costhawk 1.5.18 → 1.5.20

package/README.md

@@ -32,6 +32,16 @@ By default, this creates one **hybrid token** with scopes:
 - `mcp:write`
 - `otel:ingest`
 
+### Codex Desktop usage tracking (non-CLI path)
+
+If you use Codex Desktop and do not want to set up each local CLI tool manually, use the Codex-specific setup path:
+
+```bash
+npm exec --yes costhawk@latest -- setup codex-desktop
+```
+
+This preflights the local runtime and writable Codex config, opens CostHawk browser login, then configures only Codex Desktop usage tracking. It does not write Claude Code, Gemini CLI, Cursor, or OpenCode config.
+
 ### Manual Token Mode (Fallback)
 
 ```bash
@@ -167,10 +177,13 @@ COSTHAWK_GIT_SHA=$(git rev-parse --short HEAD) npm run build
 
 | Tool | Description |
 |------|-------------|
+| `costhawk_get_company_brain_onboarding` | Get the workspace Company Brain destination and per-project sharing policies before writing learnings |
 | `costhawk_get_usage_summary` | Get usage and costs over a time period (by provider/model) |
 | `costhawk_get_usage_by_tag` | Get usage grouped by attribution fields and custom metadata (`project`, `feature`, `team`, `environment`, `user_id`, etc.) |
 | `costhawk_detect_anomalies` | Check for cost anomalies and unusual usage patterns |
 
+`costhawk_get_company_brain_onboarding` is the policy gate for Company Brain writes. Private projects must not submit shared learnings. Project memory projects can keep local/project-scoped memory. Company Brain projects can submit allowed entry types using the configured review mode.
+
 `costhawk_get_usage_by_tag` has two data sources:
 - Standard attribution fields like `feature`, `project`, `team`, and `environment` can come from wrapped-key or scoped API key attribution.
 - Arbitrary custom tag keys only appear when you send request metadata through the proxy, such as `costhawk_metadata.feature` or `costhawk_metadata.user_id`.
@@ -271,10 +284,19 @@ The cache read savings are significant - CostHawk tracks all 4 types to give you
 | `--tools` | Print the registered tool names and exit |
 | `--self-test` | Print version + tool list + local env checks and exit |
 | `--what-we-read` | Print local directories and sample files read by the MCP |
+| `brain status` | Show Company Brain sharing policy for the current repo/workspace |
+| `setup codex-desktop` | Configure Codex Desktop usage tracking only |
+| `--setup-codex-desktop` | Alias for `setup codex-desktop` |
 | `--setup` | Configure Claude Code, Codex CLI, and Gemini CLI MCP settings |
 | `--codex` / `--no-codex` | Include or skip Codex CLI config at `~/.codex/config.toml` |
 | `--opencode` / `--no-opencode` | Include or skip OpenCode config |
 
+Company Brain CLI example:
+
+```bash
+costhawk brain status --org-slug acme --git-repo github.com/acme/app
+```
+
 ## Privacy & Trust
 
 CostHawk’s MCP server is designed to be **local-first** and transparent:

package/dist/build-info.d.ts

@@ -1,2 +1,2 @@
-export declare const BUILD_COMMIT_SHA = "830fd8b";
+export declare const BUILD_COMMIT_SHA = "6547cd3";
 //# sourceMappingURL=build-info.d.ts.map

package/dist/build-info.js

@@ -1,3 +1,3 @@
 // Auto-generated during release builds. Values may be empty in dev.
-export const BUILD_COMMIT_SHA = "830fd8b";
+export const BUILD_COMMIT_SHA = "6547cd3";
 //# sourceMappingURL=build-info.js.map

package/dist/index.js

@@ -4,7 +4,7 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { z } from "zod";
 import { createInterface } from "readline";
 import { spawn, spawnSync } from "child_process";
-import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { accessSync, chmodSync, constants, existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "fs";
 import { dirname, join } from "path";
 import { homedir, hostname, platform } from "os";
 // Claude Code local transcript parsing
@@ -94,6 +94,9 @@ function extractApiErrorMessage(errorText) {
     catch {
         // Fall through to the raw response body.
