tokenrace 0.1.8 → 0.1.10

package/dist/index.html

@@ -4,7 +4,7 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>tokenrace</title>
-    <script type="module" crossorigin src="/assets/index-Bq_1mbQ9.js"></script>
+    <script type="module" crossorigin src="/assets/index-DQk3XNu9.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-B0dy8dWP.css">
   </head>
   <body>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tokenrace",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "description": "Monitor en tiempo real para Claude Code",
   "bin": {
     "tokenrace": "bin/cli.js"

package/src/api-routes.js

@@ -40,17 +40,37 @@ export function broadcast(type, payload) {
 
 /**
  * Crea y devuelve el router Express con todas las rutas /api/*.
+ * @param {{ port?: number }} options
  * @returns {Router}
  */
-export function createRouter() {
+export function createRouter({ port = 1337 } = {}) {
   const router = Router()
 
-  // Middleware CORS para todas las rutas del router
+  // Solo se permiten solicitudes del propio dashboard (mismo origen)
+  const allowedOrigins = new Set([
+    `http://localhost:${port}`,
+    `http://127.0.0.1:${port}`,
+  ])
+
+  // CORS: responder solo al origen del dashboard, nunca con wildcard
   router.use((req, res, next) => {
-    res.setHeader('Access-Control-Allow-Origin', '*')
+    const origin = req.headers.origin
+    if (origin && allowedOrigins.has(origin)) {
+      res.setHeader('Access-Control-Allow-Origin', origin)
+    }
     next()
   })
 
+  // Guard CSRF: bloquea POST con Origin presente pero no permitido.
+  // Requests sin Origin (CLI, tests, curl) pasan sin restricción.
+  function requireSafeOrigin(req, res, next) {
+    const origin = req.headers.origin
+    if (origin && !allowedOrigins.has(origin)) {
+      return res.status(403).json({ error: 'origen no permitido' })
+    }
+    return next()
+  }
+
   // ── SSE ────────────────────────────────────────────────────────────────────
 
   /**
@@ -61,7 +81,6 @@ export function createRouter() {
     res.setHeader('Content-Type', 'text/event-stream')
     res.setHeader('Cache-Control', 'no-cache')
     res.setHeader('Connection', 'keep-alive')
-    res.setHeader('Access-Control-Allow-Origin', '*')
     res.flushHeaders()
 
     const clientId = ++_nextClientId
@@ -111,7 +130,7 @@ export function createRouter() {
   /** GET /api/sessions — lista de sesiones, acepta ?limit, ?project */
   router.get('/api/sessions', (req, res) => {
     res.json(getSessions({
-      limit: req.query.limit ? Number(req.query.limit) : 50,
+      limit: Math.min(Number(req.query.limit) || 50, 500),
       project: req.query.project || null
     }))
   })
@@ -124,7 +143,7 @@ export function createRouter() {
   /** GET /api/events — eventos filtrados, acepta ?limit, ?type, ?project */
   router.get('/api/events', (req, res) => {
     res.json(getEvents({
-      limit: req.query.limit ? Number(req.query.limit) : 200,
+      limit: Math.min(Number(req.query.limit) || 200, 500),
       type: req.query.type || null,
       project: req.query.project || null
     }))
@@ -150,10 +169,10 @@ export function createRouter() {
    * Asigna un proyecto a una sesión.
    * Body: { project: string }
    */
-  router.post('/api/sessions/:sessionId/label', (req, res) => {
+  router.post('/api/sessions/:sessionId/label', requireSafeOrigin, (req, res) => {
     const { project } = req.body
-    if (!project || typeof project !== 'string') {
-      return res.status(400).json({ error: 'project requerido' })
+    if (!project || typeof project !== 'string' || project.length > 200) {
+      return res.status(400).json({ error: 'project inválido' })
     }
     labelSession(req.params.sessionId, project)
     broadcast('label_updated', { sessionId: req.params.sessionId, project })
@@ -164,13 +183,13 @@ export function createRouter() {
    * POST /api/sessions/:sessionId/ignore
    * Marca una sesión como ignorada (no aparecerá en notificaciones ni en métricas).
    */
-  router.post('/api/sessions/:sessionId/ignore', (req, res) => {
+  router.post('/api/sessions/:sessionId/ignore', requireSafeOrigin, (req, res) => {
     ignoreSession(req.params.sessionId)
     res.json({ ok: true })
   })
 
