v0.1.1 — body/URL redaction (security fix)
Security fix
Header-only redaction could persist a live OAuth token. Claude Code refreshes its credential ~hourly against a host cctrace intercepts, and the refresh_token/access_token ride in the response body (auth codes in the URL), not the header — so a trace that crossed a refresh wrote a live token into the .html the UI invites you to share.
v0.1.1 redacts bodies and URLs too, at a single choke point (src/redact.ts) across all capture modes (mitm / base-url / node), so the .jsonl, the shareable .html, and the live WebSocket all get redacted data.
If you ran v0.1.0 and shared any trace, re-authenticate Claude Code (
/login) to rotate the token.
Also in this release
- Drop
SSL_CERT_FILE/HTTP_PROXYfrom Claude's env — they leaked into its subprocesses (curl/python/MCP) and broke their networking.NODE_EXTRA_CA_CERTSalone suffices (verified against the real 2.1.201 binary). - Record empty-body responses (204/304, 3xx redirects) instead of dropping them.
0600perms on the MITM CA/leaf keys.- Cross-platform browser open;
--modenow errors on typos. - Bilingual README (English + 简体中文), positioning table, branded preview asset.
SECURITY.md,CONTRIBUTING.md, CI (bun test), issue/PR templates.
Full notes in CHANGELOG.md.