ccgauge 1.0.2 → 1.0.4

package/.next/standalone/node_modules/semver/internal/re.js

@@ -0,0 +1,223 @@
+'use strict'
+
+const {
+  MAX_SAFE_COMPONENT_LENGTH,
+  MAX_SAFE_BUILD_LENGTH,
+  MAX_LENGTH,
+} = require('./constants')
+const debug = require('./debug')
+exports = module.exports = {}
+
+// The actual regexps go on exports.re
+const re = exports.re = []
+const safeRe = exports.safeRe = []
+const src = exports.src = []
+const safeSrc = exports.safeSrc = []
+const t = exports.t = {}
+let R = 0
+
+const LETTERDASHNUMBER = '[a-zA-Z0-9-]'
+
+// Replace some greedy regex tokens to prevent regex dos issues. These regex are
+// used internally via the safeRe object since all inputs in this library get
+// normalized first to trim and collapse all extra whitespace. The original
+// regexes are exported for userland consumption and lower level usage. A
+// future breaking change could export the safer regex only with a note that
+// all input should have extra whitespace removed.
+const safeRegexReplacements = [
+  ['\\s', 1],
+  ['\\d', MAX_LENGTH],
+  [LETTERDASHNUMBER, MAX_SAFE_BUILD_LENGTH],
+]
+
+const makeSafeRegex = (value) => {
+  for (const [token, max] of safeRegexReplacements) {
+    value = value
+      .split(`${token}*`).join(`${token}{0,${max}}`)
+      .split(`${token}+`).join(`${token}{1,${max}}`)
+  }
+  return value
+}
+
+const createToken = (name, value, isGlobal) => {
+  const safe = makeSafeRegex(value)
+  const index = R++
+  debug(name, index, value)
+  t[name] = index
+  src[index] = value
+  safeSrc[index] = safe
+  re[index] = new RegExp(value, isGlobal ? 'g' : undefined)
+  safeRe[index] = new RegExp(safe, isGlobal ? 'g' : undefined)
+}
+
+// The following Regular Expressions can be used for tokenizing,
+// validating, and parsing SemVer version strings.
+
+// ## Numeric Identifier
+// A single `0`, or a non-zero digit followed by zero or more digits.
+
+createToken('NUMERICIDENTIFIER', '0|[1-9]\\d*')
+createToken('NUMERICIDENTIFIERLOOSE', '\\d+')
+
+// ## Non-numeric Identifier
+// Zero or more digits, followed by a letter or hyphen, and then zero or
+// more letters, digits, or hyphens.
+
+createToken('NONNUMERICIDENTIFIER', `\\d*[a-zA-Z-]${LETTERDASHNUMBER}*`)
+
+// ## Main Version
+// Three dot-separated numeric identifiers.
+
+createToken('MAINVERSION', `(${src[t.NUMERICIDENTIFIER]})\\.` +
+                   `(${src[t.NUMERICIDENTIFIER]})\\.` +
+                   `(${src[t.NUMERICIDENTIFIER]})`)
+
+createToken('MAINVERSIONLOOSE', `(${src[t.NUMERICIDENTIFIERLOOSE]})\\.` +
+                        `(${src[t.NUMERICIDENTIFIERLOOSE]})\\.` +
+                        `(${src[t.NUMERICIDENTIFIERLOOSE]})`)
+
+// ## Pre-release Version Identifier
+// A numeric identifier, or a non-numeric identifier.
+// Non-numeric identifiers include numeric identifiers but can be longer.
+// Therefore non-numeric identifiers must go first.
+
+createToken('PRERELEASEIDENTIFIER', `(?:${src[t.NONNUMERICIDENTIFIER]
+}|${src[t.NUMERICIDENTIFIER]})`)
+
+createToken('PRERELEASEIDENTIFIERLOOSE', `(?:${src[t.NONNUMERICIDENTIFIER]
+}|${src[t.NUMERICIDENTIFIERLOOSE]})`)
+
+// ## Pre-release Version
+// Hyphen, followed by one or more dot-separated pre-release version
+// identifiers.
+
+createToken('PRERELEASE', `(?:-(${src[t.PRERELEASEIDENTIFIER]
+}(?:\\.${src[t.PRERELEASEIDENTIFIER]})*))`)
+
+createToken('PRERELEASELOOSE', `(?:-?(${src[t.PRERELEASEIDENTIFIERLOOSE]
+}(?:\\.${src[t.PRERELEASEIDENTIFIERLOOSE]})*))`)
+
+// ## Build Metadata Identifier
+// Any combination of digits, letters, or hyphens.
