
Claude Code Ships Security-Guidance Plugin for All Users
A new security-guidance plugin is now available to all Claude Code users via the plugin marketplace (/plugins). It identifies and surfaces vulnerabilities inline as you write code.

Teams can add a claude-security-guidance.md file to their repo (or push it via MDM) to layer org-specific security rules on top of the plugin's built-in checks.
Internal rollout at Anthropic showed a 30-40% drop in security-related PR review comments when the plugin was used. It's designed as a lightweight first pass before full human review, not a replacement.
The plugin runs checks at three points: on file edits (flagging risky patterns and dangerous libraries), after model turns (reviewing the full diff for subtler issues), and on commits (reading surrounding context to validate potential vulnerabilities).

Something is coming June 9. The image is the only real signal here; the tweet itself is just a date and the word "soon."
A thread summarizing the full set of recent responsiveness and reliability improvements shipped to Claude Code, covering the TUI renderer, compaction, MCP, error messages, streaming, and session recovery.
The new full-screen renderer, which eliminates screen flickering, has received environment and terminal compatibility fixes. It can be toggled with /tui feedback and is coming as the default soon.
Thinking and tool calls are now streamed as they happen, and several bugs that made it look like Claude had hung (when it was actually just thinking) have been resolved.
Compaction now displays a progress indicator, and the "prompt too long" error that previously blocked compaction has been fixed. More speed improvements are still rolling out.
Images or media files that were too large or unreadable used to require a full session restart. Sessions now detect the problem and recover automatically.
Several root causes behind errors like "tool result doesn't match tool use" have been identified and fixed. Remaining error messages have been rewritten to be more readable and actionable.
A round of fixes addresses MCP connection failures, OAuth flow breakages, and proxy rate-limiting issues that had been making the integration unreliable.
The /feedback command lets you attach the last day or week of sessions in one go, so you no longer have to hunt down which specific session contained the bug you wanted to report.