     }
+    if (/^<!doctype html/i.test(trimmed) || /^<html/i.test(trimmed)) {
+        return "HTML error page returned. Check COSTHAWK_API_URL and confirm this MCP route is deployed.";
+    }
     return trimmed;
 }
 function formatApiErrorMessage(status, errorText) {
@@ -411,6 +414,26 @@ async function apiRequest(endpoint, options) {
         clearTimeout(timeoutId);
     }
 }
+function buildCompanyBrainOnboardingEndpoint(input) {
+    const queryParams = new URLSearchParams();
+    if (input.orgId)
+        queryParams.set("orgId", input.orgId);
+    if (input.orgSlug)
+        queryParams.set("orgSlug", input.orgSlug);
+    if (input.projectId)
+        queryParams.set("projectId", input.projectId);
+    if (input.projectSlug)
+        queryParams.set("projectSlug", input.projectSlug);
+    if (input.gitRepo)
+        queryParams.set("gitRepo", input.gitRepo);
+    const query = queryParams.toString();
+    return query ? `/api/mcp/brain/onboarding?${query}` : "/api/mcp/brain/onboarding";
+}
+async function fetchCompanyBrainOnboardingState(input) {
+    return apiRequest(buildCompanyBrainOnboardingEndpoint(input), {
+        apiKey: input.apiKey,
+    });
+}
 function isModelPricingEntry(value) {
     if (!value || typeof value !== "object")
         return false;
@@ -731,6 +754,31 @@ function getArgValue(args, flag) {
     }
     return undefined;
 }
+function normalizeGitRemoteForProject(rawRemote) {
+    const trimmed = rawRemote.trim();
+    if (!trimmed)
+        return null;
+    const sshMatch = trimmed.match(/^git@([^:]+):(.+?)(?:\.git)?$/);
+    if (sshMatch) {
+        return `${sshMatch[1]}/${sshMatch[2].replace(/\.git$/, "")}`;
+    }
+    try {
+        const parsed = new URL(trimmed);
+        return `${parsed.hostname}${parsed.pathname.replace(/^\/+/, "").replace(/\.git$/, "")}`;
+    }
+    catch {
+        return trimmed.replace(/\.git$/, "");
+    }
+}
+function detectGitRepoFromCurrentDirectory() {
+    const result = spawnSync("git", ["config", "--get", "remote.origin.url"], {
+        encoding: "utf8",
+        stdio: ["ignore", "pipe", "ignore"],
+    });
+    if (result.status !== 0 || typeof result.stdout !== "string")
+        return undefined;
+    return normalizeGitRemoteForProject(result.stdout) ?? undefined;
+}
 function parseBooleanFlag(args, flag) {
     const negated = `--no-${flag}`;
     if (args.includes(negated))
@@ -795,8 +843,21 @@ function resolveCodexConfigPath() {
     return primary;
 }
 function resolveNpmCommand() {
+    return findNpmCommand() ?? (platform() === "win32" ? "npm.cmd" : "npm");
+}
+function findNpmCommand() {
     if (platform() === "win32") {
-        return "npm.cmd";
+        const whereResult = spawnSync("where", ["npm.cmd"], { encoding: "utf8" });
+        if (whereResult.status === 0 && typeof whereResult.stdout === "string") {
+            const npmPath = whereResult.stdout.split(/\r?\n/)[0]?.trim();
+            if (npmPath)
+                return npmPath;
+        }
+        const checkResult = spawnSync("npm.cmd", ["--version"], {
+            encoding: "utf8",
+            stdio: ["ignore", "pipe", "ignore"],
+        });
+        return checkResult.status === 0 ? "npm.cmd" : null;
     }
     const result = spawnSync("which", ["npm"], { encoding: "utf8" });
     if (result.status === 0 && typeof result.stdout === "string") {
@@ -804,7 +865,7 @@ function resolveNpmCommand() {
         if (npmPath)
             return npmPath;
     }
-    return "npm";
+    return null;
 }
 function escapeTomlString(value) {
     return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
@@ -1022,6 +1083,32 @@ function persistApiKey(apiKey) {
         savedAt: new Date().toISOString(),
     });
 }
+function assertWritableTarget(filePath) {
+    const dir = dirname(filePath);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+    }
+    if (existsSync(filePath)) {
+        accessSync(filePath, constants.W_OK);
+        return;
