claude-pace 0.7.1 → 0.7.3

package/README.md

@@ -57,6 +57,14 @@ Restart Claude Code. Done.
 
 To remove: delete the `statusLine` block from `~/.claude/settings.json`.
 
+## Upgrade
+
+- **Plugin:** `/claude-pace:setup` (pulls the latest from GitHub)
+- **npx:** `npx claude-pace@latest`
+- **Manual:** Re-run the `curl` command above.
+
+Release notifications: Watch this repo → Custom → Releases.
+
 ## How It Compares
 
 |  | claude-pace | Node.js/TypeScript statuslines | Rust/Go statuslines |
@@ -80,11 +88,17 @@ Claude Code polls the statusline every ~300ms:
 |------|--------|-------|
 | Model, context, cost | stdin JSON (single `jq` call) | None needed |
 | Quota (5h, 7d, pace) | stdin `rate_limits` (CC >= 2.1.80) | None needed (real-time) |
-| Quota fallback | Anthropic Usage API (CC < 2.1.80) | `/tmp`, 300s TTL, async background refresh |
-| Git branch + diff | `git` commands | `/tmp`, 5s TTL |
+| Quota fallback | Anthropic Usage API (CC < 2.1.80) | Private cache dir, 300s TTL, async background refresh |
+| Git branch + diff | `git` commands | Private cache dir, 5s TTL |
 
 On Claude Code >= 2.1.80, usage data comes directly from stdin. No network calls. On older versions, it falls back to the Usage API in a background subshell so the statusline never blocks.
 
+Cache files live in a private per-user directory (`$XDG_RUNTIME_DIR/claude-pace` or `~/.cache/claude-pace`, mode 700). All cache reads are validated before use. No files are ever written to shared `/tmp`.
+
+## Also by the Author
+
+[**diffpane**](https://github.com/Astro-Han/diffpane) - Real-time TUI diff viewer for AI coding agents. See what Claude Code changes as it happens.
+
 ## License
 
 MIT

package/claude-pace.sh

@@ -94,6 +94,7 @@ _CD="" CACHE_OK=0
 for _BASE in "${XDG_RUNTIME_DIR:-}" "${HOME}/.cache"; do
   [ -n "$_BASE" ] || continue
   _CAND="${_BASE%/}/claude-pace"
+  # shellcheck disable=SC2174  # -p only creates leaf here; parent already exists
   [ -e "$_CAND" ] || mkdir -p -m 700 "$_CAND" 2>/dev/null || continue
   _cache_dir_ok "$_CAND" || continue
   _CD="$_CAND"
@@ -148,7 +149,7 @@ for ((i = F; i < 10; i++)); do BAR+='░'; done
 # Atomic write: write to a temp file first, then mv to avoid partial reads.
 BR="" FC=0 AD=0 DL=0
 if [[ "$CACHE_OK" == "1" ]]; then
-  GC="${_CD}/claude-sl-git-${DIR//[^a-zA-Z0-9]/_}"
+  GC="${_CD}/claude-sl-git-$(printf '%s' "$DIR" | { shasum 2>/dev/null || sha1sum; } | cut -c1-16)"
   if _stale "$GC" 5; then
     if _collect_git_info; then
       _write_cache_record "$GC" "$BR" "$FC" "$AD" "$DL"
@@ -201,8 +202,8 @@ if [[ "$HAS_RL" == "1" ]]; then
   RM5=$(_minutes_until "$R5")
   RM7=$(_minutes_until "$R7")
   # Extra usage (XO/XU/XL) only available via API fallback; stdin lacks this data
-else
-  # ── API fallback (remove when CC <2.1.80 no longer supported) ──
+elif [[ "${CLAUDE_PACE_API_FALLBACK:-1}" != "0" ]]; then
+  # ── API fallback (disable via CLAUDE_PACE_API_FALLBACK=0) ──
   UC="" UL=""
   [[ "$CACHE_OK" == "1" ]] && {
     UC="${_CD}/claude-sl-usage"
@@ -213,7 +214,7 @@ else
   # Check in order: env var → macOS Keychain → credentials file → secret-tool (Linux).
   _get_token() {
     [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ] && {
-      echo "$CLAUDE_CODE_OAUTH_TOKEN"
+      printf '%s' "$CLAUDE_CODE_OAUTH_TOKEN"
       return
     }
     local b=""
@@ -222,18 +223,30 @@ else
     [ -z "$b" ] && [ -f ~/.claude/.credentials.json ] && b=$(<~/.claude/.credentials.json)
     [ -z "$b" ] && command -v secret-tool >/dev/null &&
       b=$(timeout 2 secret-tool lookup service "Claude Code-credentials" 2>/dev/null)
-    [ -n "$b" ] && jq -r '.claudeAiOauth.accessToken//empty' <<<"$b" 2>/dev/null
+    [ -n "$b" ] && jq -j '.claudeAiOauth.accessToken//empty' <<<"$b" 2>/dev/null
   }
 
   # ── _fetch_usage_api: direct API read into usage globals ──
   # Used by both the cached background refresh path and the no-cache fallback.
   _fetch_usage_api() {
     local tk resp
-    tk=$(_get_token)
+    # Command substitution strips trailing newlines. Append a sentinel byte only
+    # on success so malformed tokens with a trailing LF remain detectable here.
+    tk=$(_get_token && printf '\001') || return 1
+    [[ "$tk" == *$'\001' ]] || return 1
+    tk=${tk%$'\001'}
     [ -n "$tk" ] || return 1
+    # OAuth bearer tokens must remain a single header line. Reject malformed
+    # credentials up front instead of letting curl parse injected CR/LF bytes.
+    case "$tk" in *$'\n'* | *$'\r'*) return 1 ;; esac
+    # Feed headers through process substitution so the bearer token stays out
+    # of curl argv while preserving literal bytes like quotes and backslashes.
     resp=$(curl -s --max-time 3 \
-      -H "Authorization: Bearer $tk" -H "anthropic-beta: oauth-2025-04-20" \
-      -H "Content-Type: application/json" \
+      -H @<(
+        printf 'Authorization: Bearer %s\n' "$tk"
+        printf '%s\n' 'anthropic-beta: oauth-2025-04-20'
+        printf '%s\n' 'Content-Type: application/json'
+      ) \
       "https://api.anthropic.com/api/oauth/usage" 2>/dev/null)
     IFS=$'\t' read -r U5 U7 XO XU XL RM5 RM7 < <(jq -r '
       def rmins: if . and . != "" then (sub("\\.[0-9]+"; "") | sub("\\+00:00$"; "Z") | fromdateiso8601) - (now|floor) | ./60|floor | if .<0 then 0 else . end else null end;
@@ -314,6 +327,9 @@ else
   [[ "$XU" =~ ^[0-9]+$ ]] || XU=0
   [[ "$XL" =~ ^[0-9]+$ ]] || XL=0
   # ── End API fallback ──
+else
+  # No stdin rate_limits and API fallback not enabled; show session cost only.
+  SHOW_COST=1
 fi
 
 # Combined usage formatter: used% [pace delta] (countdown)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-pace",
-  "version": "0.7.1",
+  "version": "0.7.3",
   "description": "A statusline for Claude Code. Pure Bash + jq, single file.",
   "bin": {
     "claude-pace": "cli.js"