Claude Code tightens controls, cuts startup lag

This is the kind of release that quietly moves a product from power-user favorite to something procurement can actually bless. The feature list is less flashy than a model launch, but it matters more for real adoption.

• –`managed-settings.d/` lets admins split policy into modular fragments, which is far less brittle than one giant config file for every team.
• –The security posture is getting stricter: fail-closed sandbox startup, deep-link registration control, subprocess env scrubbing, and managed-only permission/MCP rules all reduce accidental leaks and policy bypasses.
• –The performance work is practical, not cosmetic: Bedrock cold-start latency drops, `--resume` gets lighter, plugins load from disk cache, and `claude -p` saves startup time with unauthenticated HTTP/SSE MCP servers.
• –Fixes around session history, background agents, and policy enforcement matter because flaky automation is what makes teams distrust a CLI in CI or production-adjacent workflows.