   /** POST /api/reset — resetea todo el estado en memoria */
-  router.post('/api/reset', (req, res) => {
+  router.post('/api/reset', requireSafeOrigin, (req, res) => {
     reset()
     res.json({ ok: true })
   })

package/src/otlp-parser.js

@@ -21,6 +21,7 @@ export function extractAttributes(attrs) {
   for (const attr of attrs) {
     const { key, value } = attr
     if (!key || !value) continue
+    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue
 
     if ('stringValue' in value) {
       result[key] = value.stringValue

package/src/server.js

@@ -31,6 +31,14 @@ export async function startServer({ port = 1337 } = {}) {
   const app = express()
   app.use(express.json({ limit: '10mb' }))
 
+  // Headers de seguridad HTTP mínimos
+  app.use((_req, res, next) => {
+    res.setHeader('X-Content-Type-Options', 'nosniff')
+    res.setHeader('X-Frame-Options', 'DENY')
+    res.setHeader('Referrer-Policy', 'no-referrer')
+    next()
+  })
+
   // ── Endpoints OTLP ──────────────────────────────────────────────────────────
 
   /**
@@ -83,7 +91,7 @@ export async function startServer({ port = 1337 } = {}) {
   })
 
   // ── API REST + SSE ──────────────────────────────────────────────────────────
-  app.use(createRouter())
+  app.use(createRouter({ port }))
 
   // ── Archivos estáticos (web compilada) ──────────────────────────────────────
   // dist/ está en la raíz del proyecto (un nivel arriba de src/)
@@ -111,7 +119,7 @@ export async function startServer({ port = 1337 } = {}) {
 
   // ── Arrancar servidor ───────────────────────────────────────────────────────
   return new Promise((resolve) => {
-    const server = app.listen(port, () => {
+    const server = app.listen(port, '127.0.0.1', () => {
       resolve({ app, server, autoSaveInterval })
     })
   })

package/src/store.js

@@ -28,23 +28,90 @@ export function setDataPathForTesting(newPath) {
 // ─── Estado en memoria ───────────────────────────────────────────────────────
 
 const state = {
-  timeseries:      new Map(),  // metricName → [{ ts, value, labels }]
-  sessions:        new Map(),  // sessionId  → SessionData
-  sessionMappings: new Map(),  // sessionId  → projectName
-  ignoredSessions: new Set(),  // sessionIds ignorados
-  events:          [],         // buffer circular, max 1000
-  eventIndex:      0,
-  projects:        new Map(),  // projectName → ProjectAggregates
-  tools:           new Map(),  // toolName    → ToolStats
-  agents:          new Map(),  // agentId     → AgentData
-  models:          new Map(),  // modelName   → ModelStats
-  lastSeen:        null,
-  startTime:       Date.now(),
-  totalEvents:     0
+  timeseries:       new Map(),  // metricName → [{ ts, value, labels }]
+  sessions:         new Map(),  // sessionId  → SessionData
+  sessionMappings:  new Map(),  // sessionId  → projectName
+  ignoredSessions:  new Set(),  // sessionIds ignorados
+  events:           [],         // buffer circular, max 1000
+  eventIndex:       0,
+  projects:         new Map(),  // projectName → ProjectAggregates
+  tools:            new Map(),  // toolName    → ToolStats
+  agents:           new Map(),  // agentId     → AgentData
+  models:           new Map(),  // modelName   → ModelStats
+  cumulativeValues: new Map(),  // clave → último valor acumulativo (no persiste)
+  lastSeen:         null,
+  startTime:        Date.now(),
+  totalEvents:      0
 }
 
