cc-cream 0.1.16 → 0.1.18

package/CHANGELOG.md

@@ -4,6 +4,27 @@ All notable changes to cc-cream are documented here. Format follows
 [Keep a Changelog](https://keepachangelog.com/en/1.1.0/); versions follow
 [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.18] — 2026-05-29
+
+### Security
+- **Status-line text is now stripped of terminal control characters before output.** Three stdin-derived fields — `model.display_name`, `session_name`, and `effort.level` — were written to the terminal verbatim on every render. Because `session_name` can be derived from conversation content (which may include untrusted material), an embedded ANSI/OSC escape sequence would have been interpreted by the terminal (window-title/clipboard rewrites via OSC, or cursor/erase sequences that spoof or hide output). `paint()` now passes every segment through a `sanitize()` pass that drops C0/C1 control bytes (incl. ESC, BEL, DEL) while preserving the tool's own color codes, which are added afterward. The bar is purely visual, so the strip is lossless.
+- **A crafted `session_id` can no longer corrupt the session-state map.** `session_id` is used as an object key; values of `__proto__`/`constructor`/`prototype` are now rejected in `getSessionState`/`patchSessionState`, and reads use `Object.hasOwn`.
+
+### Fixed
+- **Writes to `settings.json` (and the state file) are now atomic.** `install.js`, the `SessionStart` auto-setup hook, and `state.js` wrote via a direct `writeFileSync` over the live file; an interruption (crash, `ENOSPC`) mid-write could truncate `settings.json` and erase the user's permissions/hooks/plugins/MCP config — the very loss `readSettings` works to avoid. They now write a sibling temp file and `rename` it over the target (atomic within a filesystem; the temp shares the target's directory so the rename never crosses devices).
+- **The plugin auto-update command now quotes the node binary path** (`exec "${nodePath}"`), so a node path containing spaces no longer breaks the status line.
+
+### Changed
+- **The session-state map is capped at 50 entries**, evicting the least-recently-touched sessions. It previously gained one key per `session_id` and was never pruned, growing without bound.
+
+## [0.1.17] — 2026-05-29
+
+### Fixed
+- **`cc-cream-setup` and the `/cc-cream:*` slash commands silently did nothing when `~/.claude` is a symlink.** `install.js` had the same symlink-fragile entrypoint guard fixed in the renderer for 0.1.16 (`import.meta.url` is canonicalized by Node's ESM loader; `process.argv[1]` is not), so running it from a symlinked path skipped `main()` entirely — exit 0, no output, settings.json untouched. The "am-I-the-entrypoint?" check is now a single symlink-robust helper (`isEntrypoint` in `src/utils.js`) shared by both `cc-cream.js` and `install.js`. Caught by the new install-journey smoke tests.
+
+### Added
+- **End-to-end install/uninstall journey smoke tests** (`features/27-install-journey.feature`, CREAM-fxsusmgd). They stage a real plugin cache the way `/plugin install` lays it out, run the actual `SessionStart` hook and `install.js` as child processes, and execute the baked statusLine command through `sh -c` exactly as Claude Code does — guarding the *seams* unit specs can't: cache layout, the settings.json lifecycle, command order, the empty-cache guard (0.1.15), and symlinked config dirs (0.1.16). CI-safe; no live `claude` CLI needed.
+
 ## [0.1.16] — 2026-05-29
 
 ### Fixed
@@ -134,6 +155,8 @@ line and prints a colored ≤3-row bar — zero tokens, the model never sees it.
 - Supports **macOS and Linux**; Windows is a planned fast-follow.
 - Requires Claude Code **2.1.132+** (`effort` / `thinking` need 2.1.145+).
 
+[0.1.18]: https://github.com/bart-turczynski/cc-cream/compare/v0.1.17...v0.1.18
+[0.1.17]: https://github.com/bart-turczynski/cc-cream/compare/v0.1.16...v0.1.17
 [0.1.16]: https://github.com/bart-turczynski/cc-cream/compare/v0.1.15...v0.1.16
 [0.1.15]: https://github.com/bart-turczynski/cc-cream/compare/v0.1.14...v0.1.15
 [0.1.6]: https://github.com/bart-turczynski/cc-cream/compare/v0.1.5...v0.1.6

package/README.md

@@ -1,5 +1,11 @@
 # cc-cream
 
+[![CI](https://img.shields.io/github/actions/workflow/status/bart-turczynski/cc-cream/ci.yml?branch=main&label=CI)](https://github.com/bart-turczynski/cc-cream/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/cc-cream)](https://www.npmjs.com/package/cc-cream)
+[![Socket Badge](https://socket.dev/api/badge/npm/package/cc-cream)](https://socket.dev/npm/package/cc-cream)
+[![install size](https://img.shields.io/bundlephobia/minzip/cc-cream)](https://bundlephobia.com/package/cc-cream)
+[![License: MIT](https://img.shields.io/npm/l/cc-cream)](https://github.com/bart-turczynski/cc-cream/blob/main/LICENSE)
+
 **C.R.E.A.M. — Cache Rules Everything Around Me.**
 
