cctally 1.7.2 → 1.7.4

package/CHANGELOG.md

@@ -5,6 +5,33 @@ based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
+## [1.7.4] - 2026-05-17
+
+### Changed
+- Extract leaf+mid kernel symbols (eprint, datetime/week helpers, alerts validation, open_db, make_week_ref, get_latest_usage_for_week) from `bin/cctally` into new `bin/_cctally_core.py`; rewrite ~200 sibling shim functions to honest top-level imports; the `c = _cctally()` accessor now survives only for residual Z-high cross-cutters (#50)
+
+### Fixed
+- `cctally blocks`: round-5 Bug J follow-up — `_load_recorded_five_hour_windows` now sorts `credit_moments` ascending before the inner credit-pick loop. The pre-fix loop broke on the first matching credit in `[next_bs, rs]` regardless of order; with two in-place credits inside the same pre-credit canonical 5h window and SQLite returning rows in insertion order (no `ORDER BY` on `week_reset_events`), pair `(A, B)` could latch onto credit_2 instead of credit_1, collapsing two distinct truncated anchors onto the same 10-minute floor and silently dropping one via override-map overwrite — re-introducing the phantom heuristic `~` row Bug J was meant to eliminate. Sorting once ensures the break consistently picks the earliest credit, which by construction is the one whose floor equals the next block's `block_start_at`. P2 (not seen in production; every observed in-place credit so far is one-per-week). Regressions: `tests/test_in_place_credit_detection.py::test_load_recorded_five_hour_windows_truncates_each_overlap_independently` (exercises reverse-time SQL order to prove the order-dependent bug) + `test_group_entries_into_blocks_no_phantom_between_two_credits` (renderer-side defense in depth — three canonical blocks render with `recorded` anchor and no `~` row in the gap). Issue [#44](https://github.com/omrikais/cctally-dev/issues/44).
+- `cctally record-usage`: in-place weekly credit race-defensive cleanup is now drift-tolerant. The DELETE that scrubs stale-replica snapshots out of the post-credit segment switched from strict `round(weekly_percent, 1) = round(prior_pct, 1)` equality to a `ABS(weekly_percent - ?) < 1.0` tolerance band around the observed pre-credit baseline. Today `claude-statusline` replays cctally's `hwm-7d` value byte-identically (its in-memory HWM equals the HWM we just wrote), so the existing strict predicate has worked — this is forward-looking defense. If Anthropic ever rounds the `--percent` payload differently from the OAuth API used by `record-usage`, or if `statusline` grows its own coarser rounding, a replay at e.g. `67.5` against a stored `prior_pct = 67.4` would slip past strict equality and then dominate the reset-aware clamp's MAX over the post-credit segment, masking legitimate post-credit values. 1.0pp band absorbs single-digit rounding drift; legitimate post-credit observations are ≥25pp away by the detection threshold's hypothesis so they're never caught. New schema migration `007_observed_pre_credit_pct` adds a nullable `observed_pre_credit_pct REAL` column to `week_reset_events`; the in-place credit INSERT stamps the value at write time so future cleanup tooling can re-derive the baseline without re-walking the snapshot stream. Simple `ALTER TABLE ADD COLUMN` — no UNIQUE constraint change, so no rename-recreate-copy (contrast migrations 005 / 006); live `CREATE TABLE` updated in lockstep so fresh installs land the new column directly via the dispatcher's fresh-install fast-stamp. Regression: `tests/test_in_place_credit_detection.py::test_credit_branch_cleanup_tolerates_rounding_drift` reproduces the drift scenario (stale replay at 67.5 vs prior_pct=67.4) — fails under strict-equality, passes under the band. P2 defensive hardening; not seen in production. Issue [#45](https://github.com/omrikais/cctally-dev/issues/45).