+
+createToken('BUILDIDENTIFIER', `${LETTERDASHNUMBER}+`)
+
+// ## Build Metadata
+// Plus sign, followed by one or more period-separated build metadata
+// identifiers.
+
+createToken('BUILD', `(?:\\+(${src[t.BUILDIDENTIFIER]
+}(?:\\.${src[t.BUILDIDENTIFIER]})*))`)
+
+// ## Full Version String
+// A main version, followed optionally by a pre-release version and
+// build metadata.
+
+// Note that the only major, minor, patch, and pre-release sections of
+// the version string are capturing groups.  The build metadata is not a
+// capturing group, because it should not ever be used in version
+// comparison.
+
+createToken('FULLPLAIN', `v?${src[t.MAINVERSION]
+}${src[t.PRERELEASE]}?${
+  src[t.BUILD]}?`)
+
+createToken('FULL', `^${src[t.FULLPLAIN]}$`)
+
+// like full, but allows v1.2.3 and =1.2.3, which people do sometimes.
+// also, 1.0.0alpha1 (prerelease without the hyphen) which is pretty
+// common in the npm registry.
+createToken('LOOSEPLAIN', `[v=\\s]*${src[t.MAINVERSIONLOOSE]
+}${src[t.PRERELEASELOOSE]}?${
+  src[t.BUILD]}?`)
+
+createToken('LOOSE', `^${src[t.LOOSEPLAIN]}$`)
+
+createToken('GTLT', '((?:<|>)?=?)')
+
+// Something like "2.*" or "1.2.x".
+// Note that "x.x" is a valid xRange identifer, meaning "any version"
+// Only the first item is strictly required.
+createToken('XRANGEIDENTIFIERLOOSE', `${src[t.NUMERICIDENTIFIERLOOSE]}|x|X|\\*`)
+createToken('XRANGEIDENTIFIER', `${src[t.NUMERICIDENTIFIER]}|x|X|\\*`)
+
+createToken('XRANGEPLAIN', `[v=\\s]*(${src[t.XRANGEIDENTIFIER]})` +
+                   `(?:\\.(${src[t.XRANGEIDENTIFIER]})` +
+                   `(?:\\.(${src[t.XRANGEIDENTIFIER]})` +
+                   `(?:${src[t.PRERELEASE]})?${
+                     src[t.BUILD]}?` +
+                   `)?)?`)
+
+createToken('XRANGEPLAINLOOSE', `[v=\\s]*(${src[t.XRANGEIDENTIFIERLOOSE]})` +
+                        `(?:\\.(${src[t.XRANGEIDENTIFIERLOOSE]})` +
+                        `(?:\\.(${src[t.XRANGEIDENTIFIERLOOSE]})` +
+                        `(?:${src[t.PRERELEASELOOSE]})?${
+                          src[t.BUILD]}?` +
+                        `)?)?`)
+
+createToken('XRANGE', `^${src[t.GTLT]}\\s*${src[t.XRANGEPLAIN]}$`)
+createToken('XRANGELOOSE', `^${src[t.GTLT]}\\s*${src[t.XRANGEPLAINLOOSE]}$`)
+
+// Coercion.
+// Extract anything that could conceivably be a part of a valid semver
+createToken('COERCEPLAIN', `${'(^|[^\\d])' +
+              '(\\d{1,'}${MAX_SAFE_COMPONENT_LENGTH}})` +
+              `(?:\\.(\\d{1,${MAX_SAFE_COMPONENT_LENGTH}}))?` +
+              `(?:\\.(\\d{1,${MAX_SAFE_COMPONENT_LENGTH}}))?`)
+createToken('COERCE', `${src[t.COERCEPLAIN]}(?:$|[^\\d])`)
+createToken('COERCEFULL', src[t.COERCEPLAIN] +
+              `(?:${src[t.PRERELEASE]})?` +
+              `(?:${src[t.BUILD]})?` +
+              `(?:$|[^\\d])`)
+createToken('COERCERTL', src[t.COERCE], true)
+createToken('COERCERTLFULL', src[t.COERCEFULL], true)
+
+// Tilde ranges.
+// Meaning is "reasonably at or greater than"
+createToken('LONETILDE', '(?:~>?)')
