llm_cost_tracker 0.8.0 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 357a557efba70db48baf47dde01b0aec7ee8f17787c09276a608572037e1b405
-  data.tar.gz: dd91244e99ecbc531d592572ea419a6567d51980f1f95f9eedb0a929f52ffb71
+  metadata.gz: f17f618b28473afa871c9961a443a34152f4de81f7026d676d62b7e2bd1396d8
+  data.tar.gz: d024b23f0ca6cd117afa5d10faa0a0b96374391a4741ea330b924b5091f665f7
 SHA512:
-  metadata.gz: a9ef38be029273bb2df21e9837e92d166ccb3c931c859437a3e5ace57daebbfaf78db182b93a87aedd9be1df18ef26937cae47b3382a61489fe1e4b1cdd0b669
-  data.tar.gz: 852695ad7b07962ad540b16669e285324b1af5059e975ca645aa2670f8ed5069640e06207a06f170edcdfc19a22e9aacdab684caf831feaa7c334a3d52f41a67
+  metadata.gz: 0abf684c595b7bc84dfda26ffc62eaabc0c6d91d0b93f1065bf6e824c7867326b7978875d845d3df8be25bfa04ff9091150e0a4cac7f84d835ceaf2f1e2996bb
+  data.tar.gz: 5b9405bf332b2e9e1eae05f0e7d107d4bb76ea71a6602846a16198540f3e0f315f48dbb316bbda24812d4d66c56ba837a42bfe81aeea502238f09e1f0202c6b4

data/CHANGELOG.md

@@ -2,6 +2,114 @@
 
 Format: [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). Versioning: [SemVer](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+## [0.9.0] - 2026-05-12
+
+0.9 leans the default install: only `calls`, `call_line_items`, and `call_tags`
+are mandatory. Durable ingestion, rollup-cached budget reads, and provider
+invoice reconciliation are opt-in behind config flags and dedicated generators.
+Plus expanded SDK capture (OpenAI embeddings/audio/images/moderation, RubyLLM
+paint/moderate), correct handling of Anthropic data residency and Priority
+Tier, and a security-hardened dashboard. Existing installs need a migration —
+see [Upgrading](docs/upgrading.md).
+
+### Added
+
+- **Experimental:** opt-in provider invoice reconciliation. Set `config.reconciliation_enabled = true` and run `bin/rails generate llm_cost_tracker:reconciliation`. Public surface: `LlmCostTracker::Reconciliation.import / .diff`, `config.register_reconciliation_importer(:source) { … }`, rake tasks `llm_cost_tracker:reconcile:import` and `:reconcile:diff`. Doctor warns when drift exceeds 5% or imports go stale past 14 days. See [Configuration](docs/configuration.md#reconciliation-experimental-opt-in).
+- Dashboard Data Quality page now shows a "Streaming health by provider" breakdown (streams, with-usage, unknown, unknown share) so a misconfigured OpenAI-compatible host shipping streams without `stream_options.include_usage` is visible at a glance.
+- Dashboard tag detail page drills into a single value via `?tag_value=…` with total cost, call count, average per call, and a daily spend timeseries.
+- Bundled rates for OpenAI embeddings (`text-embedding-3-small` / `-3-large` / `-ada-002`, including 50% batch discount) and token-priced transcription (`gpt-4o-transcribe`, `gpt-4o-mini-transcribe`). Token-priced transcription splits audio and text inputs at their separate rates. DALL-E and Whisper still record as zero-token visibility events until their per-image / per-minute pricing components land.
+- OpenAI `gpt-image-1` / `gpt-image-1-mini` / `gpt-image-1.5` / `gpt-image-2` priced per image-token at their published standard rates, with `batch_*` shadow rates for the 50% batch tier. (Earlier preview snapshots stored only the batch rates, which silently halved image-generation costs.) The SDK integration extracts `usage.input_tokens_details.image_tokens` for image-as-input flows (edits / variations) and treats `usage.output_tokens` as image output. Requires the new `bin/rails generate llm_cost_tracker:upgrade_image_tokens` migration on v0.8 → v0.9 upgrades.
+- OpenAI `tts-1` / `tts-1-hd` priced per character (request `input.length`). `gpt-4o-mini-tts` is left as a zero-cost visibility event because its tokens are not exposed to the client.
+- OpenAI SDK integration now also patches `Embeddings#create`, `Images#generate` / `#edit` / `#create_variation`, `Audio::Transcriptions#create`, `Audio::Speech#create`, `Moderations#create`, and `Chat::Completions#stream`. Calls without provider-reported usage record as zero-token visibility events.
+- RubyLLM SDK integration also records `Provider#paint` and `Provider#moderate`.
+- `bin/rails generate llm_cost_tracker:upgrade_call_rollups_provider` writes the v0.8 → v0.9 migration that adds the `provider` column and swaps the unique index. Re-runs are no-ops.
+- [EU AI Act record-keeping guide](docs/eu_ai_act.md) — maps the ledger fields and `llm_cost_tracker:prune` retention to Article 26(6) deployer obligations (≥ 6-month retention, traceability, attribution tags). Not legal advice.
