octarin-cli 0.3.1 → 0.3.3

package/assets/backfill.py

@@ -44,6 +44,7 @@ import getpass
 import json
 import os
 import re
+import ssl
 import subprocess
 import sys
 import urllib.error
@@ -289,6 +290,14 @@ def parse_claude_transcript(  # noqa: PLR0915 - top-down jsonl parser; splitting
                                     :_OUTPUT_CAP
                                 ],
                                 "status": "ok",
+                                # subagent turns bill against the session model;
+                                # carry it so per-model analytics can attribute
+                                # their tokens
+                                **(
+                                    {"model": model}
+                                    if stype == "agent" and model
+                                    else {}
+                                ),
                             }
                         )
         prev_ts = ts
@@ -940,6 +949,49 @@ def _filter_spans_by_cutoff(event: dict, cutoff: datetime | None) -> dict | None
     return event
 
 
+_SSL_CTX: ssl.SSLContext | None = None
+
+
+def _ssl_context() -> ssl.SSLContext:
+    """A cert-verifying TLS context that also works on Pythons whose default
+    trust store is empty — the cause of ``CERTIFICATE_VERIFY_FAILED: unable to
+    get local issuer certificate`` on many macOS (python.org) installs. Resolves
+    a CA bundle, all options verifying: ``OCTARIN_CA_BUNDLE`` / ``SSL_CERT_FILE``
+    env, then ``certifi`` if importable, then known system bundles, then the
+    interpreter default. Built once and reused.
+    """
+    global _SSL_CTX
+    if _SSL_CTX is not None:
+        return _SSL_CTX
+    cafile: str | None = None
+    for env in ("OCTARIN_CA_BUNDLE", "SSL_CERT_FILE"):
+        p = os.environ.get(env)
+        if p and os.path.exists(p):
+            cafile = p
+            break
+    if cafile is None:
+        try:
+            import certifi  # noqa: PLC0415 - optional, used only if present
+
+            cafile = certifi.where()
+        except Exception:
+            for p in (
+                "/etc/ssl/cert.pem",  # macOS base system, many Linux
+                "/opt/homebrew/etc/openssl@3/cert.pem",  # Apple-silicon Homebrew
+                "/usr/local/etc/openssl@3/cert.pem",  # Intel Homebrew
+                "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu
+                "/etc/pki/tls/certs/ca-bundle.crt",  # RHEL/CentOS
+            ):
+                if os.path.exists(p):
+                    cafile = p
+                    break
+    try:
+        _SSL_CTX = ssl.create_default_context(cafile=cafile)
+    except Exception:
+        _SSL_CTX = ssl.create_default_context()
+    return _SSL_CTX
+
+
 def post_event(
     url: str, key: str, event: dict, timeout: float = 20.0
 ) -> tuple[bool, str]:
@@ -955,7 +1007,7 @@ def post_event(
         method="POST",
     )
     try:
-        with urllib.request.urlopen(req, timeout=timeout) as resp:
+        with urllib.request.urlopen(req, timeout=timeout, context=_ssl_context()) as resp:
             raw = resp.read().decode("utf-8", "replace")
             try:
                 n = json.loads(raw).get("span_count")

package/assets/claude_code/hook.py

@@ -24,9 +24,9 @@ import getpass
 import hashlib
 import json
 import os
+import ssl
 import subprocess
 import sys
-import time
 import urllib.request
 import uuid
 from datetime import datetime, timezone
@@ -476,6 +476,46 @@ def user_ref() -> str:
         return "unknown"
 
