Prep v2.1.0 release: changelog, docs, version lock, config updates

AnExiledDev · AnExiledDev · commit 8972975397b9 · 2026-03-25T19:37:20.000Z
- Bump changelog to v2.1.0 with proxy feature, dashboard, hooks,
  scope guard fixes, and all unreleased changes
- Document codeforge proxy command in CLAUDE.md
- Add CLAUDE_VERSION_LOCK support to update script
- Add DISABLE_AUTOUPDATER to settings.json
- Export CLAUDE_VERSION_LOCK in setup.sh
- Add version lock docs to .env.example
- Fix syntax-validator.py formatting
diff --git a/container/.codeforge/config/settings.json b/container/.codeforge/config/settings.json
@@ -34,7 +34,8 @@
 		"CLAUDE_CODE_MAX_TOOL_USE_CONCURRENCY": "10",
 		"CLAUDE_CODE_MAX_RETRIES": "1",
 		"BASH_MAX_OUTPUT_LENGTH": "15000",
-		"TASK_MAX_OUTPUT_LENGTH": "64000"
+		"TASK_MAX_OUTPUT_LENGTH": "64000",
+		"DISABLE_AUTOUPDATER": "1"
 	},
 	"teammateMode": "auto",
 	"effortLevel": "high",
diff --git a/container/.devcontainer/.env.example b/container/.devcontainer/.env.example
@@ -30,6 +30,11 @@ SETUP_POSTSTART=true
 
 SETUP_PROJECTS=true
 
+# Version lock: set to a specific semver (e.g., 2.1.80) to pin Claude Code to that version.
+# When set, the update script installs this exact version instead of updating to latest.
+# Unset or empty = update to latest as normal.
+# CLAUDE_VERSION_LOCK=2.1.80
+
 # Plugin blacklist: comma-separated plugin names to skip during installation
 # Example: PLUGIN_BLACKLIST="ticket-workflow,auto-linter"
 PLUGIN_BLACKLIST=""
diff --git a/container/.devcontainer/CHANGELOG.md b/container/.devcontainer/CHANGELOG.md
@@ -1,30 +1,24 @@
 # CodeForge Devcontainer Changelog
 
-## Unreleased
+## v2.1.0 — 2026-03-25
 
-### Hooks
-- **Per-hook disable mechanism** — add script names to `.codeforge/config/disabled-hooks.json` to disable individual hooks without disabling the entire plugin. Takes effect immediately, no restart needed.
-- Disabled by default: `git-state-injector`, `ticket-linker`, `spec-reminder`
+### CLI
+
+- **`codeforge proxy`** — launch Claude Code through mitmproxy for full API traffic inspection. Starts mitmweb in the background, proxies all Claude API requests through it, and opens a browser UI at `http://localhost:8081` for real-time request/response inspection. Auto-installs mitmproxy via pipx on first use, handles CA certificate generation and system trust store installation. Supports `--no-web` for headless mitmdump output, `--setup` for install-only, and `-- <claude-args>` passthrough. Useful for monitoring token usage, cache behavior, and rate limit utilization — the `anthropic-ratelimit-unified-*` response headers on `/v1/messages` requests show 5-hour and 7-day quota utilization even with long-lived auth tokens.
+- **Version lock** — set `CLAUDE_VERSION_LOCK=<semver>` in `.env` to pin Claude Code to a specific version. The update script installs the exact version instead of updating to latest. Background auto-updater disabled via `DISABLE_AUTOUPDATER`.
 
 ### Dashboard
+
 - **First-party dashboard** — replaced third-party `claude-session-dashboard` npm package with `codeforge-dashboard` (built from monorepo `dashboard/` package)
 - Auto-launch on container start via poststart hook (controllable with `autostart` option)
 - Install switched from npm to Bun (`bun install -g`)
 - Command renamed: `claude-dashboard` → `codeforge-dashboard`
 - Removed persistence symlink hook (dashboard DB now lives on bind mount at `~/.codeforge/data/`)
 
-### Testing
-- **Plugin test suite** — 241 pytest tests covering 6 critical plugin scripts that previously had zero tests:
-  - `block-dangerous.py` (46 tests) — all 22 dangerous command patterns with positive/negative/edge cases
-  - `guard-workspace-scope.py` (40 tests) — blacklist, scope, allowlist, bash enforcement layers, primary command extraction
-  - `guard-protected.py` (55 tests) — all protected file patterns (secrets, locks, keys, credentials, auth dirs)
-  - `guard-protected-bash.py` (24 tests) — write target extraction and protected path integration
-  - `guard-readonly-bash.py` (63 tests) — general-readonly and git-readonly modes, bypass prevention
-  - `redirect-builtin-agents.py` (13 tests) — redirect mapping, passthrough, output structure
-- Added `test:plugins` and `test:all` npm scripts for running plugin tests
+### Hooks
 
