@kontourai/flow-agents 2.0.1 → 2.1.1

package/scripts/hooks/stop-goal-fit.js

@@ -29,6 +29,16 @@ const path = require('path');
 const { spawnSync } = require('child_process');
 const crypto = require('crypto');
 
+// Hash-chain primitives + the exit-code-laundering heuristic come from ONE shared
+// module, so this verifier can never drift from the writer (evidence-capture.js).
+// CHAIN_GENESIS is re-aliased to CHAIN_GENESIS_VERIFY to preserve the long-standing
+// export name consumed by repair-command-log.js and the fork-classification eval.
+const {
+  CHAIN_GENESIS: CHAIN_GENESIS_VERIFY,
+  canonicalJsonForChain,
+  hasLaunderingOperator,
+} = require('../lib/command-log-chain.js');
+
 const MAX_STDIN = 1024 * 1024;
 const ACTIVE_STATUSES = new Set([
   'planning',
@@ -733,36 +743,10 @@ function claimAcknowledgesFailure(status, value) {
     || v === 'fail' || v === 'failed' || v === 'not_verified' || v === 'failing';
 }
 
-/**
- * Returns true when a command string contains an exit-code-neutralizing operator.
- * A claimed-pass check whose captured command uses one of these cannot be accepted as a
- * deterministic pass — the real sub-command may have failed silently.
- *
- * R6 extended logic (identical patterns used by scripts/ci/trust-reconcile.js — centralize
- * as a follow-up if drift becomes a maintenance concern):
- *   - ANY || operator is flagged. A legitimate verification command never needs || — its
- *     only purpose in a verification command is to mask the real exit code (e.g.
- *     `npm test || exit 0`, `npm test || echo ok`, `npm test || /bin/true`, `npm test || (exit 0)`).
- *   - | true  (single pipe into true — always exits 0)
- *   - Trailing ; or newline followed by: true  :  exit 0  /bin/true
- *
- * Fix D: applied in captureCrossReference's satisfied path and capturedFailReconciliation.
- */
-function hasLaunderingOperator(cmd) {
-  // ANY || in a claimed verification command is an exit-code mask.
-  // Legitimate verification commands never need || — its only purpose there is to
-  // suppress the real exit code (|| exit 0, || echo ok, || /bin/true, || (exit 0), etc.).
-  if (/\|\|/.test(cmd)) return true;
-  // | true  — single-pipe into true: `cmd | true` always exits 0 regardless of left-side exit code.
-  if (/\|\s*true\b/.test(cmd)) return true;
-  // Trailing ; or \n followed by exit-neutralizing commands (same threat, appended after the real cmd):
-  //   ; true    ; :    ; exit 0    ; /bin/true    (and \n variants)
-  if (/[;\n]\s*true\b/.test(cmd)) return true;
-  if (/[;\n]\s*:\s*(?:$|\s|;)/.test(cmd)) return true;
-  if (/[;\n]\s*exit\s+0\b/.test(cmd)) return true;
-  if (/[;\n]\s*\/bin\/true\b/.test(cmd)) return true;
-  return false;
-}
+// hasLaunderingOperator (the exit-code-mask heuristic) is imported from
+// ../lib/command-log-chain.js so this verifier and scripts/ci/trust-reconcile.js
+// share one normative definition. Applied in captureCrossReference's satisfied
+// path and capturedFailReconciliation.
 
