@cliftonc/finius 0.1.0

package/dist/client/favicon.svg

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- "Money with wings" emoji from OpenMoji (https://openmoji.org) — License: CC BY-SA 4.0 -->
+<svg width="72" height="72" viewBox="0 0 72 72" id="emoji" xmlns="http://www.w3.org/2000/svg">
+  <g id="color">
+    <rect x="29.1449" y="23.3542" width="18" height="28.5815" transform="matrix(0.7071 -0.7071 0.7071 0.7071 -15.4466 37.9985)" fill="#FFFFFF" stroke="none"/>
+    <path fill="#FFFFFF" stroke="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M13.9792,56.7778 c0.3645,0.3645,0.8533,0.5189,1.325,0.4674c0,0,8.9017,0.0515,13.9615-4.8025C29.33,52.387,29.39,52.327,29.45,52.2669 c1.8352-1.8352,1.8309-4.8068,0-6.6377c-1.831-1.831-4.8025-1.8352-6.6377,0l-8.8331,8.8331 C13.3403,55.1013,13.3403,56.1389,13.9792,56.7778z"/>
+    <path fill="#FFFFFF" stroke="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M22.1465,53.0191 c0.12,0.81-0.36,1.98-1.31,2.98c-0.29,0.3-0.59,0.56-0.9,0.76"/>
+    <path fill="#FFFFFF" stroke="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M17.9665,55.6591 c-0.08,0.58-0.36,1.11-0.8,1.49"/>
+    <ellipse cx="34.4281" cy="24.1507" rx="2.328" ry="2.328" transform="matrix(0.7071 -0.7071 0.7071 0.7071 -6.9934 31.4179)" fill="#5C9E31" stroke="none"/>
+    <ellipse cx="52.0767" cy="41.3611" rx="2.328" ry="2.328" transform="matrix(0.7071 -0.7071 0.7071 0.7071 -13.9938 48.9382)" fill="#5C9E31" stroke="none"/>
+    <ellipse cx="24.3188" cy="34.2599" rx="2.328" ry="2.328" transform="matrix(0.7071 -0.7071 0.7071 0.7071 -17.1026 27.2305)" fill="#5C9E31" stroke="none"/>
+    <ellipse cx="41.5796" cy="51.5206" rx="2.328" ry="2.328" transform="matrix(0.7071 -0.7071 0.7071 0.7071 -24.2522 44.4912)" fill="#5C9E31" stroke="none"/>
+    <rect x="42.8977" y="18.1717" width="1.67" height="27.3291" transform="matrix(-0.7071 0.7071 -0.7071 -0.7071 97.1681 23.4242)" fill="#5C9E31" stroke="none"/>
+    <rect x="31.153" y="29.4453" width="1.67" height="27.3291" transform="matrix(-0.7071 0.7071 -0.7071 -0.7071 85.0901 50.9742)" fill="#5C9E31" stroke="none"/>
+    <rect x="27.9561" y="19.0196" width="1.6895" height="18.295" transform="matrix(0.7071 0.7071 -0.7071 0.7071 28.3527 -12.1153)" fill="#5C9E31" stroke="none"/>
+    <rect x="46.7884" y="37.8519" width="1.6895" height="18.295" transform="matrix(0.7071 0.7071 -0.7071 0.7071 47.185 -19.9159)" fill="#5C9E31" stroke="none"/>
+    <ellipse cx="38.1014" cy="37.4676" rx="5.7418" ry="9.277" transform="matrix(0.7071 -0.7071 0.7071 0.7071 -15.334 37.9158)" fill="#5C9E31" stroke="none"/>
+    <path fill="#FFFFFF" stroke="none" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" stroke-width="2" d="M47.425,35.1923L35.6923,46.925c-0.0422,0.0422-0.0886,0.0725-0.1392,0.0987c-0.2062,0.1007-0.4716,0.0578-0.6501-0.1206 l-6.2227-6.2227c-0.1785-0.1785-0.2214-0.4439-0.1206-0.6501c0.0262-0.0505,0.0565-0.097,0.0987-0.1392L40.391,28.1583 c0.0422-0.0422,0.0887-0.0725,0.1392-0.0987c0.2062-0.1007,0.4716-0.0578,0.6501,0.1206l6.2227,6.2227 c0.1785,0.1785,0.2214,0.4439,0.1206,0.6501C47.4974,35.1036,47.4672,35.1501,47.425,35.1923z"/>
+    <path fill="#FFFFFF" stroke="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M57.1856,13.5714 c0.3645,0.3645,0.5189,0.8533,0.4674,1.325c0,0,0.0515,8.9017-4.8025,13.9615c-0.0557,0.0643-0.1158,0.1243-0.1758,0.1844 c-1.8352,1.8352-4.8068,1.8309-6.6377,0c-1.831-1.831-1.8352-4.8025,0-6.6377l8.8331-8.8331 C55.5091,12.9325,56.5467,12.9325,57.1856,13.5714z"/>