+- `cctally record-usage`: in-place 5h credit race-defensive cleanup is now drift-tolerant — symmetric follow-up to the weekly fix above. The DELETE that scrubs stale-replica snapshots out of the post-credit 5h segment switched from strict `round(five_hour_percent, 1) = round(prior_5h_pct, 1)` equality to a `ABS(five_hour_percent - ?) < 1.0` tolerance band around the observed pre-credit baseline. Pure predicate change — no migration needed because `five_hour_reset_events.prior_percent` (stamped at write time since v1.7.3, issue #43) already provides the durable pre-credit value that the weekly variant required migration 007 to add. Same forward-looking failure mode as the weekly path: if Anthropic ever rounds the `--five-hour-percent` payload differently from the OAuth API used by `record-usage`, or if `statusline` grows its own coarser rounding for the 5h dimension, a replay at e.g. `27.5` against a stored `prior_5h_pct = 27.4` would slip past strict equality and then dominate the reset-aware 5h clamp's MAX over the post-credit segment, masking legitimate post-credit 5h values. The 1.0pp band stays 4pp below the 5.0pp `_FIVE_HOUR_RESET_PCT_DROP_THRESHOLD` so legitimate post-credit observations (≥5pp away from `prior_5h_pct` by the detection threshold's hypothesis) are never caught. Regression: `tests/test_in_place_5h_credit_detection.py::test_credit_branch_5h_cleanup_tolerates_rounding_drift` reproduces the drift scenario (stale 27.5 replay vs `prior_5h_pct=27.4` → reset-aware 5h clamp masks the legitimate 4.0% post-credit seed up to 27.5 under strict equality; the band catches the replay and the seed lands). P2 defensive hardening; not seen in production. Issue [#48](https://github.com/omrikais/cctally-dev/issues/48).
+
+## [1.7.3] - 2026-05-16
+
+### Added
+- `cctally record-usage`: detect in-place 5h credits on a `>=5.0pp` drop within the same canonical `five_hour_window_key` while `prior_5h_resets_at > now_utc`; write a `five_hour_reset_events` row with the credit moment floored to a 10-minute slot on `effective_reset_at_utc` (supports stacked credits across DISTINCT 10-min slots up to ~30 per 5h block; same-slot collisions silently absorbed by `INSERT OR IGNORE` per spec §2.3 documented cap — an intentional bound, not a bug); force-write `hwm-5h` via the credit-only escape hatch since the normal monotonic-up write at `bin/_cctally_record.py:1722-1731` would refuse to decrease it; then DELETE stale-replica snapshots scoped to `(five_hour_window_key = ?, captured_at_utc >= effective_iso, round(five_hour_percent, 1) = round(prior_5h_pct, 1))` so `claude-statusline`'s in-memory replay of pre-credit `--percent` values across the credit moment cannot poison the post-credit clamp segment. Mirrors the v1.7.2 weekly credit-detection path parallel-not-identical; threshold is 5pp (not 25) because intra-block percents are smaller, and `effective_reset_at_utc` floor is 10 minutes (not the hour) so distinct intra-hour stacked credits stay reachable.
+- schema: new `five_hour_reset_events` table with columns `(detected_at_utc, five_hour_window_key, prior_percent, post_percent, effective_reset_at_utc)` and `UNIQUE(five_hour_window_key, effective_reset_at_utc)`. Payload diverges from the weekly precedent (`prior_percent` + `post_percent` instead of boundary keys) because the 5h variant has a stable canonical window key and only the percent moves — storing both lets renderers show `−Δpp` without re-querying snapshots and supports the rare stacked-credit chain across distinct 10-minute slots. Created adjacent to `week_reset_events` in `_apply_schema` (both are parallel concepts at different cadences); no FK on `five_hour_window_key` per the CLAUDE.md documentation-only-FK gotcha; no `_backfill_five_hour_reset_events` call (forward-only ship per spec Q5; historical backfill deferred).
+- migration `006_five_hour_milestones_reset_event_id`: adds `reset_event_id INTEGER NOT NULL DEFAULT 0` to `five_hour_milestones` and reshapes UNIQUE from `(five_hour_window_key, percent_threshold)` to `(five_hour_window_key, percent_threshold, reset_event_id)` so post-credit threshold crossings re-fire as distinct rows instead of being silently absorbed by `INSERT OR IGNORE` against the pre-credit row at the same threshold. SQLite can't ALTER a UNIQUE constraint in place — the handler uses the rename-recreate-copy idiom inside its own `BEGIN/COMMIT`. Live DDL at `bin/cctally:3902` is updated in lockstep with the migration handler so the dispatcher's fresh-install fast-stamp path lands the correct shape without invoking the handler; the `PRAGMA table_info` probe stamps the marker without redoing the rename when the column is already present (covers fresh-install + partial-failure-retry cases). Mirrors weekly migration 005's pattern. Sentinel `0` = pre-credit / no-event; existing rows backfill to 0 via the column DEFAULT.
