Anthropic Release Notes

About the Services Track

Almost every large enterprise is moving AI into production, and many have discovered something important: a successful pilot is not the same as a system a business can run on. The real work—and the real opportunity—is in the integration, the evaluation, and the way people's work evolves. That's why the companies getting AI integration right are doing it with partners who have done it before.

In March, we launched the Claude Partner Network—a program, backed by a $100 million investment in partner training, technical support, and shared marketing, for the firms that help enterprises put Claude into production. Since then, more than 40,000 firms have applied to join and more than 10,000 consultants have earned a Claude certification—a credential, held by an individual, that signals they've been trained to build and deploy Claude in production.

The largest professional-services firms in the world are building their own practices around Claude — putting it into production for clients while getting it into the hands of their own people. Accenture is training 30,000 professionals on the model. Cognizant has rolled Claude out to roughly 350,000 associates. Deloitte is making it available to 470,000 people across its global network. KPMG is integrating Claude across a workforce of more than 276,000. Infosys is building Claude-powered agents for specific industries, and PwC is rolling out Claude Code and Cowork starting with its US teams and expanding towards a global workforce in the hundreds of thousands.

Today we’re announcing two things that make this ecosystem easier for customers to navigate. The Services Track is a tiered structure that reflects what a firm has actually built and delivered with Claude. The Claude Partner Hub is a portal where partners see exactly where they stand against the program's requirements, and customers find the firms most qualified for the scope of their project.

The best partners have firsthand experience with Claude. They use the newest models for their own work before they put it in front of a client. This way, when they tell a customer what it takes, they’re speaking from experience. The Services Track is built to give customers confidence in a firm’s ability to help them bring Claude into their businesses.

About the Services Track

The Services Track has three tiers, each reflecting how deep a firm's Claude practice runs.

1. Select: where partnership begins. At least 10 active certified individuals, at least 2 joint customers deployed in production in the trailing 12 months, and at least 1 public customer story.
2. Preferred: for firms with deeper Claude practices. At least 100 active certified individuals, at least 15 deployed joint customers, and at least 3 public stories.
3. Global Premier: the top tier for firms running the deepest Claude practices. At least 1,000 active certified individuals, at least 100 deployed joint customers across three or more regions, at least 15 public customer stories, and a joint business plan with named executive sponsors.

Every firm is measured against the same requirements, whether it's a ten-person AI-native shop or a global consultancy. Size doesn't lower the bar or raise the tier; a smaller firm climbs by growing its certified bench. And because the ladder counts adoption and enablement work, firms that specialize in getting customers live on Claude can qualify early.

The criteria include:

1. Certified practitioners: How many of the firm’s people hold a current Anthropic certification and have used Claude in the past 90 days. Certifications belong to individual people, not firms, and are earned through Anthropic Partner Academy exams.
2. Customers running Claude in production: How many customers the firm has taken live with Claude.
3. Public endorsements of the firm’s work: How many customers will vouch for the firm’s work in a published customer story.

Every firm's dashboard shows the same numbers we see, and we verify standing every quarter. Detailed requirements for each tier are published at claude.com/partners.

About the Claude Partner Hub

The Claude Partner Hub allows each partner to see its own standing against the published requirements, refreshed daily. It’s also where customers looking for Claude expertise find the firms most qualified to help. Every partner’s standing—their tier, certified team, customer deployments, and public references—is visible in the Hub’s public directory, so anyone evaluating partners can see what a firm has built and delivered.

Partners can connect the Partner Hub to Claude through a new MCP connector, and from there information about the partnership becomes a conversation. For example, ask Claude where your firm stands against the next tier, the status of a registered deal, or how many of your consultants hold an active certification, and act on the answer within Claude.

What this means for partners

For firms building a Claude practice, this program is meant to reward real work and to be predictable enough to plan around. Four things hold true for every partner:

• You always know where you stand. A firm can see its standing against the published requirements and exactly what the next tier requires. This information is refreshed daily in the Claude Partner Hub.
• Building a practice and bringing us business are two different things, and we credit them separately. Tier standing measures the practice a firm has built: certified practitioners, production deployments, and customers willing to vouch for them. Sending new business to Anthropic is rewarded on its own track, through referral credit and deal protection. A firm is never forced to choose between the two.
• The ladder moves on a schedule you can see in advance. Promotions are processed twice a year, on January 1 and July 1, with an additional review on October 1, 2026, in this first year. A firm moves down only at the annual review on December 31, only if it no longer meets its tier’s published requirements, and only after 90 days’ notice and a chance to close the gap. The narrow exceptions are spelled out in the Program Guide.
• The $100 million we committed in March funds partner training, dedicated technical support, and shared marketing. Firms that join now also get priority access to new certifications as we introduce them.

