tokentrace 0.10.1 → 0.12.0

package/CHANGELOG.md

@@ -4,7 +4,69 @@ All notable changes to TokenTrace are documented here.
 
 ## Unreleased
 
-No unreleased changes yet.
+## [0.12.0] - 2026-05-19
+
+### Added
+
+- 0.12.0 Local Sources & Trust roadmap, rolling the 0.13.0 Evidence Portability, 0.14.0 Local Operations, 0.15.0 Governance & Guardrails, 0.16.0 Parser Studio, 0.17.0 Reports, and 0.18.0 Agent Handoff themes into one larger release.
+- Native structured usage log ingestion for local wrappers and team JSONL/NDJSON logs with session, model, token, and source-cost fields.
+- Native Cursor-style chat/composer export ingestion with local source evidence and no raw prompt storage by default.
+- Source Catalog and Source Coverage in Scan Health so users can distinguish native, profile-assisted, fallback, and unsupported local files.
+- Privacy-safe Evidence Packs exported as JSON or Markdown with totals, confidence drivers, source files, parser notes, model-rate state, repair links, and an explicit redaction manifest.
+- Local scan scheduling settings for manual-only, on-open, hourly, and daily scans, plus scan-history retention and last scheduled scan status.
+- Scoped project/model/tool guardrails with per-guardrail warning thresholds and anomaly notes.
+- Import Profile preview for sampling a local file, checking parser fit, reviewing detected fields, and applying recommended matchers without exposing raw content.
+- Saved report definitions and export endpoints for weekly usage, high-cost sessions, unknown-cost repair, confidence trends, guardrail status, and source coverage in Markdown, JSON, and CSV.
+- Operating metadata export for settings, source catalog, schedules, guardrails, report definitions, and roadmap status without raw usage records.
+- Agent-readable Roadmap V2 with current release, next planned release, rolled-up release themes, action recipes, evidence paths, verification gates, and release status.
+
+### Changed
+
+- Settings now includes Scan Scheduling, Scoped Guardrails, Import Profile preview, and Local Exports.
+- Evidence pages now offer one-click JSON and Markdown evidence-pack exports.
+- Evidence remains a contextual drill-down from Overview, Sessions, Repair, and exports, with direct-entry guidance for users who open `/evidence` manually.
+- Scan, setup, guardrail, package-trust, folder, import-profile, and export CTAs now deep-link to the exact Settings section instead of dropping users at the top of Settings.
+- Settings scan feedback now reports files checked, records imported, warnings, errors, recalculated costs, unknown cost, stale support imports, model aliases, and next-step links to Scan Health, Repair, Discovery, and Model Rates.
+- Browser-triggered Scan now responses now return compact warning/error previews with full counts, keeping large duplicate-file scans from shipping megabytes of warning text back to the UI.
+- Settings now has sticky section navigation, and Scan Controls shows a persisted Last scan result from local scan history after reload.
+- Overview now includes a compact Last verified trust strip near the accounting totals for latest scan, package IOC, model-rate coverage, and evidence-pack availability.
+- Evidence pages now include opened-from breadcrumbs, safe return behavior, and explicit Export JSON pack / Export Markdown pack actions.
+- Route transitions now show a subtle top loading bar, and route loading states explain what is happening plus the next useful action.
+- Scan and evidence follow-up actions now consistently use Scan now, Open Scan Health, Open repair, Set model rate, View evidence, and Export pack language.
+- Period filters stay attached to the current page, preserve Evidence context, and keep desktop controls in one compact row while retaining horizontal scrolling for narrow widths.
+- Chart cards now show lightweight loading placeholders during client hydration instead of appearing blank while Recharts initializes.
+- Session Explorer now paginates large local result sets to keep dense session tables responsive.
+- Repair now opens as a capped workbench of the top visible unknown-cost groups, while keeping full summary counts and focused repair links for deep review.
+- Roadmap CLI/API now report the 0.12.0 Local Sources & Trust release contract and the next planned 0.19.0 direction.
+
+### Fixed
+
+- Overview, Evidence, and Settings now avoid full raw-row scans and oversized scan-health payloads on large local databases by using covering indexes, scoped scan-file reads, and a summary session path on Overview.
+- Repair no longer serializes the entire unknown-cost queue on first load and uses a dedicated cost-repair index for large local databases.
+- Scan Health no longer loads all scan-file evidence and full session details just to render summary panels.
+- Overview no longer blocks initial render on due scheduled scans, so opening localhost does not wait for scan work before showing the dashboard.
+
+## [0.11.0] - 2026-05-18
+
+### Added
+
+- `npm run security:ioc` scans project files and local Claude/VS Code hook files for high-signal Mini Shai-Hulud/TanStack supply-chain indicators before release.
+- Tokenizer-backed estimates for recognized OpenAI/Codex and Claude-family model names, with explicit `tokenizer estimate` and `simple estimate` confidence labels.
+- Native SQLite history ingestion for local usage databases with usage-shaped tables, source-file evidence, import-profile metadata, and source-provided cost preservation.
+- Data Confidence scoring on Overview, Projects, Sessions, and Session Timeline views, combining token source, cost coverage, parser confidence, and scan freshness.
+- Import Profiles in Settings so users can define safe local wrapper-log matchers without writing parser code.
+- Repair Workbench bulk actions for marking visible unknown-cost groups verified, parser-review, ignored, or reopened.
+- Supply-chain IOC status in Scan Health, backed by the same local `security:ioc` scanner used by release checks.
+
+### Changed
+
+- Session Timeline pages now explain token spikes, model changes, cache activity, cost coverage, confidence drivers, and direct unknown-cost repair links.
+- Scan Health now distinguishes exact, tokenizer-estimated, simple-estimated, high-confidence, low-confidence, and unknown token rows.
+- The roadmap API and CLI now report the 0.11.0 Accuracy & Evidence release contract.
+
+### Fixed
+
+- Source-provided interaction costs are no longer overwritten as unknown during post-scan cost recalculation when model rates are missing.
 