+
+createToken('TILDETRIM', `(\\s*)${src[t.LONETILDE]}\\s+`, true)
+exports.tildeTrimReplace = '$1~'
+
+createToken('TILDE', `^${src[t.LONETILDE]}${src[t.XRANGEPLAIN]}$`)
+createToken('TILDELOOSE', `^${src[t.LONETILDE]}${src[t.XRANGEPLAINLOOSE]}$`)
+
+// Caret ranges.
+// Meaning is "at least and backwards compatible with"
+createToken('LONECARET', '(?:\\^)')
+
+createToken('CARETTRIM', `(\\s*)${src[t.LONECARET]}\\s+`, true)
+exports.caretTrimReplace = '$1^'
+
+createToken('CARET', `^${src[t.LONECARET]}${src[t.XRANGEPLAIN]}$`)
+createToken('CARETLOOSE', `^${src[t.LONECARET]}${src[t.XRANGEPLAINLOOSE]}$`)
+
+// A simple gt/lt/eq thing, or just "" to indicate "any version"
+createToken('COMPARATORLOOSE', `^${src[t.GTLT]}\\s*(${src[t.LOOSEPLAIN]})$|^$`)
+createToken('COMPARATOR', `^${src[t.GTLT]}\\s*(${src[t.FULLPLAIN]})$|^$`)
+
+// An expression to strip any whitespace between the gtlt and the thing
+// it modifies, so that `> 1.2.3` ==> `>1.2.3`
+createToken('COMPARATORTRIM', `(\\s*)${src[t.GTLT]
+}\\s*(${src[t.LOOSEPLAIN]}|${src[t.XRANGEPLAIN]})`, true)
+exports.comparatorTrimReplace = '$1$2$3'
+
+// Something like `1.2.3 - 1.2.4`
+// Note that these all use the loose form, because they'll be
+// checked against either the strict or loose comparator form
+// later.
+createToken('HYPHENRANGE', `^\\s*(${src[t.XRANGEPLAIN]})` +
+                   `\\s+-\\s+` +
+                   `(${src[t.XRANGEPLAIN]})` +
+                   `\\s*$`)
+
+createToken('HYPHENRANGELOOSE', `^\\s*(${src[t.XRANGEPLAINLOOSE]})` +
+                        `\\s+-\\s+` +
+                        `(${src[t.XRANGEPLAINLOOSE]})` +
+                        `\\s*$`)
+
+// Star ranges basically just allow anything at all.
+createToken('STAR', '(<|>)?=?\\s*\\*')
+// >=0.0.0 is like a star
+createToken('GTE0', '^\\s*>=\\s*0\\.0\\.0\\s*$')
+createToken('GTE0PRE', '^\\s*>=\\s*0\\.0\\.0-0\\s*$')

package/.next/standalone/node_modules/semver/package.json

@@ -0,0 +1,78 @@
+{
+  "name": "semver",
+  "version": "7.7.4",
+  "description": "The semantic version parser used by npm.",
+  "main": "index.js",
+  "scripts": {
+    "test": "tap",
+    "snap": "tap",
+    "lint": "npm run eslint",
+    "postlint": "template-oss-check",
+    "lintfix": "npm run eslint -- --fix",
+    "posttest": "npm run lint",
+    "template-oss-apply": "template-oss-apply --force",
+    "eslint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\""
+  },
+  "devDependencies": {
+    "@npmcli/eslint-config": "^6.0.0",
+    "@npmcli/template-oss": "4.29.0",
+    "benchmark": "^2.1.4",
+    "tap": "^16.0.0"
+  },
+  "license": "ISC",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/npm/node-semver.git"
+  },
+  "bin": {
+    "semver": "bin/semver.js"
+  },
+  "files": [
+    "bin/",
+    "lib/",
+    "classes/",
+    "functions/",
+    "internal/",
+    "ranges/",
+    "index.js",
+    "preload.js",
+    "range.bnf"
+  ],
+  "tap": {
+    "timeout": 30,
+    "coverage-map": "map.js",
+    "nyc-arg": [
+      "--exclude",
+      "tap-snapshots/**"
+    ]
+  },
+  "engines": {
+    "node": ">=10"
+  },
+  "author": "GitHub Inc.",
+  "templateOSS": {
+    "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
+    "version": "4.29.0",
+    "engines": ">=10",
+    "distPaths": [
+      "classes/",
+      "functions/",
+      "internal/",
+      "ranges/",
+      "index.js",
+      "preload.js",
+      "range.bnf"
+    ],
+    "allowPaths": [
+      "/classes/",
+      "/functions/",
+      "/internal/",
+      "/ranges/",
+      "/index.js",
+      "/preload.js",
+      "/range.bnf",
+      "/benchmarks"
+    ],
+    "publish": "true"
+  }
+}

package/.next/standalone/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ccgauge",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "Local web dashboard for Claude Code and OpenAI Codex CLI token usage and cost",
