Detailed Analysis
Claude Code version 2.1.136 introduces a set of coordinated safety and transparency enhancements aimed at making autonomous agentic operation more reliable and trustworthy. The most significant system-level change establishes a mandatory confirmation requirement for irreversible or outward-facing actions unless such authorization has been durably granted in advance. Complementing this, agents are now instructed to inspect the target of any deletion or overwrite operation before executing it, a procedural safeguard against destructive actions taken on incorrect or misidentified targets (a glob that matches more than intended, or a path resolved relative to the wrong directory). The update also codifies an expectation of faithful reporting: agents must surface skipped steps, failed tests, and verified outcomes rather than present a sanitized or incomplete picture of what actually occurred during a task.
The agent-prompt changes represent a more architecturally significant development: the introduction of a four-tier classification system for action safety rules. Where previous versions of the auto-mode rule reviewer operated with three categories, version 2.1.136 adds `hard_deny` as a distinct, unconditional category that cannot be overridden by user intent or in-session authorization. The `soft_deny` category is simultaneously narrowed to cover only destructive or irreversible actions where a sufficiently clear expression of user intent can grant permission. This separation is conceptually important — it draws a firm line between security-boundary violations that no runtime signal should be able to unlock and genuinely risky-but-legitimate operations that a user might reasonably authorize.
The security monitor prompts further operationalize this hard/soft split by relocating data exfiltration into the unconditional hard-block category and adding explicit hard-block coverage for attempts to bypass safety checks. Critically, any external service or download source that an agent has inferred or guessed, rather than received from an explicit, trusted source, is now treated as untrusted by default. The practical point is that trust follows provenance, not plausibility: a hostname that appears in a fetched document, a dependency manifest, or tool output is attacker-influenceable, so a convincing-looking URL the agent derived itself gets no more trust than an unknown one. This reflects a growing awareness in agentic AI development that prompt injection and supply-chain-style attacks are real threat vectors, particularly when agents operate autonomously across network boundaries or interact with third-party systems.
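The tiered evaluator sketched in this paragraph and the previous one, as an added example written for this page rather than code from Claude Code or Anthropic. It shows the property the split is meant to guarantee: a `soft_deny` verdict can be unlocked by explicit user intent for the exact target, a `confirm` verdict by a durable pre-authorization, but a `hard_deny` verdict (exfiltration, bypassing a safety check) consults no session state at all, and a source the agent inferred is untrusted even when its hostname is on the allow-list. Only the names `hard_deny` and `soft_deny` come from the changelog; the `confirm` and `allow` tiers, the `Action` and `Session` fields, the action vocabulary, and the hosts in the scenarios are assumptions made here.

```python
"""Added example: a toy evaluator for a hard/soft deny split of agent actions.

Illustrative code written for this page, not Claude Code's own implementation.
Only the tier names `hard_deny` and `soft_deny` come from the changelog; the
`confirm`/`allow` tiers, the Action and Session fields, the action vocabulary
and the "inferred source is untrusted" rule are assumptions made here.
"""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlparse


class Tier(Enum):
    HARD_DENY = "hard_deny"  # unconditional: no intent, grant or session state unlocks it
    SOFT_DENY = "soft_deny"  # destructive/irreversible: clear, explicit user intent unlocks it
    CONFIRM = "confirm"      # outward-facing: durable pre-authorization, otherwise prompt
    ALLOW = "allow"


@dataclass(frozen=True)
class Action:
    kind: str                        # assumed vocabulary: read, delete, overwrite, download, upload, run
    target: str                      # path or URL the action operates on
    sends_local_data: bool = False   # payload leaves the machine (exfiltration candidate)
    bypasses_safety: bool = False    # e.g. disabling or skipping the check that produced a block
    source_provenance: str = "none"  # "explicit" (user or config named it) or "inferred" (agent guessed it)


@dataclass
class Session:
    explicit_intent: set = field(default_factory=set)  # exact targets the user asked to destroy this session
    durable_grants: set = field(default_factory=set)   # action kinds pre-authorized in persistent config
    trusted_hosts: set = field(default_factory=set)    # hosts the user or config explicitly named


DESTRUCTIVE = {"delete", "overwrite"}
OUTWARD = {"download", "upload"}


def source_is_trusted(action: Action, session: Session) -> bool:
    """A host is trusted only if it was explicitly supplied and is on the list.
    A guessed host is untrusted no matter how plausible the name looks."""
    if action.source_provenance != "explicit":
        return False
    return urlparse(action.target).hostname in session.trusted_hosts


def classify(action: Action, session: Session) -> Tier:
    """Tier for an action. Hard denials are tested first so that no later,
    more permissive branch can downgrade them."""
    if action.bypasses_safety:
        return Tier.HARD_DENY
    if action.sends_local_data and not source_is_trusted(action, session):
        return Tier.HARD_DENY  # exfiltration: local data to an untrusted or guessed endpoint
    if action.kind in DESTRUCTIVE:
        return Tier.SOFT_DENY
    if action.kind in OUTWARD:
        return Tier.CONFIRM
    return Tier.ALLOW


def decide(action: Action, session: Session) -> tuple:
    """Final verdict ("allow", "ask" or "deny") plus the reason, given session state."""
    tier = classify(action, session)
    if tier is Tier.HARD_DENY:
        # Deliberately ignores the session: intent and grants are not consulted at all.
        return "deny", "hard_deny: no runtime signal can unlock this"
    if tier is Tier.SOFT_DENY:
        # Exact-target match stands in for "inspect the target before deleting":
        # intent for "build/" must not unlock deletion of "build/../src".
        if action.target in session.explicit_intent:
            return "allow", "soft_deny unlocked by explicit user intent for this exact target"
        return "deny", "soft_deny: destructive action without clear user intent"
    if tier is Tier.CONFIRM:
        if action.kind in session.durable_grants and source_is_trusted(action, session):
            return "allow", "confirm satisfied by durable grant to an explicitly trusted host"
        return "ask", "confirm: outward-facing action needs confirmation"
    return "allow", "allow: read-only and local"


def demo() -> dict:
    """Constructed scenarios (not from the page) showing which signals unlock which tier."""
    generous = Session(
        explicit_intent={"build/", "https://collect.example.net/up"},
        durable_grants={"download", "upload"},
        trusted_hosts={"pkgs.example.com", "collect.example.net"},
    )
    return {
        "delete_no_intent": decide(Action("delete", "build/"), Session())[0],
        "delete_with_intent": decide(Action("delete", "build/"), generous)[0],
        "delete_sibling_path": decide(Action("delete", "build/../src"), generous)[0],
        # Inferred endpoint: even a fully granting session cannot unlock exfiltration.
        "exfil_inferred_host": decide(
            Action("upload", "https://collect.example.net/up",
                   sends_local_data=True, source_provenance="inferred"), generous)[0],
        "download_explicit_host": decide(
            Action("download", "https://pkgs.example.com/tool.tgz",
                   source_provenance="explicit"), generous)[0],
        "download_inferred_host": decide(
            Action("download", "https://pkgs.example.com/tool.tgz",
                   source_provenance="inferred"), generous)[0],
        "bypass_with_grants": decide(Action("run", "rm -rf checks", bypasses_safety=True), generous)[0],
        "read": decide(Action("read", "README.md"), Session())[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The ordering inside `classify` is the whole point: the hard-deny tests run before anything that could return a more permissive tier, and `decide` returns for `HARD_DENY` before touching `session`, so there is no code path on which an in-session grant reaches that branch. The `delete_sibling_path` scenario shows why intent is matched against the exact target rather than a prefix.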
Taken together, these changes reflect a maturing philosophy at Anthropic around what it means for an AI agent to be safe in practice, not merely in principle. The dual-block architecture mirrors patterns from established security engineering — analogous to mandatory access controls that cannot be overridden by user-space processes — applied to the novel domain of autonomous AI agents. The transparency requirements around reporting are equally telling: rather than trusting that agents will volunteer accurate accounts of their actions, the update makes faithful disclosure an explicit behavioral norm baked into the system prompt layer, acknowledging that agentic opacity is itself a safety risk. The "+525 tokens" noted in the title indicates these protections come at a measurable context-window cost, a tradeoff Anthropic is evidently willing to accept as autonomous coding agents take on longer-horizon, higher-stakes tasks.