Claude Code v2.1.100 — 3 New Environment Variables: Context Token Limits, Perforce VCS, and Script Capability Controls#

Published on April 10, 2026

Part of the Claude Code Version Tracker series. | Official Env Vars | Official Changelog

Claude Code v2.1.100 adds 3 new environment variables and removes 3 since v2.1.96. This release spans four version increments (v2.1.97–v2.1.100, with v2.1.99 skipped) and packs a dense changelog: a Google Vertex AI setup wizard, Perforce VCS support, PID namespace sandboxing, a focus view for flicker-free mode, the Monitor tool for streaming background script events, and over 30 security fixes hardening the Bash permission system. The breadth of changes positions this as one of the most significant releases in weeks — even though the env var count nets to zero.

Note: At the time of writing, the official changelog includes entries through v2.1.98. Versions v2.1.99 and v2.1.100 do not yet have published release notes. This post will be updated when those entries appear.

What Changed#

	v2.1.96	v2.1.100
Environment variables	222	222 (0 net)
Model IDs	16	16
Feature gates	0	0
Dynamic configs	29	29
Slash commands	24	24

New Environment Variables#

Variable	Likely Purpose
`CLAUDE_CODE_MAX_CONTEXT_TOKENS`	Sets an explicit ceiling on the context window size used during a session. Rather than relying on the model's default maximum, this variable lets operators cap token consumption — useful for cost-conscious teams, rate-limited API plans, or environments where shorter context windows improve latency. The changelog^[1] notes it honors `DISABLE_COMPACT` when set, meaning the cap works in concert with the existing compaction system: you can limit context and disable automatic compaction, forcing sessions to stay small rather than summarizing and continuing. This gives enterprise admins a hard budget lever per session to prevent runaway context accumulation in long-running agents.
`CLAUDE_CODE_PERFORCE_MODE`	Activates Perforce VCS integration. The changelog^[1] specifies: "when set, Edit/Write/NotebookEdit fail on read-only files with a `p4 edit` hint instead of silently overwriting them." Claude Code has been git-centric since launch, and Perforce is an unusual choice for the first alternative VCS. Perforce (Helix Core) dominates game development, semiconductor design, and large binary-asset pipelines — verticals with massive codebases and strict checkout-before-edit workflows. The appearance of this flag likely signals a specific enterprise onboarding effort rather than general VCS abstraction. Someone with a Perforce shop is deploying Claude Code at scale, and this is the minimum viable accommodation: respect file locking, don't silently overwrite read-only files. Expect this to mature alongside that engagement.
`CLAUDE_CODE_SCRIPT_CAPS`	Limits per-session script invocations. The changelog^[1] pairs this with subprocess sandboxing via PID namespace isolation on Linux (when `CLAUDE_CODE_SUBPROCESS_ENV_SCRUB` is set). This variable defines capability boundaries for script execution — likely a numeric cap or capability set controlling how many scripts (or which types) a session can launch. Combined with the PID namespace isolation, this creates a defense-in-depth model: sandboxed subprocesses that are also rate-limited, preventing both privilege escalation and resource exhaustion from runaway script loops.

Notable Changelog Highlights (v2.1.97–v2.1.98)#

Beyond environment variables, these releases pack substantial feature and security work.

New Features#

Google Vertex AI setup wizard — interactive wizard on the login screen when selecting "3rd-party platform," guiding through GCP authentication, project/region configuration, credential verification, and model pinning. This mirrors the Bedrock wizard from v2.1.92, completing the trifecta of first-party API, Bedrock, and Vertex as guided setup paths.
Focus view toggle (Ctrl+O) — in NO_FLICKER mode, shows only the prompt, one-line tool summary with edit diffstats, and the final response. A "heads-up display" for when full streaming output is noise.
Monitor tool — streams events from background scripts, giving agents real-time visibility into long-running processes. Previously, background scripts were fire-and-forget; now agents can watch and react.
Status line refreshInterval — re-runs the status line command every N seconds, enabling live dashboards (build status, test runners, deployment progress) in the terminal footer.
/agents tabbed layout — Running tab shows live subagents; Library tab adds "Run agent" and "View running instance" actions. The agent system is becoming a first-class management surface.
Cedar policy syntax highlighting — .cedar and .cedarpolicy files get syntax highlighting, signaling that AWS Cedar authorization policies are showing up in Claude Code users' workflows.
TRACEPARENT in Bash subprocesses — when OTEL tracing is enabled, child processes inherit W3C trace context, connecting shell command spans to Claude Code's trace tree. Essential for enterprise observability.

Bash Permission Overhaul#

This is the most extensive Bash security update in any release to date — over 15 individual fixes spanning two versions. The changes fall into two categories:

Closing bypass vectors: Backslash-escaped flags could be auto-allowed as read-only and lead to arbitrary code execution. Compound commands bypassed forced permission prompts in auto mode. Redirects to /dev/tcp/... and /dev/udp/... were auto-allowed instead of prompting. Piped commands mixing cd with other segments downgraded deny rules to prompts. grep -f / rg -f didn't prompt when reading pattern files outside the working directory. Permission rules named toString (or other JS prototype properties) caused settings.json to be silently ignored. --dangerously-skip-permissions was silently downgraded after approving a protected-path write. All fixed.