 ## [0.10.1] - 2026-05-18
 

package/README.md

@@ -4,13 +4,13 @@
 
 # TokenTrace CLI
 
-Local-first AI CLI usage analytics. TokenTrace scans local CLI logs, normalizes token usage, estimates missing counts, and shows cost, model, project, and session analytics in a browser dashboard.
+Local-first AI CLI usage analytics. TokenTrace scans local CLI logs and local usage databases, normalizes token usage, estimates missing counts with confidence labels, and shows cost, model, project, session, repair, and evidence analytics in a browser dashboard.
 
 TokenTrace is designed for local development machines first, with macOS-oriented defaults. It does not require a cloud account and does not send telemetry or logs anywhere.
 
 [Website](https://www.abhiyoheswaran.com/apps/tokentrace) · [Source](https://github.com/abhiyoheswaran1/tokentrace)
 
-![TokenTrace overview dashboard](docs/assets/overview-0.10.0.png)
+![TokenTrace overview dashboard](docs/assets/overview-0.12.0.png)
 
 ## Start In Seconds
 
@@ -40,7 +40,7 @@ tokentrace agent --json # Print machine-readable agent discovery manifest
 tokentrace capabilities --json
                         # Alias for agent discovery manifest
 tokentrace roadmap --json
-                        # Print Guided Operator release implementation status
+                        # Print Local Sources & Trust release handoff
 tokentrace scan         # Scan local AI CLI usage logs
 tokentrace doctor --json
                         # Inspect scan health and repair recommendations
@@ -114,7 +114,7 @@ curl http://127.0.0.1:3030/api/agent
 curl http://127.0.0.1:3030/api/capabilities
 ```
 
-The Guided Operator release status is also machine-readable:
+The Local Sources & Trust release handoff is also machine-readable:
 
