tokentracker-cli 0.5.76 → 0.5.77

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tokentracker-cli",
-  "version": "0.5.76",
+  "version": "0.5.77",
   "description": "Token usage tracker for AI agent CLIs (Claude Code, Codex, Cursor, Kiro, Gemini, OpenCode, OpenClaw, Hermes, GitHub Copilot)",
   "main": "src/cli.js",
   "bin": {

package/src/commands/sync.js

@@ -385,7 +385,7 @@ async function cmdSync(argv) {
             if (!progress?.enabled) return;
             const pct = p.total > 0 ? p.index / p.total : 1;
             progress.update(
-              `Parsing Kiro CLI ${renderBar(pct)} ${formatNumber(p.index)}/${formatNumber(p.total)} convs | buckets ${formatNumber(p.bucketsQueued)}`,
+              `Parsing Kiro CLI ${renderBar(pct)} ${formatNumber(p.index)}/${formatNumber(p.total)} sessions | buckets ${formatNumber(p.bucketsQueued)}`,
             );
           },
         });

package/src/lib/diagnostics.js

@@ -16,7 +16,20 @@ const { normalizeState: normalizeUploadState } = require("./upload-throttle");
 const { probeOpenclawHookState } = require("./openclaw-hook");
 const { probeOpenclawSessionPluginState } = require("./openclaw-session-plugin");
 const { resolveTrackerPaths } = require("./tracker-paths");
-const { resolveKiroCliDbPath } = require("./rollout");
+// TASK-011: Kiro CLI DB path inlined here to avoid pulling the ~4000-line
+// rollout module on every `tokentracker status` / `diagnostics` call.
+// rollout.js still exports resolveKiroCliDbPath for external callers.
+function resolveKiroCliDbPathInline(env, home) {
+  if (env.KIRO_CLI_DB_PATH) return env.KIRO_CLI_DB_PATH;
+  const effectiveHome = env.HOME || home;
+  return path.join(
+    effectiveHome,
+    "Library",
+    "Application Support",
+    "kiro-cli",
+    "data.sqlite3",
+  );
+}
 
 async function collectTrackerDiagnostics({
   home = os.homedir(),
@@ -98,7 +111,7 @@ async function collectTrackerDiagnostics({
   const kiroIdePresent =
     (await safeStatSize(path.join(kiroIdeDevDataDir, "devdata.sqlite"))) > 0 ||
     (await safeStatSize(path.join(kiroIdeDevDataDir, "tokens_generated.jsonl"))) > 0;
-  const kiroCliDbPath = resolveKiroCliDbPath(process.env);
+  const kiroCliDbPath = resolveKiroCliDbPathInline(process.env, home);
   const kiroCliPresent = require("node:fs").existsSync(kiroCliDbPath);
 
   const lastSuccessAt = uploadThrottle.lastSuccessMs

package/src/lib/local-api.js

@@ -557,7 +557,7 @@ function createLocalApiHandler({ queuePath }) {
     try {
       // Sticky semantics: never replace an existing on-disk session with an empty cookie map.
       if (relayCookies.size === 0) return;
-      
+
       const json = JSON.stringify(Object.fromEntries(relayCookies));
       fs.writeFileSync(cookiePath, json, { encoding: "utf8", mode: 0o600 });
     } catch (e) {
@@ -565,6 +565,18 @@ function createLocalApiHandler({ queuePath }) {
     }
   }
 
+  function clearRelayCookies(reason) {
+    if (relayCookies.size === 0) return;
+    relayCookies.clear();
+    try {
+      if (fs.existsSync(cookiePath)) fs.unlinkSync(cookiePath);
+    } catch (e) {
+      console.error("[LocalAPI] Failed to clear relay cookies:", e.message);
+      return;
+    }
+    if (reason) console.warn(`[LocalAPI] Cleared relay cookies: ${reason}`);
+  }
+
   function captureSetCookies(headerValue) {
     if (!headerValue) return;
     const parts = headerValue.split(/,(?=\s*\w+=)/);
@@ -598,11 +610,17 @@ function createLocalApiHandler({ queuePath }) {
     if (changed) persistRelayCookies();
   }
 
