I discovered that Claude Code's ~/.claude.json file logs partial/unsent keystrokes and stores OAuth metadata (emails, user IDs) in plaintext. The metadata isn't even needed after initial auth - you can delete it and stay logged in.
This creates an unencrypted, ever-growing log of sensitive user activity. Filed an issue and wrote a cleanup script that deletes this info instantly when it tries to save it.
Verified on WSL, but likely affects all platforms.