 // ─── Helpers internos ────────────────────────────────────────────────────────
 
+/**
+ * Convierte un valor acumulativo en un delta desde la última lectura.
+ * Se usa para métricas que Claude Code exporta con temporalidad cumulativa.
+ */
+function cumulativeDelta(key, newValue) {
+  const last = state.cumulativeValues.get(key) ?? 0
+  const delta = Math.max(0, newValue - last)
+  state.cumulativeValues.set(key, newValue)
+  return delta
+}
+
+/**
+ * Normaliza los nombres de métricas nuevos de Claude Code a los nombres
+ * canónicos que usa el store, convirtiendo valores cumulativos a deltas.
+ * Devuelve { name, value } normalizado, o null para ignorar la métrica.
+ */
+function normalizeIncoming(name, value, labels) {
+  const sid = labels['session.id'] ?? ''
+
+  switch (name) {
+    case 'claude_code.token.usage': {
+      const type = labels.type
+      const key  = `token:${sid}:${type}:${labels.model ?? ''}:${labels.query_source ?? ''}`
+      const delta = cumulativeDelta(key, value)
+      const nameMap = {
+        'input':         'claude_code.tokens.input',
+        'output':        'claude_code.tokens.output',
+        'cacheRead':     'claude_code.tokens.cache.read',
+        'cacheCreation': 'claude_code.tokens.cache.creation',
+      }
+      const canonical = nameMap[type]
+      return canonical ? { name: canonical, value: delta } : null
+    }
+
+    case 'claude_code.cost.usage': {
+      const key   = `cost:${sid}:${labels.model ?? ''}:${labels.query_source ?? ''}:${labels.effort ?? ''}`
+      const delta = cumulativeDelta(key, value)
+      return { name: 'claude_code.cost', value: delta }
+    }
+
+    case 'claude_code.lines_of_code.count': {
+      const type  = labels.type
+      const key   = `lines:${sid}:${type}`
+      const delta = cumulativeDelta(key, value)
+      if (type === 'added')   return { name: 'claude_code.lines_added',   value: delta }
+      if (type === 'removed') return { name: 'claude_code.lines_removed', value: delta }
+      return null
+    }
+
+    case 'claude_code.commit.count': {
+      const key   = `commit:${sid}`
+      const delta = cumulativeDelta(key, value)
+      return { name: 'claude_code.commits', value: delta }
+    }
+
+    // Métricas que no necesitamos agregar (activo ya se calcula desde eventos)
+    case 'claude_code.session.count':
+    case 'claude_code.active_time.total':
+    case 'claude_code.code_edit_tool.decision':
+      return null
+
+    default:
+      return { name, value }
+  }
+}
+
 /**
  * Resuelve el proyecto de una sesión.
  * Prioridad: mapping manual > resource project > null
@@ -137,7 +204,12 @@ function scheduleSave() {
  * Procesa un punto de métrica normalizado.
  * @param {{ name, value, timestamp, labels }} metric
  */
-export function processMetric({ name, value, timestamp, labels }) {
+export function processMetric(raw) {
+  const normalized = normalizeIncoming(raw.name, raw.value, raw.labels)
+  if (!normalized) return
+
+  const { name, value } = normalized
+  const { timestamp, labels } = raw
   const sessionId = labels['session.id']
 
   // Saltar sesiones ignoradas
@@ -148,7 +220,10 @@ export function processMetric({ name, value, timestamp, labels }) {
 
   // ── Timeseries ──
   if (!state.timeseries.has(name)) state.timeseries.set(name, [])
-  state.timeseries.get(name).push({ ts: timestamp, value, labels })
+  const tsPoints = state.timeseries.get(name)
+  tsPoints.push({ ts: timestamp, value, labels })
+  // Cap por métrica para prevenir DoS por agotamiento de memoria
+  if (tsPoints.length > 10_000) tsPoints.splice(0, tsPoints.length - 10_000)
 
   // ── Sesiones ──
   if (sessionId) {
@@ -364,15 +439,9 @@ export function labelSession(sessionId, project) {
     state.sessions.get(sessionId).project = project
   }
 
-  // Aplicar retroactivamente en timeseries
-  for (const points of state.timeseries.values()) {
-    for (const point of points) {
-      if (point.labels['session.id'] === sessionId) {
-        point.labels.project = project
-      }
-    }
-  }
-
+  // No es necesario propagar retroactivamente a los labels de timeseries:
+  // resolveProject() consulta sessionMappings primero, por lo que todos los
+  // lectores de labels.project ya obtendrán el valor correcto.
   rebuildProjectAggregates()
   scheduleSave()
 }
@@ -400,6 +469,7 @@ export function reset() {
   state.tools.clear()
   state.agents.clear()
   state.models.clear()
+  state.cumulativeValues.clear()
   state.lastSeen    = null
   state.startTime   = Date.now()
   state.totalEvents = 0
@@ -413,13 +483,16 @@ export function reset() {
  * Estado de conexión del servidor.
  */
 export function getStatus() {
+  let sessionCount = 0
+  for (const id of state.sessions.keys()) {
+    if (!state.ignoredSessions.has(id)) sessionCount++
+  }
   return {
-    connected:    state.lastSeen !== null,
-    lastSeen:     state.lastSeen,
-    sessionCount: Array.from(state.sessions.keys())
-      .filter(id => !state.ignoredSessions.has(id)).length,
-    totalEvents:  state.totalEvents,
-    uptime:       Date.now() - state.startTime
+    connected:   state.lastSeen !== null,
+    lastSeen:    state.lastSeen,
+    sessionCount,
+    totalEvents: state.totalEvents,
+    uptime:      Date.now() - state.startTime
   }
 }
 