 // ─── Hash-chain integrity verification (Increment B2, tamper-EVIDENCE) ────────
 //
@@ -786,20 +770,9 @@ function hasLaunderingOperator(cmd) {
 // The genesis prevHash is a fixed arbitrary sentinel — NOT the SHA256 of any
 // specific input string. The comment in evidence-capture.js previously (and
 // incorrectly) claimed it was sha256("flow-agents:command-log:genesis"); it is not.
-// Writer (evidence-capture.js CHAIN_GENESIS) and verifier (CHAIN_GENESIS_VERIFY here)
-// MUST use the same value. Do not change one without changing the other.
-const CHAIN_GENESIS_VERIFY = 'a3f9e2b7d5c84f1e6a0d2c3b9f7e1a4d8c6b5f2e9a0d3c7b1f4e8a2d6c0b9f3';
-
-/**
- * Canonical JSON for chain verification: record WITHOUT `_chain`, keys sorted.
- * Must be byte-identical to canonicalJsonForChain() in evidence-capture.js.
- */
-function canonicalJsonForVerify(record) {
-  const keys = Object.keys(record).filter(k => k !== '_chain').sort();
-  const obj = {};
-  for (const k of keys) obj[k] = record[k];
-  return JSON.stringify(obj);
-}
+// Both the genesis (CHAIN_GENESIS_VERIFY, imported above) and the canonical-JSON
+// helper (canonicalJsonForChain) come from ../lib/command-log-chain.js, the single
+// source the writer in evidence-capture.js imports too — so they cannot diverge.
 
 /**
  * Verify the hash chain of command-log.jsonl.
@@ -870,7 +843,7 @@ function verifyCommandLogChain(artifactDir) {
     // (a) Self-consistency. A content edit without rehashing fails here.
     if (typeof chain.prevHash !== 'string') return { status: 'broken', brokenAt: i, forkAt: null };
     const selfHash = crypto.createHash('sha256')
-      .update(chain.prevHash + canonicalJsonForVerify(entry), 'utf8')
+      .update(chain.prevHash + canonicalJsonForChain(entry), 'utf8')
       .digest('hex');
     if (chain.hash !== selfHash) return { status: 'broken', brokenAt: i, forkAt: null };
 

package/scripts/lib/command-log-chain.js

@@ -0,0 +1,73 @@
+'use strict';
+//
+// Single normative source for the command-log hash-chain primitives and the
+// exit-code-laundering heuristic.
+//
+// These were previously copy-pasted across the writer (hooks/evidence-capture.js),
+// the verifier (hooks/stop-goal-fit.js), the repair tool (repair-command-log.js),
+// and CI reconcile (ci/trust-reconcile.js) under "keep byte-identical" comments —
+// the most security-sensitive path in the bundle, since the chain's integrity
+// claim rests on writer and verifier canonicalizing identically. The copies had
+// ALREADY drifted (ci/trust-reconcile's hasLaunderingOperator was missing the
+// trailing `/bin/true` check), which is exactly the failure mode duplication
+// invites. Importing from one module makes that divergence structurally impossible.
+//
+const crypto = require('crypto');
+
+// The genesis prevHash is a FIXED ARBITRARY SENTINEL — NOT the SHA256 of any
+// specific input string. (An earlier comment incorrectly claimed it was
+// sha256("flow-agents:command-log:genesis"); that is wrong.) Writer and verifier
+// MUST share this exact value — existing chained logs depend on it.
+//
+// HONEST FRAMING: this makes alteration DETECTABLE, not impossible. An agent that
+// rewrites all hashes can still forge the chain. The real tamper-proof boundary is
+// the signed checkpoint (B1). We do not oversell this boundary.
+const CHAIN_GENESIS = 'a3f9e2b7d5c84f1e6a0d2c3b9f7e1a4d8c6b5f2e9a0d3c7b1f4e8a2d6c0b9f3';
+
+/**
+ * Stable canonical JSON for a chain link: the record WITHOUT its `_chain` field,
+ * keys sorted alphabetically. This makes the hash independent of key insertion
+ * order and keeps `_chain` from contributing to its own hash.
+ */
+function canonicalJsonForChain(record) {
+  const keys = Object.keys(record).filter((k) => k !== '_chain').sort();
+  const obj = {};
+  for (const k of keys) obj[k] = record[k];
+  return JSON.stringify(obj);
+}
+
+/** Chain link hash: sha256(prevHash + canonicalJsonForChain(record)), hex. */
+function computeChainHash(prevHash, record) {
+  return crypto
+    .createHash('sha256')
+    .update(prevHash + canonicalJsonForChain(record), 'utf8')
+    .digest('hex');
+}
+
+/**
+ * True when a claimed verification command contains an exit-code-laundering
+ * operator. Legitimate verification commands never need these — their only
+ * purpose is to suppress a real non-zero exit:
+ *   - ANY `||`             (e.g. `npm test || exit 0`, `|| echo ok`, `|| /bin/true`)
+ *   - `| true`             (pipe into true — the pipeline absorbs the exit code)
+ *   - trailing `; true` / `; :` / `; exit 0` / `; /bin/true` (and `\n` variants)
+ */
+function hasLaunderingOperator(cmd) {
+  // ANY || in a claimed verification command is an exit-code mask.
+  if (/\|\|/.test(cmd)) return true;
+  // | true — single-pipe into true always exits 0 regardless of the left side.
+  if (/\|\s*true\b/.test(cmd)) return true;
+  // Trailing ; or \n followed by an exit-neutralizing command:
+  if (/[;\n]\s*true\b/.test(cmd)) return true;
+  if (/[;\n]\s*:\s*(?:$|\s|;)/.test(cmd)) return true;
+  if (/[;\n]\s*exit\s+0\b/.test(cmd)) return true;
+  if (/[;\n]\s*\/bin\/true\b/.test(cmd)) return true;
+  return false;
+}
+
+module.exports = {
+  CHAIN_GENESIS,
+  canonicalJsonForChain,
+  computeChainHash,
+  hasLaunderingOperator,
+};

