Claude Code Week 22 Release Digest (May 18-20, 2026)

Source: raw/anthropic-watch-claude-code-tag-v2-1-144.md (CC v2.1.144 release notes), raw/anthropic-watch-anthropic-sdk-python-tag-v0-103-0.md (Python SDK v0.103.0), raw/anthropic-watch-anthropic-sdk-typescript-tag-sdk-v0-97-0.md (TS SDK v0.97.0), raw/anthropic-watch-anthropic-sdk-typescript-tag-bedrock-sdk-v0-29-2.md (TS Bedrock v0.29.2), raw/anthropic-watch-anthropic-sdk-typescript-tag-vertex-sdk-v0-16-1.md (TS Vertex v0.16.1), raw/anthropic-watch-skills-commit-690f15cac7f7b4c055c5ab109c79ed9259934081.md (skills #1164 — CMA claude-api skill updates), eight anthropics/claude-cookbooks commits (7d1dc7d0 original self-hosted sandbox worker-templates feat, 1a4f78a6 PR #640 merge, 67aadb7e rename + tool-demo drop, 74edd9e7 published-SDK switch + API correctness, 3c26fa88 review scrub, 01b041a6 artifact-rename completion, 2eed173a PR #643 merge, a102bbec PR #614 Slack stateless webhook bridge merge)

Week 22 is the Managed Agents self-hosted sandboxes week — Anthropic ships the long-promised customer-infrastructure-side execution model for CMA, plus mid-session agent updates and >100K MCP-output file offload, all wired through new SDK helpers and 8 cookbook scrubs that take the worker templates from prerelease to published-SDK-ready. The release lands as Claude Code v2.1.144 (May 19) cleans up four annoying terminal-corruption / startup-hang regressions, followed 24 hours later by v2.1.145 (May 20) which adds claude agents --json, OTEL subagent trace correctness, and a permission-prompt-bypass security fix. The Python v0.103.0 → v0.103.1 and TS v0.97.0 → v0.97.1 SDKs add sandbox helpers in lockstep and immediately patch a SessionToolRunner ownership edge case the same day, and the anthropics/skills repo absorbs the entire new doc surface under one PR (#1164).

Headline changes

Claude Code v2.1.144 (May 19)

Source: raw/anthropic-watch-claude-code-tag-v2-1-144.md (tagged 2026-05-19T00:48:51Z, author ashwin-ant).

• /resume support for background sessions. Sessions started via claude --bg or agent view now appear alongside interactive ones in the resume list, marked with bg. Closes the “interactive and background workflows live in two different surfaces” gap from W20-W21 — there is now one resume surface for both.
• Elapsed duration in background subagent completion notifications. Notifications now read e.g. "Agent completed · 3h 2m 5s" — at-a-glance signal for long-running agent-teams / subagents runs. Pair with the v2.1.143 spinner-warming-to-amber polish; both surfaces are converging on better “what state is this session in?” affordances.
• /plugin browse + /plugin discover panes show last-updated date. Visibility for stale-vs-fresh plugins before install. Companion to v2.1.143’s projected per-turn token cost in the marketplace browse pane.
• /model is now session-only. Press d in the model picker to set the default for new sessions. Previously, /model silently changed the per-user default — confusing when a temporary swap in one session leaked into the next.
• “Extra usage” → “usage credits” rename. /extra-usage is now /usage-credits across CLI copy; the old slash command still works. Lines up with the W21 claude --print → SDK credit billing split (effective June 15) — Anthropic is normalizing the “credits” surface across the consumer Pro/Max ledger and the programmatic SDK ledger.
• Fix: 75-second startup hang when api.anthropic.com is unreachable (captive portal, firewall, VPN). Side-channel API calls now time out after 15 seconds. Closes the “I opened Claude Code on the plane and it hung for a full minute before doing anything” failure mode.
• Fix: garbled terminal output after missed window-resize. Dragging a VS Code split-pane divider previously corrupted the terminal until Ctrl+L; now self-heals on the next frame.
• Fix: progressive terminal display corruption in very long sessions. Stale/garbled glyphs that previously required a terminal resize or restart to clear are now cleaned up automatically. Important for /loop and /goal long-runner patterns where session lifetime spans hours or days.
• Fix: macOS background sessions Full Disk Access regression. v2.1.143’s macOS FDA fix had a regression where background sessions crashed with "exit 1 before init" when the project lived under an FDA-protected folder (~/Documents, ~/Desktop, ~/Downloads). v2.1.144 closes the regression.
• Fix: image-extension-mismatch unrecoverable conversation. A file with an image extension that doesn’t match its contents (e.g., HTML saved as .png) previously broke the conversation irrecoverably. Now falls back to text. Edge case but expensive when it hit.
• Fix: VS Code spinner color reduction to reduce terminal rendering glitches when running Claude Code inside the VS Code terminal.
• Fewer spurious tool errors (changelog catch-all).