What’s next

Specializations for specific industries and use cases are coming, along with rewards that grow as a partner’s deployments grow. Getting started is free. Firms gain Anthropic Partner Academy access, including certification exams, with tiered partners receiving discounted rates on their first attempt, and new applicants start at Registered, the program’s entry level, with a minimum commitment to 10 certified practitioners. Partnership begins at Select. The requirements are the same for every firm. Learn more at claude.com/partners.

• Added fallbackModel setting to configure up to three fallback models tried in order when the primary model is overloaded or unavailable; --fallback-model now also applies to interactive sessions
• Added glob pattern support in deny rule tool-name position ("*" denies all tools); allow rules reject non-MCP globs, and unknown tool names in deny rules warn at startup
• Hardened cross-session messaging: messages relayed via SendMessage from other Claude sessions no longer carry user authority 6 receivers refuse relayed permission requests, and auto mode blocks them
• MAX_THINKING_TOKENS=0, --thinking disabled, and the per-model thinking toggle now disable thinking on models that think by default via the Claude API (3P providers unchanged)
• Claude Code now retries a turn once on the fallback model when the API rejects an unexpected non-retryable error; auth, rate-limit, request-size, and transport errors still surface immediately
• claude update now announces the target version before downloading instead of going silent
• claude agents: typing a URL into the list now filters to the session whose first prompt contained it
• Fixed a recurring "image could not be processed" error and extra token usage when an unprocessable image was sent in a session
• Fixed remote sessions becoming permanently stuck when a brief backend disruption occurred during worker registration at startup
• Fixed flickering in JetBrains IDE terminals (IntelliJ, PyCharm, WebStorm, etc.) on 2026.1+ by enabling synchronized output
• Fixed Shift+non-ASCII characters (e.g. Shift+e4 16 c4) being dropped in terminals using the Kitty keyboard protocol (WezTerm, Ghostty, kitty)
• Fixed PowerShell command validation occasionally hanging far past its time budget on Windows when a killed process's children held its output pipes
• Fixed orphaned claude --bg-pty-host processes spinning at 100% CPU after the daemon dies while connected on macOS
• Fixed voice mode requiring /login to clear a stale auth check after toggling /voice
• Fixed managed settings with an invalid entry silently disabling enforcement of their remaining valid policies
• Fixed managed-settings allowedMcpServers/deniedMcpServers predicates not matching when they use ${VAR} references
• Fixed background agent sessions that entered a git worktree crash-looping with "No conversation found" when reopened from claude agents
• Fixed duplicated thinking text in the Ctrl+O transcript view while streaming
• Fixed /doctor showing a contradictory failed "Not inside a remote session" check when run inside a remote session
• Fixed the cursor sticking at the end of the first line when typing a multiline prompt in the claude agents dispatch and reply inputs
• Fixed blank lines appearing between background agent rows in the task list on terminals without Unicode support

• Added requiredMinimumVersion and requiredMaximumVersion managed settings — Claude Code refuses to start if its version is outside the allowed range and directs the user to an approved version

• Added /plugin list command to list installed plugins, with --enabled/--disabled filters

• Added a "c to copy" shortcut to /btw that copies the raw markdown answer to the clipboard, preserving formatting when pasted elsewhere

• Hooks: Stop and SubagentStop hooks can now return hookSpecificOutput.additionalContext to give Claude feedback and keep the turn going without being labeled a hook error

• Skills: added \$ escape syntax to include a literal $ before a digit in command bodies

• stdio MCP servers now receive the same CLAUDE_CODE_SESSION_ID as hooks/Bash on --resume

• Fixed claude -p hanging forever after its final result when a backgrounded command never exits — background shells are now stopped ~5s after the result once stdin closes

• Fixed claude -p failing with "ANTHROPIC_API_KEY required" on Bedrock/Vertex/Foundry when CI=true and no Anthropic API key is set