+
+### Changed
+- 5h DB clamp at `bin/_cctally_record.py:1521-1527` becomes reset-aware via JOIN on `five_hour_reset_events` keyed on the canonical `five_hour_window_key`; the `COALESCE`-to-epoch-zero default keeps legacy clamp behavior byte-identical on DBs without any event rows, while a credited window's `MAX(five_hour_percent)` over the post-credit segment correctly excludes pre-credit snapshots so a fresh post-credit OAuth value (e.g. 4%) lands instead of being held back by stale pre-credit history (e.g. 28%). `unixepoch()` wraps both sides of the captured-vs-effective comparison so the `Z`-vs-`+00:00` offset mix in stored values doesn't break the bound under lex compare — same rule as the production weekly clamp from v1.7.2.
+- renderers: `cctally five-hour-blocks` shows an inline `⚡ credited −Xpp @ HH:MM` chip beside the block-start cell on credited block rows (multiple credits in one block concatenate as `⚡ −Xpp, −Ypp` across distinct 10-min slots); text + JSON envelope (new `credits[]` field per block) + share-output (`--format md` / `html` / `svg`) all carry the annotation via `_build_five_hour_blocks_snapshot`'s `__credits` side-channel piggy-backed on the existing `block_start` cell formatting. `cctally five-hour-breakdown` interleaves a `⚡ CREDIT −Xpp @ HH:MM` divider row between pre-credit and post-credit milestones (merged stream ordered by `captured_at_utc`); JSON gains `credits[]` parallel to `milestones[]` and each milestone now carries `resetEventId` (sentinel 0 = pre-credit, positive integer = post-credit segment id). Dashboard 5h panel chip + `CurrentWeekModal.tsx` 5h milestones section (new envelope key `current_week.five_hour_milestones` parallel to weekly's `current_week.milestones`) + dashboard alerts list row-identity widening (alert id becomes `five_hour:{window_key}:{threshold}:{reset_event_id}` mirroring the weekly precedent at `bin/_cctally_dashboard.py:2597` — NOT a filter, both segments stay in the list as distinct rows) + TUI 5h tile `[⚡ −Xpp]` badge.
+- migration `003_merge_5h_block_duplicates_v1`: defensive update to the milestone dedup loop — widens the dedup key from `percent_threshold` alone to `(percent_threshold, reset_event_id)` via a `PRAGMA table_info` probe so an operator-triggered re-run after migration 006 (`cctally db unskip 003_merge_5h_block_duplicates_v1`, fresh-DB-from-corrupted-backup, future tooling) doesn't silently collapse legitimately distinct pre/post-credit milestone rows at the same threshold inside one physical block. Byte-identical on the legacy upgrade path where the column doesn't yet exist (003 runs before 006 in migration order; `has_seg=False` collapses the key tuple to `(threshold, 0)`).
+- `cctally record-usage`: credit pivots (HWM force-write + stale-replica DELETE) now run UNCONDITIONALLY when a credit is detected on either axis — gating them on `INSERT OR IGNORE`'s `rowcount` (5h branch) or on the `already is None` pre-check (weekly branch) wedged the system permanently on pre-credit HWM + stale-replica rows if a prior invocation committed the event row but crashed before the pivots could run (memory `project_dedup_must_not_gate_side_effects.md`: "Skipping a no-op INSERT must NOT skip milestones/rollups/alerts; prior run may have died mid-flight"). The event-row INSERT stays gated against duplicates; pivots are individually idempotent so re-running them on the recovery tick is safe. Regressions: `tests/test_in_place_5h_credit_detection.py::test_pivots_run_when_event_row_already_committed` + `tests/test_in_place_credit_detection.py::test_weekly_pivots_run_when_event_row_already_committed`.