[Reddit signal — r/ClaudeAI 2026-05-18] Source: raw/reddit-1tgzjrm.md (102 score / 38 comments, OP alOOshXL, Claude Code Workflow flair). Operator screenshot confirms that Fast mode in Claude Code now defaults to Opus 4.7, not Sonnet — a model-tier shift that lands quietly alongside the v2.1.144 surface changes above (no entry in the published changelog). Operationally significant for anyone selecting Fast for cost reasons assuming a cheaper default tier; the W22 baseline is Opus 4.7 across both default and Fast unless explicitly switched via /model.

Claude Code v2.1.145 (May 20)

Source: raw/anthropic-watch-claude-code-tag-v2-1-145.md (tagged 2026-05-20T01:02:24Z, author ashwin-ant). Shipped roughly 24 hours after v2.1.144 — a tighter cadence than the typical 3-5 day rhythm, suggesting Anthropic is pushing fixes for the v2.1.144 regression set fast and layering in fresh scripting / observability surfaces while the CMA self-hosted-sandbox rollout is hot.

New observability + scripting surfaces:

• claude agents --json — lists live Claude sessions as JSON. Built for scripting: tmux-resurrect, custom status bars, session pickers, and any tooling that wants programmatic visibility into “what agents are running right now.” Pair with the v2.1.144 --bg + /resume bg unification — there is now a JSON wire format for the same surface that became human-discoverable in v2.1.144.
• OTEL trace correctness for subagents. Added agent_id and parent_agent_id attributes to claude_code.tool OTEL spans, and fixed trace parenting so background subagent spans nest under the dispatching Agent tool span. Before this fix, background-subagent spans floated at the top level of the trace tree, making it impossible to reconstruct the parent-child relationship in OTEL backends like Honeycomb / Datadog / Grafana Tempo. Significant for anyone running agent-teams in production and trying to attribute cost / latency back to the dispatching agent.
• Status line GitHub context. Status line JSON input now includes GitHub repo and PR information when detected. Plugs into the status line surface — custom status-line scripts can now show repo / PR context without inferring it from cwd.
• /plugin Discover + Browse pre-install detail. Both screens now show a plugin’s commands, agents, skills, hooks, and MCP/LSP servers before installation. Continuation of the v2.1.143 / v2.1.144 marketplace-transparency arc (projected per-turn token cost in v2.1.143, last-updated date in v2.1.144). The full pre-install surface is now visible — operators can audit what they’re about to install without trusting the plugin name.
• Agent terminal tab title — awaiting-input count. claude agents terminal tab title now shows the awaiting-input count so an alt-tabbed window tells you when an agent needs attention. Closes the “I forgot a background agent was waiting on me” failure mode — same family as v2.1.144’s elapsed-duration completion notifications.
• Mouse hover/click in slash + @-mention suggestion list. Slash command and @-mention suggestion lists now support mouse hover and click in fullscreen mode. Affordance polish.
• Stop / SubagentStop hook input expansion. Hook input JSON now includes background_tasks and session_crons fields — Stop/SubagentStop hook authors can now see what background work / scheduled work was running when the session ended. Material for scheduled tasks introspection and the broader hook ecosystem.