+    <path fill="#FFFFFF" stroke="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M53.4268,21.7387 c0.81,0.12,1.98-0.36,2.98-1.31c0.3-0.29,0.56-0.59,0.76-0.9"/>
+    <path fill="#FFFFFF" stroke="none" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M56.0668,17.5587 c0.58-0.08,1.11-0.36,1.49-0.8"/>
+  </g>
+  <g id="line">
+    <path fill="none" stroke="#000000" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M13.9792,56.7778 c0.3645,0.3645,0.8533,0.5189,1.325,0.4674c0,0,8.9017,0.0515,13.9615-4.8025C29.33,52.387,29.39,52.327,29.45,52.2669 c1.8352-1.8352,1.8309-4.8068,0-6.6377c-1.831-1.831-4.8025-1.8352-6.6377,0l-8.8331,8.8331 C13.3403,55.1013,13.3403,56.1389,13.9792,56.7778z"/>
+    <line x1="17.2365" x2="17.2265" y1="57.1391" y2="57.1291" fill="none" stroke="#000000" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/>
+    <path fill="none" stroke="#000000" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M22.1465,53.0191 c0.12,0.81-0.36,1.98-1.31,2.98c-0.29,0.3-0.59,0.56-0.9,0.76"/>
+    <path fill="none" stroke="#000000" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M17.9665,55.6591 c-0.08,0.58-0.36,1.11-0.8,1.49"/>
+    <path fill="none" stroke="#000000" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" stroke-width="2" d="M41.0551,53.3579L22.4424,34.7451c-0.3905-0.3905-0.3905-1.0237,0-1.4142l11.2424-11.2424c0.3905-0.3905,1.0237-0.3905,1.4142,0 l18.6127,18.6127c0.3905,0.3905,0.3905,1.0237,0,1.4142L42.4693,53.3579C42.0788,53.7484,41.4456,53.7484,41.0551,53.3579z"/>
+    <path fill="none" stroke="#000000" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" stroke-width="2" d="M47.425,35.1923L35.6923,46.925c-0.0422,0.0422-0.0886,0.0725-0.1392,0.0987c-0.2062,0.1007-0.4716,0.0578-0.6501-0.1206 l-6.2227-6.2227c-0.1785-0.1785-0.2214-0.4439-0.1206-0.6501c0.0262-0.0505,0.0565-0.097,0.0987-0.1392L40.391,28.1583 c0.0422-0.0422,0.0887-0.0725,0.1392-0.0987c0.2062-0.1007,0.4716-0.0578,0.6501,0.1206l6.2227,6.2227 c0.1785,0.1785,0.2214,0.4439,0.1206,0.6501C47.4974,35.1036,47.4672,35.1501,47.425,35.1923z"/>
+    <path fill="none" stroke="#000000" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M57.1856,13.5714 c0.3645,0.3645,0.5189,0.8533,0.4674,1.325c0,0,0.0515,8.9017-4.8025,13.9615c-0.0557,0.0643-0.1158,0.1243-0.1758,0.1844 c-1.8352,1.8352-4.8068,1.8309-6.6377,0c-1.831-1.831-1.8352-4.8025,0-6.6377l8.8331-8.8331 C55.5091,12.9325,56.5467,12.9325,57.1856,13.5714z"/>
+    <line x1="57.5468" x2="57.5368" y1="16.8287" y2="16.8187" fill="none" stroke="#000000" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2"/>
+    <path fill="none" stroke="#000000" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M53.4268,21.7387 c0.81,0.12,1.98-0.36,2.98-1.31c0.3-0.29,0.56-0.59,0.76-0.9"/>
+    <path fill="none" stroke="#000000" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M56.0668,17.5587 c0.58-0.08,1.11-0.36,1.49-0.8"/>
+  </g>
+</svg>

package/dist/client/index.html

@@ -0,0 +1,38 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+    <title>Finius</title>
+    <link rel="preconnect" href="https://fonts.googleapis.com" />
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
+    <link
+      href="https://fonts.googleapis.com/css2?family=Fraunces:opsz,wght@9..144,400;9..144,500;9..144,600;9..144,700&family=Inter:wght@400;500;600;700;800&display=swap"
+      rel="stylesheet"
+    />
+    <script>
+      // Apply the persisted (or system) theme before paint to avoid a flash of the wrong palette.