+  function normalizeCookieHeader(value) {
+    if (Array.isArray(value)) return value.filter(Boolean).join("; ");
+    return typeof value === "string" ? value : "";
+  }
+
   function buildRelayCookieHeader(clientCookieHeader) {
-    if (relayCookies.size === 0) return clientCookieHeader || "";
+    const normalizedClientCookieHeader = normalizeCookieHeader(clientCookieHeader);
+    if (relayCookies.size === 0) return normalizedClientCookieHeader;
     const clientPairs = new Map();
-    if (clientCookieHeader) {
-      for (const part of clientCookieHeader.split(";")) {
+    if (normalizedClientCookieHeader) {
+      for (const part of normalizedClientCookieHeader.split(";")) {
         const eqIdx = part.indexOf("=");
         if (eqIdx < 1) continue;
         const n = part.substring(0, eqIdx).trim();
@@ -672,8 +690,18 @@ function createLocalApiHandler({ queuePath }) {
           if (key === "host" || key === "connection") continue;
           proxyHeaders[key] = value;
         }
-        // Inject relay cookies so WebView benefits from browser's login session
-        const mergedCookie = buildRelayCookieHeader(proxyHeaders["cookie"]);
+        const hasClientCookie = normalizeCookieHeader(proxyHeaders["cookie"]).trim().length > 0;
+        const hasCsrfHeader = typeof proxyHeaders["x-csrf-token"] === "string" && proxyHeaders["x-csrf-token"].trim().length > 0;
+        const shouldInjectRelayCookies =
+          p !== "/api/auth/refresh" || hasClientCookie || hasCsrfHeader;
+
+        // Inject relay cookies so WebView benefits from browser's login session.
+        // Refresh requests need either a browser cookie or an explicit CSRF token;
+        // otherwise replaying a stale persisted refresh cookie just manufactures
+        // Invalid CSRF errors on startup.
+        const mergedCookie = shouldInjectRelayCookies
+          ? buildRelayCookieHeader(proxyHeaders["cookie"])
+          : normalizeCookieHeader(proxyHeaders["cookie"]);
         if (mergedCookie) proxyHeaders["cookie"] = mergedCookie;
 
         const bodyChunks = [];
@@ -697,8 +725,17 @@ function createLocalApiHandler({ queuePath }) {
             return [k, v];
           });
         res.writeHead(proxyRes.status, Object.fromEntries(responseHeaders));
-        const resBody = await proxyRes.arrayBuffer();
-        res.end(Buffer.from(resBody));
+        const resBody = Buffer.from(await proxyRes.arrayBuffer());
+        if (
+          p === "/api/auth/refresh"
+          && proxyRes.status === 403
+          && !hasClientCookie
+          && !hasCsrfHeader
+          && /invalid csrf token/i.test(resBody.toString("utf8"))
+        ) {
+          clearRelayCookies("stale refresh cookie without local CSRF context");
+        }
+        res.end(resBody);
       } catch (e) {
         json(res, { error: `Auth proxy error: ${e?.message || e}` }, 502);
       }

package/src/lib/rollout.js

@@ -3085,20 +3085,31 @@ function resolveKiroCliDbPath(env = process.env) {
   return path.join(home, "Library", "Application Support", "kiro-cli", "data.sqlite3");
 }
 
