# Claude Code v2.1.214 发布：修复权限绕过、添加 EndConversation 工具与多项 Bash 权限检查改进

- 来源：Claude Code：GitHub Releases（RSS）
- 作者：ashwin-ant
- 发布时间：2026-07-18 09:20
- AIHOT 分数：50
- AIHOT 链接：https://aihot.virxact.com/items/cmrpp5dgu0434bisrm2cs33xt
- 原文链接：https://github.com/anthropics/claude-code/releases/tag/v2.1.214

## AI 摘要

Claude Code v2.1.214 修复了 Windows PowerShell 5.1 中的权限检查绕过漏洞，以及 Bash 权限检查对超长命令（超过 10,000 字符）和 zsh 变量下标比较的误判问题。

## 正文

What's changed

Fixed single-segment dir/** allow rules like Edit(src/**) auto-approving writes to nested dir/ directories anywhere in the tree instead of only <cwd>/dir

Fixed a permission-check bypass affecting commands run in Windows PowerShell 5.1 sessions

Fixed Bash permission checks to fail closed on file-descriptor redirect forms that bash parses differently than the permission analyzer

Fixed Bash permission checks misjudging very long commands — commands over 10,000 characters now always prompt instead of running automatically

Fixed Bash permission checks treating zsh variable subscripts and modifiers in [[ ]] comparisons as inert text — these commands now prompt for approval

Fixed Bash permission checks to no longer auto-approve certain help and man commands that could run unsafe options, command substitutions, or backslash paths

Fixed permission prompts on remote sessions that could proceed before the local confirmation dialog

Added the EndConversation tool: Claude can end sessions with highly abusive users or jailbreak attempts, as on claude.ai since 2025 — see https://www.anthropic.com/research/end-subset-conversations

Added a periodic progress heartbeat for long-running tool calls that previously went silent

Added an ISO modified timestamp to memory file frontmatter

Added message.uuid, client_request_id, and tool_source attributes to OpenTelemetry log events for message-level correlation and tool provenance

Added CLAUDE_CODE_OTEL_CONTENT_MAX_LENGTH to configure the 60 KB truncation limit on OpenTelemetry content attributes

Added reasoning effort to the subagentStatusLine payload, so custom agent rows can render model and effort

Added permission prompts for docker commands (including the Podman docker shim) carrying daemon-redirect flags (--url, --connection, --identity, and Podman's remote mode) that previously ran without one

Fixed a crash when a GrowthBook feature evaluates to null, and a bug where a malformed flag payload could wipe the cached feature flags

Fixed Bash tool killing the Claude session when a pkill -f pattern accidentally matched the CLI's own process (Linux)

Fixed unbounded memory growth when --settings points at a device file or multi-GB file; oversized (>2 MiB) settings files now fail at startup with a clear error

Fixed streaming turns failing with "Socket is closed" behind corporate proxies on Windows

Fixed stream-json output truncation at exit for slow-reading SDK/pipeline consumers; the exit drain now scales with queued bytes instead of a flat 2s cap

Fixed scheduled tasks refusing their own configured prompt as untrusted input — the fired prompt is now delivered as the session's assigned task

Fixed PowerShell tool commands hanging until timeout when a child process waited on standard input (Windows)

Fixed Python scripts under the PowerShell tool crashing with UnicodeDecodeError when reading non-UTF-8 data from standard input (Windows)

Fixed Python scripts run via the PowerShell tool crashing with UnicodeEncodeError on non-ASCII output, and PowerShell 7 error messages containing raw ANSI escape sequences (Windows)

Fixed the PowerShell tool reporting where.exe, fc.exe, and diff.exe as errors when they return a valid negative answer (Windows)

Fixed > and >> under the PowerShell tool on Windows PowerShell 5.1 writing UTF-16LE files that other tools couldn't read as UTF-8

Fixed a displaced background daemon deleting its successor's control socket on shutdown, which made the next client kill the healthy replacement daemon

Fixed background sessions parked with ← or /background and left idle keeping the background daemon and a worker process alive indefinitely

Fixed completed background sessions being impossible to remove via claude rm or the agent view once the background service had gone idle

Fixed background sessions dispatched from a non-git folder being impossible to delete from the agents view

Fixed reopening a stopped background session failing to restore its saved conversation when an unreadable folder exists in the session store

Fixed the Remote Control "session ready" push notification firing for sessions where Remote Control was not explicitly enabled

Fixed /install-github-app and the /mcp settings menu being blocked in agent-view sessions — they're now refused only in background sessions with no terminal attached

Fixed plugins enabled via the --settings CLI flag not loading (regression since v2.1.181)

Fixed feature flags going stale in long-running sessions after the OAuth token rotates

Fixed /ultrareview refusing to run in repos with no merge base — it now offers to review all tracked files

Fixed claude update and claude doctor hanging silently, and the /status System diagnostics section going blank, when a shell-config path is a directory

Fixed memory frontmatter values being silently truncated at an inline # when memory files are saved

Fixed session cost and token telemetry double-counting on streams that emit multiple cumulative message_delta frames

Fixed a spurious "check your network" warning that appeared while the advisor was thinking

Fixed hooks with exit code 2 not blocking as documented when the hook's stdout JSON fails schema validation

Fixed OTel log events emitted outside the turn's async context missing the interaction span's trace context

Fixed MCP transient errors during prompts/resources refresh clearing the server's slash commands and resources

Improved the claude rc workspace-trust error in the home directory to say trust there is never saved and to suggest running from a project directory

Changed single-segment dir/** hook if: conditions to match only <cwd>/dir; write **/dir/** for any-depth matching. deny/ask permission rules keep their any-depth match.

Changed file commands using -m/--magic-file or -f/--files-from to require permission instead of being auto-allowed as read-only

Changed keep-alive connection pooling to disable after a stale-connection error, so retries open a fresh socket

Changed SessionStart hooks to report source "fork" when a session begins as a fork instead of "resume"