+    }
+    const testPath = join(dir, `.costhawk-write-test-${process.pid}-${Date.now()}`);
+    writeFileSync(testPath, "ok", { mode: SECRET_FILE_MODE });
+    rmSync(testPath, { force: true });
+}
+function runCodexDesktopPreflight() {
+    const npmCommand = findNpmCommand();
+    if (!npmCommand) {
+        throw new Error([
+            "Codex Desktop setup needs npm on PATH before CostHawk can install tracking.",
+            "Install Node.js/npm or open Codex from an environment where npm is available, then run setup again.",
+        ].join(" "));
+    }
+    const codexConfigPath = resolveCodexConfigPath();
+    assertWritableTarget(AUTH_STATE_PATH);
+    assertWritableTarget(codexConfigPath);
+    return { codexConfigPath, npmCommand };
+}
 async function promptInput(question) {
     const rl = createInterface({
         input: process.stdin,
@@ -1143,6 +1230,8 @@ async function runDeviceLoginFlow(args) {
 async function runSetup(args) {
     const apiKeyArg = getArgValue(args, "--api-key") || getArgValue(args, "--key");
     const nonInteractive = args.includes("--non-interactive");
+    const codexDesktopMode = args.includes("--codex-desktop");
+    const codexLabel = codexDesktopMode ? "Codex Desktop" : "OpenAI Codex CLI";
     let writeClaude = parseBooleanFlag(args, "claude");
     if (writeClaude === undefined) {
         writeClaude = true;
@@ -1396,7 +1485,7 @@ async function runSetup(args) {
         console.log("✅ CostHawk MCP server added to Gemini CLI!");
     }
     if (writeCodex) {
-        console.log("✅ CostHawk MCP server added to OpenAI Codex CLI!");
+        console.log(`✅ CostHawk MCP server added to ${codexLabel}!`);
     }
     if (writeOpenCode) {
         console.log("✅ CostHawk MCP server added to OpenCode!");
@@ -1409,15 +1498,20 @@ async function runSetup(args) {
         console.log(`   OpenCode config: ${openCodePath}`);
     }
     if (codexPath) {
-        console.log(`   OpenAI Codex CLI config: ${codexPath}`);
+        console.log(`   ${codexLabel} config: ${codexPath}`);
     }
     if (geminiPath) {
         console.log(`   Gemini CLI config: ${geminiPath}`);
     }
     console.log(`   Stored auth: ${AUTH_STATE_PATH}`);
     console.log(`   Local tool auto-sync: ${autoSync ? "enabled" : "disabled"}`);
-    console.log(`   OpenAI Codex CLI auto-sync: ${autoSync && codexSync ? "enabled" : "disabled"}`);
-    console.log("   Note: Auto-sync only applies to local Claude Code / Codex CLI / Cursor logs. Gemini CLI gets MCP tools, but Gemini local transcripts are not auto-synced yet.");
+    console.log(`   ${codexLabel} auto-sync: ${autoSync && codexSync ? "enabled" : "disabled"}`);
+    if (codexDesktopMode) {
+        console.log("   Note: CostHawk tracks Codex session activity after Codex writes local usage logs.");
+    }
+    else {
+        console.log("   Note: Auto-sync only applies to local Claude Code / Codex CLI / Cursor logs. Gemini CLI gets MCP tools, but Gemini local transcripts are not auto-synced yet.");
+    }
     console.log("");
     if (writeClaude) {
         console.log("👉 Next step: Restart Claude Code, then ask:");
@@ -1428,8 +1522,13 @@ async function runSetup(args) {
         console.log("   gemini mcp list");
     }
     if (writeCodex) {
-        console.log("👉 Next step: Restart Codex, then run:");
-        console.log("   codex mcp get costhawk");
+        if (codexDesktopMode) {
+            console.log("👉 Next step: Restart Codex Desktop, then start a new Codex chat.");
+        }
+        else {
+            console.log("👉 Next step: Restart Codex, then run:");
+            console.log("   codex mcp get costhawk");
+        }
     }
     if (writeOpenCode) {
         console.log("👉 Next step: Restart OpenCode to load MCP servers.");
@@ -1571,9 +1670,12 @@ async function syncCursorSessionsToApi(sessions, options) {
     };
 }
 // Perform a one-time sync during --login so data appears in the dashboard immediately.