+
+### Fixed
+
+- Subscriber failures during `Tracker.record` no longer lose the event — the ledger write happens first; subscriber errors are caught and logged.
+- Header `total_cost` no longer mixes currencies. Mismatched service-line costs keep their per-line currency and are excluded from the header total (with a warning).
+- Budget reads aggregate across all rollup currencies instead of being silently scoped to USD only.
+- `bin/rails llm_cost_tracker:setup` no longer fails with `Missing Thor class for invoke llm_cost_tracker:prices`, is idempotent on re-runs, and surfaces a friendly error when the database is unreachable.
+- Stream events are no longer lost when finalization raises. The collector retries on the next `finish!`. Abandoned streams (wrapped but never iterated) emit a usage event instead of disappearing.
+- Faraday streaming overflow keeps the buffer accumulated up to the limit (matching the SDK collector) instead of dropping all events.
+- Edits to `config.prices_file` are picked up without a gem reload — the lookup cache invalidates on file mtime changes.
+- Models flagged with `_source: "manual"` in the local prices file are preserved through `prices:refresh` when the remote registry does not claim the same key.
+- Anthropic Priority Tier no longer falls to `cost_status: unknown`. It's a throughput commitment, not a per-token surcharge — both the SDK integration and the Faraday parser treat `service_tier: "priority"` as standard pricing.
+- Anthropic `data_residency` mode triggers on `inference_geo: "us"` only — the documented +1.1x uplift tier. Earlier preview ranges that listed `"eu"` were incorrect; EU data residency runs through Bedrock Frankfurt or Vertex Belgium with separate pricing, not the Anthropic API.
+- Anthropic `web_fetch_request` is recorded with a `$0` rate (Anthropic bills web fetch via standard tokens, not per fetch). The scraper picks up the "no additional charges" wording so `prices:refresh` keeps it accurate.
+- OpenAI `web_search_call` is now priced model-aware. The legacy `web_search_preview` tool routes to `web_search_preview_request_reasoning` ($10/1k for gpt-5/o-series) or `web_search_preview_request_non_reasoning` ($25/1k for everything else), matching OpenAI's three published web-search billing paths. `gpt-5-chat-latest` and dotted variants (`gpt-5.1-chat-latest`, `gpt-5.2-chat-latest`, …) are classified as non-reasoning despite the `gpt-5` prefix.
+- Anthropic Cost API reconciliation now ingests rows against live admin payloads (preview builds expected obsolete field names and produced zero rows). `service_tier: "batch"` and `inference_geo: "us"` are the only dimensions that promote a row's `pricing_mode`.
+- Reconciliation diff windows are anchored in UTC; non-UTC servers no longer skew the window.
+- Reconciliation provider totals sum only invoices fully contained in the diff window. Partially overlapping invoices no longer count at their full `billed_amount`.
+- Reconciliation diff window upper bound is now exclusive of midnight on the day after `period_end`. Calls tracked at exactly `00:00:00.000` of the next month no longer get counted in both periods.
+- `Reconciliation.import` / `Reconciliation.diff` accept (and require, for unmapped sources) an explicit `provider:`. Built-in mappings cover `openai`, `openai_usage`, `anthropic`, `anthropic_usage`, `gemini`. CSV and other custom sources must pass `provider:` (or be derivable from a prior import's metadata) — the previous silent fall-through summed local calls across every provider.
+- Reconciliation import errors no longer echo the exception verbatim into the dashboard flash. The full trace goes to logs; the alert shows the exception class only.
+- `Reconciliation::Importer` works on MySQL/Trilogy installs (adapter-aware `upsert_all`).
+- Reconciliation `external_id` is namespaced by `source/provider` for sources that carry multiple providers (e.g. `csv/openai:row-1` vs `csv/anthropic:row-1`). The same CSV row id imported under two providers no longer collides on the unique index. Native sources keep their `openai:` / `anthropic:` / `gemini:` prefix.
+- Reconciliation dashboard groups latest-period and drill-down by source, provider, and currency. A second provider importing under the same source no longer hides its drift in the first provider's row.
+- OpenAI Cost API reconciliation tags the organization id under `provider_workspace_id` so org-level scope filters work.
+- Reconciliation diff drill-down is capped at the top 100 unmatched rows by amount with totals counted separately, so the dashboard stays responsive on large monthly reconciliations. Pass `DRILLDOWN_LIMIT=all` to `rake llm_cost_tracker:reconcile:diff` to see every row.
+- Period totals fall back to live aggregation from `llm_cost_tracker_calls` when `cache_rollups = true` but the rollups table has no row for the period. Budget reads and dashboard totals no longer read zero during a rollup rebuild window after the v0.9 upgrade migration.
+- OpenAI hosted-tool service line items (`web_search_call`, `file_search_call`, `code_interpreter_call`, `mcp_call`) are recorded when the SDK returns the type as a Symbol. Previously these line items were silently dropped on SDK-shaped responses.
+- Image generation streams (`gpt-image-1.5`, `gpt-image-2`) and audio streams no longer overflow on a single base64 chunk; the final usage event is captured and tokens get priced.