package/scripts/repair-command-log.js

@@ -26,17 +26,10 @@ const path = require('path');
 const crypto = require('crypto');
 
 const gate = require(path.join(__dirname, 'hooks', 'stop-goal-fit.js'));
-const GENESIS = gate.CHAIN_GENESIS_VERIFY;
-
-function canon(rec) {
-  const keys = Object.keys(rec).filter((k) => k !== '_chain').sort();
-  const obj = {};
-  for (const k of keys) obj[k] = rec[k];
-  return JSON.stringify(obj);
-}
-function hashLink(prev, rec) {
-  return crypto.createHash('sha256').update(prev + canon(rec), 'utf8').digest('hex');
-}
+// Genesis + canonicalization/hash come from the single shared module, so a repaired
+// chain is re-linked byte-identically to how the writer/verifier compute it.
+const { CHAIN_GENESIS, canonicalJsonForChain, computeChainHash } = require('./lib/command-log-chain.js');
+const GENESIS = CHAIN_GENESIS;
 
 function main() {
   const dir = process.argv[2];
@@ -77,8 +70,8 @@ function main() {
   records.sort((a, b) => {
     const ta = String(a.capturedAt || ''), tb = String(b.capturedAt || '');
     if (ta !== tb) return ta < tb ? -1 : 1;
-    const ha = crypto.createHash('sha256').update(canon(a)).digest('hex');
-    const hb = crypto.createHash('sha256').update(canon(b)).digest('hex');
+    const ha = crypto.createHash('sha256').update(canonicalJsonForChain(a)).digest('hex');
+    const hb = crypto.createHash('sha256').update(canonicalJsonForChain(b)).digest('hex');
     return ha < hb ? -1 : ha > hb ? 1 : 0;
   });
 
@@ -87,7 +80,7 @@ function main() {
   let prev = GENESIS;
   let seq = 0;
   for (const rec of records) {
-    const h = hashLink(prev, rec);
+    const h = computeChainHash(prev, rec);
     out.push(JSON.stringify({ ...rec, _chain: { seq, prevHash: prev, hash: h } }));
     prev = h; seq += 1;
   }
@@ -100,7 +93,7 @@ function main() {
     source: 'chain-repair',
     repair: { reason, entries: records.length, forkAt: verdict.forkAt },
   };
-  const mh = hashLink(prev, marker);
+  const mh = computeChainHash(prev, marker);
   out.push(JSON.stringify({ ...marker, _chain: { seq, prevHash: prev, hash: mh } }));
 
   fs.copyFileSync(file, file + '.prebackup-repair');