-### Skills
-- Added `agent-browser` skill to skill-engine plugin — guides headless browser automation with CLI reference, workflow patterns, and authentication
+- **Per-hook disable mechanism** — add script names to `.codeforge/config/disabled-hooks.json` to disable individual hooks without disabling the entire plugin. Takes effect immediately, no restart needed.
+- Disabled by default: `git-state-injector`, `ticket-linker`, `spec-reminder`
 
 ### Scope Guard
 
@@ -35,17 +29,43 @@
 
 - Remove system directory write redirect blocks (`> /usr/`, `> /etc/`, `> /bin/`, `> /sbin/`) — caused false positives on text content in command arguments (e.g. PR body text containing paths); write location enforcement is the scope guard's responsibility
 
-### CLI Integration
+### Skills
 
-- Add codeforge-cli devcontainer feature — installs the CodeForge CLI (`codeforge` command) globally via npm
-- Remove dead `codeforge` alias from setup-aliases.sh (was pointing to obsolete `setup.js`)
+- Added `agent-browser` skill to skill-engine plugin — guides headless browser automation with CLI reference, workflow patterns, and authentication
+
+### Configuration
+
+- Add `autoMemoryDirectory` setting — auto-memory now stored in project-local `.claude/memory/` instead of deep inside `~/.claude/projects/`, making it visible and version-controllable
+- Enhanced system prompts with auto-memory system, hooks awareness, safety rules, and anti-over-engineering guidance
+
+### Status Bar
+
+- Replace `ccburn-compact` statusline widget with native `session-usage` and `weekly-usage` ccstatusline widgets — eliminates external command dependency and 8s timeout
+- Comment out `ccburn` devcontainer feature (disabled by default) — functionality replaced by native widgets
 
 ### Windows Compatibility
 
 - Fix `claude-code-native` install failure on Windows/macOS Docker Desktop — installer now falls back to `HOME` override when `su` is unavailable
 - Remove `preflight.sh` runtime check — redundant with Docker's own error reporting and caused failures on Windows
 
+### CLI Integration
+
+- Add codeforge-cli devcontainer feature — installs the CodeForge CLI (`codeforge` command) globally via npm
+- Remove dead `codeforge` alias from setup-aliases.sh (was pointing to obsolete `setup.js`)
+
+### Testing
+
+- **Plugin test suite** — 241 pytest tests covering 6 critical plugin scripts that previously had zero tests:
+  - `block-dangerous.py` (46 tests) — all 22 dangerous command patterns with positive/negative/edge cases
+  - `guard-workspace-scope.py` (40 tests) — blacklist, scope, allowlist, bash enforcement layers, primary command extraction
+  - `guard-protected.py` (55 tests) — all protected file patterns (secrets, locks, keys, credentials, auth dirs)
+  - `guard-protected-bash.py` (24 tests) — write target extraction and protected path integration
+  - `guard-readonly-bash.py` (63 tests) — general-readonly and git-readonly modes, bypass prevention
+  - `redirect-builtin-agents.py` (13 tests) — redirect mapping, passthrough, output structure
+- Added `test:plugins` and `test:all` npm scripts for running plugin tests
+
 ### Documentation
+
 - **DevContainer CLI guide** — dedicated Getting Started page for terminal-only workflows without VS Code
 - **v2 Migration Guide** — path changes, automatic migration, manual steps, breaking changes, and troubleshooting
 - Documented 4 previously undocumented agents in agents.md: implementer, investigator, tester, documenter
@@ -54,19 +74,6 @@
 - Added cc-orc orchestrator command to first-session launch commands table
 - Tabbed client-specific instructions on the installation page
 - Dedicated port forwarding reference page covering VS Code auto-detect, devcontainer-bridge, and SSH tunneling
-
-### Configuration
-
-- Add `autoMemoryDirectory` setting — auto-memory now stored in project-local `.claude/memory/` instead of deep inside `~/.claude/projects/`, making it visible and version-controllable
-- Enhanced system prompts with auto-memory system, hooks awareness, safety rules, and anti-over-engineering guidance
-
-### Status Bar
-
-- Replace `ccburn-compact` statusline widget with native `session-usage` and `weekly-usage` ccstatusline widgets — eliminates external command dependency and 8s timeout
-- Comment out `ccburn` devcontainer feature (disabled by default) — functionality replaced by native widgets
-
-### Documentation
-
 - Document `${CLAUDE_PLUGIN_DATA}` variable in CLAUDE.md for future plugin persistent storage
 