+- Interrupted Anthropic and Gemini streams record the right provider name instead of `provider: "unknown"`.
+- Tag sanitizer redacts secrets before truncating, so the leading bytes of a secret can't survive a small `max_tag_value_bytesize`. Nested `[REDACTED]` markers stay whole regardless of the byte budget.
+- `Pricing::Registry` rejects non-finite price values (`Infinity` / `NaN`) alongside negatives.
+- Reconciliation `ProviderInvoiceImport.started_at` is the wall-clock import time. Backfills with a historical `imported_at` no longer invert `resume_cursor_for` ordering.
+- Reconciliation install migration is re-runnable on installs that already carry the v0.8 placeholder tables.
+- Pre-release v0.9 deployers who imported reconciliation rows before these fixes need `LlmCostTracker::ProviderInvoice.delete_all` and a re-import — the `external_id` prefix and the OpenAI organization-id field both changed shape.
+- Budget reads survive the v0.9 upgrade migration's rollup truncation — a partial rollup row no longer hides historical pre-migration spend in the same period.
+- Streaming requests that hit `unknown_pricing_behavior = :raise` after the response is received raise without recording a synthetic zero-token event.
+- Reconciliation doctor checks each `source / provider / currency` combination separately; a stale Anthropic CSV import no longer hides behind a fresh OpenAI one on the same source.
+- Reconciliation imports normalise `currency` to upper case so `usd` and `USD` no longer split the diff.
+- Reconciliation dashboard and CLI render `n/a` for invoice rows imported with no `billed_amount` instead of `$0.00`.
+- Reconciliation diff drill-down shows the actual unmatched rows even when most invoices match — small-amount unmatched rows are no longer hidden by a wall of matched big-amount rows.
+- OpenAI SDK Responses calls bill image and text tokens separately for `gpt-image-*` models, matching the Faraday parser.
+- OpenAI SDK integration captures the request when the caller passes a typed request object (anything that responds to `to_h`) instead of dropping it.
+- Custom prices files with `Infinity` / `NaN` service-charge rates fail to load with a clear error instead of silently corrupting cost math.
+- High-cardinality tag filters (`Call.by_tag(:tenant_id, …)`) now hit a composite index instead of scanning. Existing installs run `bin/rails generate llm_cost_tracker:upgrade_call_tags_key_value_index && bin/rails db:migrate`.
+- Reconciliation diff over a large invoice set uses an index scan on the new `(source, currency, period_start)` composite.
+- Doctor warns when provider invoice rows are stored with non-uppercase currency and points at the one-line backfill SQL, instead of the dashboard silently zeroing out diffs against legacy lowercase data.
+- A request-level `pricing_mode` no longer overrides what the provider reports back on a streamed response. Provider-reported standard wins over a request that asked for priority.
+- The new generators (`call_rollups`, `durable_ingestion`, `reconciliation`, `upgrade_call_rollups_provider`) are reachable through `bin/rails generate llm_cost_tracker:<name>`.
+- Faraday streaming captures no longer silently degrade to `usage_source: :unknown`.
+- Dashboard filters apply the default 30-day range when `from`/`to` params are missing.
+- `provider_api_key_id` and `provider_workspace_id` are masked on the call detail page and CSV export. Host apps that added a `metadata` column written as a JSON string now flow through the same masking instead of rendering the raw column.
+- Faraday parser tracks OpenAI `/v1/images/*` and `/v1/audio/transcriptions`/`/v1/audio/translations` so raw-Faraday image generations and transcriptions land in the ledger. `/v1/audio/speech` and `/v1/moderations` are also matched so `Tracker.enforce_budget!` gates them; they do not record a row because OpenAI does not return token usage for those endpoints.
+- OpenAI SDK `Audio::Translations#create` is now patched alongside `Audio::Transcriptions#create`.
+- OpenAI SDK `Images#generate` / `#edit` / `#create_variation` no longer double-counts cached input tokens.
+- OpenAI SDK `Responses.create` and Faraday parser both route output to `image_output_tokens` for `gpt-image-*` models even when the response omits `output_tokens_details.image_tokens`.
+- OpenAI SDK `Images#generate` / `#edit` / `#create_variation` no longer drops the text-output remainder when `output_tokens_details` reports only `image_tokens`. The remainder lands as `output_tokens`, matching the Faraday parser.
+- RubyLLM `Provider#paint` for `gpt-image-*` models records image output tokens under `image_output_tokens` so image rates apply.
+- RubyLLM integration treats Anthropic `service_tier: "priority"` as standard pricing (Priority Tier is committed throughput, not a surcharge). Previously these calls fell to `cost_status: unknown` because the literal `"priority"` was passed through as `pricing_mode`.
+- Reconciliation diff falls back to live `llm_cost_tracker_call_line_items` aggregation when the rollup fast path finds no row for the period. Without the fallback, past-month diffs after the v0.9 `upgrade_call_rollups_provider` migration (which truncates rollups) would report `local_total = $0` until events repopulate the new schema.
