v5.4.26

v5.4.26

Bug fix

• Bash compression savings now recorded to trends.db. bash_compress.py performed output compression but never called _log_compression_event, so all bash compress savings showed as 0 in the dashboard. Now records to compression_events after each successful compression.

Docs

• Fold install troubleshooting subsections (Unknown skill, Windows, macOS/Linux script install) behind expandable titles.

Tests

• Fix _load_measure() in all 11 test files to resolve ModuleNotFoundError: No module named 'hook_io' after the hook_io extraction refactor.

v5.4.25

Context Intelligence shadow mode, session-aware compaction guidance, shared hook I/O module, and review-driven hardening (injection sanitization, SQLite-backed cooldown, connection leak fixes).

v5.4.24

Smarter compression, broader coverage, cache-aligned hooks

• Range-aware read cache: Whole-file reads now cover subsequent partial reads of the same unchanged file, preventing redundant re-reads
• Non-code structure maps: Heading outlines for .md, key trees for .json and .yaml, section lists for .toml
• Expanded bash compression: sqlite3 queries, docker exec/logs/inspect, kubectl get/describe/logs, du/df/wc
• Structure-aware MCP compression: JSON key trees, path directory grouping, and table preservation replace flat truncation
• Session Knowledge Store: SQLite-backed per-session cache with WAL mode for concurrent hook access, replacing JSON file cache
• Cache-aligned injection: Structure map messages are now stable per file state, preserving prompt cache prefix stability
• Fail-open safety: All error paths verified to allow tool calls, never block them

v5.4.23 — plugin_env resolver + hardened plugin-data discovery

What's new

Plugin-data discovery just works. Token Optimizer now finds your live session data even when the plugin context is not active — running measure.py or the dashboard from a plain terminal walks ~/.claude/plugins/installed_plugins.json and lands on the right install. Dashboards stop showing stale snapshots.

User-level config edits take effect. Direct edits to ~/.claude/token-optimizer/config.json now win over plugin-data config in the priority chain. If you flip a v5 flag in your own config file, the hooks honor it on the next call.

Env var booleans are forgiving. TOKEN_OPTIMIZER_BASH_COMPRESS=true, TOKEN_OPTIMIZER_READ_CACHE_DELTA=yes, and TOKEN_OPTIMIZER_QUALITY_NUDGES=on all work as expected (case-insensitive). Tri-state flags like TOKEN_OPTIMIZER_STRUCTURE_MAP=beta keep their exact-match semantics.

Atomic config writes everywhere. Pricing-tier and quality-bar opt-out writes now use the same advisory-flock + tempfile + os.replace path as the dashboard toggle, so concurrent writers can never leave partial JSON on disk.

SessionStart legacy data migration also fires for CLI-discovered installs, so first-run dashboard users in a CLI shell get their trends.db and snapshots copied into the active plugin-data dir.

Hardened

The new plugin_env.py resolver is built for adversarial input. Marketplace names from installed_plugins.json are validated against [A-Za-z0-9._-]+ before being concatenated into a path. All resolved candidates must be real directories under ~/.claude/plugins/data/ — symlinks are rejected, traversal attempts are confined out via resolve().is_relative_to(). JSON reads are bounded at 1 MB and protected against RecursionError from pathological nesting. The CLAUDE_PLUGIN_DATA env var must itself resolve under ~/.claude/. Multi-key installs (e.g., -inline and -marketplace variants both registered) sort candidates by mtime so the freshest install wins instead of whatever Python's dict ordering surfaces first. Discovery is lru_cache(maxsize=1) so each hook process makes one filesystem traversal per call, not four.

Internals

A single plugin_env.py module is now the source of truth for plugin-data discovery and v5 feature flag resolution; bash_hook.py, read_cache.py, archive_result.py, and measure.py all consult it instead of inlining their own copies. The previous module name paths.py is renamed to make the two responsibilities self-evident.

Compatibility

OpenClaw stays at 2.3.0; this release only touches the Token Optimizer plugin. README badges and the OpenClaw version line are aligned across all surfaces.

v5.4.21

Dashboard v5 toggles now update visually without losing the feature descriptions. Merge instead of replace preserves label, risk_level, and desc metadata.

v5.4.20

Dashboard v5 feature toggles now stay visually in-sync with config state on the daemon path. Python 3.14 test suite compatibility restored — 140 tests passing.

v5.4.19

Dashboard daemon hardening for safe install-by-default flip.

v5.4.17

All license headers unified under PolyForm-Noncommercial-1.0.0 across install.sh, measure.py, plugin.json, marketplace.json, openclaw/package.json, LICENSE, README badge. Third-party dependency licenses in lockfiles are preserved as upstream authors declared them.

v5.4.16

Version alignment across all surfaces: plugin.json, marketplace.json, measure.py, README badge, git tag, GitHub release. OpenClaw lockfile synced with package.json (2.3.0).

v5.4.15

Performance Oracle found the 256KB head read missed the version marker at byte 4.8MB in the 4.75MB dashboard HTML, triggering a full 24-second dashboard regeneration on EVERY SessionStart. Fix: read the full file (2ms). Also removes dead seen_request_ids variable.