npm - @rosh100yx/outlier - Versions diffs - 0.4.24 → 0.7.0 - Mend

@rosh100yx/outlier 0.4.24 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/src/cli.ts CHANGED Viewed

@@ -20,6 +20,74 @@ const ASCII_LOGO = `
 let finalReceipt = '';
+// Build a stable, machine-readable audit object. This is the contract agents,
+// swarms, and CI parse — everything the human receipt shows, as plain JSON.
+async function emitJson() {
+  const pkg = require('../package.json');
+  const [gitStats, carbon, caps] = await Promise.all([
+    getAuthorshipStats().catch(() => null),
+    getCarbonStats().catch(() => null),
+    getCapabilitiesStats().catch(() => null),
+  ]);
+  const aiRatio = gitStats ? gitStats.ratio : 0;
+  const cap = 0.70;
+  const writeOrDeploy = caps
+    ? caps.mcps.filter((m: any) => ['money', 'exec', 'deploy', 'write-remote', 'write-local'].includes(m.reach)).length
+    : 0;
+  const out = {
+    tool: 'outlier',
+    version: pkg.version,
+    repo: process.cwd().split('/').pop(),
+    generatedAt: new Date().toISOString(),
+    localFirst: true,
+    authorship: gitStats ? {
+      aiPercent: +(gitStats.ratio * 100).toFixed(1),
+      aiRatio: gitStats.ratio,
+      totalCommits: gitStats.total,
+      aiCommits: gitStats.ai,
+      nonMergePercent: +(gitStats.ratioNoMerges * 100).toFixed(1),
+      provenance: 'proxy',
+      note: 'git Co-Authored-By trailers; under-counts if the agent omits the trailer',
+    } : null,
+    cost: carbon ? {
+      totalTokens: carbon.totalTokens,
+      outputTokens: carbon.outputTokens,
+      cacheReusePercent: carbon.totalTokens ? +((carbon.cacheReadTokens / carbon.totalTokens) * 100).toFixed(1) : 0,
+      estUsd: +carbon.estUsd.toFixed(2),
+      costIsReal: carbon.costIsReal,
+      provenance: carbon.tokenProvenance,
+      source: carbon.sourceLabel,
+    } : null,
+    carbon: carbon ? {
+      energyKwh: +carbon.energyKwh.toFixed(4),
+      co2Kg: +carbon.localCo2Kg.toFixed(4),
+      region: carbon.localRegion,
+      provenance: carbon.carbonProvenance,
+      note: 'counterfactual: cloud inference runs on the provider grid, not yours',
+    } : null,
+    reach: caps ? {
+      blastRadius: caps.blastRadius,
+      reasons: caps.blastReasons,
+      toolCount: caps.mcps.length,
+      writeOrDeployCount: writeOrDeploy,
+      tools: caps.mcps,
+      subagents: caps.subagents,
+      hooks: caps.hooks,
+      skills: caps.skills.length,
+      orchestration: caps.hasOrchestration,
+    } : null,
+    policy: {
+      aiCapPercent: cap * 100,
+      status: aiRatio > cap ? 'over' : 'within',
+    },
+  };
+  // Only JSON on stdout — nothing else.
+  process.stdout.write(JSON.stringify(out, null, 2) + '\n');
+}
 async function runOnboarding() {
   console.log(pc.cyan(ASCII_LOGO));
   intro(pc.inverse(' outlier: Welcome '));
@@ -78,24 +146,38 @@ async function main() {
     action = 'status';
   }
+  // Agent / CI / swarm contract: --json emits a structured audit and nothing else
+  // (no logo, no spinner, no ANSI). This is how an agent perceives outlier.
