Claude Code 2.1.166 adds fallbackModel, thinking disable, and deny-rule globs

• ClaudeCodeLog's release thread says Claude Code 2.1.166 adds a configurable fallbackModel, plus a second fallback retry path when the primary model is overloaded or unavailable.
• According to ClaudeCodeLog's changelog post, MAX_THINKING_TOKENS=0, --thinking disabled, and the per-model toggle now actually disable thinking on Claude API models that think by default.
• ClaudeCodeLog's changelog post also says deny rules now accept glob patterns in the tool-name slot, including "*" to deny all tools, which is a real permissions-system expansion rather than a cosmetic parser tweak.
• The same ClaudeCodeLog changelog hardens SendMessage so relayed cross-session messages no longer carry user authority, and receivers refuse relayed permission requests.

You can read the full official changelog, compare it with the CLI reference for --fallback-model, and check the permissions docs, which already explain why bare deny rules remove a tool from Claude's context entirely. The weirdest detail in this release is that Anthropic changed both sides of the reliability equation at once: more fallback paths when models fail, less thinking when users want token burn gone.

The headline feature is a new fallbackModel setting that can hold up to three fallback models, tried in order when the primary model is overloaded or unavailable, per ClaudeCodeLog's changelog post. The same release also makes --fallback-model apply to interactive sessions, extending an older CLI flag that the official CLI reference had previously documented as print-mode and background-session only.

Anthropic also added a second safety net: if the API returns an unexpected non-retryable error, Claude Code retries the turn once on the fallback model, again according to the changelog post. Auth, rate-limit, request-size, and transport errors still fail fast in the official changelog.

This release closes a gap that had become annoying for power users. ClaudeCodeLog's changelog post says MAX_THINKING_TOKENS=0, --thinking disabled, and the per-model toggle now disable thinking on Claude API models that think by default, while third-party providers stay unchanged.

That matters because Claude Code's own cost docs say thinking tokens are billed as output tokens and can run to tens of thousands of tokens per request. The model configuration docs also note that newer adaptive-reasoning models can ignore older fixed-budget controls, which helps explain why Anthropic had to spell out this behavior in a point release.

Two governance changes shipped together here:

• "*" in the deny-rule tool-name position can now deny all tools, per ClaudeCodeLog's changelog post.
• Allow rules reject non-MCP globs, and unknown tool names in deny rules now warn at startup, again per the changelog post.
• The official permissions docs say bare deny rules remove a tool from Claude's context entirely, while scoped rules like Bash(rm *) block matching calls at execution time.
• The channels reference says trusted sender paths can relay permission prompts remotely, which gives extra context for why 2.1.166 strips user authority from relayed SendMessage traffic.

The security change is concise but important: messages relayed from other Claude sessions no longer inherit user authority, receivers reject relayed permission requests, and auto mode blocks them, according to ClaudeCodeLog's changelog post.

Most of the remaining changes are operator paper cuts, but there are a lot of them. ClaudeCodeLog's changelog post lists fixes for JetBrains terminal flicker, non-ASCII Shift input under Kitty protocol terminals, PowerShell validation hangs on Windows, orphaned --bg-pty-host processes pegging CPU on macOS, and background agent sessions crash-looping after entering a git worktree.

ClaudeCodeLog's prompt stats post also notes how small this ship was mechanically: it landed less than 12 hours after 2.1.165, added about 70.4 kB to the bundle, and increased prompt tokens by 1,774, with tools still accounting for roughly 90 percent of prompt-token mix.