@leo000001/claude-code-mcp 1.5.0 → 1.7.0

package/SECURITY.md CHANGED
@@ -18,9 +18,9 @@ We aim to acknowledge reports within 48 hours and provide a fix or mitigation pl
18
18
 
19
19
  ## Security Considerations
20
20
 
21
- - `bypassPermissions` mode is disabled by default and requires explicit opt-in via the `claude_code_configure` tool at runtime
21
+ - This server uses an async permission flow: when a tool call needs approval, the session pauses (`waiting_permission`) and surfaces requests via `claude_code_check` (`actions[]`). Callers must explicitly approve/deny via `respond_permission`.
22
22
  - The MCP server uses the Claude Agent SDK's bundled CLI (`cli.js`), not the system-installed `claude` binary
23
23
  - Session metadata is held in-memory only and is not persisted to disk by the MCP server (the SDK's CLI persists conversation history separately)
24
- - Disk resume is disabled by default. If you set `CLAUDE_CODE_MCP_ALLOW_DISK_RESUME=1`, the server may resume sessions from the CLI's on-disk transcript even if in-memory metadata is missing.
25
- - `claude_code_session` redacts sensitive fields by default; `includeSensitive` requires `CLAUDE_CODE_MCP_ALLOW_SENSITIVE_SESSION_DETAILS=1`
24
+ - Disk resume is disabled by default (`CLAUDE_CODE_MCP_ALLOW_DISK_RESUME=0`). If you set `CLAUDE_CODE_MCP_ALLOW_DISK_RESUME=1`, disk resume fallback also requires `CLAUDE_CODE_MCP_RESUME_SECRET` (default: unset) and a valid `resumeToken` from `claude_code`/`claude_code_reply`.
25
+ - `claude_code_session` redacts sensitive fields (cwd, systemPrompt, agents, additionalDirectories) by default; use `includeSensitive=true` to include them
26
26
  - Sessions auto-expire after 30 minutes of inactivity
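Review bot: The rewritten `claude_code_session` bullet no longer mentions `CLAUDE_CODE_MCP_ALLOW_SENSITIVE_SESSION_DETAILS=1`, so the document now reads as if any caller can get cwd, systemPrompt, agents and additionalDirectories just by passing `includeSensitive=true`. If that operator-side gate was removed on purpose, say so in this bullet and state what now limits access to those fields; if it still exists, keep the requirement in the text. Two smaller gaps in the same hunk: the removed `bypassPermissions` bullet is replaced by a description of the async permission flow that does not say whether `bypassPermissions` still exists or remains off by default, and the disk-resume bullet gives `CLAUDE_CODE_MCP_RESUME_SECRET` as "default: unset" without stating what happens when `CLAUDE_CODE_MCP_ALLOW_DISK_RESUME=1` is set and the secret is missing. A sentence confirming that disk resume is refused in that case would make the fail-closed behaviour explicit.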