Security fix (notable):

• Permission-prompt bypass fix. Closed a permission-prompt bypass where bare variable assignments to non-allowlisted environment variables in Bash commands were auto-approved. The class of bug: FOO=bar claude-not-allowlisted-command previously slipped past the permission prompt because the bash parser flagged the leading FOO=bar as a “variable assignment” and not a command invocation. Now the underlying command is correctly subject to allowlist checks. Operators who tightened Bash permissions assuming this surface was already locked should treat v2.1.145 as a security-relevant upgrade.

Fixes:

• MCP prompt slash command error messages. Previously surfaced raw server validation errors when a required argument was omitted; the error now names the missing argument and shows expected usage. UX polish for MCP prompt authors and consumers.
• Spinner / elapsed-time freeze after resize or refocus. The v2.1.144 fix for “garbled terminal output after missed window-resize” had a sibling bug — spinner + elapsed-time displays would freeze until a keypress after a terminal resize or refocus. Now self-heals on the next frame.
• Windows PowerShell 5.1 cross-project resume hint. Cross-project resume hint failed in default Windows PowerShell 5.1; Windows now uses ; as the command separator instead of &&. Closes the regression for Windows users on the default shell (PS 5.1, not PS 7+).
• Voice push-to-talk in agent view reply pane. PTT was not working in the agent view’s reply pane; now functional. Pair with the v2.1.144 agent-view fixes — the agent view is converging on full parity with the main session view.
• Task list rendering (truncated in the stub — final fix unclear). The raw stub cuts off at “Fixed task lists rendering in random” so the exact resolution is not captured here. Confirm via the GitHub release page if the detail matters.

Managed Agents self-hosted sandboxes (skills #1164, May 19)

Source: raw/anthropic-watch-skills-commit-690f15cac7f7b4c055c5ab109c79ed9259934081.md (commit 690f15ca, PR #1164, author rlancemartin, merged 2026-05-19T14:11:06Z).

The headline story for W22. PR #1164 wires three big additions into the Managed Agents claude-api skill:

(a) Self-hosted sandboxes. New shared doc shared/managed-agents-self-hosted-sandboxes.md documenting config: {type: "self_hosted"} — the agent loop runs on Anthropic’s orchestration; tool execution runs on customer infrastructure via an outbound-polling worker. This is the data-sovereignty / regulated-industry deployment model CMA was missing.

• Worker primitives. EnvironmentWorker.run() / .run_one() (Py/TS) — high-level worker loop. ant beta:worker poll/run — CLI equivalents. work.poller() / WorkPoller (Py/TS/Go) — mid-level poller for custom integration loops. Go has no auto_stop opt-out; Py/TS do.
• Tool execution. AgentToolContext, beta_agent_toolset, tool_runner() — the surface a worker uses to receive a tool-use block, run it locally, and post the result back to Anthropic’s orchestration.
• Monitoring (external). environments.work.stats / environments.work.stop — REST endpoints authed with x-api-key, called from outside the worker host (e.g., a monitoring dashboard or admin script). Not callable from inside the polling worker process.
• Cloud-vs-self_hosted delta table. New table in the shared doc enumerating which knobs change between hosted and self-hosted modes — credentials, security ownership split, tool surface.
• Cross-refs. The PR threads the new concept through every existing doc: environments.md, overview.md (Reading Guide + rewrote the cloud-only pitfall), api-reference.md (SDK row + naming quirks + schema + work REST rows), tools.md (Who-runs-it carve-out), onboarding.md, live-sources.md.

(b) Mid-session agent updates. New sessions.update(session_id, agent={tools, mcp_servers}, vault_ids=[...]) call — session-local override that does not bump the agent version. Full-replacement semantics (the new tools list replaces the prior one outright). The session must be idle when the update lands.

• Unlocks per-conversation override patterns previously requiring a whole agent-config redeploy. Example: a triage agent picks up extra Linear tools mid-conversation when escalation is detected, then drops them on next session.
• New core.md section + pointers in tools.md, api-reference.md (UpdateSession row), overview.md.

(c) Large MCP tool outputs → automatic file offload. Tool outputs >100K tokens are automatically offloaded to a sandbox file; the agent gets a truncated preview + a path. Closes a major MCP failure mode where a tool that returned a big JSON blob would blow up the context window and crash mid-turn. See Essential MCP Servers for the surface this affects.

