Anthropic just shipped Claude Code 2.1.187, and while the version number sounds incremental, the features inside are not. This release delivers three capabilities that directly address the friction engineering leaders have been raising since AI coding tools went mainstream in enterprise environments: credential exposure in sandboxed execution, model governance at the org level, and basic UI interaction parity. These aren't cosmetic updates. They're the kind of hardening that moves Claude Code from "promising tool your engineers are using anyway" to "something your security team will actually approve."

Here's what shipped, why it matters, and what you should do about it.

The headline feature is the new `sandbox.credentials` setting, which blocks sandboxed commands from reading credential files and secret environment variables. This is a significant security control.

The problem it solves is real: when Claude Code executes commands in a sandbox environment, that sandbox by default has access to the same environment context as the developer running it. That means API keys, AWS credentials, `.env` files, SSH keys, and any secrets loaded into the shell environment are potentially readable by whatever the AI is executing. For individual developers working on personal projects, this is a tolerable risk. For engineers working inside enterprise environments with production credentials, internal API tokens, or customer data access, this is a non-starter.

The `sandbox.credentials` setting gives security teams a lever to enforce isolation at the configuration level rather than relying on individual developers to manage their own credential hygiene. That's the architectural shift that matters here. You're moving from "trust the engineer to do the right thing" to "the platform enforces the control." In practice, teams should expect to configure this at the org level and treat it as a baseline requirement before deploying Claude Code to engineers who have production access. The alternative is continuing to rely on ad-hoc developer practices, which is how credential leaks happen.

The second major feature is org-configured model restrictions applied to the model picker, the `--model` flag, and the `/model` command. This means your organization can now define which Claude models are available to engineers in the tool, and individual engineers cannot override that configuration. This addresses a governance problem that has been quietly growing as Anthropic expands its model lineup. Claude 3.5 Sonnet, Claude 3 Opus, and the various Haiku variants have meaningfully different cost profiles, capability levels, and in some cases different data handling considerations depending on your contract terms. Without org-level restrictions, you get engineers defaulting to the most powerful (and most expensive) model available because there's no friction stopping them. Beyond cost, there's a compliance dimension. Some enterprises have negotiated specific data processing agreements tied to particular model versions. An engineer switching to a newer model that falls outside that agreement creates a compliance gap your legal team will not enjoy discovering. Org-configured restrictions close that gap at the tooling layer. The competitive significance here is worth noting. GitHub Copilot has had organization-level policy controls for some time, and this has been a genuine advantage in enterprise sales conversations. Claude Code catching up on model governance removes a meaningful objection for CTOs evaluating the two tools head-to-head.

The third feature, mouse click support for selecting menus in permission prompts, is the least dramatic but consistently the most complained-about friction in day-to-day Claude Code usage. Permission prompts requiring keyboard-only navigation in a world where developers are context-switching constantly created small but cumulative friction that added up to engineers finding workarounds or approving prompts too quickly without reading them. Mouse support in permission dialogs sounds trivial. It is not. The more friction you add to security prompts, the more developers either avoid the tool or click through without reading. Reducing interaction friction on permission prompts means engineers will actually engage with them, which is the intended security behavior. This is good UX serving security outcomes.

The enterprise AI coding tool landscape in 2026 has consolidated around a handful of serious contenders: GitHub Copilot, Cursor, Windsurf, and Claude Code. Each has a distinct positioning.

Claude Code's differentiated position is its terminal-native, agentic architecture. It's not an IDE plugin competing on autocomplete quality. It's an autonomous coding agent that executes multi-step tasks, which is exactly why credential isolation in the sandbox is a more pressing concern for Claude Code than for Copilot's suggestion-based model. Cursor and Windsurf are IDE-first tools with strong developer experience but limited enterprise governance features. They're winning individual developer adoption. Claude Code is increasingly making the case for enterprise deployment at the team and org level, and 2.1.187 is a deliberate step in that direction. GitHub Copilot remains the default choice for enterprises already deep in the Microsoft ecosystem, particularly those running Azure DevOps and GitHub Enterprise. The advantage is integration depth, not capability. Copilot's underlying model quality has consistently trailed Anthropic's best work, and the gap in agentic task completion is significant. For teams doing complex, multi-file refactors or infrastructure-as-code work, Claude Code's agentic execution delivers meaningfully better outcomes.

This release is not a "wait and see" situation. The security features in 2.1.187 are practical and deployable now. Here's the prioritized action list:

The AI coding tool market is not going to be won on raw benchmark performance. It's going to be won on enterprise readiness: governance, security, cost control, and compliance. Anthropic knows this, and 2.1.187 reflects a deliberate strategy to compete at the organizational deployment layer, not just the individual developer layer. The most important thing for engineering leaders to understand about this release is the signal it sends about Anthropic's product direction. Credential isolation and org-level model governance are not features that individual developers request. They're features that CTOs, VPs of Engineering, and security teams require before approving broad deployment. Anthropic is building the features that unlock enterprise scale, and they're doing it at a pace that should concern the incumbent tools. The teams that will win in the next 18 months are not the ones with the largest engineering headcounts. They're the ones with the best-equipped engineers running the best-governed AI tooling. A 12-person engineering team with Claude Code properly deployed across every workflow can outship a 60-person team that's still debating whether AI tools are "ready for production." The security controls in 2.1.187 are what "ready for production" looks like in practice. For engineering leaders who have been waiting for Claude Code to mature enough to trust at the enterprise level: 2.1.187 is a meaningful step in that direction. It won't be the last, but it's the one worth acting on now.

Primary source: Claude Code Changelog, version 2.1.187