package/scripts/telemetry/lib/config.sh

@@ -38,6 +38,11 @@ CONSOLE_TELEMETRY_URL="${CONSOLE_TELEMETRY_URL:-${CONSOLE_URL:-}}"
 CONSOLE_TELEMETRY_ENDPOINT_URL="${CONSOLE_TELEMETRY_ENDPOINT_URL:-}"
 CONSOLE_TELEMETRY_TOKEN="${CONSOLE_TELEMETRY_TOKEN:-${CONSOLE_AUTH_TOKEN:-}}"
 CONSOLE_TENANT_ID="${CONSOLE_TENANT_ID:-}"
+# Pricing registry source (consumed by lib/pricing.sh). Explicit file/URL win;
+# otherwise the URL is derived from the console below so all runtimes read one
+# live pricing source. Falls back to the bundled pricing.json offline.
+TELEMETRY_PRICING_FILE="${TELEMETRY_PRICING_FILE:-${FLOW_AGENTS_PRICING_FILE:-}}"
+TELEMETRY_PRICING_URL="${TELEMETRY_PRICING_URL:-${FLOW_AGENTS_PRICING_URL:-}}"
 
 # Load config file if it exists
 if [[ -f "$TELEMETRY_CONFIG_FILE" ]]; then
@@ -78,6 +83,9 @@ if [[ -f "$TELEMETRY_CONFIG_FILE" ]]; then
         console_telemetry_token) CONSOLE_TELEMETRY_TOKEN="$value" ;;
         console_tenant_id) CONSOLE_TENANT_ID="$value" ;;
         console_telemetry_redact) CONSOLE_TELEMETRY_REDACT="$value" ;;
+        console_pricing_url) TELEMETRY_PRICING_URL="$value" ;;
+        pricing_url) TELEMETRY_PRICING_URL="$value" ;;
+        pricing_file) TELEMETRY_PRICING_FILE="$value" ;;
       esac
     fi
   done < "$TELEMETRY_CONFIG_FILE"
@@ -85,5 +93,12 @@ fi
 
 CONSOLE_TELEMETRY_REDACT="${CONSOLE_TELEMETRY_REDACT:-${TELEMETRY_CHANNEL_ANALYTICS_REDACT}}"
 
+# Derive the live pricing source from the console when not set explicitly, the
+# same way the transport derives /api/telemetry/records. One live source for
+# bash/Python/TS runtimes; lib/pricing.sh caches it and falls back to bundled.
+if [[ -z "${TELEMETRY_PRICING_URL:-}" && -n "${CONSOLE_TELEMETRY_URL:-}" ]]; then
+  TELEMETRY_PRICING_URL="${CONSOLE_TELEMETRY_URL%/}/api/telemetry/pricing"
+fi
+
 # Ensure directories exist
 mkdir -p "$TELEMETRY_DATA_DIR" "$TELEMETRY_SESSION_DIR" 2>/dev/null

package/scripts/telemetry/lib/pricing.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+# pricing.sh — single-source pricing registry loader.
+#
+# Resolves the versioned pricing registry (pricing.json) from, in priority:
+#   1. explicit local file   TELEMETRY_PRICING_FILE / FLOW_AGENTS_PRICING_FILE
+#   2. remote URL (cached)   TELEMETRY_PRICING_URL  / FLOW_AGENTS_PRICING_URL
+#   3. bundled snapshot      <telemetry>/pricing.json
+# This is the one source every runtime + the console read from — local for
+# air-gapped use, remote for a single live registry shared across machines.
+
+PRICING_LIB_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Echo the raw registry JSON. Returns non-zero if nothing resolvable.
+pricing_registry() {
+  local f="${TELEMETRY_PRICING_FILE:-${FLOW_AGENTS_PRICING_FILE:-}}"
+  if [[ -n "$f" && -f "$f" ]]; then cat "$f"; return 0; fi
+
+  local url="${TELEMETRY_PRICING_URL:-${FLOW_AGENTS_PRICING_URL:-}}"
+  if [[ -n "$url" ]] && command -v curl >/dev/null 2>&1; then
+    local cache="${TMPDIR:-/tmp}/flow-agents-pricing-cache.json"
+    local ttl="${TELEMETRY_PRICING_TTL_SEC:-3600}"
+    if [[ -f "$cache" ]]; then
+      local mtime now age
+      mtime=$(stat -f %m "$cache" 2>/dev/null || stat -c %Y "$cache" 2>/dev/null || echo 0)
+      now=$(date +%s)
+      age=$(( now - mtime ))
+      if [[ "$age" -lt "$ttl" ]]; then cat "$cache"; return 0; fi
+    fi
+    if curl -fsS --max-time 5 "$url" -o "${cache}.tmp" 2>/dev/null && [[ -s "${cache}.tmp" ]]; then
+      mv "${cache}.tmp" "$cache"
+      cat "$cache"
+      return 0
+    fi
+    rm -f "${cache}.tmp" 2>/dev/null
+    [[ -f "$cache" ]] && { cat "$cache"; return 0; }  # stale cache beats nothing
+  fi
+
+  local bundled
+  bundled="$(cd "${PRICING_LIB_DIR}/.." && pwd)/pricing.json"
+  [[ -f "$bundled" ]] && { cat "$bundled"; return 0; }
+  return 1
+}