+// Bug-4: canonical UUID shape — 8-4-4-4-12 hex groups. The looser
+// /^[0-9a-f-]{36}\.json$/ form accepted `36 hyphens`.json or 36 hex with
+// no hyphens. kiro-cli writes proper UUIDs; lock to the canonical shape.
+const KIRO_CLI_SESSION_FILE_RE =
+  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.json$/i;
+
 // Lists ~/.kiro/sessions/cli/{uuid}.json files. Includes files whose sibling
 // .lock is present — we read those as tail-only snapshots so a running
 // session's completed turns still land in the queue on the next sync. The
 // .json files are rewritten atomically by kiro-cli on each turn flush, so
 // a stale read just means we'll pick up the rest next time.
+//
+// TASK-014: env.HOME is honored (symmetric with resolveKiroCliDbPath) so
+// callers can redirect to a tmp home for hermetic tests/CI.
 function resolveKiroCliSessionFiles(env = process.env) {
-  const home = require("node:os").homedir();
+  const home = env.HOME || require("node:os").homedir();
   const kiroHome = env.KIRO_HOME || path.join(home, ".kiro");
   const sessionsDir = path.join(kiroHome, "sessions", "cli");
   if (!fssync.existsSync(sessionsDir)) return [];
   const files = [];
   try {
     for (const entry of fssync.readdirSync(sessionsDir)) {
-      if (!entry.endsWith(".json")) continue;
+      // TASK-003: only canonical {uuid}.json files; backups, scratch,
+      // typos are skipped so they don't feed JSON.parse garbage.
+      if (!KIRO_CLI_SESSION_FILE_RE.test(entry)) continue;
       files.push(path.join(sessionsDir, entry));
     }
   } catch {
@@ -3126,63 +3137,73 @@ function resolveKiroCliSessionFiles(env = process.env) {
 // "claims" the buffered Prompt chars for its turn, and the buffer resets.
 // Later cycles within the same turn (Assistant → ToolResults → Assistant)
 // do not re-attribute.
-function readKiroCliMessageChars(jsonlPath, turnMessageIds) {
+async function readKiroCliMessageChars(jsonlPath, turnMessageIds) {
   const result = {
     byMessage: new Map(),
     messageKind: new Map(),
     turnPromptChars: new Map(),
   };
   if (!jsonlPath || !fssync.existsSync(jsonlPath)) return result;
-  let raw;
+  // TASK-005: stream via readline so multi-MB .jsonl files (heavy tool-use
+  // sessions) don't block the sync event loop by buffering whole-file.
+  let stream;
   try {
-    raw = fssync.readFileSync(jsonlPath, "utf8");
+    stream = fssync.createReadStream(jsonlPath, { encoding: "utf8" });
   } catch {
     return result;
   }
+  const rl = readline.createInterface({ input: stream, crlfDelay: Infinity });
   const midToTurn =
     turnMessageIds instanceof Map ? turnMessageIds : new Map();
   const attributedTurns = new Set();
   let pendingPromptChars = 0;
-  for (const line of raw.split("\n")) {
-    if (!line.trim()) continue;
-    let evt;
-    try {
-      evt = JSON.parse(line);
-    } catch {
-      continue;
-    }
-    const data = evt?.data;
-    if (!data || typeof data !== "object") continue;
-    const mid = data.message_id;
-    if (!mid) continue;
-    const content = Array.isArray(data.content) ? data.content : [];
-    let chars = 0;
-    for (const c of content) {
-      if (!c || typeof c !== "object") continue;