+- `cctally record-usage`: round-4 follow-up — 5h credit-detection dedup pre-check refined from a single-field `post_percent` compare to a pair-check against BOTH `prior_percent` AND `post_percent` of the most-recent stored event row, AND the post-detection pivots (HWM force-write + stale-replica DELETE) hoisted OUT of the `if not is_dup:` block so they fire on every detection entry. The round-3 single-field predicate false-positived on a legitimate second credit when the user was idle between credits (Credit 1 lands prior=20/post=5; Credit 2 arrives with new CLI percent=0 while prior_5h_pct still reads 5 from the post-Credit-1 snapshot — `5 == 5` matched the stored `post_percent` so the second credit was silently swallowed, no event row written, no HWM force-write, no DELETE). Pair-check disambiguates: a genuine replay matches BOTH fields; a new credit-with-idle matches at most ONE. Hoisting the pivots is the second half of the same fix — a recovery tick where the pair-check legitimately dedupes (event row already durable from a crashed prior invocation, snapshot rolled back so prior_5h_pct still reads the pre-credit value, pair `(20,5)` matches stored `(20,5)`) still needs to force HWM down and DELETE stale replicas; pre-fix those pivots sat INSIDE `if not is_dup:` and got skipped on every recovery tick, leaving the system wedged on the pre-credit HWM forever. Both pivots are individually idempotent (file overwrite, DELETE on stable predicate) so re-running on a replay or recovery tick is always safe. Codex r4 P1 finding ([PR #46 comment 3252721643](https://github.com/omrikais/cctally-dev/pull/46#discussion_r3252721643), issue [#43](https://github.com/omrikais/cctally-dev/issues/43)). Regressions: `tests/test_in_place_5h_credit_detection.py::test_consecutive_credits_with_idle_between` (proves pair-check lets Credit 2 land) + `tests/test_in_place_5h_credit_detection.py::test_replay_with_pair_match_still_runs_pivots` (proves pivots fire when pair-check dedupes).
+- `cctally record-usage`: 5h self-heal probe at `bin/_cctally_record.py:1958+` becomes segment-aware via `_resolve_active_five_hour_reset_event_id`, mirroring the weekly Probe 1 precedent at `bin/_cctally_record.py:1880-1908`. Without segment scoping a credited block's `MAX(percent_threshold)` over the whole ledger reads the pre-credit ceiling (e.g. 28%) and silently suppresses the post-credit ledger's heal even when it has zero rows; with scoping, post-credit threshold crossings inside a stale-`last_observed_at_utc` slot finally trigger heal. Regression: `tests/test_in_place_5h_credit_detection.py::test_5h_self_heal_probe_scoped_to_active_segment`.
+- dashboard alerts envelope: weekly alerts `context` block now exposes `reset_event_id` parallel to the 5h shape — pre-Round-3 the weekly path widened the row identity (`id` includes `:{reset_event_id}`) but did NOT include the segment in `context`, while the 5h path did. Round-3 adds `context.reset_event_id` to weekly so both axes mirror the same shape and downstream consumers (panel, modal, third-party) can discriminate pre- vs post-credit crossings of the same (week, threshold) without scraping the opaque `id` string. Regression: `tests/test_5h_milestone_segment_threading.py::test_weekly_alerts_context_exposes_reset_event_id`.
+- React component coverage: new credit-chip tests in `dashboard/web/__tests__/CurrentWeekPanel.test.tsx` (single + stacked deltas, `data-credit-count` analytics attr, in-row placement) + new 5h-milestone-section tests in `CurrentWeekModal.test.tsx` (section visibility gate, count pill, `⚡ CREDIT` divider row with `colspan=5`, React row key disambiguation by `reset_event_id` so post-credit threshold repeats render as distinct rows). Server-side envelope coverage extended in `tests/test_five_hour_block_envelope.py` (new `_seed_credit_event` helper + populated `credits[]` + empty-array contract + ascending-order chain across stacked credits). Share-output goldens: new `tests/fixtures/share/five-hour-blocks-credit-{md,html,svg}/` fixtures (one in-place credit seeded in `stats.db` via `bin/build-share-fixtures.py`) assert the `⚡ -20pp` chip carries uniformly through all three share-render formats. Dashboard CSS: new `.credit-chip` + `.mcw-5h-credit-row` + `.mcw-5h-credit-cell` + `.m-sec.sec-5h` rules in `dashboard/web/src/index.css` so the credit annotations match the rest of the panel/modal's accent-amber treatment.
+
 ## [1.7.2] - 2026-05-16
 