package/scripts/telemetry/lib/usage.sh

@@ -1,6 +1,12 @@
 #!/usr/bin/env bash
 # usage.sh — Session usage metric functions
 
+# Module directory, resolved once at source time (cwd-independent).
+USAGE_LIB_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Single-source pricing registry loader (local / remote / bundled).
+source "${USAGE_LIB_DIR}/pricing.sh"
+
 # Resolve model from agent-spec.json
 usage_get_model() {
   local agent_name="$1"
@@ -27,3 +33,105 @@ usage_count_delegations() {
   [[ ! -f "$jsonl_path" ]] && echo 0 && return
   grep -c "\"session_id\":\"${session_id}\".*\"event_type\":\"agent.delegate\"" "$jsonl_path" 2>/dev/null || echo 0
 }
+
+# Parse a runtime transcript (JSONL) into real per-model token + cost usage.
+# Ground truth lives in each assistant message's `.message.usage` block:
+#   input_tokens (uncached), output_tokens, cache_creation_input_tokens,
+#   cache_read_input_tokens — plus `.message.model`.
+# Cost is derived from the versioned pricing registry: cache writes bill at
+# input*write_5m, cache reads at input*read. Cost uses the registry's
+# current_version (override with arg $2) and the result stamps `pricing_version`
+# so the console can reproduce or recompute it. Emits a compact JSON object:
+#   { by_model: [ {model, input_tokens, output_tokens,
+#                  cache_creation_input_tokens, cache_read_input_tokens,
+#                  estimated_cost_usd} ],
+#     input_tokens, output_tokens, cache_creation_input_tokens,
+#     cache_read_input_tokens, estimated_cost_usd, pricing_version }
+# Prints nothing (non-zero) when the transcript is missing/unparseable so the
+# caller can fall back to null usage. Never blocks agent work.
+# Expected transcript usage path (Claude Code / Anthropic usage object). Bumped
+# if the on-disk schema changes so drift is logged rather than silently zeroed.
+USAGE_TRANSCRIPT_SCHEMA="message.usage.input_tokens"
+
+# Append a one-line schema-drift warning (transcript carried usage data we could
+# not parse). Goes to TELEMETRY_DRIFT_LOG if set, else stderr. Never fatal.
+usage_log_drift() {
+  local transcript="$1"
+  local msg="[telemetry] pricing/usage drift: ${transcript} has usage data but expected path '${USAGE_TRANSCRIPT_SCHEMA}' parsed 0 tokens — transcript schema may have changed"
+  if [[ -n "${TELEMETRY_DRIFT_LOG:-}" ]]; then
+    echo "$msg" >> "${TELEMETRY_DRIFT_LOG}" 2>/dev/null || echo "$msg" >&2
+  else
+    echo "$msg" >&2
+  fi
+}
+
+usage_parse_transcript() {
+  local transcript="$1" version="${2:-}"
+  [[ -z "$transcript" || ! -f "$transcript" ]] && return 1
+  command -v jq >/dev/null 2>&1 || return 1
+  local registry
+  registry="$(pricing_registry)" || return 1
+  [[ -z "$registry" ]] && return 1
+
+  local out
+  out="$(jq -n --argjson registry "$registry" --arg version "$version" '
+    $registry as $reg