-      if (c.kind === "text" && typeof c.data === "string") {
-        chars += c.data.length;
-      } else if (c.kind === "toolUse" && c.data && typeof c.data === "object") {
-        // tool-use invocations count toward output; stringify the input payload
-        try {
-          chars += JSON.stringify(c.data.input || {}).length;
-        } catch {
-          // ignore
+  // Bug-5: wrap the streamed iteration. Mid-read errors (file deleted or
+  // truncated while kiro-cli is writing) would otherwise propagate up and
+  // crash the whole sync pass. On error we return the partial result and
+  // let the next sync re-read fresh.
+  try {
+    for await (const line of rl) {
+      if (!line || !line.trim()) continue;
+      let evt;
+      try {
+        evt = JSON.parse(line);
+      } catch {
+        continue;
+      }
+      const data = evt && evt.data;
+      if (!data || typeof data !== "object") continue;
+      const mid = data.message_id;
+      if (!mid) continue;
+      const content = Array.isArray(data.content) ? data.content : [];
+      let chars = 0;
+      for (const c of content) {
+        if (!c || typeof c !== "object") continue;
+        if (c.kind === "text" && typeof c.data === "string") {
+          chars += c.data.length;
+        } else if (c.kind === "toolUse" && c.data && typeof c.data === "object") {
+          try {
+            chars += JSON.stringify(c.data.input || {}).length;
+          } catch {
+            // ignore
+          }
         }
       }
-    }
-    result.byMessage.set(mid, (result.byMessage.get(mid) || 0) + chars);
-    if (!result.messageKind.has(mid)) result.messageKind.set(mid, evt.kind);
-
-    if (evt.kind === "Prompt") {
-      pendingPromptChars += chars;
-    } else if (evt.kind === "AssistantMessage" && midToTurn.has(mid)) {
-      const turnIdx = midToTurn.get(mid);
-      if (!attributedTurns.has(turnIdx)) {
-        result.turnPromptChars.set(turnIdx, pendingPromptChars);
-        attributedTurns.add(turnIdx);
-        pendingPromptChars = 0;
+      result.byMessage.set(mid, (result.byMessage.get(mid) || 0) + chars);
+      if (!result.messageKind.has(mid)) result.messageKind.set(mid, evt.kind);
+
+      if (evt.kind === "Prompt") {
+        pendingPromptChars += chars;
+      } else if (evt.kind === "AssistantMessage" && midToTurn.has(mid)) {
+        const turnIdx = midToTurn.get(mid);
+        if (!attributedTurns.has(turnIdx)) {
+          result.turnPromptChars.set(turnIdx, pendingPromptChars);
+          attributedTurns.add(turnIdx);
+          pendingPromptChars = 0;
+        }
       }
     }
+  } catch {
+    // partial data — return what we have.
   }
   return result;
 }
@@ -3192,7 +3213,7 @@ function readKiroCliMessageChars(jsonlPath, turnMessageIds) {
 // input_tokens, output_tokens }]. We use the same request_id dedup slot as
 // the SQLite path so mutations (turn rewritten on next flush) go through
 // the subtract-old/add-new path in parseKiroCliIncremental.
-function readKiroCliSessionTurns(jsonPath) {
+async function readKiroCliSessionTurns(jsonPath) {
   if (!jsonPath || !fssync.existsSync(jsonPath)) return [];
   let parsed;
   try {
@@ -3229,14 +3250,19 @@ function readKiroCliSessionTurns(jsonPath) {
 