 ```bash
 tokentrace roadmap --json
@@ -149,12 +149,53 @@ npm run verify       # Run Vitest, TypeScript, and ESLint checks
 npm run package:test # Verify, build, and dry-run the npm package
 npm run package:inspect
                     # Check package transparency guardrails
+npm run security:ioc
+                    # Scan lockfiles, workflows, and local AI-tool hooks for supply-chain IOCs
 npm run smoke:packed
                     # Inspect packed tarball and smoke test packed CLI
 tokentrace roadmap --json
-                    # Inspect evidence gates and release status
+                    # Inspect roadmap handoff, action recipes, and release status
 ```
 
+## Local Sources And Trust
+
+TokenTrace 0.12.0 rolls the next several roadmap themes into one larger
+release: local source expansion, evidence portability, local operations,
+scoped guardrails, parser profile preview, saved reports, and agent-readable
+roadmap handoff.
+
+New trust surfaces include:
+
+- native structured usage log and Cursor-style chat export ingestion
+- Source Coverage in Scan Health for native, profile-assisted, fallback, and
+  unsupported files
+- privacy-safe Evidence Packs as JSON or Markdown
+- local scan scheduling: manual, on-open, hourly, or daily
+- project/model/tool scoped guardrails with warning thresholds
+- Import Profile preview before saving matchers
+- saved report exports for weekly usage, source coverage, guardrails, unknown
+  cost, high-cost sessions, and confidence trends
+- operating metadata export without raw usage records
+
+The 0.12.0 dashboard also tightens the daily operator path: setup buttons now
+open the exact Settings section, scan results show what changed and where to go
+next, and Evidence explains when it is being opened as a contextual drill-down
+rather than a sidebar destination.
+
+## Accuracy And Evidence
+
+TokenTrace labels the trust level behind imported numbers:
+
+- exact provider token counts
+- tokenizer estimates for recognized OpenAI/Codex and Claude-family model names
+- simple estimates when only text-like content is available
+- source-provided costs from local SQLite histories
+- unknown cost repair groups when model, token, or rate evidence is missing
+
+The dashboard surfaces a Data Confidence score on Overview, Projects, Sessions,
+and Session Timeline pages. Scan Health also includes a supply-chain IOC check
+so package trust is visible in the product, not only in release scripts.
+
 Release work uses internal milestone commits until the next public minor
 release. See [docs/RELEASE_CHECKLIST.md](docs/RELEASE_CHECKLIST.md) before
 bumping versions, tagging, creating GitHub releases, or publishing npm.
@@ -286,13 +327,13 @@ Codex CLI status-line integration is intentionally deferred until its status-lin
 
 Dashboard views:
 
-![TokenTrace overview dashboard](docs/assets/overview-0.10.0.png)
+![TokenTrace overview dashboard](docs/assets/overview-0.12.0.png)
 
-![TokenTrace processed tokens evidence trail](docs/assets/evidence-0.10.0.png)
+![TokenTrace processed tokens evidence trail](docs/assets/evidence-0.12.0.png)
 
-![TokenTrace unknown cost repair queue](docs/assets/repair-0.10.0.png)
+![TokenTrace unknown cost repair queue](docs/assets/repair-0.12.0.png)
 
-![TokenTrace Scan Health parser review](docs/assets/scan-health-0.10.0.png)
+![TokenTrace Scan Health parser review](docs/assets/scan-health-0.12.0.png)
 
 CLI startup and help:
 
@@ -324,6 +365,7 @@ Stop the server with `Ctrl+C` in the terminal where `tokentrace` is running.
 - The published package ships readable application source and the compiled CLI runtime, not generated `.next/server` route bundles.
 - `tokentrace serve` prepares the local dashboard build in the user's TokenTrace app-data directory the first time it is needed.
 - `npm run package:inspect` fails if generated Next.js build output appears in the published tarball.
+- `npm run security:ioc` scans lockfiles, workflows, and local Claude/VS Code hook files for high-signal supply-chain compromise indicators.
 - Public npm publishing is configured through GitHub Actions Trusted Publishing and provenance from version tags.