+    | (if $version == "" then ($reg.current_version) else $version end) as $ver
+    | ($reg.versions[$ver]) as $p
+    | if $p == null then empty else . end
+    | ($p.cache_multipliers) as $cm
+    | (reduce inputs as $l ({};
+        ($l.message.usage) as $u
+        | if $u then
+            (($l.message.model) // "unknown") as $m
+            | .[$m].input          = ((.[$m].input // 0)          + (($u.input_tokens) // 0))
+            | .[$m].output         = ((.[$m].output // 0)         + (($u.output_tokens) // 0))
+            | .[$m].cache_creation = ((.[$m].cache_creation // 0) + (($u.cache_creation_input_tokens) // 0))
+            | .[$m].cache_read     = ((.[$m].cache_read // 0)     + (($u.cache_read_input_tokens) // 0))
+          else . end)) as $agg
+    | ($agg | to_entries
+        | map(
+            .key as $m | .value as $u
+            | (($p.models[$m]) // $p.default) as $rate
+            | (if ([$m] | inside($p.zero_cost_models)) then 0 else 1 end) as $billable
+            | {
+                model: $m,
+                input_tokens: ($u.input // 0),
+                output_tokens: ($u.output // 0),
+                cache_creation_input_tokens: ($u.cache_creation // 0),
+                cache_read_input_tokens: ($u.cache_read // 0),
+                estimated_cost_usd: (
+                  $billable * (
+                    ($u.input // 0)          * $rate.input
+                    + ($u.output // 0)         * $rate.output
+                    + ($u.cache_creation // 0) * $rate.input * $cm.write_5m
+                    + ($u.cache_read // 0)     * $rate.input * $cm.read
+                  ) / 1000000
+                )
+              })) as $by_model
+    | {
+        by_model: $by_model,
+        input_tokens: ([$by_model[].input_tokens] | add // 0),
+        output_tokens: ([$by_model[].output_tokens] | add // 0),
+        cache_creation_input_tokens: ([$by_model[].cache_creation_input_tokens] | add // 0),
+        cache_read_input_tokens: ([$by_model[].cache_read_input_tokens] | add // 0),
+        estimated_cost_usd: (([$by_model[].estimated_cost_usd] | add // 0) * 1000000 | round / 1000000),
+        pricing_version: $ver
+      }
+  ' < "$transcript" 2>/dev/null)"
+
+  [[ -z "$out" ]] && return 1
+
+  # Drift / emptiness check: if we parsed zero tokens but the transcript clearly
+  # contains usage data, the schema drifted — warn and fall back to null usage.
+  local total
+  total="$(printf '%s' "$out" | jq -r '((.input_tokens // 0) + (.output_tokens // 0) + (.cache_creation_input_tokens // 0) + (.cache_read_input_tokens // 0))' 2>/dev/null)"
+  if [[ -z "$total" || "$total" == "0" ]]; then
+    if grep -q '"input_tokens"' "$transcript" 2>/dev/null; then
+      usage_log_drift "$transcript"
+    fi
+    return 1
+  fi
+
+  printf '%s\n' "$out"
+}