• Fixed bash commands failing under bazel and EDR-protected Go workflows: $TMPDIR was overridden to /tmp/claude-{uid} for all commands instead of only sandboxed ones (regression in 2.1.154)

• Fixed Bash commands failing on Windows with "EEXIST: file already exists" on the session-env directory when it has the read-only attribute or is inside OneDrive

• Fixed org-managed permission rules not applying for the entire session when the managed settings fetch completed during startup on a fresh config directory

• Fixed background sessions in claude agents losing their running background tasks when reattached after a Claude Code update

• Fixed terminal misalignment and a multi-second hang when exiting the agent view by pressing Esc

• Fixed clicking Stop on a background-task chip in the desktop app not clearing the chip when the underlying process was already gone

• Fixed keyboard input becoming permanently unresponsive after a paste operation whose end marker is dropped by the terminal

• Fixed hook if: "Bash(...)" conditions firing on every Bash command containing $() or $VAR; the pattern now matches against commands inside subshells and backticks too

• Fixed deny rules on home-directory paths (e.g. Read(~/Desktop/**)) not blocking Bash commands that reference the path via $HOME

• Fixed a stray "(no content)" line left in the transcript after closing panel dialogs like /mcp and /plugins

• Background agent sessions now update to a new Claude Code version in the background, so opening a session after an update no longer waits on a cold restart

• Clearer descriptions for built-in commands and skills in the / menu

• The subscription-switch suggestion now shows in the startup announcement slot instead of a toast

• claude agents dispatching from the state-grouped view now starts the session in the directory the agent view was opened from

Release notes

• claude agents --json now includes waitingFor showing what a waiting session is blocked on (e.g. permission prompt)
• --tools: explicitly listing Grep/Glob now provides the dedicated search tools on native builds with embedded search (previously these names were silently ignored)
• /effort now confirms when your chosen level will persist as the default for new sessions
• Clicking a slash command in the autocomplete menu now fills it into your prompt instead of running it immediately; press Enter to run
• Remote Control now shows as a persistent footer pill (with a link to the session) instead of a startup message
• Renamed Windsurf to Devin Desktop in the /ide menu, /terminal-setup, and /scroll-speed, following the editor's rebrand
• Fixed a silent startup hang when the config directory is read-only or unwritable — Claude Code now starts with in-memory config and surfaces startup errors instead of showing a blank screen
• Fixed WebFetch permission rules not being applied to built-in preapproved domains; explicit WebFetch(domain:...) deny/ask/allow rules now take precedence over the preapproved-host auto-allow
• Fixed Windows permission rules never matching when spelled with backslashes (~\, \\server\share) or case-variant paths, and Read deny rules not hiding files from Glob/Grep results
• Fixed an interrupt (Esc) sent at the very start of a turn being silently dropped in stream-json/SDK sessions, leaving the turn running with no "Interrupted" feedback
• Fixed API 400 no low surrogate in string errors for classifier side-queries and MCP server descriptions containing emoji near a truncation boundary
• Fixed MCP per-server timeout config values below 1000 ms being floored to a 1-second watchdog that aborted every tool call; sub-1000 ms values are now ignored (falling back to MCP_TOOL_TIMEOUT or default), and claude mcp get annotates them accordingly
• Fixed the LSP tool's workspaceSymbol operation returning no results; it now accepts a query parameter and passes it to the language server
• Fixed claude agents cutting live status text (tool args, replies, prompts, exec output) at 60–120 columns on wide terminals; the status detail now uses the full terminal width
• Fixed claude agents truncating long session names at 40 columns; the name column now grows with terminal width
• Fixed claude agents attach occasionally bouncing straight back to the session list on the first try after a background-service restart
• Fixed claude agents Ctrl+V image paste doing nothing in the dispatch input and the session reply box; pasting with no image now shows a hint
• Fixed backgrounding a session with
  silently losing the conversation when the background service cannot start; the session stays in the list as a failed row you can wake with Enter
• Fixed replies from the agents view that fail to send being lost; they are now queued for delivery on the next session start
• Fixed cross-session messaging (SendMessage) silently breaking when CLAUDE_CODE_TMPDIR or $TMPDIR points at a deep directory
• Fixed opening a running background session from claude agents stalling for 5 seconds before attaching
• Quieter startup: notices group by severity, and session info and announcements share a single line per launch
• Startup warnings rewritten to be shorter and clearer, each with a concrete fix
• Launch-prompt warnings (deep link/pre-filled prompt) now stay pinned below the input until you act instead of scrolling away
• Failed turns now show a compact warning line instead of a multi-line red error block
• Improved background service startup and claude update verification to wait out endpoint-security scanning of new binaries instead of failing after 5 seconds
• Background dispatch spawn failures now report the error class name when no errno is available
• Removed the "Claude in Chrome enabled" and "marketplace installed" startup messages; model auto-updates and the team-onboarding tip now show as quiet notices under the logo

