New Features

• Settings rail surfaces the new prUrlTemplate top-level key from Claude Code 2.1.119, rendered in the Attribution section alongside the commit and PR templates.
• Settings rail gains a Themes section that enumerates ~/.claude/themes/*.json (introduced in Claude Code 2.1.118), showing each theme by name with its modification date and an "active" badge for the theme referenced in ~/.claude.json.
• Hooks rail detail view links to the official Anthropic hooks documentation and notes that PostToolUse and PostToolUseFailure hook stdin includes duration_ms as of Claude Code 2.1.119.
• Secret scanning: new SEC009 detector for Slack incoming webhook URLs (ERROR severity, supports services/workflows/triggers paths).
• Secret scanning: new SEC010 critical-credential tier (ERROR severity) for account-level platform tokens, covering Stripe live/prod keys, Stripe webhook signing secrets, OpenAI service-account and admin keys, Anthropic admin keys, Azure storage AccountKeys, and Vault tokens. The latter four were previously WARNING under SEC007.

Improvements

• Cold-cache initial scan is 34.9% faster: SessionParser collapses the prior two-disk-pass design into a single streaming pass with in-memory replay. Measured on a 2,052-session install: 37.3s → 24.3s cold (median, n=5), ~39s → ~26s warm.
• Analytics charts on 30-day and all-time ranges no longer render garbled X-axis labels. A new stridedDateXAxis modifier picks ~7 evenly spaced dates (always keeping the last) and is shared across the I/O, cache, hit-ratio, model-cost, and effort charts.
• File watcher now treats edits under ~/.claude/themes/ as config changes, so the new Themes section live-reloads on edit.
• SEC007 platform-token detection extended with verified vendor formats from gitleaks: GitHub OAuth/server/user/refresh tokens (gho_/ghs_/ghu_/ghr_), OpenAI project keys (sk-proj- with the T3BlbkFJ literal anchor), legacy OpenAI keys (\bsk-…{48}\b with word boundaries), SendGrid (SG.x.y), Shopify (shp[atspc]_ all four prefixes), DigitalOcean (dop_v1_), Linear (lin_api_), and PyPI (pypi-AgEIcHlwaS5vcmcC… macaroons).
• SEC004 keyword group extended to recognize aws_secret_access_key and aws_secret_key assignments.
• SEC007 sk-ant- alternation now uses a negative lookahead to avoid double-matching admin01 keys (which live in SEC010).

Bug Fixes

• Fix cost overcount on tool-heavy sessions where Claude Code re-persists the same Anthropic API response across tool-use turn boundaries. Each copy shared message.id but carried a unique uuid, so the prior uuid-only dedup missed them. Now deduped by message.id with uuid as fallback. One observed case: $1616 → $898 (matching the actual Anthropic bill).
• Recover hidden cost from subagent records and aborted streams. Subagent JSONL files share the parent's sessionId and were being skipped by the continuation parent-skip branch (~14% of cost dropped on heavy-subagent setups); now detected via per-record isSidechain with a path-based fallback. Aborted streams produce orphan message.ids with no stop_reason record anywhere in the file; a first pass collects stop-reason ids, the second pass bills records carrying either stop_reason or an orphan id. Combined, the gap from a real Vertex bill closes from ~10% to <5%.
• Fix existing GitHub token regex (ghp_[A-Za-z0-9_]{36}) which incorrectly allowed underscores in the token body. Per GitHub's published spec, token bodies are base62 only.

New Features

• Hooks rail now merges rules from all five sources (user, project, project-local, plugin, managed) with a SOURCE label per rule. Previously only ~/.claude/settings.json was read, silently hiding hooks shipped by plugins or defined per-project.
• Hook events beyond the legacy whitelist (SessionEnd, PostToolUseFailure, PreCompact, FileChanged, etc.) now surface automatically.

Improvements

• Startup no longer saturates CPU on large session directories: streaming JSONL reader, lightweight metadata-only decode pass, bounded parallel parsing (cap 8), and cooperative cancellation. Scan progress banner during initial load.
• Config live-reload: edits to ~/.claude/settings.json and the plugin cache now reflect without app restart (debounced 250ms pipeline).
• Plugin, command, and skill version selection switched from lex sort to mtime, so 1.10.0 correctly beats 1.9.0 and timestamped builds beat "unknown".
• Multi-day sessions split across UTC days proportionally by elapsed seconds; tier costs computed per-session so the breakdown reconciles with actualCost.
• Unrecognized models no longer silently priced as Sonnet; analytics skip them via an isUnknown sentinel.

Bug Fixes

• Fix EXC_BAD_ACCESS crash from concurrent dictionary mutation in delta reads (added @mainactor isolation, NSLock-protected DeltaTracker).
• Fix FSEvents callback use-after-free during teardown via a StreamBox weak-reference pattern.
• Recover from FSEvents overflow (MustScanSubDirs, KernelDropped, UserDropped) instead of silently losing events.
• Fix sidebar "COST BY PROJECT" stuck on a hardcoded 30-day window while displaying the user-selected time range label.
• Fix silent parse errors making projects disappear from the UI; failures now log to Console.app.
• Fix ISO8601 timestamp parsing falling back inconsistently across four call sites.
• Fix sluggishness from @SceneStorage in views hosted outside the SwiftUI scene lifecycle (replaced with @AppStorage).
• Fix Custom date pickers being clipped in the TimeRangePicker header.
• Fix per-session view state leaking between sessions in Tools and Agent Tree panels.
• Fix update-check tasks orphaning on popover dismissal.
• Fix cache-tier attribution treating present-but-empty breakdown as authoritative; legacy total now wins, attributed to the 5m tier.
• Fix tool-result dedup ordering (now first-write-wins).
• Fix AnyCodable mis-decoding numeric 1/0 as Bool.