   "keywords": [
     "claude",
@@ -64,10 +64,16 @@
     "start:next": "next start -p 3737",
     "lint": "eslint .",
     "typecheck": "tsc --noEmit",
-    "test": "node --experimental-strip-types --no-warnings scripts/test-codex-parser.mjs",
+    "test": "node --experimental-strip-types --no-warnings scripts/test-codex-parser.mjs && node --experimental-strip-types --no-warnings scripts/test-turns.mjs && node --experimental-strip-types --no-warnings scripts/test-source-merge.mjs && node --experimental-strip-types --no-warnings scripts/test-cost-from-usage.mjs && node --experimental-strip-types --no-warnings scripts/test-range.mjs && node scripts/check-parser-versions.mjs && node scripts/check-readme-images.mjs",
     "test:mcp": "node scripts/test-mcp-server.mjs",
     "clean": "node -e \"for (const p of ['.next','node_modules','tsconfig.tsbuildinfo']) require('node:fs').rmSync(p,{recursive:true,force:true})\"",
     "screenshots": "node scripts/screenshots.mjs",
+    "site:dev": "cd site && astro dev --port 4321",
+    "site:build": "cd site && astro build",
+    "site:preview": "cd site && astro preview --port 4322",
+    "site:check": "cd site && astro check",
+    "site:gen:placeholders": "node site/scripts/gen-placeholders.mjs",
+    "site:clean": "node -e \"for (const p of ['site/dist','site/.astro','site/node_modules']) require('node:fs').rmSync(p,{recursive:true,force:true})\"",
     "prepack": "pnpm build"
   },
   "dependencies": {
@@ -77,10 +83,15 @@
     "open": "^10.1.0"
   },
   "devDependencies": {
+    "@astrojs/check": "^0.9.4",
+    "@astrojs/tailwind": "^5.1.4",
     "@eslint/eslintrc": "^3.3.5",
+    "@fontsource-variable/geist": "^5.1.1",
+    "@fontsource-variable/geist-mono": "^5.1.1",
     "@types/node": "^22.10.0",
     "@types/react": "^19.0.0",
     "@types/react-dom": "^19.0.0",
+    "astro": "^4.16.18",
     "autoprefixer": "^10.4.20",
     "clsx": "^2.1.1",
     "date-fns": "^4.1.0",

package/.next/standalone/public/favicon.svg

@@ -1,7 +1,21 @@
 <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64" fill="none">
-  <rect width="64" height="64" rx="14" fill="#4F46E5"/>
-  <path d="M14 41 A18 18 0 0 1 50 41" stroke="#fff" stroke-opacity="0.32" stroke-width="4.5" stroke-linecap="round"/>
-  <path d="M14 41 A18 18 0 0 1 43.2 25.4" stroke="#fff" stroke-width="4.5" stroke-linecap="round"/>
-  <line x1="32" y1="41" x2="42" y2="27" stroke="#fff" stroke-width="2.5" stroke-linecap="round"/>
-  <circle cx="32" cy="41" r="3" fill="#fff"/>
+  <title>ccgauge</title>
+  <rect x="3" y="3" width="58" height="58" rx="16" fill="#6366F1"/>
+  <rect x="3.75" y="3.75" width="56.5" height="56.5" rx="15.25" stroke="#FFFFFF" stroke-opacity="0.18" stroke-width="1.5"/>
+  <path d="M15 39.5 A17 17 0 0 1 49 39.5" stroke="#FFFFFF" stroke-opacity="0.24" stroke-width="5" stroke-linecap="round"/>
+  <path d="M20.8 39.5 A11.2 11.2 0 0 1 43.2 39.5" stroke="#FFFFFF" stroke-opacity="0.2" stroke-width="1.8" stroke-linecap="round"/>
+  <path d="M15 39.5 A17 17 0 0 1 42.8 26" stroke="#FFFFFF" stroke-width="5" stroke-linecap="round"/>
+  <g stroke="#FFFFFF" stroke-linecap="round" stroke-width="2" stroke-opacity="0.54">
+    <path d="M18.1 34.2 L15 32.4"/>
+    <path d="M24 28.5 L22.3 25.5"/>
+    <path d="M32 26.2 L32 22.8"/>
+    <path d="M40 28.5 L41.7 25.5"/>
+    <path d="M45.9 34.2 L49 32.4"/>
+  </g>
+  <path d="M32 39.5 L42.8 26" stroke="#FFFFFF" stroke-width="3.4" stroke-linecap="round"/>
+  <circle cx="32" cy="39.5" r="4.8" fill="#FFFFFF"/>
+  <circle cx="32" cy="39.5" r="2" fill="#4F46E5"/>
+  <rect x="17" y="46" width="7" height="5" rx="2" fill="#34D399"/>
+  <rect x="28.5" y="43" width="7" height="8" rx="2" fill="#FBBF24"/>
+  <rect x="40" y="45" width="7" height="6" rx="2" fill="#93C5FD"/>
 </svg>

package/CHANGELOG.md

@@ -5,6 +5,217 @@ All notable changes to **ccgauge** are documented here.
