docs: Claude Code v2.1.160 - Security prompts, ultracode rename, new Managed Agents API docs

content/CHANGELOG.md

@@ -1,5 +1,35 @@
 # Changelog
 
+## 2.1.160
+
+- Added a prompt before writing to shell startup files (`.zshenv`, `.zlogin`, `.bash_login`) and `~/.config/git/`, which could otherwise lead to unintended command execution
+- `acceptEdits` mode now prompts before writing build-tool config files that grant code execution (`.npmrc`, `.yarnrc*`, `bunfig.toml`, `.bazelrc`, `.pre-commit-config.yaml`, `.devcontainer/`, etc.)
+- Edit no longer requires a separate Read after viewing a file with `grep`: single-file `grep`/`egrep`/`fgrep` commands now satisfy the read-before-edit check
+- Fixed copy-on-select not writing to the Windows clipboard on WSL — now uses PowerShell interop instead of OSC 52, which terminals like MobaXterm don't support
+- Fixed restoring a completed session from `claude agents` dropping chat history and re-running the original prompt
+- Fixed background sessions re-attached after overnight retire losing their conversation and re-running the original prompt
+- Fixed `claude --bg` occasionally failing with "socket missing" when the background daemon was cold-starting on a loaded machine
+- Fixed an issue on Windows where the directory a background session was started in could not be deleted after `claude rm` until the background daemon exited
+- Fixed background agents that resumed work being shown under Completed in the agents list
+- Fixed `claude agents` freezing for several seconds when returning to the session list due to the auto-updater re-checking on every exit
+- Fixed Esc, arrow keys, and typing becoming unresponsive on Windows when attached to a background session or in the agent view while the host is under heavy CPU load
+- Fixed background agents emitting terminal sync-output markers to terminals that don't support them (Apple Terminal, tmux), causing render artifacts when entering a running agent
+- Fixed mouse wheel scrolling prompt history instead of the transcript right after opening a session from the agents list
+- Fixed CJK IME composition appearing at the bottom-left of the screen instead of at the input caret in the `claude agents` view
+- Fixed valid `file:///C:/...` links being rewritten to a broken path on Windows terminals with hyperlink support
+- Fixed voice mode failing to connect when the project directory or branch name contains non-ASCII or special characters
+- Fixed the auto mode unavailability message on third-party providers (Bedrock/Vertex/Foundry) to point to the `CLAUDE_CODE_ENABLE_AUTO_MODE` opt-in instead of incorrectly blaming the model
+- Fixed `/effort ultracode` incorrectly blaming the dynamic workflows setting when the model cannot run xhigh; ultracode is no longer offered on models that do not support it
+- Fixed model-not-found errors suggesting `--model` when running via the SDK or other hosts where the CLI flag doesn't apply
+- Fixed Claude's past replies disappearing from scrollback when resuming a brief mode session with brief mode turned off
+- Fixed vim mode `p` pasting on the line below instead of at the cursor when the register was yanked with `v$`
+- Improved performance of opening recently-inactive background agent sessions in `claude agents`
+- Improved auto mode classifier latency by reducing reasoning on routine actions, lowering the chance of "could not evaluate this action" blocks
+- Improved background-session teardown (`claude rm`/`stop`, idle reap) to send SIGTERM to running shell subprocesses before SIGKILL, so cleanup handlers run
+- Removed `CLAUDE_CODE_OPUS_4_6_FAST_MODE_OVERRIDE`; the environment variable is now a no-op
+- Removed the JetBrains plugin install suggestion from startup
+- Renamed the dynamic-workflow trigger keyword from `workflow` to `ultracode`. The word "workflow" no longer triggers a run; asking for one in your own words still works. The trigger keyword is highlighted in violet in the prompt input
+
 ## 2.1.159
 
 - Internal infrastructure improvements (no user-facing changes)

