Added
- CC-SET-014: autoMode Setting Ignored in settings.local.json (#1203). Claude Code v2.1.207 stopped reading
autoModefrom repo-resident.claude/settings.local.json; the new rule warns when the key is present there so users move it to~/.claude/settings.json. - CC-SET-015: Dead pluginConfigs in Project-Level Settings (#1203). Claude Code v2.1.207 removed support for
pluginConfigsin project-level.claude/settings.jsonand.claude/settings.local.json; plugin option values are now only read from user settings,--settingsfiles, and managed settings. The new rule warns on presence in the wrong tier. - CC-HK-028: Rejected user_config Interpolation in Shell-Form Command (#1203). Claude Code v2.1.207 rejects
${user_config.*}in shell-form hook command strings at load time as a shell-injection fix; the rule flags (error) any command string containing the pattern and directs users to$CLAUDE_PLUGIN_OPTION_<KEY>or environment-passing instead. Rule count 432 → 435.
Changed
- Tool release baselines (2026-07-15 sweep). Advanced Claude Code to
v2.1.207, Cline tocli-v3.0.40, Codex CLI torust-v0.144.4, Cursor to3.11.19, and OpenCode tov1.17.20(closes #1198 through #1202); the three rule-worthy v2.1.207 changes landed as CC-SET-014/015 and CC-HK-028 above. - Tool release baselines. Triaged the current release-watch batch and advanced Claude Code to
v2.1.206, Codex CLI torust-v0.144.1, OpenCode tov1.17.18, Kiro CLI to2.12.0, Cline tocli-v3.0.39, Cursor to3.11.13, amp tothe-dial, and Gemini CLI tov0.50.0(closes #1181 through #1188). Releases without validated schema changes were classified as runtime, UI, provider, packaging, or news updates.
Fixed
- Rust 1.97 CI compatibility. Apply the new Clippy simplifications in YAML parsing and CLI result destructuring so the warnings-denied Linux gate remains clean.
- Crossbeam advisory remediation. Update the locked
crossbeam-epochdependency to0.9.20, resolving RUSTSEC-2026-0204 in both dependency security gates. - Codex 0.144.1 config compatibility. Accept the current feature and MCP server keys, including session authentication, and recognize the managed
marketplacesrequirements table so valid Codex configuration no longer triggers unknown-key diagnostics. - Kiro 2.12 OAuth validation. Treat
oauth.clientIdas optional for Dynamic Client Registration, validate the newclientSecret,redirectUri, andoauthScopesfields, and enforce documented HTTP loopback redirect forms. - Locale mirror parity. Reconcile the canonical locale files with recently added panic, config-load, and hook-timeout messages, then resync all crate-local copies so the locale parity gate passes on Linux.