github alexgreensh/token-optimizer v5.11.38

3 hours ago

Token Optimizer v5.11.38

Reliability + security release. Merges two community PRs (with hardening), lands a verified-safe subset of a third, and closes out two long-running cross-runtime issues.

Security

  • Redact credentials in URL parameters (community PR #84, @nointerview1548). Secrets passed as URL query/matrix/fragment params (?token=, ?api_key=, ;password=, #access_token=, and more) are now redacted before anything is written to the read cache or tool archive. Hardened beyond the original PR: OAuth implicit-flow fragment tokens, additional param names (password/secret/client_secret/refresh_token/session_token/sig/signature/authorization/…), and a fix so a secret containing a [ is redacted whole instead of leaking past the bracket. 23 credential pattern types total.

Copilot (issue #78)

  • Fixed the capability matrix getting stuck at "unknown" on Windows/WSL. copilot --version can't resolve in the WSL-root install/hook environment, which was gating postToolUse context injection (and more) off on fully capable CLIs. The runtime no longer downgrades a known-good matrix on a failed probe, and copilot-doctor now self-heals by reseeding the version it resolves natively.

OpenCode (issue #57)

  • Fixed the slash-command / skill runtime detection reaching into ~/.claude under OpenCode on hosts that also have Claude Code or Codex installed. The preamble now detects OpenCode (env signals ahead of directory heuristics), searches the OpenCode plugin cache for its scripts, and stops hardcoding the Codex runtime on the run line. Covers /quick, /health, and the token-coach / fleet-auditor / token-dashboard skills.

Performance

  • Hook dispatch via module_runner.py (community PR #85, @danikdanik) so CPython reuses __pycache__ bytecode instead of recompiling measure.py on every hook call (~55% cut on the PostToolUse hot path). Hardened with defense-in-depth path validation and a signal when the plugin dir is read-only.
  • Async hooks (from community PR #86, @danikdanik — reduced, verified-safe subset). Non-blocking on checkpoint-trigger, compact-capture, archive_result (non-MCP), and context_intel. The quality-cache / read-cache / keepwarm flips were kept synchronous to avoid dropping quality warnings and cache-ordering races.

Thanks to @nointerview1548, @danikdanik, @GuyKh, and @assafbem — this release is the direct result of their reports, PRs, and detailed traces.

Don't miss a new token-optimizer release

NewReleases is sending notifications on new releases.