 - Socket GitHub checks and ProjScan are used as release guardrails, alongside `npm audit --audit-level=moderate`.
 - Release notes are published directly in GitHub Releases from the relevant changelog section, not as a link-only summary.
@@ -371,6 +413,9 @@ Adapters live under `src/ingestion/adapters/`:
 
 - `claude-code.ts`
 - `codex-cli.ts`
+- `structured-usage-log.ts`
+- `cursor-chat.ts`
+- `sqlite-history.ts`
 - `generic-jsonl.ts`
 - `generic-json.ts`
 - `generic-log.ts`
@@ -385,6 +430,9 @@ TokenTrace keeps a visible support contract so daily scans are easier to trust:
 | --- | --- | --- |
 | Claude Code project transcripts | Stable | Primary local CLI ingestion source. |
 | Codex CLI session artifacts | Best-effort | Parsed defensively while CLI formats evolve. |
+| Structured usage JSONL/NDJSON | Stable | Local wrapper and team logs with session, model, token, and source-cost fields. |
+| Cursor-style chat exports | Best-effort | Imports local editor chat/composer exports without storing raw prompt text by default. |
+| Usage-shaped SQLite histories | Best-effort | Reads local databases that expose session, model, token, or cost-like columns. |
 | Generic JSONL, JSON, and text logs | Best-effort | Conservative usage-shaped records only. |
 | Claude/Codex cache, plugin, todo, config, and support files | Ignored | Tracked as non-usage files, not parser failures. |
 | Editable model pricing | Stable | Local pricing rows drive costs and unknown-cost repair queues. |
@@ -409,8 +457,8 @@ Contributions are welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for local setu
 ## Known Limitations
 
 - Claude Code and Codex CLI log formats are inferred defensively and may need refinement with real sample logs.
-- Token estimation uses a simple conservative `characters / 4` approximation.
-- SQLite log ingestion is not implemented yet, though the adapter boundary is ready for it.
+- Tokenizer-backed estimates are available for recognized OpenAI/Codex and Claude-family model names. Unrecognized text-only records still fall back to a conservative simple estimate.
+- SQLite-history ingestion expects usage-shaped local tables and skips arbitrary databases that do not expose session, model, token, or cost-like fields.
 - Seed prices are editable and should be verified manually for your account, region, and provider plan.
 
 ## License
@@ -419,7 +467,7 @@ Open source by [Abhi Yoheswaran](https://www.abhiyoheswaran.com). Released under
 
 ## Next Improvements
 
-- Add tokenizer-backed estimates per provider/model.
-- Add native SQLite-history adapters for tools that store usage in local databases.
-- Add richer drilldowns for individual sessions and tool calls.
-- Add import profiles for teams that use shared local log conventions.
+- Expand first-class native adapters for more local AI tools and editor histories.
+- Add provider-specific tokenizer refinements where public tokenizer behavior is stable enough to label clearly.
+- Make Import Profile preview more interactive for teams with custom wrapper logs.
+- Stream scan progress into the UI for very large local folders.

package/SECURITY.md

@@ -40,8 +40,12 @@ When running from source, the default development database is
 ## Release Trust
 
 Public package releases are built from Git tags. The release flow includes
-package inspection, production dependency audit, ProjScan checks, and npm
-Trusted Publishing through GitHub Actions.
+package inspection, supply-chain IOC scanning, production dependency audit,
+ProjScan checks, and npm Trusted Publishing through GitHub Actions.
+
+Run `npm run security:ioc` to check lockfiles, GitHub Actions workflows, and
+local Claude/VS Code hook files for high-signal Mini Shai-Hulud/TanStack-style
+indicators before release or after a dependency scare.
 
 ## Reporting
 

package/TOKENTRACE_AGENT.md

@@ -28,7 +28,7 @@ curl http://127.0.0.1:3030/api/capabilities
 
 ## Roadmap Status
 
-Inspect the current 0.10.0 implementation pipeline and release blockers:
+Inspect the current 0.12.0 Local Sources & Trust handoff, action recipes, and release blockers:
 