   // Load sibling .jsonl for char-count fallback.
   const jsonlPath = jsonPath.replace(/\.json$/, ".jsonl");
-  const charMap = readKiroCliMessageChars(jsonlPath, turnMessageIds);
+  const charMap = await readKiroCliMessageChars(jsonlPath, turnMessageIds);
 
   const flat = [];
   for (let turnIdx = 0; turnIdx < turns.length; turnIdx++) {
     const turn = turns[turnIdx];
     if (!turn || typeof turn !== "object") continue;
+    // TASK-001: preserve the integer 0. `|| null` would coerce a valid
+    // loop_id.rand=0 into a message_id fallback, splitting the dedup
+    // namespace across runs that see 0 vs runs that don't.
     const loopRand =
-      (turn.loop_id && (turn.loop_id.rand ?? turn.loop_id.seed)) || null;
+      turn.loop_id && typeof turn.loop_id === "object"
+        ? turn.loop_id.rand ?? turn.loop_id.seed ?? null
+        : null;
     const messageIds = Array.isArray(turn.message_ids) ? turn.message_ids : [];
     const requestId = loopRand != null ? `${sessionId}:${loopRand}` : (messageIds[0] || null);
     if (!requestId) continue;
@@ -3261,17 +3287,42 @@ function readKiroCliSessionTurns(jsonPath) {
       outputTokens = Math.floor(assistantChars / KIRO_CLI_CHARS_PER_TOKEN);
     }
 
-    // Timestamp: end_timestamp is an ISO string; coerce to ms.
-    const tsRaw = turn.end_timestamp || turn.start_timestamp;
-    const tsMs = tsRaw ? Date.parse(tsRaw) : NaN;
+    // TASK-006: timestamp precedence matches SQLite's
+    // request_start_timestamp_ms so a turn that migrates SQLite ↔
+    // session-file buckets identically across tiers (previously a turn
+    // straddling a half-hour boundary bucketed differently per source
+    // because session files use end_timestamp while SQLite uses start).
+    //   1. turn.request_start_timestamp_ms   (numeric ms, SQLite shape)
+    //   2. turn.start_timestamp              (ISO string)
+    //   3. turn.end_timestamp                (ISO string, legacy fallback)
+    let tsMs = NaN;
+    if (Number.isFinite(Number(turn.request_start_timestamp_ms))) {
+      tsMs = Number(turn.request_start_timestamp_ms);
+    } else if (turn.start_timestamp) {
+      tsMs = Date.parse(turn.start_timestamp);
+    } else if (turn.end_timestamp) {
+      tsMs = Date.parse(turn.end_timestamp);
+    }
     if (!Number.isFinite(tsMs) || tsMs <= 0) continue;
 
