github Yeachan-Heo/oh-my-claudecode v3.7.1
v3.7.1 - Security and Stability Bugfixes

3 months ago

Security & Stability Fixes

Daemon Credential Leakage Prevention (#155)

  • New createMinimalDaemonEnv() with allowlist-based environment filtering
  • Blocks ANTHROPIC_API_KEY, GITHUB_TOKEN, AWS credentials from daemon subprocess
  • Adds proxy variable support (HTTP_PROXY, HTTPS_PROXY, NO_PROXY)
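
A sketch of allowlist-based environment filtering for a child process, added here as an example; it is not the project's createMinimalDaemonEnv() code. The helper names, the allowlist contents other than the three proxy variables, and the sample environment are assumptions made for illustration.

```javascript
// Allowlist of variable names the child may inherit. This list is an
// assumption for illustration; the proxy names come from the release notes.
const ALLOWED_ENV = new Set([
  'PATH', 'HOME', 'USER', 'SHELL', 'LANG', 'TERM', 'TMPDIR',
  'USERPROFILE', 'SYSTEMROOT', 'TEMP', 'TMP', 'PATHEXT', 'COMSPEC', // Windows
  'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY',
]);

// Case-insensitive match: proxy variables are often lowercase on Unix and
// Windows treats environment variable names as case-insensitive.
function isAllowed(name) {
  return ALLOWED_ENV.has(name.toUpperCase());
}

// Hypothetical helper: copy only allowlisted entries into a fresh object.
// Anything not listed is dropped, including secrets nobody anticipated.
function buildMinimalEnv(parentEnv) {
  const env = {};
  for (const [name, value] of Object.entries(parentEnv)) {
    if (typeof value === 'string' && isAllowed(name)) env[name] = value;
  }
  return env;
}

// Names withheld from the child, for audit logging. Names only, never values.
function droppedNames(parentEnv) {
  return Object.keys(parentEnv).filter((n) => !isAllowed(n)).sort();
}

// Constructed sample parent environment; all values are placeholders.
const sampleParentEnv = {
  PATH: '/usr/bin:/bin',
  HOME: '/home/dev',
  https_proxy: 'http://proxy.example:3128',
  ANTHROPIC_API_KEY: 'placeholder-not-a-real-key',
  GITHUB_TOKEN: 'placeholder-not-a-real-token',
  AWS_SECRET_ACCESS_KEY: 'placeholder-not-a-real-secret',
  UNLISTED_SERVICE_TOKEN: 'placeholder-unknown-to-any-denylist',
};

const childEnv = buildMinimalEnv(sampleParentEnv);
console.log('child env keys:', Object.keys(childEnv));
console.log('withheld:', droppedNames(sampleParentEnv));
// Pass the result explicitly when spawning, e.g.
// spawn(cmd, args, { env: childEnv }), so process.env is not inherited.
```

Proxy URLs can carry embedded user:password credentials, so letting the proxy variables through still warrants a check on what they contain.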

Permission Handler Cleanup (#157)

  • Removed unreachable dead code block (isActiveModeRunning && isSafeCommand)
  • Added swarm-active.marker detection for swarm mode auto-approval
  • Generic .marker suffix support for future marker-based state files

Subagent Tracker CPU Fix (#159)

  • Replaced CPU-spinning busy-wait loops with Atomics.wait-based syncSleep
  • Fixed race condition in cleanupStaleAgents with proper lock acquisition
  • Complete state path migration to .omc/state/ across all hooks and templates

Session End JSON Validation (#161)

  • Removed hookSpecificOutput with unrecognized SessionEnd event name
  • Fixes JSON validation errors on every session exit
  • Metrics still persist to disk, cleanup still runs

Cross-Platform Date Conversion (#151)

  • New iso_to_epoch() function with GNU/BSD date fallback chain
  • Safer jq usage with // empty for missing timestamps

Cleanup

  • Removed submodule artifacts (omc-pr134, omc-pr135)
  • Removed benchmark cache and pycache files
  • Closed PR #153 (superseded by upcoming PR #158)

Remaining: PR #158 (extended DANGEROUS_SHELL_CHARS regex) requires cleanup before merge - will be included in v3.7.2.

Full Changelog: v3.7.0...v3.7.1