 ```bash
 tokentrace roadmap --json

package/app/api/evidence-pack/route.ts

@@ -0,0 +1,64 @@
+import { NextResponse } from "next/server";
+import { getAnalyticsData } from "@/src/lib/analytics";
+import { buildEvidencePack, renderEvidencePackMarkdown } from "@/src/lib/evidence-pack";
+import { buildEvidenceTrail, parseEvidenceMetric } from "@/src/lib/evidence-trail";
+
+export const dynamic = "force-dynamic";
+
+export async function GET(request: Request) {
+  const url = new URL(request.url);
+  const format = url.searchParams.get("format") === "markdown" ? "markdown" : "json";
+  const metric = parseEvidenceMetric(url.searchParams.get("metric"));
+  const trail = buildEvidenceTrail({ metric });
+  const analytics = getAnalyticsData();
+  const pack = buildEvidencePack({
+    scope: {
+      type: "metric",
+      id: metric,
+      label: trail.title
+    },
+    totals: trail.totals,
+    confidenceDrivers: [
+      `${trail.confidence.exact.toLocaleString()} exact interactions`,
+      `${trail.confidence.estimated.toLocaleString()} estimated interactions`,
+      `${trail.confidence.unknown.toLocaleString()} unknown interactions`,
+      `Data confidence ${analytics.dataConfidence.score}/100`
+    ],
+    sourceFiles: trail.sourceFiles.map((source) => source.sourceFile),
+    parserNotes: trail.sessions
+      .map((session) => `${session.parser ?? "unknown parser"}: ${session.parserStatus ?? "unknown status"}`)
+      .slice(0, 20),
+    modelRateState: trail.sessions
+      .map((session) =>
+        session.pricingHref ? `${session.model}: model-rate link available` : `${session.model}: no model-rate link`
+      )
+      .slice(0, 20),
+    repairLinks: trail.sessions
+      .filter((session) => session.unknownCostInteractions > 0)
+      .map((session) => `/repair?source=${encodeURIComponent(session.sourceFile)}`),
+    records: trail.sessions.map((session) => ({
+      id: session.id,
+      role: "session",
+      model: session.model,
+      sourceFile: session.sourceFile,
+      totalTokens: session.totalTokens,
+      cost: session.cost,
+      interactions: session.interactions
+    }))
+  });
+
+  if (format === "markdown") {
+    return new NextResponse(renderEvidencePackMarkdown(pack), {
+      headers: {
+        "content-type": "text/markdown; charset=utf-8",
+        "content-disposition": `attachment; filename="tokentrace-${metric}-evidence.md"`
+      }
+    });
+  }
+
+  return NextResponse.json(pack, {
+    headers: {
+      "content-disposition": `attachment; filename="tokentrace-${metric}-evidence.json"`
+    }
+  });
+}

package/app/api/import-profile-preview/route.ts

@@ -0,0 +1,26 @@
+import { NextResponse } from "next/server";
+import { readJsonObject } from "@/src/lib/api-json";
+import { buildImportProfilePreview } from "@/src/lib/import-profile-preview";
+
+export const dynamic = "force-dynamic";
+
+export async function POST(request: Request) {
+  const parsed = await readJsonObject(request);
+  if (!parsed.ok) return NextResponse.json({ error: parsed.error }, { status: 400 });
+  const filePath = parsed.body.filePath;
+  if (typeof filePath !== "string" || !filePath.trim()) {
+    return NextResponse.json({ error: "filePath is required." }, { status: 400 });
+  }
+  try {
+    const preview = await buildImportProfilePreview({
+      filePath: filePath.trim(),
+      storeRawMessageContent: parsed.body.storeRawMessageContent === true
+    });
+    return NextResponse.json(preview);
+  } catch (error) {
+    return NextResponse.json(
+      { error: error instanceof Error ? error.message : "Preview failed." },
+      { status: 400 }
+    );
+  }
+}

package/app/api/operating-metadata/route.ts

@@ -0,0 +1,13 @@
+import { NextResponse } from "next/server";
+import { getAppVersion } from "@/src/lib/app-version";
+import { buildOperatingMetadata } from "@/src/lib/operating-metadata";
+
+export const dynamic = "force-dynamic";
+
+export async function GET() {
+  return NextResponse.json(buildOperatingMetadata(getAppVersion()), {
+    headers: {
+      "content-disposition": "attachment; filename=\"tokentrace-operating-metadata.json\""
+    }
+  });
+}

package/app/api/repair-items/route.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from "next/server";
 import {
+  bulkUpdateUnknownCostRepairs,
   buildUnknownCostRepairWorkbench,
   getUnknownCostReview,
   saveUnknownCostReview,
@@ -40,9 +41,30 @@ export async function PUT(request: Request) {
     return NextResponse.json({ error: parsed.error }, { status: 400 });
   }
   const body = parsed.body;
+  const keys = Array.isArray(body.keys)
+    ? body.keys.map((value) => text(value, 1000)).filter(Boolean)
+    : [];
   const key = text(body.key, 1000);
   const status = reviewState(body.status ?? body.state);
 