• OTEL_RESOURCE_ATTRIBUTES values are now included as labels on metric datapoints, so you can slice usage metrics by custom dimensions like team or repo
• claude agents rows now show done/total before the detail when work is fanned out; peek shows the longest-running item
• /mcp now collapses claude.ai connectors you've never signed in to behind a "Show unused connectors" row
• Parallel tool calls: a failed Bash command no longer cancels other calls in the same batch 94 each tool returns its own result independently
• Fullscreen mode: clipboard now uses wl-copy/xclip/xsel on Linux when available, copies to both the clipboard and PRIMARY selection for middle-click paste, and the "hold {key} for native selection" hint now shows the correct key per terminal
• Fixed the /effort dialog, workflow animations, and prompt keyword shimmer not honoring the "Reduce motion" setting
• Fixed forceLoginOrgUUID/forceLoginMethod managed-settings policies blocking third-party provider sessions (Bedrock, Vertex, Foundry, Mantle) alongside the org pin (regression in 2.1.146)
• Fixed background subagent output corrupting claude -p stdout when using --output-format text or json
• Fixed /usage-credits starting a re-login for Team and Enterprise admins instead of pointing to the organization's usage settings page
• Fixed /autofix-pr reporting "cannot run on the default branch" when the session is inside a git worktree or another repository
• Fixed --resume picker not showing sessions from the current directory when it isn't a git worktree (e.g., jj workspaces)
• Fixed Windows hooks that invoke bash explicitly (e.g., /usr/bin/bash script.sh) failing with "command not found" or "cannot execute binary file"
• Fixed OpenTelemetry log events (user_prompt, api_request, tool_result, tool_decision) being silently dropped when emitted before telemetry initialization completed
• Fixed claude mcp list/get/add printing secrets to the terminal: ${VAR} references are no longer expanded, and credential headers and URL secrets are redacted
• Fixed Workflow agents spawned with isolation: "worktree" in background sessions being blocked from editing files inside their own worktree
• Fixed background sessions dispatched from claude agents booting on a stale model from the daemon's environment instead of the model in settings.json
• Fixed a potential crash when rendering Write tool results after resuming a session
• Fixed completed subagents getting stuck showing as running when an error occurs while finalizing their result
• Fixed EADDRINUSE errors from tools that bind Unix sockets under $TMPDIR when CLAUDE_CODE_TMPDIR is set to a deep path
• Improved terminal rendering performance by stabilizing the layout engine's JIT compilation profile
• Improved rendering performance for large file writes
• [VSCode] Added a tip suggesting disabling terminal GPU acceleration (or running /terminal-setup) to fix garbled glyphs