+  if (process.argv.includes('--json')) {
+    await emitJson();
+    process.exit(0);
+  }
   console.log(pc.cyan(ASCII_LOGO));
   const pkg = require('../package.json');
   console.log(pc.dim(`  Outlier v${pkg.version} · AI Code Reliance & Telemetry Engine\n`));
   if (action === '--help' || action === '-h' || action === 'help') {
-    console.log(pc.bold('\nCOMMANDS:'));
-    console.log(`  ${pc.cyan('outlier')}              Interactive menu (Onboarding for first-timers)`);
-    console.log(`  ${pc.cyan('outlier status')}       Run full AI reliance & capability audit`);
-    console.log(`  ${pc.cyan('outlier authorship')}   Scan git history for AI co-authorship ratio`);
-    console.log(`  ${pc.cyan('outlier carbon')}       Scan local logs for token waste & carbon cost`);
-    console.log(`  ${pc.cyan('outlier policy')}       Configure CI/CD guardrails and thresholds`);
-    console.log(`  ${pc.cyan('outlier impact')}       See the compounding horizon of AI Deskilling`);
-    console.log(`  ${pc.cyan('outlier knowledge')}    Explore references, graphs, and the core literature`);
-    console.log(`  ${pc.cyan('outlier participate')}  Help build the academic literature on AI deskilling`);
-    console.log(`  ${pc.cyan('outlier init')}         Install the once-per-day shell greeting`);
-    console.log(`  ${pc.cyan('outlier uninit')}       Remove the shell greeting`);
-    console.log('\n' + pc.dim('Run without arguments to start the interactive wizard.'));
+    console.log(pc.bold('\nWHAT OUTLIER DOES'));
+    console.log(pc.dim('  Reads your local git history and AI logs — on your machine — to show'));
+    console.log(pc.dim('  how much of your code AI wrote, what it cost, and how to keep your skill.\n'));
+    console.log(pc.bold('COMMANDS:'));
+    console.log(`  ${pc.cyan('outlier')}              Run the audit (the default — same as 'status')`);
+    console.log(`  ${pc.cyan('outlier status')}       Full audit: who wrote the code, what it cost, your limit`);
+    console.log(`  ${pc.cyan('outlier status --save')} Save the audit to ./outlier-audit.txt`);
+    console.log(`  ${pc.cyan('outlier --json')}       Machine-readable audit (for agents, CI, swarms)`);
+    console.log(`  ${pc.cyan('outlier authorship')}   Just the AI-vs-human commit breakdown`);
+    console.log(`  ${pc.cyan('outlier carbon')}       Just the token spend, cache waste & carbon`);
+    console.log(`  ${pc.cyan('outlier capabilities')} What tools & skills your agents can reach`);
+    console.log(`  ${pc.cyan('outlier policy')}       Set an AI-authorship limit (local git hook / CI)`);
+    console.log(`  ${pc.cyan('outlier impact')}       What AI reliance compounds to over time`);
+    console.log(`  ${pc.cyan('outlier knowledge')}    The research behind the metrics`);
+    console.log(`  ${pc.cyan('outlier participate')}  Share anonymous feedback for the deskilling study`);
+    console.log(`  ${pc.cyan('outlier init')}         Show a once-per-day reliance greeting in new shells`);
+    console.log(`  ${pc.cyan('outlier uninit')}       Remove that greeting`);
+    console.log('\n' + pc.dim('Local-first: nothing ever leaves your machine.'));
+    console.log(pc.dim('How it works → https://github.com/rosh100yx/outlier#how-it-works'));
     process.exit(0);
   }
@@ -275,22 +357,45 @@ Conservative Floor: ${color(nmPct + '%')}`,
     try {
         let authPct = '0%';
+        let nmFloorStr = '';
         let ruleFailures = 0;
         if (gitStats) {
           authPct = `${(gitStats.ratio * 100).toFixed(1)}%`;
+          // Conservative floor: non-merge commits only (merges often lack the trailer).
+          nmFloorStr = ` ${pc.dim(`(${(gitStats.ratioNoMerges * 100).toFixed(0)}% excl. merges)`)}`;
           if (gitStats.ratio > 0.7) ruleFailures++;
         }
+        // Honesty: a very low ratio alongside heavy token use usually means the agent
+        // doesn't tag commits, not that the human wrote everything.
