Anthropic Guts CLI Tooling, Bleeds Custom Configs

The press cycle on this one is going to read it as another point release, a few flags tweaked, some paste behavior fixed, another notch on the CLI's belt. The actual signal for dev teams running agent workloads isn't in the changelog's top line; it's in the quiet redefinition of how settings propagate, how permissions cascade, and how audit trails now auto-generate. Anthropic didn't just patch the tooling; they rewired the governance model underneath, and every team with a pinned dependency just got a new compliance surface to inspect.

This isn't the first time we've seen a vendor use a patch to shift the operational burden downstream. Remember OpenAI's quiet deprecation of the stream flag in early 2024? Same rhythm: minor fix, major implication. The difference now is that agent frameworks aren't experimental, they're in CI/CD pipelines, in SOC2 reviews, in procurement questionnaires. A tweak to permissionMode isn't a developer convenience; it's a risk vector that legal teams now have to sign off on.

Anthropic's v2.1.119, released April 23, doesn’t announce itself as a policy layer. But that’s what it is. The headline changes, persistent config in ~/.claude/settings.json, support for non-GitHub PR systems, PowerShell auto-approval, are just the delivery mechanism. What changed is the hierarchy: settings now participate in "project/local/policy override precedence." That phrase alone should trigger a calendar invite with your security lead.

What Shipped

The release notes list 42 changes, but only a handful matter for operator teams. First, configuration settings, theme, editor mode, verbosity, now persist to ~/.claude/settings.json. That’s not just user preference; it’s the first time a global config file becomes part of the enforcement chain, subject to project-level and policy-level overrides. If your org has a central policy repo that pushes config defaults, those now take precedence over individual settings, and the precedence order is now codified.

Second, --from-pr now accepts GitLab merge requests, Bitbucket pull requests, and GitHub Enterprise URLs. This looks like inclusivity, but it’s really about control: Anthropic’s tooling now normalizes across VCS platforms, meaning the agent’s behavior in a GitLab MR is governed by the same hooks and permissions as a GitHub PR. Cross-platform parity is useful, but it also means fewer escape hatches for teams relying on platform-specific quirks.

Third, PowerShell commands can now be auto-approved in permission mode, matching Bash behavior. This reduces friction, yes, but it also means any agent with elevated permissions can execute PowerShell scripts without interactive approval. In environments where PowerShell is a known attack vector (read: most Windows shops), this is a meaningful surface expansion.

Fourth, and most quietly, hooks like PostToolUse and PostToolUseFailure now include duration_ms, the exact execution time of a tool, excluding permission prompts. That’s telemetry that wasn’t logged before. It’s framed as a debugging aid, but in practice, it’s a forensic record. If an agent runs a grep or curl for 17 seconds, that’s now in the transcript. Not estimated. Not sampled. Logged.

Other fixes are real but second-order: slash command UI tweaks, paste handling in terminals, MCP server connection order. The security patch for blockedMarketplaces enforcing hostPattern and pathPattern is necessary but expected, what’s telling is that the fix was needed at all.

[[IMG: a software engineering lead in a Toronto office reviewing agent config files on a dual monitor setup, terminal windows showing config hierarchy and override precedence]]

Why It Matters

We’ve been here before, not with agents, but with containers. Remember when Docker's --privileged flag seemed like a convenience until it showed up in a pentest report? Or when Kubernetes admission controllers went from "nice-to-have" to "SOC2 requirement" overnight? This is that inflection point: the moment when developer tooling becomes compliance infrastructure.

The shift from "local config" to "policy override precedence" is the core move. Until now, agent settings were largely ad hoc, a .claude file here, an env var there. Now, they’re part of a chain of authority. If your firm has a security policy repo that pushes down config defaults, those can override team-level or individual settings. That’s good for consistency, but it also means every config change now has to be reviewed through a governance lens. Is that dark mode preference really worth a policy exception?