package/scripts/telemetry/pricing.golden.json

@@ -0,0 +1,15 @@
+{
+  "_note": "Cross-runtime cost golden vectors. Keep IN SYNC with console-telemetry/test/golden-vectors.json (identical content). Asserted by the flow-agents bash usage tests, the Python sink tests, and the console-telemetry package so every runtime that prices tokens produces the SAME cost. If these drift between repos, a runtime's cost math has diverged.",
+  "pricing_version": "2026-06-28",
+  "cases": [
+    { "name": "opus cache-read-dominated", "model": "claude-opus-4-8", "tokens": { "input": 1000, "output": 2000, "cache_creation": 0, "cache_read": 500000 }, "expected_cost_usd": 0.305 },
+    { "name": "opus output only", "model": "claude-opus-4-8", "tokens": { "input": 0, "output": 1000, "cache_creation": 0, "cache_read": 0 }, "expected_cost_usd": 0.025 },
+    { "name": "fable output", "model": "claude-fable-5", "tokens": { "input": 0, "output": 100, "cache_creation": 0, "cache_read": 0 }, "expected_cost_usd": 0.005 },
+    { "name": "haiku output", "model": "claude-haiku-4-5", "tokens": { "input": 0, "output": 1000, "cache_creation": 0, "cache_read": 0 }, "expected_cost_usd": 0.005 },
+    { "name": "sonnet input 1M", "model": "claude-sonnet-4-6", "tokens": { "input": 1000000, "output": 0, "cache_creation": 0, "cache_read": 0 }, "expected_cost_usd": 3.0 },
+    { "name": "opus cache-write 5m tier", "model": "claude-opus-4-8", "tokens": { "input": 0, "output": 0, "cache_creation": 1000000, "cache_read": 0 }, "expected_cost_usd": 6.25 },
+    { "name": "opus billion-scale", "model": "claude-opus-4-8", "tokens": { "input": 200000, "output": 1600000, "cache_creation": 9000000, "cache_read": 1000000000 }, "expected_cost_usd": 597.25 },
+    { "name": "synthetic is free", "model": "<synthetic>", "tokens": { "input": 999, "output": 999, "cache_creation": 999, "cache_read": 999 }, "expected_cost_usd": 0 },
+    { "name": "unknown model uses default rate", "model": "some-unlisted-model", "tokens": { "input": 1000000, "output": 0, "cache_creation": 0, "cache_read": 0 }, "expected_cost_usd": 5.0 }
+  ]
+}

package/scripts/telemetry/pricing.json

@@ -0,0 +1,31 @@
+{
+  "schema_version": "2.0",
+  "current_version": "2026-06-28",
+  "source": "Anthropic public list pricing; cache multipliers per prompt-caching docs",
+  "versions": {
+    "2026-06-28": {
+      "effective_date": "2026-06-28",
+      "currency": "USD",
+      "unit": "per_1m_tokens",
+      "cache_multipliers": {
+        "write_5m": 1.25,
+        "write_1h": 2.0,
+        "read": 0.1
+      },
+      "models": {
+        "claude-fable-5": { "input": 10.0, "output": 50.0 },
+        "claude-mythos-5": { "input": 10.0, "output": 50.0 },
+        "claude-opus-4-8": { "input": 5.0, "output": 25.0 },
+        "claude-opus-4-7": { "input": 5.0, "output": 25.0 },
+        "claude-opus-4-6": { "input": 5.0, "output": 25.0 },
+        "claude-opus-4-5": { "input": 5.0, "output": 25.0 },
+        "claude-opus-4-1": { "input": 15.0, "output": 75.0 },
+        "claude-sonnet-4-6": { "input": 3.0, "output": 15.0 },
+        "claude-sonnet-4-5": { "input": 3.0, "output": 15.0 },
+        "claude-haiku-4-5": { "input": 1.0, "output": 5.0 }
+      },
+      "default": { "input": 5.0, "output": 25.0 },
+      "zero_cost_models": ["<synthetic>", "synthetic", "unknown", ""]
+    }
+  }
+}

package/scripts/telemetry/telemetry.conf

@@ -8,6 +8,10 @@ channel.analytics.redact=tool.input,tool.output,turn.prompt_text,delegation.targ
 # The transport derives /api/telemetry/records from console_telemetry_url.
 # console_telemetry_token=
 # console_tenant_id=
+# Live pricing registry source. If unset, derived from console_telemetry_url as
+# <console>/api/telemetry/pricing so bash/Python/TS runtimes read one live
+# source; lib/pricing.sh caches it and falls back to bundled pricing.json.
+# console_pricing_url=https://console.kontourai.io/api/telemetry/pricing
 enrich_system=true
 enrich_workspace=true
 enrich_auth=true

package/scripts/telemetry/telemetry.sh

@@ -309,13 +309,35 @@ add_stop_data_and_emit_usage() {
     tool_count=$(usage_count_tool_calls "$session_id" "$full_log")
     delegation_count=$(usage_count_delegations "$session_id" "$full_log")
 