+        const lowTrailerWarn =
+          gitStats && gitStats.ratio < 0.1 && carbon && carbon.totalTokens > 1_000_000
+            ? `\n ${pc.dim('│')}   ${pc.dim('Low %? Your agent may not tag commits — outlier counts only')}\n ${pc.dim('│')}   ${pc.dim('commits with a Co-Authored-By trailer.')}`
+            : '';
         let cachePct = '0';
         let co2Str = '0.0kg';
         let regionStr = 'Global Average';
+        let sourceLabel = 'no local AI logs found';
+        let noData = true;
         if (carbon) {
           if (carbon.totalTokens > 0) {
             cachePct = ((carbon.cacheReadTokens / carbon.totalTokens) * 100).toFixed(1);
+            noData = false;
           }
           co2Str = `${carbon.localCo2Kg.toFixed(2)}kg CO2`;
           regionStr = carbon.localRegion;
+          sourceLabel = carbon.sourceLabel;
+        }
+        // One-line agent-reach summary (full detail in `outlier capabilities`).
+        let reachStr = pc.dim('run: outlier capabilities');
+        if (capabilities) {
+          const rc = capabilities.blastRadius;
+          const col = rc === 'CRITICAL' || rc === 'HIGH' ? pc.red : rc === 'MEDIUM' ? pc.yellow : pc.green;
+          const risky = capabilities.mcps.filter((m: any) => ['money','exec','deploy','write-remote','write-local'].includes(m.reach)).length;
+          reachStr = `${col(pc.bold(rc))} · ${capabilities.mcps.length} tools` + (risky ? pc.dim(`, ${risky} can write/deploy`) : '');
         }
         // The thermal receipt below is the single canonical output for `status`.
@@ -344,25 +449,32 @@ Conservative Floor: ${color(nmPct + '%')}`,
  ${pc.dim('│')} ${pc.cyan('█▄█ █▄█ ░█░ █▄▄ █ ██▄ █▀▄')}  ${pc.dim(`:: ${repoName} · ${dateStr}`)}
  ${pc.dim('├────────────────────────────────────────────────────────')}
  ${pc.dim('│')} ${pc.bold(pc.bgBlue(' WHO WROTE THE CODE '))}
- ${pc.dim('│')} AI    ${aiBar} ${authorshipStr}
+ ${pc.dim('│')} AI    ${aiBar} ${authorshipStr}${nmFloorStr}
  ${pc.dim('│')} You   ${humanBar} ${pc.bold(humanSov)}
+ ${pc.dim('│')} ${pc.dim('Typical: solo devs 10–40% · AI-framework repos up to ~80%')}
  ${pc.dim('│')}
- ${pc.dim('│')} ${verdictZone} — ${verdictText.split('\n').join('\n ' + pc.dim('│') + '   ')}
+ ${pc.dim('│')} ${verdictZone} — ${verdictText.split('\n').join('\n ' + pc.dim('│') + '   ')}${lowTrailerWarn}
  ${pc.dim('├────────────────────────────────────────────────────────')}
  ${pc.dim('│')} ${pc.bold(pc.bgMagenta(' WHAT IT COST '))}
  ${pc.dim('│')} Tokens used      ${pc.bold(totalTokensStr)}
  ${pc.dim('│')} Est. spend       ${pc.bold(estUsdStr)}
  ${pc.dim('│')} Re-used context  ${cacheBar} ${pc.bold(cachePct + '%')}
- ${pc.dim('│')} Energy           ${pc.bold(co2Str)} ${pc.dim(`(${regionStr} grid, rough)`)}
+ ${pc.dim('│')} Energy           ${pc.bold(co2Str)} ${pc.dim(`(${regionStr} grid)`)}
+ ${pc.dim('│')} ${pc.dim(`Source: ${sourceLabel}`)}
  ${pc.dim('│')}
  ${pc.dim('│')} ${cacheVerdict} — ${cacheText.split('\n').join('\n ' + pc.dim('│') + '   ')}
  ${pc.dim('├────────────────────────────────────────────────────────')}
+ ${pc.dim('│')} ${pc.bold(pc.bgCyan(pc.black(' WHAT YOUR AGENTS CAN REACH ')))}
+ ${pc.dim('│')} Blast radius   ${reachStr}
+ ${pc.dim('│')} ${pc.dim('Full map (deploy/push/write tools): outlier capabilities')}
+ ${pc.dim('├────────────────────────────────────────────────────────')}
  ${pc.dim('│')} ${pc.bold(pc.bgYellow(pc.black(' YOUR LIMIT ')))}
