npm - tokentracker-cli - Versions diffs - 0.5.79 → 0.5.81 - Mend

tokentracker-cli 0.5.79 → 0.5.81

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/dashboard/dist/assets/{use-limits-display-prefs-C-Y8vFA9.js → use-limits-display-prefs-CPfPbjXC.js} RENAMED Viewed

	@@ -1 +1 @@
1	- import{r as a}from"./main-~~CPsqG3PW~~.js";const d=["claude","codex","cursor","gemini","kiro","copilot","antigravity"],v={claude:"Claude",codex:"Codex",cursor:"Cursor",gemini:"Gemini",kiro:"Kiro",copilot:"GitHub Copilot",antigravity:"Antigravity"},k={claude:"/brand-logos/claude-code.svg",codex:"/brand-logos/codex.svg",cursor:"/brand-logos/cursor.svg",gemini:"/brand-logos/gemini.svg",kiro:"/brand-logos/kiro.svg",copilot:"/brand-logos/copilot.svg",antigravity:"/brand-logos/antigravity.svg"},l="tt.limits.providerOrder",g="tt.limits.providerVisibility";function y(){if(typeof window>"u")return[...d];try{const r=window.localStorage.getItem(l);if(!r)return[...d];const s=JSON.parse(r);if(!Array.isArray(s))return[...d];const n=s.filter(c=>d.includes(c));for(const c of d)n.includes(c)\|\|n.push(c);return n}catch{return[...d]}}function m(){const r=Object.fromEntries(d.map(s=>[s,!0]));if(typeof window>"u")return r;try{const s=window.localStorage.getItem(g);if(!s)return r;const n=JSON.parse(s);if(!n\|\|typeof n!="object")return r;const c={...r};for(const u of d)typeof n[u]=="boolean"&&(c[u]=n[u]);return c}catch{return r}}function C(){const[r,s]=a.useState(y),[n,c]=a.useState(m);a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(l,JSON.stringify(r))}catch{}},[r]),a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(g,JSON.stringify(n))}catch{}},[n]),a.useEffect(()=>{if(typeof window>"u")return;const o=t=>{t.key===l&&s(y()),t.key===g&&c(m())};return window.addEventListener("storage",o),()=>window.removeEventListener("storage",o)},[]);const u=a.useCallback(o=>{c(t=>({...t,[o]:!t[o]}))},[]),b=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<=0)return t;const i=[...t];return[i[e-1],i[e]]=[i[e],i[e-1]],i})},[]),p=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<0\|\|e>=t.length-1)return t;const i=[...t];return[i[e],i[e+1]]=[i[e+1],i[e]],i})},[]),O=a.useCallback((o,t)=>{o!==t&&s(e=>{const i=e.indexOf(o),w=e.indexOf(t);if(i<0\|\|w<0)return e;const f=[...e],[E]=f.splice(i,1);return f.splice(w,0,E),f})},[]),x=a.useCallback(()=>{s([...d]),c(Object.fromEntries(d.map(o=>[o,!0])))},[]),I=a.useMemo(()=>r.filter(o=>n[o]!==!1),[r,n]);return{order:r,visibility:n,visibleOrdered:I,toggle:u,moveUp:b,moveDown:p,moveToward:O,reset:x}}export{k as L,v as a,C as u};
1	+ import{r as a}from"./main-MimZZsgW.js";const d=["claude","codex","cursor","gemini","kiro","copilot","antigravity"],v={claude:"Claude",codex:"Codex",cursor:"Cursor",gemini:"Gemini",kiro:"Kiro",copilot:"GitHub Copilot",antigravity:"Antigravity"},k={claude:"/brand-logos/claude-code.svg",codex:"/brand-logos/codex.svg",cursor:"/brand-logos/cursor.svg",gemini:"/brand-logos/gemini.svg",kiro:"/brand-logos/kiro.svg",copilot:"/brand-logos/copilot.svg",antigravity:"/brand-logos/antigravity.svg"},l="tt.limits.providerOrder",g="tt.limits.providerVisibility";function y(){if(typeof window>"u")return[...d];try{const r=window.localStorage.getItem(l);if(!r)return[...d];const s=JSON.parse(r);if(!Array.isArray(s))return[...d];const n=s.filter(c=>d.includes(c));for(const c of d)n.includes(c)\|\|n.push(c);return n}catch{return[...d]}}function m(){const r=Object.fromEntries(d.map(s=>[s,!0]));if(typeof window>"u")return r;try{const s=window.localStorage.getItem(g);if(!s)return r;const n=JSON.parse(s);if(!n\|\|typeof n!="object")return r;const c={...r};for(const u of d)typeof n[u]=="boolean"&&(c[u]=n[u]);return c}catch{return r}}function C(){const[r,s]=a.useState(y),[n,c]=a.useState(m);a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(l,JSON.stringify(r))}catch{}},[r]),a.useEffect(()=>{if(!(typeof window>"u"))try{window.localStorage.setItem(g,JSON.stringify(n))}catch{}},[n]),a.useEffect(()=>{if(typeof window>"u")return;const o=t=>{t.key===l&&s(y()),t.key===g&&c(m())};return window.addEventListener("storage",o),()=>window.removeEventListener("storage",o)},[]);const u=a.useCallback(o=>{c(t=>({...t,[o]:!t[o]}))},[]),b=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<=0)return t;const i=[...t];return[i[e-1],i[e]]=[i[e],i[e-1]],i})},[]),p=a.useCallback(o=>{s(t=>{const e=t.indexOf(o);if(e<0\|\|e>=t.length-1)return t;const i=[...t];return[i[e],i[e+1]]=[i[e+1],i[e]],i})},[]),O=a.useCallback((o,t)=>{o!==t&&s(e=>{const i=e.indexOf(o),w=e.indexOf(t);if(i<0\|\|w<0)return e;const f=[...e],[E]=f.splice(i,1);return f.splice(w,0,E),f})},[]),x=a.useCallback(()=>{s([...d]),c(Object.fromEntries(d.map(o=>[o,!0])))},[]),I=a.useMemo(()=>r.filter(o=>n[o]!==!1),[r,n]);return{order:r,visibility:n,visibleOrdered:I,toggle:u,moveUp:b,moveDown:p,moveToward:O,reset:x}}export{k as L,v as a,C as u};

