Kai (Tam Nhu) TranGitHubgithub-actions[bot] <github-actions[bot]@users.noreply.github.com>
aed942f51b feat(release): promote dev to main — security hardening batch (#1351)
* fix(cliproxy): disable spoofable default bg keepalive probe (#1340)

* fix(dispatcher): treat --print as non-subcommand Claude session (#1341)

* fix(dispatcher): treat --print as non-subcommand Claude session

* style: apply prettier formatting

* fix(dispatcher): correct return type in subcommand detector

getClaudeSubcommandName returns string | null; return false (boolean)
was invalid after dev refactored isClaudeSubcommandInvocation to
delegate to it. Change to return null to preserve the --print safety
fix intent.

* fix(cliproxy): sanitize local port before config regeneration (#1342)

* fix(pricing): guard malformed models.dev model entries (#1344)

* fix(pricing): guard malformed models.dev model entries

* style: apply prettier formatting

* fix(codex-quota): guard feature label type in quota windows (#1346)

* fix(analytics): harden sqlite3 invocation for native Droid usage scan (#1347)

* fix(analytics): use trusted sqlite3 binary path

* style: apply prettier formatting

* fix(codex-auth): stop spawning powershell in shell detection (#1348)

* fix(ui-docs): remove third-party runtime assets from health report (#1349)

* fix(ui-docs): remove third-party runtime assets from health report

* style: apply prettier formatting

* fix(ci): prevent promote-release tag command injection (#1350)

* chore(release): 8.0.0-dev.1

* fix(models-dev): sanitize models.dev registry entries and harden pricing resolver (#1345)

* fix(models-dev): sanitize cached model entries before pricing lookup

* style: apply prettier formatting

* chore(release): 8.0.0-dev.2

* refactor(cliproxy): remove orphaned bg keepalive wiring (#1353)

Red-team review of #1340 found that backgroundProbe / shouldKeepSessionProxiesAlive /
startKeepAliveWatcher and related types were never reachable: the sole caller
(claude-launcher.ts) passed no hasBackgroundWorkerUsingBaseUrl detector, so
backgroundProbe was always undefined and the keepalive branch never executed.

Remove the unreachable scaffold:
- Delete CLAUDE_BG_WORKER_ARGS, hasClaudeBackgroundWorkerUsingBaseUrl{,InProcessList},
  shouldKeepSessionProxiesAlive, ShouldKeepSessionProxiesAliveOptions, and the
  SessionProxyKeepAliveOptions interface from session-bridge.ts
- Remove the backgroundProbe/startKeepAliveWatcher block and keepalive exit branch
  from setupCleanupHandlers; the function now always calls stopSessionResources on
  Claude exit
- Remove backgroundKeepAliveBaseUrl wiring from claude-launcher.ts
- Remove the execFileSync import (was only used by the deleted ps-based detector)
- Update test file: remove tests for deleted exports, keep placeholder

A trusted bg-worker detector can be re-added in a future PR if the feature is
actually needed; the keepalive logic in shouldKeepSessionProxiesAlive can be
restored then.

* fix(analytics): support sqlite3 path resolution on Windows and NixOS (#1354)

- Add CCS_SQLITE_BIN env-var override; validated with fs.realpathSync so
  symlinks are fully resolved before prefix check
- Reject any override whose realpath does not start under a trusted system
  prefix (prevents PATH-hijack reintroduction from #1347)
- Add TRUSTED_PREFIX_UNIX covering /nix/store/, /opt/local/ (MacPorts),
  /snap/, /run/current-system/ in addition to existing /usr/* and
  /opt/homebrew/ entries
- Add TRUSTED_PREFIX_WINDOWS covering Program Files, System32, and the
  Chocolatey managed bin dir (no canonical winget/Scoop path exists)
- Keep TRUSTED_SQLITE_PATHS_WINDOWS empty — Windows users set CCS_SQLITE_BIN
- Pass env as optional third param to querySqliteJson (backward compatible)
- Add 16-test suite covering env-var acceptance, /tmp rejection, symlink
  traversal, NixOS paths, MacPorts, Windows fallback, and prefix safety

* fix(dispatcher): also treat -p as non-subcommand short for --print (#1352)

Red-team follow-up to #1341: the original fix only guarded --print but
Claude accepts -p as the short form, and CCS itself passes -p in
headless-executor.ts. Without this check the security bypass survived
via the short flag.

Added regression tests: ['-p', 'agents'], ['-p', 'doctor'], ['-p']
alone, and injector short-circuit verification for -p form.

* chore(release): 8.0.0-dev.3

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-05-23 17:42:54 -04:00
2026-05-23 18:57:40 +00:00
2026-05-19 18:49:33 -04:00
2026-05-23 21:38:19 +00:00

CCS - Claude Code Switch

CCS Logo

The multi-provider profile and runtime manager for Claude Code and compatible CLIs

Run Claude, Codex, Droid-routed profiles, GLM, local models, and Anthropic-compatible APIs without config thrash.

License npm PoweredBy

Website | Documentation | Product Tour | CLI Reference

[Docker] ghcr.io/kaitranntt/ccs-dashboard:latest is deprecated. Use ghcr.io/kaitranntt/ccs:latest instead. See #1251 and docker/README.md for migration details. To wire a sibling container to CLIProxy, see Connect your app to CLIProxy.