  ${pc.dim('│')} AI cap   ${pc.bold('70%')} ${pc.dim('· change with: outlier policy')}
  ${pc.dim('│')} Status   ${policyStatus} ${pc.dim('·')} ${policyAction}
  ${pc.dim('├────────────────────────────────────────────────────────')}
- ${pc.dim('│')} ${pc.dim(pc.italic('Run this before you start. Keep the skill while you'))}
- ${pc.dim('│')} ${pc.dim(pc.italic('use the speed.'))}
+ ${pc.dim('│')} ${pc.dim('Numbers are local estimates — authorship is a proxy and')}
+ ${pc.dim('│')} ${pc.dim('carbon is rough. How it works: outlier --help')}
+ ${pc.dim('│')} ${pc.dim(pc.italic('Run this before you start. Keep the skill while you use the speed.'))}
  ${pc.dim('└────────────────────────────────────────────────────────')}`;
         } else {
             note(
@@ -376,24 +488,42 @@ Conservative Floor: ${color(nmPct + '%')}`,
     }
   } else if (action === 'capabilities') {
-    s.start('Auditing AI surface area (MCPs, Skills, Orchestrators)...');
+    s.start('Mapping what your agents can reach...');
     try {
       const caps = await getCapabilitiesStats();
-      s.stop('Capabilities Scan Complete');
+      s.stop('Reach map complete');
+      const radiusColor = caps.blastRadius === 'CRITICAL' ? pc.red
+        : caps.blastRadius === 'HIGH' ? pc.red
+        : caps.blastRadius === 'MEDIUM' ? pc.yellow : pc.green;
+      // Group tools by reach so the risky ones stand out.
+      const order: string[] = ['money', 'exec', 'deploy', 'write-remote', 'write-local', 'data', 'network', 'model', 'read'];
+      const reachLabel: Record<string, string> = {
+        money: 'can move money', exec: 'can run shell', deploy: 'can deploy', 'write-remote': 'can push to repos',
+        'write-local': 'can write files', data: 'data stores', network: 'network', model: 'models', read: 'read-only',
+      };
+      const riskyReaches = new Set(['money', 'exec', 'deploy', 'write-remote', 'write-local']);
+      const toolLines = caps.mcps.length === 0 ? '  None detected'
+        : order.filter(r => caps.mcps.some(m => m.reach === r)).map(r => {
+            const names = caps.mcps.filter(m => m.reach === r).map(m => m.name).join(', ');
+            const tag = riskyReaches.has(r) ? pc.red(`[${reachLabel[r]}]`) : pc.dim(`[${reachLabel[r]}]`);
+            return `  ${tag} ${names}`;
+          }).join('\n');
       note(
-        `Orchestration Policy: ${caps.hasOrchestration ? pc.green('Detected (AGENTS.md)') : pc.yellow('None')}
+        `${pc.bold('BLAST RADIUS:')} ${radiusColor(pc.bold(caps.blastRadius))}  ${pc.dim('— if an agent or a prompt injection drives your tools')}
+${caps.blastReasons.length ? caps.blastReasons.map(r => `  ${pc.red('•')} ${r}`).join('\n') : pc.green('  • read-only — limited reach')}
-Active Skills (${caps.skills.length}):
-${caps.skills.length > 0 ? pc.cyan(caps.skills.map(s => `  • ${s}`).join('\n')) : '  None'}
+${pc.bold(`What your agents can reach (${caps.mcps.length} MCP tools):`)}
+${toolLines}
-Active MCP Servers (${caps.mcps.length}):
-${caps.mcps.length > 0 ? pc.magenta(caps.mcps.map(m => `  • ${m}`).join('\n')) : '  None'}
+${pc.bold('Automation & agents:')}
+  Hooks that fire for you: ${caps.hooks.length ? pc.yellow(caps.hooks.join(', ')) : 'none'}
+  Sub-agents: ${caps.subagents}   Skills: ${caps.skills.length}   Orchestration policy: ${caps.hasOrchestration ? pc.green('yes') : pc.yellow('no')}
-${pc.bold('Governance Assessment:')}
-This repository provides agents with ${caps.mcps.length} toolsets and ${caps.skills.length} skills.