 A lightweight status-line tool for [Claude Code](https://claude.com/claude-code)
@@ -116,6 +122,13 @@ The installer:
 After install, Claude Code must be **trusted** for the directory (if prompted),
 and you may need to **restart** it for the bar to appear.
 
+> **Pick one install method.** If you wire cc-cream via npm/manual (Options 2–3)
+> and *then* install the plugin, the plugin won't take over the existing wiring —
+> it points at your home copy, so `/plugin update` won't auto-update the bar. To
+> switch to the auto-updating plugin, run `/cc-cream:setup` (or `cc-cream-setup
+> --uninstall` first). Nothing breaks either way; it just stays on whichever
+> method wired it.
+
 ### Uninstall
 
 Plugin users — two steps, **in this order** (Claude Code can't clean

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-cream",
-  "version": "0.1.16",
+  "version": "0.1.18",
   "description": "Claude Code cache/context/cost status-line tool",
   "directories": {
     "doc": "docs"

package/src/cc-cream.js

@@ -3,11 +3,9 @@
 // Reads the session JSON Claude Code pipes on stdin and prints a colored
 // <=3-row bar. Hard rule: degrade, never crash.
 
-import { realpathSync } from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
 import process from 'node:process';
-import { fileURLToPath, pathToFileURL } from 'node:url';
 import { loadConfig, readConfigFile } from './config.js';
 import { render } from './render.js';
 import {
@@ -17,6 +15,7 @@ import {
   readState,
   writeState,
 } from './state.js';
+import { isEntrypoint } from './utils.js';
 
 export { DEFAULTS } from './defaults.js';
 export { loadConfig } from './config.js';
@@ -73,23 +72,9 @@ async function main() {
   process.exit(0);
 }
 
-// Robust "is this module the entrypoint?" check. Node's ESM loader canonicalizes
-// import.meta.url (symlinks resolved), but process.argv[1] stays as it was invoked.
-// A plain href comparison therefore fails silently when cc-cream runs from a
-// symlinked path — e.g. a ~/.claude managed by a dotfile manager (stow/chezmoi/yadm)
-// or synced via iCloud/Dropbox — skipping main() so the bar renders NOTHING with no
-// error. Comparing realpaths makes the symlinked and canonical paths match. Falls
-// back to the href comparison if realpath fails (e.g. a path that no longer exists).
-function isEntrypoint() {
-  const arg = process.argv[1];
-  if (!arg) return false;
-  try {
-    return realpathSync(fileURLToPath(import.meta.url)) === realpathSync(arg);
-  } catch {
-    return import.meta.url === pathToFileURL(arg).href;
-  }
-}
-
-if (isEntrypoint()) {
+// isEntrypoint (src/utils.js) is symlink-robust — see its comment. A plain
+// import.meta.url === pathToFileURL(argv[1]) check fails under a symlinked path and
+// renders nothing with no error.
+if (isEntrypoint(import.meta.url)) {
   main();
 }

package/src/install.js

@@ -14,7 +14,7 @@ import os from 'node:os';
 import path from 'node:path';
 import process from 'node:process';
 import readline from 'node:readline';
-import { pathToFileURL } from 'node:url';
+import { isEntrypoint } from './utils.js';
 
 const TRUST_NOTE =
   'Claude Code must be trusted and possibly restarted for the status line to appear.';
@@ -37,7 +37,7 @@ const TRUST_NOTE =
 // MODULE_NOT_FOUND on every render. "Degrade, never crash" (CLAUDE.md). `exec`
 // replaces the shell so stdin/stdout pass straight through to the renderer.
 export function autoUpdateCommand(nodePath) {
-  return `d="$(ls -1d "\${CLAUDE_CONFIG_DIR:-$HOME/.claude}"/plugins/cache/*/cc-cream/*/ 2>/dev/null | grep -E '/[0-9]+(\\.[0-9]+)+/$' | sort -V | tail -1)"; [ -z "$d" ] && exit 0; exec ${nodePath} "\${d}src/cc-cream.js"`;
+  return `d="$(ls -1d "\${CLAUDE_CONFIG_DIR:-$HOME/.claude}"/plugins/cache/*/cc-cream/*/ 2>/dev/null | grep -E '/[0-9]+(\\.[0-9]+)+/$' | sort -V | tail -1)"; [ -z "$d" ] && exit 0; exec "${nodePath}" "\${d}src/cc-cream.js"`;
 }
 