• Added a prompt before writing to shell startup files (.zshenv, .zlogin, .bash_login) and ~/.config/git/, which could otherwise lead to unintended command execution
• acceptEdits mode now prompts before writing build-tool config files that grant code execution (.npmrc, .yarnrc*, bunfig.toml, .bazelrc, .pre-commit-config.yaml, .devcontainer/, etc.)
• Edit no longer requires a separate Read after viewing a file with grep: single-file grep/egrep/fgrep commands now satisfy the read-before-edit check
• Fixed copy-on-select not writing to the Windows clipboard on WSL 94 now uses PowerShell interop instead of OSC 52, which terminals like MobaXterm don't support
• Fixed restoring a completed session from claude agents dropping chat history and re-running the original prompt
• Fixed background sessions re-attached after overnight retire losing their conversation and re-running the original prompt
• Fixed claude --bg occasionally failing with "socket missing" when the background daemon was cold-starting on a loaded machine
• Fixed an issue on Windows where the directory a background session was started in could not be deleted after claude rm until the background daemon exited
• Fixed background agents that resumed work being shown under Completed in the agents list
• Fixed claude agents freezing for several seconds when returning to the session list due to the auto-updater re-checking on every exit
• Fixed Esc, arrow keys, and typing becoming unresponsive on Windows when attached to a background session or in the agent view while the host is under heavy CPU load
• Fixed background agents emitting terminal sync-output markers to terminals that don't support them (Apple Terminal, tmux), causing render artifacts when entering a running agent
• Fixed mouse wheel scrolling prompt history instead of the transcript right after opening a session from the agents list
• Fixed CJK IME composition appearing at the bottom-left of the screen instead of at the input caret in the claude agents view
• Fixed valid file:///C:/... links being rewritten to a broken path on Windows terminals with hyperlink support
• Fixed voice mode failing to connect when the project directory or branch name contains non-ASCII or special characters
• Fixed the auto mode unavailability message on third-party providers (Bedrock/Vertex/Foundry) to point to the CLAUDE_CODE_ENABLE_AUTO_MODE opt-in instead of incorrectly blaming the model
• Fixed /effort ultracode incorrectly blaming the dynamic workflows setting when the model cannot run xhigh; ultracode is no longer offered on models that do not support it
• Fixed model-not-found errors suggesting --model when running via the SDK or other hosts where the CLI flag doesn't apply
• Fixed Claude's past replies disappearing from scrollback when resuming a brief mode session with brief mode turned off
• Fixed vim mode p pasting on the line below instead of at the cursor when the register was yanked with v$
• Improved performance of opening recently-inactive background agent sessions in claude agents
• Improved auto mode classifier latency by reducing reasoning on routine actions, lowering the chance of "could not evaluate this action" blocks
• Improved background-session teardown (claude rm/stop, idle reap) to send SIGTERM to running shell subprocesses before SIGKILL, so cleanup handlers run
• Removed CLAUDE_CODE_OPUS_4_6_FAST_MODE_OVERRIDE; the environment variable is now a no-op
• Removed the JetBrains plugin install suggestion from startup
• Renamed the dynamic-workflow trigger keyword from workflow to ultracode. The word "workflow" no longer triggers a run; asking for one in your own words still works. The trigger keyword is highlighted in violet in the prompt input

• OTEL_RESOURCE_ATTRIBUTES values are now included as labels on metric datapoints, so you can slice usage metrics by custom dimensions like team or repo
• claude agents rows now show done/total before the detail when work is fanned out; peek shows the longest-running item
• /mcp now collapses claude.ai connectors you've never signed in to behind a "Show unused connectors" row
• Parallel tool calls: a failed Bash command no longer cancels other calls in the same batch; each tool returns its own result independently
• Fullscreen mode: clipboard now uses wl-copy/xclip/xsel on Linux when available, copies to both the clipboard and PRIMARY selection for middle-click paste, and the "hold {key} for native selection" hint now shows the correct key per terminal
• Fixed the /effort dialog, workflow animations, and prompt keyword shimmer not honoring the "Reduce motion" setting
• Fixed forceLoginOrgUUID/forceLoginMethod managed-settings policies blocking third-party provider sessions (Bedrock, Vertex, Foundry, Mantle) alongside the org pin (regression in 2.1.146)
• Fixed background subagent output corrupting claude -p stdout when using --output-format text or json
• Fixed /usage-credits starting a re-login for Team and Enterprise admins instead of pointing to the organization's usage settings page
• Fixed /autofix-pr reporting "cannot run on the default branch" when the session is inside a git worktree or another repository
• Fixed --resume picker not showing sessions from the current directory when it isn't a git worktree (e.g., jj workspaces)
• Fixed Windows hooks that invoke bash explicitly (e.g., /usr/bin/bash script.sh) failing with "command not found" or "cannot execute binary file"
• Fixed OpenTelemetry log events (user_prompt, api_request, tool_result, tool_decision) being silently dropped when emitted before telemetry initialization completed
• Fixed claude mcp list/get/add printing secrets to the terminal: ${VAR} references are no longer expanded, and credential headers and URL secrets are redacted
• Fixed Workflow agents spawned with isolation: "worktree" in background sessions being blocked from editing files inside their own worktree
• Fixed background sessions dispatched from claude agents booting on a stale model from the daemon's environment instead of the model in settings.json
• Fixed a potential crash when rendering Write tool results after resuming a session
• Fixed completed subagents getting stuck showing as running when an error occurs while finalizing their result
• Fixed EADDRINUSE errors from tools that bind Unix sockets under $TMPDIR when CLAUDE_CODE_TMPDIR is set to a deep path
• Improved terminal rendering performance by stabilizing the layout engine's JIT compilation profile
• Improved rendering performance for large file writes
• [VSCode] Added a tip suggesting disabling terminal GPU acceleration (or running /terminal-setup) to fix garbled glyphs