-${caps.skills.length > 5 ? pc.red('⚠ High Surface Area: Ensure strict authorship review is enabled.') : pc.green('✓ Low Surface Area: Risk contained.')}`,
-        'AI Capabilities Map'
+${pc.dim('This is your attack surface. Fewer write/deploy tools per session = smaller blast radius.')}`,
+        'Agent Reach & Blast Radius'
       );
     } catch (e: any) {
       s.stop('Audit failed');
@@ -566,10 +696,20 @@ Artifact:     ${pc.cyan(reportPath)}`,
     console.log(`\nRead the full academic foundation at: ${pc.underline('https://github.com/rosh100yx/outlier')}\n`);
   }
-  outro('Local telemetry run completed. No data left your machine.');
+  outro('Done — nothing left your machine. (How it works: outlier --help)');
   if (typeof finalReceipt !== 'undefined' && finalReceipt) {
     console.log(finalReceipt);
+    // --save: write a plain-text (no color) copy of the receipt next to the repo.
+    if (process.argv.includes('--save')) {
+      const stripAnsi = (s: string) => s.replace(/\x1b\[[0-9;]*m/g, '');
+      const savePath = join(process.cwd(), 'outlier-audit.txt');
+      try {
+        writeFileSync(savePath, stripAnsi(finalReceipt).trimStart() + '\n');
+        console.log(pc.dim(`\n 💾 Saved to ${savePath}`));
+      } catch {}
+    }
   }
   if (action === 'status') {
@@ -586,13 +726,20 @@ Artifact:     ${pc.cyan(reportPath)}`,
     }
     console.log('');
     console.log(
-      pc.bold(pc.cyan(' └ Research: ')) + 'Contribute to the AI deskilling study ➔ ' + pc.bold('outlier participate')
+      pc.bold(pc.green(' 📸 Share: ')) + 'Screenshot this receipt, or post your score ➔ ' +
+      pc.underline('https://x.com/intent/tweet?text=I+just+audited+my+codebase+with+%23Outlier')
     );
     console.log(
-      pc.bold(pc.green(' └ Share: ')) + pc.underline('https://x.com/intent/tweet?text=I+just+audited+my+codebase+with+%23Outlier')
+      pc.bold(pc.cyan(' 🔬 Research: ')) + 'Help the AI-deskilling study — type:  ' + pc.bold('outlier participate')
+    );
+    if (!process.argv.includes('--save')) {
+      console.log(pc.dim(' 💾 Save: outlier status --save'));
+    }
+    console.log(
+      pc.dim('\n outlier does more than this audit — see how you adopt AI, what it')
     );
     console.log(
-      pc.dim('\n (To see all local governance modules, run: ') + pc.dim(pc.bold('outlier --help')) + pc.dim(')')
+      pc.dim(' costs, and what is actually working:  ') + pc.bold(pc.cyan('outlier --help'))
     );
   }
 }

package/src/emissions.ts ADDED Viewed

@@ -0,0 +1,69 @@
+// Offline, model-aware emissions engine.
+//
+// Local-first means NO network: no Electricity Maps / WattTime API calls. We bundle
+// the coefficients and look them up. This is the same approach CodeCarbon uses for its
+// offline tracker. Two inputs:
+//   1. per-model energy  (kWh per 1M output tokens) — output tokens dominate inference cost
+//   2. grid carbon intensity (gCO2 per kWh) for the assumed region
+//
+// All numbers are estimates with wide uncertainty (inference energy varies ~4-20x in the
+// literature). We expose the method so the UI can label provenance honestly. We never
+// claim precision we don't have.
