tokentracker-cli 0.6.0 → 0.6.1

package/src/lib/rollout.js

@@ -2952,10 +2952,13 @@ function resolveHermesDbPath() {
   return path.join(home, ".hermes", "state.db");
 }
 
-function readHermesSessions(dbPath, sinceEpoch) {
+function readHermesSessions(dbPath, lastCompletedEpoch) {
   if (!dbPath || !fssync.existsSync(dbPath)) return [];
-  const since = Number.isFinite(sinceEpoch) && sinceEpoch > 0 ? sinceEpoch : 0;
-  const sql = `SELECT id, model, started_at, ended_at, input_tokens, output_tokens, cache_read_tokens, cache_write_tokens, reasoning_tokens, message_count FROM sessions WHERE started_at > ${since} AND (input_tokens > 0 OR output_tokens > 0 OR cache_read_tokens > 0 OR reasoning_tokens > 0) ORDER BY started_at ASC`;
+  const since = Number.isFinite(lastCompletedEpoch) && lastCompletedEpoch > 0 ? lastCompletedEpoch : 0;
+  // Fetch sessions that started after the cursor, OR sessions that are still
+  // in-progress (ended_at IS NULL).  Hermes updates token counts in real-time,
+  // so an active session keeps growing and must be re-read on every sync.
+  const sql = `SELECT id, model, started_at, ended_at, input_tokens, output_tokens, cache_read_tokens, cache_write_tokens, reasoning_tokens, message_count FROM sessions WHERE (started_at > ${since} OR ended_at IS NULL) AND (input_tokens > 0 OR output_tokens > 0 OR cache_read_tokens > 0 OR reasoning_tokens > 0) ORDER BY started_at ASC`;
   let raw;
   try {
     raw = cp.execFileSync("sqlite3", ["-json", dbPath, sql], {
@@ -2979,17 +2982,25 @@ function readHermesSessions(dbPath, sinceEpoch) {
 async function parseHermesIncremental({ dbPath, cursors, queuePath, onProgress }) {
   await ensureDir(path.dirname(queuePath));
   const hermesState = cursors.hermes && typeof cursors.hermes === "object" ? cursors.hermes : {};
-  const lastStartedAt =
-    typeof hermesState.lastStartedAt === "number" ? hermesState.lastStartedAt : 0;
+
+  // Only advance past sessions that have fully ended.  Active sessions
+  // (ended_at IS NULL) must be re-read every sync because Hermes updates
+  // their token counts in real-time after each turn.
+  const lastCompletedStartedAt =
+    typeof hermesState.lastCompletedStartedAt === "number" ? hermesState.lastCompletedStartedAt : 0;
+
+  // Per-session snapshot from the previous sync: { [sessionId]: { in, out, cacheRead, cacheWrite, reasoning } }
+  const prevSnapshots = (hermesState.snapshots && typeof hermesState.snapshots === "object")
+    ? hermesState.snapshots : {};
 
   const resolvedDbPath = dbPath || resolveHermesDbPath();
   if (!fssync.existsSync(resolvedDbPath)) {
     return { recordsProcessed: 0, eventsAggregated: 0, bucketsQueued: 0 };
   }
 
-  const rows = readHermesSessions(resolvedDbPath, lastStartedAt);
+  const rows = readHermesSessions(resolvedDbPath, lastCompletedStartedAt);
   if (rows.length === 0) {
-    cursors.hermes = { ...hermesState, lastStartedAt, updatedAt: new Date().toISOString() };
+    cursors.hermes = { ...hermesState, lastCompletedStartedAt, updatedAt: new Date().toISOString() };
     return { recordsProcessed: 0, eventsAggregated: 0, bucketsQueued: 0 };
   }
 
