Claude Code v2.1.113 Fixes the Stuff That Breaks Trust in an Agent Terminal

Claude Code v2.1.113 is the kind of release that product marketing usually struggles to love. There is no dramatic new model, no shiny interface reset, no benchmark chart meant to melt your frontal lobe. Instead, Anthropic spent this release hardening the sort of edge cases that quietly determine whether a coding agent feels like trustworthy infrastructure or a clever assistant that falls apart the moment real work gets messy.

That distinction matters more now than it did a few months ago. Coding agents are moving out of the novelty phase, where people mostly judge them by how impressive the first 15 minutes feel, and into the operational phase, where teams notice whether permissions are predictable, subagents fail cleanly, remote clients behave coherently, and long-running sessions survive the boring hazards of actual engineering. v2.1.113 is a release about those hazards.

The biggest architectural change is easy to overlook because it is buried in a bullet point. Anthropic says the CLI now spawns a native Claude Code binary through a per-platform optional dependency instead of bundled JavaScript. That is not a cosmetic packaging tweak. It suggests Anthropic is continuing to treat Claude Code less like a thin Node-based developer utility and more like a serious cross-platform terminal product where startup behavior, runtime consistency, and distribution control matter enough to justify a different execution model.

The security and trust fixes are even more revealing. Anthropic added sandbox.network.deniedDomains, which lets users block specific domains even when a broader wildcard would otherwise allow them. It hardened Bash deny-rule matching so wrappers like env, sudo, watch, ionice, and setsid no longer help commands slip past intent-based rules. It also stopped Bash(find:*) allow rules from auto-approving find -exec and -delete, and fixed a bug where dangerouslyDisableSandbox could run commands outside the sandbox without a permission prompt.

Those are not nice-to-have patches. They are trust patches. Agent terminals live or die on whether users believe the guardrails mean what they say. If wrapper commands can evade deny rules, if destructive find actions get waved through because they superficially match a safe pattern, or if a so-called dangerous mode behaves more dangerously than advertised, users stop treating the system as a tool and start treating it as an incident source.

Anthropic is fixing the social layer of trust too

One of the most interesting bullets in the release fixes a UI-spoofing vector: multi-line Bash commands whose first line was a comment now show the full command in the transcript. That sounds tiny until you think about how people audit AI actions in terminals. They skim. They anchor on what is visible. If the transcript can be made to present an innocent-looking comment while obscuring the real command, you do not just have a formatting bug, you have a trust-model failure. Anthropic closing that gap is a sign the company understands that agent safety is partly about interface honesty, not just sandbox rules.

The same pattern shows up elsewhere. Subagents that stall mid-stream now fail with a clear error after ten minutes instead of hanging silently. Remote Control sessions now stream subagent transcripts correctly and archive on exit. Session recap no longer auto-fires while a user is composing unsent text. Compacting a resumed long-context session no longer dies with an “Extra usage is required for long context requests” error. These are all fixes to moments where the user’s mental model and the product’s behavior had drifted apart.

That drift is poison for tools people rely on all day. Silent stalls are worse than visible failures because users cannot tell whether they should wait, retry, or distrust the output already produced. Misattributed messages make collaborative review harder. Unexpected prompts or missing prompts train users to ignore the permission system. Anthropic is basically paying down ambiguity debt here.

The MCP and remote-control fixes show where Claude Code is actually being used

The concurrency fix for MCP tool calls is especially telling. Anthropic says it fixed a case where a message for one concurrent tool call could silently disarm another call’s watchdog timeout. That is not an issue you discover in a toy prompt. It is the kind of failure that appears when people have started wiring Claude Code into real tool ecosystems with overlapping operations, longer execution paths, and enough complexity that one timing bug can make another part of the workflow look haunted.

Likewise, the Bedrock-specific Opus 4.7 fix, the Remote Control improvements, and the /extra-usage support from mobile and web clients all point to a product being exercised far beyond the simplest local-terminal path. Claude Code is increasingly a multi-surface system: local CLI, remote sessions, subagents, MCP tools, cloud provider variants, and long-context workflows. That is useful. It is also exactly where reliability problems multiply.

This is why the native-binary change may matter more than it first appears. As a product grows from “developer convenience” into “agent operating surface,” the tolerance for runtime weirdness drops. Distribution, startup predictability, platform-specific behavior, and performance characteristics become product issues, not packaging trivia. Anthropic seems to be acting accordingly.

The competitive frontier is moving down-stack

There is a broader lesson in releases like this. The next phase of competition among coding agents will not be won solely by whichever model writes the prettiest function on day one. It will be won by the stack that best survives interruption, permissions complexity, tool concurrency, long-lived context, and remote usage patterns without making users feel like they are beta-testing during business hours.

That is where v2.1.113 lands. It improves /ultrareview launch speed and diff visibility, keeps wrapped URLs clickable, cleans up multiline input ergonomics, and fixes table-copy formatting for Slack, Notion, and GitHub. None of these items is individually headline-worthy. Together, they say Anthropic is tuning Claude Code for people who actually live in it. That is what mature developer tooling looks like: less magic, more friction removal.

There is still a cautionary read. A release this dense with permission, transcript, remote-control, MCP, and long-context fixes is also a reminder that Claude Code remains moving infrastructure. Teams rolling it out broadly should keep versions pinned where possible, review changelogs with the same seriousness they apply to CI or deployment tooling, and test policy assumptions explicitly rather than trusting names like “dangerouslyDisableSandbox” to mean exactly what they intuitively sound like.

What should practitioners do now? First, if you rely on Claude Code in shared or semi-automated workflows, audit your sandbox and Bash policy configuration, especially around wrappers, find, and domain-level network access. Second, test stalled-subagent behavior and MCP concurrency in your real environment rather than assuming happy-path demos reflect your operational reality. Third, pay attention to the native-binary shift because it may affect packaging, fleet management, and debugging expectations in managed environments.

The important thing about this release is not that Anthropic added a pile of fixes. It is what those fixes say about the product’s phase change. Claude Code is no longer just trying to impress developers. It is trying to earn the much harder label of dependable.

Sources: GitHub Releases, GitHub Releases API, v2.1.112, v2.1.111