The PowerShell auto-approval is another example of convenience outpacing risk modeling. Bash auto-approval already existed; extending it to PowerShell closes a gap, but it also assumes that both shells have equivalent risk profiles. They don’t. PowerShell’s access to Windows internals, WMI, and .NET makes it a higher-risk execution environment. Anthropic’s decision to treat them as equivalent is a judgment call, one that shifts the burden to the operator to add compensating controls.

And then there’s the telemetry. duration_ms in PostToolUse hooks isn’t just data, it’s evidence. In a breach investigation, that log could prove whether an agent was used to exfiltrate data via a slow tail or a long-running curl. It’s the kind of detail that wasn’t considered six months ago but is now table stakes for audit readiness.

The broader category move here is the quiet erosion of the "developer sandbox" myth. In 2022, AI agents were playthings, used for code gen, maybe a quick refactor. Now they’re in PR flows, in CI pipelines, in production runbooks. Every new capability, every new integration, expands the attack surface. Anthropic isn't ignoring that, they're institutionalizing it. This release doesn't add flashy features; it adds guardrails, logging, and policy enforcement. That’s not exciting. It is, however, necessary.

What to Migrate

If you're running claude-code in any capacity, dev, staging, or production, here’s what to do before the next patch hits:

1. Pin your version immediately. If you’re not already pinning to a specific version in your lockfile or container image, do it now. The next update could enforce stricter defaults or remove deprecated flags. Use v2.1.119 as your baseline until you’ve audited the implications.

2. Map your config hierarchy. Identify where settings are defined: global (~/.claude/settings.json), project-level (.claude/config), or policy-controlled (via centralized config push). Test the override precedence, what happens when a project setting conflicts with a policy setting? Document it. Share it with security.

3. Audit all agent definitions for permissionMode. Specifically, check built-in agents. If any have auto-approve enabled for Bash, they now inherit that for PowerShell. That may be acceptable in a dev environment; it’s likely not in staging or prod. Disable auto-approval by default and require explicit opt-in per agent.

4. Evaluate your logging pipeline. The new duration_ms field in PostToolUse hooks will appear in session transcripts. If your logging system parses these, ensure it can handle the new field without dropping messages. Test in staging with synthetic tool use.

5. Review prUrlTemplate usage. If you’re using the PR badge in output, update it to point to your internal code review URL (GitLab, Bitbucket, GHE). This is low-risk but high-visibility, teams will notice if the badge still points to github.com.

6. Check MCP server configs. The fix for ${ENV_VAR} substitution in headers means any MCP server relying on environment variables must now have them properly set before startup. Verify that secrets and endpoints are resolved correctly.

The real cost of v2.1.119 isn’t the migration, it’s the audit trail every compliance-bound team now has to run.

7. Test Windows behavior. If you have Windows-based agents, validate that MCP servers spawn correctly when the plugin cache is incomplete. The fix for this edge case was needed, but it may expose other dependency issues.

8. Update your runbook. Add a step for verifying settings.json persistence after restart. The fix for non-persistent verbosity settings means configs should survive restarts, but test it. A lost setting in production could break expected behavior.

[[IMG: an engineering manager in a London-based startup conducting a post-mortem on agent configuration drift, whiteboard showing override precedence and policy layers]]

Looking Ahead

Twelve weeks from now, the signal will be clear: how many teams have been forced to roll back due to unexpected policy overrides or PowerShell execution incidents. If the number is high, it means Anthropic moved too fast on permission parity. If it’s low, it means the operator community has finally internalized that agent tooling isn’t just dev convenience, it’s infrastructure.

The next release will likely tighten the screws further: mandatory policy hooks, stricter default deny for tools, or even a signing requirement for agent definitions. The trend is undeniable. The question isn’t whether governance will come, it’s whether your team will be ready when it does.

Pin tight. Audit early. Treat the config file as production infrastructure, because at this point in the agent-deployment cycle, it is exactly that.

• GitHub Releases (anthropics/claude-code), accessed 2026-04-29
• Anthropic CLI Documentation, accessed 2026-04-29
• OpenTelemetry Integration Guide for AI Agents, accessed 2026-04-29