skimpyclaw 0.3.6 → 0.3.9

package/dist/tools/execute-context.d.ts

@@ -1,13 +1,13 @@
 export interface ExecuteToolContext {
-    /** Task ID for file lock acquisition (subagent writes) */
+    /** Task ID for file lock acquisition (concurrent writes) */
     lockTaskId?: string;
     /** Abort signal for cancelling long-running tool loops */
     abortSignal?: AbortSignal;
-    /** Chat ID for spawn_subagent dispatch */
+    /** Chat ID for channel routing */
     chatId?: number;
-    /** Full config for spawn_subagent */
+    /** Full config for agent tools */
     fullConfig?: import('../types.js').Config;
-    /** Conversation history for spawn_subagent */
+    /** Conversation history */
     history?: import('../types.js').ChatMessage[];
     /** Audit trace ID for recording tool events */
     auditTraceId?: string;

package/dist/tools/file-tools.d.ts

@@ -1,7 +1,7 @@
 import type { ToolConfig } from '../types.js';
 export declare function executeReadFile(path: string, config: ToolConfig): string;
 /**
- * Write with file locking when a lockTaskId is provided (subagent context).
+ * Write with file locking when a lockTaskId is provided (concurrent context).
  * Falls back to unlocked write when no lockTaskId.
  */
 export declare function executeWriteFileLocked(path: string, content: string, config: ToolConfig, lockTaskId?: string): Promise<string>;

package/dist/tools/file-tools.js

@@ -26,7 +26,7 @@ function executeWriteFile(path, content, config) {
     return `Written: ${path} (${content.length} bytes)`;
 }
 /**
- * Write with file locking when a lockTaskId is provided (subagent context).
+ * Write with file locking when a lockTaskId is provided (concurrent context).
  * Falls back to unlocked write when no lockTaskId.
  */
 export async function executeWriteFileLocked(path, content, config, lockTaskId) {

package/dist/tools.d.ts

@@ -1,21 +1,21 @@
 import type { ToolConfig } from './types.js';
-import { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER_TOOL_DEFINITION, TOOL_DEFINITIONS, SPAWN_SUBAGENT_TOOL, CODE_WITH_AGENT_TOOL, CODE_WITH_TEAM_TOOL, CHECK_CODE_AGENT_TOOL } from './tools/definitions.js';
+import { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER_TOOL_DEFINITION, TOOL_DEFINITIONS, CODE_WITH_AGENT_TOOL, CODE_WITH_TEAM_TOOL, CHECK_CODE_AGENT_TOOL } from './tools/definitions.js';
 import type { ExecuteToolContext } from './tools/execute-context.js';
 import { cleanupBrowser } from './tools/browser-tool.js';
 export { getActiveCodeAgents, getRecentCodeAgents, getAllCodeAgents, getCodeAgent, cancelCodeAgent, restoreCodeAgentTasks, setCodeAgentConfig, computeWaves, decomposeTask, synthesizeResults, runValidation, runCodeAgentBackground, buildCodeAgentArgs, readTeamState, parseStreamJsonForLive, } from './code-agents/index.js';
-export { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER_TOOL_DEFINITION, TOOL_DEFINITIONS, SPAWN_SUBAGENT_TOOL, CODE_WITH_AGENT_TOOL, CODE_WITH_TEAM_TOOL, CHECK_CODE_AGENT_TOOL, cleanupBrowser, };
+export { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER_TOOL_DEFINITION, TOOL_DEFINITIONS, CODE_WITH_AGENT_TOOL, CODE_WITH_TEAM_TOOL, CHECK_CODE_AGENT_TOOL, cleanupBrowser, };
 export type { ExecuteToolContext };
 export type { CodeAgentTask, DecomposedSubtask } from './code-agents/index.js';
 export declare function discoverMcpTools(): Promise<any[]>;
 export declare function clearMcpToolCache(): void;
 /**
- * Get all available tool definitions: built-ins + browser (if enabled) + MCP (auto-discovered) + spawn_subagent.
+ * Get all available tool definitions: built-ins + browser (if enabled) + MCP (auto-discovered) + agent tools.
  * This is the primary way to get tools — replaces the static TOOL_DEFINITIONS export.
- * Pass includeSpawnSubagent: true to include the spawn_subagent tool (e.g. for Telegram conversations).
+ * Pass includeAgentTools: true to include code_with_agent, code_with_team, check_code_agent.
  * Results are cached for 60s to avoid rebuilding the array on every agent turn.
  */
 export declare function getToolDefinitions(config?: ToolConfig, options?: {
-    includeSpawnSubagent?: boolean;
+    includeAgentTools?: boolean;
     includeMcp?: boolean;
     projects?: Record<string, string>;
 }): Promise<any[]>;

