oh-my-claudecode v4.8.0
Highlights
- Tracer Agent & Trace Skill — Evidence-driven causal tracing with competing hypotheses, evidence ranking, and discriminating probe recommendations
- Security Hardening — 21 security vulnerabilities patched including SSRF, command injection, prototype pollution, and shell injection
- HUD Token Usage Tracking — Real-time token usage display in HUD with optional transcript token totals
- OMX Team Governance Backport — Hardened team runtime with leader nudge guidance and governance enforcement
- AI-Slop-Cleaner Skill Hardening — Refreshed guidance for cleaning AI-generated code slop (#1604)
New Features
- Tracer agent and trace skill for systematic root-cause analysis (#1568)
- HUD real-time token usage tracking (#1589, #1592)
- Unified MCP registry sync to codex config (#1579)
- Verilog/SystemVerilog LSP support (#1551)
- Team governance enforcement and leader nudge guidance (#1584)
Security Fixes
- Patch 21 security vulnerabilities and logic bugs (#1558):
- SSRF guard bypass via IPv6-mapped IPv4 addresses
- Command injection in tmux launchCmd
- Prototype pollution in deepMerge
- Shell injection in tsc-runner
- And 17 additional security and logic issues
Bug Fixes
- Windows hook paths with spaces (#1602, #1603)
- ExitPlanMode context safety (#1597, #1598)
- Codex worker status sync (#1593, #1594)
- Various team runtime and hook fixes
Contributors
Thanks to all contributors for this release:
- @Yeachan-Heo (features, fixes, release)
- @riftzen-bit (security patch #1558)
- @2233admin (OMX runtime hardening #1584)
- @Gdm0714 (notification fixes #1596)
- @Wooklae-cho (Verilog LSP support #1551)
Install / Update
npm install -g oh-my-claude-sisyphus@4.8.0Or reinstall the plugin:
claude /install-plugin oh-my-claudecodeFull Changelog: v4.7.10...v4.8.0