+- Provider-invoice reconciliation falls back to `match_basis: "model"` (was `period_only`) when an invoice carries only a model identifier.
+- `prices:refresh` bootstraps a missing local pricing file instead of failing with `Errno::ENOENT`.
+- Doctor's durable-inbox verification no longer leaves a synthetic inbox row behind when `Tracker.track` raises `BudgetExceededError`.
+- Install-generator snippet in [Upgrading](docs/upgrading.md) for the reconciliation table now matches the shipped index (`(source, currency, period_start)`).
+- Doctor catches schema drift on required columns, required indexes, and the foreign key on `call_line_items` before the first row is inserted.
+- Service-charge rows render `n/a` instead of `$0.00` when `cost_status` is `unknown`, so unpriced charges don't masquerade as zero-cost.
+- Enabling `:ruby_llm` together with `:openai` / `:anthropic` logs a warning at install — RubyLLM routes through HTTP, so calls would otherwise be double-counted. Pick one path per provider.
+
+### Changed
+
+- BREAKING: `bin/rails generate llm_cost_tracker:install --dashboard` no longer writes the `mount LlmCostTracker::Engine` line into `config/routes.rb`. The CLI prints the snippet wrapped in your auth instead — leaving the dashboard auto-mounted would expose spend, tags, and provider IDs to anyone who can reach the host. Add the route under your authentication block.
+- BREAKING: `config.durable_ingestion` defaults to `false`. Tracking writes go directly to the ledger from the request thread; the durable inbox + worker + leases tables are no longer created by the install generator. Existing installs keep their tables — set `config.durable_ingestion = true` to keep the inbox path. Fresh installs that need durability run `bin/rails generate llm_cost_tracker:durable_ingestion` and flip the flag.
+- BREAKING: `config.cache_rollups` defaults to `false`. Budget reads aggregate live from `llm_cost_tracker_calls`; the rollup table is no longer created by the install generator. Existing installs keep their table — set `config.cache_rollups = true` to keep the rollup fast path. Fresh installs run `bin/rails generate llm_cost_tracker:call_rollups` and flip the flag.
+- BREAKING: `llm_cost_tracker_call_rollups` gains a `provider` column; unique index moves from `(period, period_start, currency)` to `(period, period_start, currency, provider)`. See [Upgrading](docs/upgrading.md).
+- BREAKING: `llm_cost_tracker_calls` gains `image_input_tokens` and `image_output_tokens` columns (default 0) so OpenAI `gpt-image-*` models can bill image-token rates separately from text. Run `bin/rails generate llm_cost_tracker:upgrade_image_tokens && bin/rails db:migrate`. CSV exports include the new columns between `audio_input_tokens` / `output_tokens` and `audio_output_tokens` / `total_tokens` respectively — downstream consumers indexing by header name keep working; positional consumers shift by two.
+- BREAKING: `LlmCostTracker::Call.by_tag(key, value)` encodes Hash and Array values with `JSON.generate` to match how `Ledger::Store` writes them. The previous `value.to_s` path produced `"{:k=>v}"`-shaped strings that never matched stored JSON, so filtering by nested attribution silently returned zero rows.
+- Faraday middleware auto-injects `stream_options: { include_usage: true }` on OpenAI and OpenAI-compatible chat-completions streaming requests when the caller hasn't set it. Disable with `config.auto_enable_stream_usage = false`.
+- Header `total_cost` and per-line-item rates can no longer disagree on the context-tier boundary or the resolved pricing mode.
+- OpenAI-compatible chat-completions streams without a final usage chunk log a warning instead of recording silently as `usage_source: "unknown"`.
+- `Tags::Sanitizer` redacts tag values matching known secret patterns (OpenAI/Anthropic, GitHub, AWS, JWT, Slack, Stripe, Google API key, `Bearer …`) regardless of tag key, recurses into nested Hash/Array leaves, and on tag-count overflow keeps the most recently added tags. `Tags::Context` sanitises at block entry so raw values never reach notification subscribers, the Faraday request env, or in-flight stream collectors.
+- Engine dashboard adds CSRF protection on the reconciliation import endpoint, sets `Cache-Control: no-store` on CSV exports, registers `tag` / `tag_value` in `config.filter_parameters`, and emits `X-Frame-Options: DENY` / `Referrer-Policy: same-origin` / a baseline `Content-Security-Policy` on every dashboard response. CSV export is capped at 10,000 rows and respects the requested sort.
+- Dashboard schema drift check runs once per process instead of on every request, cutting per-request DB metadata load. Code reloads in development still trigger a re-check.
+- Dashboard dynamic widths (progress bars, budget fills, stack segments) render via a per-request CSP-nonced `<style>` block instead of inline `style="…"` attributes. Strict `style-src 'self' 'nonce-…'` no longer collapses the visualisations.
+
 ## [0.8.0] - 2026-05-07
 
 0.8 is a storage rebuild. Tokens and tool/runtime charges share one shape

data/README.md

@@ -29,8 +29,7 @@ gem "openai"
 bin/rails llm_cost_tracker:setup
 ```
 
-That runs the install generator with the dashboard and pricing snapshot,
-migrates the database, then verifies via `llm_cost_tracker:doctor`.
