Claude Code 2.1.126: OAuth that works over SSH, sessions that survive Mac sleep, and a managed-settings security fix

Alex Kim

If you've ever opened your laptop after lunch and watched Claude Code die with a "Stream idle timeout" error mid-stream, or tried to log in over SSH and gotten stuck because the OAuth callback couldn't reach localhost – Claude Code 2.1.126 just fixed both. Plus 31 other things.

Since 2.1.121 shipped four days ago, three releases have followed: a hefty 18-entry 2.1.122, a one-line 2.1.123 hotfix, and today's 33-entry 2.1.126. Anthropic skipped 2.1.124 and 2.1.125 entirely – they don't appear in the public changelog. Total: 52 individual changes since 2.1.121.

This release isn't a feature dump. It's an operational hardening pass. Most of the fixes only matter if you've been bitten by them – and a lot of you have been bitten by these specific ones.

The big one: sessions that survive a Mac sleeping

Three related fixes in 2.1.126 land on the same problem.

Fixed "Stream idle timeout" error after waking Mac from sleep mid-request.

Fixed background and remote sessions falsely aborting with "Stream idle timeout" during long model thinking pauses.

Fixed a hang where the assistant could finish thinking but show no output after a run of empty turns.

If you've been mid-task, closed the lid, walked away, come back, and watched the response just… vanish – that's what was happening. The stream-idle watcher couldn't tell the difference between "the model is thinking hard" (a 90-second extended-thinking pause is normal on Opus 4.7 with high effort) and "the network actually died." So it killed the request.

The same bug bit background tasks and remote-control sessions on long thinking pauses. And the related "thinking finished but no output" hang was the surface symptom of the third case: empty turns making the renderer think nothing was happening.

If you run claude in iTerm/Terminal/tmux, leave it for any meaningful amount of time, or use background mode for long agents – this one alone is the upgrade reason.

OAuth login that actually works in real environments

Five fixes across 2.1.123 and 2.1.126 turn OAuth from the most common new-user blocker into something that actually works on the dev environments people actually use.

The big one: paste the code. From the 2.1.126 entry:

claude auth login now accepts the OAuth code pasted into the terminal when the browser callback can't reach localhost (WSL2, SSH, containers).

If you've ever SSH'd into a remote dev box, run claude auth login, watched a URL print, opened it on your laptop, and then sat there waiting because the callback can't loop back to the remote machine's localhost – yeah. Now the login flow detects that and lets you paste the code directly into the terminal.

This is the single biggest WSL2 / SSH / devcontainer quality-of-life win in months. Anyone running Claude Code on a remote machine, in a container, or inside Codespaces gets a normal login flow now.

The other four:

  • OAuth login on slow or proxied connections, IPv6-only devcontainers (2.1.126). The login was timing out before the browser flow finished. Fixed.
  • Concurrent credential write race (2.1.126). A rare race could clear a valid OAuth refresh token if two processes wrote at the same time. Fixed.
  • "OAuth not allowed for organization" (2.1.126). Was showing the login screen on a permanent loop. Now shows guidance to contact your admin.
  • 401 retry loop with CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS=1 (2.1.123). If you set this env var to opt out of beta features, OAuth was getting stuck in a 401 retry loop. One-line release. Fixed.

Together, these are the kind of fixes that don't make headlines but stop a hundred GitHub issues from being filed.

claude project purge (2.1.126)

New command. Worth knowing about.

claude project purge [path]           # interactive, prompts to confirm
claude project purge --dry-run        # show what would be deleted
claude project purge -y               # skip confirmation
claude project purge --all            # nuke every project's state

Deletes all Claude Code state for a project: transcripts, tasks, file history, config entry. If you've been collecting state from one-off projects, plugin experiments, or the kind of marketing-side automation tinkering some of us do, this gives you a clean way to reclaim it without rooting around in ~/.claude/projects/.

Pair with the claude plugin prune command added in 2.1.121, and Claude Code finally has both halves of "clean up the cruft I generated while experimenting."

Gateway-aware /model picker (2.1.126)

The /model picker now lists models from your gateway's /v1/models endpoint when ANTHROPIC_BASE_URL points at an Anthropic-compatible gateway.

If your team runs an internal proxy in front of the Anthropic API – LiteLLM, an internal gateway, a corporate firewall pass-through – the /model picker now talks to it. Whatever models the gateway exposes, that's what shows up.

Combined with the 2.1.122 Bedrock fix that finally let /model show the Effort option for Bedrock application inference profile ARNs (and pass output_config.effort to those ARNs), enterprise deployments can now use /model and /effort the way the docs say you should.

Two security stories at once

This release rebalanced the security model in two directions on the same day, which is interesting.

Story 1: a silent enforcement bypass got fixed

Security: Fixed allowManagedDomainsOnly / allowManagedReadPathsOnly being ignored when a higher-priority managed-settings source lacked a sandbox block.

If you're an admin running Claude Code with managed settings – the policy mechanism that lets enterprise IT enforce which domains and paths Claude is allowed to touch – this is the most important line in the release. Until now, if a higher-priority managed-settings source (e.g. machine policy) didn't include a sandbox block, the enforcement of allowManagedDomainsOnly / allowManagedReadPathsOnly from a lower-priority source was silently dropped.

Translation: the sandbox you thought was on, wasn't. Patch your fleet.
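A fleet audit for the condition this fix describes, as an added example (not Anthropic's code or the author's): given managed-settings sources ordered highest priority first, it reports any source whose allowManagedDomainsOnly / allowManagedReadPathsOnly sits beneath a higher-priority source that has no sandbox block. The source names, the sample JSON and the nesting of the two keys inside the sandbox block are assumptions.

```python
import json

ENFORCEMENT_KEYS = ("allowManagedDomainsOnly", "allowManagedReadPathsOnly")

def enforcement_flags(node):
    """Return the enforcement keys set to true anywhere inside a sandbox block."""
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ENFORCEMENT_KEYS and value is True:
                found.add(key)
            else:
                found |= enforcement_flags(value)
    elif isinstance(node, list):
        for item in node:
            found |= enforcement_flags(item)
    return found

def find_shadowed_enforcement(sources):
    """sources: list of (name, settings_dict), highest priority first.
    Report each source whose enforcement keys sit below a source with no sandbox block."""
    findings = []
    for i, (name, settings) in enumerate(sources):
        sandbox = settings.get("sandbox")
        flags = enforcement_flags(sandbox) if isinstance(sandbox, dict) else set()
        if not flags:
            continue
        # Higher-priority sources that omit the sandbox block entirely.
        shadowing = [n for n, s in sources[:i]
                     if not isinstance(s.get("sandbox"), dict)]
        if shadowing:
            findings.append({"source": name, "keys": sorted(flags),
                             "shadowed_by": shadowing})
    return findings

# Constructed sample: names, values and key nesting are assumptions.
SAMPLE_SOURCES = [
    ("machine-policy", json.loads('{"env": {"EXAMPLE_VAR": "1"}}')),
    ("managed-file", json.loads("""{
        "sandbox": {
            "network": {"allowManagedDomainsOnly": true},
            "filesystem": {"allowManagedReadPathsOnly": true}
        }
    }""")),
]

if __name__ == "__main__":
    print(json.dumps(find_shadowed_enforcement(SAMPLE_SOURCES), indent=2))
```

Each finding marks a rule that was silently dropped before 2.1.126 and starts applying after the upgrade.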

Story 2: --dangerously-skip-permissions got more permissive

--dangerously-skip-permissions now bypasses prompts for writes to .claude/, .git/, .vscode/, shell config files, and other previously-protected paths (catastrophic removal commands still prompt as a safety net).

If you've been running with --dangerously-skip-permissions (also exposed as claude --auto), you used to still get permission prompts for writes to .claude/, .git/, .vscode/, and shell config files. Now you don't. The flag now does what its name says.

The safety net: catastrophic removal commands (rm -rf, etc.) still prompt regardless. So --dangerously-skip-permissions will let an agent edit your .gitconfig without asking, but won't let it rm -rf .git without asking.

Read the room before turning this on. For solo loops where you trust the agent, it's a productivity win. For shared infra or anything resembling production, the answer is still no.
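Because those writes no longer prompt, one compensating check is to hash the affected paths before an unattended run and compare afterwards. The following is an added example, not part of Claude Code or the original post; the directory names come from the changelog line above, while the list of config file names is an assumed sample.

```python
import hashlib
import os

# Directories named in the changelog entry.
PROTECTED_DIRS = (".claude", ".git", ".vscode")
# Assumed examples of shell/git config files; extend for your environment.
CONFIG_FILES = (".bashrc", ".bash_profile", ".zshrc", ".profile", ".gitconfig")

def is_sensitive(rel_path):
    """True if the path is inside a protected directory or is a config file."""
    parts = rel_path.replace("\\", "/").split("/")
    return any(p in PROTECTED_DIRS for p in parts) or parts[-1] in CONFIG_FILES

def snapshot(root):
    """Map each sensitive regular file under root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Skip symlinks so the audit never reads outside the tree.
            if not is_sensitive(rel) or os.path.islink(full):
                continue
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(before, after):
    """Classify sensitive files as added, removed or modified between runs."""
    shared = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in shared if before[p] != after[p]),
    }

if __name__ == "__main__":
    baseline = snapshot(".")
    input("Run the agent, then press Enter to compare... ")
    print(diff_snapshots(baseline, snapshot(".")))
```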

Telemetry, OTel, and skill authoring (2.1.122 + 2.1.126)

If you write skills or run a Claude Code deployment with observability:

skill_activated event now distinguishes invocation source (2.1.126):

claude_code.skill_activated OpenTelemetry event now fires for user-typed slash commands and carries a new invocation_trigger attribute ("user-slash", "claude-proactive", or "nested-skill").

Three values: a user typed /skill-name, Claude proactively invoked the skill, or another skill nested into this one. If you've been trying to measure which skills get used vs. which Claude reaches for on its own, you can finally tell.

OTel improvements from 2.1.122:

  • Numeric attributes on api_request / api_error log events are now numbers, not strings (no more parsing "42" to 42 in your dashboards).
  • New claude_code.at_mention log event for @-mention resolution.

stop_reason, gen_ai.response.finish_reasons, and user_system_prompt were already added in 2.1.121.

If you don't run OTel, none of this matters. If you do, your dashboards just got better resolution.

Bedrock service tier (2.1.122):

ANTHROPIC_BEDROCK_SERVICE_TIER=priority  # or default, flex

Sent as the X-Amzn-Bedrock-Service-Tier header. If you have priority/flex contracts with AWS, this is how you target them.

Windows + IDE quality-of-life

A bundle of Windows-specific fixes that, taken together, add up to "Windows works":

  • PowerShell 7 detection (2.1.126): now finds PS7 installed via Microsoft Store, MSI without PATH, or .NET global tool.
  • PowerShell as primary shell (2.1.126): when the PowerShell tool is enabled, Claude treats it as primary instead of defaulting to Bash.
  • Clipboard EDR/SIEM exposure fix (2.1.126): clipboard writes no longer expose copied content as command-line arguments visible to telemetry tools. This is a real corporate-environment unlock.
  • CJK rendering (2.1.126): Japanese, Korean, and Chinese text no longer renders as garbled chars on Windows in no-flicker mode.
  • PowerShell -- token fix (2.1.126): bare -- (e.g. git diff -- file) is no longer mis-flagged as the PowerShell --% stop-parsing token.

And one IDE fix that bites cross-platform:

  • Trackpad scrolling in Cursor and VS Code 1.92–1.104 (2.1.126): the integrated terminal was scrolling overly fast. Fixed.

Smaller fixes that bite real workflows

A grab-bag from 2.1.126 worth knowing:

  • Pasting an image >2000px no longer breaks the session – auto-downscaled on paste, oversized images in history removed and the request retried. Pair with 2.1.122's fix for newer-model image resizing (was 2576px, should have been 2000px).
  • Deferred tools in forked-context skills: WebSearch, WebFetch, etc. are now available to skills with context: fork and other subagents on their first turn. Was a real footgun for skill authors.
  • Plan-mode tools work in --channels sessions.
  • /plugin Uninstall now reports "Uninstalled" instead of "Enabled".
  • /remote-control retries now show their actual result instead of getting stuck on "connecting…".
  • Remote Control failure notifications now show the error reason for initial connection failures.
  • Ctrl+L no longer clears prompt input – matches readline behavior.
  • File-modified reminders bounded when a linter touches many files at once.
  • Agent SDK no longer hangs when the model emits a malformed tool name in a parallel tool call batch.
  • API retry countdown no longer sticks at "0s" between attempts.

What 2.1.122 quietly added (that you should know)

If you skipped 2.1.122 in a hurry, these landed:

| Change | Why it matters |
| --- | --- |
| /resume accepts PR URLs (GitHub, GitHub Enterprise, GitLab, Bitbucket) | Paste a PR URL, find the session that created it. Real workflow win. |
| /mcp deduplicates claude.ai connectors hidden by manually-added servers with the same URL, with a hint | Cleans up the duplicate-connector confusion that 2.1.121 partially addressed. |
| /branch fix for rewound timelines | Previously produced forks that failed with "tool_use ids were found without tool_result blocks". Fixed. |
| Vertex AI count_tokens proxy fix | Was returning 400s for users behind proxy gateways. Fixed. |
| /model Effort for Bedrock ARN profiles | Effort wasn't being shown or applied for Bedrock application inference profile ARNs. Fixed. |
| ToolSearch finds late-connecting MCP tools in nonblocking mode | Makes nonblocking MCP startup actually work. |
| !exit / !quit in bash mode | No longer terminates the CLI – runs as a shell command. |
| Image resize ceiling corrected to 2000px | Was 2576px on newer models. Fixed. |
| Malformed hooks entry in settings.json | No longer invalidates the entire file. |

That's a lot for one release. The Vertex count_tokens fix and the /branch fix in particular were blocking real work for some teams.

Three releases at a glance

| Version | Date | Theme | Standouts |
| --- | --- | --- | --- |
| 2.1.126 | May 1 | Hardening (33 changes) | OAuth on SSH/WSL/containers, Mac-sleep recovery, claude project purge, gateway-aware /model, managed-sandbox security fix, --dangerously-skip-permissions widened |
| 2.1.123 | Apr 29 | Hotfix (1 change) | OAuth 401 retry loop fix when CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS=1 is set |
| 2.1.122 | Apr 28 | Enterprise + UX (18 changes) | Bedrock service tier, /resume PR URL search, /mcp connector dedup, Vertex AI fixes, /branch rewound-timeline fix, OTel polish |

2.1.124 and 2.1.125 don't appear in the public changelog. Likely internal builds.

Should you update?

Yes. Three caveats:

  1. If you've been relying on --dangerously-skip-permissions to still prompt for .git/ / .claude/ / .vscode/ / shell config writes, retest your loops. The flag is now more permissive. For most people this is what they wanted, but if your prompt expected those guardrails to be there, they aren't anymore.
  2. If you run managed settings in an enterprise, the allowManagedDomainsOnly / allowManagedReadPathsOnly enforcement fix means previously-bypassed sandbox rules now apply. Audit before rollout in case something was depending on the silent bypass.
  3. If you have OTel pipelines that parsed api_request / api_error numeric attributes as strings, retest after upgrading – they're now emitted as numbers (the right thing, but a parse change).

For everyone else: claude --version to confirm you're on 2.1.126, and move on.

The pattern from 2.1.117 through 2.1.126 is consistent. Anthropic shipped Opus 4.7 on April 17, and the 11 days since have been almost entirely about hardening the runtime around it. Memory leaks, context calculation, OAuth resilience, sleep recovery, managed settings, gateway integration. None of these are flashy. All of them are exactly what a model migration needs.

What's next

If you're getting Claude Code working in a real environment – SSH boxes, devcontainers, behind a corporate proxy, on a Bedrock or Vertex deployment – the 10-episode "Production Claude Code" series is the systematic version of what these releases are quietly enabling. Episode 1 covered the 1M context window. Episode 2 (steering with modes) is up next.

Until then: update, watch your sessions survive a Mac going to sleep, and try claude auth login over SSH if you've been suffering through it. It finally just works.
