Claude Code 2.1.98 - リリースノート

日本語サマリー

以下は Claude Code 2.1.98 のリリースノートの要約です。

⚠️ 破壊的変更およびセキュリティ修正

• セキュリティ修正: バックスラッシュでエスケープされたフラグが読み取り専用として自動許可され、任意のコード実行につながる Bash ツールの権限バイパスを修正。
• セキュリティ修正: 複合 Bash コマンドにより、安全チェックや明示的な確認ルールが強制プロンプトを回避できてしまう問題を修正。
• セキュリティ修正: /dev/tcp/... や /dev/udp/... へのリダイレクトが自動許可されていた問題を修正し、確認を要求するように変更。
• セキュリティ: Linux環境において、CLAUDE_CODE_SUBPROCESS_ENV_SCRUB 設定時のPID名前空隔離によるサブプロセスのサンドボックス化と、セッションごとのスクリプト実行回数を制限する CLAUDE_CODE_SCRIPT_CAPS 環境変数を追加。

🚀 新機能と主な変更点

• Google Vertex AI セットアップ: GCP認証やプロジェクト設定などをガイドするインタラクティブなセットアップウィザードを追加。
• Perforce対応: CLAUDE_CODE_PERFORCE_MODE 環境変数を追加。設定時、読み取り専用ファイルの編集時に p4 edit のヒントを表示し、暗黙的な上書きを防ぐ。
• バックグラウンドスクリプト監視: バックグラウンドスクリプトからのイベントをストリーミングする Monitor ツールを追加。
• エージェント管理の改善: /agents コマンドがタブレイアウトになり、実行中のサブエージェントの確認や、新しいエージェントの実行が可能に。
• 権限管理の修正: --dangerously-skip-permissions が意図せず accept-edits モードにダウングレードされていた問題を修正。

🛠️ その他の重要な修正と改善

• ストリーミングの安定性: ストリーミング応答が停止した際、タイムアウトではなく非ストリーミングモードへのフォールバックが正常に行われるよう修正。
• リトライ処理の改善: HTTP 429エラー（レート制限）時のリトライが短時間で消費される問題を修正し、指数バックオフを適用。
• 権限設定の即時反映: permissions.additionalDirectories の変更がセッション途中で即座に適用されるよう修正。
• MCP設定: sandbox.network.allowMachLookup が macOS で正常に機能しない問題や、MCP OAuthのトークンリフレッシュ問題を修正。
• 各種UI/UX改善: /resume フィルターの改善、Vimモードの操作向上 (j/k での履歴移動)、プラグインスキルを再起動なしで読み込む /reload-plugins の改善など。

