Claude Code 2.1.133: `worktree.baseRef` Default Returns to `origin/<default>`, MCP OAuth Proxy Honored Across the Whole Flow

Anthropic shipped Claude Code 2.1.133 on May 7, 2026. The most consequential change is a worktree-base behavior reversal: a new worktree.baseRef setting defaults EnterWorktree's base back to origin/<default> after several months of branching from local HEAD. Behind that, the release lands the kind of plumbing fixes that matter most to users running Claude Code in real environments -- proxy and mTLS honored across the entire MCP OAuth flow, a refresh-token race that was 401-ing parallel sessions, allow rules at drive roots, mapped network drives, and Remote Control interrupts that did not actually interrupt.

For where Claude Code sits this quarter, our post-mortem of the spring quality regression is the right context for how Anthropic is shipping changes now, and the Codex CLI vs Claude Code vs Cursor architecture comparison is the comparison anchor.

Key Takeaways

• worktree.baseRef (fresh | head). New setting controlling whether --worktree, EnterWorktree, and agent-isolation worktrees branch from origin/<default> or local HEAD. Default is fresh. This reverses 2.1.128's behavior change. If you rely on unpushed HEAD commits being in new worktrees, set worktree.baseRef: "head".
• MCP OAuth proxy + mTLS, end to end. HTTP(S)_PROXY, NO_PROXY, and mTLS now apply to the full MCP OAuth flow: discovery, dynamic client registration, token exchange, token refresh.
• $CLAUDE_EFFORT for hooks and Bash. Hooks receive effort.level as JSON input; Bash tool commands can read $CLAUDE_EFFORT. Lets hooks and scripts branch on the active effort level.
• Linux/WSL sandbox path overrides. sandbox.bwrapPath and sandbox.socatPath for non-default binary locations.
• parentSettingsBehavior admin key. 'first-wins' | 'merge' lets admins opt SDK managedSettings into the policy merge.
• Refresh-token race fix. Parallel sessions no longer all dead-end at 401 after a refresh-token race wiped shared credentials.
• Drive-root and network-drive allow rules. Edit/Write allow rules scoped to C:\ or POSIX / no longer always prompt; mapped network drives via --add-dir are no longer denied.
• /effort isolated per session. Changing effort in one session no longer leaks into other concurrent sessions.

The worktree.baseRef Reversal

The most consequential single change is the new worktree.baseRef setting and the default behavior shift it implies. The official wording from the changelog:

Added worktree.baseRef setting (fresh | head) to choose whether --worktree, EnterWorktree, and agent-isolation worktrees branch from origin/<default> or local HEAD. Note: the default fresh changes EnterWorktree's base back to origin/<default> (it has been local HEAD since 2.1.128) -- set worktree.baseRef: "head" to keep unpushed commits in new worktrees.

Two ways to read this:

• From a clean-state perspective. A worktree based on origin/<default> is reproducible across machines and team members. If two engineers spawn a worktree on the same project, they get the same starting point. That is the right default for a tool whose worktrees are increasingly used as agent sandboxes that other people will inherit.
• From a workflow perspective. Anyone who built workflow muscle memory on 2.1.128 - 2.1.132 had EnterWorktree and --worktree branch from local HEAD. That meant unpushed commits came along automatically into the new worktree. With the default flipping back, those commits stay behind unless you push first or set worktree.baseRef: "head" explicitly.

The right action depends on which model you were depending on:

• Stayed on origin/<default> mentally. No change needed; the new default matches your model.
• Got used to HEAD-based worktrees and have unpushed work. Add worktree.baseRef: "head" to your settings before the next worktree spawn, or push first.
• Want both options available. Leave the default at fresh and pass the override explicitly when you need it.

The behavior-reversal language ("changes... back to") in the changelog is unusually direct. Read it as an admission that 2.1.128's default change caused enough confusion in real use to be worth reverting at the cost of yet another behavior change in the opposite direction.

MCP OAuth: Proxy and mTLS Honored Across the Whole Flow

The MCP OAuth fix is the change most enterprise users will care about. The bug it fixes is a familiar one in any OAuth-against-corporate-network setup: proxy and mTLS settings are honored for some HTTP calls in the flow but not all, and the flow breaks at whichever stage was missing the configuration.

2.1.133 routes HTTP(S)_PROXY, NO_PROXY, and mTLS through:

• Discovery. Hitting the MCP server's .well-known endpoints to find the auth endpoints.
• Dynamic client registration. Registering the Claude Code instance as an OAuth client at runtime.
• Token exchange. Trading an authorization code for tokens.
• Token refresh. Renewing a token before it expires.

If any one of those four was being made directly to the public internet rather than through your proxy, your MCP OAuth flow would either fail outright or fail intermittently in a way that looked like flaky token state. Now they all go through the same network configuration.

The practical reading: if you tried to wire up an OAuth-protected MCP server through a corporate proxy on an earlier 2.1.x and gave up, this is the version to retry on. The configuration story is now consistent across the whole flow.