The role of Project Glasswing

Project Glasswing is our collaborative effort to secure the world’s most important software. In early April, we announced that roughly 50 initial partners had access to Claude Mythos Preview, and since then, they’ve been deploying the model to scan their codebases for vulnerabilities. We recently described how these partners have so far found more than 10,000 high- or critical-severity security flaws.

We’re now expanding Project Glasswing. Following several weeks of close collaboration with our Project Glasswing partners, the security industry, open-source software maintainers, and the US government, we’re extending the partnership to approximately 150 new organizations. Each one will need to meet our security requirements before they gain access.

The organizations in this new group are based in more than 15 countries, and most provide critical infrastructure to many more. (In the future, we intend to expand our geographical reach much further.) The group covers several industries that weren’t well represented in our initial cohort, such as power, water, healthcare, communications, and hardware. And many of the new partners are vendors—companies or nonprofits that maintain codebases that are relied upon by lots of other organizations around the world, including governments.

What each partner has in common is that a successful attack on their codebase could be catastrophic. For most partners, we estimate that a major attack could affect more than 100 million people, with important ramifications for both global and national security.

This expansion is the next step toward our long-term goals: for AI to make all software more secure, and for us to help the industry adjust to how AI could change many of the core assumptions of cybersecurity.

Supporting cyberdefenders

Project Glasswing and the capabilities of Claude Mythos Preview have sparked broad conversations—both within the software industry and with governments—about how AI is changing cybersecurity. These conversations have informed how we’ve expanded the program. They’ve also shaped our thinking about the very purpose of Project Glasswing.

Cheap, fast AI models with powerful cyber capabilities are around the corner. We want Project Glasswing to spur institutions toward operating norms that reflect this reality.

Mythos Preview continues a long-term trend that we’ve been warning about for some time: within 6 to 12 months, we expect that many other AI companies will have Mythos-class models, and they could release them without safeguards that prevent misuse. In that world, cyberattacks could occur much more often, and in much more unpredictable forms. It’s imperative that cyberdefenders adapt to maintain pace.

We see our role as twofold. First, to help the software industry adapt by safely providing wide access to better models, tools, and common infrastructure. Second, to steadily shift the support we provide, from finding vulnerabilities to disclosing, fixing, and deploying patched software. We’ll now discuss each of these in turn.

So far, companies, nonprofits, maintainers, and researchers have acted quickly. Within the first weeks of Project Glasswing, each member began using Mythos Preview at large scale, sharing information and best practices with other partners, and working with third parties to triage the model’s findings. These organizations’ methods for adapting to new tools can, and should, be replicated widely across the millions of organizations and developers who are vulnerable to cyberattacks.

To support this, we recently released Claude Security, a product that uses our latest public frontier models, like Claude Opus 4.8, to scan codebases and suggest patches. We're also releasing—on request, to trusted security teams—the tools we developed to help Project Glasswing’s partners find vulnerabilities more quickly.

We intend to go much further: our longer-term aim is to support the industry in creating new initiatives, standards, and infrastructure for the era of powerful cyber models.

Accelerating patching and the rest of security

As we’ve previously discussed, the bottleneck in cybersecurity is now verifying, disclosing, and patching the large numbers of vulnerabilities that Mythos-class models can surface.

Mythos Preview itself can help. Many of Project Glasswing’s partners now use the model to write patches, as well as for pre-release checks that prevent vulnerabilities from appearing in the first place. Models like Mythos Preview can also be used for penetration testing (simulating a cyberattack to identify how vulnerabilities might be exploited), automating threat detection and response, and rebuilding legacy codebases in memory-safe languages, among many other defensive tasks.