     flat.push({
       request_id: requestId,
       session_model_id: sessionModelId,
       message_id: messageIds[0] || null,
+      // Turn-granular migration match: surface the full list so the
+      // cross-source retraction in parseKiroCliIncremental can drop this
+      // specific turn iff any of its assistant/tool_result message_ids
+      // appears in SQLite. Session-level matching over-retracts newer
+      // turns in an active session whose older turns have already
+      // flushed to SQLite.
+      all_message_ids: messageIds.slice(),
       model_id: turn.model_id || sessionModelId,
       request_start_timestamp_ms: tsMs,
+      // D-1 / Bug-2: tag with session_id so the retraction pass can match
+      // session-origin entries even when the requestId format has no
+      // colon (no-loop_id fallback uses a bare message_id UUID that would
+      // otherwise be indistinguishable from SQLite's UUID keys).
+      session_id: sessionId,
       // For the parser, we feed the ALREADY-approximated tokens directly via
       // a special sentinel field. The parser will divide chars by
       // KIRO_CLI_CHARS_PER_TOKEN; bypass that by pre-multiplying here.
@@ -3319,7 +3370,14 @@ function canonicalizeKiroCliModelId(raw) {
 
 // Read Kiro CLI requests using SQL-side json_extract so we don't pull the
 // full (93 MB-ish) conversations_v2 blob back through sqlite3 -json.
-function readKiroCliRequests(dbPath) {
+//
+// D-1: also surfaces `user_turn_metadata.continuation_id` so the cross-
+// source retraction pass (parseKiroCliIncremental) can match whichever
+// UUID kiro-cli used as the session link. The SQL column
+// `conversation_id` and the inner JSON `continuation_id` are different
+// UUIDs on observed data; covering both means retraction fires whichever
+// side matches the live session's `session_id`.
+function readKiroCliRequests(dbPath, env = process.env) {
   if (!dbPath || !fssync.existsSync(dbPath)) return [];
   let raw;
   try {
@@ -3330,13 +3388,23 @@ function readKiroCliRequests(dbPath) {
         dbPath,
         "SELECT conversation_id, " +
           "json_extract(value, '$.model_info.model_id') AS session_model_id, " +
+          "json_extract(value, '$.user_turn_metadata.continuation_id') AS continuation_id, " +
           "json_extract(value, '$.user_turn_metadata.requests') AS requests_json " +
           "FROM conversations_v2 " +
           "WHERE json_extract(value, '$.user_turn_metadata.requests') IS NOT NULL",
       ],
       { encoding: "utf8", maxBuffer: 128 * 1024 * 1024, timeout: 120_000 },
     );
-  } catch {
+  } catch (err) {
+    // TASK-012 / D-8: debug-gated stderr log so a missing sqlite3 binary
+    // is distinguishable from an empty DB. Silent by default. env is
+    // threaded so tests can toggle debug hermetically.
+    const dbg = String((env && env.TOKENTRACKER_DEBUG) || "").toLowerCase();
+    if (dbg === "1" || dbg === "true") {
+      process.stderr.write(
+        `[kiro-cli] sqlite3 read failed: ${err?.message || err}\n`,
+      );
+    }
     return [];
   }
   if (!raw || !raw.trim()) return [];
@@ -3360,6 +3428,7 @@ function readKiroCliRequests(dbPath) {
       if (!r || typeof r !== "object") continue;
       flat.push({
         conversation_id: row.conversation_id,
+        continuation_id: row.continuation_id || null,
         session_model_id: row.session_model_id || null,
         request_id: r.request_id || null,
         message_id: r.message_id || null,
@@ -3400,18 +3469,22 @@ async function parseKiroCliIncremental({ sessionFiles, cursors, queuePath, onPro
   // Combine two sources under the same (source='kiro', cursors.kiroCli)
   // namespace: historical rows from the SQLite DB plus live session state
   // from ~/.kiro/sessions/cli/{uuid}.json (covers turns from a running
-  // session that hasn't flushed to SQLite yet). Request IDs are disjoint
-  // (SQLite uses request_id UUID; sessions use {sessionId}:{loop_id.rand}),
-  // so no cross-source dedup is needed.
-  const flatDb = fssync.existsSync(dbPath) ? readKiroCliRequests(dbPath) : [];
+  // session that hasn't flushed to SQLite yet). Request ID shapes differ:
+  // SQLite carries a persisted request_id UUID; session files synthesize
+  // `${sessionId}:${loop_id.rand}`. When kiro-cli migrates a live session
+  // into SQLite the same turn lands under a new request_id — the cross-
+  // source retraction pass below (D-1 + TASK-007) matches session_id ↔
+  // SQLite conversation_id OR continuation_id to subtract the orphan
+  // session-file cursor entry before the new SQLite row is processed.
+  const flatDb = fssync.existsSync(dbPath)
+    ? readKiroCliRequests(dbPath, resolvedEnv)
+    : [];
   const sessionFilesList = resolveKiroCliSessionFiles(resolvedEnv);
-  const flatSessions = [];
+  let flatSessions = [];
   for (const jsonPath of sessionFilesList) {
-    for (const turn of readKiroCliSessionTurns(jsonPath)) {
-      flatSessions.push(turn);
-    }
+    const turns = await readKiroCliSessionTurns(jsonPath);
+    for (const turn of turns) flatSessions.push(turn);
   }
-  const flat = flatDb.concat(flatSessions);
   // Per-request state replaces the old seenIds set. Each entry captures
   // what we contributed for that request_id last time, so a later mutation
   // (same request_id, different fingerprint) can subtract-old/add-new
@@ -3421,17 +3494,146 @@ async function parseKiroCliIncremental({ sessionFiles, cursors, queuePath, onPro
       ? { ...kiroCliState.requests }
       : {};
 
