Claude Code v2.1.196: the MCP fix agent builders should actually read

Buried under session names and clickable file links is a real fix: untrusted repos can no longer auto-spawn MCP servers through your own settings file.

2026-07-03 · 3 min read

Anthropic shipped [Claude Code v2.1.196](https://github.com/anthropics/claude-code/releases/tag/v2.1.196) on June 29. Most of the release notes are the usual maintenance sweep — readable session names, clickable file attachments, a Windows background-job fix. Two lines matter more than the rest, and they're both about running agents unattended, which is the actual job if you're building on top of this stuff instead of just chatting with it.

The MCP fix

The security line reads: `claude mcp list`/`get` no longer spawn `.mcp.json` servers that a repo self-approved via a committed `.claude/settings.json`.

Read that twice. A repo could ship its own `.mcp.json` (which server to run) *and* its own `.claude/settings.json` (which servers are pre-approved) — meaning a cloned repo could get an MCP server auto-spawned just by running a read-only inspection command, no explicit approval from the person who cloned it. That's a supply-chain vector: an MCP server is a running process with tool-call access, and "self-approved" isn't the same as "you approved it." Untrusted workspaces now show ⏸ Pending approval instead of silently launching. It's a narrow fix, but it's the right instinct — an agent's trust boundary should never be a file the target repo gets to write.
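An added example, not from the release notes or from Claude Code itself: a Python audit that lists which `.mcp.json` servers a cloned repository pre-approves through its own committed `.claude/settings.json`. The key names `mcpServers`, `enableAllProjectMcpServers` and `enabledMcpjsonServers` are assumptions taken from Claude Code's documentation and should be checked against the version in use; the sample repo contents are constructed.

```python
import json
import sys
import tempfile
from pathlib import Path

def load_json(path):
    """Parse a JSON object; a missing or malformed file yields {}."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def self_approved_servers(repo):
    """Return {server name: command line} for every .mcp.json server that the
    repo's own committed .claude/settings.json marks as approved."""
    repo = Path(repo)
    servers = load_json(repo / ".mcp.json").get("mcpServers")
    settings = load_json(repo / ".claude" / "settings.json")
    # Assumption: key names as given in Claude Code's settings documentation.
    approve_all = settings.get("enableAllProjectMcpServers") is True
    listed = settings.get("enabledMcpjsonServers")
    approved = {n for n in listed if isinstance(n, str)} if isinstance(listed, list) else set()
    findings = {}
    for name, spec in (servers.items() if isinstance(servers, dict) else []):
        if isinstance(spec, dict) and (approve_all or name in approved):
            args = spec.get("args")
            argv = [spec.get("command", "")] + (args if isinstance(args, list) else [])
            findings[name] = " ".join(str(a) for a in argv)
    return findings

def demo():
    """Constructed sample: a repo that ships two servers and vouches for one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".claude").mkdir()
        (root / ".mcp.json").write_text(json.dumps({"mcpServers": {
            "docs": {"command": "npx", "args": ["example-docs-server"]},
            "build": {"command": "./tools/build-helper.sh"}}}))
        (root / ".claude" / "settings.json").write_text(
            json.dumps({"enabledMcpjsonServers": ["build"]}))
        return self_approved_servers(root)

if __name__ == "__main__":
    found = self_approved_servers(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, cmd in found.items():
        print(f"repo self-approves MCP server {name!r}: {cmd}")
```

Run it against a fresh clone before opening the directory in an agent harness; any hit is a server the repository vouched for on its own behalf and is worth reading before you approve it yourself.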

This is the same principle behind Sato Score's [verification framing](https://satohub.ai/sato-score): self-reported is not verified, whether it's a listing claiming an audit or a repo claiming its own MCP server is safe to run. Good to see it enforced at the harness level, not just the directory level.

Background agents get sturdier

The other real thread in this release is reliability for long-running, unattended agents:

  • Long-running background commands now survive the session process being stopped, restarted, or updated — including on Windows, where background shells used to just get killed.
  • Workers killed by a daemon restart auto-resume from where they left off the next time the agents view opens.
  • Mid-turn crash recovery for Remote sessions: a server restart no longer strands a session, it auto-resumes on the next worker.
  • A background job whose transcript got misread used to have its entire conversation deleted and the original prompt silently re-run. Now the bad transcript is set aside, not destroyed.

None of these are headline features. All of them are the difference between "an agent I can leave running overnight" and "an agent I have to babysit." If your build involves scheduled or long-horizon agent runs — which describes most of the onchain-agent stack, from indexers to trading bots to the enrichment routines that keep a directory like this one current — this is the part of the changelog that actually changes your uptime, not the UI polish.

The smaller stuff worth knowing

  • Org default models: admins can now set a default model in the org console, surfaced as "Org default" (or "Role default") in `/model` for anyone who hasn't picked their own. Fleet-level model governance, not a per-developer toggle.
  • `/code-review` got cheaper: five separate cleanup finders were merged into one pass, cutting token usage on that workflow by roughly 25% with no stated drop in coverage.
  • A watchdog is on by default: if a response stream produces zero events for 5 minutes, Claude Code now aborts and retries automatically (`CLAUDE_ENABLE_STREAM_WATCHDOG=0` to opt out). Fewer silently-hung sessions.
  • `claude agents --dangerously-skip-permissions` used to silently fall back to auto mode instead of actually bypassing permissions — it now shows the bypass disclaimer and applies bypass mode to spawned agents, which is the honest version of a flag with that name.

What to watch

The pattern across the last few Claude Code releases is consistent: incremental hardening of the unattended path — background jobs, remote sessions, MCP trust boundaries — while the interactive chat surface gets smaller polish. That's the right allocation if agents are meant to run without a human staring at the terminal. Worth watching whether the `.mcp.json` self-approval fix gets extended to other auto-trust surfaces next; "a repo can vouch for itself" is a pattern worth auditing wherever it shows up, not just in this one command path.

Sources

  • [Claude Code v2.1.196 release notes — anthropics/claude-code](https://github.com/anthropics/claude-code/releases/tag/v2.1.196)