+      // Keep in sync with src/client/theme.tsx (storage key + resolution order).
+      (function () {
+        try {
+          var stored = localStorage.getItem("finius-theme");
+          var theme =
+            stored === "light" || stored === "dark"
+              ? stored
+              : window.matchMedia("(prefers-color-scheme: dark)").matches
+                ? "dark"
+                : "light";
+          var root = document.documentElement;
+          root.classList.add(theme);
+          root.style.colorScheme = theme;
+        } catch (e) {}
+      })();
+    </script>
+    <script type="module" crossorigin src="/assets/index-CVYmd4Bm.js"></script>
+    <link rel="stylesheet" crossorigin href="/assets/index-Bijt5al-.css">
+  </head>
+  <body>
+    <div id="root"></div>
+  </body>
+</html>

package/dist/server/app.js

@@ -0,0 +1,285 @@
+import { createHash, randomBytes, timingSafeEqual } from "node:crypto";
+import { appendFileSync, existsSync, readFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { resolve } from "node:path";
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+import { streamSSE } from "hono/streaming";
+const GRANULARITIES = ["minute", "five_minute", "quarter_hour", "hour", "day", "week"];
+export function createApp({ storage, events, cronToken, rawRetentionDays = 7, authSecret }) {
+    const app = new Hono();
+    const secure = !!authSecret;
+    // JSONL uploads are processed on a background queue; publish the SSE 'ingest' event when each
+    // queued job actually completes (not when it was accepted).
+    storage.setProcessingListener((signal, result) => events.publish("ingest", { signal, ...result }));
+    app.use("*", cors());
+    // Single pluggable auth gate. In open mode it's a no-op; in Secure Mode it admits only
+    // minted+non-revoked session tokens. The master password is a bootstrap secret for /api/auth/login
+    // and is never accepted as a runtime API credential.
+    const isValidCredential = (cred) => {
+        if (!cred)
+            return false;
+        const row = storage.findAuthToken(sha256(cred));
+        return !!row && row.revoked === 0;
+    };
+    app.use("*", async (c, next) => {
+        if (!secure)
+            return next();
+        if (!isProtectedPath(c.req.path))
+            return next();
+        const cred = bearerToken(c.req.header("authorization")) || eventSourceToken(c) || "";
+        if (isValidCredential(cred))
+            return next();
+        return c.json({ error: "unauthorized" }, 401);
+    });
+    // Public so setup/doctor can probe Secure Mode without a credential, and so the dashboard knows
+    // whether to show the login screen.
+    app.get("/api/health", (c) => c.json({ ok: true, now: Date.now(), secure }));
+    // Exchange the master password for a client session token. Public (it's the bootstrap),
+    // constant-time. The minted token is stored hashed in auth_tokens; browsers persist the returned
+    // token in localStorage and send it as Authorization: Bearer on API requests.