package/dashboard/dist/assets/{use-usage-limits-CiHD5lbg.js → use-usage-limits-BvCjl0IL.js} RENAMED Viewed

	@@ -1 +1 @@
1	- import{r,aM as l}from"./main-~~CPsqG3PW~~.js";function y(i){const[o,a]=r.useState(null),[u,s]=r.useState(null),[c,f]=r.useState(!0),n=!!i?.initialRefresh,g=r.useCallback(async()=>{try{const e=await l({refresh:!0});a(e&&typeof e=="object"?e:null),s(null)}catch(e){s(e?.message\|\|String(e))}},[]);return r.useEffect(()=>{let e=!1;return(async()=>{try{const t=await l(n?{refresh:!0}:{});if(e)return;a(t&&typeof t=="object"?t:null),s(null)}catch(t){if(e)return;s(t?.message\|\|String(t))}finally{e\|\|f(!1)}})(),()=>{e=!0}},[n]),{data:o,error:u,isLoading:c,refresh:g}}export{y as u};
1	+ import{r,aM as l}from"./main-MimZZsgW.js";function y(i){const[o,a]=r.useState(null),[u,s]=r.useState(null),[c,f]=r.useState(!0),n=!!i?.initialRefresh,g=r.useCallback(async()=>{try{const e=await l({refresh:!0});a(e&&typeof e=="object"?e:null),s(null)}catch(e){s(e?.message\|\|String(e))}},[]);return r.useEffect(()=>{let e=!1;return(async()=>{try{const t=await l(n?{refresh:!0}:{});if(e)return;a(t&&typeof t=="object"?t:null),s(null)}catch(t){if(e)return;s(t?.message\|\|String(t))}finally{e\|\|f(!1)}})(),()=>{e=!0}},[n]),{data:o,error:u,isLoading:c,refresh:g}}export{y as u};

package/dashboard/dist/index.html CHANGED Viewed

@@ -135,7 +135,7 @@
         ]
       }
     </script>
-    <script type="module" crossorigin src="/assets/main-CPsqG3PW.js"></script>
+    <script type="module" crossorigin src="/assets/main-MimZZsgW.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/main-DRf20yyJ.css">
   </head>
   <body>

package/dashboard/dist/share.html CHANGED Viewed

@@ -51,7 +51,7 @@
         "description": "Shareable Token Tracker dashboard snapshot."
       }
     </script>
-    <script type="module" crossorigin src="/assets/main-CPsqG3PW.js"></script>
+    <script type="module" crossorigin src="/assets/main-MimZZsgW.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/main-DRf20yyJ.css">
   </head>
   <body>

