Back to Research

Claude Code 2.1.205 Hardens Agent State

Claude Code 2.1.205 fixes session safety, schema output, background agents, MCP imports, and Windows edge cases.

The Parthenon, landscape painting by Frederic Edwin Church (1871).
Rogier MullerJuly 9, 202611 min read

Claude Code 2.1.205 is an official @anthropic changelog release for Claude Code, Anthropic’s coding agent. It deals with state safety: transcript tampering, invalid JSON schema output, dropped queued messages, Windows worktree deletion, background agent status, MCP imports, and plugin LSP failures. The takeaway is not a flashy feature; the release hardens the places where coding agents can lose context or report the wrong thing. For a Claude Code workshop, it also gives a concrete answer to how teams adopt Claude Code for coding workflows: make the fragile edges observable before trusting longer agent runs.

Claude Code is Anthropic’s terminal-based coding agent for working in real repositories. Version 2.1.205 matters because it tightens the boring seams: files that should not be edited, schemas that should fail clearly, jobs that should resume cleanly, and integrations that should degrade instead of wedging the session.

Read 2.1.205 as a state-integrity patch

The headline change is small but important: auto mode now blocks tampering with session transcript files. That sounds like housekeeping until you remember that the transcript is the session’s memory trail. If an agent can rewrite the trail while it is working, review gets mushy fast.

This is the kind of fix developers care about after the third “wait, why did it think that?” debugging session. A transcript should be evidence, not another editable work surface.

The trap is treating this as only a security fix. It is also a workflow fix. In a repo with a concise CLAUDE.md, scoped commands, and a background agent doing a refactor, the transcript is how you reconstruct what happened when the diff looks surprising.

A good local rule is simple: let Claude Code edit source, tests, docs, fixtures, and generated files you explicitly allow. Do not treat session files as part of the task surface.

Check output contracts before trusting automation

The changelog also fixes two output-contract bugs around --json-schema. Invalid schemas could silently produce unstructured output, and schemas using the format keyword could be rejected. That is exactly the kind of edge case that makes a review bot or slash-command workflow look reliable until it quietly is not.

A concrete example: suppose your repo has a slash command that asks Claude Code to summarize risky changes into a JSON object for CI to parse. If the schema is wrong, the command should fail loudly. It should not hand downstream tooling a polite paragraph that only looks structured to a human.

2.1.205 also fixes a message sent while Claude was working being silently lost when the turn ended at the --max-turns limit. That is another output-contract issue, just at the conversation layer. If a developer adds “also update the migration test” while the agent is still working, the instruction should not disappear at the boundary.

The trap is assuming a fixed CLI flag removes the need to validate your own contract. Keep one intentionally invalid schema in a scratch test. Keep one schema using format. Run both when you upgrade the repo’s agent tooling.

Treat background agents like jobs, not tabs

Several fixes in 2.1.205 are about background agent truthfulness. The agent list could keep showing resumed agents as “failed” or “completed.” Jobs that needed input could flip back to “working” when the turn had no readable text. Remote Control panels on web and mobile could show stale “Running” status.

Those are not cosmetic bugs when a developer is juggling two worktrees and a PR review. Status is how people decide whether to interrupt, attach, wait, or kill a job.

The release also fixes claude attach erroring when a background agent was in a mid-upgrade restart. It now waits for the agent to come back. That is the right behavior for a long-running tool: a restart should be a pause, not a broken handoff.

There is one more sharp edge here. Session-to-PR linking could miss a PR created in a Bash call when the output exceeded the 30K inline limit. If your flow asks Claude Code to create a PR from the terminal, do not use “the link appeared in chat” as your only proof. Check the branch and remote too.

For adjacent context on earlier workflow-control fixes, see claude-code 2.1.202 Tunes Dynamic Workflows. The pattern is the same: less drama, better state.

Watch the integration and filesystem edges

The MCP fix is practical. claude mcp add-from-claude-desktop could get stuck when a server name contained unsupported characters. In 2.1.205, invalid names are reported and the remaining servers still import.

That is the behavior you want from an integration importer. One bad server name should not block GitHub, Slack, docs, or database connections that are otherwise valid. A clean error plus partial success is much easier to repair than a stuck import.

There is also a plugin LSP fix. A plugin LSP server that fails to initialize no longer prevents a valid LSP server from another plugin handling the same file extension. In a polyglot repo, that matters more than it sounds. One broken plugin should not blind the editor-like layer for everyone else.

The Windows fixes are more serious. Worktree removal could delete files outside the worktree when an NTFS junction or directory symlink existed inside it. Claude Code also fixed crashes when the launch directory was deleted, locked, or unmounted during a command, and when a file watcher closed while a directory scan was still in flight.

The trap is testing agent workflows only on the happiest macOS path. If your repo has Windows developers, generated worktrees, symlinked fixtures, or mounted directories, this release is a reason to run one boring filesystem smoke test before the next big agent-assisted refactor.

Try it safely in one existing repo

Do this in one repo, not everywhere at once. The goal is to see whether 2.1.205 changes the failure modes you actually hit.

