@phnx-labs/agents-cli 1.20.16 → 1.20.18

package/dist/lib/secrets/drivers/rush.js

@@ -0,0 +1,84 @@
+/**
+ * Rush `SyncBackend` driver — the original (and currently default) transport
+ * for `agents secrets push/pull`. Talks to api.prix.dev and authenticates with
+ * the session token written by `rush login` (`~/.rush/user.yaml`).
+ *
+ * This is the ONE place in the secrets module allowed to reference Rush
+ * (api.prix.dev / ~/.rush). It is an opt-in driver kept for backwards
+ * compatibility with bundles already pushed to Rush; `sync.ts` selects it as
+ * the default but the transport seam (`SyncBackend`) lets other backends drop
+ * in without touching the crypto or push/pull logic.
+ */
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import * as yaml from 'yaml';
+const PROXY_BASE = 'https://api.prix.dev';
+const USER_YAML = path.join(os.homedir(), '.rush', 'user.yaml');
+const BUNDLE_ENDPOINT = '/api/v1/secrets/bundles';
+function readRushToken() {
+    if (!fs.existsSync(USER_YAML)) {
+        throw new Error('Not logged in to Rush. Run `rush login` first.');
+    }
+    const raw = fs.readFileSync(USER_YAML, 'utf-8');
+    const data = yaml.parse(raw);
+    const token = data?.session?.access_token;
+    if (!token) {
+        throw new Error('No session token in ~/.rush/user.yaml. Run `rush login` first.');
+    }
+    return token;
+}
+async function api(method, endpoint, body) {
+    const token = readRushToken();
+    const url = endpoint.startsWith('http') ? endpoint : `${PROXY_BASE}${endpoint}`;
+    return fetch(url, {
+        method,
+        headers: {
+            Authorization: `Bearer ${token}`,
+            'Content-Type': 'application/json',
+        },
+        body: body === undefined ? undefined : JSON.stringify(body),
+    });
+}
+function bundlePath(name) {
+    return `${BUNDLE_ENDPOINT}/${encodeURIComponent(name)}`;
+}
+/** The Rush transport. Plaintext never reaches here — only ciphertext envelopes. */
+export const rushSyncBackend = {
+    async putEnvelope(name, payload) {
+        const res = await api('PUT', bundlePath(name), payload);
+        if (!res.ok) {
+            const body = await res.text().catch(() => '');
+            throw new Error(`Push failed (${res.status} ${res.statusText}): ${body}`);
+        }
+    },
+    async getEnvelope(name) {
+        const res = await api('GET', bundlePath(name));
+        if (res.status === 404)
+            return null;
+        if (!res.ok) {
+            const body = await res.text().catch(() => '');
+            throw new Error(`Pull failed (${res.status} ${res.statusText}): ${body}`);
+        }
+        return await res.json();
+    },
+    async deleteEnvelope(name) {
+        const res = await api('DELETE', bundlePath(name));
+        if (res.status === 404)
+            return false;
+        if (!res.ok) {
+            const body = await res.text().catch(() => '');
+            throw new Error(`Delete failed (${res.status} ${res.statusText}): ${body}`);
+        }
+        return true;
+    },
+    async listEnvelopes() {
+        const res = await api('GET', BUNDLE_ENDPOINT);
+        if (!res.ok) {
+            const body = await res.text().catch(() => '');
+            throw new Error(`List failed (${res.status} ${res.statusText}): ${body}`);
+        }
+        const data = await res.json();
+        return data.bundles ?? [];
+    },
+};