-async function performLoginSync(apiKey) {
+async function performLoginSync(apiKey, options = {}) {
     let totalSynced = 0;
-    if (claudeCodeDirectoryExists()) {
+    const syncClaudeCode = options.claudeCode ?? true;
+    const syncCodex = options.codex ?? true;
+    const syncCursor = options.cursor ?? true;
+    if (syncClaudeCode && claudeCodeDirectoryExists()) {
         try {
             const sessions = parseAllTranscriptsDetailed(LOGIN_SYNC_MAX_AGE_HOURS);
             const result = await syncSessionsToApi(sessions, {
@@ -1590,7 +1692,7 @@ async function performLoginSync(apiKey) {
             console.error(`   Warning: Claude Code sync failed: ${error instanceof Error ? error.message : "Unknown error"}`);
         }
     }
-    if (codexDirectoryExists()) {
+    if (syncCodex && codexDirectoryExists()) {
         try {
             const sessions = parseAllCodexSessionsDetailed(LOGIN_SYNC_MAX_AGE_HOURS);
             const result = await syncSessionsToApi(sessions, {
@@ -1608,7 +1710,7 @@ async function performLoginSync(apiKey) {
             console.error(`   Warning: Codex sync failed: ${error instanceof Error ? error.message : "Unknown error"}`);
         }
     }
-    if (cursorDbExists()) {
+    if (syncCursor && cursorDbExists()) {
         try {
             // parseCursorUsage() reads the whole Cursor SQLite in one pass. The
             // LOGIN_SYNC_MAX_AGE_HOURS window is applied client-side below to
@@ -1645,6 +1747,62 @@ async function performLoginSync(apiKey) {
         console.log("\n   No local sessions found to sync (this is normal for first-time users).");
     }
 }
+function getCodexDesktopSetupArgs(apiKey) {
+    return [
+        "--api-key",
+        apiKey,
+        "--codex",
+        "--no-claude",
+        "--no-gemini",
+        "--no-opencode",
+        "--auto-sync",
+        "--codex-sync",
+        "--no-cursor-sync",
+        "--non-interactive",
+        "--codex-desktop",
+    ];
+}
+function withDefaultArg(args, flag, value) {
+    if (args.includes(flag) || args.some((arg) => arg.startsWith(`${flag}=`))) {
+        return args;
+    }
+    return [...args, flag, value];
+}
+async function runCodexDesktopSetup(args) {
+    let preflight;
+    try {
+        preflight = runCodexDesktopPreflight();
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : "Codex Desktop setup preflight failed."}`);
+        process.exit(1);
+    }
+    console.log("✅ Codex Desktop setup preflight passed.");
+    console.log(`   npm: ${preflight.npmCommand}`);
+    console.log(`   Codex config: ${preflight.codexConfigPath}`);
+    console.log(`   CostHawk auth: ${AUTH_STATE_PATH}`);
+    let apiKey = getArgValue(args, "--api-key") || getArgValue(args, "--key") || DEFAULT_API_KEY || "";
+    if (!apiKey) {
+        const loginArgs = withDefaultArg(args, "--client-name", "Codex Desktop");
+        try {
+            apiKey = await runDeviceLoginFlow(loginArgs);
+        }
+        catch (error) {
+            console.error(`Error: ${error instanceof Error ? error.message : "Browser login failed."}`);
+            process.exit(1);
+        }
+    }
+    if (!apiKey) {
+        console.error("Error: API key is required to complete Codex Desktop setup.");
+        process.exit(1);
+    }
+    persistApiKey(apiKey);
+    await runSetup(getCodexDesktopSetupArgs(apiKey));
+    await performLoginSync(apiKey, { claudeCode: false, codex: true, cursor: false });
+    console.log("✅ CostHawk Codex Desktop tracking is configured.");
+    console.log("   Restart Codex Desktop if the CostHawk MCP server is not visible yet.");
+    console.log("");
+}
 async function runLoginCommand(args) {
     const shouldRunSetup = parseBooleanFlag(args, "setup") ?? true;
     let apiKey;
@@ -1698,6 +1856,84 @@ async function runLoginCommand(args) {
     await performLoginSync(apiKey);
 }
 // Markdown formatters
+function formatPolicyMode(mode) {
+    switch (mode) {
+        case "company_brain":
+            return "Company Brain";
+        case "project_memory":
+            return "Project memory";
+        case "private":
+        default:
+            return "Private";
+    }
+}
+function formatReviewMode(mode) {
+    switch (mode) {
+        case "auto_all":
+            return "Auto approve all";