+    # Ground-truth token + cost usage from the runtime transcript, when the
+    # runtime exposes one (Claude Code, Codex, etc. set hook.transcript_path).
+    # Tokens are source-of-truth; estimated_cost_usd is derived from pricing.json
+    # (recomputed authoritatively console-side, so pricing updates are retroactive).
+    local transcript_path transcript_usage
+    transcript_path=$(echo "$event" | jq -r '.hook.transcript_path // ""')
+    transcript_usage=$(usage_parse_transcript "$transcript_path")
+    [[ -z "$transcript_usage" ]] && transcript_usage='null'
+
     local usage_event
     usage_event=$(echo "$event" | jq -c \
       --arg m "$model" \
       --argjson tc "$tool_count" \
       --argjson dc "$delegation_count" \
+      --argjson tu "$transcript_usage" \
       '.event_type = "session.usage" | .event_id = (.event_id + "-usage") | . + {
-        usage: {model: $m, duration_s: .session.duration_s, tool_invocations: $tc, delegations: $dc, input_tokens: null, output_tokens: null, estimated_cost_usd: null}
+        usage: ({
+          model: $m,
+          duration_s: .session.duration_s,
+          tool_invocations: $tc,
+          delegations: $dc,
+          input_tokens: ($tu.input_tokens // null),
+          output_tokens: ($tu.output_tokens // null),
+          cache_creation_input_tokens: ($tu.cache_creation_input_tokens // null),
+          cache_read_input_tokens: ($tu.cache_read_input_tokens // null),
+          estimated_cost_usd: ($tu.estimated_cost_usd // null),
+          pricing_version: ($tu.pricing_version // null),
+          by_model: ($tu.by_model // null)
+        })
       }')
     transport_emit "$usage_event"
   fi

package/src/cli/workflow-sidecar.ts

@@ -19,11 +19,17 @@ export const verdicts = new Set(["pass", "partial", "fail", "not_verified"]);
 function now(): string { return new Date().toISOString().replace(/\.\d{3}Z$/, "Z"); }
 function read(file: string): string { return fs.readFileSync(file, "utf8"); }
 export function writeJson(file: string, payload: AnyObj): void { fs.mkdirSync(path.dirname(file), { recursive: true }); fs.writeFileSync(file, `${JSON.stringify(payload, null, 2)}\n`); }
-function printJson(payload: AnyObj): void { console.log(JSON.stringify(payload).replace(/":/g, '": ').replace(/,"/g, ', "')); }
+// Single-line but readable "key": "value" form. Built by collapsing the
+// structural whitespace from an indented stringify — corruption-proof, unlike a
+// regex that would also rewrite ":"/"," sequences inside string values.
+function spacedLine(payload: AnyObj, replacer?: (string | number)[]): string {
+  return JSON.stringify(payload, replacer as never, 1).replace(/\n\s*/g, " ");
+}
+function printJson(payload: AnyObj): void { console.log(spacedLine(payload)); }
 export function loadJson(file: string, fallback: AnyObj = {}): AnyObj { return fs.existsSync(file) ? JSON.parse(read(file)) : { ...fallback }; }
 export function appendJsonl(file: string, payload: AnyObj): void {
   fs.mkdirSync(path.dirname(file), { recursive: true });
-  const line = JSON.stringify(payload, Object.keys(payload).sort()).replace(/":/g, '": ').replace(/,"/g, ', "');
+  const line = spacedLine(payload, Object.keys(payload).sort());
   fs.appendFileSync(file, `${line}\n`);
 }
 function die(message: string): never { throw new Error(message); }