Claude Code v2.1.104 — 2 New Environment Variables: Enterprise TLS and SDK OAuth#
Published on April 12, 2026
Part of the Claude Code Version Tracker series. | Official Env Vars | Official Changelog
Claude Code v2.1.104 adds 2 new environment variables since v2.1.100. The official changelog covers v2.1.101 (versions 2.1.102–2.1.104 have no published entries yet), which is dominated by enterprise infrastructure work — OS CA certificate store trust by default, a /team-onboarding command, dozens of /resume and plugin stability fixes, and a command injection security fix in LSP binary detection. The env var additions are small but architecturally telling: both target the SDK and enterprise deployment surface.
What Changed#
| v2.1.100 | v2.1.104 | |
|---|---|---|
| Environment variables | 222 | 224 (+2) |
| Model IDs | 16 | 16 |
| Feature gates | 41 | 41 |
| Dynamic configs | 29 | 29 |
| Slash commands | 24 | 24 |
New Environment Variables#
| Variable | Likely Purpose |
|---|---|
CLAUDE_CODE_CERT_STORE | Controls which certificate authority store Claude Code uses for TLS verification. The v2.1.101 changelog[1] explains that the OS CA certificate store is now trusted by default, "so enterprise TLS proxies work without extra setup." Setting this to bundled reverts to using only the bundled CA certificates shipped with the Node.js runtime. This is the escape hatch for the new default — if your organization's OS-level certificate store contains CAs that cause verification issues (expired internal CAs, test certificates, or certificates that conflict with pinned expectations), you can force Claude Code back to the known-good bundled set. For the vast majority of enterprise deployments behind corporate TLS inspection proxies (Zscaler, Netskope, Palo Alto), the new default eliminates the single most common setup friction: Claude Code failing to connect because Node.js doesn't trust the proxy's re-signing CA. |
CLAUDE_CODE_SDK_HAS_OAUTH_REFRESH | Signals to the Claude Code runtime that the SDK caller has already provided an OAuth refresh token. This is an SDK-internal coordination flag — when set, it likely adjusts authentication flow behavior so the runtime skips its own token refresh logic and trusts that the embedding application (VS Code extension, JetBrains plugin, or custom SDK integration) will handle token lifecycle. This prevents double-refresh races where both the SDK host and the Claude Code subprocess attempt to refresh an expiring token simultaneously, which can invalidate the token for both parties. The naming convention (SDK_HAS_) suggests a capability advertisement pattern: the SDK host declares what it manages, and the runtime adapts accordingly. |
Notable Changelog Highlights (v2.1.101)#
Beyond environment variables, this release packs a dense set of fixes and improvements.
New Features#
/team-onboardingcommand — generates a teammate ramp-up guide from your local Claude Code usage. This introspects your configuration, memory files, and workflow patterns to produce onboarding documentation for new team members adopting Claude Code.- OS CA certificate trust by default — enterprise TLS proxies now work out of the box. Previously, deployments behind Zscaler or similar inspection proxies required manual certificate configuration.
/ultraplanauto-provisioning — remote-session features now auto-create a default cloud environment instead of requiring web setup first, removing a friction point for plan mode adoption.- Session title resume —
claude -p --resume <name>now accepts session titles set via/renameor--name, not just session IDs.
Security#
- Command injection fix — a vulnerability in the POSIX
whichfallback used by LSP binary detection has been patched. This affected the code path that locates language server binaries on systems without a nativewhichcommand. - Permission deny enforcement —
permissions.denyrules now properly override a PreToolUse hook'spermissionDecision: "ask", closing a vector where hooks could downgrade a deny into a prompt.
Stability#
- Virtual scroller memory leak — long sessions were retaining dozens of historical copies of the message list. Fixed.
/btwdisk writes — was writing a copy of the entire conversation to disk on every use. Fixed.--resumechain recovery — multiple fixes for conversation context loss on large sessions, stale directory cleanup, and cross-conversation bridging bugs.- Plugin system — fixes for slash command resolution with duplicate frontmatter names,
ENAMETOOLONGon plugin update, stale version caches, and skill frontmatter fields not being honored. - Hardcoded 5-minute timeout removed — slow backends (local LLMs, extended thinking, slow gateways) were being aborted regardless of
API_TIMEOUT_MS. Now respects the configured timeout.
What These Tell Us#
Enterprise TLS is the #1 deployment blocker, and it just got solved. The CLAUDE_CODE_CERT_STORE variable and its corresponding default-to-OS-store behavior addresses what has been the single most reported friction point in corporate Claude Code deployments. Every enterprise with a TLS inspection proxy — and that's most of them — had to manually configure certificate trust before Claude Code would connect. Making this automatic with a fallback escape hatch is a mature infrastructure decision. The fact that it shipped alongside the /team-onboarding command reinforces the read: Anthropic is optimizing for organizational adoption, not just individual developer experience.
SDK auth coordination is getting more sophisticated. CLAUDE_CODE_SDK_HAS_OAUTH_REFRESH is a small flag with architectural implications. It means the boundary between "Claude Code the CLI" and "Claude Code the embedded runtime" is being formalized — the SDK host and the runtime now negotiate who manages token lifecycle rather than both trying independently. This matters as Claude Code ships in more IDE extensions and custom integrations where the host application has its own auth flow. Expect more SDK_HAS_ or SDK_ prefix variables as this capability advertisement pattern expands.
Sources#
- Claude Code Official Changelog — v2.1.101 release notes
This analysis is conducted for independent security research and interoperability purposes under fair use principles. All trademarks belong to their respective owners. The information presented here documents publicly observable behavior of installed software and is not intended to circumvent any technological protection measures, infringe on intellectual property rights, or encourage unauthorized use. Use these findings at your own discretion.
Related Versions#
- Claude Code v2.1.100 — 3 New Environment Variables — context token limits, Perforce VCS, script caps
- Claude Code v2.1.96 — No New Environment Variables — Bedrock auth hotfix
- Claude Code v2.1.94 — 5 New Environment Variables — Mantle auth, MCP sandboxing, team onboarding
- Claude Code v2.1.92 — 5 New Environment Variables — proxy simulation, fast mode bypass, remote session naming
- Claude Code v2.1.91 — 1 New Environment Variable — MCP 500K results, plugin binaries, shell execution lockdown
Related: Context Window Management Guide | Claude Code Productivity Tips | The Agentic Engineering Playbook