content/claude-code-manifest.json

@@ -1,12 +1,12 @@
 {
   "name": "@anthropic-ai/claude-code",
-  "version": "2.1.159",
+  "version": "2.1.160",
   "author": {
     "name": "Anthropic",
     "email": "support@anthropic.com"
   },
   "license": "SEE LICENSE IN README.md",
-  "_id": "@anthropic-ai/claude-code@2.1.159",
+  "_id": "@anthropic-ai/claude-code@2.1.160",
   "maintainers": [
     {
       "name": "zak-anthropic",
@@ -73,20 +73,20 @@
     "claude": "bin/claude.exe"
   },
   "dist": {
-    "shasum": "44dcbd716dfb7515f979f995ab76b4ff7d9324f8",
-    "tarball": "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-2.1.159.tgz",
+    "shasum": "98bc18eb6599d920bc3057473fc9f758d74bd1ac",
+    "tarball": "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-2.1.160.tgz",
     "fileCount": 7,
-    "integrity": "sha512-l1Qsa3CamItHIpTgXWEEEPxpfCm3xB9QBfwxcvkk53QNr3HLS6NAkmutVrWusAA38mSwitrcwH3zOdY4qP/VMA==",
+    "integrity": "sha512-CmavoORpVR3UC7dFVfnSla+/FFWvEfzjj/HjnlQ4OMYQcZeuAl+IJ6NmGEbLk9R/5I4MflZKxd7fcG1L1l9ZMQ==",
     "signatures": [
       {
-        "sig": "MEYCIQD0SXo4uuCODoTSSEalYc+lHX06jmYUWZ/XCgNs2XmuiAIhAIg3WXJQYRncbvPazqknFBa51Sc4xH6Rdxf65CO2adMq",
+        "sig": "MEUCIQCAbxAyhIcAGhxgUPXXqPji30yxrip40ohkYczrnSX34gIgOqP2CB8HBbcOad3beLqHSWkIQuYFnlFeItPKZy9/8kQ=",
         "keyid": "SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"
       }
     ],
     "unpackedSize": 145798
   },
   "type": "module",
-  "_from": "file:staged-npm/anthropic-ai-claude-code-2.1.159.tgz",
+  "_from": "file:staged-npm/anthropic-ai-claude-code-2.1.160.tgz",
   "engines": {
     "node": ">=18.0.0"
   },
@@ -98,26 +98,27 @@
     "name": "wolffiex",
     "email": "wolffiex@anthropic.com"
   },
-  "_resolved": "/home/runner/work/claude-cli-internal/claude-cli-internal/staged-npm/anthropic-ai-claude-code-2.1.159.tgz",
-  "_integrity": "sha512-l1Qsa3CamItHIpTgXWEEEPxpfCm3xB9QBfwxcvkk53QNr3HLS6NAkmutVrWusAA38mSwitrcwH3zOdY4qP/VMA==",
+  "_resolved": "/home/runner/work/claude-cli-internal/claude-cli-internal/staged-npm/anthropic-ai-claude-code-2.1.160.tgz",
+  "_integrity": "sha512-CmavoORpVR3UC7dFVfnSla+/FFWvEfzjj/HjnlQ4OMYQcZeuAl+IJ6NmGEbLk9R/5I4MflZKxd7fcG1L1l9ZMQ==",
   "_npmVersion": "11.13.0",
   "description": "Use Claude, Anthropic's AI assistant, right from your terminal. Claude can understand your codebase, edit files, run terminal commands, and handle entire workflows for you.",
   "directories": {},
   "_nodeVersion": "24.16.0",
   "dependencies": {},
   "_hasShrinkwrap": false,
+  "readmeFilename": "README.md",
   "optionalDependencies": {
-    "@anthropic-ai/claude-code-linux-x64": "2.1.159",
-    "@anthropic-ai/claude-code-win32-x64": "2.1.159",
-    "@anthropic-ai/claude-code-darwin-x64": "2.1.159",
-    "@anthropic-ai/claude-code-linux-arm64": "2.1.159",
-    "@anthropic-ai/claude-code-win32-arm64": "2.1.159",
-    "@anthropic-ai/claude-code-darwin-arm64": "2.1.159",
-    "@anthropic-ai/claude-code-linux-x64-musl": "2.1.159",
-    "@anthropic-ai/claude-code-linux-arm64-musl": "2.1.159"
+    "@anthropic-ai/claude-code-linux-x64": "2.1.160",
+    "@anthropic-ai/claude-code-win32-x64": "2.1.160",
+    "@anthropic-ai/claude-code-darwin-x64": "2.1.160",
+    "@anthropic-ai/claude-code-linux-arm64": "2.1.160",
+    "@anthropic-ai/claude-code-win32-arm64": "2.1.160",
+    "@anthropic-ai/claude-code-darwin-arm64": "2.1.160",
+    "@anthropic-ai/claude-code-linux-x64-musl": "2.1.160",
+    "@anthropic-ai/claude-code-linux-arm64-musl": "2.1.160"
   },
   "_npmOperationalInternal": {
-    "tmp": "tmp/claude-code_2.1.159_1780249806665_0.9691747159953097",
+    "tmp": "tmp/claude-code_2.1.160_1780344203067_0.14145242551060178",
     "host": "s3://npm-registry-packages-npm-production"
   }
 }