 
+_SSL_CTX = None
+
+
+def _ssl_context():
+    """Cert-verifying TLS context resilient to empty trust stores (the macOS
+    python.org ``CERTIFICATE_VERIFY_FAILED`` issue). Resolves a CA bundle —
+    OCTARIN_CA_BUNDLE / SSL_CERT_FILE env, certifi if importable, known system
+    bundles, else the interpreter default — and reuses it."""
+    global _SSL_CTX
+    if _SSL_CTX is not None:
+        return _SSL_CTX
+    cafile = None
+    for env in ("OCTARIN_CA_BUNDLE", "SSL_CERT_FILE"):
+        p = os.environ.get(env)
+        if p and os.path.exists(p):
+            cafile = p
+            break
+    if cafile is None:
+        try:
+            import certifi
+
+            cafile = certifi.where()
+        except Exception:
+            for p in (
+                "/etc/ssl/cert.pem",
+                "/opt/homebrew/etc/openssl@3/cert.pem",
+                "/usr/local/etc/openssl@3/cert.pem",
+                "/etc/ssl/certs/ca-certificates.crt",
+                "/etc/pki/tls/certs/ca-bundle.crt",
+            ):
+                if os.path.exists(p):
+                    cafile = p
+                    break
+    try:
+        _SSL_CTX = ssl.create_default_context(cafile=cafile)
+    except Exception:
+        _SSL_CTX = ssl.create_default_context()
+    return _SSL_CTX
+
+
 def post_event(event: dict) -> bool:
     """POST the IngestEvent. Returns True on 2xx, False otherwise (fail-open)."""
     url = os.environ.get("OCTARIN_INGEST_URL")
@@ -491,25 +531,48 @@ def post_event(event: dict) -> bool:
     if api_key:
         req.add_header("Authorization", f"Bearer {api_key}")
     try:
-        with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_S) as resp:
+        with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_S, context=_ssl_context()) as resp:
             return 200 <= resp.status < 300
     except Exception:
         return False
 
 
-def load_state() -> dict:
+def _state_file(key: str) -> Path:
+    """Per-session state file.
+
+    One file per session key, NOT one shared JSON: with the shared file two
+    concurrent sessions raced load→save and the last writer clobbered the other
+    session's offset back, so its next fire re-read (and re-sent) transcript
+    chunks it had already shipped.
+    """
+    return STATE_DIR / f"claude_code_state.{key[:32]}.json"
+
+
+def load_state(key: str) -> dict:
+    f = _state_file(key)
     try:
-        return json.loads(STATE_FILE.read_text(encoding="utf-8")) if STATE_FILE.exists() else {}
+        if f.exists():
+            return {key: json.loads(f.read_text(encoding="utf-8"))}
     except Exception:
         return {}
+    # One-time migration: pick this session's entry out of the legacy shared file.
+    try:
+        if STATE_FILE.exists():
+            legacy = json.loads(STATE_FILE.read_text(encoding="utf-8"))
+            if key in legacy:
+                return {key: legacy[key]}
+    except Exception:
+        pass
+    return {}
 
 
-def save_state(state: dict) -> None:
+def save_state(state: dict, key: str) -> None:
     try:
         STATE_DIR.mkdir(parents=True, exist_ok=True)
-        tmp = STATE_FILE.with_suffix(".tmp")
-        tmp.write_text(json.dumps(state, sort_keys=True), encoding="utf-8")
-        os.replace(tmp, STATE_FILE)
+        f = _state_file(key)
+        tmp = f.with_suffix(".tmp")
+        tmp.write_text(json.dumps(state.get(key) or {}, sort_keys=True), encoding="utf-8")
+        os.replace(tmp, f)
     except Exception:
         pass
 
@@ -520,10 +583,10 @@ def build_event(payload: dict) -> dict | None:
     if not session_id or path is None:
         return None
 
-    state = load_state()
     key = hashlib.sha256(f"{session_id}::{path}".encode()).hexdigest()
+    state = load_state(key)
     entries = read_new_entries(path, state, key)
-    save_state(state)
+    save_state(state, key)
     if not entries:
         return None
 
@@ -532,7 +595,12 @@ def build_event(payload: dict) -> dict | None:
         return None
 
     repo = Path(cwd).name if cwd else None
-    src_trace = f"{session_id}:{int(time.time())}"
+    # Day-stable trace id (like the Cursor hook): every fire for a session
+    # upserts the SAME trace, so a re-sent chunk (offset race, retry) replaces
+    # its span rows in the ReplacingMergeTree instead of minting a new trace
+    # per second and double-counting. The date suffix splits multi-day sessions.
+    day = datetime.now(timezone.utc).strftime("%Y-%m-%d")
+    src_trace = f"{session_id}:{day}"
     trace_id = str(uuid.uuid5(_TRACE_NAMESPACE, f"{SOURCE}:{src_trace}"))
     times = [s["start_time"] for s in spans]
 