$CLAUDE_EFFORT Exposed to Hooks and Bash

Claude Code's effort level is a global knob (low / medium / high) that affects how hard the model thinks. 2.1.133 exposes the active level to two surfaces that previously did not see it:

• Hooks receive the active level via the effort.level JSON input field.
• Bash tool commands can read it via the $CLAUDE_EFFORT environment variable.

The effect is small but meaningful: hooks can branch on effort, and shell commands invoked by Claude can pick behavior based on it. A pre-tool hook can run a faster lint at low effort and a more thorough one at high; a Bash command that wraps a model call can pick a smaller model when effort is low. None of this was impossible before, but it required a side channel; now the value is right there in the hook input and the env.

Linux/WSL Sandbox Path Overrides

sandbox.bwrapPath and sandbox.socatPath are new managed settings on Linux and WSL. They let you point Claude Code at custom paths for the bubblewrap and socat binaries that the Linux sandbox depends on. The use case is straightforward: not every environment puts those binaries in the standard $PATH. Packaged distributions, container images with non-standard root layouts, and mixed-toolchain setups all benefit.

This is a "make sandbox enablement actually possible" fix more than a feature. Anyone who hit a "binary not found" wall trying to enable the Linux sandbox in a non-standard environment can now wire it up explicitly.

parentSettingsBehavior for Admin Policy Merge

parentSettingsBehavior is a new admin-tier key with two values: 'first-wins' (the existing default) and 'merge'. It controls whether SDK managedSettings -- the parent settings tier -- participates in the policy merge or is short-circuited by a more-local setting.

The use case: organizations that ship Claude Code with SDK-managed defaults but want those defaults to layer with project/user settings rather than be overridden whenever a user sets a value. With parentSettingsBehavior: "merge", the SDK tier's settings stay in the merge result instead of being skipped.

For most users this is invisible. For SDK-distributed Claude Code deployments inside companies, it is the missing knob that makes layered policy actually work.

The Refresh-Token Race Fix

Among the bug fixes, the refresh-token race is the one most likely to have caused real outages in real workflows:

Fixed parallel sessions all dead-ending at 401 after a refresh-token race wiped shared credentials.

The mechanism: parallel Claude Code sessions share credential state. If two sessions try to refresh the token at the same time, the race could end with shared credentials in a state where every session got 401 on its next request. Once that happened, the only fix was to re-authenticate manually.

If you have ever had a tile of Claude Code panes in tmux suddenly all start failing at the same time after a long session, this was likely the cause. 2.1.133 makes the refresh path race-safe.

The Other Fixes Worth Noting

A few more from the changelog list that matter for daily use:

• Drive-root allow rules. Edit/Write allow rules scoped to a drive root (C:\ or POSIX /) no longer always prompt. If you ever wrote an allow rule that was supposed to cover an entire drive and got the prompt anyway, that is fixed.
• Mapped network drives. Read/Write/Edit on mapped network drives passed via --add-dir or SDK additionalDirectories no longer get denied. Significant for users on Windows networks where source lives on a mapped drive.
• Remote Control stop/interrupt. Stop/interrupt from claude.ai now fully cancels the CLI session the same way local Esc does. Before, queued messages could fail to advance after interrupting a stuck tool or prompt.
• /effort per-session isolation. Changing effort in one session no longer changes it in other concurrent sessions. Before, an IDE effort change could also be silently dropped.
• Subagents and skills. Subagents now discover project, user, and plugin skills via the Skill tool. Earlier versions could leave subagents skill-blind.
• Compaction Esc. Pressing Esc during conversation compaction no longer shows a spurious "Error compacting conversation" notification.
• History/session-log file lock ECOMPROMISED. No longer an unhandled rejection when a lock is compromised by clock skew or slow disk.
• VSCode extension on minimal builds. claudeCode.claudeProcessWrapper no longer fails with "Unsupported platform" when the extension build does not bundle a Claude binary.

Why This Release Matters

Two threads run through 2.1.133. The worktree-base reversal is an admission that defaults matter, and that the right default for a worktree is "reproducible" rather than "convenient for the current user's unpushed work." Most teams will land back on the new default and not notice; the people who do notice will appreciate the explicit head override more than the silent prior behavior.

The MCP OAuth and proxy fixes, plus the parallel-session refresh-token race, are the kind of plumbing that determines whether Claude Code is a viable choice for enterprise teams in restrictive network environments. None of them are headline features, but together they are the difference between "we tried Claude Code and it half-worked" and "we are running Claude Code across the team."

Pair this with the post-mortem on the spring quality regression and the trajectory is clear: Anthropic is currently shipping Claude Code releases focused on the engineering substrate -- defaults that match real workflows, network behavior that respects enterprise constraints, sandbox knobs that allow non-standard environments, and concurrency that does not blow up when more than one session is open. That is the right thing to be doing right now. The competitive frontier is shifting toward agents you can actually leave running in real environments without nursing them; Codex CLI is making the same bet from the other side with 0.129's modal Vim composer and /hooks browser.

For the canonical reference, the Claude Code changelog is the durable source for everything in 2.1.133.