RepoJournal
Anthropic

@anthropics

Claude SDKs and developer tooling


CONNECT-RUST CLOSES STREAMING RPC SECURITY GAP, INTERCEPTOR CHAIN NOW COVERS ALL CALL SHAPES

By RepoJournal · Filed · About Anthropic

Streaming RPCs have been bypassing the entire interceptor chain in connect-rust - a security hole that's fixed as of today with full Stream-shaped intercept support.

The interceptor chain in connect-rust covered only unary RPCs [1], leaving server-streaming, client-streaming, and bidirectional streaming calls to skip authorization entirely. That's not a gap, that's a vulnerability. PR #121 adds Interceptor::intercept_streaming, a Stream-shaped interceptor that covers all three streaming shapes and closes the chain. In parallel, the stack is tightening around message decoding efficiency: Payload now type-erases and lazily decodes message bodies [2], so when an interceptor reads the request body, that decode is cached and reused by handlers instead of decoding twice [3]. HttpClientBuilder gets connect_timeout control [4], letting callers on flaky network paths (NAT gateways under churn, silent SYN drops) fail fast instead of waiting 130 seconds on kernel defaults. And Server now proxies with_interceptor and with_interceptor_arc directly [5], so standalone Server users don't have to drop down to ConnectRpcService constructors.

On the Claude plugins side, first-party integrations from Apollo, Appwrite, Atlassian, and 21 other major-brand orgs are now promoted and SHA-pinned [6]. A separate sweep bumps 25 plugin pins to upstream HEAD across the h-r range [7].

Over on claude-code-action, the allowed_bots check now fires after actor account type resolution [8], keeping the allowlist correctly scoped to bot/app accounts. Three point releases shipped: v1.0.127 with the actor resolution refactor [9], plus v1.0.126 and v1.0.125 [10], [11].

One critical fix: claude-plugins-official now quotes CLAUDE_PLUGIN_ROOT in all five hook commands [12], unblocking Windows paths with spaces that were erroring on every tool call.
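An added example, not code from connect-rust or from the original article: a toy Rust model of the streaming bypass described above, with a dispatcher that consults the chain only for unary calls next to one that covers every call shape. All type and function names are hypothetical and do not reflect the connect-rust API; the token is constructed sample data.

```rust
// Toy model of an interceptor chain. NOT connect-rust's API: every name
// below is hypothetical and the token value is constructed sample data.
#[derive(Clone, Copy, Debug, PartialEq)]
enum Shape { Unary, ServerStream, ClientStream, Bidi }

const ALL_SHAPES: [Shape; 4] =
    [Shape::Unary, Shape::ServerStream, Shape::ClientStream, Shape::Bidi];

struct Call<'a> { shape: Shape, token: Option<&'a str> }

type Outcome = Result<&'static str, &'static str>;
type Interceptor = fn(&Call) -> Result<(), &'static str>;
type Dispatch = fn(&[Interceptor], &Call) -> Outcome;

// Authorization interceptor: reject any call without the expected token.
fn require_token(call: &Call) -> Result<(), &'static str> {
    match call.token {
        Some("valid-token") => Ok(()),
        _ => Err("unauthenticated"),
    }
}

// Failure mode: the chain is consulted for unary calls only, so every
// streaming shape reaches its handler without any interceptor running.
fn dispatch_unary_only(chain: &[Interceptor], call: &Call) -> Outcome {
    if call.shape == Shape::Unary {
        for check in chain { check(call)?; }
    }
    Ok("handler ran")
}

// Closed chain: every call shape passes through every interceptor.
fn dispatch_all_shapes(chain: &[Interceptor], call: &Call) -> Outcome {
    for check in chain { check(call)?; }
    Ok("handler ran")
}

// Regression check: which shapes let an unauthenticated call reach a handler?
fn bypassed_shapes(dispatch: Dispatch) -> Vec<Shape> {
    let chain: [Interceptor; 1] = [require_token];
    ALL_SHAPES.iter().copied()
        .filter(|&shape| dispatch(&chain, &Call { shape, token: None }).is_ok())
        .collect()
}

fn main() {
    println!("unary-only: {:?}", bypassed_shapes(dispatch_unary_only));
    println!("all shapes: {:?}", bypassed_shapes(dispatch_all_shapes));
}
```

A per-shape check of this kind, run against a real service's test suite, catches a newly added call shape that skips the chain.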

Action items

References

  [1] interceptor: streaming RPC support via Stream-shaped intercept_streaming (#121), anthropics/connect-rust
  [2] payload: AnyMessage and Payload — type-erased, lazily-decoded message bodies (#113), anthropics/connect-rust
  [3] dispatcher: pass Payload to call_unary so handlers reuse the interceptor decode (#119), anthropics/connect-rust
  [4] client: HttpClientBuilder with connect_timeout (#117), anthropics/connect-rust
  [5] server: proxy with_interceptor / with_interceptor_arc to ConnectRpcService (#123), anthropics/connect-rust
  [6] Add 24 first-party plugins from major-brand orgs (#1919), anthropics/claude-plugins-official
  [7] Bump 25 plugin SHA pins to upstream HEAD (huggingface–railway), anthropics/claude-plugins-official
  [8] Resolve actor account type before applying allowed_bots (#1330), anthropics/claude-code-action
  [9] v1.0.127, anthropics/claude-code-action
  [10] v1.0.126, anthropics/claude-code-action
  [11] v1.0.125, anthropics/claude-code-action
  [12] fix: quote ${CLAUDE_PLUGIN_ROOT} in hookify and security-guidance hook commands, anthropics/claude-plugins-official

FAQ

What changed in Anthropic on May 20, 2026?
Streaming RPCs have been bypassing the entire interceptor chain in connect-rust - a security hole that's fixed as of today with full Stream-shaped intercept support.
What should Anthropic teams do about it?
  • Merge and deploy interceptor streaming support (#121) before adding any new streaming RPC handlers
  • Pin the CLAUDE_PLUGIN_ROOT quote fix if running plugins on Windows
  • Review Payload caching behavior in your request body inspection interceptors
Which Anthropic repositories shipped on May 20, 2026?
anthropics/connect-rust, anthropics/claude-plugins-official, anthropics/claude-code-action