 ### Fixed

package/bin/_cctally_alerts.py

@@ -76,6 +76,14 @@ _build_alert_payload_weekly = _lib_alerts_payload._build_alert_payload_weekly
 _build_alert_payload_five_hour = _lib_alerts_payload._build_alert_payload_five_hour
 
 
+# === Honest imports from extracted homes ===================================
+# Spec 2026-05-17-cctally-core-kernel-extraction.md §3.3: kernel symbols
+# import from _cctally_core. `LOG_DIR` stays on the _cctally() accessor
+# per Q1=B (path constants propagate via monkeypatch.setitem against the
+# cctally namespace).
+from _cctally_core import now_utc_iso
+
+
 def _alerts_log_path() -> "pathlib.Path":
     """Return ``~/.local/share/cctally/logs/alerts.log`` (parent dirs created).
 
@@ -167,7 +175,7 @@ def _dispatch_alert_notification(
             or ""
         )
         line = (
-            f"{_cctally().now_utc_iso()}\t{axis}\t{payload.get('threshold')}\t{window_key}"
+            f"{now_utc_iso()}\t{axis}\t{payload.get('threshold')}\t{window_key}"
             f"\t{mode}\t{status}\n"
         )
         with open(log_path, "a") as f:
@@ -194,7 +202,6 @@ def cmd_alerts_test(args: argparse.Namespace) -> int:
       2  --threshold out of [1, 100] range
       3  other spawn error (PermissionError, OSError, ...)
     """
-    c = _cctally()
     axis = "weekly" if args.axis == "weekly" else "five_hour"
     threshold = int(args.threshold)
     if not (1 <= threshold <= 100):
@@ -206,7 +213,7 @@ def cmd_alerts_test(args: argparse.Namespace) -> int:
     if axis == "weekly":
         payload = _build_alert_payload_weekly(
             threshold=threshold,
-            crossed_at_utc=c.now_utc_iso(),
+            crossed_at_utc=now_utc_iso(),
             week_start_date=dt.date.today().isoformat(),
             cumulative_cost_usd=1.23,
             dollars_per_percent=0.01,
@@ -214,9 +221,9 @@ def cmd_alerts_test(args: argparse.Namespace) -> int:
     else:
         payload = _build_alert_payload_five_hour(
             threshold=threshold,
-            crossed_at_utc=c.now_utc_iso(),
+            crossed_at_utc=now_utc_iso(),
             five_hour_window_key=int(dt.datetime.now(dt.timezone.utc).timestamp()),
-            block_start_at=c.now_utc_iso(),
+            block_start_at=now_utc_iso(),
             block_cost_usd=1.23,
             primary_model="claude-sonnet-4-6",
         )

package/bin/_cctally_cache.py

@@ -118,17 +118,18 @@ def _cctally():
     return sys.modules["cctally"]
 