 // `desired` is considered already installed if it matches the planned command
@@ -143,6 +143,22 @@ function destinationPath() {
   return path.join(os.homedir(), '.claude', 'cc-cream', 'cc-cream.js');
 }
 
+// Write `contents` to `file` atomically: write a sibling temp file, then rename
+// over the target (rename is atomic within a filesystem). settings.json holds
+// the user's permissions/hooks/plugins/MCP config — a direct writeFileSync that
+// is interrupted (crash, ENOSPC) could truncate it and erase all of that. The
+// temp file shares the target's directory so the rename never crosses devices.
+export function writeFileAtomic(file, contents) {
+  const tmp = `${file}.tmp-${process.pid}`;
+  fs.writeFileSync(tmp, contents);
+  try {
+    fs.renameSync(tmp, file);
+  } catch (err) {
+    try { fs.rmSync(tmp, { force: true }); } catch {}
+    throw err;
+  }
+}
+
 // Read settings.json safely. A MISSING or empty file -> {} (fresh start, nothing
 // to lose). A file that exists with content but fails to parse, or parses to a
 // non-object, is REFUSED: we exit rather than overwrite and erase the user's
@@ -221,7 +237,7 @@ async function uninstall({ purge }) {
   const result = planUninstall(settings);
   for (const m of result.messages) console.log(m);
   if (result.changed) {
-    fs.writeFileSync(file, `${JSON.stringify(result.settings, null, 2)}\n`);
+    writeFileAtomic(file, `${JSON.stringify(result.settings, null, 2)}\n`);
     console.log(`\nUpdated ${file}.`);
   }
 
@@ -323,11 +339,14 @@ async function main() {
   for (const m of result.messages) console.log(m);
   if (result.changed) {
     fs.mkdirSync(path.dirname(file), { recursive: true });
-    fs.writeFileSync(file, `${JSON.stringify(result.settings, null, 2)}\n`);
+    writeFileAtomic(file, `${JSON.stringify(result.settings, null, 2)}\n`);
     console.log(`\nWrote ${file}.`);
   }
 }
 
-if (import.meta.url === pathToFileURL(process.argv[1] || '').href) {
+// isEntrypoint (src/utils.js) is symlink-robust: a plain href comparison fails when
+// install.js runs from a symlinked path (e.g. a dotfile-managed ~/.claude), which
+// would make `cc-cream-setup` / the slash commands silently do nothing.
+if (isEntrypoint(import.meta.url)) {
   main();
 }

package/src/state.js

@@ -1,6 +1,17 @@
 import fs from 'node:fs';
+import process from 'node:process';
 import { isNum, numOr } from './utils.js';
 
+// Cap on retained per-session entries. The state file gains one key per
+// session_id and is never otherwise pruned, so without a cap it grows without
+// bound. We keep the most-recently-touched sessions (by `ts`) and drop the rest.
+const MAX_SESSIONS = 50;
+
+// session_id is used as an object key. A value of __proto__/constructor/prototype
+// would mutate the object's prototype instead of storing data; reject those so a
+// crafted or poisoned id can't corrupt the session map.
+const isUnsafeKey = (k) => k === '__proto__' || k === 'constructor' || k === 'prototype';
+
 export function readState(stateFilePath) {
   try {
     const raw = fs.readFileSync(stateFilePath, 'utf8');
@@ -13,25 +24,45 @@ export function readState(stateFilePath) {
 }
 
 export function writeState(stateFilePath, state) {
+  // Atomic write: a direct writeFileSync interrupted mid-write (crash, ENOSPC)
+  // would truncate the state file. Write a sibling temp file, then rename over
+  // the target (atomic within a filesystem; the temp shares the target's dir so
+  // the rename never crosses devices). State is regenerable, so any failure
+  // degrades silently — a stateless render is fine.
+  const tmp = `${stateFilePath}.tmp-${process.pid}`;
   try {
-    fs.writeFileSync(stateFilePath, JSON.stringify(state));
+    fs.writeFileSync(tmp, JSON.stringify(state));
+    fs.renameSync(tmp, stateFilePath);
   } catch {
-    // degrade silently — stateless render is fine
+    try { fs.rmSync(tmp, { force: true }); } catch {}
   }
 }
 