原文（Release Notes）

What's changed

• Added interactive Google Vertex AI setup wizard accessible from the login screen when selecting "3rd-party platform", guiding you through GCP authentication, project and region configuration, credential verification, and model pinning
• Added CLAUDE_CODE_PERFORCE_MODE env var: when set, Edit/Write/NotebookEdit fail on read-only files with a p4 edit hint instead of silently overwriting them
• Added Monitor tool for streaming events from background scripts
• Added subprocess sandboxing with PID namespace isolation on Linux when CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is set, and CLAUDE_CODE_SCRIPT_CAPS env var to limit per-session script invocations
• Added --exclude-dynamic-system-prompt-sections flag to print mode for improved cross-user prompt caching
• Added workspace.git_worktree to the status line JSON input, set whenever the current directory is inside a linked git worktree
• Added W3C TRACEPARENT env var to Bash tool subprocesses when OTEL tracing is enabled, so child-process spans correctly parent to Claude Code's trace tree
• LSP: Claude Code now identifies itself to language servers via clientInfo in the initialize request
• Fixed a Bash tool permission bypass where a backslash-escaped flag could be auto-allowed as read-only and lead to arbitrary code execution
• Fixed compound Bash commands bypassing forced permission prompts for safety checks and explicit ask rules in auto and bypass-permissions modes
• Fixed read-only commands with env-var prefixes not prompting unless the var is known-safe (LANG, TZ, NO_COLOR, etc.)
• Fixed redirects to /dev/tcp/... or /dev/udp/... not prompting instead of auto-allowing
• Fixed stalled streaming responses timing out instead of falling back to non-streaming mode
• Fixed 429 retries burning all attempts in ~13s when the server returns a small Retry-After — exponential backoff now applies as a minimum
• Fixed MCP OAuth oauth.authServerMetadataUrl config override not being honored on token refresh after restart, affecting ADFS and similar IdPs
• Fixed capital letters being dropped to lowercase on xterm and VS Code integrated terminal when the kitty keyboard protocol is active
• Fixed macOS text replacements deleting the trigger word instead of inserting the substitution
• Fixed --dangerously-skip-permissions being silently downgraded to accept-edits mode after approving a write to a protected path via Bash
• Fixed managed-settings allow rules remaining active after an admin removed them, until process restart
• Fixed permissions.additionalDirectories changes not applying mid-session — removed directories lose access immediately and added ones work without restart
• Fixed removing a directory from additionalDirectories revoking access to the same directory passed via --add-dir
• Fixed Bash(cmd:*) and Bash(git commit *) wildcard permission rules failing to match commands with extra spaces or tabs
• Fixed Bash(...) deny rules being downgraded to a prompt for piped commands that mix cd with other segments
• Fixed false Bash permission prompts for cut -d /, paste -d /, column -s /, awk '{print $1}' file, and filenames containing %
• Fixed permission rules with names matching JavaScript prototype properties (e.g. toString) causing settings.json to be silently ignored
• Fixed agent team members not inheriting the leader's permission mode when using --dangerously-skip-permissions
• Fixed a crash in fullscreen mode when hovering over MCP tool results
• Fixed copying wrapped URLs in fullscreen mode inserting spaces at line breaks
• Fixed file-edit diffs disappearing from the UI on --resume when the edited file was larger than 10KB
• Fixed several /resume picker issues: --resume <name> opening uneditable, filter reload wiping search state, empty list swallowing arrow keys, cross-project staleness, and transient task-status text replacing conversation summaries
• Fixed /export not honoring absolute paths and ~, and silently rewriting user-supplied extensions to .txt
• Fixed /effort max being denied for unknown or future model IDs
• Fixed slash command picker breaking when a plugin's frontmatter name is a YAML boolean keyword
• Fixed rate-limit upsell text being hidden after message remounts
• Fixed MCP tools with _meta["anthropic/maxResultSizeChars"] not bypassing the token-based persist layer
• Fixed voice mode leaking dozens of space characters into the input when re-holding the push-to-talk key while the previous transcript is still processing
• Fixed DISABLE_AUTOUPDATER not fully suppressing the npm registry version check and symlink modification on npm-based installs
• Fixed a memory leak where Remote Control permission handler entries were retained for the lifetime of the session
• Fixed background subagents that fail with an error not reporting partial progress to the parent agent
• Fixed prompt-type Stop/SubagentStop hooks failing on long sessions, and hook evaluator API errors showing "JSON validation failed" instead of the real message
• Fixed feedback survey rendering when dismissed
• Fixed Bash grep -f FILE / rg -f FILE not prompting when reading a pattern file outside the working directory
• Fixed stale subagent worktree cleanup removing worktrees that contain untracked files
• Fixed sandbox.network.allowMachLookup not taking effect on macOS
• Improved /resume filter hint labels and added project/worktree/branch names in the filter indicator
• Improved footer indicators (Focus, notifications) to stay on the mode-indicator row instead of wrapping at narrow terminal widths
• Improved /agents with a tabbed layout: a Running tab shows live subagents, and the Library tab adds Run agent and View running instance actions
• Improved /reload-plugins to pick up plugin-provided skills without requiring a restart
• Improved Accept Edits mode to auto-approve filesystem commands prefixed with safe env vars or process wrappers
• Improved Vim mode: j/k in NORMAL mode now navigate history and select the footer pill at the input boundary
• Improved hook errors in the transcript to include the first line of stderr for self-diagnosis without --debug
• Improved OTEL tracing: interaction spans now correctly wrap full turns under concurrent SDK calls, and headless turns end spans per-turn
• Improved transcript entries to carry final token usage instead of streaming placeholders
• Updated the /claude-api skill to cover Managed Agents alongside Claude API
• [VSCode] Fixed false-positive "requires git-bash" error on Windows when CLAUDE_CODE_GIT_BASH_PATH is set or Git is installed at a default location
• Fixed CLAUDE_CODE_MAX_CONTEXT_TOKENS to honor DISABLE_COMPACT when it is set.
• Dropped /compact hints when DISABLE_COMPACT is set.