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "tokentracker-cli",
-  "version": "0.5.79",
+  "version": "0.5.81",
   "description": "Token usage tracker for AI agent CLIs (Claude Code, Codex, Cursor, Kiro, Gemini, OpenCode, OpenClaw, Hermes, GitHub Copilot)",
   "main": "src/cli.js",
   "bin": {

package/src/commands/serve.js CHANGED Viewed

@@ -11,11 +11,16 @@ const { openInBrowser } = require("../lib/browser-auth");
 const DEFAULT_PORT = 7680;
 const NPM_PACKAGE_NAME = "tokentracker-cli";
+const LOCAL_BIND_HOST = "127.0.0.1";
 function buildPortInUseHint(port) {
   return `Port ${port} is still in use after cleanup. Try: npx ${NPM_PACKAGE_NAME} serve --port ${port + 1}\n`;
 }
+function getLocalServerUrl(port) {
+  return `http://${LOCAL_BIND_HOST}:${port}`;
+}
 async function cmdServe(argv) {
   const opts = parseArgs(argv);
@@ -85,7 +90,6 @@ async function cmdServe(argv) {
       // CORS preflight
       if (req.method === "OPTIONS") {
         res.writeHead(204, {
-          "Access-Control-Allow-Origin": "*",
           "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
           "Access-Control-Allow-Headers": "Content-Type, Authorization",
         });
@@ -116,8 +120,8 @@ async function cmdServe(argv) {
   // 4. Listen (kill stale process on same port if needed)
   const port = opts.port;
   await ensurePortFree(port);
-  server.listen(port, () => {
-    const url = `http://localhost:${port}`;
+  server.listen(port, LOCAL_BIND_HOST, () => {
+    const url = getLocalServerUrl(port);
     process.stdout.write(
       [
         "",
@@ -226,4 +230,10 @@ function parseArgs(argv) {
   return opts;
 }
-module.exports = { cmdServe, buildPortInUseHint, NPM_PACKAGE_NAME };
+module.exports = {
+  cmdServe,
+  buildPortInUseHint,
+  NPM_PACKAGE_NAME,
+  LOCAL_BIND_HOST,
+  getLocalServerUrl,
+};