package/dist/tools.js

@@ -1,13 +1,16 @@
 // Tool definitions and executors for Anthropic API tool_use
-import { join } from 'path';
+import { join, resolve } from 'path';
 import { homedir } from 'os';
 import { TTLCache } from './cache.js';
-import { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER_TOOL_DEFINITION, TOOL_DEFINITIONS, SPAWN_SUBAGENT_TOOL, CODE_WITH_AGENT_TOOL, CODE_WITH_TEAM_TOOL, CHECK_CODE_AGENT_TOOL, } from './tools/definitions.js';
+import { toErrorMessage } from './utils.js';
+import { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER_TOOL_DEFINITION, TOOL_DEFINITIONS, CODE_WITH_AGENT_TOOL, CODE_WITH_TEAM_TOOL, CHECK_CODE_AGENT_TOOL, } from './tools/definitions.js';
 import { executeReadFile, executeWriteFileLocked, executeListDirectory } from './tools/file-tools.js';
 import { executeBash } from './tools/bash-tool.js';
 import { executeBrowser, cleanupBrowser } from './tools/browser-tool.js';
 import { ensureContainer, SANDBOX_DEFAULTS, translatePath, validateMountPaths } from './sandbox/index.js';
 import { sandboxBash, sandboxReadFile, sandboxWriteFile, sandboxListDir, sandboxGlob } from './sandbox/index.js';
+import { isBashCommandSafe } from './security.js';
+import { classifyCommandRisk, requiresApproval } from './exec-approval.js';
 // Re-export from code-agents module for backward compatibility
 export { 
 // Registry functions
@@ -23,7 +26,7 @@ buildCodeAgentArgs, readTeamState,
 // Parsers
 parseStreamJsonForLive, } from './code-agents/index.js';
 // Re-export from definitions
-export { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER_TOOL_DEFINITION, TOOL_DEFINITIONS, SPAWN_SUBAGENT_TOOL, CODE_WITH_AGENT_TOOL, CODE_WITH_TEAM_TOOL, CHECK_CODE_AGENT_TOOL, cleanupBrowser, };
+export { fromClaudeCodeName, toClaudeCodeName, BUILTIN_TOOL_DEFINITIONS, BROWSER_TOOL_DEFINITION, TOOL_DEFINITIONS, CODE_WITH_AGENT_TOOL, CODE_WITH_TEAM_TOOL, CHECK_CODE_AGENT_TOOL, cleanupBrowser, };
 // --- MCP (mcporter) ---
 let mcpRuntime = null;
 async function getMcpRuntime() {
@@ -82,83 +85,78 @@ export function clearMcpToolCache() {
     discoveredMcpTools = null;
 }
 const toolDefsCache = new TTLCache(60_000);
+/** Inject project names into a tool's workdir description, or return the tool unchanged. */
+function injectProjects(tool, projects) {
+    if (!projects || Object.keys(projects).length === 0)
+        return tool;
+    const projectList = Object.entries(projects)
+        .map(([name, path]) => `"${name}" → ${path}`)
+        .join(', ');
+    return {
+        ...tool,
+        input_schema: {
+            ...tool.input_schema,
+            properties: {
+                ...tool.input_schema.properties,
+                workdir: {
+                    type: 'string',
+                    description: `Working directory or project name. Named projects: ${projectList}. Default: SkimpyClaw repo root.`,
+                },
+            },
+        },
+    };
+}
 /**
- * Get all available tool definitions: built-ins + browser (if enabled) + MCP (auto-discovered) + spawn_subagent.
+ * Get all available tool definitions: built-ins + browser (if enabled) + MCP (auto-discovered) + agent tools.
  * This is the primary way to get tools — replaces the static TOOL_DEFINITIONS export.
- * Pass includeSpawnSubagent: true to include the spawn_subagent tool (e.g. for Telegram conversations).
+ * Pass includeAgentTools: true to include code_with_agent, code_with_team, check_code_agent.
  * Results are cached for 60s to avoid rebuilding the array on every agent turn.
  */
 export async function getToolDefinitions(config, options) {
     const includeMcp = options?.includeMcp !== false; // default true for backwards compat
+    const profile = config?.toolProfile ?? 'full';
     const cacheKey = JSON.stringify({
         browser: config?.browser?.enabled,
-        spawn: options?.includeSpawnSubagent,
+        agentTools: options?.includeAgentTools,
         mcp: includeMcp,
         projects: options?.projects,
+        profile,
     });
     const cached = toolDefsCache.get(cacheKey);
     if (cached)
         return cached;
     const tools = [...BUILTIN_TOOL_DEFINITIONS];
+    // Minimal profile: only the 4 built-in tools (Read, Write, Glob, Bash).
+    // Used by orchestrator decompose/synthesize calls.
+    if (profile === 'minimal') {
+        toolDefsCache.set(cacheKey, tools);
+        return tools;
+    }
     // Include browser tool only when explicitly enabled
     if (config?.browser?.enabled) {
         tools.push(BROWSER_TOOL_DEFINITION);
     }
+    // Coding profile: built-ins + browser + code_with_agent + check_code_agent.
+    // Skips MCP discovery and code_with_team.
+    if (profile === 'coding') {
+        if (options?.includeAgentTools) {