+Runs the install generator, drops a price snapshot, migrates the database, and verifies via `llm_cost_tracker:doctor`.
 
 ```ruby
 # config/initializers/llm_cost_tracker.rb
@@ -49,8 +48,15 @@ LlmCostTracker.with_tags(user_id: Current.user&.id, feature: "chat") do
 end
 ```
 
-Mount the dashboard at `/llm-costs` and put it behind your app's auth — it
-ships without one.
+Mount the dashboard in `config/routes.rb`, behind your auth:
+
+```ruby
+authenticate :admin do
+  mount LlmCostTracker::Engine => "/llm-costs"
+end
+```
+
+The engine ships without authentication on purpose.
 
 ## What lands in the ledger
 
@@ -81,7 +87,7 @@ need `stream_options: { include_usage: true }`.
 
 - No proxy. Direct calls only.
 - No prompts. Token counts and metadata only.
-- Not invoice-grade. Provider response IDs are stored for reconciliation.
+- No traces, evals, or prompt management. Different product, different gem.
 - Not multi-service. Built for a Rails monolith.
 
 ## Manual tracking
@@ -110,6 +116,7 @@ LlmCostTracker.track(
 - [Extending](docs/extending.md)
 - [Operations](docs/operations.md)
 - [Architecture](docs/architecture.md)
+- [EU AI Act record-keeping](docs/eu_ai_act.md)
 - [Upgrading](docs/upgrading.md)
 - [Changelog](CHANGELOG.md)
 

data/app/assets/llm_cost_tracker/application.css

@@ -163,6 +163,31 @@
 
   .lct-panel + .lct-panel,
   .lct-stat-grid + .lct-panel { margin-top: 16px; }
+  .lct-grid > .lct-panel + .lct-panel,
+  .lct-grid > .lct-stat-grid + .lct-panel { margin-top: 0; }
+
+  .lct-breadcrumb {
+    align-items: center;
+    color: var(--lct-muted);
+    display: flex;
+    font-size: var(--fs-sm);
+    gap: 8px;
+    margin-bottom: 14px;
+  }
+  .lct-breadcrumb-link {
+    color: var(--lct-muted);
+    text-decoration: none;
+    transition: color 0.15s ease;
+  }
+  .lct-breadcrumb-link:hover { color: var(--lct-text); }
+  .lct-breadcrumb-link:focus-visible {
+    color: var(--lct-text);
+    outline: 2px solid var(--lct-accent-soft);
+    outline-offset: 2px;
+    border-radius: 2px;
+  }
+  .lct-breadcrumb-sep { color: var(--lct-border-strong); }
+  .lct-breadcrumb-current { color: var(--lct-text); font-weight: 500; }
 
   .lct-banner {
     align-items: center;
@@ -229,7 +254,7 @@
 
   .lct-hero-side .lct-stat-grid { grid-template-columns: repeat(3, minmax(0, 1fr)); }
   .lct-stat-grid-spaced { margin-bottom: 16px; }
-  .lct-two-col { grid-template-columns: minmax(0, 1fr) minmax(0, 1fr); }
+  .lct-two-col { align-items: start; grid-template-columns: minmax(0, 1fr) minmax(0, 1fr); }
 
   .lct-stat {
     align-items: flex-start;
@@ -256,7 +281,6 @@
 
   .lct-stat-label,
   .lct-field label,
-  .lct-dl dt,
   .lct-call-summary-label,
   .lct-call-breakdown-title,
   .lct-chip-label {
@@ -301,6 +325,21 @@
   .lct-table-compact th,
   .lct-table-compact td { padding: 10px 12px; }
 
+  .lct-badge {
+    align-items: center;
+    border-radius: 999px;
+    display: inline-flex;
+    font-size: var(--fs-xs);
+    font-weight: 600;
+    letter-spacing: 0.02em;
+    line-height: 1;
+    padding: 4px 10px;
+    text-transform: uppercase;
+    vertical-align: middle;
+  }
+  .lct-badge-ok { background: var(--lct-success-soft); color: var(--lct-success); }
+  .lct-badge-warn { background: var(--lct-warning-soft); color: var(--lct-warning-strong); }
+
   .lct-delta-badge {
     align-items: center;
     border-radius: 999px;
@@ -387,8 +426,10 @@
   .lct-stack-fill-cache-write { background: #f59e0b; }
   .lct-stack-fill-cache-write-extended { background: #a855f7; }
   .lct-stack-fill-audio-input { background: #ec4899; }
+  .lct-stack-fill-image-input { background: #f97316; }
   .lct-stack-fill-output { background: #0ea5e9; }
   .lct-stack-fill-audio-output { background: #14b8a6; }
+  .lct-stack-fill-image-output { background: #84cc16; }
 
   .lct-budget { display: grid; gap: 10px; }
