Skip to content

v0.1.1 — body/URL redaction (security fix)

Choose a tag to compare

@lroolle lroolle released this 06 Jul 09:58

Security fix

Header-only redaction could persist a live OAuth token. Claude Code refreshes its credential ~hourly against a host cctrace intercepts, and the refresh_token/access_token ride in the response body (auth codes in the URL), not the header — so a trace that crossed a refresh wrote a live token into the .html the UI invites you to share.

v0.1.1 redacts bodies and URLs too, at a single choke point (src/redact.ts) across all capture modes (mitm / base-url / node), so the .jsonl, the shareable .html, and the live WebSocket all get redacted data.

If you ran v0.1.0 and shared any trace, re-authenticate Claude Code (/login) to rotate the token.

Also in this release

  • Drop SSL_CERT_FILE / HTTP_PROXY from Claude's env — they leaked into its subprocesses (curl/python/MCP) and broke their networking. NODE_EXTRA_CA_CERTS alone suffices (verified against the real 2.1.201 binary).
  • Record empty-body responses (204/304, 3xx redirects) instead of dropping them.
  • 0600 perms on the MITM CA/leaf keys.
  • Cross-platform browser open; --mode now errors on typos.
  • Bilingual README (English + 简体中文), positioning table, branded preview asset.
  • SECURITY.md, CONTRIBUTING.md, CI (bun test), issue/PR templates.

Full notes in CHANGELOG.md.