v2.1.118 shipped April 23. It reads like a hotfix — it isn't. Nine feature bullets, 20+ bug fixes, and a surprising amount of muscle rearrangement under the hood.
The slash-command consolidation lands first. /cost and /stats are now /usage — typing either shortcut opens the relevant tab of the unified panel. Update any muscle memory, screencasts, and team docs. The old names still work as routers, but the canonical command is now singular.
Vim users get v (visual mode) and V (visual-line mode) with selection, operators, and visual feedback. That closes a long-standing gap for anyone who navigates the prompt in vim keymap. Themes get first-class persistence: create named themes from /theme, hand-edit JSON under ~/.claude/themes/, and plugins can now ship a themes/ directory alongside their commands.
Three env-var and settings-file additions worth logging:
DISABLE_UPDATES=1blocks every update path — including a manualclaude update. Stricter thanDISABLE_AUTOUPDATER. If your fleet needs a frozen version, this is the new lever.wslInheritsWindowsSettings(policy key) lets WSL sessions inherit Windows-side managed settings. Cross-boundary governance without duplicating config./modelpicker now honorsANTHROPIC_DEFAULT_*_MODEL_NAME/_DESCRIPTIONwhen you point at a customANTHROPIC_BASE_URLgateway — useful for LiteLLM and OpenRouter setups.
Also shipped: claude plugin tag (git-tag release helper for plugin authors with version validation), /fork no longer writes the full parent conversation to disk per fork (pointer + hydrate-on-read), and a pile of MCP OAuth fixes that quietly kill most of the "please re-authenticate" loops from the last two weeks.
Buried in the v2.1.118 changelog: *"Hooks can now invoke MCP tools directly via type: "mcp_tool"."*
Before today, hooks had four action types — command (shell), http (POST), prompt (LLM), and agent (subagent). If you wanted a hook to call an MCP tool, your only paths were: spawn a subagent that happens to call the tool, or write a shell command that shells out to something that talks MCP. Both are clunky. Both cost tokens.
The new type: "mcp_tool" action collapses that path. A PreToolUse or PostToolUse hook can now invoke any MCP tool from your configured servers directly — no subagent, no side process, no extra model turns. Think of this as hooks finally becoming first-class citizens of the MCP graph.
Where this matters:
- Policy enforcement. A
PreToolUsehook that gates everyWriteagainst a policy MCP server (SpiceDB, OPA, your own authorizer) now runs in one round-trip instead of spinning up a subagent. - Observability. Drop a
PostToolUsehook that pushes a structured event to your logging MCP server (Sentry, Datadog, your own). No shell-out, no token cost. - Audit logging.
Stophooks that record session metadata into a memory MCP server become trivial.
One note: the schema for type: "mcp_tool" hasn't landed in code.claude.com/docs/en/hooks yet at time of writing — the docs page still lists only four hook types. The feature ships in the CLI; the reference catches up in the next doc push. Until then, use the release notes as authoritative and watch for the updated spec.
If you've been running an "MCP bridge" subagent just to let hooks talk to your servers, you can retire it this week.
Arcade's April 22 playbook reframes Claude Code's strongest operator use case: not coding, but the SRE *outer loop* — the correlation, assembly, and drafting work that surrounds incidents. The thesis is worth internalizing: *"Claude Code does not replace the on-call. It just lets them start on page 5 instead of page 1."*
The five patterns:
- Incident triage — correlate PagerDuty pages with Datadog signals, recent GitHub deploys, and Slack history. Arcade's claim: archaeology collapses from 8+ minutes to 2–3.
- Runbook execution — index Confluence runbooks by alert metadata, lay out diagnostic sequences with expected outputs, propose safe commands. The engineer executes with their own credentials.
- Postmortem drafting — reconstruct timelines from Slack, PagerDuty, Datadog, and deploy logs into a template with source-linked evidence. Humans write the root-cause narrative.
- SLO investigation — pull SLO/SLA deltas, join incidents to regressions, extract postmortem root causes, group by theme.
- On-call handoffs — auto-generate shift-boundary briefings covering pages, active incidents, deploys in flight, and burn thresholds.