   .lct-budget-head { align-items: baseline; display: flex; gap: 10px; justify-content: space-between; }
@@ -491,6 +532,20 @@
   }
   .lct-state-title { font-size: var(--fs-lg); font-weight: 600; margin: 0 0 6px; letter-spacing: -0.005em; }
   .lct-state-copy { color: var(--lct-muted); margin: 0 auto; max-width: 480px; font-size: var(--fs-sm); line-height: 1.55; }
+  .lct-state-pre {
+    background: var(--lct-bg);
+    border: 1px solid var(--lct-border);
+    border-radius: 6px;
+    color: var(--lct-text);
+    font-family: var(--mono);
+    font-size: var(--fs-sm);
+    line-height: 1.55;
+    margin: 12px auto 0;
+    max-width: 560px;
+    overflow: auto;
+    padding: 12px 14px;
+    text-align: left;
+  }
   .lct-state-actions { display: flex; gap: 8px; justify-content: center; margin-top: 20px; }
 
   .lct-toolbar {
@@ -832,16 +887,21 @@
 
   .lct-nowrap { white-space: nowrap; }
 
-  .lct-detail-grid { display: grid; gap: 16px; grid-template-columns: minmax(0, 1fr) minmax(0, 1fr); }
+  .lct-detail-grid { align-items: start; display: grid; gap: 16px; grid-template-columns: repeat(3, minmax(0, 1fr)); }
 
   .lct-dl {
     display: grid;
     gap: 12px;
-    grid-template-columns: minmax(120px, 0.4fr) minmax(0, 1fr);
+    grid-template-columns: minmax(120px, 0.45fr) minmax(0, 1fr);
     margin: 0;
   }
 
-  .lct-dl dd { margin: 0; min-width: 0; overflow-wrap: anywhere; word-break: break-word; }
+  .lct-dl dt {
+    color: var(--lct-muted);
+    font-size: var(--fs-sm);
+    font-weight: 500;
+  }
+  .lct-dl dd { color: var(--lct-text); font-size: var(--fs-sm); margin: 0; min-width: 0; overflow-wrap: anywhere; word-break: break-word; }
 
   .lct-pre {
     background: #0f172a;

data/app/controllers/llm_cost_tracker/application_controller.rb

@@ -1,53 +1,33 @@
 # frozen_string_literal: true
 
+require "securerandom"
+
 module LlmCostTracker
   class ApplicationController < ActionController::Base
     layout "llm_cost_tracker/application"
 
+    protect_from_forgery with: :exception
+
+    before_action :set_dashboard_security_headers
     before_action :ensure_current_schema
 
+    helper_method :dashboard_csp_nonce
+
     rescue_from ActiveRecord::ConnectionNotEstablished, with: :render_database_error
+    rescue_from ActiveRecord::AdapterNotSpecified, with: :render_database_error
     rescue_from ActiveRecord::RecordNotFound, with: :render_not_found
     rescue_from ActiveRecord::StatementInvalid, with: :render_database_error
     rescue_from LlmCostTracker::InvalidFilterError, with: :render_invalid_filter
 
-    SCHEMA_CHECKS = [
-      [
-        LlmCostTracker::Ledger::Schema::Calls,
-        "The llm_cost_tracker_calls table does not match the current LLM Cost Tracker schema."
-      ],
-      [
-        LlmCostTracker::Ledger::Schema::CallRollups,
-        "The llm_cost_tracker_call_rollups table does not match the current LLM Cost Tracker schema."
-      ],
-      [
-        LlmCostTracker::Ledger::Schema::CallLineItems,
-        "The llm_cost_tracker_call_line_items table does not match the current LLM Cost Tracker schema."
-      ],
-      [
-        LlmCostTracker::Ledger::Schema::CallTags,
-        "The llm_cost_tracker_call_tags table does not match the current LLM Cost Tracker schema."
-      ]
-    ].freeze
-
-    private_constant :SCHEMA_CHECKS
-
     private
 
     def ensure_current_schema
-      unless LlmCostTracker::Call.table_exists?
-        @setup_message = "The llm_cost_tracker_calls table is not available yet."
-        return render template: "llm_cost_tracker/shared/setup_required"
-      end
+      drift = LlmCostTracker::DashboardSetupState.current
+      return unless drift
 
-      SCHEMA_CHECKS.each do |schema, message|
-        errors = schema.current_schema_errors
-        next if errors.empty?
-
-        @setup_message = message
-        @setup_details = errors + ["See docs/upgrading.md for the migration path."]
