github alexgreensh/token-optimizer v5.7.3

2 hours ago

Security hardening + post-merge fixes

Merges @GalitGal's security review (PR #35) with additional hardening from our own gauntlet.

From PR #35 (GalitGal)

  • Path cross-check for CLAUDE_PLUGIN_ROOT in bash_hook.py
  • Glob boundary filter in structure_replay.py
  • Interpreter allowlist in python-launcher.sh
  • Credential redaction before disk write in archive_result.py
  • Archive TTL cleanup (48h)
  • Sensitive path filter in context_intel.py
  • UUID fallback for session isolation
  • proc.poll() guard before proc.kill()

Post-merge hardening

  • Python 3.9+ minimum: bumped from 3.8 (is_relative_to requires 3.9)
  • Brew allowlist hardened: replaced dynamic brew --prefix (circular trust) with hardcoded paths
  • Archive cleanup moved: runs only when archiving, not on every PostToolUse
  • SQLite preview redacted: compressed_preview now uses redacted response
  • Safe root validated: TOKEN_OPTIMIZER_SAFE_ROOT must be within ~/.claude
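The two "Safe root validated" and "Python 3.9+ minimum" items both come down to one check: decide whether a user-supplied path really lies inside an allowed directory, which is what Path.is_relative_to (new in Python 3.9) gives you. The following is an added illustration written for these notes, not code from the token-optimizer project; the function names are hypothetical, the sample paths are constructed, and the only assumption taken from the release notes is that an override from TOKEN_OPTIMIZER_SAFE_ROOT must resolve to a location under ~/.claude.

```python
from pathlib import Path

# Added example (hypothetical helper names, not the project's own code).
# Both paths are fully resolved before comparison so that '..' segments and
# symlinks cannot be used to step outside the root.


def is_within(candidate, root) -> bool:
    """True if `candidate` resolves to `root` itself or somewhere beneath it."""
    root_p = Path(root).expanduser().resolve()
    cand_p = Path(candidate).expanduser().resolve()
    # Path.is_relative_to exists only on Python 3.9+, hence the minimum-version bump.
    return cand_p.is_relative_to(root_p)


def naive_prefix_check(candidate, root) -> bool:
    """Shown for contrast only: a plain string-prefix test accepts sibling
    directories such as '~/.claude-evil' and never normalises '..'."""
    return str(candidate).startswith(str(root))


def validate_safe_root(env_value, home) -> Path:
    """Pick the safe root to use.

    `env_value` stands for the content of TOKEN_OPTIMIZER_SAFE_ROOT (empty or
    None means "not set"); `home` is the user's home directory. An override is
    accepted only if it resolves to a path inside <home>/.claude, otherwise a
    ValueError is raised and the caller falls back to the default.
    """
    default = (Path(home) / ".claude").resolve()
    if not env_value:
        return default
    if not is_within(env_value, default):
        raise ValueError(
            f"TOKEN_OPTIMIZER_SAFE_ROOT must be within {default}, got {env_value!r}"
        )
    return Path(env_value).expanduser().resolve()


if __name__ == "__main__":
    # Constructed sample values; nothing here needs to exist on disk.
    home = "/srv/home/u"
    root = f"{home}/.claude"
    for probe in (f"{root}/archive", f"{root}-evil", f"{root}/../secrets"):
        print(f"{probe:32} is_within={is_within(probe, root)!s:5} "
              f"prefix_check={naive_prefix_check(probe, root)}")
    print("default safe root:", validate_safe_root("", home))
    try:
        validate_safe_root("/tmp/elsewhere", home)
    except ValueError as exc:
        print("rejected:", exc)
```

Resolving both sides first is the important detail: comparing unresolved strings lets a sibling directory that merely shares the prefix, or a path containing "..", pass the check, while the resolved comparison rejects both.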