+    app.post("/api/auth/login", async (c) => {
+        if (!secure)
+            return c.json({ error: "auth is not enabled on this server" }, 400);
+        const body = (await c.req.json().catch(() => ({})));
+        if (!timingSafeEqualStr(body.password ?? "", authSecret ?? "")) {
+            return c.json({ error: "invalid password" }, 401);
+        }
+        const token = randomBytes(32).toString("hex");
+        const label = typeof body.label === "string" && body.label.trim() ? body.label.trim().slice(0, 200) : "client";
+        storage.createAuthToken(sha256(token), label, Date.now());
+        return c.json({ token });
+    });
+    // Cron-driven cleanup of old raw_batches. Secured by a bearer token; fails closed when no token
+    // is configured. Wire a cron to: curl -X POST -H "Authorization: Bearer $FINIUS_CRON_TOKEN" …
+    app.post("/api/maintenance/prune-raw-batches", async (c) => {
+        if (!cronToken)
+            return c.json({ error: "maintenance endpoints are disabled (set FINIUS_CRON_TOKEN)" }, 503);
+        if (!timingSafeEqualStr(bearerToken(c.req.header("authorization")), cronToken)) {
+            return c.json({ error: "unauthorized" }, 401);
+        }
+        const days = Number(c.req.query("olderThanDays") ?? rawRetentionDays);
+        const olderThanDays = Number.isFinite(days) && days >= 0 ? days : rawRetentionDays;
+        const cutoff = Date.now() - olderThanDays * 86_400_000;
+        const result = await storage.pruneRawBatches(cutoff);
+        return c.json({ ...result, olderThanDays, cutoff });
+    });
+    app.post("/otlp/v1/metrics", async (c) => {
+        const body = await readOtlpBody(c, "metrics");
+        if (body === null)
+            return c.json({ error: "expected an OTLP/JSON body" }, 415);
+        const result = await storage.ingestOtelMetrics(body);
+        if (!result.duplicate)
+            events.publish("ingest", { signal: "metrics", ...result });
+        return c.json(result);
+    });
+    app.post("/otlp/v1/logs", async (c) => {
+        const body = await readOtlpBody(c, "logs");
+        if (body === null)
+            return c.json({ error: "expected an OTLP/JSON body" }, 415);
+        const result = await storage.ingestOtelLogs(body);
+        if (!result.duplicate)
+            events.publish("ingest", { signal: "logs", ...result });
+        return c.json(result);
+    });
+    // Cron-driven recompute of synthesized cost (e.g. after a pricing update). Same bearer guard /
+    // fail-closed semantics as prune-raw-batches.
+    app.post("/api/maintenance/recompute-cost", async (c) => {
+        if (!cronToken)
+            return c.json({ error: "maintenance endpoints are disabled (set FINIUS_CRON_TOKEN)" }, 503);
+        if (!timingSafeEqualStr(bearerToken(c.req.header("authorization")), cronToken)) {
+            return c.json({ error: "unauthorized" }, 401);
+        }
+        return c.json(await storage.recomputeComputedCost());
+    });
+    // Inspection surface for captured OTLP log records (Codex telemetry is logs-only): one entry per
+    // distinct event name with a count + a sample, so we can see the real shape before parsing it.
+    app.get("/api/logs/events", async (c) => c.json(await storage.getLogEventSummary()));
+    // The model pricing currently loaded (for debugging cost computation).