+        case "auto_low_risk":
+            return "Auto approve low risk";
+        case "manual":
+        default:
+            return "Manual review";
+    }
+}
+function formatCompanyBrainOnboardingMarkdown(data) {
+    let output = `# Company Brain Project Policies\n\n`;
+    output += `**Organization:** ${data.organization.name} (${data.organization.slug})\n`;
+    output += `**Company Brain:** ${data.companyBrain.name}\n`;
+    output += `**Raw content stored by default:** ${data.companyBrain.rawContentStorage ? "yes" : "no"}\n\n`;
+    output += `## Summary\n`;
+    output += `| Metric | Value |\n|--------|-------|\n`;
+    output += `| Active projects | ${formatNumber(data.summary.totalProjects)} |\n`;
+    output += `| Explicit policies | ${formatNumber(data.summary.explicitPolicies)} |\n`;
+    output += `| Private | ${formatNumber(data.summary.privateProjects)} |\n`;
+    output += `| Project memory | ${formatNumber(data.summary.projectMemoryProjects)} |\n`;
+    output += `| Company Brain | ${formatNumber(data.summary.companyBrainProjects)} |\n`;
+    output += `| Needs review | ${formatNumber(data.summary.unreviewedProjects)} |\n`;
+    if (data.summary.matchedProjects !== null) {
+        output += `| Current repo matches | ${formatNumber(data.summary.matchedProjects)} |\n`;
+    }
+    output += `\n## Project Policies\n`;
+    if (data.projects.length === 0) {
+        output += `No active projects found for this organization.\n\n`;
+    }
+    else {
+        output += `| Project | Policy | Review | Sensitivity | Writes | Entries | Match |\n`;
+        output += `|---------|--------|--------|-------------|--------|---------|-------|\n`;
+        for (const project of data.projects) {
+            const policy = project.policy;
+            const writes = policy.canWriteCompanyBrain
+                ? "company brain"
+                : policy.canWriteProjectMemory
+                    ? "project memory"
+                    : "blocked";
+            const match = project.currentProjectMatch === null ? "" : project.currentProjectMatch ? "current" : "";
+            output += `| ${project.name} | ${formatPolicyMode(policy.mode)}${policy.isExplicit ? "" : " (default)"} | ${formatReviewMode(policy.reviewMode)} | ${policy.defaultSensitivity} | ${writes} | ${policy.allowedEntryTypes.join(", ")} | ${match} |\n`;
+        }
+    }
+    const currentMatches = data.projects.filter((project) => project.currentProjectMatch);
+    if (currentMatches.length > 0) {
+        output += `\n## Current Project\n`;
+        for (const project of currentMatches) {
+            output += `- ${project.name}: ${formatPolicyMode(project.policy.mode)}. `;
+            if (project.policy.canWriteCompanyBrain) {
+                output += `Agents may submit allowed entries to the Company Brain with ${formatReviewMode(project.policy.reviewMode).toLowerCase()}.\n`;
+            }
+            else if (project.policy.canWriteProjectMemory) {
+                output += `Agents may write project memory, but not shared Company Brain entries.\n`;
+            }
+            else {
+                output += `Agents must not write shared learnings from this project.\n`;
+            }
+        }
+    }
+    output += `\n## Next Actions\n`;
+    for (const action of data.nextActions) {
+        output += `- ${action}\n`;
+    }
+    return truncateResponse(output);
+}
 function formatUsageSummaryMarkdown(data) {
     let output = `# API Usage Summary\n\n`;
     output += `This report covers CostHawk-tracked API requests from wrapped/proxied keys and provider-ingested API usage. It does not include local Claude Code, Codex, or Cursor sessions; use the local usage, sync, ROI, or savings tools for those.\n\n`;
@@ -3066,7 +3302,57 @@ const GetProxyGuideSchema = {
 const ListIntegrationsSchema = {
     apiKey: z.string().optional().describe("CostHawk API key (falls back to COSTHAWK_API_KEY env var)"),
 };
+const CompanyBrainOnboardingSchema = {
+    apiKey: z.string().optional().describe("CostHawk API key (falls back to COSTHAWK_API_KEY env var)"),
+    orgId: z.string().optional().describe("Organization ID to inspect. Required only when the API key has access to multiple organizations."),