package/dist/lib/secrets/linux.js

@@ -38,6 +38,7 @@ let isAvailable = false;
 // ---------- file fallback state ----------
 let useFileFallback = false;
 let warnedFallback = false;
+let warnedAutoPassphrase = false;
 let fileDirOverride = null;
 let cachedPassphrase = null;
 function fileDir() {
@@ -87,7 +88,13 @@ function preflight() {
         checkedAvailability = true;
     }
     if (!isAvailable) {
-        if (process.env.AGENTS_SECRETS_PASSPHRASE) {
+        // No secret-tool. Route to the encrypted-file fallback whenever a passphrase
+        // source exists or can be auto-provisioned: an explicit
+        // AGENTS_SECRETS_PASSPHRASE, an already-provisioned machine-local passphrase,
+        // or a headless context (no TTY) where getPassphrase() auto-provisions one.
+        // Only an INTERACTIVE session with none of these gets the install hint —
+        // installing libsecret is the better fix when someone is at the keyboard.
+        if (process.env.AGENTS_SECRETS_PASSPHRASE || machinePassphraseExists() || !process.stdin.isTTY) {
             activateFileFallback();
             return 'file';
         }
@@ -141,6 +148,67 @@ function readPassphraseFromTty() {
         fs.closeSync(fd);
     }
 }
+/** Path of the auto-provisioned machine-local passphrase. Lives alongside the
+ *  encrypted items but is never itself an item (no `.enc` suffix, so it's
+ *  excluded from list/has/get and from fileFallbackPreviouslyActivated). */
+function passphraseFilePath() {
+    return path.join(fileDir(), '.passphrase');
+}
+/** True if a machine-local passphrase has already been provisioned. */
+function machinePassphraseExists() {
+    try {
+        return fs.readFileSync(passphraseFilePath(), 'utf8').trim().length > 0;
+    }
+    catch {
+        return false;
+    }
+}
+function readMachinePassphrase() {
+    try {
+        const p = fs.readFileSync(passphraseFilePath(), 'utf8').trim();
+        return p.length > 0 ? p : null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Provision (or read back) a stable machine-local passphrase for the encrypted
+ * file store, so `agents secrets` works out of the box on a headless box where
+ * the keyring is locked and no AGENTS_SECRETS_PASSPHRASE is set.
+ *
+ * Security model: this is encryption-at-rest with the key held in a 0600 file —
+ * the same posture as an SSH private key, and identical to the common
+ * "export AGENTS_SECRETS_PASSPHRASE=… in ~/.zshenv (chmod 600)" workaround. The
+ * keyring (key in a daemon's locked memory) is stronger but is unavailable
+ * without a graphical/unlocked session. For an off-disk key, set
+ * AGENTS_SECRETS_PASSPHRASE (it always takes precedence) or unlock the keyring.
+ */
+function provisionMachinePassphrase() {
+    const existing = readMachinePassphrase();
+    if (existing)
+        return existing;
+    ensureFileDir();
+    const generated = randomBytes(32).toString('base64');
+    const fp = passphraseFilePath();
+    try {
+        // wx: fail if a concurrent process created it first (then we read theirs).
+        fs.writeFileSync(fp, generated, { mode: 0o600, flag: 'wx' });
+    }
+    catch {
+        const raced = readMachinePassphrase();
+        if (raced)
+            return raced;
+        throw new Error(`Failed to provision machine-local passphrase at ${fp}.`);
+    }
+    if (!warnedAutoPassphrase) {
+        warnedAutoPassphrase = true;
+        process.stderr.write(`[agents] keyring locked and no AGENTS_SECRETS_PASSPHRASE set; provisioned a ` +
+            `machine-local passphrase at ${fp} (mode 0600). Set AGENTS_SECRETS_PASSPHRASE ` +
+            `for a key held off disk.\n`);
+    }
+    return generated;
+}
 function getPassphrase() {
     if (cachedPassphrase !== null)
         return cachedPassphrase;
@@ -149,16 +217,25 @@ function getPassphrase() {
         cachedPassphrase = env;
         return env;
     }
-    if (!process.stdin.isTTY) {
-        throw new Error('Secret-service collection is locked and no AGENTS_SECRETS_PASSPHRASE is set.\n' +
-            'Set AGENTS_SECRETS_PASSPHRASE in your environment to use the encrypted-file fallback,\n' +
-            'or unlock the keyring (e.g. configure pam_gnome_keyring for SSH login).');
+    // A previously-provisioned machine-local passphrase is this machine's stable
+    // file-store key — prefer it for both interactive and headless runs so they
+    // always agree (a TTY run won't re-prompt once the file exists).
+    const onDisk = readMachinePassphrase();
+    if (onDisk) {
+        cachedPassphrase = onDisk;
+        return onDisk;
+    }
+    // First run, no env, no provisioned key: prompt when interactive, otherwise
+    // (headless — the reported bug) auto-provision instead of hard-failing.
+    if (process.stdin.isTTY) {
+        const p = readPassphraseFromTty();
+        if (!p)
+            throw new Error('No passphrase entered.');
+        cachedPassphrase = p;
+        return p;
     }
-    const p = readPassphraseFromTty();
-    if (!p)
-        throw new Error('No passphrase entered.');
-    cachedPassphrase = p;
-    return p;
+    cachedPassphrase = provisionMachinePassphrase();
+    return cachedPassphrase;
 }
 function deriveKey(passphrase, salt) {
     return scryptSync(passphrase, salt, 32);
@@ -423,6 +500,7 @@ export function _resetForTest(opts = {}) {
     fileDirOverride = opts.fileDir ?? null;
     useFileFallback = opts.forceFileFallback ?? false;
     warnedFallback = false;
+    warnedAutoPassphrase = false;
     cachedPassphrase = opts.passphrase ?? null;
     checkedAvailability = false;
     isAvailable = false;

