- [changed] Tightened instructions for detecting exfiltration attempts, including tracing full destination paths, evaluating provenance of content, and treating bulk repo or package pushes as sensitive regardless of branch or claimed privacy.
- [changed] Clarified rules around creating public surfaces (repositories, releases, packages, container images) and handling outbound sensitive details such as identifiers, credentials, and infrastructure data.
- [new] Added optional
present_to_userfield toproject_writeoperations in the SDK to mark files the user should see or act on. - [changed] Updated plan mode, focus mode, and context management guidance to reduce unnecessary narration and improve handling of long-running tasks and user interruptions.
Models & prompts
Prompt wording was updated around plan mode restrictions, focus mode behavior, ambient context, task verification steps, and rejection handling for tool use. These changes affect how the agent communicates status and respects user intent during edits and multi-turn work.
Under the hood
- New environment variables were added:
CLAUDE_CODE_DISABLE_NESTED_CHAIN_IDLE,CLAUDE_CODE_EXPERIMENTAL_OBSERVER_AGENTS,CLAUDE_REMOTE_WORKFLOW_ARGS,CLAUDE_REMOTE_WORKFLOW_SCRIPT,CLAUDE_RUNNER_DISABLE_AWAITING_ACTION_OVERRIDE,CLAUDE_WORKFLOW_NAME_ONLY, and theCLAUDE_WORKFLOWgroup. - A new internal backend route (
/api/frame/contract/latest) was introduced. - Additional Statsig feature gates were added, including
tengu_observer_agents_enabled.
Upgrade notes
No manual steps required.