 
-# Module-level back-ref shims for the four bare-name helpers consumed
-# throughout the moved bodies. Each shim resolves
-# ``sys.modules['cctally'].X`` at CALL TIME (not bind time), so
-# monkeypatches on cctally's namespace propagate into the moved code
-# unchanged. Mirrors the precedent established in ``bin/_cctally_db.py``
-# (``now_utc_iso`` / ``parse_iso_datetime`` / ``_compute_block_totals``
-# / ``eprint`` shims).
-def eprint(*args, **kwargs):
-    return sys.modules["cctally"].eprint(*args, **kwargs)
-
-
+# === Honest imports from extracted homes ===================================
+# Spec 2026-05-17-cctally-core-kernel-extraction.md §3.3: kernel symbols
+# (Z-leaf + Z-mid) import from _cctally_core. The legacy shim function
+# for ``eprint`` is deleted.
+from _cctally_core import eprint
+
+
+# Module-level back-ref shims for the three out-of-scope JSONL/project
+# discovery helpers that STAY in bin/cctally per spec §3.7. Each shim
+# resolves ``sys.modules['cctally'].X`` at CALL TIME (not bind time),
+# so monkeypatches on cctally's namespace propagate into the moved code
+# unchanged.
 def _decode_escaped_cwd(*args, **kwargs):
     return sys.modules["cctally"]._decode_escaped_cwd(*args, **kwargs)
 

package/bin/_cctally_config.py

@@ -48,6 +48,25 @@ def _cctally():
     return sys.modules["cctally"]
 
 
+# === Honest imports from extracted homes ===================================
+# Spec 2026-05-17-cctally-core-kernel-extraction.md §3.3: kernel symbols
+# import from _cctally_core; the Bucket-X helper `normalize_display_tz_value`
+# imports from `_lib_display_tz`. Path constants (`CONFIG_PATH`,
+# `CONFIG_LOCK_PATH`) plus out-of-scope validators
+# (`_normalize_alerts_enabled_value`, `_validate_dashboard_bind_value`,
+# `_validate_update_check_ttl_hours_value`, `_normalize_update_check_enabled_value`,
+# `get_display_tz_pref`, `UPDATE_DEFAULT_TTL_HOURS`) stay on the
+# _cctally() accessor.
+from _cctally_core import (
+    eprint,
+    ensure_dirs,
+    DEFAULT_WEEK_START,
+    _get_alerts_config,
+    _AlertsConfigError,
+)
+from _lib_display_tz import normalize_display_tz_value
+
+
 _CONFIG_CORRUPT_WARNED = False  # one-shot warn flag for load_config
 
 
@@ -61,20 +80,19 @@ def _warn_config_corrupt_once(reason: str) -> None:
         return
     _CONFIG_CORRUPT_WARNED = True
     c = _cctally()
-    c.eprint(
+    eprint(
         f"warning: ignoring corrupt {c.CONFIG_PATH} ({reason}); "
         "using in-memory defaults"
     )
 
 
 def _default_config_data() -> dict[str, Any]:
-    c = _cctally()
     return {
         "collector": {
             "host": "127.0.0.1",
             "port": 17321,
             "token": secrets.token_hex(16),
-            "week_start": c.DEFAULT_WEEK_START,
+            "week_start": DEFAULT_WEEK_START,
         }
     }
 
