From fe514ecdde566d18f6cdaee8bc2f78881a8cc61b Mon Sep 17 00:00:00 2001 From: dadachi Date: Fri, 12 Jun 2026 19:16:42 +0900 Subject: [PATCH] docs(README): fix stale version + 'future' mobile-mcp wording MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two inaccuracies surfaced by an audit against the code: - Contributing section said "stable now (v0.1.x)" and "CONTRIBUTING.md will land alongside v0.2" — but the package is 0.2.1 (tags v0.2.0/ v0.2.1 exist) and the header already says "0.2.1 stable". Update to v0.2.x and drop the shipped-version reference. - Security section listed "the future mobile-mcp client" among scrubbed subprocesses, but mobile-mcp is already spawned with scrubbedEnv() (src/mobile.ts:89). Drop "future". --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1574804..fbb1544 100644 --- a/README.md +++ b/README.md @@ -284,7 +284,7 @@ Report flags: **Don't** paste a real key into shell history (`HISTFILE` captures it), commit a `.env`, or echo the key into a non-private channel. -The agent strips `ANTHROPIC_API_KEY`, `ANTHROPIC_AUTH_TOKEN`, and `NATIVEAPPTEMPLATE_AGENT_ANTHROPIC_KEY` from the environment of every subprocess it spawns — Ruby scripts, `git`, `psql`, `xcodebuild`, `gradlew`, the future mobile-mcp client. Keys are only seen by the Anthropic SDK in the Node process. Set spend limits on your API workspace as a backstop, and rotate the key if you suspect leak. +The agent strips `ANTHROPIC_API_KEY`, `ANTHROPIC_AUTH_TOKEN`, and `NATIVEAPPTEMPLATE_AGENT_ANTHROPIC_KEY` from the environment of every subprocess it spawns — Ruby scripts, `git`, `psql`, `xcodebuild`, `gradlew`, the mobile-mcp client. Keys are only seen by the Anthropic SDK in the Node process. Set spend limits on your API workspace as a backstop, and rotate the key if you suspect leak. ## Project docs @@ -294,7 +294,7 @@ The agent strips `ANTHROPIC_API_KEY`, `ANTHROPIC_AUTH_TOKEN`, and `NATIVEAPPTEMP ## Contributing -Issues and PRs welcome. The repository is stable now (v0.1.x) — no more hackathon-pace rewrites. A `CONTRIBUTING.md` with detailed guidelines will land alongside v0.2. +Issues and PRs welcome. The repository is stable now (v0.2.x) — no more hackathon-pace rewrites. A `CONTRIBUTING.md` with detailed guidelines is still to come. For now, the simplest path is: open an issue describing what you're trying to do, and we'll figure out the right shape together before code lands. Bug reports with reproducible commands (and the `/tmp//tmp/trace/` log) are especially welcome.