package/src/lib/local-api.js CHANGED Viewed

@@ -2,6 +2,8 @@ const fs = require("node:fs");
 const os = require("node:os");
 const path = require("node:path");
 const { spawn } = require("node:child_process");
+const crypto = require("node:crypto");
+const { DEFAULT_BASE_URL, resolveRuntimeConfig } = require("./runtime-config");
 const SYNC_TIMEOUT_MS = 120_000;
 const TRACKER_BIN = path.resolve(__dirname, "../../bin/tracker.js");
@@ -106,12 +108,22 @@ function getModelPricing(model) {
 function computeRowCost(row) {
   const pricing = getModelPricing(row.model);
+  // For OpenAI/Codex-family rollouts, `output_tokens` already includes any
+  // reasoning tokens (the OpenAI API's `completion_tokens` is inclusive),
+  // so adding a separate `reasoning_output_tokens * output_rate` term
+  // double-charges that slice. ccusage models this the same way. For other
+  // sources we keep the explicit reasoning term because `reasoning` is not
+  // guaranteed to be folded into `output_tokens`.
+  const reasoningIncludedInOutput = row.source === "codex" || row.source === "every-code";
+  const reasoningCost = reasoningIncludedInOutput
+    ? 0
+    : (row.reasoning_output_tokens || 0) * (pricing.output || 0);
   return (
     ((row.input_tokens || 0) * (pricing.input || 0) +
       (row.output_tokens || 0) * (pricing.output || 0) +
       (row.cached_input_tokens || 0) * (pricing.cache_read || 0) +
       (row.cache_creation_input_tokens || 0) * (pricing.cache_write || 0) +
-      (row.reasoning_output_tokens || 0) * (pricing.output || 0)) /
+      reasoningCost) /
     1_000_000
   );
 }
@@ -149,6 +161,29 @@ function readProjectQueueData(projectQueuePath) {
   return Array.from(seen.values());
 }
+function isLegacyInclusiveCodexRow(row) {
+  if (!row || (row.source !== "codex" && row.source !== "every-code")) return false;
+  const inputTokens = Number(row.input_tokens || 0);
+  const cachedInputTokens = Number(row.cached_input_tokens || 0);
+  const outputTokens = Number(row.output_tokens || 0);
+  const totalTokens = Number(row.total_tokens || 0);
+  if (!Number.isFinite(inputTokens) || !Number.isFinite(cachedInputTokens)) return false;
+  if (cachedInputTokens <= 0 || inputTokens < cachedInputTokens) return false;
+  // Legacy Codex queue rows stored input inclusive of cache reads, while
+  // total_tokens remained input + output. Canonical rows keep input as pure
+  // non-cached input, so cache-heavy legacy rows can be identified by this
+  // exact invariant.
+  return totalTokens === inputTokens + outputTokens;
+}
+function normalizeQueueRow(row) {
+  if (!isLegacyInclusiveCodexRow(row)) return row;
+  return {
+    ...row,
+    input_tokens: Number(row.input_tokens || 0) - Number(row.cached_input_tokens || 0),
+  };
+}
 function readQueueData(queuePath) {
   let raw;
   try {
@@ -184,7 +219,7 @@ function readQueueData(queuePath) {
   const seen = new Map();
   for (const row of parsed) {
     const key = `${row.source || ""}|${row.model || ""}|${row.hour_start || ""}`;
-    seen.set(key, row);
+    seen.set(key, normalizeQueueRow(row));
   }
   return Array.from(seen.values());
 }
@@ -351,6 +386,67 @@ function trimOutput(value, max = 4000) {
   return t.length <= max ? t : t.slice(t.length - max);
 }
+function normalizeRemoteHttpBaseUrl(value) {
+  if (typeof value !== "string") return null;
+  const trimmed = value.trim();
+  if (!trimmed) return null;
+  try {
+    const url = new URL(trimmed);
+    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
+    url.username = "";
+    url.password = "";
+    url.hash = "";
+    return url.toString().replace(/\/$/, "");
+  } catch (_e) {
+    return null;
+  }
+}
+function resolveAllowedInsforgeBaseUrl(value) {
+  const requested = normalizeRemoteHttpBaseUrl(value);
+  if (!requested) return null;
+  const runtime = resolveRuntimeConfig();
+  const allowed = new Set(
+    [runtime.baseUrl, DEFAULT_BASE_URL]
+      .map((entry) => normalizeRemoteHttpBaseUrl(entry))
+      .filter(Boolean),
+  );
+  return allowed.has(requested) ? requested : null;
+}
+function parseCookieHeader(value) {
+  const out = new Map();
+  if (typeof value !== "string" || !value.trim()) return out;
+  for (const part of value.split(";")) {
+    const idx = part.indexOf("=");
+    if (idx < 1) continue;
+    const key = part.slice(0, idx).trim();
+    const rawValue = part.slice(idx + 1).trim();
+    if (key) out.set(key, rawValue);
+  }
+  return out;
+}
+function isLoopbackHostname(hostname) {
+  return hostname === "127.0.0.1" || hostname === "localhost" || hostname === "::1" || hostname === "[::1]";
+}
+function hasAllowedLoopbackOrigin(headers = {}) {
+  const candidates = [headers.origin, headers.referer];
+  for (const raw of candidates) {
+    if (raw == null || raw === "") continue;
+    try {
+      const url = new URL(String(raw));
+      if (url.protocol !== "http:" || !isLoopbackHostname(url.hostname)) return false;
+    } catch (_e) {
+      return false;
+    }
+  }
+  return true;
+}
 function readJsonBody(req) {
   return new Promise((resolve, reject) => {
     const chunks = [];
@@ -516,7 +612,7 @@ function scanClaudeProjects(projectMap) {
 // ---------------------------------------------------------------------------
 function json(res, data, status) {
-  res.writeHead(status || 200, { "Content-Type": "application/json", "Access-Control-Allow-Origin": "*" });
+  res.writeHead(status || 200, { "Content-Type": "application/json" });
   res.end(JSON.stringify(data));
 }
@@ -531,6 +627,7 @@ function createLocalApiHandler({ queuePath }) {
