Claude Code 2.1.121 adds MCP alwaysLoad, plugin prune, and fixes multi-GB leaks

• ClaudeCodeLog's release thread says Claude Code 2.1.121 shipped 39 CLI changes and 3 system prompt changes, with alwaysLoad for MCP servers, plugin prune, and tool-output replacement hooks as the headline additions.
• According to ClaudeCodeLog's changelog post, the release also fixes several high-impact stability bugs, including unbounded image-session memory growth and a /usage leak that could consume roughly 2 GB on machines with large transcript histories.
• ClaudeCodeLog's system-prompt diff summary says Bash calls now preserve working directory but not shell state, and prior commands should be rerun with a footer token instead of being retyped.
• The same ClaudeCodeLog system-prompt summary says Anthropic removed a long "Doing tasks" rubric and explicit prompt-injection flagging guidance from the system prompt, replacing some of that space with Git workflow constraints.

You can skim the GitHub repo, inspect the prompt diff around the new Git rules, and compare it with the later Bash rule changes. The weird bit is how much of this release sits below the headline features: memory behavior, shell semantics, permission behavior, and prompt rules all moved in the same patch.

The biggest operator-facing addition is alwaysLoad for MCP server config. Per ClaudeCodeLog's changelog post, tools from a server with that flag skip search deferral and load immediately, which changes when tools appear in the session and removes one layer of lazy discovery.

The same release adds claude plugin prune, plus plugin uninstall --prune, according to the changelog post. That is a small feature with very practical cleanup value: it targets orphaned auto-installed plugin dependencies instead of leaving plugin state to accumulate.

Other scan-friendly additions from ClaudeCodeLog's inventory:

• A type-to-filter search box in /skills
• New OpenTelemetry fields including stop_reason and gen_ai.response.finish_reasons
• user_system_prompt logging behind OTEL_LOG_USER_PROMPTS
• Auto-retry for MCP servers that fail transiently during startup

This patch is also a cleanup release disguised as a feature release. ClaudeCodeLog's changelog post lists three memory fixes that are hard to ignore:

• Unbounded RSS growth while processing many images in one session
• /usage leaking up to about 2 GB on machines with large transcript histories
• A memory leak triggered when long-running tools fail to emit a clear progress event

The same post also bundles several resume and session-hardening fixes: corrupted transcript lines are now skipped instead of crashing resume, stale OAuth tokens no longer leave /usage stuck on a rate-limit error, and built-in tool allow rules in remote sessions now survive worker restarts.

LLMpsycho's short release summary picked the same two items most people will care about first, alwaysLoad and the multi-GB leak fix, which is a decent tell for what actually stands out in day-to-day use.

The Bash tool semantics changed in a way harness authors will notice. According to ClaudeCodeLog's system-prompt diff summary, the working directory now persists across Bash calls, but shell state does not, so exported variables and functions should not be assumed to survive between runs.

The same system-prompt summary says prior commands should be rerun via a {rerun:'bN'} footer token. That is more structured than freehand command repetition, and it gives the model a distinct mechanism for retrying or replaying earlier shell work.

Hooks also got more powerful. ClaudeCodeLog's release thread and the changelog post both say PostToolUse hooks can now replace output for all tools through hookSpecificOutput.updatedToolOutput, where that override used to be MCP-only.

The prompt diff is the most interesting quiet change in the release. ClaudeCodeLog's system-prompt diff summary says Anthropic removed explicit system guidance on permission prompts and denials, system-tag handling, and flagging prompt injection in tool output. In its place, the prompt now adds Git constraints, including no interactive git flags and a preference for gh on GitHub operations.

The same system-prompt summary says Claude is no longer bound by a long "Doing tasks" rubric that previously discouraged extra abstractions, preferred edits over new files, defaulted to no comments, and included OWASP vigilance plus verified-versus-assumed reporting. That is a real behavior-surface change, even though it ships as prompt text rather than a CLI flag.

At the CLI surface, ClaudeCodeLog's additional updates says 2.1.121 adds the prune command, --prune, --yes, and -y, plus two env vars, CLAUDE_CODE_DISABLE_AGENTS_FLEET and CLAUDE_COWORK_MEMORY_SKIP_DEFAULT_ENTRYPOINT. The same post says it removes CLAUDE_CODE_LEAN_PROMPT and INVOCATION_ID, bumps bundle size by 272.6 kB, and adds 443 prompt tokens.