What changed in v2.1.198 — read this first
claude agents finish their work. Before, an agent that finished coding in a worktree would stop and ask you what to do next. Now it does the last mile on its own. Straight from the v2.1.198 release notes: "Background agents launched from claude agents now commit, push, and open a draft PR when they finish code work in a worktree, instead of stopping to ask."
- The agent commits its work — a real git commit, unattended.
- It pushes that commit to your remote.
- It opens a draft PR — so the code is on GitHub before you've looked at a single line.
The companion change: an agent's message is not your approval
- A subagent will follow a parent agent's direction as a task to do.
- But it will never read that parent agent's message as if you had approved something.
- Net effect: approval still has to come from a human. One agent can't manufacture consent for another.
The containment lever: one deny rule
git push and the agent physically cannot push or open a PR — it'll do its work and commit locally in the worktree, then stop. Add this to your settings.json:

{
  "permissions": {
    "deny": [
      "Bash(git push:*)"
    ]
  }
}

permissions → deny → Bash(git push:*). The :* matches git push with any arguments. Because it's a deny rule, it takes priority over anything in allow — the agent's push is stopped before it runs, and with nothing pushed there's no draft PR either.
Choose your containment level
permissions.deny:

| You want | Deny rule(s) to add | What the agent can still do |
|---|---|---|
| Nothing leaves your machine unreviewed | Bash(git push:*) | Work, then commit locally in the worktree — you push |
| No commits either (fully hands-off review) | Bash(git commit:*), Bash(git push:*) | Make the file changes; you stage, commit and push |
| No PR opened even if pushed elsewhere | Bash(git push:*), Bash(gh pr create:*) | Everything up to the remote; PR stays yours to open |
Bash(git push:*) if you're unsure — it's the single highest-impact line. It keeps the auto-commit convenience (fast local checkpoints) while making sure nothing reaches your remote until you say so.
The 3-step pre-deploy checklist
- Read the v2.1.198 release note. Confirm you're on v2.1.198 or later and that you understand the new finish-the-work-and-open-a-draft-PR behaviour. If you didn't know it until now, that's the whole point of this step.
- Add the deny rule. Open your settings.json and add Bash(git push:*) under permissions.deny (plus any rows from the table above that fit your risk appetite). A deny rule is absolute — the push simply can't run.
- Make reviewing draft PRs a habit. The design is sound: the agent opens the draft, you still merge. So build the muscle — check the draft PR, read the diff, and only then click merge. Autonomy on the work, a human on the gate.
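A check for step 2 of the checklist, as an added example that is not from the original page or from Claude Code: it reads the text of a settings.json file and reports which of the deny rules from the table are present verbatim, and flags entries that differ from them (for instance a rule pasted without its `*`). The function names and the sample input are assumptions made for illustration.

```python
import json

# Deny-rule strings exactly as this page gives them.
RULES = {
    "push": "Bash(git push:*)",
    "commit": "Bash(git commit:*)",
    "pr_create": "Bash(gh pr create:*)",
}

def rule_list(perms, key):
    """Return the string entries of perms[key], or [] if it is not a list."""
    value = perms.get(key)
    return [r for r in value if isinstance(r, str)] if isinstance(value, list) else []

def audit_settings(text):
    """Return (blocked, findings) for the text of a settings.json file.

    blocked: names from RULES found verbatim in permissions.deny.
    findings: reviewer notes on missing, altered or conflicting entries.
    """
    try:
        settings = json.loads(text)
    except json.JSONDecodeError as exc:
        return set(), [f"not valid JSON: {exc.msg}"]
    perms = settings.get("permissions") if isinstance(settings, dict) else None
    perms = perms if isinstance(perms, dict) else {}
    deny, allow = rule_list(perms, "deny"), rule_list(perms, "allow")
    blocked = {name for name, rule in RULES.items() if rule in deny}
    findings = []
    if "push" not in blocked:
        findings.append(f"{RULES['push']} is not in permissions.deny")
    for name, rule in RULES.items():
        stem = rule[:-3]  # "Bash(git push:*)" -> "Bash(git push"
        for entry in deny:
            if entry.startswith(stem) and entry != rule:
                findings.append(f"deny entry {entry!r} differs from {rule!r}")
        if rule in allow:
            state = "deny takes priority" if name in blocked else "not denied"
            findings.append(f"{rule} is in permissions.allow ({state})")
    return blocked, findings

# Constructed sample: the rule was pasted without its '*' and push is allowed.
SAMPLE = '{"permissions": {"allow": ["Bash(git push:*)"], "deny": ["Bash(git push:)"]}}'

if __name__ == "__main__":
    blocked, findings = audit_settings(SAMPLE)
    print("blocked:", sorted(blocked))
    for note in findings:
        print("-", note)
```

An empty findings list with "push" in the blocked set corresponds to the first row of the table.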
Frequently asked questions
What exactly changed in Claude Code v2.1.198 for background agents?
claude agents now commit, push, and open a draft PR when they finish code work in a worktree, instead of stopping to ask. It's the last-mile plumbing done automatically — which is convenient, but means unreviewed code can reach your remote if you deploy an agent unattended without knowing this.
How do I stop a Claude Code agent from pushing code?
settings.json permissions: deny Bash(git push:*). A deny rule is absolute — it takes priority over any allow rule, so the agent physically cannot run git push. With nothing pushed, no draft PR is opened either. The agent still does its work and can commit locally in the worktree.
Is this a new setting introduced in v2.1.198?
permissions.deny mechanism is the standard Claude Code permission model, not new in v2.1.198. What's new in v2.1.198 is the auto-commit/push/draft-PR behaviour of background agents. The deny rule is simply the existing lever you use to contain that new behaviour.
Does denying git push break the agent?
git commit) commits them locally in its worktree. It just can't send anything to your remote. You review the local work — or the draft PR if you allow pushing — and you do the merge.