Plus: invalid vault credentials no longer block sessions.create() — a session.error event fires instead. Same shape as the W21 background-agent permission-mode preservation fixes — Anthropic is moving error surfaces from “hard fail at boundary” to “soft fail with a typed event the worker can act on.”

Python SDK v0.103.0/v0.103.1 + TS SDK v0.97.0/v0.97.1 + Bedrock + Vertex (May 19-20)

Sources: raw/anthropic-watch-anthropic-sdk-python-tag-v0-103-0.md, raw/anthropic-watch-anthropic-sdk-python-tag-v0-103-1.md, raw/anthropic-watch-anthropic-sdk-typescript-tag-sdk-v0-97-0.md, raw/anthropic-watch-anthropic-sdk-typescript-tag-sdk-v0-97-1.md, raw/anthropic-watch-anthropic-sdk-typescript-tag-bedrock-sdk-v0-29-2.md, raw/anthropic-watch-anthropic-sdk-typescript-tag-vertex-sdk-v0-16-1.md. All six by stainless-app[bot]; v0.103.0 / v0.97.0 / Bedrock / Vertex tagged 2026-05-19, v0.103.1 / v0.97.1 tagged 2026-05-19 (same day, hours later).

The version-locked headline across both SDKs:

• Python v0.103.0 — single feature: client: Add support for self-hosted sandboxes in CMA with sandbox helpers (e5625b0). This is the SDK-side wire-up of the skills #1164 doc surface above — EnvironmentWorker, work.poller(), AgentToolContext, tool_runner(), plus the new sessions.update() and the >100K tool output → file behavior land here.
• TS sdk v0.97.0 — same headline feature Add support for self-hosted sandboxes in CMA with sandbox helpers (659a343), plus a TS-specific bug fix upgrade tsc-multi so that it works with Node 26 (623f71c) and a remove redundant File import chore.
• TS bedrock-sdk v0.29.2 — single bug fix align @types/node in sub-packages to fix CI build (#1017) (9888c76). Pure plumbing.
• TS vertex-sdk v0.16.1 — same fix as Bedrock: align @types/node in sub-packages to fix CI build (#1017) (9888c76). Cuts Bedrock and Vertex from the same commit.
• Python v0.103.1 (May 19, hours later) — patch. Single bug fix: runner: skip tool calls SessionToolRunner does not own (#1817) (9425c6a). This is a SessionToolRunner correctness fix for the sandbox helpers introduced in v0.103.0 — when a worker processes a session it doesn’t own (e.g., overlapping pollers, or a stale poller continuing after a session migrated), the runner now skips the tool call instead of executing it. Bumps the upgrade recommendation: don’t ship v0.103.0 to production; jump directly to v0.103.1.
• TS sdk v0.97.1 (May 19, same hour as Python patch) — patch. Same fix, ported: runner: skip tool calls SessionToolRunner does not own (9987379). Confirms the Stainless lockstep observation — bug fixes now reach Python + TS within the same Stainless run, not just feature work. Caveat: the same-day .0 → .1 patch cadence on a brand-new feature surface (sandbox helpers) reads as “shipped before the worker-ownership edge case was exercised,” which is itself a useful signal — early adopters who picked up v0.103.0 / v0.97.0 should patch immediately.

Net effect: anyone calling Managed Agents from a Python or TS client should bump SDK versions this week — the sandbox helpers are not back-ported to v0.102.0 / v0.96.0, and the corrected SessionToolRunner behavior only ships in v0.103.1 / v0.97.1. Bedrock / Vertex bumps are CI-only and can wait. See Anthropic SDK Releases — May 2026 for the full May rollup including this week.