Prerequisites:

  • A repo where you already use Claude Code.
  • One background-agent workflow or long-running command.
  • One MCP import path from Claude Desktop, if you use MCP.
  • One structured-output command that uses --json-schema, if you have one.
  • A scratch branch or disposable worktree.

Step 1: pick the riskiest edge you already use.
Choose background agents, MCP import, JSON schema output, or Windows worktrees. Do not invent a new process for the test. The best signal comes from a workflow that already annoys you.

Step 2: run the existing command once on the current repo state.
Capture what “normal” looks like: terminal output, agent status, PR link behavior, or schema validation. A tiny handoff receipt is enough. For example: branch name, command run, expected artifact, and where the result appeared.

Step 3: test one failure path on purpose.
For MCP imports, run the actual importer and confirm invalid server names are reported without blocking valid servers:

claude mcp add-from-claude-desktop

For schema output, try an invalid schema in a scratch session and confirm the failure is visible. For background agents, send a message while Claude is working near a turn limit and confirm it is not lost.

Step 4: write one repo-local convention, not a policy book.
Keep it close to the workflow. A short note in your repo’s existing conventions is enough: “Do not edit Claude session transcript files,” “Validate --json-schema schemas before using parsed output,” or “Check remote PR state when Bash output is very large.” More examples belong in the related training topic, but the repo note should stay small.

Step 5: verify the result with evidence.
The setup works when you can point to one concrete artifact: a visible schema failure, an MCP import report that skips only invalid names, a resumed background agent with a correct status, or a worktree removal test that leaves outside files alone.

Copy this one-repo smoke checklist

Use this after upgrading Claude Code to 2.1.205 in a repo where agent state matters.

Area What to try Pass condition
Session transcript safety In a scratch session, confirm auto mode does not treat transcript files as editable task files. Transcript files are protected from tampering.
JSON schema output Run your existing --json-schema flow with one invalid schema and one schema using format. Invalid schema fails clearly; valid schema with format is accepted.
Message boundary Send a follow-up instruction while Claude is working near a --max-turns boundary. The message is preserved when the turn ends.
Background agent status Resume a background agent with SendMessage and inspect the agent list. Status reflects the resumed job, not stale “failed” or “completed” state.
Attach during restart Attach to a background agent during an upgrade restart if you can reproduce it safely. claude attach waits for the agent to return.
MCP import Run claude mcp add-from-claude-desktop with at least one unsupported server name present. Invalid names are reported and remaining servers import.
Plugin LSP Open a file extension handled by two plugins, one of which has a failing LSP server. A valid LSP server from another plugin can still handle the file.
Windows worktree In a disposable Windows checkout, remove a worktree containing a junction or directory symlink. Files outside the worktree are not deleted.
PR linking Create a PR from a Bash call with large output, if this is part of your flow. The session still links to the PR, or you verify it directly in Git.

Keep the checklist boring. Boring is the point. A coding agent earns longer jobs by surviving the small boundaries cleanly.

One methodology lens

One useful way to read this through our methodology is the Plan step: delegate first-pass decomposition and dependency mapping, review the sequencing and assumptions, and keep ownership of scope and priorities. If that split is still fuzzy, the workflow usually is too.

Practical starter checklist

- [ ] Name the Claude Code artifact first: a hook boundary, an MCP permission note, a slash-command workflow, a Claude skill outline, a review checklist, or a concise CLAUDE.md note when repository memory is the topic.
- [ ] Write the review checklist before generation starts: scope, owner, tests, rollback.
- [ ] Keep the first step small enough that a reviewer can inspect the receipt without replaying the whole chat.

Common questions

  • What should teams know about claude code workshop?

    Start by writing down one visible team rule for Claude Code, not a loose preference. That is the practical core of claude code workshop. That usually means a short repository convention, a review checklist, and one owner who can reject agent output when the evidence is missing.

  • Which Claude Code artifact should teams standardize first?

    Standardize the smallest artifact that reviewers already touch: a hook checklist, MCP permission rule, slash-command workflow, skill outline, or concise CLAUDE.md note. The point is not documentation volume; it is a shared place where scope, allowed tools, expected tests, and rollback notes are visible before generated code reaches review.

  • How do teams know the convention is working?

    The convention is working when reviewers can approve or reject agent output from the artifact and evidence alone. Track whether pull requests name the rule used, include the promised checks, and avoid replaying long sessions just to understand what changed.

Best ways to use this research

  • Best for: Claude Code teams deciding which hook, skill, MCP boundary, slash-command workflow, review habit, or repository-memory convention to standardize next around “Claude Code 2.1.205 Hardens Agent State.”
  • Best first artifact: turn the named fix into a hook checklist, skill note, MCP permission note, review receipt, or concise CLAUDE.md convention when repository memory is the real topic before the next automated run.
  • Best comparison angle: compare the workflow against the current Claude Code handoff, hook behavior, and MCP scope; keep the path that leaves the shortest auditable trail.

Further reading

What to do next

Take this into the related training topic and test whether a new reviewer can defend the merge without replaying the chat.

Related training topics

Related research

Continue through the research archive

Ready to start?

Transform how your team builds software.

Get in touch