claudekit / updates / claude-code-2-1-166
[ PATCH · ]

Claude Code 2.1.166

The new `fallbackModel` setting takes up to three fallback models tried in order when the primary is overloaded or unavailable, and `--fallback-model` now also applies to interactive sessions. Deny rules accept glob patterns in the tool-name position (`"*"` denies all tools), and messages relayed via `SendMessage` from other Claude sessions no longer carry user authority. `MAX_THINKING_TOKENS=0`, `--thinking disabled`, and the per-model thinking toggle now disable thinking on default-thinking models via the Claude API, and Claude Code retries a turn once on the fallback model when the API returns an unexpected non-retryable error. Plus fixes for remote sessions stuck during worker registration, JetBrains 2026.1+ terminal flicker, Shift+non-ASCII characters dropped under the Kitty keyboard protocol, and managed settings whose single invalid entry silently disabled enforcement of the rest.

Claude Code
Official announcement →

This article is a summary based on official documentation.

What changed

Claude Code 2.1.166 shipped on June 6, 2026. Fallback model behavior is now a first-class setting, the deny rule tool-name position accepts globs, and the cross-session message authority model is tightened. A long list of regressions across remote sessions, JetBrains 2026.1+ terminals, the Kitty keyboard protocol, and managed-settings validation also lands together.

New features

  • fallbackModel setting and interactive-session fallback

    Falling back when the primary model was overloaded or unavailable was inconsistent, and --fallback-model did not apply to interactive sessions. The new fallbackModel setting configures up to three fallback models tried in order, and --fallback-model now also applies to interactive sessions.

  • Glob pattern support in the deny rule tool-name position

    Deny rules required listing tools by exact name, so blocking everything meant enumerating each rule. Glob patterns are now supported in the deny rule tool-name position, with "*" denying all tools. Allow rules reject non-MCP globs, and unknown tool names in deny rules warn at startup.

  • Hardened cross-session messaging

    Messages relayed via SendMessage from other Claude sessions carried user authority, so receivers could be tricked into permission prompts and auto mode could act on them. Relayed messages now no longer carry user authority — receivers refuse relayed permission requests, and auto mode blocks them.

  • MAX_THINKING_TOKENS=0/--thinking disabled apply to default-thinking models

    On models that think by default, MAX_THINKING_TOKENS=0, --thinking disabled, and the per-model thinking toggle did not actually disable thinking. They now disable thinking on default-thinking models via the Claude API (3P providers are unchanged).

  • Auto-retry once on the fallback model for unexpected non-retryable API errors

    An unexpected non-retryable error from the API failed the turn outright, leaving no chance for a fallback. Claude Code now retries a turn once on the fallback model when the API rejects an unexpected non-retryable error. Auth, rate-limit, request-size, and transport errors still surface immediately.

  • claude update announces the target version before downloading

    claude update went silent during downloads, with no indication of what version was being installed. It now announces the target version before downloading.

  • claude agents URL filter

    Finding a session by the URL in its first prompt meant scrolling the list manually. Typing a URL into the claude agents list now filters to the session whose first prompt contained it.

Bug fixes

Sessions & remote

  • Recurring “image could not be processed” error and extra token usage when an unprocessable image was sent in a session — fixed.
  • Remote sessions becoming permanently stuck when a brief backend disruption occurred during worker registration at startup — fixed.
  • Background agent sessions that entered a git worktree crash-looping with “No conversation found” when reopened from claude agents — fixed.
  • /doctor showing a contradictory failed “Not inside a remote session” check when run inside a remote session — fixed.

Permissions & managed settings

  • Managed settings with an invalid entry silently disabling enforcement of their remaining valid policies — fixed.
  • Managed-settings allowedMcpServers/deniedMcpServers predicates not matching when they use ${VAR} references — fixed.
  • Voice mode requiring /login to clear a stale auth check after toggling /voice — fixed.

Terminal & UI

  • Flickering in JetBrains IDE terminals (IntelliJ, PyCharm, WebStorm, etc.) on 2026.1+ — fixed by enabling synchronized output.
  • Shift+non-ASCII characters (e.g. Shift+ä → Ä) being dropped in terminals using the Kitty keyboard protocol (WezTerm, Ghostty, kitty) — fixed.
  • Cursor sticking at the end of the first line when typing a multiline prompt in the claude agents dispatch and reply inputs — fixed.
  • Blank lines appearing between background agent rows in the task list on terminals without Unicode support — fixed.
  • Duplicated thinking text in the Ctrl+O transcript view while streaming — fixed.

Platform

  • PowerShell command validation occasionally hanging far past its time budget on Windows when a killed process’s children held its output pipes — fixed.
  • Orphaned claude --bg-pty-host processes spinning at 100% CPU after the daemon dies while connected on macOS — fixed.

Notes

  • 2.1.164 not released; 2.1.165 was a one-line reliability patch — 2.1.164 was never published to GitHub Releases, and 2.1.165’s changelog was just “Bug fixes and reliability improvements,” so neither is covered as a standalone post.
  • Cross-session message authority model changed — messages relayed via SendMessage no longer carry user authority. Receivers refuse relayed permission requests, so any automation that chains sessions should re-verify its permission flow.
  • Using fallbackModel — set up to three fallback models in order; Claude Code tries them when the primary is overloaded or unavailable. --fallback-model also works in interactive sessions.
  • Managed settings validation impact — a single invalid entry no longer silently disables the rest of the policies. Environments where managed enforcement quietly stopped applying should re-verify that the rules now take effect after upgrading.
  • Using deny rule globs"*" denies all tools, and patterns can group tools. Allow rules reject non-MCP globs, and unknown tool names in deny rules warn at startup, so check the startup log after writing new patterns.