Claude Code 2.1.196 adds org default model and pending approval for repo-local MCP

• ClaudeCodeLog's changelog thread says Claude Code 2.1.196 adds org-level default model selection, so admins can set a default in the org console and users see it as "Org default" or "Role default" in /model.
• The changelog also adds two everyday UX fixes that will get noticed fast: readable default session names and Cmd/Ctrl-clickable file attachments in chat.
• The most important trust change is in the security note, where claude mcp list/get stops auto-starting repo-local .mcp.json servers and shows untrusted workspaces as pending approval.
• ClaudeCodeLog's release notes bundle a long list of recovery fixes around background jobs, remote sessions, and agent status, plus a /code-review cleanup that cuts token usage by roughly 25%.
• ClaudeCodeLog's follow-up post also shows quieter under-the-hood changes, including a new CLAUDE_RUNNER_ACTIVITY_FD env var, the removal of opus-fast-mode-deprecation, and a 28.3% jump in prompt-token count.

You can trace the whole release through ClaudeCodeLog's highlight post, then drop into the full changelog for the bug list and the metadata follow-up for bundle and prompt diffs. One odd little tell is that the prompt diff now explicitly recommends Grep for search tasks, while the same release quietly turns on a 5-minute streaming idle watchdog for all providers.

The headline feature is administrative. ClaudeCodeLog's changelog says org admins can set a default model in the org console, and Claude Code will surface it in /model when a user has not picked one manually.

The same release tightens up a few daily paper cuts:

• readable default session names at session start, per the changelog
• clickable file attachments in chat, where Cmd/Ctrl-click reveals the file in Finder or Explorer, per the same post
• a one-press left arrow to open the agents view from a foreground session, also in the release notes

The security change is narrow, but real. According to the changelog's security section, claude mcp list/get no longer spawns .mcp.json servers that a repository tried to self-approve via committed .claude/settings.json; untrusted workspaces now show ⏸ Pending approval instead.

That lands next to another boundary check. The same release notes say Remote Control is now disabled when ANTHROPIC_BASE_URL points to a non-Anthropic host, matching the existing restrictions on Bedrock, Vertex, and Foundry paths.

Most of 2.1.196 is stability work around long-running agent sessions. ClaudeCodeLog's changelog says background commands now survive process stops, restarts, and updates, including on Windows where background shells are handed off instead of killed.

The fix list is unusually specific. The release notes say Claude fixed a bug that could delete a background job's conversation when waking it, added auto-resume for remote sessions interrupted by a server restart, and cleaned up agent-side status glitches that flipped completed work between "Done" and "Needs your input."

There is also one direct efficiency claim: the /code-review note says Anthropic merged five cleanup finders into one, cutting token usage by about 25%.

The follow-up post exposes the smaller changes that did not make the highlight list. ClaudeCodeLog's metadata post says the CLI surface added CLAUDE_RUNNER_ACTIVITY_FD and removed the opus-fast-mode-deprecation model entry.

The prompt package also moved more than the binary did. According to the same post, the bundle grew by 0.5%, while prompt files grew 18.2% and prompt tokens grew 28.3%; the mix shifted from tool text toward system reminders, which rose from 34.8% to 40.9%.

One concrete prompt edit stands out. ClaudeCodeLog's Grep note says the tool description now explicitly recommends always using Grep for search tasks and spells out output-mode and limit behavior more clearly.