We’re in discussions with third parties about how we might substantially scale up the reviewing and patching of vulnerabilities in open-source software. We’re also working on sharing ideas and best practices for disclosing vulnerabilities to open-source maintainers, with the intent of making these reports easier to triage and to act upon.

The path ahead

To address the scale of this coming challenge, hundreds of thousands of organizations, researchers, and maintainers will likely need access to the most advanced cyber capabilities and tools available.

We’re working as quickly as we can to safely release Mythos-level capabilities in general access. To do so, we’ll need highly robust safeguards that prevent the model’s cyber capabilities from being misused—safeguards that we (and, to our knowledge, all other AI developers) have yet to develop. Because cybersecurity has both helpful and destructive uses, making safeguards that are both strong and precise enough is a major challenge.

In the meantime, we plan to expand Project Glasswing even further—prioritizing additional essential infrastructure providers, maintainers of critical open-source software, and safety testers. We intend for future expansions to cover organizations in the US and overseas, just as this one does. We also intend to scale up our Cyber Verification Program, which would grant Mythos-class capabilities to many more organizations for specific cyberdefense tasks.

In the future, frontier model releases will become increasingly high-stakes. Capabilities will continue to improve across all domains, including many that—like cybersecurity—can empower attackers and defenders alike. This will not be the last time we need to confront a challenge like this one. But Project Glasswing has taught us a great deal about how to respond when models cross important capability thresholds. If we’re successful, we hope to enable a permanent advantage for defenders.

• Added a prompt before writing to shell startup files (.zshenv, .zlogin, .bash_login) and ~/.config/git/, which could otherwise lead to unintended command execution
• acceptEdits mode now prompts before writing build-tool config files that grant code execution (.npmrc, .yarnrc*, bunfig.toml, .bazelrc, .pre-commit-config.yaml, .devcontainer/, etc.)
• Edit no longer requires a separate Read after viewing a file with grep: single-file grep/egrep/fgrep commands now satisfy the read-before-edit check
• Fixed copy-on-select not writing to the Windows clipboard on WSL — now uses PowerShell interop instead of OSC 52, which terminals like MobaXterm don't support
• Fixed restoring a completed session from claude agents dropping chat history and re-running the original prompt
• Fixed background sessions re-attached after overnight retire losing their conversation and re-running the original prompt
• Fixed claude --bg occasionally failing with "socket missing" when the background daemon was cold-starting on a loaded machine
• Fixed an issue on Windows where the directory a background session was started in could not be deleted after claude rm until the background daemon exited
• Fixed background agents that resumed work being shown under Completed in the agents list
• Fixed claude agents freezing for several seconds when returning to the session list due to the auto-updater re-checking on every exit
• Fixed Esc, arrow keys, and typing becoming unresponsive on Windows when attached to a background session or in the agent view while the host is under heavy CPU load
• Fixed background agents emitting terminal sync-output markers to terminals that don't support them (Apple Terminal, tmux), causing render artifacts when entering a running agent
• Fixed mouse wheel scrolling prompt history instead of the transcript right after opening a session from the agents list
• Fixed CJK IME composition appearing at the bottom-left of the screen instead of at the input caret in the claude agents view
• Fixed valid file:///C:/... links being rewritten to a broken path on Windows terminals with hyperlink support
• Fixed voice mode failing to connect when the project directory or branch name contains non-ASCII or special characters
• Fixed the auto mode unavailability message on third-party providers (Bedrock/Vertex/Foundry) to point to the CLAUDE_CODE_ENABLE_AUTO_MODE opt-in instead of incorrectly blaming the model
• Fixed /effort ultracode incorrectly blaming the dynamic workflows setting when the model cannot run xhigh; ultracode is no longer offered on models that do not support it
• Fixed model-not-found errors suggesting --model when running via the SDK or other hosts where the CLI flag doesn't apply
• Fixed Claude's past replies disappearing from scrollback when resuming a brief mode session with brief mode turned off
• Fixed vim mode p pasting on the line below instead of at the cursor when the register was yanked with v$
• Improved performance of opening recently-inactive background agent sessions in claude agents
• Improved auto mode classifier latency by reducing reasoning on routine actions, lowering the chance of "could not evaluate this action" blocks
• Improved background-session teardown (claude rm/stop, idle reap) to send SIGTERM to running shell subprocesses before SIGKILL, so cleanup handlers run
• Removed CLAUDE_CODE_OPUS_4_6_FAST_MODE_OVERRIDE; the environment variable is now a no-op
• Removed the JetBrains plugin install suggestion from startup
• Renamed the dynamic-workflow trigger keyword from workflow to ultracode. The word "workflow" no longer triggers a run; asking for one in your own words still works. The trigger keyword is highlighted in violet in the prompt input