+    app.get("/api/pricing", async (c) => c.json(await storage.getPricing()));
+    app.get("/api/metrics/summary", async (c) => c.json(await storage.getSummary(readFilters(c.req.query()))));
+    app.get("/api/metrics/timeseries", async (c) => {
+        const query = c.req.query();
+        return c.json(await storage.getTimeseries({ ...readFilters(query), granularity: readGranularity(query.granularity) }));
+    });
+    app.get("/api/metrics/timeseries/by-model", async (c) => {
+        const query = c.req.query();
+        return c.json(await storage.getModelTimeseries({ ...readFilters(query), granularity: readGranularity(query.granularity) }));
+    });
+    app.get("/api/sessions", async (c) => c.json(await storage.listSessions(readFilters(c.req.query()))));
+    app.get("/api/people", async (c) => c.json(await storage.listPeople(readFilters(c.req.query()))));
+    app.get("/api/models", async (c) => c.json(await storage.listModels(readFilters(c.req.query()))));
+    app.get("/api/meta", async (c) => c.json(await storage.getFilterOptions()));
+    app.get("/api/sessions/:id", async (c) => {
+        const session = await storage.getSession(Number(c.req.param("id")));
+        return session ? c.json(session) : c.json({ error: "Session not found" }, 404);
+    });
+    app.get("/api/sessions/:id/transcript/info", async (c) => {
+        const info = await storage.getSessionTranscriptInfo(Number(c.req.param("id")));
+        return info ? c.json(info) : c.json({ error: "No transcript stored for this session" }, 404);
+    });
+    app.get("/api/sessions/:id/transcript", async (c) => {
+        const transcript = await storage.getSessionTranscript(Number(c.req.param("id")));
+        if (!transcript)
+            return c.json({ error: "No transcript stored for this session" }, 404);
+        return c.body(transcript.content, 200, { "content-type": "application/x-ndjson; charset=utf-8" });
+    });
+    app.post("/api/import/jsonl", async (c) => {
+        const contentType = c.req.header("content-type") ?? "";
+        let content = "";
+        let source = "manual-jsonl";
+        let sessionId;
+        let format;
+        let identity = {};
+        if (contentType.includes("application/json")) {
+            const body = (await c.req.json());
+            content = body.content ?? "";
+            source = body.source ?? source;
+            sessionId = body.sessionId;
+            format = body.format;
+            identity = identityHint(body);
+        }
+        else {
+            content = await c.req.text();
+        }
+        // Persist + queue; the blob is stored immediately and processing happens on the background queue.
+        const result = await storage.enqueueImport(source, { sessionId, ...identity }, content, format);
+        return c.json(result);
+    });
+    app.post("/api/import/claude-hook", async (c) => {
+        const body = (await c.req.json());
+        const sessionHint = { sessionId: body.session_id ?? body.sessionId ?? undefined, ...identityHint(body) };
+        // Preferred path: the client (e.g. the `finius` CLI hook) sends the transcript inline, so the
+        // server never needs to share a filesystem with Claude Code. Works for remote servers too.
+        let content = typeof body.transcript === "string" ? body.transcript : undefined;
+        // Fallback: read a local transcript file. Only safe when the server runs on the same machine as
+        // Claude Code, so it is restricted to known Claude/project directories.
+        if (content === undefined) {
+            const transcriptPath = body.transcript_path;
+            if (!transcriptPath)
+                return c.json({ error: "transcript or transcript_path is required" }, 400);
+            const resolvedPath = resolve(transcriptPath.replace(/^~(?=$|\/)/, homedir()));
+            if (!isAllowedTranscriptPath(resolvedPath, body.cwd)) {
+                return c.json({ error: "transcript_path is outside allowed local Claude/project directories" }, 403);
+            }
+            if (!existsSync(resolvedPath))
+                return c.json({ error: "transcript_path does not exist" }, 404);
+            content = readFileSync(resolvedPath, "utf8");
+        }
+        const result = await storage.enqueueImport("claude-code-jsonl", sessionHint, content);
+        return c.json(result);
+    });
+    app.get("/events", (c) => streamSSE(c, async (stream) => {
+        let id = 0;
+        const unsubscribe = events.subscribe((event, data) => {