@@ -2997,7 +3008,8 @@ async function parseHermesIncremental({ dbPath, cursors, queuePath, onProgress }
   const touchedBuckets = new Set();
   const cb = typeof onProgress === "function" ? onProgress : null;
   let eventsAggregated = 0;
-  let maxStartedAt = lastStartedAt;
+  let maxCompletedStartedAt = lastCompletedStartedAt;
+  const nextSnapshots = {};
 
   for (let i = 0; i < rows.length; i++) {
     const row = rows[i];
@@ -3008,6 +3020,28 @@ async function parseHermesIncremental({ dbPath, cursors, queuePath, onProgress }
     const reasoning = toNonNegativeInt(row.reasoning_tokens);
     if (inputTokens === 0 && outputTokens === 0 && cacheRead === 0 && reasoning === 0) continue;
 
+    // Save current snapshot for next sync
+    nextSnapshots[row.id] = { in: inputTokens, out: outputTokens, cacheRead, cacheWrite, reasoning };
+
+    // Compute delta from previous snapshot (if any) so that we only count
+    // new tokens since the last sync.  First time we see a session the
+    // previous snapshot is absent, so the full amount is the delta.
+    const prev = prevSnapshots[row.id];
+    let dInput = inputTokens;
+    let dOutput = outputTokens;
+    let dCacheRead = cacheRead;
+    let dCacheWrite = cacheWrite;
+    let dReasoning = reasoning;
+    if (prev) {
+      dInput = Math.max(0, inputTokens - (prev.in || 0));
+      dOutput = Math.max(0, outputTokens - (prev.out || 0));
+      dCacheRead = Math.max(0, cacheRead - (prev.cacheRead || 0));
+      dCacheWrite = Math.max(0, cacheWrite - (prev.cacheWrite || 0));
+      dReasoning = Math.max(0, reasoning - (prev.reasoning || 0));
+    }
+    // Skip if delta is zero (session unchanged since last sync)
+    if (dInput === 0 && dOutput === 0 && dCacheRead === 0 && dCacheWrite === 0 && dReasoning === 0) continue;
+
     // Prefer ended_at for bucket placement; fall back to started_at
     const epochSec = row.ended_at || row.started_at;
     if (!epochSec || !Number.isFinite(epochSec)) continue;
@@ -3018,12 +3052,12 @@ async function parseHermesIncremental({ dbPath, cursors, queuePath, onProgress }
     const model = normalizeModelInput(row.model) || "hermes-agent";
 
     const delta = {
-      input_tokens: inputTokens,
-      cached_input_tokens: cacheRead,
-      cache_creation_input_tokens: cacheWrite,
-      output_tokens: outputTokens,
-      reasoning_output_tokens: reasoning,
-      total_tokens: inputTokens + outputTokens + cacheRead + cacheWrite + reasoning,
+      input_tokens: dInput,
+      cached_input_tokens: dCacheRead,
+      cache_creation_input_tokens: dCacheWrite,
+      output_tokens: dOutput,
+      reasoning_output_tokens: dReasoning,
+      total_tokens: dInput + dOutput + dCacheRead + dCacheWrite + dReasoning,
       conversation_count: toNonNegativeInt(row.message_count) || 1,
     };
 
@@ -3032,7 +3066,10 @@ async function parseHermesIncremental({ dbPath, cursors, queuePath, onProgress }
     touchedBuckets.add(bucketKey("hermes", model, bucketStart));
     eventsAggregated++;
 
-    if (row.started_at > maxStartedAt) maxStartedAt = row.started_at;
+    // Only advance cursor past sessions that have ended
+    if (row.ended_at && row.started_at > maxCompletedStartedAt) {
+      maxCompletedStartedAt = row.started_at;
+    }
 
     if (cb) {
       cb({
@@ -3049,7 +3086,13 @@ async function parseHermesIncremental({ dbPath, cursors, queuePath, onProgress }
   const updatedAt = new Date().toISOString();
   hourlyState.updatedAt = updatedAt;
   cursors.hourly = hourlyState;
-  cursors.hermes = { ...hermesState, lastStartedAt: maxStartedAt, updatedAt };
+  cursors.hermes = {
+    ...hermesState,
+    lastStartedAt: maxCompletedStartedAt, // keep for backward compat
+    lastCompletedStartedAt: maxCompletedStartedAt,
+    snapshots: nextSnapshots,
+    updatedAt,
+  };
 
   return { recordsProcessed: rows.length, eventsAggregated, bucketsQueued };
 }

package/src/lib/subscriptions.js

@@ -341,8 +341,49 @@ async function readCodexAccessToken({ home, env } = {}) {
   }
 }
 
