This release includes 2 security fixes for security teams reviewing exposed deployments.
Topics
+7 more
Affected surfaces
Summary
AI summaryStrict quota guard blocks native Claude processing unless explicitly permitted, fixing several routing leakage issues.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Low |
Adds strict quota guard via zero_claude mode setting. Adds strict quota guard via zero_claude mode setting. Source: llm_adapter@2026-05-25 Confidence: high |
— |
| Feature | Low |
Adds explicit native escalation prefixes (claude:, native:, opus:). Adds explicit native escalation prefixes (claude:, native:, opus:). Source: llm_adapter@2026-05-25 Confidence: high |
— |
| Bugfix | Medium |
Fixes continuation quota leakage for transition prompts. Fixes continuation quota leakage for transition prompts. Source: llm_adapter@2026-05-25 Confidence: high |
— |
| Bugfix | Medium |
Prevents fail‑open execution; blocks in strict mode on failures. Prevents fail‑open execution; blocks in strict mode on failures. Source: llm_adapter@2026-05-25 Confidence: high |
— |
| Bugfix | Medium |
Updates legacy shell install script to use canonical auto‑route hook. Updates legacy shell install script to use canonical auto‑route hook. Source: llm_adapter@2026-05-25 Confidence: high |
— |
| Bugfix | Low |
Ignores whitespace‑only prompts in strict mode. Ignores whitespace‑only prompts in strict mode. Source: llm_adapter@2026-05-25 Confidence: high |
— |
| Bugfix | Low |
Ensures release staging includes documentation and installer changes. Ensures release staging includes documentation and installer changes. Source: llm_adapter@2026-05-25 Confidence: high |
— |
Full changelog
v9.1.0 - Strict Zero-Claude Routing (2026-05-25)
Added
- Strict quota guard - set
mode: zero_claudein~/.llm-router/routing.yaml, or setLLM_ROUTER_ZERO_CLAUDE=true, to ensure automatic routes either execute externally or block before native Claude can process the prompt. - Explicit native escalation - prefix a prompt with
claude:,native:, oropus:to intentionally permit a native Claude Code turn while strict mode is enabled.
Fixed
- Continuation quota leakage - substantive requests beginning with transitions such as
"great, now I want..."no longer bypass routing as continuations. - Fail-open execution - failed direct execution, unavailable external tool-agent execution, and MCP-only handoffs now block in strict mode instead of exposing the prompt to native Claude.
- Blank prompt handling - whitespace-only submissions are ignored in strict mode instead of producing a misleading block message.
- Legacy shell install path -
scripts/install.shnow installs the canonical packaged auto-route hook rather than the stale project hook copy. - Release staging -
scripts/release.pynow includes documentation and installer script changes in its release commit staging set.
Security Fixes
- Prevents continuation prompts from bypassing routing (continuation quota leakage)
- Blocks fail‑open execution paths in strict mode, avoiding unintended Claude processing
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About ypollak2/llm-router
Subscription-aware LLM router for Claude Code. Routes tasks to 20+ providers (OpenAI, Gemini, Groq, Ollama, Codex) based on complexity classification, Claude subscription pressure, and cost. Free tasks stay on Claude subscription; expensive tasks fall back to the cheapest capable model. Includes 30 MCP tools, 6 auto-routing hooks, semantic dedup cache, prompt caching, daily spend cap, and a live web dashboard.
Related context
Related tools
Beta — feedback welcome: [email protected]