+// Energy per 1M OUTPUT tokens, by model class (kWh). Anchor: the paper measured ~10 kWh
+// across 15.1M output tokens on Opus-class (~0.66). Smaller/faster models use materially
+// less. These are order-of-magnitude class estimates, not vendor figures.
+const MODEL_ENERGY_KWH_PER_M_OUTPUT: Record<string, number> = {
+  'opus':    0.66,  // large frontier (Claude Opus, GPT-4 class)
+  'sonnet':  0.30,  // mid (Claude Sonnet, GPT-4o)
+  'haiku':   0.10,  // small/fast (Claude Haiku, GPT-4o-mini)
+  'gpt-4':   0.55,
+  'gpt-4o':  0.30,
+  'gpt-5':   0.45,
+  'gemini':  0.35,  // Gemini Pro class
+  'flash':   0.10,  // Gemini Flash class
+  'local':   0.50,  // self-hosted / unknown open weights
+  'default': 0.45,  // unknown model -> conservative mid
+};
+// Map a raw model id (e.g. "claude-opus-4-8", "gpt-4o-mini", "gemini-2.5-flash") to a class.
+export function modelClass(modelId: string): string {
+  const m = (modelId || '').toLowerCase();
+  if (m.includes('opus')) return 'opus';
+  if (m.includes('sonnet')) return 'sonnet';
+  if (m.includes('haiku')) return 'haiku';
+  if (m.includes('flash') || m.includes('mini')) return 'haiku';
+  if (m.includes('gpt-5')) return 'gpt-5';
+  if (m.includes('gpt-4o')) return 'gpt-4o';
+  if (m.includes('gpt-4')) return 'gpt-4';
+  if (m.includes('gemini')) return 'gemini';
+  if (m.includes('llama') || m.includes('qwen') || m.includes('mistral') || m.includes('local')) return 'local';
+  return 'default';
+}
+export function energyKwhForModel(modelId: string, outputTokens: number): number {
+  const cls = modelClass(modelId);
+  const coeff = MODEL_ENERGY_KWH_PER_M_OUTPUT[cls] ?? 0.45;
+  return (outputTokens / 1_000_000) * coeff;
+}
+// Sum energy across a per-model output-token breakdown. Falls back to 'default' when the
+// model is unknown. Returns total kWh.
+export function energyKwhByModel(outputByModel: Record<string, number>): number {
+  let kwh = 0;
+  for (const [model, out] of Object.entries(outputByModel)) {
+    kwh += energyKwhForModel(model, out);
+  }
+  return kwh;
+}
+export interface EmissionsResult {
+  energyKwh: number;
+  co2Kg: number;
+  gridFactor: number;
+  method: string; // human-readable provenance for the UI
+}
+export function co2FromEnergy(energyKwh: number, gridFactorGPerKwh: number): number {
+  return (energyKwh * gridFactorGPerKwh) / 1000; // kg
+}

package/src/sources.ts ADDED Viewed

@@ -0,0 +1,110 @@
+// Source Detector — the foundation for being tool-agnostic.
+//
+// outlier reads whatever AI telemetry the developer's tools already leave on disk, then
+// uses the richest source per metric and labels its provenance. This keeps us local-first
+// (we never call a tool's API — we read the local trace it writes) and lets us add new
+// tools without changing the receipt.
+//
+// Provenance ladder (per metric): MEASURED  > ESTIMATED > PROXY > NONE.
+import { homedir } from 'os';
+import { join } from 'path';
+import { existsSync } from 'fs';
+import { execSync } from 'child_process';
+export type Provenance = 'measured' | 'estimated' | 'proxy' | 'none';
+export interface DetectedSources {
+  tools: string[];                 // tools/CLIs found on this machine
+  tokenSource: { name: string; provenance: Provenance };
+  carbonSource: { name: string; provenance: Provenance };
+  capabilitySource: { name: string; provenance: Provenance };
+}
+const HOME = homedir();
+function hasCli(cmd: string): boolean {
+  try {
+    // `command -v` is POSIX and does not execute the target.
