Fetching from the wire…
Top 5 · 2026-07-18 · source-backed
Your Edit(src/**) allow rule doesn't mean what you think it means. Until today, it matched any directory named src at any depth in the repo. Not <cwd>/src. Any src/. Including one an agent just created three levels down, or one that arrived in a dependency checkout.
The v2.1.214 changelog fixes six distinct permission-check bypasses in a single release. The glob one is the headline, but the others are worse in aggregate. A PowerShell 5.1 session bypass. File-descriptor redirect forms that bash parses one way and the permission analyzer parses another. Commands over 10,000 characters getting misjudged (they now always prompt). Zsh variable subscripts and modifiers inside [[ ]] treated as inert text when they're anything but. And help/man auto-allowed despite both being able to run unsafe options and command substitutions. Man pages can execute pagers. That's been true since 1979 and it's still catching people.
Separately in the same release: Docker commands carrying daemon-redirect flags (--url, --connection, --identity, plus Podman's docker shim in remote mode) now require permission. Before, an allowed docker invocation could be pointed at an arbitrary remote daemon and nobody would ask. And file with -m/--magic-file or -f/--files-from flipped from auto-allowed-as-read-only to permission-required, because a "read-only" command that reads an attacker-chosen file path is not read-only in any sense that matters.
Here's what I find more interesting than any individual bug. Every one of these six shares a root cause, and it isn't policy. Nobody wrote a bad rule. The permission analyzer's model of what a command does diverged from what the shell actually executes. That's a parser mismatch, six times over, in six different grammars.
Which means it'll happen again. An allowlist over a Turing-complete shell is a reimplementation of that shell's grammar, and reimplementations drift. If you're building agent sandboxes, this is the load-bearing takeaway: broad allow patterns are a bet that your analyzer reads the same string your shell does, and that bet keeps losing. Deny-by-default with narrow explicit commands is uglier to maintain and structurally sounder.
Do this today. Grep your settings for dir/** patterns. Any of them that you intended as any-depth matching now needs **/dir/**, because the fix changed hook if: conditions to match only <cwd>/dir. That means some of you are about to have hooks silently stop firing on paths they used to catch. Check both directions.
Also in v2.1.214: session cost and token telemetry were double-counting on streams emitting multiple cumulative message_delta frames. If you've been budgeting agent runs off /cost or your OTel token metrics, your baselines are inflated. Long, heavily-streamed sessions were the worst hit, which is precisely where you'd be looking at cost numbers in the first place.
Each link below shares sources, entities, or timing with this story.
Docker supports Claude Code / Shared entities / Same source / Earlier coverage
Linked by a graph relationship (Docker supports Claude Code); both cover Claude Code, OTel, PowerShell; cite the same source (v2.1.214 changelog).
Docker supports Claude Code / Shared entities / Same source / Shared topic / Earlier coverage
Linked by a graph relationship (Docker supports Claude Code); both cover Check, Claude Code; cite the same source (v2.1.214 changelog).
Docker supports Claude Code / Shared entity: Claude Code / Same source / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Docker supports Claude Code); both cover Claude Code; cite the same source (v2.1.214 changelog).
Docker supports Claude Code / Shared entity: Claude Code / Same source / Shared topic / Earlier coverage
Linked by a graph relationship (Docker supports Claude Code); both cover Claude Code; cite the same source (v2.1.214 changelog).
Linked by a graph relationship (Docker supports Claude Code); both cover Claude Code; cite the same source (v2.1.214 changelog).
Docker supports Claude Code / Shared entities / Same source domain / Shared topic / Earlier coverage
Linked by a graph relationship (Docker supports Claude Code); both cover Claude Code, Which; reported by the same outlet (code.claude.com).
Docker supports Claude Code / Shared entity: Claude Code / Same source / Shared topic / Earlier coverage
Linked by a graph relationship (Docker supports Claude Code); both cover Claude Code; cite the same source (v2.1.214 changelog).
Linked by a graph relationship (Docker supports Claude Code); both cover Claude Code; cite the same source (v2.1.214 changelog).