@@ -514,8 +587,24 @@ export function getProjects(from) {
   const minTs  = parseTimeRange(from)
   const result = []
 
+  // Pre-agregar commits/líneas desde timeseries en un único recorrido O(puntos)
+  // en lugar de O(proyectos × puntos)
+  const tsAgg = new Map() // projectName → { commits, linesAdded, linesRemoved }
+  for (const [metric, field] of [
+    ['claude_code.commits',       'commits'],
+    ['claude_code.lines_added',   'linesAdded'],
+    ['claude_code.lines_removed', 'linesRemoved'],
+  ]) {
+    for (const point of state.timeseries.get(metric) ?? []) {
+      if (point.ts < minTs) continue
+      const proj = resolveProject(point.labels['session.id'], point.labels.project)
+      if (!proj) continue
+      if (!tsAgg.has(proj)) tsAgg.set(proj, { commits: 0, linesAdded: 0, linesRemoved: 0 })
+      tsAgg.get(proj)[field] += point.value
+    }
+  }
+
   for (const [project, proj] of state.projects.entries()) {
-    // Filtrar sesiones activas en el rango
     const activeSessions = new Set()
     let cost = 0, tokensInput = 0, tokensOutput = 0, tokensCache = 0
 
@@ -531,20 +620,7 @@ export function getProjects(from) {
 
     if (activeSessions.size === 0 && minTs > 0) continue
 
-    // Commits y líneas filtrados por rango
-    let commits = 0, linesAdded = 0, linesRemoved = 0
-    const tsMap = {
-      'claude_code.commits':       (v) => { commits += v },
-      'claude_code.lines_added':   (v) => { linesAdded += v },
-      'claude_code.lines_removed': (v) => { linesRemoved += v }
-    }
-    for (const [metric, accum] of Object.entries(tsMap)) {
-      for (const point of state.timeseries.get(metric) ?? []) {
-        const pointProject = resolveProject(point.labels['session.id'], point.labels.project)
-        if (pointProject === project && point.ts >= minTs) accum(point.value)
-      }
-    }
-
+    const { commits, linesAdded, linesRemoved } = tsAgg.get(project) ?? { commits: 0, linesAdded: 0, linesRemoved: 0 }
     const cacheHitRate = tokensInput > 0 ? tokensCache / tokensInput : 0
 
     result.push({
@@ -693,7 +769,7 @@ export function getModels(from) {
  */
 export function saveSync() {
   try {
-    fs.mkdirSync(dataDir, { recursive: true })
+    fs.mkdirSync(dataDir, { recursive: true, mode: 0o700 })
 
     const data = {
       timeseries:      Array.from(state.timeseries.entries()),
@@ -706,7 +782,11 @@ export function saveSync() {
       startTime:       state.startTime
     }
 
-    fs.writeFileSync(dataFile, JSON.stringify(data))
+    fs.writeFileSync(dataFile, JSON.stringify(data), { mode: 0o600 })
+    // Forzar permisos en archivos ya existentes (mode en writeFileSync
+    // solo aplica al crear el archivo, no al sobreescribirlo)
+    try { fs.chmodSync(dataDir,  0o700) } catch {}
+    try { fs.chmodSync(dataFile, 0o600) } catch {}
   } catch (err) {
     console.error('[store] Error guardando datos en disco:', err.message)
   }
@@ -763,18 +843,12 @@ export function loadFromDisk() {
       state.startTime = data.startTime
     }
 
-    // Re-aplicar mappings a sesiones y timeseries
+    // Re-aplicar mappings a sesiones (timeseries no necesitan propagación:
+    // resolveProject() consulta sessionMappings primero en todos los lectores)
     for (const [sessionId, project] of state.sessionMappings.entries()) {
       if (state.sessions.has(sessionId)) {
         state.sessions.get(sessionId).project = project
       }
-      for (const points of state.timeseries.values()) {
-        for (const point of points) {
-          if (point.labels['session.id'] === sessionId) {
-            point.labels.project = project
-          }
-        }
-      }
     }
 
     rebuildProjectAggregates()