Quick Start (Docker)

With Docker installed:

curl -fsSL https://ccs.kaitran.ca/docker-compose.yaml -o docker-compose.yaml
docker compose up -d

Dashboard at http://localhost:3000 · CLIProxy at http://localhost:8317.

Need a corporate-proxy alternative? Download directly: https://raw.githubusercontent.com/kaitranntt/ccs/main/docker/compose.yaml

Install on Host (npm)

npm install -g @kaitranntt/ccs
ccs config

Then launch whatever runtime fits the task:

ccs
ccs codex
ccs --target droid glm
ccs glm
ccs ollama

Why CCS

CCS gives you one stable command surface while letting you switch between:

  • multiple runtimes such as Claude Code, Factory Droid, and Codex CLI
  • multiple Claude subscriptions and isolated account contexts
  • OAuth providers like Codex, Kiro, Claude, Qwen, Kimi, and more, with legacy Copilot compatibility for existing setups
  • API and local-model profiles like GLM, Kimi, OpenRouter, Ollama, llama.cpp, Novita, and Alibaba Coding Plan

The goal is simple: stop rewriting config files, stop breaking active sessions, and move between providers in seconds.

OpenAI-Compatible Routing

CCS can now bridge Claude Code into OpenAI-compatible providers through a local Anthropic-compatible proxy instead of requiring a native Anthropic upstream.

ccs api create --preset hf
ccs hf

Need to manage the proxy manually?

ccs proxy start hf
eval "$(ccs proxy activate)"

The proxy also supports request-time profile:model selectors, scenario-based model routing through proxy.routing, and explicit activation helpers such as ccs proxy activate --fish.

Guide: OpenAI-Compatible Provider Routing

claude-code-router is an excellent standalone tool for routing Claude Code requests to OpenAI-compatible providers. CCS's local proxy and SSE transformation work was directly informed by CCR's transformer architecture.

Use CCR when you want a standalone router without CCS profile management. Use CCS when you want the routing flow integrated with CCS profiles, runtime bridges, and the existing ccs command surface.

Need the full setup path instead of the short version?

Need Start here
Install and verify CCS /getting-started/installation
First successful session /getting-started/first-session
Visual walkthrough /getting-started/product-tour
Provider selection /providers/concepts/overview
Full command reference /reference/cli-commands
Troubleshooting /reference/troubleshooting

See CCS In Action

Usage Analytics

Analytics Dashboard

Track usage, costs, and session patterns across profiles. Deep dive: Dashboard Analytics.

Live Auth And Health Monitoring

Live Auth Monitor

See auth state, account health, and provider readiness without dropping into raw config. Deep dive: Live Auth Monitor.

OAuth Provider Control Center

CLIProxy API

Manage OAuth-backed providers, quota visibility, and proxy-wide routing from one place. CCS now surfaces round-robin vs fill-first natively in both CLI and dashboard flows instead of hiding that choice inside raw upstream controls. The original CLIProxyAPI backend remains the default; the community-maintained CLIProxyAPIPlus fork is opt-in for plus-only providers. When Plus is selected, CCS points the embedded management panel at the maintained CPAMC dashboard fork by default. Deep dive: CLIProxy API.

Managed Tooling And Fallbacks

WebSearch Fallback

CCS can provision first-class local tools like WebSearch and image analysis for third-party launches instead of leaving you to wire them by hand. Browser automation now has a first-class setup path as well. Deep dive: WebSearch | Browser Automation.

Docs Matrix

The README stays short on purpose. The docs site owns the detailed guides and reference material.

If you want to... Read this
Understand what CCS is and how the pieces fit together Introduction
Install CCS cleanly on a new machine Installation
Go from install to a successful first run Your First CCS Session
See the dashboard and workflow surfaces before setup Product Tour
Compare OAuth providers, Claude accounts, and API profiles Provider Overview
Learn the dashboard structure and feature pages Dashboard Overview
Configure profiles, paths, and environment variables Configuration
Understand browser attach vs Codex browser tooling Browser Automation
Keep OpenCode aligned with your live CCS setup OpenCode Sync Plugin
Browse every command and flag CLI Commands
Recover from install, auth, or provider failures Troubleshooting
Understand storage, config, and architecture details Reference

Example Workflow

# Design with default Claude
ccs "design the auth flow"

# Implement with a different provider
ccs codex "implement the user service"

# Use a cheaper API profile for routine work
ccs glm "clean up tests and docs"

# Run a local model when you need privacy or offline access
ccs ollama "summarize these logs"

Community Projects

Project Author Description
opencode-ccs-sync @JasonLandbridge Auto-sync CCS providers into OpenCode

Contribute And Report Safely

  • Contributing guide: CONTRIBUTING.md
  • Daily local gate: bun run format && bun run lint:fix && bun run validate (validate is the fast path only)
  • Before review or merge confidence: bun run validate:ci-parity
  • If PR checks stay queued for more than 10 minutes, assume the self-hosted runner is offline and notify a maintainer instead of retrying blindly
  • Starter work: good first issue, help wanted
  • Questions: open a question issue
  • Security reports: SECURITY.md and the private advisory form

Star History

Star History Chart

S
Description
Switch between Claude accounts, Gemini, Copilot, OpenRouter (300+ models) via CLIProxyAPI OAuth proxy. Visual dashboard, remote proxy support, WebSearch fallback. Zero-config to production-ready.
Readme MIT
33 MiB
Languages
TypeScript 81.4%
HTML 8.1%
JavaScript 7.1%
Swift 1.7%
Shell 1%
Other 0.6%