 ## v2.1.1 — 2026-03-13
diff --git a/container/.devcontainer/CLAUDE.md b/container/.devcontainer/CLAUDE.md
@@ -27,6 +27,7 @@ Config files deploy via `.codeforge/file-manifest.json` on every container start
 | `ccw` | Claude Code with writing system prompt |
 | `cc-orc` | Claude Code in orchestrator mode (delegation-first) |
 | `ccms` | Session history search _(disabled — requires Rust toolchain; uncomment in devcontainer.json to enable)_ |
+| `codeforge proxy` | Launch Claude Code through mitmproxy — inspect API traffic in browser (port 8081) |
 | `ccusage` / `ccburn` | Token usage analysis / burn rate |
 | `agent-browser` | Headless Chromium (Playwright-based) |
 | `check-setup` | Verify CodeForge setup health |
@@ -79,7 +80,8 @@ The `~/.claude/` directory is backed by a Docker named volume (`codeforge-claude
 5. **Disable features**: Set `"version": "none"` in the feature's config
 6. **Disable setup steps**: Set flags to `false` in `.env`
 7. **Customize status bar**: Edit `.codeforge/config/ccstatusline-settings.json`
-8. **Disable individual hooks**: Add script name (without `.py`) to `disabled` array in `.codeforge/config/disabled-hooks.json` — takes effect immediately, no restart needed
+8. **Lock Claude Code version**: Set `CLAUDE_VERSION_LOCK=2.1.80` in `.env` — the update script installs that exact version on container start instead of updating to latest. Unset to resume auto-updates.
+9. **Disable individual hooks**: Add script name (without `.py`) to `disabled` array in `.codeforge/config/disabled-hooks.json` — takes effect immediately, no restart needed
 
 ## Plugin Development Notes
 
diff --git a/container/.devcontainer/plugins/devs-marketplace/plugins/auto-code-quality/scripts/syntax-validator.py b/container/.devcontainer/plugins/devs-marketplace/plugins/auto-code-quality/scripts/syntax-validator.py
@@ -19,7 +19,9 @@
 _dh = os.path.join(os.getcwd(), ".codeforge", "config", "disabled-hooks.json")
 if os.path.exists(_dh):
     with open(_dh) as _f:
-        if os.path.basename(__file__).replace(".py", "") in json.load(_f).get("disabled", []):
+        if os.path.basename(__file__).replace(".py", "") in json.load(_f).get(
+            "disabled", []
+        ):
             sys.exit(0)
 
 EXTENSIONS = {".json", ".jsonc", ".yaml", ".yml", ".toml"}
diff --git a/container/.devcontainer/scripts/setup-update-claude.sh b/container/.devcontainer/scripts/setup-update-claude.sh
@@ -56,6 +56,26 @@ fi
 CURRENT_VERSION=$("$NATIVE_BIN" --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1 || echo "unknown")
 log "Current version: ${CURRENT_VERSION}"
 
+# === VERSION LOCK ===
+# If CLAUDE_VERSION_LOCK is set to a semver, pin to that exact version
+# instead of updating to latest. Set in .env alongside SETUP_UPDATE_CLAUDE.
+if [ -n "${CLAUDE_VERSION_LOCK:-}" ] && echo "$CLAUDE_VERSION_LOCK" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+	if [ "$CURRENT_VERSION" = "$CLAUDE_VERSION_LOCK" ]; then
+		log "Version locked at ${CLAUDE_VERSION_LOCK} (current matches)"
+		exit 0
+	fi
+
+	log "Version lock: ${CURRENT_VERSION} → ${CLAUDE_VERSION_LOCK}"
+	if curl -fsSL https://claude.ai/install.sh | bash -s -- "$CLAUDE_VERSION_LOCK" 2>&1 | tee -a "$LOG_FILE"; then
+		LOCKED_VERSION=$("$NATIVE_BIN" --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1 || echo "unknown")
+		log "Installed locked version: ${LOCKED_VERSION}"
+	else
+		log "WARNING: Failed to install locked version ${CLAUDE_VERSION_LOCK}"
+	fi
+	exit 0
+fi
+
+# === UPDATE TO LATEST ===
 # Use the official update command with timeout (handles download, verification, and versioned install)
 timeout 60 "$NATIVE_BIN" update 2>&1 | tee -a "$LOG_FILE"
 UPDATE_STATUS=${PIPESTATUS[0]}
diff --git a/container/.devcontainer/scripts/setup.sh b/container/.devcontainer/scripts/setup.sh
@@ -67,7 +67,7 @@ fi
 : "${SETUP_TERMINAL:=true}"
 : "${SETUP_POSTSTART:=true}"
 
-export CLAUDE_CONFIG_DIR CONFIG_SOURCE_DIR CODEFORGE_DIR SETUP_CONFIG SETUP_ALIASES SETUP_AUTH SETUP_PLUGINS SETUP_UPDATE_CLAUDE SETUP_PROJECTS SETUP_TERMINAL SETUP_POSTSTART
+export CLAUDE_CONFIG_DIR CONFIG_SOURCE_DIR CODEFORGE_DIR SETUP_CONFIG SETUP_ALIASES SETUP_AUTH SETUP_PLUGINS SETUP_UPDATE_CLAUDE CLAUDE_VERSION_LOCK SETUP_PROJECTS SETUP_TERMINAL SETUP_POSTSTART
 
 # Fix named volume ownership — Docker creates named volumes as root:root
 # regardless of remoteUser. This is the only setup script requiring sudo.
