You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix: hunter — Windows App Store paths and cross-platform credential scan
Fix 1 (Windows): Add glob expansion in _get_known_paths() for Microsoft Store
(UWP) Claude Desktop. Path pattern Packages/Claude_*/LocalCache/Roaming/Claude/
claude_desktop_config.json covers any signing-cert hash suffix without hardcoding.
Fix 2 (Windows): Add LOCALAPPDATA to _get_config_roots() so the targeted glob
also searches %LocalAppData% in balanced/deep modes, covering apps that store
configs under LocalAppData rather than Roaming AppData.
Fix 3 (all platforms): Scan full file text for credentials before the mcpServers
gate in _scan_config_file(). Credentials in ~/.claude/settings.json env blocks
or other non-mcpServers structures are now reported as a PlaintextCredential
finding even when no MCP servers are declared in the file.
Fix 4 (Windows): In _exhaustive_crawl(), explicitly walk %LOCALAPPDATA%\Packages\
before the main home-dir walk. AppData remains in SKIP_DIRS (prevents thrashing
node_modules/site-packages) but UWP Store app configs are now reachable in deep mode.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>