Anthropic Claude Code v2.1.149 brings per-category breakdown in /usage and closes PowerShell permission bypass
Anthropic released Claude Code CLI v2.1.149, which extends the /usage command with a cost breakdown by category (skills, subagents, plugins, per-MCP server). The release closes two security vulnerabilities: a PowerShell permission bypass through built-in functions and an incorrect allowlist for the git worktree sandbox. An enterprise setting allowAllClaudeAiMcps was also added for cloud MCP connectors.
This article was generated using artificial intelligence from primary sources.
Anthropic released Claude Code CLI version v2.1.149 on May 22, 2026, at 22:09 UTC. The release introduces practical iterations on the /usage command and /diff view, and closes two security vulnerabilities — one in the PowerShell permission system, another in the git worktree sandbox allowlist. A new enterprise setting allowAllClaudeAiMcps was also added for easier connection with cloud MCP connectors from the claude.ai interface.
What does the /usage breakdown by category look like now?
Before v2.1.149, the /usage command showed only aggregated numbers: total tokens consumed, total cost in USD, and remaining daily quota. This was sufficient for basic situational awareness but did not help developers identify which class of Claude Code functionality consumes the most resources.
The new version adds a breakdown by four categories: skills (custom skills defined in .claude/skills/), subagents (Agent tool calls), plugins (third-party plugin extensions), and a separate per-MCP-server breakdown. The output now shows for each MCP server how many tokens were consumed in queries to it, which is especially useful for teams running five or more MCPs simultaneously. If one MCP server jumps to 40 percent of daily token consumption, /usage now clearly shows it.
How does /diff now work with the keyboard?
The /diff command received complete keyboard navigation support: arrow keys for scrolling, j/k for vim-style movement, PgUp/PgDn to jump through hunks, Space to select, and Home/End to jump to the beginning or end of the diff. The detail view shows individual hunks with the option to expand context — especially useful when Claude Code modifies large files and the developer wants to review each hunk before committing.
What is the PowerShell permission bypass and how was it closed?
The old version of Claude Code on Windows did not intercept certain PowerShell built-in functions that change the working directory: Set-Location, Push-Location, Pop-Location, the cd alias, and some variants that write directly to the $PWD provider. If a script was run through the Bash tool, it could execute cd …\sensitive-dir and run commands in a directory that was not on the permission allowlist — without triggering a permission dialog.
v2.1.149 now intercepts all PowerShell working directory change mechanisms at the provider hook level. Every such change requests explicit user permission if it exits the permitted scope. Anthropic classified the flaw in the release notes as “low impact, easy to exploit by determined attacker” — it had not been actively exploited in known cases, but represented a deviation from the documented security guarantee.
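The scope check described above, as an added example (not Claude Code's implementation and not taken from the release notes): it replays a PowerShell session, tracks the working directory through Set-Location, cd, Push-Location and Pop-Location, and reports every command that would run outside an allowed root. The function names, the sample paths and the simplified command parsing are assumptions of this example.

```javascript
// Added illustration, not Claude Code's implementation. Models only simple,
// literal invocations; variables, pipelines and $PWD writes are not parsed.
const { win32 } = require('node:path');

const CHANGE = new Set(['set-location', 'cd', 'push-location']);

// True when dir is root itself or lies beneath it (Windows path rules).
function isInside(root, dir) {
  const rel = win32.relative(root, dir);
  return rel === '' ||
    (rel !== '..' && !rel.startsWith('..\\') && !win32.isAbsolute(rel));
}

// Replays commands in order and records the directory each one runs in (or
// leaves the session in) and whether that directory is inside allowedRoot.
function auditSession(allowedRoot, startDir, commands) {
  let cwd = win32.resolve(startDir);
  let resolved = true;   // false once a target could not be determined
  const stack = [];      // Push-Location / Pop-Location stack
  return commands.map((command) => {
    const [verb, ...args] = command.trim().split(/\s+/);
    const name = verb.toLowerCase();
    if (name === 'pop-location') {
      if (stack.length) ({ cwd, resolved } = stack.pop());
    } else if (CHANGE.has(name)) {
      if (name === 'push-location') stack.push({ cwd, resolved });
      // Drop parameter names such as -Path and strip one layer of quotes.
      const target = args.filter((a) => !a.startsWith('-')).join(' ')
        .replace(/^(['"])(.*)\1$/, '$2');
      // No literal target, or a relative one from an unknown place: unresolved.
      const known = target !== '' && (resolved || /^[a-z]:[\\/]/i.test(target));
      if (known) cwd = win32.resolve(cwd, target);
      resolved = known;
    }
    return { command, cwd, inScope: resolved && isInside(allowedRoot, cwd) };
  });
}

// Commands that would need an explicit permission prompt under this model.
function outOfScope(allowedRoot, startDir, commands) {
  return auditSession(allowedRoot, startDir, commands)
    .filter((r) => !r.inScope).map((r) => r.command);
}

// Constructed sample session; the paths are made up for this example.
const SAMPLE = ['Get-ChildItem', 'Push-Location src', 'cd ..\\..\\secrets',
  'Get-Content token.txt', 'Pop-Location',
  'Set-Location -Path "C:\\Work\\Repo\\docs"', 'cd'];
console.log(outOfScope('C:\\work\\repo', 'C:\\work\\repo', SAMPLE));
```

A directory change whose target cannot be read literally is treated as out of scope, so the model prompts rather than guessing.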
What does the git worktree sandbox allowlist fix correct?
The second security fix concerns the git worktree workflow. Claude Code v2.1.139 introduced a sandbox for git worktree calls (for isolating multi-agent work on the same repository), but the write allowlist was too broad: it allowed writing to the entire .git directory of the worktree, which includes config, hooks, and the shared object database. v2.1.149 now restricts the allowlist to only the shared .git directory belonging to the main repository that the worktree needs for sync — preventing unauthorized configuration modifications that could affect other worktrees.
What is the allowAllClaudeAiMcps enterprise setting?
The new setting allowAllClaudeAiMcps in .claude/settings.json allows enterprise users to load all MCP connectors from their claude.ai cloud account with a single flag, without needing to manually enumerate them in the config file. The setting is disabled by default — Anthropic recommends it only for enterprise tenants with centralized governance of their MCP integrations. For individual users, the standard explicit mcpServers config still applies.
Frequently Asked Questions
- What does the new /usage command bring in v2.1.149?
- It now shows a cost breakdown by category: how much you spent on skills, on subagents, on plugins, and a separate breakdown per MCP server. Previously it showed only an aggregated total — now you can see which category consumes the most tokens.
- What was the PowerShell permission bypass?
- Certain PowerShell built-in functions (e.g., Set-Location, Push-Location) changed the working directory without going through the Claude Code permission system, allowing a script to quietly exit the permitted working directory. v2.1.149 intercepts them and requests explicit permission.
- What does the git worktree sandbox fix correct?
- The old version allowed writing to the entire .git directory of a worktree; v2.1.149 restricts the write allowlist to only the shared .git directory belonging to the main repository, preventing unauthorized configuration modifications.