 The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.4] — 2026-05-18
+
+Correctness fixes + much stronger test coverage, plus a brand refresh
+and a marketing-site restructure. No new runtime features.
+
+### Fixed
+
+- **Windows path sanitization.** `sanitizeForUser` now also strips
+  forward-slashed, JSON-escaped, and long-path (`\\?\`) variants of
+  `homedir()`, not just the literal `C:\Users\<name>` form. macOS /
+  Linux behaviour unchanged.
+- **5h-block empty state** follows the active source —
+  `?source=codex` no longer says "Send a message in Claude Code".
+  Same fix on the Codex tab inside the All view.
+- **`combineTimeBuckets` shared-reference bug.** Shallow-cloned model
+  entries were aliased back into the indexer's aggregator cache, so
+  downstream mutations could poison subsequent reads. Deep-cloned on
+  insertion; pinned by a new test.
+- **`safeMcpHandler` non-Error throws** are now wrapped + scrubbed
+  before re-throw; the previous branch silently fell through, shipping
+  unscrubbed payloads into the MCP envelope.
+
+### Added
+
+- **6 test / drift scripts**, all wired into `pnpm test`:
+  `test-turns`, `test-source-merge`, `test-cost-from-usage`,
+  `test-range` (fixture-based unit tests for the four core code
+  paths), plus `check-parser-versions` and `check-readme-images` (CI
+  drift guards for silently-stale-cache and broken-npm-image
+  regressions).
+
+### Changed
+
+- **Refined gauge brand mark**, unified across the dashboard, the
+  marketing site, and both favicons. Cleaner geometry (centre at
+  (32, 41), radius 18; arc + needle terminating on the dial rim),
+  Indigo-400 → -600 gradient background, white-ring pivot. New shared
+  `<LogoMark>` component on the marketing site so its Nav + Footer
+  now use the same mark as the dashboard.
+- **Marketing site is source-only.** Removed `site/package.json` and
+  `site/pnpm-lock.yaml`; Astro deps live in root `devDependencies`,
+  commands are explicit `pnpm site:*`. Still excluded from the npm
+  tarball (`pnpm pack --dry-run | grep -c '^site/'` → `0`).
+- **Theme-aware product screenshots.** New `<ThemedScreenshot>`
+  component swaps between dark / light captures via the
+  `.theme-light` class on `<html>`. 24 captures (6 pages × 2 locales
+  × 2 themes) generated by an expanded `scripts/screenshots.mjs`.
+- **OG cards** regenerated at higher fidelity.
+- **`cost_estimator` MCP tool** description spells out that reasoning
+  tokens are already counted inside `output_tokens` — don't
+  double-count.
+- **Activity heatmap tooltip** finally renders the share / of-peak
+  labels that were defined but never used.
+- **`CacheCreationBlock` type** extracted in `parse-jsonl.ts`.
+- **CLI `readState()`** type-guards `pid` / `url` / `logFile`.
+
+### Internal
+
+- MCP server warm-up comment clarifies the fire-and-forget
+  `getMcpIndexerReady()` is a cold-start shave — tool handlers still
+  await the same memoized init promise.