+    execSync(`command -v ${cmd}`, { stdio: 'ignore' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function hasPath(p: string): boolean {
+  try { return existsSync(p); } catch { return false; }
+}
+// Fingerprint the local environment. Cheap checks only (no file reads here).
+export function detectSources(cwd: string = process.cwd()): DetectedSources {
+  const tools: string[] = [];
+  const add = (t: string) => { if (!tools.includes(t)) tools.push(t); };
+  // AI coding agents (CLI on PATH or a config dir)
+  const cliTools: Record<string, string> = {
+    claude: 'claude', cursor: 'cursor', aider: 'aider', gemini: 'gemini',
+    opencode: 'opencode', cody: 'cody', continue: 'continue', codex: 'codex',
+  };
+  for (const [name, cmd] of Object.entries(cliTools)) {
+    if (hasCli(cmd)) add(name);
+  }
+  for (const [name, dir] of Object.entries({
+    claude: '.claude', cursor: '.cursor', gemini: '.gemini',
+    codeium: '.codeium', continue: '.continue', aider: '.aider.conf.yml',
+  })) {
+    if (hasPath(join(HOME, dir))) add(name);
+  }
+  // Carbon/cost tooling that writes local data we can trust
+  if (hasCli('codecarbon')) add('codecarbon');
+  if (hasCli('ccusage')) add('ccusage');
+  // ---- Token / cost source (richest first) ----
+  const slug = cwd.replace(/\//g, '-');
+  const claudeProjectDir = join(HOME, '.claude', 'projects', slug);
+  const tokenomicsLog = join(HOME, '.claude', 'tokenomics-log.jsonl');
+  let tokenSource: DetectedSources['tokenSource'];
+  if (hasPath(tokenomicsLog)) {
+    // Custom Stop hook: carries a real cost_usd field -> measured cost.
+    tokenSource = { name: 'caveman tokenomics log', provenance: 'measured' };
+  } else if (hasPath(claudeProjectDir)) {
+    // Standard transcripts: real tokens, estimated cost.
+    tokenSource = { name: 'Claude Code transcripts', provenance: 'estimated' };
+  } else if (tools.includes('ccusage')) {
+    tokenSource = { name: 'ccusage', provenance: 'estimated' };
+  } else {
+    tokenSource = { name: 'none', provenance: 'none' };
+  }
+  // ---- Carbon source ----
+  // Baseline is our bundled offline model+grid ESTIMATE. CodeCarbon, when it has actually
+  // written an emissions.csv, is a higher-accuracy MEASURED path (parser wired in a later
+  // pass). We do not claim "measured" just because the CLI is installed.
+  let carbonSource: DetectedSources['carbonSource'];
+  const codecarbonData = hasPath(join(cwd, 'emissions.csv')) || hasPath(join(HOME, '.codecarbon', 'emissions.csv'));
+  if (codecarbonData) {
+    carbonSource = { name: 'CodeCarbon emissions.csv', provenance: 'measured' };
+  } else if (tokenSource.provenance !== 'none') {
+    carbonSource = { name: 'model+grid estimate', provenance: 'estimated' };
+  } else {
+    carbonSource = { name: 'none', provenance: 'none' };
+  }
+  // ---- Capability source ----
+  let capabilitySource: DetectedSources['capabilitySource'];
+  if (hasPath(join(HOME, '.claude', 'settings.json')) || hasPath(join(cwd, 'AGENTS.md')) || hasPath(join(cwd, '.mcp.json'))) {
+    capabilitySource = { name: 'local config (settings/AGENTS/MCP)', provenance: 'measured' };
+  } else {
+    capabilitySource = { name: 'none', provenance: 'none' };
+  }
+  return { tools, tokenSource, carbonSource, capabilitySource };
+}
+// Short label for the receipt, e.g. "measured · caveman tokenomics log".
+export function provLabel(s: { name: string; provenance: Provenance }): string {
+  if (s.provenance === 'none') return 'no local data';
+  return `${s.provenance} · ${s.name}`;
+}