Releases: Astro-Han/claude-pace

v0.7.3

01 Apr 16:28

  • API fallback can now be disabled: set CLAUDE_PACE_API_FALLBACK=0 to turn off usage polling for CC <2.1.80
  • Fix git cache key collision: paths like /foo-bar and /foo/bar no longer share a cache file (now uses SHA-1 hash)
  • Old-style git cache files (path-based names like claude-sl-git-_Users_*) are orphaned; safe to delete from your cache directory ($XDG_RUNTIME_DIR/claude-pace/ or ~/.cache/claude-pace/)

v0.7.2

01 Apr 11:02

v0.7.2 fixes a security issue in the legacy Usage API fallback path.

Highlights:

  • avoid exposing the OAuth bearer token in curl argv / process listings
  • reject malformed tokens containing CR/LF before invoking curl
  • add regression coverage for argv exposure and malformed-token handling

Verification:

  • bash test.sh
  • 33 passed, 0 failed

v0.7.1

31 Mar 15:49

What's Changed

  • Harden /tmp cache handling against local attacks. Moves all cache files from shared /tmp to a private per-user directory ($XDG_RUNTIME_DIR/claude-pace or ~/.cache/claude-pace). Adds numeric validation on all cache-read fields before arithmetic evaluation, replaces echo -e with printf '%s\n' to prevent terminal escape injection, and switches the cache record delimiter from | to ASCII Unit Separator so branch names containing | cannot corrupt field parsing. When no safe cache directory is available, caching is disabled entirely and the script falls back to live computation.

    Thanks to @mairas for flagging the /tmp safety concern in #6.
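
The cache handling described in this entry, as an added example that is not claude-pace's own code: a private per-user directory, a Unit Separator record, and digit-only validation before any arithmetic. The function names and the three-field record layout (epoch, files changed, branch) are assumptions.

```shell
#!/bin/sh
# Added example; record layout and function names are assumptions, not claude-pace's code.
US=$(printf '\037')  # ASCII Unit Separator: git forbids control chars in ref names

# Print a private per-user cache dir, or fail so the caller can skip caching.
cache_dir() {
  if [ -n "${XDG_RUNTIME_DIR:-}" ] && [ -d "$XDG_RUNTIME_DIR" ]; then
    d=$XDG_RUNTIME_DIR/claude-pace
  elif [ -n "${HOME:-}" ]; then
    d=$HOME/.cache/claude-pace
  else
    return 1
  fi
  mkdir -p "$d" 2>/dev/null || return 1
  # Refuse a symlink or a directory owned by someone else, then lock it down.
  [ ! -L "$d" ] && [ -O "$d" ] && chmod 700 "$d" || return 1
  printf '%s\n' "$d"
}

# Plain decimal digits only, no leading zero (which $(( )) would read as octal).
is_uint() { case $1 in '' | *[!0-9]* | 0?*) return 1 ;; esac; }

# Record layout: <epoch> US <files_changed> US <branch>
cache_write() { # usage: cache_write FILE EPOCH FILES BRANCH
  (umask 077 && printf '%s%s%s%s%s\n' "$2" "$US" "$3" "$US" "$4" >"$1.$$") &&
    mv -f "$1.$$" "$1"
}

# Sets C_TS, C_FILES, C_BRANCH; fails unless both numeric fields are digits.
cache_read() { # usage: cache_read FILE
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  IFS=$US read -r C_TS C_FILES C_BRANCH <"$1" || return 1
  is_uint "$C_TS" && is_uint "$C_FILES" || return 1
}

# True if FILE holds a valid record younger than TTL seconds at time NOW.
cache_fresh() { # usage: cache_fresh FILE TTL NOW
  cache_read "$1" || return 1
  [ $(($3 - $C_TS)) -lt "$2" ]
}
```

When `cache_dir` or `cache_read` fails, the caller recomputes the value live instead of trusting the file, and prints `C_BRANCH` with `printf '%s\n'` so escape sequences in it are never interpreted.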

Full Changelog: v0.7.0...v0.7.1

v0.6.2

31 Mar 03:04

What's Changed

  • Fix arithmetic expressions unsafe under set -e: ((PASS++)) and ((FAIL++)) in test.sh return exit status 1 when the variable is 0 (post-increment evaluates to the old value), causing immediate script termination under set -euo pipefail. Replaced with PASS=$((PASS + 1)) across 4 call sites. Also split the comma expression ((_FC++, _AD += a, _DL += d)) in claude-lens.sh into separate assignments to prevent the same class of issue.

Full Changelog: v0.6.1...v0.6.2

v0.6.1

29 Mar 05:16

What's Changed

  • Remove ±5% silent zone for pace delta — pace delta now shows for any non-zero value. Previously, deltas between -5% and +5% were hidden, which caused confusion (users thought the feature was broken). Pace delta is a gauge, not an alarm; any deviation from expected pace is useful information.
  • Add 3 regression tests for pace delta boundaries (d=+1, d=-1, d=0)

Full Changelog: v0.6.0...v0.6.1

v0.6.0

27 Mar 17:14

What's Changed

  • Display usage as used% instead of remaining% (lower = better)
  • Use ⇡/⇣ arrows for pace delta trend (⇡ = overspend, ⇣ = surplus)
  • Invert pace delta sign to match intuitive convention
  • Color constants for cleaner code

Full Changelog: v0.5.0...v0.6.0