+- `AGENTS.md` + bundled READMEs updated for the source-only site
+  layout and the new `pnpm site:*` command set.
+
+## [1.0.3] — 2026-05-15
+
+A focused **MCP server** correctness + performance + ergonomics pass,
+plus a docs catch-up for the marketing site and the bundled READMEs.
+Dashboard runtime is unchanged from 1.0.2. The MCP server adds a 9th
+tool (`cost_estimator`), gets ~4× faster on weekly summaries, halves
+its bundle size, and ships a `ccgauge mcp --check` self-test.
+
+### Highlights
+
+- **9 MCP tools** — added `cost_estimator(source, model, input_tokens,
+  output_tokens, …)` for pure pricing what-ifs (no record lookup).
+  Pairs with `usage_summary` for "if I run X more on Opus 4.7, what
+  does it add to my month-to-date?".
+- **`weekly_summary` is ~4× faster.** Rewrote the per-day trend from
+  8 full record-set passes (1 totals + 7 daily totals × 2 internal
+  source filters) down to a single `timeBuckets('day')` call + a
+  7-slot skeleton merge. Same JSON shape out, including zero-fill
+  for empty days.
+- **MCP bundle 810 KB → 379 KB.** esbuild `minify: true` +
+  `external: ['fsevents']` shaves 53% off the published tarball's
+  MCP slice with no runtime behaviour change.
+- **`ccgauge mcp --check`** — verifies the bundle, boots the indexer,
+  and prints one line per provider (files / records / scanned dirs).
+  Lets users debug "Claude Desktop doesn't see ccgauge tools"
+  without spinning up an MCP client first.
+
+### Added
+
+- `cost_estimator` MCP tool — uses the provider's built-in
+  per-1M-token pricing table; does NOT consult usage history.
+  Useful for budgeting and cap planning.
+- `ccgauge mcp --check` self-test command.
+- README cross-references for both new entry points (`mcp --check`,
+  `cost_estimator`) in en + zh.
+- `__SERVER_VERSION__` injected by esbuild from `package.json#version`
+  so the server's MCP handshake always agrees with the npm release.
+
+### Changed
+
+- **`ccgauge mcp` runs in-process.** The CLI subcommand used to
+  spawn a second Node process for the bundled server (`spawn(node,
+  [bundle])`); it now `await import()`s the bundle and calls
+  `runStdioServer()` directly. Saves ~80–150 ms per invocation and
+  removes a brittle signal-forwarding shim.
+- **MCP responses are compact JSON.** Drop the `JSON.stringify(...,
+  null, 2)` pretty-print on every tool response — LLMs don't read
+  indentation but pay for it. ~30–50% smaller responses for the
+  heavier tools (`weekly_summary`, `usage_by_session`).
+  `CCGAUGE_MCP_PRETTY=1` re-enables.
+- **Default limits on `usage_by_model` (20) and `usage_by_project`
+  (20).** The cap existed as a max; the default is now the same
+  value. A user asking "what did I work on this year" with hundreds
+  of projects no longer gets a 200-entry payload.
+- **`recent_activity` defaults to a 30-day window** (`days` arg to
+  widen). Previously aggregated every session across the user's
+  full CLI lifetime just to return the top 10 by `end_time` — cost
+  grew linearly with history.
+- **Day-aligned named ranges.** `7d` / `30d` / `90d` now map to
+  `[start-of(N-1 days ago), end-of-today]` like `today` /
+  `yesterday` / `this_week` already did. Previously `7d` was a
+  rolling 7×24h window, so summing seven `daily_summary` calls
+  didn't equal one `usage_summary({range:"7d"})` — they do now.
+- **README Highlights refreshed** (en + zh). New top-level subsections
+  for `ccgauge report` (CLI) and `ccgauge mcp` (MCP server) so the
+  two no-server entry points are visible in the first scroll.
+  Cross-provider section updated for 1.0.2's tri-state switcher +
+  real provider logos + worktree-aware Projects collapsing.
+  Drill-down section mentions the Tokens / Conversations trend toggle.
+
+### Fixed
+
+- **`parseDateLike` no longer accepts calendar-overflow dates with
+  a time suffix.** `2026-02-31T00:00:00` used to silently roll
+  forward to March 3 (JS `new Date()` normalises invalid dates);
+  now both the bare-date branch and the time-suffix branch reject
+  it. Affects every MCP date arg, the dashboard's `from`/`to` URL
+  params, and `ccgauge report --since`/`--until`.