   // so that both browser and WKWebView share the same login session via the proxy.
   // Persisted to disk so cookies survive server restarts.
   let relayCookies = new Map();
+  const localAuthToken = crypto.randomBytes(24).toString("hex");
   const trackerDataDir = path.join(os.homedir(), ".tokentracker", "tracker");
   const cookiePath = path.join(trackerDataDir, "relay-cookies.json");
@@ -643,13 +740,40 @@ function createLocalApiHandler({ queuePath }) {
   let _nativeAuthPending = false;
   let _nativeAuthExpiry = 0;
+  function isAuthorizedLocalMutation(req) {
+    const headerToken = req?.headers?.["x-tokentracker-local-auth"];
+    const cookieToken = parseCookieHeader(req?.headers?.cookie).get("tokentracker_local_auth");
+    const token = typeof headerToken === "string" && headerToken.trim()
+      ? headerToken.trim()
+      : cookieToken || "";
+    if (!token || token !== localAuthToken) return false;
+    return hasAllowedLoopbackOrigin(req?.headers || {});
+  }
   return async function handleLocalApi(req, res, url) {
     const p = url.pathname;
+    if (p === "/api/local-auth") {
+      if (String(req.method || "GET").toUpperCase() !== "GET") {
+        json(res, { error: "Method Not Allowed" }, 405);
+        return true;
+      }
+      res.writeHead(200, {
+        "Content-Type": "application/json",
+        "Cache-Control": "no-store",
+      });
+      res.end(JSON.stringify({ token: localAuthToken }));
+      return true;
+    }
     // --- Auth bridge: native OAuth flag (WebView ↔ system browser) ---
     if (p === "/api/auth-bridge/verifier") {
       const method = String(req.method || "GET").toUpperCase();
       if (method === "PUT" || method === "POST") {
+        if (!isAuthorizedLocalMutation(req)) {
+          json(res, { error: "Unauthorized" }, 401);
+          return true;
+        }
         const body = await readJsonBody(req);
         _nativeAuthPending = Boolean(body?.native);
         _nativeAuthExpiry = Date.now() + 5 * 60 * 1000; // 5 min TTL
@@ -669,20 +793,8 @@ function createLocalApiHandler({ queuePath }) {
     // --- auth proxy: forward /api/auth/* to InsForge cloud ---
     if (p.startsWith("/api/auth/")) {
-      const { DEFAULT_BASE_URL } = require("./runtime-config.js");
-      let insforgeBase = process.env.TOKENTRACKER_INSFORGE_BASE_URL
-        || process.env.INSFORGE_BASE_URL
-        || "";
-      if (!insforgeBase) {
-        try {
-          const cfgPath = path.join(os.homedir(), ".tokentracker", "tracker", "config.json");
-          const cfg = JSON.parse(fs.readFileSync(cfgPath, "utf8"));
-          insforgeBase = cfg?.baseUrl || "";
-        } catch { /* ignore */ }
-      }
-      if (!insforgeBase) {
-        insforgeBase = DEFAULT_BASE_URL;
-      }
+      const runtime = resolveRuntimeConfig();
+      const insforgeBase = runtime.baseUrl || DEFAULT_BASE_URL;
       try {
         const targetUrl = `${insforgeBase.replace(/\/$/, "")}${p}${url.search || ""}`;
         const proxyHeaders = {};
@@ -748,6 +860,10 @@ function createLocalApiHandler({ queuePath }) {
         json(res, { ok: false, error: "Method Not Allowed" }, 405);
         return true;
       }
+      if (!isAuthorizedLocalMutation(req)) {
+        json(res, { ok: false, error: "Unauthorized" }, 401);
+        return true;
+      }
       try {
         let body = {};
         try {
@@ -759,8 +875,13 @@ function createLocalApiHandler({ queuePath }) {
         if (typeof body.deviceToken === "string" && body.deviceToken.trim()) {
           extraEnv.TOKENTRACKER_DEVICE_TOKEN = body.deviceToken.trim();
         }
-        if (typeof body.insforgeBaseUrl === "string" && /^https?:\/\//i.test(body.insforgeBaseUrl.trim())) {
-          extraEnv.TOKENTRACKER_INSFORGE_BASE_URL = body.insforgeBaseUrl.trim();
+        if (body.insforgeBaseUrl != null) {
+          const allowedBaseUrl = resolveAllowedInsforgeBaseUrl(body.insforgeBaseUrl);
+          if (!allowedBaseUrl) {
+            json(res, { ok: false, error: "Unsupported insforgeBaseUrl override" }, 400);
+            return true;
+          }
+          extraEnv.TOKENTRACKER_INSFORGE_BASE_URL = allowedBaseUrl;
         }
         const result = await runSyncCommand(extraEnv);
         try {
@@ -939,14 +1060,11 @@ function createLocalApiHandler({ queuePath }) {
       const sources = Array.from(bySource.values()).map((s) => {
         s.models = Array.from(s.models.values())
           .map((m) => {
-            const p = getModelPricing(m.model);
-            const cost =
-              ((m.totals.input_tokens || 0) * (p.input || 0) +
-                (m.totals.output_tokens || 0) * (p.output || 0) +
-                (m.totals.cached_input_tokens || 0) * (p.cache_read || 0) +
-                (m.totals.cache_creation_input_tokens || 0) * (p.cache_write || 0) +
-                (m.totals.reasoning_output_tokens || 0) * (p.output || 0)) /
-              1_000_000;
+            const cost = computeRowCost({
+              ...m.totals,
+              model: m.model,
+              source: s.source,
+            });
             return { ...m, totals: { ...m.totals, total_cost_usd: cost.toFixed(6) } };
           })
           .sort((a, b) => b.totals.total_tokens - a.totals.total_tokens);
@@ -1109,6 +1227,7 @@ function createLocalApiHandler({ queuePath }) {
 module.exports = {
   createLocalApiHandler,
+  resolveAllowedInsforgeBaseUrl,
   resolveQueuePath,
   // Exported for cross-consumer tests (pricing + native contract lock).
   MODEL_PRICING,

