Claude Code 2.1.187 adds sandbox.credentials and 5-minute MCP aborts

• ClaudeCodeLog's release post says Claude Code 2.1.187 shipped 21 CLI changes, led by a new sandbox.credentials control and a 5 minute abort for remote MCP calls that would otherwise hang.
• In the full 2.1.187 changelog, sandbox.credentials blocks sandboxed commands from reading credential files and secret environment variables.
• The changelog also adds org-configured model restrictions across the model picker, --model, /model, and ANTHROPIC_MODEL, with an explicit "restricted by your organization's settings" message.
• According to ClaudeCodeLog's thread, structured output calls in --json-schema and workflow agent({schema}) no longer re-call StructuredOutput indefinitely after a successful call, and remote MCP hangs now fail fast after 5 minutes.

You can jump straight to the release thread, compare it with the 2.1.186 release one day earlier, and check the metadata follow-up for the small bundle delta: +49.8 kB, with prompt files and prompt tokens unchanged.

The headline change is a tighter sandbox boundary. In the changelog, the new sandbox.credentials setting blocks reads from credential files and secret env vars by sandboxed commands.

The other new surface changes are smaller, but practical:

• The changelog adds org-level model restrictions to the picker, CLI flag, slash command, and ANTHROPIC_MODEL env var.
• The same thread adds mouse click support for fullscreen selection menus such as permissions, /model, and /config.

The other big fix is timeout behavior for remote MCP. ClaudeCodeLog's summary says calls that hang without a response now abort after 5 minutes instead of blocking indefinitely.

The same patch cleans up a few agent failure modes that were easy to trip:

• The changelog says structured output can no longer loop by repeatedly re-calling StructuredOutput after success.
• The same source says background jobs in the agents view no longer stay stuck in working when a turn ends without structured output.
• ClaudeCodeLog also fixed resumed subagent depth tracking and automatic cleanup for leaked .git/worktrees/ entries from killed agents.

The metadata update puts 2.1.187 just 1 day, 16 minutes, and 46 seconds after 2.1.186, with bundle size up 0.2 percent and prompt token mix unchanged. That makes this look like a quick follow-up patch, not a prompt or model behavior shift.

The previous release was the larger operational drop. In the 2.1.186 notes, Claude Code added claude mcp login/logout, made ! shell commands trigger automatic replies, enforced named subagent allow and deny rules, and changed background subagents to surface permission prompts in the main session instead of auto-denying them.