+- **`SERVER_VERSION` no longer hardcoded** to `0.4.0`. Now sourced
+  from `package.json#version` at bundle time, so the MCP server's
+  `initialize` response reports the same version as the npm release
+  it shipped in.
+- **README `range: "14d"` example was bogus** — the schema enum
+  doesn't accept `14d`, so following the README's project-breakdown
+  prompt produced an error. Replaced with the explicit-`from`/`to`
+  form. Same fix in `README.zh-CN.md`.
+
+### Performance
+
+| Metric | Before | After |
+| --- | --- | --- |
+| `dist/mcp/server.mjs` size | 810 KB | **379 KB** (-53%) |
+| `weekly_summary` record-set passes | 8 (+ 2 internal source filters each) | **2** |
+| `recent_activity` aggregation scope | every session ever | **last 30 days** |
+| MCP response JSON byte count (typical) | indented | **~half** |
+| Aggregator `withinRange` Date#toISOString() calls | per record × N filters | **once per call** |
+
+### Security / privacy
+
+- **MCP tool errors are scrubbed of `$HOME` paths** before they
+  reach the SDK's error envelope. Belt-and-suspenders today (the
+  only user-visible throws are clean date-arg validators), but
+  defends against future error paths that might wrap an indexer
+  error. Extracted the existing `sanitizeForUser` from the indexer
+  module into a shared `lib/sanitize` so both layers use one
+  definition.
+
+### Internal
+
+- `lib/aggregator/index.ts` — entry-point functions now hoist
+  `from/to → ISO string` and `models/projects → Set` once per
+  call instead of recomputing them per record. Measurable on the
+  `weekly_summary` hot path; invisible for the dashboard's
+  single-pass aggregators.
+- New `lib/mcp/text-result.ts` — single source of truth for the
+  MCP response wrapper. `lib/mcp/safe-handler.ts` — HOF that wraps
+  tool callbacks with the path-scrub guard.
+- `parseDayArg` moved from `tools/activity.ts` to `mcp/context.ts`
+  next to `parseDateRange` so the two share a single implementation
+  of the "today / yesterday / monday / YYYY-MM-DD" parser.
+- 30 s polling fallback in the indexer is now **off by default for
+  the MCP instance** and **on by default for the dashboard**.
+  Override with `CCGAUGE_POLL_FALLBACK={0,1}`. The MCP server runs
+  in a background daemon spawned by an LLM client and shouldn't
+  keep the host warm just to catch the rare `fs.watch(recursive)`
+  miss.
+- `AGENTS.md` documents the `site/` sub-project, the v4 sidechain
+  merge invariant, a release checklist, and the
+  `raw.githubusercontent.com` hero-image fragility. Two new
+  "intentionally NOT supported" items: folding `site/` into a pnpm
+  workspace, and letting `site/` leak into the npm tarball.
+
+### Docs (doesn't ship to npm)
+
+- Marketing site (`site/`) catches up to 1.0.2: features page
+  covers All view + conversation-count toggle + worktree merging;
+  homepage hero, "Multi-source analytics" card, and ScreenshotFrame
+  now use three distinct screenshots; hardcoded `v1.0.0` eyebrows
+  removed.
+- `site/public/images/README.md` rewritten as a single-source-of-
+  truth inventory (file → used-by → source), with the prompt
+  catalogue trimmed to filenames that actually exist. Legacy
+  placeholder SVGs moved to an explicit "kept but unused"
+  subsection.
+- `site/public/robots.txt` no longer points at a non-existent
+  `sitemap-index.xml`.
+
 ## [1.0.2] — 2026-05-15
 
 This release brings the dashboard the long-requested **All view** (one
@@ -531,6 +742,7 @@ of HTML to the browser.
 - Initial public release as `ccgauge`: local Next.js dashboard for
   Claude Code token usage, cost, and 5-hour block tracking.
 
+[1.0.3]: https://github.com/chengzuopeng/ccgauge/compare/v1.0.2...v1.0.3
 [1.0.2]: https://github.com/chengzuopeng/ccgauge/compare/v1.0.1...v1.0.2
 [1.0.1]: https://github.com/chengzuopeng/ccgauge/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/chengzuopeng/ccgauge/compare/v0.4.0...v1.0.0