+            void stream.writeSSE({ id: String(++id), event, data: JSON.stringify(data) });
+        });
+        await stream.writeSSE({ id: String(++id), event: "ready", data: JSON.stringify({ ok: true }) });
+        const keepAlive = setInterval(() => {
+            void stream.writeSSE({ event: "ping", data: JSON.stringify({ now: Date.now() }) });
+        }, 25_000);
+        await new Promise((resolve) => {
+            stream.onAbort(() => {
+                clearInterval(keepAlive);
+                unsubscribe();
+                resolve();
+            });
+        });
+    }));
+    return app;
+}
+function readFilters(query) {
+    return {
+        from: parseTime(query.from),
+        to: parseTime(query.to),
+        user: query.user,
+        model: query.model,
+        source: query.source,
+        session: parseId(query.session)
+    };
+}
+function parseId(value) {
+    if (!value)
+        return undefined;
+    const numeric = Number(value);
+    return Number.isInteger(numeric) ? numeric : undefined;
+}
+function identityHint(body) {
+    return {
+        userEmail: body.user_email ?? body.userEmail ?? undefined,
+        userAccountId: body.user_account_id ?? body.userAccountId ?? undefined,
+        userId: body.user_id ?? body.userId ?? undefined,
+        githubLogin: body.github_login ?? body.githubLogin ?? undefined,
+        displayName: body.display_name ?? body.displayName ?? undefined
+    };
+}
+function readGranularity(value) {
+    return GRANULARITIES.includes(value) ? value : "hour";
+}
+function bearerToken(header) {
+    const match = /^Bearer\s+(.+)$/i.exec(header ?? "");
+    return match ? match[1].trim() : "";
+}
+function eventSourceToken(c) {
+    return c.req.path === "/events" ? (c.req.query("token") ?? "") : "";
+}
+// Reads an OTLP request body as text (so a debug dump can capture the exact bytes the agent sent —
+// even non-JSON), optionally captures it, then parses JSON. Returns null when the body isn't valid
+// OTLP/JSON (e.g. an agent that sends protobuf). Set FINIUS_DEBUG_OTEL to a file path to append every
+// batch as `{kind, at, contentType, raw}` NDJSON — used to discover what a new agent (e.g. Codex)
+// actually emits before writing a parser for it.
+async function readOtlpBody(c, kind) {
+    const raw = await c.req.text();
+    const debugPath = process.env.FINIUS_DEBUG_OTEL;
+    if (debugPath) {
+        const line = JSON.stringify({ kind, at: Date.now(), contentType: c.req.header("content-type") ?? null, raw });
+        try {
+            appendFileSync(debugPath, `${line}\n`);
+            console.log(`[finius] OTLP ${kind} batch captured -> ${debugPath} (${raw.length} bytes)`);
+        }
+        catch (err) {
+            console.error(`[finius] OTLP debug capture failed: ${err.message}`);
+        }
+    }
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+function sha256(value) {
+    return createHash("sha256").update(value).digest("hex");
+}
+// Which paths the Secure Mode gate guards. Data + ingest + the live stream require a credential;
+// everything else (static client assets, index.html, /api/health, /api/auth/login) is public so the
+// login page can load and clients can bootstrap. /api/auth/login is under /api/ but allow-listed.
+function isProtectedPath(path) {
+    if (path === "/api/health" || path === "/api/auth/login")
+        return false;
+    return path.startsWith("/api/") || path.startsWith("/otlp/") || path === "/events";
+}
+// Constant-time string compare that doesn't leak length via early return.
+function timingSafeEqualStr(a, b) {
+    const bufA = Buffer.from(a);
+    const bufB = Buffer.from(b);
+    if (bufA.length !== bufB.length)
+        return false;
+    return timingSafeEqual(bufA, bufB);
+}
+function parseTime(value) {
+    if (!value)
+        return undefined;
+    const numeric = Number(value);
+    if (Number.isFinite(numeric))
+        return numeric;
+    const parsed = Date.parse(value);
+    return Number.isFinite(parsed) ? parsed : undefined;
+}
+function isAllowedTranscriptPath(path, cwd) {
+    const home = homedir();
+    const allowedRoots = [resolve(home, ".claude", "projects")];
+    if (cwd)
+        allowedRoots.push(resolve(cwd));
+    return allowedRoots.some((root) => path === root || path.startsWith(`${root}/`));
+}

package/dist/server/claude.js

@@ -0,0 +1,124 @@
+// Parser for Claude Code transcripts (`~/.claude/projects/**/<session>.jsonl`). Pure / side-effect-free
+// so it stays unit-testable; the Codex equivalent is codex.ts and both are dispatched from transcripts.ts.