+            tools.push(injectProjects(CODE_WITH_AGENT_TOOL, options.projects));
+            tools.push(CHECK_CODE_AGENT_TOOL);
+        }
+        toolDefsCache.set(cacheKey, tools);
+        return tools;
+    }
+    // Full profile (default): everything including MCP and code_with_team.
     // Auto-discover MCP tools from mcporter config (only for Anthropic models)
     if (includeMcp) {
         const mcpTools = await discoverMcpTools();
         tools.push(...mcpTools);
     }
-    // Include spawn_subagent, code_with_agent, and check_code_agent tools when requested
-    if (options?.includeSpawnSubagent) {
-        tools.push(SPAWN_SUBAGENT_TOOL);
-        // Inject project names into code_with_agent description so the model knows what to use
+    // Include code_with_agent, code_with_team, and check_code_agent when requested
+    if (options?.includeAgentTools) {
         const projects = options.projects;
-        if (projects && Object.keys(projects).length > 0) {
-            const projectList = Object.entries(projects)
-                .map(([name, path]) => `"${name}" → ${path}`)
-                .join(', ');
-            const codeAgentWithProjects = {
-                ...CODE_WITH_AGENT_TOOL,
-                input_schema: {
-                    ...CODE_WITH_AGENT_TOOL.input_schema,
-                    properties: {
-                        ...CODE_WITH_AGENT_TOOL.input_schema.properties,
-                        workdir: {
-                            type: 'string',
-                            description: `Working directory or project name. Named projects: ${projectList}. Default: SkimpyClaw repo root.`,
-                        },
-                    },
-                },
-            };
-            tools.push(codeAgentWithProjects);
-        }
-        else {
-            tools.push(CODE_WITH_AGENT_TOOL);
-        }
-        // Inject project names into code_with_team description too
-        if (projects && Object.keys(projects).length > 0) {
-            const projectList = Object.entries(projects)
-                .map(([name, path]) => `"${name}" → ${path}`)
-                .join(', ');
-            const codeTeamWithProjects = {
-                ...CODE_WITH_TEAM_TOOL,
-                input_schema: {
-                    ...CODE_WITH_TEAM_TOOL.input_schema,
-                    properties: {
-                        ...CODE_WITH_TEAM_TOOL.input_schema.properties,
-                        workdir: {
-                            type: 'string',
-                            description: `Working directory or project name. Named projects: ${projectList}. Default: SkimpyClaw repo root.`,
-                        },
-                    },
-                },
-            };
-            tools.push(codeTeamWithProjects);
-        }
-        else {
-            tools.push(CODE_WITH_TEAM_TOOL);
-        }
+        tools.push(injectProjects(CODE_WITH_AGENT_TOOL, projects));
+        tools.push(injectProjects(CODE_WITH_TEAM_TOOL, projects));
         tools.push(CHECK_CODE_AGENT_TOOL);
     }
     toolDefsCache.set(cacheKey, tools);
@@ -250,8 +248,6 @@ export async function executeTool(name, input, config, context) {
                 const { isPathAllowed } = await import('./tools/path-utils.js');
                 for (const [key, value] of Object.entries(input)) {
                     if (typeof value === 'string' && (value.startsWith('/') || value.startsWith('~/') || value.startsWith('./'))) {
-                        const { resolve } = await import('path');
-                        const { homedir } = await import('os');
                         const resolved = value.startsWith('~/') ? resolve(homedir(), value.slice(2)) : resolve(value);
                         if (!isPathAllowed(resolved, config.allowedPaths)) {
                             return `Error: MCP tool argument "${key}" references path outside allowed directories: ${value}`;
@@ -261,10 +257,6 @@ export async function executeTool(name, input, config, context) {
             }
             return await executeMcpToolGeneric(name, input);
         }
-        // Route spawn_subagent
-        if (name === 'spawn_subagent') {
-            return await executeSpawnSubagent(input, context);
-        }
         // Route code_with_agent - delegate to code-agents module
         if (name === 'code_with_agent') {
             const { executeCodeWithAgent } = await import('./code-agents/index.js');
@@ -330,8 +322,39 @@ export async function executeTool(name, input, config, context) {
                     return reversed;
                 };
                 switch (normalized) {
-                    case 'bash':
-                        return await sandboxBash(containerName, translateBashPaths(input.command), input.cwd ? tp(input.cwd) : undefined, config.bashTimeout);