package/dist/lib/secrets/sync-backend.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Transport seam for encrypted secrets-bundle sync.
+ *
+ * A `SyncBackend` moves opaque ciphertext envelopes to and from some remote.
+ * It NEVER sees plaintext: encryption (`encryptBlob`) happens in `sync.ts`
+ * before `putEnvelope`, and decryption (`decryptBlob`) happens after
+ * `getEnvelope`. This mirrors the `KeychainBackend` storage seam
+ * (`src/lib/secrets/index.ts`) but abstracts *transport* rather than at-rest
+ * storage — so the high-level push/pull logic in `sync.ts` is decoupled from
+ * any specific backend (Rush's api.prix.dev, a future Supabase driver, an
+ * in-memory test double, …).
+ */
+/** Encrypted bundle envelope (AES-256-GCM, key via PBKDF2-SHA256). All byte
+ *  fields are base64. The server only ever stores/returns this — never plaintext. */
+export interface EncryptedEnvelope {
+    v: 1;
+    kdf: 'pbkdf2-sha256';
+    iter: number;
+    salt: string;
+    iv: string;
+    ct: string;
+    tag: string;
+}
+/** A stored bundle object: the ciphertext envelope plus a last-updated stamp. */
+export interface SyncEnvelope {
+    envelope: EncryptedEnvelope;
+    updated_at: string;
+}
+/** Lightweight listing entry returned by `listEnvelopes`. */
+export interface RemoteBundleSummary {
+    name: string;
+    updated_at: string;
+}
+/**
+ * Pluggable transport for encrypted bundles. Implementations handle only the
+ * wire/storage; the crypto and bundle snapshot/restore stay backend-agnostic
+ * in `sync.ts`.
+ */
+export interface SyncBackend {
+    /** Store (create or overwrite) the envelope for `name`. */
+    putEnvelope(name: string, payload: SyncEnvelope): Promise<void>;
+    /** Fetch the envelope for `name`, or `null` if the remote has none. */
+    getEnvelope(name: string): Promise<SyncEnvelope | null>;
+    /** Delete `name` on the remote. Returns false if it didn't exist. */
+    deleteEnvelope(name: string): Promise<boolean>;
+    /** List every bundle the authenticated user has on the remote. */
+    listEnvelopes(): Promise<RemoteBundleSummary[]>;
+}

package/dist/lib/secrets/sync-backend.js

@@ -0,0 +1,13 @@
+/**
+ * Transport seam for encrypted secrets-bundle sync.
+ *
+ * A `SyncBackend` moves opaque ciphertext envelopes to and from some remote.
+ * It NEVER sees plaintext: encryption (`encryptBlob`) happens in `sync.ts`
+ * before `putEnvelope`, and decryption (`decryptBlob`) happens after
+ * `getEnvelope`. This mirrors the `KeychainBackend` storage seam
+ * (`src/lib/secrets/index.ts`) but abstracts *transport* rather than at-rest
+ * storage — so the high-level push/pull logic in `sync.ts` is decoupled from
+ * any specific backend (Rush's api.prix.dev, a future Supabase driver, an
+ * in-memory test double, …).
+ */
+export {};

