets silently dropped in stream-json and SDK sessions. Interrupts are part of the control plane. If the human or wrapper says stop, the runtime should hear it, especially before a turn has acquired momentum.

Practitioners should treat this release less like a casual upgrade and more like a regression-test prompt. After updating, test the controls you depend on. Create a WebFetch deny rule for a normally trusted domain and confirm it wins. Test Windows-style paths if your fleet includes Windows developers. Run an MCP tool that takes longer than one second. Exercise SDK interrupts. Kill and restart the background service, then attach, reply, and confirm messages survive. Check whether your automation can consume waitingFor and route blocked sessions to humans instead of letting them idle.

The broader market lesson is that the coding-agent race is moving out of the benchmark screenshot phase. Codex, Cursor, Copilot, Antigravity, Claude Code, and local stacks will keep trading model headlines. The lasting difference is the harness: permission precedence, observability, MCP behavior, background recovery, secret redaction, interrupt semantics, and whether the tool does what the operator thinks it does. Claude Code 2.1.162 is not flashy. That is exactly why it matters.

Sources: Anthropic Claude Code v2.1.162 GitHub release, Claude Code security docs, Claude Code monitoring docs, Claude Code MCP docs, GitHub issue #64610, GitHub issue #62121