What separates the pattern from a weekend hack: *managed OAuth* (credentials refresh automatically and never reach the model), *hosted compute* (tools run on shared infrastructure regardless of trigger source — scheduled, API, Slack), *per-tool governance* (permission policies, cost budgets, query limits enforced at the MCP layer), and *persistent audit logs* (OpenTelemetry, tracking triggering user + arguments + response + timestamp).
None of these require Arcade specifically — the patterns transfer to any MCP runtime that gives you those four properties. But the reminder that an MCP *runtime* is not the same as an MCP *gateway* is the most useful takeaway. A gateway routes. A runtime hosts, authenticates, governs, and logs. For any automation that runs without a human on the other end, you need the runtime.
Yesterday we covered Anthropic's A/B test of removing Claude Code from the Pro plan. Today, a pointed contrast: an open-source self-hosted coworker that deploys to your own GCP project, uses your keys, and holds your data in your own Postgres.
Broccoli (besimple-oss/broccoli, 161 stars, MIT, Python) automates the journey from Linear ticket to merged PR. Assign a ticket to the Broccoli bot; it plans, writes code, opens a PR, and handles review feedback. The interesting detail: it shells out to both codex and claude CLIs, so you're not locked into one vendor's model — swap either leg independently.
Deployment is weightier than an npm install. You stand up two Cloud Run workloads (service + job runner), a Postgres instance, Secret Manager entries, a GitHub App, a Linear bot user, and Anthropic + OpenAI API keys. Bootstrap script runs in roughly 30 minutes if you have GCP billing already wired. "Your infra. Your keys. Your data." is the explicit pitch.
What this is not: vendor-neutral — changing the underlying agent requires forking the runner handlers and the vendored prompt templates. Single-contributor (epiclychee). No test suite or production references in the README.
What it is: a credible architectural answer to the "what if Anthropic moves Claude Code behind a $100 paywall" question that dominated yesterday's feeds. If portability is a priority, Broccoli is worth reading even if you never deploy it — the webhook deduplication, durable job state, and Postgres-backed resumption patterns are all transferable to any agent harness you might build yourself.
Before v2.1.118, if you added a custom rule to autoMode.allow, you replaced Anthropic's built-in allowlist. No composition — your list *was* the list. That meant either maintaining a brittle superset (copy all the built-ins, add yours) or shipping a narrower safety surface than Claude Code does by default.
v2.1.118 adds "$defaults" as a sentinel token. Include it in any autoMode.allow, autoMode.soft_deny, or autoMode.environment list and your custom rules get *added* to the built-ins instead of replacing them. Small change, large footprint.
Prerequisites: Claude Code v2.1.118 or newer (claude --version). Auto mode opt-in accepted at least once. Edit access to ~/.claude/settings.json (user scope) or your project's .claude/settings.json.
What you'll do: Add your own always-allow rules on top of Anthropic's built-ins and confirm both sets take effect.
Steps:
- Confirm your version:
# Must be 2.1.118 or newer
- Open
~/.claude/settings.jsonand add or extend theautoModeblock. Put"$defaults"first and your own rules after:
"autoMode": {
"allow": [
"$defaults",
"Bash(pnpm test:*)",
"Bash(pnpm lint)",
"Bash(jq:*)"
],
"soft_deny": [
"$defaults",
"Bash(git push:*)"
]
}
}
(Substitute for your own test/lint commands and tools you trust to auto-run.)
- Start a session and verify auto mode is on:
# Shift+Tab until the status line shows "auto"
- Ask Claude to run one of your custom allow-list commands (e.g.,
pnpm lint). It should execute without a permission prompt.
- Ask Claude to run something outside the allow-list (e.g.,
rm -rf node_modules). It should still prompt — proving the built-in safety surface is intact.
- Try one of the built-in allowed commands (a read-only
ls, aGlobsearch). It should also auto-run — confirming"$defaults"pulled in Anthropic's built-ins.
Expected outcome: Your custom always-allow rules fire without prompts, Anthropic's built-in read-only allowlist still fires, and destructive/network commands still prompt. Before v2.1.118, steps 5 and 6 would have required you to either accept prompts on every ls or manually enumerate every read-only tool in your allow-list.
Verify: Remove "$defaults" from the allow array and restart. Step 6 (the ls/Glob) should now prompt — because your custom allow-list replaced the built-ins. Re-add "$defaults" and it stops prompting again. That flip is the whole feature.