package/assets/cursor/lib/canonical.js

@@ -128,6 +128,9 @@ function toolSpanId(input) {
 function fromPostToolUse(input) {
   const tool = input.tool_name || "tool";
   const span = baseSpan(toolSpanId(input), tool, "tool");
+  // Cursor never exposes token usage, so the backend estimates tool spans from
+  // their I/O — stamp the session model so the estimate prices at its real rate.
+  span.model = input.model || null;
   span.input = truncate(asText(input.tool_input));
   span.output = truncate(asText(input.tool_output));
   span.attributes = {
@@ -144,6 +147,7 @@ function fromPostToolUse(input) {
 function fromPostToolUseFailure(input) {
   const tool = input.tool_name || "tool";
   const span = baseSpan(toolSpanId(input), tool, "tool");
+  span.model = input.model || null;
   span.status = "error";
   span.error_message = input.error_message || input.failure_type || "tool failed";
   span.input = truncate(asText(input.tool_input));

package/assets/repo-template/dot-claude/octarin/hook.py

@@ -42,6 +42,7 @@ import getpass
 import hashlib
 import json
 import os
+import ssl
 import subprocess
 import sys
 import time
@@ -547,6 +548,46 @@ def _notify_auth_required_once(project: str) -> None:
     )
 
 
+_SSL_CTX = None
+
+
+def _ssl_context():
+    """Cert-verifying TLS context resilient to empty trust stores (the macOS
+    python.org ``CERTIFICATE_VERIFY_FAILED`` issue). Resolves a CA bundle —
+    OCTARIN_CA_BUNDLE / SSL_CERT_FILE env, certifi if importable, known system
+    bundles, else the interpreter default — and reuses it."""
+    global _SSL_CTX
+    if _SSL_CTX is not None:
+        return _SSL_CTX
+    cafile = None
+    for env in ("OCTARIN_CA_BUNDLE", "SSL_CERT_FILE"):
+        p = os.environ.get(env)
+        if p and os.path.exists(p):
+            cafile = p
+            break
+    if cafile is None:
+        try:
+            import certifi
+
+            cafile = certifi.where()
+        except Exception:
+            for p in (
+                "/etc/ssl/cert.pem",
+                "/opt/homebrew/etc/openssl@3/cert.pem",
+                "/usr/local/etc/openssl@3/cert.pem",
+                "/etc/ssl/certs/ca-certificates.crt",
+                "/etc/pki/tls/certs/ca-bundle.crt",
+            ):
+                if os.path.exists(p):
+                    cafile = p
+                    break
+    try:
+        _SSL_CTX = ssl.create_default_context(cafile=cafile)
+    except Exception:
+        _SSL_CTX = ssl.create_default_context()
+    return _SSL_CTX
+
+
 def post_event(event: dict) -> bool:
     """POST the IngestEvent. Returns True on 2xx, False otherwise (fail-open).
 
@@ -585,7 +626,7 @@ def post_event(event: dict) -> bool:
     elif project:
         req.add_header("X-Octarin-Project", project)
     try:
-        with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_S) as resp:
+        with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_S, context=_ssl_context()) as resp:
             return HTTP_OK <= resp.status < HTTP_MULTIPLE_CHOICES
     except urllib.error.HTTPError as exc:
         # Strict-auth signal from the server: print the login.sh hint, once.

package/assets/repo-template/dot-cursor/hooks/lib/canonical.js

@@ -128,6 +128,9 @@ function toolSpanId(input) {
 function fromPostToolUse(input) {
   const tool = input.tool_name || "tool";
   const span = baseSpan(toolSpanId(input), tool, "tool");
+  // Cursor never exposes token usage, so the backend estimates tool spans from
+  // their I/O — stamp the session model so the estimate prices at its real rate.
+  span.model = input.model || null;
   span.input = truncate(asText(input.tool_input));
   span.output = truncate(asText(input.tool_output));
   span.attributes = {
@@ -144,6 +147,7 @@ function fromPostToolUse(input) {
 function fromPostToolUseFailure(input) {
   const tool = input.tool_name || "tool";
   const span = baseSpan(toolSpanId(input), tool, "tool");
+  span.model = input.model || null;
   span.status = "error";
   span.error_message = input.error_message || input.failure_type || "tool failed";
   span.input = truncate(asText(input.tool_input));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "octarin-cli",
-  "version": "0.3.1",
+  "version": "0.3.3",
   "description": "Octarin's per-user CLI: install AI-coding capture (`octarin init` / `init-repo`) and authorize a machine (`octarin login`). Streams your Claude Code / Cursor / Codex usage to your Octarin workspace.",
   "keywords": [
     "octarin",