+                    case 'bash': {
+                        const translatedCmd = translateBashPaths(input.command);
+                        // Apply hard safety blocks and exec-approval inside sandbox.
+                        // The sandbox provides filesystem isolation but not command-level policy.
+                        if (!isBashCommandSafe(translatedCmd)) {
+                            return 'Error: Command blocked by safety filter.';
+                        }
+                        const classification = classifyCommandRisk(translatedCmd);
+                        const approvalConfig = config.execApproval;
+                        if (requiresApproval(classification, approvalConfig)) {
+                            const isUnattended = context?.channel === 'subagent' ||
+                                context?.isCronJob === true ||
+                                (!context?.approverUserId && !context?.channelTargetId && !context?.chatId);
+                            if (isUnattended) {
+                                return `⛔ Command blocked — tier ${classification.tier} commands require approval but no approver is available in this context (${classification.reason}). Use safer alternatives or request approval via an interactive channel.`;
+                            }
+                            // Attended context — run full approval flow before executing in sandbox
+                            const { createApprovalRequest: sbxCreate, waitForApproval: sbxWait } = await import('./exec-approval.js');
+                            const ttlMs = approvalConfig?.ttlMs ?? 5 * 60 * 1000;
+                            const channelMeta = context?.channel ? {
+                                channel: context.channel,
+                                chatId: context.channelTargetId ?? context.chatId,
+                                userId: context.approverUserId,
+                                username: context.approverUsername,
+                            } : context?.chatId ? { channel: 'telegram', chatId: context.chatId } : undefined;
+                            const sbxReq = sbxCreate(translatedCmd, input.cwd, classification, approvalConfig, channelMeta);
+                            const sbxResolved = await sbxWait(sbxReq.id, ttlMs);
+                            if (sbxResolved.status !== 'approved') {
+                                return `⛔ Command not executed — approval ${sbxResolved.status} (tier ${classification.tier}: ${classification.reason}).`;
+                            }
+                        }
+                        return await sandboxBash(containerName, translatedCmd, input.cwd ? tp(input.cwd) : undefined, config.bashTimeout);
+                    }
                     case 'read_file':
                         return await sandboxReadFile(containerName, tp(input.file_path || input.path));
                     case 'write_file':
@@ -365,41 +388,7 @@ export async function executeTool(name, input, config, context) {
         }
     }
     catch (err) {
-        return `Error: ${err instanceof Error ? err.message : String(err)}`;
+        return `Error: ${toErrorMessage(err)}`;
     }
 }
 // --- Individual Tool Implementations ---
-/**
- * Execute spawn_subagent tool — dispatches a background subagent.
- */
-async function executeSpawnSubagent(input, context) {
-    if (!context?.fullConfig || !context?.chatId) {
-        return 'Error: spawn_subagent requires a chat context (not available in this mode)';
-    }
-    const { dispatchSubagent } = await import('./subagent.js');
-    const task = input.task;
-    const type = input.type;
-    const model = input.model;
-    const label = input.label;
-    // NOTE: allowedPaths deliberately NOT accepted from model input (security — prevents path escalation).
-    // Subagents inherit their preset's allowedPaths from config.
-    if (!task || !type) {
-        return 'Error: task and type are required';
-    }
-    if (!['coding', 'research'].includes(type)) {
-        return `Error: Invalid type "${type}". Must be coding or research.`;
-    }
-    try {
-        const subagentTask = dispatchSubagent(type, task, context.chatId, context.fullConfig, model, context.history, { label });
-        const labelStr = label ? ` "${label}"` : '';
-        return JSON.stringify({
-            status: 'accepted',
-            runId: subagentTask.id,
-            label: label || subagentTask.type,
-            message: `Subagent ${subagentTask.id}${labelStr} dispatched (${subagentTask.type}, model: ${subagentTask.model}). Results will be announced when done.`,
-        });
-    }
-    catch (err) {
-        return `Error: ${err instanceof Error ? err.message : String(err)}`;
-    }
-}