-  if (flat.length === 0) {
-    cursors.kiroCli = {
-      ...kiroCliState,
-      requests: requestState,
-      updatedAt: new Date().toISOString(),
-    };
-    return { recordsProcessed: 0, eventsAggregated: 0, bucketsQueued: 0 };
-  }
-
   const hourlyState = normalizeHourlyState(cursors?.hourly);
   const touchedBuckets = new Set();
+  const debugEnabled = ["1", "true"].includes(
+    String(resolvedEnv.TOKENTRACKER_DEBUG || "").toLowerCase(),
+  );
+
+  // ── TASK-007 + D-1: cross-source retraction. When a conversation has
+  //    migrated from the session-file tier into SQLite, the cursor's
+  //    prior session-file entry (keyed `${sessionId}:${loopRand}` OR a
+  //    bare message_id UUID when loop_id is absent) never matches the
+  //    new SQLite request_id. Without retraction the old contribution
+  //    stays in the bucket absolute and the new SQLite row is added on
+  //    top — permanent double-count. D-6: typed non-empty check so a
+  //    corrupt NULL/empty conv_id can't poison the match set.
+  //
+  // Two match sets are built:
+  //   • migratedConvIds  — session_id → any row in SQLite. Used to scope
+  //                        cursor retraction (coarse but safe because
+  //                        un-migrated turns still present in the session
+  //                        file are re-added later in this same run).
+  //   • migratedMsgIds   — r.message_id → exact turn in SQLite. Used to
+  //                        filter flatSessions at TURN granularity. An
+  //                        active session with older migrated turns +
+  //                        newer session-file-only turns must keep the
+  //                        newer turns; session-level filtering dropped
+  //                        them and caused Kiro CLI under-count.
+  const migratedConvIds = new Set();
+  const migratedMsgIds = new Set();
+  for (const row of flatDb) {
+    if (!row) continue;
+    if (typeof row.conversation_id === "string" && row.conversation_id)
+      migratedConvIds.add(row.conversation_id);
+    if (typeof row.continuation_id === "string" && row.continuation_id)
+      migratedConvIds.add(row.continuation_id);
+    if (typeof row.message_id === "string" && row.message_id)
+      migratedMsgIds.add(row.message_id);
+  }
+  if (migratedConvIds.size > 0) {
+    // Pre-collect to retract so mutation during iteration is safe.
+    // Retraction stays session-level: for every cursor entry whose
+    // session_id has any row in SQLite, subtract its prior contribution.
+    // This is provably correct because turns still live in the session
+    // file get re-added in this same run via the (turn-granular) filter
+    // below, producing a net delta of zero for un-migrated turns.
+    const toRetract = [];
+    for (const [reqId, prev] of Object.entries(requestState)) {
+      if (!prev || typeof prev !== "object") continue;
+      // Bug-2: prefer the stored session_id tag (new schema); fall back
+      // to colon-split for legacy cursors pre-dating this change.
+      let sid = null;
+      if (typeof prev.session_id === "string" && prev.session_id) {
+        sid = prev.session_id;
+      } else {
+        const colon = reqId.indexOf(":");
+        if (colon > 0) sid = reqId.slice(0, colon);
+      }
+      if (!sid || !migratedConvIds.has(sid)) continue;
+      toRetract.push([reqId, prev, sid]);
+    }
+    for (const [reqId, prev, sid] of toRetract) {
+      if (prev.input_tokens || prev.output_tokens) {
+        const prevBucket = getHourlyBucket(
+          hourlyState,
+          "kiro",
+          prev.model,
+          prev.bucketStart,
+        );
+        addTotals(prevBucket.totals, {
+          input_tokens: -prev.input_tokens,
+          cached_input_tokens: 0,
+          cache_creation_input_tokens: 0,
+          output_tokens: -prev.output_tokens,
+          reasoning_output_tokens: 0,
+          total_tokens: -(prev.input_tokens + prev.output_tokens),
+          conversation_count: -1,
+        });
+        touchedBuckets.add(bucketKey("kiro", prev.model, prev.bucketStart));
+      }
+      delete requestState[reqId];
+      if (debugEnabled) {
+        process.stderr.write(
+          `[kiro-cli] retracted migrated session entry (conv ${sid})\n`,
+        );
+      }
+    }
+    // Turn-granular filter: drop a session-file turn only when at least
+    // one of its assistant/tool_result message_ids is present in SQLite
+    // (i.e. this specific turn has been flushed). Newer turns in the
+    // same session that haven't yet landed in SQLite survive.
+    //
+    // Edge: a turn with no message_ids at all cannot be matched. We keep
+    // it — preferring a rare potential double-count (narrow, since such
+    // a turn would also have no request_id under the no-loop_id path and
+    // be discarded upstream) over the reported regression of dropping
+    // legitimate newer turns wholesale. D-14: still O(N) single-pass.
+    const before = flatSessions.length;
+    flatSessions = flatSessions.filter((s) => {
+      if (!s) return false;
+      const mids = Array.isArray(s.all_message_ids)
+        ? s.all_message_ids
+        : s.message_id
+        ? [s.message_id]
+        : [];
+      for (const mid of mids) {
+        if (typeof mid === "string" && mid && migratedMsgIds.has(mid)) {
+          return false;
+        }
+      }
+      return true;
+    });
+    if (debugEnabled && flatSessions.length !== before) {
+      process.stderr.write(
+        `[kiro-cli] dropped ${before - flatSessions.length} migrated session-file turn(s)\n`,
+      );
+    }
+  }
+
+  const flat = flatDb.concat(flatSessions);
+
+  if (flat.length === 0) {
+    // Bug-1: retraction may have touched buckets even with empty flat.
+    // Clamp + cap BEFORE flushing so the early-return path applies the
+    // same guarantees as the main path (fixes a skip that flushed
+    // negative conversation_counts and left the cap unapplied).
+    const cappedEarly = clampAndCapKiroCliState({
+      requestState,
+      hourlyState,
+      touchedBuckets,
+    });
+    const bucketsQueued = await enqueueTouchedBuckets({
+      queuePath,
+      hourlyState,
+      touchedBuckets,
+    });
+    const updatedAt = new Date().toISOString();
+    hourlyState.updatedAt = updatedAt;
+    cursors.hourly = hourlyState;
+    cursors.kiroCli = { ...kiroCliState, requests: cappedEarly, updatedAt };
+    return { recordsProcessed: 0, eventsAggregated: 0, bucketsQueued };
+  }
   const cb = typeof onProgress === "function" ? onProgress : null;
   let recordsProcessed = 0;
   let eventsAggregated = 0;
@@ -3497,12 +3699,17 @@ async function parseKiroCliIncremental({ sessionFiles, cursors, queuePath, onPro
 