+export function parseClaudeTranscript(source, sessionHint, lines) {
+    const result = { importedLines: 0, malformedLines: 0, metricPoints: 0, rawEvents: 0 };
+    const points = [];
+    const rawEvents = [];
+    // Claude Code writes one API response across several transcript lines (one per content
+    // block — text, tool_use, thinking) and stamps the SAME `usage` object on each. Summing
+    // every usage-bearing line double-counts tokens ~2-3.6x. Dedupe by the request identity so
+    // each API request contributes its tokens exactly once.
+    const seenRequests = new Set();
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        let event;
+        try {
+            event = JSON.parse(trimmed);
+        }
+        catch {
+            result.malformedLines += 1;
+            continue;
+        }
+        result.importedLines += 1;
+        result.rawEvents += 1;
+        rawEvents.push(event);
+        const extracted = extractUsage(source, sessionHint, event, seenRequests);
+        points.push(...extracted);
+        result.metricPoints += extracted.length;
+    }
+    return { result, points, rawEvents };
+}
+function extractUsage(source, sessionHint, event, seenRequests) {
+    const obj = event;
+    const usage = findUsageObject(obj);
+    if (!usage)
+        return [];
+    // One token/cost record per API request. `requestId` (or the API `message.id`) is repeated
+    // across the split lines of a single response; the first occurrence wins, the rest are skipped.
+    // No stable id → fall back to never-deduping rather than risk merging distinct requests.
+    const message = obj.message;
+    const requestKey = stringValue(obj.requestId) ?? stringValue(message?.id);
+    if (requestKey !== undefined) {
+        if (seenRequests.has(requestKey))
+            return [];
+        seenRequests.add(requestKey);
+    }
+    const timestamp = parseTimestamp(obj.timestamp) ?? parseTimestamp(obj.created_at) ?? Date.now();
+    const sessionId = String(obj.session_id ?? obj.sessionId ?? sessionHint.sessionId ?? "unknown-session");
+    const model = stringValue(obj.model) ?? stringValue(obj.message?.model) ?? sessionHint.model ?? null;
+    const base = {
+        source,
+        signal: "jsonl",
+        sessionId,
+        userId: sessionHint.userId ?? null,
+        userEmail: sessionHint.userEmail ?? null,
+        userAccountId: sessionHint.userAccountId ?? null,
+        githubLogin: sessionHint.githubLogin ?? null,
+        displayName: sessionHint.displayName ?? null,
+        model,
+        timestamp,
+        attributes: obj
+    };
+    const points = [];
+    const tokenMap = [
+        ["input_tokens", "input"],
+        ["output_tokens", "output"],
+        ["cache_creation_input_tokens", "cache_creation"],
+        ["cache_read_input_tokens", "cache_read"]
+    ];
+    for (const [field, tokenType] of tokenMap) {
+        const value = numberValue(usage[field]);
+        if (value === undefined)
+            continue;
+        points.push({
+            ...base,
+            metricName: "claude_code.token.usage",
+            kind: "tokens",
+            tokenType,
+            value,
+            unit: "tokens"
+        });
+    }
+    const cost = numberValue(obj.cost_usd) ?? numberValue(obj.total_cost_usd) ?? numberValue(usage.cost_usd);
+    if (cost !== undefined) {
+        points.push({
+            ...base,
+            metricName: "claude_code.cost.usage",
+            kind: "cost",
+            tokenType: null,
+            value: cost,
+            unit: "USD"
+        });
+    }
+    return points;
+}
+function findUsageObject(value) {
+    if (!value || typeof value !== "object")
+        return null;
+    const obj = value;
+    if (obj.usage && typeof obj.usage === "object")
+        return obj.usage;
+    if (obj.message && typeof obj.message === "object") {
+        const nested = findUsageObject(obj.message);
+        if (nested)
+            return nested;
+    }
+    return null;
+}
+function numberValue(value) {
+    const numeric = Number(value);
+    return Number.isFinite(numeric) ? numeric : undefined;
+}
+function stringValue(value) {
+    return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+function parseTimestamp(value) {