package/dist/types.d.ts

@@ -60,10 +60,16 @@ export interface Config {
         token?: string;
         frontend?: 'framework';
     };
-    subagents?: {
+    codeAgents?: {
         maxConcurrent?: number;
-        maxRetries?: number;
-        defaultCodeAgent?: string;
+        defaultAgent?: string;
+        timeoutMinutes?: number;
+        teamTimeoutMinutes?: number;
+        maxTurns?: number;
+        skipPlaywright?: boolean;
+        /** Per-project validation commands. Keys match project names from `projects` config.
+         *  Values are shell commands run in the project dir. Overrides auto-detected build+test. */
+        validationCommands?: Record<string, string>;
     };
     langfuse?: {
         enabled?: boolean;
@@ -150,6 +156,11 @@ export interface ToolConfig {
     maxIterations?: number;
     bashTimeout?: number;
     maxTurnTokens?: number;
+    toolProfile?: 'minimal' | 'coding' | 'full';
+    contextManagement?: {
+        enabled?: boolean;
+        maxContextTokens?: number;
+    };
     browser?: {
         enabled?: boolean;
         type?: 'chromium' | 'firefox' | 'webkit';
@@ -200,25 +211,6 @@ export interface ModelProvider {
     name: string;
     chat(messages: ChatMessage[], options: ChatOptions): Promise<string>;
 }
-export type SubagentType = 'coding' | 'research';
-export type SubagentStatus = 'pending' | 'running' | 'completed' | 'failed' | 'cancelled';
-export interface SubagentTask {
-    id: string;
-    type: SubagentType;
-    prompt: string;
-    status: SubagentStatus;
-    chatId: number;
-    model: string;
-    label?: string;
-    createdAt: Date;
-    startedAt?: Date;
-    completedAt?: Date;
-    result?: string;
-    error?: string;
-    retryCount?: number;
-    maxRetries?: number;
-    abortController: AbortController;
-}
 export type ImageContentBlock = {
     type: 'image';
     source: {

package/dist/usage.d.ts

@@ -72,5 +72,6 @@ export declare function readUsageRecords(options?: ReadUsageOptions): {
 export declare function aggregateUsage(startDate: string, endDate: string): UsageAggregation;
 /**
  * Get usage summary for today, last 7 days, and last 30 days.
+ * Reads files once for the full 30-day window, then partitions in memory.
  */
 export declare function getUsageSummary(): UsageSummary;