+  if (keys.length) {
+    if (!status) {
+      return NextResponse.json({ error: "status must be unresolved, ignored, resolved, or needs-parser-review" }, { status: 400 });
+    }
+    const currentKeys = new Set(buildUnknownCostRepairWorkbench().groups.map((group) => group.key));
+    const missingKey = keys.find((item) => !currentKeys.has(item) && !getUnknownCostReview(item)?.updatedAt);
+    if (missingKey) {
+      return NextResponse.json({ error: "one or more repair keys were not found in current workbench evidence" }, { status: 404 });
+    }
+    return NextResponse.json(
+      bulkUpdateUnknownCostRepairs({
+        keys,
+        status,
+        notes: text(body.notes ?? body.note, 500)
+      })
+    );
+  }
+
   if (!key) {
     return NextResponse.json({ error: "key is required" }, { status: 400 });
   }

package/app/api/reports/route.ts

@@ -0,0 +1,72 @@
+import { NextResponse } from "next/server";
+import { getAnalyticsData, getScanTrustData } from "@/src/lib/analytics";
+import { buildSourceCatalog, summarizeSourceCoverage } from "@/src/lib/source-catalog";
+import { buildSavedReportDefinitions, renderSavedReport, type SavedReportFormat } from "@/src/lib/saved-reports";
+
+export const dynamic = "force-dynamic";
+
+function reportRows(definitionId: string) {
+  const analytics = getAnalyticsData();
+  const trust = getScanTrustData();
+  const sourceCoverage = summarizeSourceCoverage(trust.scanFiles);
+  if (definitionId === "source-coverage") {
+    return [
+      { label: "Native files", value: sourceCoverage.nativeFiles.toLocaleString(), detail: "First-class adapters" },
+      { label: "Profile-assisted files", value: sourceCoverage.profileAssistedFiles.toLocaleString(), detail: "Import profile or generic parser" },
+      { label: "Fallback files", value: sourceCoverage.fallbackFiles.toLocaleString(), detail: "Low-confidence text or generic fallback" },
+      { label: "Imported records", value: sourceCoverage.importedRecords.toLocaleString(), detail: "Records imported from scan files" }
+    ];
+  }
+  if (definitionId === "guardrail-status") {
+    return [
+      { label: "Cost guardrail", value: analytics.usageGuardrails.cost.status, detail: `${analytics.usageGuardrails.cost.used.toFixed(2)} used` },
+      { label: "Token guardrail", value: analytics.usageGuardrails.tokens.status, detail: `${analytics.usageGuardrails.tokens.used.toLocaleString()} tokens used` },
+      { label: "Scoped guardrails", value: analytics.usageGuardrails.scoped.length.toLocaleString(), detail: "Project/model/tool limits" },
+      { label: "Anomalies", value: analytics.usageGuardrails.anomalies.length.toLocaleString(), detail: "Warning or exceeded scoped guardrails" }
+    ];
+  }
+  return [
+    { label: "Tokens", value: analytics.summary.totalTokens.toLocaleString(), detail: "Selected local data" },
+    { label: "Cost", value: `$${analytics.summary.totalCost.toFixed(2)}`, detail: "Provider estimate or source cost" },
+    { label: "Sessions", value: analytics.summary.sessions.toLocaleString(), detail: "Imported sessions" },
+    { label: "Unknown cost", value: analytics.summary.unknownCostInteractions.toLocaleString(), detail: "Repair queue candidates" },
+    { label: "Source catalog", value: buildSourceCatalog().entries.length.toLocaleString(), detail: "Known import paths" }
+  ];
+}
+
+export async function GET(request: Request) {
+  const url = new URL(request.url);
+  const definitions = buildSavedReportDefinitions();
+  const definitionId = url.searchParams.get("type") ?? "weekly-usage";
+  const definition = definitions.find((item) => item.id === definitionId);
+  if (!definition) return NextResponse.json({ error: "Unknown report type." }, { status: 400 });
+  const format = (url.searchParams.get("format") ?? "json") as SavedReportFormat;
+  if (!definition.formats.includes(format)) {
+    return NextResponse.json({ error: "Unsupported report format." }, { status: 400 });
+  }
+  const rendered = renderSavedReport({
+    definitionId,
+    format,
+    generatedAt: new Date().toISOString(),
+    rows: reportRows(definitionId)
+  });
+  if (format === "json") {
+    return new NextResponse(rendered, {
+      headers: { "content-type": "application/json; charset=utf-8" }
+    });
+  }
+  if (format === "csv") {
+    return new NextResponse(rendered, {
+      headers: {
+        "content-type": "text/csv; charset=utf-8",
+        "content-disposition": `attachment; filename="tokentrace-${definitionId}.csv"`
+      }
+    });
+  }
+  return new NextResponse(rendered, {
+    headers: {
+      "content-type": "text/markdown; charset=utf-8",
+      "content-disposition": `attachment; filename="tokentrace-${definitionId}.md"`
+    }
+  });
+}

package/app/api/scan/route.ts

@@ -23,5 +23,16 @@ export async function POST(request: Request) {
     folders: stringList(body.folders),
     force: jsonBooleanFlag(body.force)
   });
+  if (jsonBooleanFlag(body.compact)) {
+    const warnings = Array.isArray(result.warnings) ? result.warnings : [];
+    const errors = Array.isArray(result.errors) ? result.errors : [];
+    return NextResponse.json({
+      ...result,
+      warningCount: warnings.length,
+      errorCount: errors.length,
+      warnings: warnings.slice(0, 25),
+      errors: errors.slice(0, 25)
+    });
+  }
   return NextResponse.json(result);
 }

package/app/api/settings/route.ts

@@ -2,6 +2,8 @@ import { NextResponse } from "next/server";
 import { getDatabasePath } from "@/src/db/client";
 import { getAppSettings, normalizeUsageGuardrails, saveAppSettings } from "@/src/db/settings";
 import { jsonBooleanFlag, readJsonObject } from "@/src/lib/api-json";
+import { normalizeImportProfiles } from "@/src/lib/import-profiles";
+import { normalizeScanSchedule } from "@/src/lib/scan-schedule";
 
 export const dynamic = "force-dynamic";
 
@@ -27,7 +29,9 @@ export async function PUT(request: Request) {
   const saved = saveAppSettings({
     customFolders,
     storeRawMessageContent: jsonBooleanFlag(body.storeRawMessageContent),
-    usageGuardrails: normalizeUsageGuardrails(body.usageGuardrails)
+    usageGuardrails: normalizeUsageGuardrails(body.usageGuardrails),
+    importProfiles: normalizeImportProfiles(body.importProfiles),
+    scanSchedule: normalizeScanSchedule(body.scanSchedule)
   });
 
   return NextResponse.json(saved);

package/app/diagnostics/page.tsx

@@ -7,8 +7,11 @@ import { DataValue, FieldLabel, MonoText, PageHeader } from "@/components/ui/typ
 import { ScanHealthSummary } from "@/components/scan-health-summary";
 import { getAnalyticsData, getScanTrustData, type DebugScanRun } from "@/src/lib/analytics";
 import { buildDoctorReport, type DoctorReport } from "@/src/lib/doctor";
+import { buildScanHealth } from "@/src/lib/scan-health";
 import { getDefaultSearchRoots } from "@/src/ingestion/discovery";
 import { formatDate } from "@/src/lib/format";
+import { getSupplyChainHealth } from "@/src/lib/supply-chain-health";
+import { buildSourceCatalog, summarizeSourceCoverage } from "@/src/lib/source-catalog";
 
 export const dynamic = "force-dynamic";
 
@@ -460,9 +463,74 @@ function ScanHistoryPanel({ scanRuns }: { scanRuns: DebugScanRun[] }) {
   );
 }
 
+function SourceCoveragePanel({ scanFiles }: { scanFiles: ReturnType<typeof getScanTrustData>["scanFiles"] }) {
+  const catalog = buildSourceCatalog();
+  const coverage = summarizeSourceCoverage(scanFiles);
+  const summary = [
+    ["Native", coverage.nativeFiles],
+    ["Profile-assisted", coverage.profileAssistedFiles],
+    ["Fallback", coverage.fallbackFiles],
+    ["Unsupported", coverage.unsupportedFiles]
+  ];
+
+  return (
+    <Card>
+      <CardHeader className="flex flex-col gap-3 sm:flex-row sm:items-start sm:justify-between">
+        <div>
+          <CardTitle>Source Coverage</CardTitle>
+          <CardDescription>
+            Import support is grouped by native adapters, profile-assisted parsers, fallback parsers, and unsupported files.
+          </CardDescription>
+        </div>
+        <Link href="/api/reports?type=source-coverage&format=markdown" className="text-sm font-medium text-primary underline-offset-4 hover:underline">
+          Export source report
+        </Link>
+      </CardHeader>
+      <CardContent className="space-y-4">
+        <div className="grid border-y sm:grid-cols-2 lg:grid-cols-4">
+          {summary.map(([label, value]) => (
+            <div key={label} className="p-3">
+              <FieldLabel>{label}</FieldLabel>
+              <DataValue className="mt-1" size="md">{Number(value).toLocaleString()}</DataValue>
+            </div>
+          ))}
+        </div>
+        <div className="grid gap-2 lg:grid-cols-2">
+          {catalog.entries.map((entry) => (
+            <div key={entry.id} className="rounded-md border p-3">
+              <div className="flex flex-wrap items-center gap-2">
+                <div className="text-sm font-semibold">{entry.label}</div>
+                <Badge variant={entry.tier === "native" ? "success" : entry.tier === "profile-assisted" ? "warning" : "secondary"}>
+                  {entry.tier}
+                </Badge>
+              </div>
+              <p className="mt-1 text-xs leading-relaxed text-muted-foreground">{entry.description}</p>
+              <div className="mt-2 flex flex-wrap gap-1">
+                {entry.matchers.map((matcher) => (
+                  <code key={matcher} className="rounded bg-muted px-1.5 py-0.5 text-xs">{matcher}</code>
+                ))}
+              </div>
+            </div>
+          ))}
+        </div>
+      </CardContent>
+    </Card>
+  );
+}
+
 export default async function DiagnosticsPage() {
-  const data = getScanTrustData();
-  const analytics = getAnalyticsData();
+  const baseData = getScanTrustData({}, { scanFileScope: "recent" });
+  const supplyChain = getSupplyChainHealth();
+  const data = {
+    ...baseData,
+    health: buildScanHealth({
+      scanRuns: baseData.scanRuns,
+      scanFiles: baseData.scanFiles,
+      confidence: baseData.confidence,
+      supplyChain
+    })
+  };
+  const analytics = getAnalyticsData({}, { scanFileScope: "none", sessionDetail: "summary" });
   const roots = await getDefaultSearchRoots();
   const doctorReport = buildDoctorReport({
     ...data,
@@ -507,6 +575,8 @@ export default async function DiagnosticsPage() {
 
       <ScanHistoryPanel scanRuns={data.scanRuns} />
 
+      <SourceCoveragePanel scanFiles={data.scanFiles} />
+
       <ScanHealthSummary health={data.health} />
 
       <div className="grid gap-4 md:grid-cols-3">

package/app/discovery/page.tsx

@@ -58,7 +58,7 @@ export default function DiscoveryPage() {
           title="No files discovered yet"
           description="Run a scan from Settings to populate Discovery. If expected folders are missing, add them in Settings."
           actions={[
-            { label: "Add folder", href: "/settings", variant: "outline" }
+            { label: "Add folder", href: "/settings#custom-folders", variant: "outline" }
           ]}
         >
           <ScanNowButton size="sm" />