+    if (typeof value === "number" && Number.isFinite(value))
+        return value;
+    if (typeof value !== "string")
+        return undefined;
+    const parsed = Date.parse(value);
+    return Number.isFinite(parsed) ? parsed : undefined;
+}

package/dist/server/codex.js

@@ -0,0 +1,94 @@
+export function parseCodexTranscript(source, sessionHint, lines) {
+    const result = { importedLines: 0, malformedLines: 0, metricPoints: 0, rawEvents: 0 };
+    const points = [];
+    const rawEvents = [];
+    let sessionId = sessionHint.sessionId ?? undefined;
+    let model = sessionHint.model ?? null;
+    const prev = { input: 0, output: 0, cached: 0 };
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        let event;
+        try {
+            event = JSON.parse(trimmed);
+        }
+        catch {
+            result.malformedLines += 1;
+            continue;
+        }
+        result.importedLines += 1;
+        result.rawEvents += 1;
+        rawEvents.push(event);
+        const obj = event;
+        const type = stringValue(obj.type);
+        const payload = obj.payload;
+        if (!payload)
+            continue;
+        if (type === "session_meta") {
+            sessionId = stringValue(payload.id) ?? sessionId;
+            continue;
+        }
+        if (type === "turn_context") {
+            model = stringValue(payload.model) ?? model;
+            continue;
+        }
+        if (type !== "event_msg" || stringValue(payload.type) !== "token_count")
+            continue;
+        const info = payload.info;
+        const total = info?.total_token_usage;
+        if (!total)
+            continue;
+        const curInput = numberValue(total.input_tokens) ?? 0;
+        const curOutput = numberValue(total.output_tokens) ?? 0;
+        const curCached = numberValue(total.cached_input_tokens) ?? 0;
+        // Cumulative -> delta. Clamp at 0 to guard the (unobserved) case of a non-monotonic reset.
+        const dInput = Math.max(0, curInput - prev.input);
+        const dOutput = Math.max(0, curOutput - prev.output);
+        const dCached = Math.max(0, curCached - prev.cached);
+        prev.input = curInput;
+        prev.output = curOutput;
+        prev.cached = curCached;
+        const timestamp = parseTimestamp(obj.timestamp) ?? Date.now();
+        const sid = String(sessionId ?? "unknown-session");
+        const base = {
+            source,
+            signal: "jsonl",
+            sessionId: sid,
+            userId: sessionHint.userId ?? null,
+            userEmail: sessionHint.userEmail ?? null,
+            userAccountId: sessionHint.userAccountId ?? null,
+            githubLogin: sessionHint.githubLogin ?? null,
+            displayName: sessionHint.displayName ?? null,
+            model,
+            timestamp,
+            attributes: info ?? obj
+        };
+        const emit = (tokenType, value) => {
+            if (value <= 0)
+                return;
+            points.push({ ...base, metricName: "codex.token.usage", kind: "tokens", tokenType, value, unit: "tokens" });
+            result.metricPoints += 1;
+        };
+        emit("input", Math.max(0, dInput - dCached)); // fresh (non-cached) input
+        emit("cache_read", dCached);
+        emit("output", dOutput); // includes reasoning tokens
+        void model;
+    }
+    return { result, points, rawEvents };
+}
+function numberValue(value) {
+    const numeric = Number(value);
+    return Number.isFinite(numeric) ? numeric : undefined;
+}
+function stringValue(value) {
+    return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+function parseTimestamp(value) {
+    if (typeof value === "number" && Number.isFinite(value))
+        return value;
+    if (typeof value !== "string")
+        return undefined;
+    const parsed = Date.parse(value);
+    return Number.isFinite(parsed) ? parsed : undefined;
+}

package/dist/server/events.js

@@ -0,0 +1,12 @@
+export class EventBus {
+    listeners = new Set();
+    subscribe(listener) {
+        this.listeners.add(listener);
+        return () => this.listeners.delete(listener);
+    }
+    publish(event, data) {
+        for (const listener of this.listeners) {
+            listener(event, data);
+        }
+    }
+}