CLAUDE LABJP
FORK — Claude Code 2.1.212 changes what /fork does: it copies your conversation into a new background session with its own row in claude agents, so you can keep working. The old in-session subagent is now /subtaskLIMITS — WebSearch calls are now capped at 200 per session by default, and subagent spawns get the same 200 ceiling, so a runaway search or delegation loop stops on its ownMCPBG — MCP tool calls running past two minutes now move to the background automatically, keeping the session usable. Tune the threshold with CLAUDE_CODE_MCP_AUTO_BACKGROUND_MSPLANFIX — Fixed plan mode auto-running file-modifying Bash commands such as touch and rm without a permission prompt or an SDK canUseTool callbackSONNET5 — Claude Sonnet 5 is running on introductory pricing of $2 per million input tokens and $10 per million output. After August 31 it moves to $3 and $15IPO — Bankers are reportedly lining up investor meetings for Anthropic ahead of a possible public listing as soon as OctoberFORK — Claude Code 2.1.212 changes what /fork does: it copies your conversation into a new background session with its own row in claude agents, so you can keep working. The old in-session subagent is now /subtaskLIMITS — WebSearch calls are now capped at 200 per session by default, and subagent spawns get the same 200 ceiling, so a runaway search or delegation loop stops on its ownMCPBG — MCP tool calls running past two minutes now move to the background automatically, keeping the session usable. Tune the threshold with CLAUDE_CODE_MCP_AUTO_BACKGROUND_MSPLANFIX — Fixed plan mode auto-running file-modifying Bash commands such as touch and rm without a permission prompt or an SDK canUseTool callbackSONNET5 — Claude Sonnet 5 is running on introductory pricing of $2 per million input tokens and $10 per million output. After August 31 it moves to $3 and $15IPO — Bankers are reportedly lining up investor meetings for Anthropic ahead of a possible public listing as soon as October
Articles/Claude Code
Claude Code/2026-07-18Advanced

I Believed Plan Mode Only Read — Replacing That Belief With Machinery

Claude Code 2.1.212 fixed a bug where plan mode ran file-modifying Bash commands without the permission prompt or the SDK canUseTool callback. Here is what could happen while that assumption was broken, how to verify your own setup, and how to stop leaning on a mode name for safety.

Claude Code198Permissions3Plan Mode2Unattended Automation2Security9

Premium Article

One line in the changelog stopped me.

"Fixed a bug where plan mode executed file-modifying Bash commands such as touch and rm without going through the permission prompt or the SDK's canUseTool callback."

I am an indie developer, and I run research jobs overnight while I sleep. I had been treating plan mode as a mode that only reads. So I relaxed my deny rules there, and I skimmed the canUseTool logs rather than watching them. The place I thought was guarded had been open the whole time. I did not find good words for the small cold feeling that followed.

Nothing broke in my environment, as far as I can tell. But "I found nothing" and "nothing happened" are different sentences. This is a record of the work I did to close that gap.

What was actually slipping through

The facts first. Claude Code 2.1.212, released on July 18, 2026, fixed this path:

Path Before the fix After the fix
Interactive permission prompt Not shown for file-modifying Bash in plan mode Asks for confirmation as usual
SDK canUseTool callback Never invoked; the command ran anyway Invoked like any other tool call
deny rules in settings Evaluated — this path held Still evaluated

The third row is the one worth sitting with. Deny rules kept working. What broke was only the part I had assumed from the mode's character. Explicit prohibitions survived; implicit expectations did not.

That asymmetry maps exactly onto my own mistake. The rules I had relaxed were the ones I skipped because "plan mode is read-only, so I don't need them here." The hole was precisely the shape of the assumption.

"Read-only" was never written down

Afterwards I went looking for where my belief came from.

The documentation describes plan mode as a mode for forming a plan before you start implementing. Reading that, the picture that forms naturally is "a mode that investigates and proposes." In daily use, writes almost never happen, which reinforces it.

But nowhere does it say that file-modifying tools are mechanically blocked. I had read a tendency as a specification.

That was the real lesson. A mode name expresses intent, not a guarantee. And because intent holds nearly all the time, it is easy to mistake it for a guarantee — then drop your defenses, and let the first exception through in full.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
A throwaway probe script that reproduces the write-bypass boundary in about eight seconds on your own machine
Concrete settings that move the guarantee out of the mode name and into deny rules plus canUseTool
A five-step audit for finding the other places where a feeling became a specification
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Claude Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Claude Code2026-07-17
The String I Approved Wasn't the String I Read — Testing a Relayed Permission Prompt with Deceptive Characters
I pushed bidi overrides and zero-width characters through my own approval relay. NFKC normalization caught 0%. Here is why, and the implementation that catches 100% with zero false positives.
Claude Code2026-07-16
The Permission Rules You Added for Safety Are Taxing Every Turn — Auditing the Ruleset Without Loosening It
Version 2.1.209 fixed the per-turn slowdown from large deny/ask rulesets, but the design debt in your rules is still yours. Here are the audit scripts, a shadowing detector, a turn-timing harness, and how to fold enumerated rules into prefix rules safely.
Claude Code2026-07-05
Rolling Out Trusted Devices for a Small Team: Enrollment, Preflight, and Rotation
How to introduce Team/Enterprise Trusted Devices for a 2-5 person team: device enrollment, an unattended-run preflight gate, and closing the gaps that appear during device rotation and offboarding.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →