tokentracker-cli 0.5.75 → 0.5.77

package/src/commands/sync.js

@@ -385,7 +385,7 @@ async function cmdSync(argv) {
             if (!progress?.enabled) return;
             const pct = p.total > 0 ? p.index / p.total : 1;
             progress.update(
-              `Parsing Kiro CLI ${renderBar(pct)} ${formatNumber(p.index)}/${formatNumber(p.total)} convs | buckets ${formatNumber(p.bucketsQueued)}`,
+              `Parsing Kiro CLI ${renderBar(pct)} ${formatNumber(p.index)}/${formatNumber(p.total)} sessions | buckets ${formatNumber(p.bucketsQueued)}`,
             );
           },
         });

package/src/lib/diagnostics.js

@@ -16,7 +16,20 @@ const { normalizeState: normalizeUploadState } = require("./upload-throttle");
 const { probeOpenclawHookState } = require("./openclaw-hook");
 const { probeOpenclawSessionPluginState } = require("./openclaw-session-plugin");
 const { resolveTrackerPaths } = require("./tracker-paths");
-const { resolveKiroCliDbPath } = require("./rollout");
+// TASK-011: Kiro CLI DB path inlined here to avoid pulling the ~4000-line
+// rollout module on every `tokentracker status` / `diagnostics` call.
+// rollout.js still exports resolveKiroCliDbPath for external callers.
+function resolveKiroCliDbPathInline(env, home) {
+  if (env.KIRO_CLI_DB_PATH) return env.KIRO_CLI_DB_PATH;
+  const effectiveHome = env.HOME || home;
+  return path.join(
+    effectiveHome,
+    "Library",
+    "Application Support",
+    "kiro-cli",
+    "data.sqlite3",
+  );
+}
 
 async function collectTrackerDiagnostics({
   home = os.homedir(),
@@ -98,7 +111,7 @@ async function collectTrackerDiagnostics({
   const kiroIdePresent =
     (await safeStatSize(path.join(kiroIdeDevDataDir, "devdata.sqlite"))) > 0 ||
     (await safeStatSize(path.join(kiroIdeDevDataDir, "tokens_generated.jsonl"))) > 0;
-  const kiroCliDbPath = resolveKiroCliDbPath(process.env);
+  const kiroCliDbPath = resolveKiroCliDbPathInline(process.env, home);
   const kiroCliPresent = require("node:fs").existsSync(kiroCliDbPath);
 
   const lastSuccessAt = uploadThrottle.lastSuccessMs

package/src/lib/local-api.js

@@ -557,7 +557,7 @@ function createLocalApiHandler({ queuePath }) {
     try {
       // Sticky semantics: never replace an existing on-disk session with an empty cookie map.
       if (relayCookies.size === 0) return;
-      
+
       const json = JSON.stringify(Object.fromEntries(relayCookies));
       fs.writeFileSync(cookiePath, json, { encoding: "utf8", mode: 0o600 });
     } catch (e) {
@@ -565,6 +565,18 @@ function createLocalApiHandler({ queuePath }) {
     }
   }
 
+  function clearRelayCookies(reason) {
+    if (relayCookies.size === 0) return;
+    relayCookies.clear();
+    try {
+      if (fs.existsSync(cookiePath)) fs.unlinkSync(cookiePath);
+    } catch (e) {
+      console.error("[LocalAPI] Failed to clear relay cookies:", e.message);
+      return;
+    }
+    if (reason) console.warn(`[LocalAPI] Cleared relay cookies: ${reason}`);
+  }
+
   function captureSetCookies(headerValue) {
     if (!headerValue) return;
     const parts = headerValue.split(/,(?=\s*\w+=)/);
@@ -598,11 +610,17 @@ function createLocalApiHandler({ queuePath }) {
     if (changed) persistRelayCookies();
   }
 
+  function normalizeCookieHeader(value) {
+    if (Array.isArray(value)) return value.filter(Boolean).join("; ");
+    return typeof value === "string" ? value : "";
+  }
+
   function buildRelayCookieHeader(clientCookieHeader) {
-    if (relayCookies.size === 0) return clientCookieHeader || "";
+    const normalizedClientCookieHeader = normalizeCookieHeader(clientCookieHeader);
+    if (relayCookies.size === 0) return normalizedClientCookieHeader;
     const clientPairs = new Map();
-    if (clientCookieHeader) {
-      for (const part of clientCookieHeader.split(";")) {
+    if (normalizedClientCookieHeader) {
+      for (const part of normalizedClientCookieHeader.split(";")) {
         const eqIdx = part.indexOf("=");
         if (eqIdx < 1) continue;
         const n = part.substring(0, eqIdx).trim();
@@ -672,8 +690,18 @@ function createLocalApiHandler({ queuePath }) {
           if (key === "host" || key === "connection") continue;
           proxyHeaders[key] = value;
         }
-        // Inject relay cookies so WebView benefits from browser's login session
-        const mergedCookie = buildRelayCookieHeader(proxyHeaders["cookie"]);
+        const hasClientCookie = normalizeCookieHeader(proxyHeaders["cookie"]).trim().length > 0;
+        const hasCsrfHeader = typeof proxyHeaders["x-csrf-token"] === "string" && proxyHeaders["x-csrf-token"].trim().length > 0;
+        const shouldInjectRelayCookies =
+          p !== "/api/auth/refresh" || hasClientCookie || hasCsrfHeader;
+
+        // Inject relay cookies so WebView benefits from browser's login session.
+        // Refresh requests need either a browser cookie or an explicit CSRF token;
+        // otherwise replaying a stale persisted refresh cookie just manufactures
+        // Invalid CSRF errors on startup.
+        const mergedCookie = shouldInjectRelayCookies
+          ? buildRelayCookieHeader(proxyHeaders["cookie"])
+          : normalizeCookieHeader(proxyHeaders["cookie"]);
         if (mergedCookie) proxyHeaders["cookie"] = mergedCookie;
 
         const bodyChunks = [];
@@ -697,8 +725,17 @@ function createLocalApiHandler({ queuePath }) {
             return [k, v];
           });
         res.writeHead(proxyRes.status, Object.fromEntries(responseHeaders));
-        const resBody = await proxyRes.arrayBuffer();
-        res.end(Buffer.from(resBody));
+        const resBody = Buffer.from(await proxyRes.arrayBuffer());
+        if (
+          p === "/api/auth/refresh"
+          && proxyRes.status === 403
+          && !hasClientCookie
+          && !hasCsrfHeader
+          && /invalid csrf token/i.test(resBody.toString("utf8"))
+        ) {
+          clearRelayCookies("stale refresh cookie without local CSRF context");
+        }
+        res.end(resBody);
       } catch (e) {
         json(res, { error: `Auth proxy error: ${e?.message || e}` }, 502);
       }