 export function getSessionState(state, sessionId) {
-  if (!sessionId || typeof sessionId !== 'string') return null;
+  if (!sessionId || typeof sessionId !== 'string' || isUnsafeKey(sessionId)) return null;
   const sessions = state?.sessions;
   if (!sessions || typeof sessions !== 'object') return null;
-  return sessions[sessionId] ?? null;
+  return Object.hasOwn(sessions, sessionId) ? sessions[sessionId] : null;
+}
+
+// Keep at most MAX_SESSIONS entries, evicting the lowest `ts` (oldest touched)
+// first. Sessions without a numeric ts sort oldest.
+function prune(sessions) {
+  const keys = Object.keys(sessions);
+  if (keys.length <= MAX_SESSIONS) return sessions;
+  const keep = keys
+    .sort((a, b) => numOr(sessions[b]?.ts, 0) - numOr(sessions[a]?.ts, 0))
+    .slice(0, MAX_SESSIONS);
+  const out = {};
+  for (const k of keep) out[k] = sessions[k];
+  return out;
 }
 
 export function patchSessionState(state, sessionId, patch) {
-  if (!sessionId || typeof sessionId !== 'string') return state;
+  if (!sessionId || typeof sessionId !== 'string' || isUnsafeKey(sessionId)) return state;
   const sessions = { ...(state?.sessions ?? {}) };
   sessions[sessionId] = { ...(sessions[sessionId] ?? {}), ...patch };
-  return { ...state, sessions };
+  return { ...state, sessions: prune(sessions) };
 }
 
 export function nextSessionPatch(data, prevSessionState, cfg, now) {

package/src/utils.js

@@ -1,5 +1,25 @@
+import { realpathSync } from 'node:fs';
+import process from 'node:process';
+import { fileURLToPath, pathToFileURL } from 'node:url';
 import { ANSI } from './defaults.js';
 
+// Robust "is this module the process entrypoint?" check, shared by every module
+// that may run both as a script and as an import (cc-cream.js, install.js). Node's
+// ESM loader canonicalizes import.meta.url (symlinks resolved) but leaves
+// process.argv[1] as-invoked, so a plain href comparison fails when the module runs
+// from a symlinked path — e.g. a ~/.claude managed by a dotfile manager
+// (stow/chezmoi/yadm) or synced via iCloud/Dropbox — silently skipping main().
+// Comparing realpaths fixes it; falls back to the href compare if realpath throws
+// (e.g. a path that no longer exists). Pass the caller's import.meta.url.
+export function isEntrypoint(metaUrl, arg = process.argv[1]) {
+  if (!arg) return false;
+  try {
+    return realpathSync(fileURLToPath(metaUrl)) === realpathSync(arg);
+  } catch {
+    return metaUrl === pathToFileURL(arg).href;
+  }
+}
+
 export const clone = (o) => JSON.parse(JSON.stringify(o));
 export const isNum = (v) => typeof v === 'number' && Number.isFinite(v);
 export const numOr = (v, d) => (isNum(v) ? v : d);
@@ -12,8 +32,19 @@ export function fmtNum(n, mode) {
   return String(n);
 }
 
+// Strip C0/C1 control characters (incl. ESC, BEL, DEL) from any text bound for
+// the terminal. stdin fields like session_name, model.display_name, and
+// effort.level are echoed into the status line verbatim; without this, escape
+// sequences smuggled into them would be interpreted by the terminal (title/OSC
+// rewrites, clipboard writes, cursor moves that spoof or hide output). The bar
+// is purely visual, so dropping control bytes is lossless. The tool's own ANSI
+// color codes are added AFTER sanitizing, so they survive.
+// biome-ignore lint/suspicious/noControlCharactersInRegex: stripping control bytes is the intent
+const sanitize = (text) => String(text).replace(/[\x00-\x1f\x7f-\x9f]/g, '');
+
 export function paint(text, color) {
-  return color && ANSI[color] ? `${ANSI[color]}${text}\x1b[0m` : text;
+  const clean = sanitize(text);
+  return color && ANSI[color] ? `${ANSI[color]}${clean}\x1b[0m` : clean;
 }
 
 // 3-arg form: band(value, amber, red) — used by ttl / rate limits.