package/dist/lib/secrets/sync.d.ts

@@ -1,28 +1,21 @@
 /**
- * Remote sync client for secrets bundles.
+ * Remote sync for secrets bundles — backend-agnostic.
  *
  * Replaces the previous "leave it to iCloud Keychain" model with explicit
- * push/pull against api.prix.dev. Bundle contents (vars + secret values) are
- * encrypted client-side with AES-256-GCM under a key derived from a
- * user-supplied passphrase via PBKDF2-SHA256. Plaintext never leaves the
- * machine — api.prix.dev only ever sees the ciphertext + KDF parameters.
+ * push/pull. Bundle contents (vars + secret values) are encrypted client-side
+ * with AES-256-GCM under a key derived from a user-supplied passphrase via
+ * PBKDF2-SHA256; only the resulting ciphertext envelope is handed to the
+ * transport. The transport itself is a pluggable `SyncBackend` (see
+ * `sync-backend.ts`) — the Rush driver (`drivers/rush.ts`, api.prix.dev) is the
+ * default for backwards compatibility, swappable via `setSyncBackend`. Plaintext
+ * never leaves this module; the backend only ever sees ciphertext + KDF params.
  */
 import { type SecretsBundle } from './bundles.js';
+import type { SyncBackend, RemoteBundleSummary, EncryptedEnvelope } from './sync-backend.js';
+export type { EncryptedEnvelope, RemoteBundleSummary } from './sync-backend.js';
 export declare const MIN_PASSPHRASE_LEN = 12;
-/** Envelope for an encrypted bundle. All byte fields are base64. */
-export interface EncryptedEnvelope {
-    v: 1;
-    kdf: 'pbkdf2-sha256';
-    iter: number;
-    salt: string;
-    iv: string;
-    ct: string;
-    tag: string;
-}
-interface RemoteBundleSummary {
-    name: string;
-    updated_at: string;
-}
+/** Override the sync transport. Returns the previous backend (restore in tests). */
+export declare function setSyncBackend(next: SyncBackend): SyncBackend;
 /** Encrypt a JSON-serializable payload with a passphrase. */
 export declare function encryptBlob(plaintext: string, passphrase: string): EncryptedEnvelope;
 /** Decrypt an envelope. Throws on bad passphrase (auth tag mismatch). */
@@ -37,7 +30,7 @@ export interface BundleSnapshot {
 export interface PushOptions {
     passphrase: string;
 }
-/** Push a local bundle to api.prix.dev. Encrypts client-side; server only sees ciphertext. */
+/** Push a local bundle to the remote. Encrypts client-side; the backend only sees ciphertext. */
 export declare function pushBundle(name: string, opts: PushOptions): Promise<{
     updated_at: string;
 }>;
@@ -47,10 +40,9 @@ export interface PullOptions {
     /** When true, overwrite an existing local bundle. */
     force?: boolean;
 }
-/** Pull a bundle by name from api.prix.dev and materialize it locally. */
+/** Pull a bundle by name from the remote and materialize it locally. */
 export declare function pullBundle(name: string, opts: PullOptions): Promise<SecretsBundle>;
 /** Delete a bundle on the remote. */
 export declare function deleteRemoteBundle(name: string): Promise<boolean>;
-/** List bundles currently stored on api.prix.dev for this user. */
+/** List bundles currently stored on the remote for this user. */
 export declare function listRemoteBundles(): Promise<RemoteBundleSummary[]>;
-export {};