content/en/agents-and-tools/mcp-tunnels/concepts.md

@@ -0,0 +1,72 @@
+# Architecture and components
+
+Canonical names for the parts of an MCP tunnel deployment, the two credential-provisioning modes, and the connection model.
+
+---
+
+<Note>
+  MCP tunnels are in research preview. [Request access](https://claude.com/form/claude-managed-agents) to try them.
+</Note>
+
+This page defines the terms used throughout the [MCP tunnels](/docs/en/agents-and-tools/mcp-tunnels/overview) documentation. Several components appear under different names in configuration files, container images, and prose; the following tables give one canonical name for each and list the aliases you may encounter.
+
+## Components
+
+| Term | Definition | Also appears as |
+|---|---|---|
+| **Tunnel stack** | The two containers you run inside your network to attach to a tunnel: the proxy and cloudflared. One stack serves one tunnel and can be replicated across hosts for availability. With programmatic access, the setup component runs alongside the stack to provision credentials. | the stack, the MCP tunnel stack, the tunnel deployment, your deployment |
+| **Proxy** | Anthropic's routing component. Terminates inner TLS, validates that upstream IPs fall within an allowed range, and routes each request to an upstream MCP server based on hostname. | `mcp-proxy` (image name, Compose service name, and Helm container name), `mcp-gateway` (container-internal config path `/etc/mcp-gateway/config.yaml` and Helm `gateway.config.*` values prefix) |
+| **cloudflared** | Cloudflare's open-source tunnel connector. Initiates the outbound-only connections from your network to the tunnel edge and carries encrypted traffic between the edge and the proxy. Not related to a Managed Agent. | the outbound connector, the tunnel connector |
+| **Setup component** | The `setup` binary, shipped inside the `mcp-proxy` image. With programmatic access it authenticates over Workload Identity Federation, fetches the tunnel token, generates a CA and server certificate, and registers the CA with Anthropic. Also provides `renew-cert`. | setup Job (the Helm pre-install hook), `setup` service (the Compose profile), setup hook, setup binary, setup CLI |
+| **Tunnel edge** | The Cloudflare edge servers that cloudflared dials out to (IP ranges `198.41.192.0/19` and `2606:4700:a0::/44`, port 7844 TCP and UDP). The tunnel that runs over them is provisioned and controlled by Anthropic; Cloudflare operates the underlying network. | the edge, the Anthropic-operated tunnel edge |
+| **Inner TLS** | A second TLS handshake carried inside the tunnel's plaintext WebSocket stream, between Anthropic's backend and your proxy. The proxy presents a server certificate signed by a CA you registered on the tunnel. Because only you hold the private key, the transport provider cannot read request or response payloads. | the inner TLS handshake |
+| **Upstream MCP server** | An MCP server running in your private network that the proxy routes to. Each upstream is exposed as one subdomain under your tunnel domain. | upstream, routed MCP server, tunneled MCP server |
+
+## Credential provisioning
+
+The tunnel stack needs two credentials at runtime: the **tunnel token**, which authenticates cloudflared's outbound connection, and a **server certificate** signed by a CA registered on the tunnel, which the proxy presents during the inner TLS handshake. There are two ways to supply them, presented throughout this guide as a pair of tabs.
+
+| Mode | How credentials reach the stack | Helm chart name | Tab label |
+|---|---|---|---|
+| **Programmatic access** | The setup component authenticates to the Tunnels API through [Workload Identity Federation](/docs/en/manage-claude/workload-identity-federation), fetches the tunnel token, generates a CA and server certificate locally, and registers the CA. No long-lived secret is copied by hand. Requires a federation rule with the `org:manage_tunnels` scope. | Managed mode (`setup.enabled: true`, the default) | **With programmatic access** |
+| **Manual** | You copy the tunnel token from the Claude Console, generate a CA and server certificate yourself (for example with `openssl`), register the CA in the Console, and supply the token and certificate to the stack as secrets. No setup component runs. | External mode (`setup.enabled: false`) | **Without programmatic access** |
+
+These modes are also referred to as **the programmatic flow** and **the manual flow** in the deploy guides.
+
+## Connection model
+
+Two directions are at work in a tunnel, and they point opposite ways:
+
+- **Connection direction:** cloudflared dials **outbound** from your network to the tunnel edge. Your firewall sees only egress on port 7844; no inbound port is opened.
+- **Request direction:** once that connection is established, MCP requests travel **from Anthropic toward your network** over it, through cloudflared to the proxy, and on to the upstream MCP server.
+
+The phrase "outbound-only" describes the connection, not the requests carried over it.
+
+Inner TLS spans Anthropic's backend and your proxy. cloudflared and the tunnel edge sit between them on the wire but see only ciphertext; the proxy is the first place inside your network where MCP request payloads are readable.
+
+```mermaid
+sequenceDiagram
+  participant A as Anthropic<br/>backend
+  participant E as Tunnel edge<br/>(Cloudflare network)
+  participant C as cloudflared
+  participant P as Proxy
+  participant M as Upstream<br/>MCP server
+
+  note over C,M: Inside your network
+
+  C->>E: 1. Outbound connection (port 7844)
+  note over C,E: Connection stays open.<br/>No inbound port is opened.
+
+  A->>E: 2. MCP request (outer mTLS)
+  E->>C: carried over the open connection
+  C->>P: localhost:8080
+  note over A,P: Inner TLS spans Anthropic backend to proxy.<br/>Terminates at the proxy.
+  P->>M: 3. Route by hostname
+  M-->>P: response
+  P-->>A: response (same path, reversed)
+```
+
+## See also
+
+- [MCP tunnels](/docs/en/agents-and-tools/mcp-tunnels/overview) for the security model and shared-responsibility table.
+- [MCP tunnels reference](/docs/en/agents-and-tools/mcp-tunnels/reference) for proxy configuration fields, certificate requirements, and the setup component.