Cookbook scrub: private-sandbox → self-hosted-sandbox (8 commits, May 18-19)

The anthropic-cookbooks repo took the worker templates from “first cut with prerelease SDK build URLs” all the way to “published SDK + production naming” inside 24 hours. Read in commit order:

• 7d1dc7d0 (2026-05-19T04:21:55Z, rlancemartin) — feat(managed_agents): self-hosted sandbox worker templates. The original feature commit. Adds reference implementations for running CMA sessions against self-hosted execution sandboxes via the session-webhook + tool_result pattern. Six platforms in the first cut: privatesandbox-{cf, cf-worker, docker, daytona, modal, vercel}. Three custom-tool demos: cloudrepl (QuickJS-WASM REPL persisted to Durable Object storage), livepage (live-editable page with SSE push to viewers), browseruse (headless Chromium via Cloudflare Browser Rendering). Plus docs/: usage guide + upgrade guide for the self-hosted worker contract.
• 67aadb7e (2026-05-19T04:40:30Z, rlancemartin) — refactor(self_hosted_sandboxes): drop tool demos, rename privatesandbox* → self_hosted_sandbox*. Removes browseruse/, cloudrepl/, livepage/ as out-of-scope (custom-tool demos, not sandbox patterns). Renames privatesandbox-* → self_hosted_sandbox-* for all six providers. Rewrites the top-level README around the self-hosted sandbox contract. Repoints onboarding-guide links to docs/usage-guide.md.
• 3c26fa88 (2026-05-19T04:44:09Z, rlancemartin) — fix(self_hosted_sandboxes): address review. Scrub staging / internal refs: wrangler.toml (cf, cf-worker) defaults ANTHROPIC_BASE_URL to prod (not staging); replaces real env_01… ids with placeholders + guidance comments; docs/usage-guide.md replaces real env ids with env_01... placeholders. Tightens exception handling — modal/daytona webhook catches (WebhookVerificationError, KeyError) instead of bare Exception so real bugs propagate. Documents the ~10-15s Daytona pip-install cold start and pre-bake recommendation. Strips all api-staging.anthropic.com hints (docker README, vercel README + .env.example, modal README) — external readers can’t use staging.
• 74edd9e7 (2026-05-19T05:55:37Z, moeseifan) — refactor(self_hosted_sandboxes): use published SDK releases; fix worker API usage. Switches installs to published versions: ant CLI from GitHub releases (v1.9.0 tarball) instead of pinned prerelease build URLs (drops the Dockerfile unzip step); Python / TS SDKs from PyPI / npm (anthropic, @anthropic-ai/sdk ^0.97.0 — the SDK shipped the same day) instead of prerelease build URLs. Drops the committed package-lock.json files (regenerated on install) and gitignores them. Layout: renames per-platform demo dirs, dropping the redundant self_hosted_sandbox- prefix → cf, cf-worker, daytona, docker, modal, vercel. API correctness (validated against the current SDK): daytona webhook uses AsyncAnthropic with client.beta.environments.work.poller (the sync client has no poller); catches WebhookVerificationError from standardwebhooks (anthropic.WebhookVerificationError does not exist); uses client.beta.sessions not client.sessions; beta_agent_toolset_20260401 not default_tools; drops stale tool_dispatcher / toolDispatcher references; fixes the toolRunner / BetaToolRunContext.toolUseBlock notes in the docs.
• 1a4f78a6 (2026-05-19T07:51:49Z, michael-cohen-io) — merge of PR #640 rlm/private-sandbox-updates with title feat(managed_agents): sandbox worker templates. Brings the above feature + scrub work to main.
• 01b041a6 (2026-05-19T13:40:31Z, rlancemartin) — refactor(self_hosted_sandboxes): rename private-sandbox → self-hosted-sandbox in artifacts and titles. Renames the deploy artifacts (not just the directory): six README H1s (“CMA Private Sandboxes” → “Self-Hosted Sandboxes”), wrangler.toml names (cf, cf-worker), package.json names (cf, cf-worker, vercel), the Vercel runner package name in api/webhook.ts, Modal APP_NAME / SECRET_NAME + README/docstring refs, Docker image default in start.sh / on-work.sh + comment.
• 2eed173a (2026-05-19T13:49:46Z, rlancemartin) — merge of PR #643 rlm/scrub-cma-notebooks with title refactor(self_hosted_sandboxes): rename private-sandbox → self-hosted-sandbox. Lands the rename in main.
• a102bbec (2026-05-18T21:33:14Z, rlancemartin) — merge of PR #614 lance/managed-agents-slack with title feat(managed_agents): Slack stateless webhook bridge template. Sibling pattern to the W21 Linear bridge — the same stateless-webhook + session.metadata-as-foreign-key approach now wired into Slack’s bot platform. Confirms the prediction from the W21 digest (“expect similar bridges for Slack agents, GitHub agents, Notion agents over the next quarter”) — first one landed within a week.