package/dist/lib/secrets/sync.js

@@ -1,22 +1,19 @@
 /**
- * Remote sync client for secrets bundles.
+ * Remote sync for secrets bundles — backend-agnostic.
  *
  * Replaces the previous "leave it to iCloud Keychain" model with explicit
- * push/pull against api.prix.dev. Bundle contents (vars + secret values) are
- * encrypted client-side with AES-256-GCM under a key derived from a
- * user-supplied passphrase via PBKDF2-SHA256. Plaintext never leaves the
- * machine — api.prix.dev only ever sees the ciphertext + KDF parameters.
+ * push/pull. Bundle contents (vars + secret values) are encrypted client-side
+ * with AES-256-GCM under a key derived from a user-supplied passphrase via
+ * PBKDF2-SHA256; only the resulting ciphertext envelope is handed to the
+ * transport. The transport itself is a pluggable `SyncBackend` (see
+ * `sync-backend.ts`) — the Rush driver (`drivers/rush.ts`, api.prix.dev) is the
+ * default for backwards compatibility, swappable via `setSyncBackend`. Plaintext
+ * never leaves this module; the backend only ever sees ciphertext + KDF params.
  */
 import * as crypto from 'crypto';
-import * as fs from 'fs';
-import * as os from 'os';
-import * as path from 'path';
-import * as yaml from 'yaml';
 import { getKeychainToken, hasKeychainToken, secretsKeychainItem, setKeychainToken, } from './index.js';
 import { readBundle, writeBundle, keychainItemsForBundle, validateBundleName, } from './bundles.js';
-const PROXY_BASE = 'https://api.prix.dev';
-const USER_YAML = path.join(os.homedir(), '.rush', 'user.yaml');
-const BUNDLE_ENDPOINT = '/api/v1/secrets/bundles';
+import { rushSyncBackend } from './drivers/rush.js';
 // PBKDF2 cost. 600k SHA-256 iters matches OWASP 2023+ guidance and keeps a
 // passphrase prompt under a second on the hardware the CLI targets.
 const PBKDF2_ITER = 600_000;
@@ -24,29 +21,19 @@ export const MIN_PASSPHRASE_LEN = 12;
 const KEY_LEN = 32;
 const SALT_LEN = 16;
 const IV_LEN = 12;
-function readRushToken() {
-    if (!fs.existsSync(USER_YAML)) {
-        throw new Error('Not logged in to Rush. Run `rush login` first.');
-    }
-    const raw = fs.readFileSync(USER_YAML, 'utf-8');
-    const data = yaml.parse(raw);
-    const token = data?.session?.access_token;
-    if (!token) {
-        throw new Error('No session token in ~/.rush/user.yaml. Run `rush login` first.');
-    }
-    return token;
-}
-async function api(method, endpoint, body) {
-    const token = readRushToken();
-    const url = endpoint.startsWith('http') ? endpoint : `${PROXY_BASE}${endpoint}`;
-    return fetch(url, {
-        method,
-        headers: {
-            Authorization: `Bearer ${token}`,
-            'Content-Type': 'application/json',
-        },
-        body: body === undefined ? undefined : JSON.stringify(body),
-    });
+/**
+ * Active transport backend. Defaults to the Rush driver for backwards
+ * compatibility with bundles already pushed to api.prix.dev; `setSyncBackend`
+ * swaps it (a future Supabase driver, or an in-memory double in tests). The
+ * crypto + snapshot/restore below stay backend-agnostic — the backend only
+ * ever moves ciphertext envelopes, never plaintext.
+ */
+let backend = rushSyncBackend;
+/** Override the sync transport. Returns the previous backend (restore in tests). */
+export function setSyncBackend(next) {
+    const prev = backend;
+    backend = next;
+    return prev;
 }
 function deriveKey(passphrase, salt) {
     return crypto.pbkdf2Sync(passphrase, salt, PBKDF2_ITER, KEY_LEN, 'sha256');
@@ -115,32 +102,23 @@ function restoreSnapshot(snap) {
     }
     writeBundle(bundle);
 }
-/** Push a local bundle to api.prix.dev. Encrypts client-side; server only sees ciphertext. */
+/** Push a local bundle to the remote. Encrypts client-side; the backend only sees ciphertext. */
 export async function pushBundle(name, opts) {
     validateBundleName(name);
     const snap = snapshotBundle(name);
     const envelope = encryptBlob(JSON.stringify(snap), opts.passphrase);
     const updated_at = new Date().toISOString();
     const payload = { envelope, updated_at };
-    const res = await api('PUT', `${BUNDLE_ENDPOINT}/${encodeURIComponent(name)}`, payload);
-    if (!res.ok) {
-        const body = await res.text().catch(() => '');
-        throw new Error(`Push failed (${res.status} ${res.statusText}): ${body}`);
-    }
+    await backend.putEnvelope(name, payload);
     return { updated_at };
 }
-/** Pull a bundle by name from api.prix.dev and materialize it locally. */
+/** Pull a bundle by name from the remote and materialize it locally. */
 export async function pullBundle(name, opts) {
     validateBundleName(name);
-    const res = await api('GET', `${BUNDLE_ENDPOINT}/${encodeURIComponent(name)}`);
-    if (res.status === 404) {
-        throw new Error(`Remote bundle '${name}' not found on api.prix.dev.`);
-    }
-    if (!res.ok) {
-        const body = await res.text().catch(() => '');
-        throw new Error(`Pull failed (${res.status} ${res.statusText}): ${body}`);
+    const data = await backend.getEnvelope(name);
+    if (!data) {
+        throw new Error(`Remote bundle '${name}' not found.`);
     }
-    const data = await res.json();
     const plaintext = decryptBlob(data.envelope, opts.passphrase);
     const snap = JSON.parse(plaintext);
     if (!snap || !snap.bundle || snap.bundle.name !== name) {
@@ -159,22 +137,9 @@ export async function pullBundle(name, opts) {
 /** Delete a bundle on the remote. */
 export async function deleteRemoteBundle(name) {
     validateBundleName(name);
-    const res = await api('DELETE', `${BUNDLE_ENDPOINT}/${encodeURIComponent(name)}`);
-    if (res.status === 404)
-        return false;
-    if (!res.ok) {
-        const body = await res.text().catch(() => '');
-        throw new Error(`Delete failed (${res.status} ${res.statusText}): ${body}`);
-    }
-    return true;
+    return backend.deleteEnvelope(name);
 }
-/** List bundles currently stored on api.prix.dev for this user. */
+/** List bundles currently stored on the remote for this user. */
 export async function listRemoteBundles() {
-    const res = await api('GET', BUNDLE_ENDPOINT);
-    if (!res.ok) {
-        const body = await res.text().catch(() => '');
-        throw new Error(`List failed (${res.status} ${res.statusText}): ${body}`);
-    }
-    const data = await res.json();
-    return data.bundles ?? [];
+    return backend.listEnvelopes();
 }