+// Returns the access token + ChatGPT account id + plan type + auth.json path so callers can
+// also trigger a refresh if the tokens are stale (issue #52: stale tokens → wham 401 →
+// "Fetch failed" error after ~7-8 days of not running `codex`).
+async function readCodexAuthBundle({ home, env } = {}) {
+  try {
+    const codexHome = resolveCodexHome({ home, env });
+    const authPath = path.join(codexHome, "auth.json");
+    const auth = await readJson(authPath);
+    if (!auth || typeof auth !== "object") return null;
+
+    const accessToken = normalizeString(auth?.tokens?.access_token);
+    if (!accessToken) return null;
+
+    const accessPayload = decodeJwtPayload(auth?.tokens?.access_token);
+    const idPayload = decodeJwtPayload(auth?.tokens?.id_token);
+    const accountId =
+      normalizeString(auth?.tokens?.account_id) ||
+      normalizeString(extractOpenAiAuthNamespace(accessPayload)?.chatgpt_account_id) ||
+      normalizeString(extractOpenAiAuthNamespace(idPayload)?.chatgpt_account_id) ||
+      null;
+
+    const accessInfo = extractChatgptSubscriptionFromPayload(accessPayload);
+    const idInfo = extractChatgptSubscriptionFromPayload(idPayload);
+    const merged = mergeSubscription(accessInfo, idInfo);
+    const planType = merged?.planType ? merged.planType.toLowerCase() : null;
+
+    return {
+      accessToken,
+      accountId,
+      planType,
+      refreshToken: normalizeString(auth?.tokens?.refresh_token) || null,
+      lastRefresh: normalizeString(auth?.last_refresh) || null,
+      authPath,
+      authJson: auth,
+    };
+  } catch (_e) {
+    return null;
+  }
+}
+
 module.exports = {
   collectLocalSubscriptions,
   readClaudeCodeAccessToken,
   readCodexAccessToken,
+  readCodexAuthBundle,
 };

package/src/lib/usage-limits.js

@@ -5,7 +5,16 @@ const path = require("node:path");
 const http = require("node:http");
 const https = require("node:https");
 
-const { readClaudeCodeAccessToken, readCodexAccessToken } = require("./subscriptions");
+const {
+  readClaudeCodeAccessToken,
+  readCodexAccessToken,
+  readCodexAuthBundle,
+} = require("./subscriptions");
+const {
+  isTokenStale,
+  refreshCodexTokens,
+  persistRefreshedAuth,
+} = require("./codex-token-refresh");
 const {
   isCursorInstalled,
   extractCursorSessionToken,
@@ -122,23 +131,72 @@ async function fetchClaudeUsageLimits(accessToken, { fetchImpl = fetch, maxAttem
   }
 }
 