-        return render template: "llm_cost_tracker/shared/setup_required"
-      end
+      @setup_message = drift.message
+      @setup_details = drift.details
+      render template: "llm_cost_tracker/shared/setup_required"
     end
 
     def render_database_error(error)
@@ -63,5 +43,17 @@ module LlmCostTracker
     def render_not_found
       render "llm_cost_tracker/errors/not_found", status: :not_found
     end
+
+    def set_dashboard_security_headers
+      nonce = dashboard_csp_nonce
+      response.headers["X-Frame-Options"] = "DENY"
+      response.headers["Referrer-Policy"] = "same-origin"
+      response.headers["Content-Security-Policy"] =
+        "default-src 'self'; style-src 'self' 'nonce-#{nonce}'; img-src 'self' data:; frame-ancestors 'none'"
+    end
+
+    def dashboard_csp_nonce
+      request.env["llm_cost_tracker.csp_nonce"] ||= SecureRandom.base64(16)
+    end
   end
 end

data/app/controllers/llm_cost_tracker/assets_controller.rb

@@ -3,7 +3,7 @@
 module LlmCostTracker
   class AssetsController < ActionController::Base
     def stylesheet
-      response.set_header("Cache-Control", cache_control_header)
+      response.headers["Cache-Control"] = cache_control_header
       send_file LlmCostTracker::Assets::STYLESHEET_PATH, type: "text/css", disposition: "inline"
     end
 

data/app/controllers/llm_cost_tracker/calls_controller.rb

@@ -22,6 +22,7 @@ module LlmCostTracker
           @calls = ordered_scope.includes(:tag_records).limit(@page.limit).offset(@page.offset).to_a
         end
         format.csv do
+          response.headers["Cache-Control"] = "no-store"
           send_data render_csv(ordered_scope.limit(CSV_EXPORT_LIMIT)),
                     type: "text/csv",
                     disposition: %(attachment; filename="llm_calls_#{Time.now.utc.strftime('%Y%m%d_%H%M%S')}.csv")
@@ -74,8 +75,9 @@ module LlmCostTracker
       case field
       when :tracked_at
         call.tracked_at&.utc&.iso8601
-      when :provider, :model, :provider_response_id, :provider_project_id, :provider_api_key_id,
-           :provider_workspace_id, :cost_status
+      when :provider_api_key_id, :provider_workspace_id, :provider_project_id
+        csv_safe(LlmCostTracker::Masking.mask_value(field, call[field]))
+      when :provider, :model, :provider_response_id, :cost_status
         csv_safe(call[field])
       when :pricing_snapshot
         csv_safe(csv_json(call.pricing_snapshot))
@@ -87,11 +89,7 @@ module LlmCostTracker
     end
 
     def csv_json(value)
-      return value.transform_keys(&:to_s).to_json if value.is_a?(Hash)
-
-      JSON.parse(value || "{}").to_json
-    rescue JSON::ParserError
-      "{}"
+      Hash(value).deep_stringify_keys.to_json
     end
 
     def csv_safe(value)

data/app/controllers/llm_cost_tracker/data_quality_controller.rb

@@ -16,6 +16,10 @@ module LlmCostTracker
         total_calls: @summary.total
       )
       @service_charge_rows = Dashboard::DataQuality.service_charge_rows(scope).to_a
+      @streaming_health_rows = Dashboard::DataQuality.streaming_health_rows(
+        scope,
+        total_streaming: @summary.streaming_count
+      )
     end
   end
 end

data/app/controllers/llm_cost_tracker/reconciliation_controller.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module LlmCostTracker
+  class ReconciliationController < ApplicationController
+    def index
+      @reconciliation_enabled = LlmCostTracker::Reconciliation.enabled?
+      @reconciliation_installed = LlmCostTracker::ProviderInvoice.table_exists?
+      if @reconciliation_enabled && @reconciliation_installed
+        @scopes = invoice_scopes
+        @sources = @scopes.map { |scope| scope[:source] }.uniq
+        @diffs = @scopes.filter_map { |scope| diff_for(scope) }
+        @last_imported_at = LlmCostTracker::ProviderInvoice.maximum(:imported_at)
+      else
+        @scopes = []
+        @sources = []
+        @diffs = []
+        @last_imported_at = nil
+      end
+      @threshold = LlmCostTracker::Reconciliation::DEFAULT_THRESHOLD_PERCENT
+      @configured_importers = @reconciliation_enabled ? configured_importers : {}
+    end
+
+    def trigger_import
+      unless LlmCostTracker::Reconciliation.enabled?
+        return redirect_to reconciliation_path, alert: "Reconciliation is disabled"
+      end
+
+      source = params[:source].to_s
+      importer = configured_importers[source.to_sym]
+      return redirect_to reconciliation_path, alert: "No importer configured for #{source}" if importer.nil?
+
+      result = importer.call
+      if result.respond_to?(:errors) && result.errors.any?
+        LlmCostTracker::Logging.warn(
+          "Reconciliation import for #{source} returned #{result.errors.size} row error(s)"
+        )
+        return redirect_to(
+          reconciliation_path,
+          alert: "Imported #{result.respond_to?(:total_imported) ? result.total_imported : 0} " \
+                 "#{source} rows with #{result.errors.size} row error(s); see Rails logs for details."
+        )
+      end
+      message = if result.respond_to?(:total_imported)
+                  "Imported #{result.total_imported} #{source} rows"
+                else
+                  "Triggered #{source} importer"
+                end
+      redirect_to reconciliation_path, notice: message
+    rescue StandardError => e
+      LlmCostTracker::Logging.warn("Reconciliation import failed for #{source}: #{e.class}: #{e.message}")
+      redirect_to reconciliation_path,
+                  alert: "Import failed (#{e.class.name}); see Rails logs for details."