package/dist/lib/session/db.d.ts

@@ -23,6 +23,8 @@ export interface SessionRow {
     label: string | null;
     message_count: number | null;
     token_count: number | null;
+    cost_usd: number | null;
+    duration_ms: number | null;
     file_path: string;
     file_mtime_ms: number | null;
     file_size: number | null;
@@ -50,6 +52,12 @@ export interface QueryOptions {
     excludeTeamOrigin?: boolean;
     /** Keep only team-origin rows (for hidden-count queries). */
     onlyTeamOrigin?: boolean;
+    /**
+     * Column to order by, all descending. 'timestamp' (default) sorts newest
+     * first; 'cost' and 'duration' put the priciest / longest sessions on top,
+     * with NULLs sorted last so unpriced rows never crowd out real data.
+     */
+    sortBy?: 'timestamp' | 'cost' | 'duration';
 }
 /** Open (or return the cached) sessions database, applying migrations as needed. */
 export declare function getDB(): Database.Database;
@@ -114,6 +122,38 @@ export declare function syncLabels(labelMap: Map<string, string | null>): number
 export declare function querySessions(options?: QueryOptions): SessionMeta[];
 /** Count sessions matching the given filter options. */
 export declare function countSessions(options?: QueryOptions): number;
+/** One grouped row in a cost/duration rollup. */
+export interface UsageRollupRow {
+    /** Grouping key value: the agent id, project name, or ISO date (YYYY-MM-DD). */
+    key: string;
+    costUsd: number;
+    durationMs: number;
+    sessionCount: number;
+    tokenCount: number;
+}
+/** What to group a usage rollup by. */
+export type UsageRollupGroup = 'agent' | 'project' | 'day';
+/**
+ * Aggregate cost / duration / tokens across sessions, grouped by agent,
+ * project, or calendar day. Honors the same filter shape as querySessions
+ * (agent, since/until, team-origin) so `agents cost --since 7d --by day`
+ * lines up with what `agents sessions` would list. Ordered by cost desc.
+ */
+export declare function queryUsageRollup(options: QueryOptions & {
+    groupBy: UsageRollupGroup;
+}): UsageRollupRow[];
+/** A session with its cost, for the top-N-by-cost listing. */
+export interface TopCostSession {
+    meta: SessionMeta;
+    costUsd: number;
+    durationMs: number;
+}
+/**
+ * Return the N most expensive sessions (cost_usd DESC, NULLs excluded),
+ * honoring the same filter shape as querySessions. Drops rows whose JSONL
+ * vanished, mirroring querySessions' liveness filter.
+ */
+export declare function topSessionsByCost(n: number, options?: QueryOptions): TopCostSession[];
 /** Return the set of all file paths currently tracked in the sessions table. */
 export declare function getAllFilePaths(): Set<string>;
 /** Look up sessions by their source file paths. */