package/dist/usage.js

@@ -1,18 +1,10 @@
 // Usage tracking — JSONL append-only storage at ~/.skimpyclaw/logs/usage/YYYY-MM-DD.jsonl
 import { randomUUID } from 'crypto';
-import { readFileSync, appendFileSync, existsSync, mkdirSync, readdirSync } from 'fs';
+import { appendFileSync, existsSync, mkdirSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
+import { formatDate, readJsonlDir } from './utils.js';
 const USAGE_DIR = join(homedir(), '.skimpyclaw', 'logs', 'usage');
-function formatDate(date) {
-    const y = date.getFullYear();
-    const m = String(date.getMonth() + 1).padStart(2, '0');
-    const d = String(date.getDate()).padStart(2, '0');
-    return `${y}-${m}-${d}`;
-}
-function getUsageFilePath(dateStr) {
-    return join(USAGE_DIR, `${dateStr}.jsonl`);
-}
 /** For testing: override the usage directory */
 let usageDirOverride = null;
 export function setUsageDirForTesting(dir) {
@@ -67,45 +59,15 @@ export function buildUsageRecord(opts) {
  */
 export function readUsageRecords(options = {}) {
     const dir = getUsageDir();
-    if (!existsSync(dir)) {
-        return { records: [], total: 0 };
-    }
     const limit = options.limit ?? 50;
     const offset = options.offset ?? 0;
     const now = new Date();
     const endDate = options.endDate ?? formatDate(now);
     const startDate = options.startDate ?? formatDate(new Date(now.getTime() - 30 * 24 * 60 * 60 * 1000));
-    const files = readdirSync(dir)
-        .filter(f => f.endsWith('.jsonl'))
-        .sort()
-        .reverse(); // newest first
-    const allRecords = [];
-    for (const file of files) {
-        const dateStr = file.replace('.jsonl', '');
-        if (dateStr < startDate || dateStr > endDate)
-            continue;
-        const filePath = join(dir, file);
-        try {
-            const content = readFileSync(filePath, 'utf-8');
-            const lines = content.trim().split('\n').filter(Boolean);
-            for (let i = lines.length - 1; i >= 0; i--) {
-                try {
-                    const record = JSON.parse(lines[i]);
-                    if (options.model && record.model !== options.model)
-                        continue;
-                    allRecords.push(record);
-                }
-                catch {
-                    // Skip malformed lines
-                }
-            }
-        }
-        catch {
-            // Skip unreadable files
-        }
-    }
+    const modelFilter = options.model;
+    const allRecords = readJsonlDir(dir, startDate, endDate, modelFilter ? (r) => r.model === modelFilter : undefined);
     // Sort newest first
-    allRecords.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+    allRecords.sort((a, b) => Date.parse(b.timestamp) - Date.parse(a.timestamp));
     const total = allRecords.length;
     const paged = allRecords.slice(offset, offset + limit);
     return { records: paged, total };
@@ -136,15 +98,37 @@ export function aggregateUsage(startDate, endDate) {
 }
 /**
  * Get usage summary for today, last 7 days, and last 30 days.
+ * Reads files once for the full 30-day window, then partitions in memory.
  */
 export function getUsageSummary() {
     const now = new Date();
     const todayStr = formatDate(now);
     const weekAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000);
     const monthAgo = new Date(now.getTime() - 30 * 24 * 60 * 60 * 1000);
+    const weekAgoStr = formatDate(weekAgo);
+    const monthAgoStr = formatDate(monthAgo);
+    // Read all records once for the full 30-day range
+    const { records: allRecords } = readUsageRecords({ startDate: monthAgoStr, endDate: todayStr, limit: 100000 });
+    const aggregate = (records) => {
+        const agg = emptyAggregation();
+        for (const r of records) {
+            agg.totalCost += r.totalCost;
+            agg.totalInputTokens += r.inputTokens;
+            agg.totalOutputTokens += r.outputTokens;
+            agg.totalCalls++;
+            if (!agg.byModel[r.model]) {
+                agg.byModel[r.model] = { calls: 0, inputTokens: 0, outputTokens: 0, cost: 0 };
+            }
+            agg.byModel[r.model].calls++;
+            agg.byModel[r.model].inputTokens += r.inputTokens;
+            agg.byModel[r.model].outputTokens += r.outputTokens;
+            agg.byModel[r.model].cost += r.totalCost;
+        }
+        return agg;
+    };
     return {
-        today: aggregateUsage(todayStr, todayStr),
-        week: aggregateUsage(formatDate(weekAgo), todayStr),
-        month: aggregateUsage(formatDate(monthAgo), todayStr),
+        today: aggregate(allRecords.filter(r => r.timestamp.slice(0, 10) === todayStr)),
+        week: aggregate(allRecords.filter(r => r.timestamp.slice(0, 10) >= weekAgoStr)),
+        month: aggregate(allRecords),
     };
 }