• The advisor tool now supports a max_tokens parameter to cap the advisor model's output per call, reducing latency and output token cost for workloads that don't need full-length advisor responses. Set tools[].max_tokens on the advisor tool definition; see Capping advisor output.

• On the Claude API, you are no longer billed for a request when it returns stop_reason: "refusal" without Claude having generated any output. See Streaming refusals for detecting and handling refusals.

• Plugins in .claude/skills directories are now automatically loaded, no marketplace required
• Added claude plugin init <name> to scaffold a new plugin in .claude/skills
• Added autocomplete for /plugin arguments: subcommands, installed plugin names, and plugins from known marketplaces
• claude agents: the agent field in settings.json is now honored for dispatched sessions, with --agent <name> to override it
• EnterWorktree can now switch between Claude-managed worktrees mid-session
• tool_decision telemetry events now include tool_parameters (bash commands, MCP/skill names) when OTEL_LOG_TOOL_DETAILS=1
• Worktrees managed by Claude are now left unlocked when the agent finishes, so git worktree remove/prune can clean them up
• Fixed unprocessable images (zero-byte, corrupt) attached via paste, MCP, or dialog crashing the request instead of becoming a text placeholder
• Fixed sandbox network permission prompts appearing in auto and bypass-permissions mode when using the desktop app, IDE extensions, or SDK
• Fixed claude agents completed sessions not retiring when an idle subagent was still parked or had leaked a backgrounded shell
• Fixed claude agents pressing Esc not cancelling a slow "opening…", leaving the list unresponsive
• Fixed background agent worktrees under .claude/worktrees/ being orphaned after the 30-day job retention sweep
• Fixed background sessions re-attached after a sleep/wake not telling the model the correct date
• Fixed copy-on-select in claude agents not reaching the system clipboard inside tmux with set-clipboard on (regression in 2.1.153)
• Fixed --resume not reporting background subagents that were running when the previous Claude Code process exited
• Fixed the --resume session picker leaving its contents on the terminal after exiting in fullscreen mode
• Fixed --worktree and --worktree --tmux returning to the canonical repo root instead of the current linked worktree
• Fixed the /model picker showing an incorrect "Newer version available" hint when the selected model is already the newest in its family; the pinned-model row now shows the model's description instead of its raw ID
• Fixed literal markdown markers (backticks, asterisks) appearing in the in-progress message text in fullscreen mode
• Fixed the terminal freezing after approving the managed-settings security dialog at startup
• Fixed a rare duplicate line appearing in scrollback after the terminal UI redraws
• Fixed right-click paste duplicating the clipboard in the VS Code, Cursor, and Windsurf integrated terminals
• WSL: fixed image paste (alt+v keybinding), screenshot paste on Windows 11, and added support for dragging images from Windows Explorer
• Improved performance of long and resumed conversations by eliminating redundant message-rendering recomputations
• /terminal-setup now disables GPU acceleration in VS Code/Cursor/Windsurf integrated terminals to prevent garbled-text rendering
• The Feature of the Week credit-claim status now appears as a notification in the status area instead of a line above the prompt
• claude agents: slash-command autocomplete in the dispatch input now matches substrings
• Removed the "bash commands will be sandboxed" startup banner — sandbox status still shows in /status and when a command is blocked
• Removed the "/ide for …" startup hint toast
• [IDE] Fixed clicking Stop while a background subagent is running not actually stopping it
• [VSCode] Fixed the fast mode indicator not appearing on Opus 4.8
• Pressing backspace right after a workflow trigger keyword now dismisses the workflow request (same as alt+w) instead of deleting a character
• Added a "Workflow keyword trigger" setting in /config to stop the word "workflow" in a prompt from triggering a dynamic workflow