New Features

• Claude Code v2.1.90+ support: recognize Monitor, EnterWorktree, ExitWorktree tools with proper icons and exec-category classification
• PermissionDenied hook event displayed in Hooks rail
• Git worktree badge: sessions that use worktree tools show a cyan branch icon in the sidebar
• CFG007 lint rule: flags when skill shell execution is unrestricted (scoped to users with plugins)
• Pre-release security audit pipeline: scans npm and Swift/SPM dependencies against GHSA and OSV databases, gating releases on HIGH+ CVEs
• MDM-managed auto-update preference: respects macOS Configuration Profiles, disables toggle with "Managed by your organization" label

Improvements

• disableSkillShellExecution status surfaced in Settings > Security
• Auto-update reworked: async process execution, .bak rollback safety, improved cleanup on failure or cancellation
• Secret scanning hardened with new patterns, real-time tail scanning fixes, and unit tests
• Secret alert deduplication and detection UX improvements
• Download counter validates release asset existence before counting
• README updated: 45 lint rules, all hook event types, session badges, CFG checks documented

Bug Fixes

• Fix wrangler 3.x CVEs by upgrading to 4.81.0

New Features

• 9 observability features: turn duration analytics (histogram + percentiles), effort level classification with donut chart and cost breakdown, subagent tree visualization in session detail, error pattern detection with sidebar badges, idle/zombie session detection, config health linter expansion (CFG001-CFG006), parallel tool call badges, SEC008 ENV_SCRUB correlation
• Timeline overhaul: time-gutter layout with project color strips, adaptive gap spacing, message type differentiation, collapsed project badges, clickable session navigation
• Config health auto-fix: one-click Apply Fix for CFG006 (subprocess env scrub)
• Rich markdown rendering in plans detail panel
• Resizable sidebar (180-400pt) with persistence and double-click reset
• Tooltips on truncated project names in sessions and analytics sidebars

Improvements

• Wider rail buttons for better label readability
• Secret alerts fire immediately via App.init() callback, no longer require popover to be open; alert panel centered on screen

Bug Fixes

• Fix crash in cache analytics when all sessions have zero cache tokens
• Fix UUID dedup bug (scoped per parseMetadata call) and streaming intermediate filtering

• Tabbed analytics view with Overview, Cache, and Models segments
• Actionable cache dashboard: busting detection, stability callout, 5m/1h TTL tier breakdown, per-session efficiency table, model-aware savings
• Model analysis tab: daily cost by model chart, model efficiency table, what-if Opus-to-Sonnet calculator
• Tools rail: per-session tool call extraction, category breakdown (Read/Write/Exec/Other), tool analytics
• Command palette (Cmd+K) for quick navigation between rails
• Subagent session content loading and badge for secret scan findings
• Replaced NSPanel update dialogs with native SwiftUI Window scenes
• Improved health check scoring and popover UX

• Added Config Health screen: 19 lint rules across CLAUDE.md, rules, and skills with group-by-rule view, severity filters, health gauge, and one-click rescan
• Added session health checks (SES001-SES004) surfacing expensive, long, or idle sessions
• Added secret detection scanning session files for leaked credentials with entropy filtering, context lines, and reveal toggle
• Added real-time secret alerts with settings toggle
• Redesigned Config Health with category navigation and human-readable rule names
• Added What's New button and full release notes in Settings > Updates
• Replaced loading skeleton with animated logo in menu bar popover
• Improved typography: bumped scale +1pt across all views
• Refactored 9 monolithic source files into ~40 focused modules

What's New

v0.4.5

• Added "Skip This Version" option to update popup
• "Later" now clears badge and re-prompts on next check cycle
• Fixed update popup showing twice on manual "Check for Updates"
• Fixed Dock icon disappearing when dismissing update popup while main window is open
• Fixed download cancel button not working
• Fixed URLSession leak during update downloads
• Skip redundant update check on launch if checked within the last hour

v0.4.4

• Support tracking multiple active sessions simultaneously in the menu bar popover
• Active sessions display in a unified card with compact rows and a pulsing indicator
• Scrollable active sessions section when more than 4 sessions are running

Fixes

• Release notes text now renders correctly in update and What's New popups
• Improved auto-update relaunch to avoid overlapping processes

Full Changelog: https://github.com/cordwainersmith/Claudoscope/blob/master/CHANGELOG.md

Fixes

• Dock icon now renders correctly after auto-update (set icon image before activation policy change)
• Dock icon appears reliably when opening Dashboard
• Release notes text renders correctly in update and What's New popups

Full Changelog: https://github.com/cordwainersmith/Claudoscope/blob/master/CHANGELOG.md

Fixes

• Dock icon now appears reliably when opening Dashboard
• Release notes text now renders correctly in update/What's New popups (was invisible due to a SwiftUI ScrollView sizing bug)

Full Changelog: https://github.com/cordwainersmith/Claudoscope/blob/master/CHANGELOG.md