+    end
+
+    private
+
+    def configured_importers
+      LlmCostTracker.configuration.reconciliation_importers
+    end
+
+    def invoice_scopes
+      connection = LlmCostTracker::ProviderInvoice.connection
+      provider_expr =
+        if LlmCostTracker::Ledger::Schema::Adapter.postgresql?(connection)
+          Arel.sql("metadata->>'provider'")
+        else
+          Arel.sql("JSON_UNQUOTE(JSON_EXTRACT(metadata, '$.provider'))")
+        end
+      LlmCostTracker::ProviderInvoice
+        .group(:source, provider_expr, :currency)
+        .order(:source, :currency)
+        .pluck(:source, provider_expr, :currency)
+        .map { |source, provider, currency| { source: source, provider: provider, currency: currency.upcase } }
+    end
+
+    def diff_for(scope)
+      window = scope_invoices(scope)
+               .order(period_end: :desc, period_start: :desc)
+               .limit(1)
+               .pick(:period_start, :period_end)
+      return nil unless window
+
+      LlmCostTracker::Reconciliation.diff(
+        source: scope[:source], provider: scope[:provider], currency: scope[:currency],
+        period_start: window[0], period_end: window[1]
+      )
+    rescue ArgumentError => e
+      LlmCostTracker::Logging.warn("Reconciliation diff skipped for #{scope.inspect}: #{e.message}")
+      nil
+    end
+
+    def scope_invoices(scope)
+      relation = LlmCostTracker::ProviderInvoice
+                 .where(source: scope[:source], currency: scope[:currency])
+      connection = LlmCostTracker::ProviderInvoice.connection
+      provider = scope[:provider]
+      return relation if provider.nil? || provider.empty?
+
+      if LlmCostTracker::Ledger::Schema::Adapter.postgresql?(connection)
+        relation.where("metadata->>'provider' = ?", provider)
+      else
+        relation.where("JSON_UNQUOTE(JSON_EXTRACT(metadata, '$.provider')) = ?", provider)
+      end
+    end
+  end
+end

data/app/controllers/llm_cost_tracker/tags_controller.rb

@@ -7,7 +7,21 @@ module LlmCostTracker
     end
 
     def show
-      @breakdown = Dashboard::TagBreakdown.call(scope: Dashboard::Filter.call(params: params), key: params[:key])
+      scope = Dashboard::Filter.call(params: params)
+      @value = params[:tag_value].to_s
+
+      if @value.empty?
+        @breakdown = Dashboard::TagBreakdown.call(scope: scope, key: params[:key])
+      else
+        @key = LlmCostTracker::Tags::Key.validate!(
+          params[:key],
+          error_class: LlmCostTracker::InvalidFilterError
+        )
+        value_scope = scope.by_tag(@key, @value)
+        @value_total_cost = value_scope.sum(:total_cost).to_f
+        @value_calls = value_scope.count
+        @value_points = Dashboard::TimeSeries.call(scope: value_scope)
+      end
     end
   end
 end

data/app/helpers/llm_cost_tracker/application_helper.rb

@@ -13,6 +13,7 @@ module LlmCostTracker
     include ChartHelper
     include PaginationHelper
     include TokenUsageHelper
+    include InlineStyleHelper
 
     def coverage_percent(numerator, denominator)
       denominator = denominator.to_f
@@ -104,6 +105,15 @@ module LlmCostTracker
       value.to_s
     end
 
+    def masked_metadata_hash(value)
+      return value if value.is_a?(Hash)
+      return {} if value.nil?
+
+      JSON.parse(value.to_s)
+    rescue JSON::ParserError, TypeError
+      {}
+    end
+
     def tag_chip_entries(tags, limit: 3)
       normalized = normalized_tags(tags)
       return [] if normalized.empty?

data/app/helpers/llm_cost_tracker/inline_style_helper.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module LlmCostTracker
+  module InlineStyleHelper
+    UNSAFE_CSS_CHARS = /[<>{}"]/
+
+    def inline_style(declarations)
+      registry = inline_style_registry
+      token = "lct-i-#{registry.length}"
+      registry << [token, declarations.to_s.gsub(UNSAFE_CSS_CHARS, "")]
+      token
+    end
+
+    def inline_style_block
+      registry = inline_style_registry
+      return "".html_safe if registry.empty?
+
+      rules = registry.map { |token, decl| %([data-lct-style="#{token}"]{#{decl}}) }.join("\n")
+      content_tag(:style, rules.html_safe, nonce: dashboard_csp_nonce)
+    end
+
+    private
+
+    def inline_style_registry
+      @inline_style_registry ||= []
+    end
+  end
+end

data/app/helpers/llm_cost_tracker/reconciliation_helper.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module LlmCostTracker
+  module ReconciliationHelper
+    def attribution_summary(attribution)
+      LlmCostTracker::Masking.format_attribution(attribution)
+    end
+
+    def mask_secret(value)
+      LlmCostTracker::Masking.mask_value(:provider_api_key_id, value)
+    end
+  end
+end