+    orgSlug: z.string().optional().describe("Organization slug to inspect. Required only when the API key has access to multiple organizations."),
+    projectId: z.string().optional().describe("Optional project ID to mark as the current project in the response."),
+    projectSlug: z.string().optional().describe("Optional project slug to mark as the current project in the response."),
+    gitRepo: z
+        .string()
+        .optional()
+        .describe("Optional git repository identifier for the current local project, such as github.com/acme/app or acme/app."),
+    format: z.enum(["markdown", "json"]).optional().default("markdown").describe("Response format"),
+};
 // Register tools
+server.registerTool("costhawk_get_company_brain_onboarding", {
+    description: `Get the Company Brain onboarding state for the authenticated workspace. Use this before proposing or writing any Company Brain or project-memory entry. It returns the organization brain destination, active projects, each project's sharing policy (Private, Project memory, or Company Brain), review mode, sensitivity, allowed entry types, and whether the current repo/project is allowed to write. Agents must treat Private projects as a hard stop for shared brain writes.`,
+    inputSchema: CompanyBrainOnboardingSchema,
+    annotations: READ_ONLY_ANNOTATIONS,
+}, async (args, _extra) => {
+    const apiKey = getApiKey(args.apiKey);
+    if (!apiKey) {
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: "Error: No API key provided. Run `costhawk --login` or set COSTHAWK_API_KEY in your MCP configuration.",
+                },
+            ],
+            isError: true,
+        };
+    }
+    try {
+        const data = await fetchCompanyBrainOnboardingState({
+            apiKey,
+            orgId: args.orgId,
+            orgSlug: args.orgSlug,
+            projectId: args.projectId,
+            projectSlug: args.projectSlug,
+            gitRepo: args.gitRepo,
+        });
+        const text = args.format === "json" ? JSON.stringify(data, null, 2) : formatCompanyBrainOnboardingMarkdown(data);
+        return {
+            content: [{ type: "text", text }],
+        };
+    }
+    catch (error) {
+        return {
+            content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : "Unknown error"}` }],
+            isError: true,
+        };
+    }
+});
 server.registerTool("costhawk_get_usage_summary", {
     description: `Get a summary of CostHawk-tracked API request usage over a time period. This covers wrapped/proxied keys and provider-ingested API usage stored as API requests. It does NOT include local Claude Code, Codex, or Cursor sessions; for local AI-tool token usage, use costhawk_get_local_claude_code_usage, costhawk_get_local_codex_usage, costhawk_get_local_cursor_usage, costhawk_get_local_roi_report, or costhawk_get_savings after syncing. Returns total API costs, API calls, and API token usage broken down by provider and model. Supports preset periods (last_24h, today, yesterday, last_7d, last_30d) or custom date ranges.\n\nIMPORTANT: Always display the COMPLETE output in your response using markdown tables. Render every section (Overview, By Provider, By Model). Never summarize or truncate. If this report is zero, do not say the user's local AI-tool usage is zero; explain that local Claude Code, Codex, and Cursor usage is reported separately.`,
     inputSchema: UsageSummarySchema,
@@ -4870,8 +5156,74 @@ function stopAutoSync() {
         console.error("[Auto-sync] Stopped");
     }
 }
+async function runBrainCommand(args) {
+    const hasExplicitSubcommand = Boolean(args[1] && !args[1].startsWith("-"));
+    const subcommand = hasExplicitSubcommand ? args[1] : "status";
+    const commandArgs = args.slice(hasExplicitSubcommand ? 2 : 1);
+    if (subcommand === "help" || commandArgs.includes("--help") || commandArgs.includes("-h")) {
+        console.log(`CostHawk Company Brain
+
+USAGE:
+  costhawk brain status [OPTIONS]
+
+OPTIONS:
+  --org-id          Organization ID
+  --org-slug        Organization slug
+  --project-id      Current project ID
+  --project-slug    Current project slug
+  --git-repo        Current git repository identifier
+  --no-detect-git   Do not auto-detect git remote.origin.url
+  --json            Print raw JSON
+  --api-key         Provide API key non-interactively