Why the cookbook scrub matters operationally. The 7 self-hosted-sandbox commits + 1 Slack-bridge commit collectively move the CMA worker template surface from “demo-grade with prerelease build URLs” to “production-ready against published SDK versions.” Anyone who pulled the cookbook between W21 and W22 picked up prerelease URLs that will now 404; re-cloning after 74edd9e7 is the only safe path. Also worth noting that the three tool demos dropped by 67aadb7e (cloudrepl, livepage, browseruse) were arguably the most interesting in-progress code in the repo — they’re now gone from anthropics/claude-cookbooks main. If you cloned before the scrub, keep the local copy.

Why It Matters

• Self-hosted sandboxes close the data-sovereignty gap for CMA. Pre-W22, Managed Agents was a hosted-only surface — both the agent loop and tool execution lived on Anthropic infrastructure. That blocked CMA adoption in regulated industries (healthcare, finance, defense) where outbound network egress from customer data systems requires the data plane to stay in customer infrastructure. The new config: {type: "self_hosted"} model splits the responsibility: Anthropic runs the model + orchestration loop; the customer runs an outbound-polling worker that executes tools locally. The customer’s data plane never leaves the customer’s network, but they still get the hosted agent loop. This is the deployment shape Anthropic has been pointing at for months — it’s now shipping.
• Mid-session agent updates unlock dynamic per-conversation tool surfaces. Pre-W22, changing an agent’s tool list required a new agent version + a redeploy + (usually) a new session. The new sessions.update() lets a session override its agent’s tools / mcp_servers / vault_ids in-place without versioning the agent. Use cases include triage agents picking up escalation-only tools mid-conversation, security agents stripping sensitive tools when context shifts, and operator-driven runtime overrides for one-off debugging.
• >100K MCP output offload closes a real failure mode. Tools that returned large JSON / large search results would previously blow up the context window mid-turn. Auto-offloading to a sandbox file + truncated preview means a Tavily multi-page extract, a SEOmator 251-rule audit dump, or a long log file no longer kills the session. Pair with the Context Management in Claude Code surface — Anthropic is closing context-management failure modes from both ends (UX with /btw, /rewind, /compact instructions; infra with file-offload).
• Stainless acquisition context. Anthropic acquired Stainless (the SDK auto-generator) in May 2026 — see Anthropic SDK Releases May 2026 for the M&A side. This week is the first visible result of the integration: same-day Python + TS feature parity, with the cookbook ecosystem (also same-day) immediately bumping to the published versions. Pre-Stainless, the Python and TS clients often shipped feature-for-feature with several days of skew; post-acquisition, lockstep is becoming the norm.
• Cookbook discipline signal. The 8 cookbook commits in a single day — including a same-day scrub of staging refs, a same-day rename of artifacts to match feature naming, and a same-day switch to published SDK versions — is a much tighter release cycle than the cookbook ran in W19 or W20. Worth tracking as a signal that the CMA surface is on Anthropic’s critical path post-conference.
• Slack bridge confirms the predicted pattern. The W21 digest predicted “expect similar bridges for Slack agents, GitHub agents, Notion agents.” The Slack bridge merge (a102bbec, PR #614) landed within a week. Operator pattern: when a new agent-platform integration template appears in anthropics/claude-cookbooks, expect the same stateless-webhook + session.metadata-as-foreign-key shape — making integrations cheap to template across surfaces.
• v2.1.145 permission-prompt-bypass is a security upgrade, not just a polish release. Operators running Claude Code with carefully-tuned Bash permission allowlists should treat v2.1.145 as security-relevant — pre-v2.1.145, a command of the form FOO=bar non-allowlisted-cmd would slip past the allowlist because the parser saw the leading FOO=bar as a variable assignment, not a command. Worth a git log --all -- .claude/settings.json audit to confirm whether any allowlist relied (intentionally or accidentally) on this surface.
• Same-day patch cadence on the SDKs is a Stainless-acquisition signal. Python v0.103.0 → v0.103.1 and TS v0.97.0 → v0.97.1 both ship the same SessionToolRunner ownership fix on 2026-05-19 — within hours of the original release. Pre-Stainless-acquisition, the SDK pipeline had multi-day skew between Python and TS for both features and fixes. This week confirms that lockstep now extends to patch releases, not just feature work. Watch for this cadence to become the default. Adoption rule of thumb: treat any same-day .0 release as “wait for the .1.” Brand-new feature surfaces (sandbox helpers, in this case) often hit edge cases the test matrix didn’t cover.