     // Always record the cursor entry (even for zero-token requests) so we
     // don't re-count later if Kiro rewrites this request with real data.
+    // Bug-2: tag session-origin entries with session_id so the retraction
+    // pass can identify them regardless of request_id format (the
+    // no-loop_id fallback produces a bare UUID with no colon, which would
+    // otherwise be indistinguishable from SQLite's UUID keys).
     requestState[requestId] = {
       fingerprint,
       bucketStart,
       model,
       input_tokens: approxInput,
       output_tokens: approxOutput,
+      ...(r.session_id ? { session_id: r.session_id } : {}),
     };
 
     if (cb && i % 50 === 0) {
@@ -3516,15 +3723,59 @@ async function parseKiroCliIncremental({ sessionFiles, cursors, queuePath, onPro
     }
   }
 
+  const cappedState = clampAndCapKiroCliState({
+    requestState,
+    hourlyState,
+    touchedBuckets,
+  });
+
   const bucketsQueued = await enqueueTouchedBuckets({ queuePath, hourlyState, touchedBuckets });
   const updatedAt = new Date().toISOString();
   hourlyState.updatedAt = updatedAt;
   cursors.hourly = hourlyState;
-  cursors.kiroCli = { ...kiroCliState, requests: requestState, updatedAt };
+  cursors.kiroCli = { ...kiroCliState, requests: cappedState, updatedAt };
 
   return { recordsProcessed, eventsAggregated, bucketsQueued };
 }
 
+// TASK-004 + TASK-010 + Bug-1: shared end-of-run clamp + cap for
+// parseKiroCliIncremental. Centralized so the main path AND the
+// retraction-only early-return path both apply the same guarantees.
+// Mutates hourlyState bucket totals in place (clamp) and returns a new
+// capped requestState object (cap).
+const KIRO_CLI_CURSOR_MAX_AGE_MS = 90 * 24 * 60 * 60 * 1000;
+const KIRO_CLI_CURSOR_MAX_ENTRIES = 20_000;
+
+function clampAndCapKiroCliState({ requestState, hourlyState, touchedBuckets }) {
+  // TASK-010: clamp conversation_count to >= 0 on Kiro-touched buckets
+  // only. The shared enqueueTouchedBuckets is left untouched so
+  // legitimate negatives from the 10 other parsers are not masked. Kiro
+  // negatives come from the subtract-old pass on mutation or retraction.
+  for (const key of touchedBuckets) {
+    const bucket = hourlyState.buckets && hourlyState.buckets[key];
+    if (bucket && bucket.totals && bucket.totals.conversation_count < 0) {
+      bucket.totals.conversation_count = 0;
+    }
+  }
+  // TASK-004: cap cursors.kiroCli.requests by age + count. Runs LAST so
+  // nothing active or just-retracted is pruned mid-flight.
+  const ageCutoffMs = Date.now() - KIRO_CLI_CURSOR_MAX_AGE_MS;
+  const cappedEntries = [];
+  for (const [reqId, entry] of Object.entries(requestState)) {
+    if (!entry || typeof entry !== "object") continue;
+    const ts = entry.bucketStart ? Date.parse(entry.bucketStart) : NaN;
+    if (!Number.isFinite(ts) || ts < ageCutoffMs) continue;
+    cappedEntries.push([reqId, entry, ts]);
+  }
+  if (cappedEntries.length > KIRO_CLI_CURSOR_MAX_ENTRIES) {
+    cappedEntries.sort((a, b) => b[2] - a[2]); // newest first
+    cappedEntries.length = KIRO_CLI_CURSOR_MAX_ENTRIES;
+  }
+  const capped = {};
+  for (const [reqId, entry] of cappedEntries) capped[reqId] = entry;
+  return capped;
+}
+
 // Back-compat path: per-session .json files (the old fixture shape). Emits
 // exact tokens if the fixture happens to carry them (which the test fixture
 // does). Used only by the test/rollout-parser.test.js fixture tests.