package/dist/utils.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Format a Date as YYYY-MM-DD string.
+ */
+export declare function formatDate(date: Date): string;
+/**
+ * Extract an error message from an unknown caught value.
+ */
+export declare function toErrorMessage(err: unknown): string;
+/**
+ * Read JSONL files from a dated directory (YYYY-MM-DD.jsonl), filtered by date range.
+ * Returns records in reverse chronological order (newest first).
+ */
+export declare function readJsonlDir<T>(dir: string, startDate: string, endDate: string, filter?: (record: T) => boolean): T[];
+/**
+ * Timing-safe bearer token validation.
+ * Returns true if the provided token matches the expected token.
+ */
+export declare function validateBearerToken(expected: string, authHeader: string | undefined): boolean;

package/dist/utils.js

@@ -0,0 +1,71 @@
+// Shared utilities used across modules
+import { readFileSync, readdirSync, existsSync } from 'fs';
+import { join } from 'path';
+import { timingSafeEqual } from 'crypto';
+/**
+ * Format a Date as YYYY-MM-DD string.
+ */
+export function formatDate(date) {
+    const y = date.getFullYear();
+    const m = String(date.getMonth() + 1).padStart(2, '0');
+    const d = String(date.getDate()).padStart(2, '0');
+    return `${y}-${m}-${d}`;
+}
+/**
+ * Extract an error message from an unknown caught value.
+ */
+export function toErrorMessage(err) {
+    return err instanceof Error ? err.message : String(err);
+}
+/**
+ * Read JSONL files from a dated directory (YYYY-MM-DD.jsonl), filtered by date range.
+ * Returns records in reverse chronological order (newest first).
+ */
+export function readJsonlDir(dir, startDate, endDate, filter) {
+    if (!existsSync(dir))
+        return [];
+    const files = readdirSync(dir)
+        .filter(f => f.endsWith('.jsonl'))
+        .sort()
+        .reverse(); // newest first
+    const allRecords = [];
+    for (const file of files) {
+        const dateStr = file.replace('.jsonl', '');
+        if (dateStr < startDate || dateStr > endDate)
+            continue;
+        const filePath = join(dir, file);
+        try {
+            const content = readFileSync(filePath, 'utf-8');
+            const lines = content.trim().split('\n').filter(Boolean);
+            for (let i = lines.length - 1; i >= 0; i--) {
+                try {
+                    const record = JSON.parse(lines[i]);
+                    if (filter && !filter(record))
+                        continue;
+                    allRecords.push(record);
+                }
+                catch {
+                    // Skip malformed lines
+                }
+            }
+        }
+        catch {
+            // Skip unreadable files
+        }
+    }
+    return allRecords;
+}
+/**
+ * Timing-safe bearer token validation.
+ * Returns true if the provided token matches the expected token.
+ */
+export function validateBearerToken(expected, authHeader) {
+    if (!authHeader || !authHeader.startsWith('Bearer '))
+        return false;
+    const provided = authHeader.slice(7);
+    const expectedBuf = Buffer.from(expected, 'utf8');
+    const providedBuf = Buffer.from(provided, 'utf8');
+    if (expectedBuf.length !== providedBuf.length)
+        return false;
+    return timingSafeEqual(expectedBuf, providedBuf);
+}