Reducing false prompts for legitimate use: Commands with safe env-var prefixes (LANG=C rm foo, timeout 5 mkdir out) now auto-approve in accept-edits mode. Wildcard permission rules like Bash(cmd:*) and Bash(git commit *) correctly match commands with extra whitespace. cut -d /, paste -d /, column -s /, awk '{print $1}' file, and filenames containing % no longer trigger false prompts. This is the other side of the security coin — tighter where it matters, but less annoying for everyday commands that were wrongly flagged. Users who've been hitting "allow" on obviously safe operations should see noticeably fewer interruptions.

Stability and UX#

MCP memory leak fixed — HTTP/SSE connections were accumulating ~50 MB/hr of unreleased buffers on reconnect. A significant fix for long-running sessions with MCP servers.
429 retry backoff — retries were burning all attempts in ~13 seconds when the server returns small Retry-After values. Exponential backoff now applies as a minimum floor.
/resume picker overhaul — at least 6 distinct bugs fixed: uneditable sessions, search state loss, empty list trapping arrow keys, cross-project staleness, task-status text replacing summaries, and cache misses.
NO_FLICKER mode stabilization — memory leaks from API retries, scroll artifacts in zellij, CJK text garbling on Windows, slow mouse scrolling on Windows Terminal, and crashes on MCP tool hover all fixed. Flicker-free mode is getting production-hardened.
Live permissions — permissions.additionalDirectories changes now apply mid-session without restart, and managed-settings allow rules properly deactivate when an admin removes them.
Vim mode — j/k in NORMAL mode now navigate history and select the footer pill at the input boundary.

What These Tell Us#

The Bash security surface was wider than expected. The sheer count of permission bypass fixes reveals that the auto-allow heuristic for "safe" shell commands was built on pattern matching that couldn't keep up with shell's combinatorial complexity. The fixes aren't adding new features; they're closing gaps in a system that was too permissive by default. For anyone running Claude Code in auto mode or with --dangerously-skip-permissions, this release is a mandatory upgrade.

The false-prompt problem is real and they're fixing both sides. Security hardening usually means more prompts. What's notable here is that Anthropic is simultaneously tightening bypass vectors and reducing false positives — commands like LANG=C sort file.txt or cut -d / that were triggering unnecessary permission dialogs now auto-approve. This matters for adoption: every false prompt trains users to click "allow" without reading, which undermines the entire permission model. Getting the boundary right — prompt for genuinely dangerous operations, stay quiet for safe ones — is harder than it looks, and the volume of fixes here shows how much iteration it takes.

Perforce mode is almost certainly customer-driven. Adding Perforce support isn't on any typical product roadmap for a developer tool in 2026. Git won the VCS wars everywhere except a handful of verticals — game development (Unreal/Unity pipelines), semiconductor EDA, film/VFX, and a few legacy enterprise shops. The specificity of the implementation (fail on read-only files with a p4 edit hint) reads like a minimum viable feature built for a specific deployment, not a general-purpose VCS abstraction. Watch for this to evolve quickly if the engagement succeeds, or stay minimal if it was a one-off accommodation.

Context control is moving from implicit to explicit. CLAUDE_CODE_MAX_CONTEXT_TOKENS fills a gap that power users have felt since the 1M context window shipped. More context isn't always better — cost, latency, and relevance all degrade when sessions accumulate noise. Its interaction with DISABLE_COMPACT is the interesting design choice: you can enforce a hard cap and disable compaction, creating sessions that simply stop rather than summarize. Expect this to become a standard enterprise deployment knob.

The REPL experiment is over. Three removals — CLAUDE_CODE_REPL, CLAUDE_REPL_MODE, and CLAUDE_CODE_SAVE_HOOK_ADDITIONAL_CONTEXT — clean up variables that appeared as recently as v2.1.88. The REPL variables suggested an interactive evaluation loop distinct from the main conversation flow; their removal indicates the feature was either absorbed into the standard tool execution pipeline or abandoned after internal testing.

Sources#

Claude Code Official Changelog — v2.1.97, v2.1.98 release notes

This analysis is conducted for independent security research and interoperability purposes under fair use principles. All trademarks belong to their respective owners. The information presented here documents publicly observable behavior of installed software and is not intended to circumvent any technological protection measures, infringe on intellectual property rights, or encourage unauthorized use. Use these findings at your own discretion.

Claude Code v2.1.96 — No New Environment Variables — Bedrock auth hotfix
Claude Code v2.1.94 — 5 New Environment Variables — Mantle auth, MCP sandboxing, team onboarding
Claude Code v2.1.92 — 5 New Environment Variables — proxy simulation, fast mode bypass, remote session naming
Claude Code v2.1.91 — 1 New Environment Variable — MCP 500K results, plugin binaries, shell execution lockdown
Claude Code v2.1.88 — 7 New Environment Variables — mouse control, REPL mode, flicker-free rendering

Let's Connect

Bluesky LinkedIn Threads