Try It

1. Read shared/managed-agents-self-hosted-sandboxes.md in anthropics/skills before writing any new CMA integration. The cloud-vs-self_hosted delta table is the single most useful artifact for deciding which mode your workload should use.
2. Try sessions.update() mid-conversation. Spin up a CMA session with a small initial tool list, then call sessions.update(session_id, agent={tools: [...expanded list]}) when the conversation crosses an escalation threshold. Session must be idle; full-replacement semantics. Use case: a customer-support agent that picks up Linear / GitHub / Slack tools only after the conversation has been classified as a real escalation.
3. Audit existing MCP servers for >100K output bloat. Any tool that returns large JSON, long log dumps, or full HTML pages now auto-offloads to a sandbox file with truncated preview + path. The behavior is automatic, but knowing which tools hit the threshold helps with cost forecasting (each file write counts against sandbox storage) — grep -rE 'return.*json|return.*content' . against any custom MCP server source to surface candidates.
4. Upgrade SDKs to the patched versions. pip install --upgrade anthropic (target v0.103.1 — SessionToolRunner fix is required for sandbox workers); npm install @anthropic-ai/sdk@^0.97.1 (same SessionToolRunner patch). Bedrock/Vertex bumps are CI-only and can wait unless your @types/node alignment is currently breaking. Re-clone the anthropic-cookbooks repo after 74edd9e7 if your local copy is older — the prerelease build URLs in earlier commits will 404.
5. Upgrade Claude Code to v2.1.145. claude update; confirm --version shows 2.1.145. From v2.1.144: /resume bg-session unification, /usage-credits rename, 75s startup-hang fix, terminal-corruption self-heal, macOS FDA regression fix. New in v2.1.145: claude agents --json scripting surface, OTEL subagent trace parenting + agent_id/parent_agent_id attributes, status-line GitHub repo/PR context, /plugin Discover/Browse full pre-install detail (commands/agents/skills/hooks/MCP/LSP), agent-view PTT fix, permission-prompt-bypass security fix (bare FOO=bar non-allowlisted-cmd no longer auto-approved). Update muscle memory: /extra-usage → /usage-credits; /model is now session-only (press d to set default).
6. Audit your Bash permission allowlist after upgrading. The v2.1.145 permission-prompt-bypass fix means commands previously slipping through via leading variable assignments will now correctly prompt. If you’ve been relying on this surface (intentionally or accidentally), your CI / agent runs may suddenly hit permission prompts where they previously didn’t.

Related

• Managed Agents — entity article; the self-hosted sandbox surface, mid-session updates, and >100K offload all ship inside this surface
• Week 21 Digest — context for the W21 → W22 release-cadence arc; CMA Sessions API MCP server + Linear stateless webhook bridge from W21 are the direct ancestors of this week’s Slack bridge + self-hosted sandbox work
• Anthropic SDK Releases May 2026 — Python v0.103.0 + TS v0.97.0 detail + Stainless acquisition context
• Essential MCP Servers — surface affected by the >100K tool-output auto-offload behavior
• Context Management in Claude Code — pairs with the >100K offload as the other half of Anthropic’s context-management discipline
• CLI Reference — /resume, /usage-credits, /model, agent-view surface changes from v2.1.144