@@ -122,7 +140,7 @@ def config_writer_lock():
     either the pre-rename or post-rename file, never partial bytes.
     """
     c = _cctally()
-    c.ensure_dirs()
+    ensure_dirs()
     c.CONFIG_LOCK_PATH.touch()
     fh = open(c.CONFIG_LOCK_PATH, "w")
     try:
@@ -154,7 +172,7 @@ def load_config() -> dict[str, Any]:
     #17 fix).
     """
     c = _cctally()
-    c.ensure_dirs()
+    ensure_dirs()
     parsed = _try_read_config()
     if parsed is not None:
         return parsed
@@ -186,8 +204,7 @@ def _load_config_unlocked() -> dict[str, Any]:
     do its own save_config call atomically. Corrupt-file path returns
     in-memory defaults (caller's save will overwrite cleanly).
     """
-    c = _cctally()
-    c.ensure_dirs()
+    ensure_dirs()
     parsed = _try_read_config()
     if parsed is not None:
         return parsed
@@ -208,7 +225,7 @@ def save_config(data: dict[str, Any]) -> None:
     not the read-modify-write semantics of `cctally config set`.
     """
     c = _cctally()
-    c.ensure_dirs()
+    ensure_dirs()
     payload = (json.dumps(data, indent=2) + "\n").encode("utf-8")
     tmp = c.CONFIG_PATH.with_name(f"{c.CONFIG_PATH.name}.tmp.{os.getpid()}")
     fd = os.open(str(tmp), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
@@ -248,7 +265,7 @@ def cmd_config(args: argparse.Namespace) -> int:
         return _cmd_config_set(args)
     if action == "unset":
         return _cmd_config_unset(args)
-    c.eprint(f"cctally config: unknown action {action!r}")
+    eprint(f"cctally config: unknown action {action!r}")
     return 2
 
 
@@ -265,7 +282,7 @@ def _config_known_value(config: dict, key: str) -> "object":
     if key == "display.tz":
         return c.get_display_tz_pref(config)
     if key == "alerts.enabled":
-        return bool(c._get_alerts_config(config)["enabled"])
+        return bool(_get_alerts_config(config)["enabled"])
     if key == "dashboard.bind":
         # Default semantic alias is 'loopback' (resolves to 127.0.0.1 at
         # bind time). LAN exposure is opt-in via `set dashboard.bind lan`
@@ -306,10 +323,9 @@ def _config_known_value(config: dict, key: str) -> "object":
 
 
 def _cmd_config_get(args: argparse.Namespace, config: dict) -> int:
-    c = _cctally()
     key = args.key
     if key is not None and key not in ALLOWED_CONFIG_KEYS:
-        c.eprint(f"cctally config: unknown config key {key!r}")
+        eprint(f"cctally config: unknown config key {key!r}")
         return 2
     pairs: "list[tuple[str, object]]" = []
     if key is None:
@@ -350,13 +366,13 @@ def _cmd_config_set(args: argparse.Namespace) -> int:
     c = _cctally()
     key, raw = args.key, args.value
     if key not in ALLOWED_CONFIG_KEYS:
-        c.eprint(f"cctally config: unknown config key {key!r}")
+        eprint(f"cctally config: unknown config key {key!r}")
         return 2
     if key == "display.tz":
         try:
-            canonical = c.normalize_display_tz_value(raw)
+            canonical = normalize_display_tz_value(raw)
         except ValueError:
-            c.eprint(f"cctally config: invalid IANA zone {raw!r}")
+            eprint(f"cctally config: invalid IANA zone {raw!r}")
             return 2
         with config_writer_lock():
             config = _load_config_unlocked()
@@ -399,8 +415,8 @@ def _cmd_config_set(args: argparse.Namespace) -> int:
             # Validate the would-be merged block before persisting so
             # we never write a config that fails subsequent reads.
             try:
-                c._get_alerts_config({**config, "alerts": alerts_block})
-            except c._AlertsConfigError as exc:
+                _get_alerts_config({**config, "alerts": alerts_block})
+            except _AlertsConfigError as exc:
                 print(f"cctally: alerts config error: {exc}", file=sys.stderr)
                 return 2
             config["alerts"] = alerts_block
@@ -489,10 +505,9 @@ def _cmd_config_set(args: argparse.Namespace) -> int:
 
 
 def _cmd_config_unset(args: argparse.Namespace) -> int:
-    c = _cctally()
     key = args.key
     if key not in ALLOWED_CONFIG_KEYS:
-        c.eprint(f"cctally config: unknown config key {key!r}")
+        eprint(f"cctally config: unknown config key {key!r}")
         return 2
     if key == "display.tz":
         with config_writer_lock():