package/src/lib/rollout.js CHANGED Viewed

@@ -2150,12 +2150,12 @@ function pickDelta(lastUsage, totalUsage, prevTotals) {
   const hasTotal = isNonEmptyObject(totalUsage);
   const hasPrevTotals = isNonEmptyObject(prevTotals);
-  // Codex rollout logs sometimes emit duplicate token_count records where total_token_usage does not
-  // change between adjacent entries. Counting last_token_usage in those cases will double-count.
-  if (hasTotal && hasPrevTotals && sameUsage(totalUsage, prevTotals)) {
-    return null;
-  }
+  // NOTE: We used to guard against "duplicate token_count records where
+  // total_token_usage is unchanged" by returning null here. We removed that
+  // guard to align token counts with ccusage exactly (audited against 10 days
+  // of real rollouts). When last_token_usage is present we trust it as the
+  // per-turn delta; when it's absent the cumulative-subtract path naturally
+  // yields an all-zero delta on duplicates and is still filtered below.
   if (!hasLast && hasTotal && hasPrevTotals && totalsReset(totalUsage, prevTotals)) {
     const normalized = normalizeUsage(totalUsage);
     return isAllZeroUsage(normalized) ? null : normalized;
@@ -2203,6 +2203,19 @@ function normalizeUsage(u) {
     const n = Number(u[k] || 0);
     out[k] = Number.isFinite(n) && n >= 0 ? Math.floor(n) : 0;
   }
+  // Codex rollouts (and Every Code, which shares the format) report
+  // `input_tokens` as the TOTAL prompt, with `cached_input_tokens` as the
+  // cached subset — i.e. the cached slice is INSIDE the input count. Our
+  // queue schema (CLAUDE.md → Token Normalization Convention) stores
+  // `input_tokens` as pure non-cached input and `cached_input_tokens`
+  // separately. Without this subtraction the cost formula bills the cached
+  // bytes twice: once at the full input rate and again at the cache_read
+  // rate, producing ~6–7x cost inflation on cache-heavy Codex sessions
+  // (verified against ccusage's per-day numbers on the same rollouts).
+  // We intentionally leave `total_tokens` unchanged: Codex reports
+  // total = input(inclusive of cached) + output, which numerically equals
+  // our schema's non_cached + cached + output + 0 (cache_creation=0 here).
+  out.input_tokens = Math.max(0, out.input_tokens - out.cached_input_tokens);
   return out;
 }
@@ -2241,20 +2254,6 @@ function isAllZeroUsage(u) {
   return true;
 }
-function sameUsage(a, b) {
-  for (const k of [
-    "input_tokens",
-    "cached_input_tokens",
-    "cache_creation_input_tokens",
-    "output_tokens",
-    "reasoning_output_tokens",
-    "total_tokens",
-  ]) {
-    if (toNonNegativeInt(a?.[k]) !== toNonNegativeInt(b?.[k])) return false;
-  }
-  return true;
-}
 function totalsReset(curr, prev) {
   const currTotal = curr?.total_tokens;
   const prevTotal = prev?.total_tokens;

package/src/lib/static-server.js CHANGED Viewed

@@ -46,7 +46,6 @@ async function serveStaticFile(baseDir, pathname, res) {
       "Content-Type": contentType,
       "Content-Length": stat.size,
       "Cache-Control": isHtml ? "no-cache" : "public, max-age=31536000, immutable",
-      "Access-Control-Allow-Origin": "*",
     });
     const stream = fs.createReadStream(filePath);