Claude Code v2.1.149 Makes Agent Usage and Sandbox Boundaries Auditable

Claude Code’s most important May 22 change is not a model upgrade, a new demo, or another promise that agents will write the boring parts for you. It is a usage screen and a set of sandbox fixes. That sounds like a footnote until you remember what coding agents are becoming: long-running processes with repo access, shell access, MCP connectors, plugins, subagents, and enough autonomy to turn a small permission mistake into a very large afternoon.

Version 2.1.149, published at 22:09 UTC, lands right after a busy Claude Code week. Version 2.1.147 made /code-review --comment a more real pull-request workflow. Version 2.1.148 quickly fixed a Bash regression where some users saw every command return exit code 127. Now 2.1.149 moves the conversation from “can the agent do useful work?” to “can the team see what the agent is costing, touching, and trusting?” That is the right question. It is also the one most agent tooling still tries to answer with vibes.

Usage limits are now a debugging surface

The visible product change is /usage breaking limit consumption down by category: skills, subagents, plugins, and per-MCP-server cost. That matters because agent costs are rarely caused by one obvious thing. A long session may be expensive because the model is reasoning heavily, because a subagent is looping, because a plugin is injecting too much context, or because an MCP server is returning payloads that should have been filtered two API calls earlier.

Without attribution, users blame the subscription. With attribution, teams can debug the workflow. If one MCP server is consistently expensive, you can redesign the tool contract, narrow responses, add pagination, or put a cheaper summarization step in front of it. If subagents are eating the budget, you can limit fan-out or require more precise goals. If a plugin is noisy, you can remove it from the default profile. The point is not merely saving money. The point is making agent behavior observable enough that engineering judgment can apply.

This is where agentic coding starts to look less like chat and more like operations. The same way cloud bills forced teams to care about per-service attribution, AI-agent bills will force teams to care about per-tool and per-workflow attribution. “Claude ran out again” is not a useful incident report. “The Kubernetes MCP server consumed half the session limit because it dumped every pod event into context” is something you can fix.

The sandbox bug class nobody should hand-wave

The security fixes in 2.1.149 are more interesting than the UI. Anthropic fixed a PowerShell permission bypass where built-in directory-changing helpers such as cd.., cd\, cd~, and drive switches like X: could change working directory without the permission layer detecting it. That creates a nasty class of failure: the user believes the agent is operating inside an approved workspace, while the shell state has quietly moved somewhere else.

For normal terminal use, that is just shell trivia. For an agent, it is a boundary condition. A later file read or command may look harmless in isolation, but its meaning depends on current directory state. If the permission analyzer’s model of PWD, OLDPWD, or DIRSTACK is stale after cd, pushd, or popd, the agent can reason from one filesystem location while the shell executes in another. That is not a theoretical concern. It is exactly the kind of “how did it read that?” bug that makes teams distrust agent sandboxes.

The git-worktree fix points at the same maturity curve. Worktrees are becoming the standard safety pattern for coding agents: isolate the agent’s edits, inspect the diff, then merge deliberately. But worktrees share repository internals. Claude Code’s write allowlist now avoids covering the entire main repository root and instead constrains access to the shared .git directory, while denying sensitive areas like hooks/ and config. Good. A worktree sandbox that can mutate hooks or config in the main repo is not a sandbox; it is a reassuring folder name.

Cloud MCP connectors need an owner, not enthusiasm

Version 2.1.149 also adds an enterprise managed setting, allowAllClaudeAiMcps, which loads claude.ai cloud MCP connectors alongside managed-mcp.json. This is useful, but it should make administrators pause. MCP is where agents stop being code-generation assistants and start becoming actors connected to live systems: docs, issue trackers, metrics, databases, internal APIs, and sometimes production-adjacent tools.

The right rollout pattern is boring and strict: inventory every connector, document what data it can access, assign an owner, log usage, and watch the new per-MCP usage attribution for noisy or unexpectedly expensive tools. Do not turn on every connector because the setting exists. Tool surface area is attack surface area, cost surface area, and context-pollution surface area. The companies that get value from MCP will not be the ones with the most connectors. They will be the ones whose connectors return the smallest useful amount of truth at the right time.

The release also includes fixes that fit the same operational theme: PowerShell prefix and wildcard allow rules now pre-approve native executables and scripts correctly; a macOS find issue that could exhaust file/vnode tables on large directory trees was fixed; /feedback now includes conversation before context compaction, which should make long-session bugs easier to diagnose; terminal freezes around managed-settings approval dialogs were addressed; and local resume names now update after mobile or claude.ai renames.

None of this is demo-friendly. All of it is adoption-friendly. A senior engineer evaluating Claude Code should spend less time asking whether it can produce a clever refactor and more time asking whether usage, permissions, worktrees, MCP, and resume state behave predictably under stress.

The practical checklist is straightforward: upgrade in a disposable repo first; test PowerShell directory changes and drive switches; create a canary file outside a worktree and verify the agent cannot write it; inspect whether .git/hooks and config are protected; enable cloud MCP connectors only through a managed profile; and capture /usage before and after a representative task. If one server, plugin, or subagent dominates consumption, fix the workflow before blaming the model.

Claude Code v2.1.149 is not a glamorous release. It is better than that. It treats cost accounting and sandbox boundaries as product surfaces. That is what has to happen for coding agents to become team infrastructure instead of expensive terminal toys with good autocomplete energy.

Sources: Claude Code v2.1.149 release notes, Claude Code v2.1.147, Claude Code v2.1.148, Claude Code repository