+
+EXAMPLES:
+  costhawk brain status
+  costhawk brain status --org-slug acme --git-repo github.com/acme/app
+`);
+        process.exit(0);
+    }
+    if (subcommand !== "status" && subcommand !== "onboarding") {
+        console.error(`Error: unknown brain command "${subcommand}". Use "costhawk brain status".`);
+        process.exit(1);
+    }
+    const apiKey = getApiKey(getArgValue(commandArgs, "--api-key"));
+    if (!apiKey) {
+        console.error("Error: No API key provided. Run `costhawk --login` or set COSTHAWK_API_KEY.");
+        process.exit(1);
+    }
+    const explicitGitRepo = getArgValue(commandArgs, "--git-repo");
+    const gitRepo = explicitGitRepo ?? (commandArgs.includes("--no-detect-git") ? undefined : detectGitRepoFromCurrentDirectory());
+    try {
+        const data = await fetchCompanyBrainOnboardingState({
+            apiKey,
+            orgId: getArgValue(commandArgs, "--org-id"),
+            orgSlug: getArgValue(commandArgs, "--org-slug"),
+            projectId: getArgValue(commandArgs, "--project-id"),
+            projectSlug: getArgValue(commandArgs, "--project-slug"),
+            gitRepo,
+        });
+        if (commandArgs.includes("--json")) {
+            console.log(JSON.stringify(data, null, 2));
+        }
+        else {
+            console.log(formatCompanyBrainOnboardingMarkdown(data));
+        }
+        process.exit(0);
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : "Unknown error"}`);
+        process.exit(1);
+    }
+}
 async function handleCliFlags() {
     const args = process.argv.slice(2);
+    if (args[0] === "brain") {
+        await runBrainCommand(args);
+    }
+    if (args[0] === "setup" && args[1] === "codex-desktop") {
+        await runCodexDesktopSetup(args.slice(2));
+        process.exit(0);
+    }
     if (args.includes("--version") || args.includes("-v")) {
         console.log(formatVersion());
         process.exit(0);
@@ -4888,6 +5240,9 @@ OPTIONS:
   --tools          List all available MCP tools
   --self-test      Output diagnostic JSON for debugging
   --what-we-read   Show local directories and sample files the MCP reads
+  brain status     Show Company Brain project sharing policy for this workspace/repo
+  setup codex-desktop
+                   Configure Codex Desktop usage tracking only
   --login          Browser/device login (recommended)
   --no-setup       With --login, skip writing MCP config files
   --open           With --login, force opening the browser
@@ -4895,6 +5250,8 @@ OPTIONS:
   --client-name    Optional device/client label for login approval screen
   --scopes         Optional comma-separated scopes for login token (default: mcp:read,mcp:write,otel:ingest)
   --setup          Configure MCP settings (Claude Code / Codex CLI / Gemini CLI / OpenCode)
+  --setup-codex-desktop
+                   Alias for "setup codex-desktop"
   --codex          Write OpenAI Codex CLI config during setup
   --opencode       Also write OpenCode config during setup
   --no-claude      Skip writing Claude Code config during setup
@@ -4918,11 +5275,13 @@ ENVIRONMENT VARIABLES:
 SETUP:
   1. Recommended (browser login + auto-setup):
      npm exec --yes costhawk@latest -- --login
-  2. Manual API key mode (Claude Code):
+  2. Codex Desktop usage tracking only:
+     npm exec --yes costhawk@latest -- setup codex-desktop
+  3. Manual API key mode (Claude Code):
      claude mcp add -s user -e COSTHAWK_API_KEY=your_key -e COSTHAWK_AUTO_SYNC=true costhawk -- npx --yes costhawk@latest
      Manual API key mode (Gemini CLI):
      gemini mcp add -s user -e COSTHAWK_API_KEY=your_key costhawk npx --yes costhawk@latest
-  3. Interactive setup (writes Claude Code + Codex CLI + Gemini CLI config, optional OpenCode):
+  4. Interactive setup (writes Claude Code + Codex CLI + Gemini CLI config, optional OpenCode):
      npm exec --yes costhawk@latest -- --setup --opencode
 
 DOCUMENTATION:
@@ -4934,6 +5293,10 @@ DOCUMENTATION:
         await runLoginCommand(args);
         process.exit(0);
     }
+    if (args.includes("--setup-codex-desktop")) {
+        await runCodexDesktopSetup(args);
+        process.exit(0);
+    }
     if (args.includes("--setup")) {
         await runSetup(args);
         process.exit(0);