-async function fetchCodexUsageLimits(accessToken, { fetchImpl = fetch } = {}) {
+// Classify a wham window by `limit_window_seconds` rather than its slot name.
+// 18000s = 5h session window. 604800s = 7d weekly window. Free-tier accounts only get a
+// weekly window, often delivered in the `primary_window` slot — naive position-based
+// reading mislabels it as "5h". Aligned with steipete/CodexBar's rate-window normalizer.
+const CODEX_SESSION_WINDOW_SECONDS = 18000;
+const CODEX_WEEKLY_WINDOW_SECONDS = 604800;
+
+function classifyCodexWindow(window) {
+  if (!window || typeof window !== "object") return null;
+  const seconds = Number(window.limit_window_seconds);
+  if (!Number.isFinite(seconds)) return null;
+  if (seconds === CODEX_SESSION_WINDOW_SECONDS) return "session";
+  if (seconds === CODEX_WEEKLY_WINDOW_SECONDS) return "weekly";
+  return null;
+}
+
+function normalizeCodexRateWindows(rateLimit) {
+  const candidates = [rateLimit?.primary_window, rateLimit?.secondary_window].filter(
+    (w) => w && typeof w === "object",
+  );
+  let session = null;
+  let weekly = null;
+  for (const w of candidates) {
+    const kind = classifyCodexWindow(w);
+    if (kind === "session" && !session) session = w;
+    else if (kind === "weekly" && !weekly) weekly = w;
+  }
+  // Fall back to positional read only if classification failed for both — preserves data
+  // from unexpected window durations rather than dropping it silently.
+  if (!session && !weekly && candidates.length > 0) {
+    return {
+      primary_window: candidates[0] ?? null,
+      secondary_window: candidates[1] ?? null,
+    };
+  }
+  return { primary_window: session, secondary_window: weekly };
+}
+
+async function fetchCodexUsageLimits(
+  accessToken,
+  { fetchImpl = fetch, accountId = null } = {},
+) {
+  const headers = {
+    Authorization: `Bearer ${accessToken}`,
+    Accept: "application/json",
+  };
+  // The wham endpoint rejects some plan tiers without an explicit account id — match
+  // CodexBar's request shape so free / multi-account users don't see opaque 4xx.
+  if (accountId) {
+    headers["ChatGPT-Account-Id"] = accountId;
+  }
+
   const res = await fetchImpl("https://chatgpt.com/backend-api/wham/usage", {
     method: "GET",
-    headers: {
-      Authorization: `Bearer ${accessToken}`,
-      Accept: "application/json",
-    },
+    headers,
   });
+  // 401/403/404 from wham means "no usage data available for this auth state" — render
+  // a neutral empty state instead of a red "Fetch failed" error.
+  if (res.status === 401 || res.status === 403 || res.status === 404) {
+    return { primary_window: null, secondary_window: null };
+  }
   if (!res.ok) {
     throw new Error(`Codex API returned ${res.status}`);
   }
   const body = await res.json();
-  const rateLimit = body.rate_limit || {};
-  return {
-    primary_window: rateLimit.primary_window ?? null,
-    secondary_window: rateLimit.secondary_window ?? null,
-  };
+  return normalizeCodexRateWindows(body.rate_limit || {});
 }
 
 function cursorPercentFromCentsUsedLimit(usedRaw, limitRaw) {
@@ -1471,11 +1529,45 @@ async function getUsageLimits({
     return cache.data;
   }
 
-  const [claudeToken, codexToken] = await Promise.all([
+  const [claudeToken, codexAuth] = await Promise.all([
     Promise.resolve().then(() => readClaudeCodeAccessToken({ platform, securityRunner })),
-    readCodexAccessToken({ home, env }),
+    readCodexAuthBundle({ home, env }),
   ]);
 
+  // Proactively refresh Codex tokens that are >8 days stale, mirroring CodexBar's
+  // CodexTokenRefresher.swift. Without this, users who logged in once and didn't run
+  // `codex` for >a week get wham 401 → "Fetch failed" (issue #52). Best-effort: any
+  // refresh failure falls through to using the existing (possibly stale) token, then the
+  // 4xx graceful path in fetchCodexUsageLimits surfaces a neutral state instead of red.
+  let refreshError = null;
+  let codexAuthRefreshed = codexAuth;
+  if (codexAuth && isTokenStale(codexAuth.lastRefresh) && codexAuth.refreshToken) {
+    try {
+      const newTokens = await refreshCodexTokens({
+        refreshToken: codexAuth.refreshToken,
+        fetchImpl,
+      });
+      const updatedAuth = await persistRefreshedAuth(
+        codexAuth.authPath,
+        codexAuth.authJson,
+        newTokens,
+      );
+      codexAuthRefreshed = {
+        ...codexAuth,
+        accessToken: newTokens.access_token,
+        refreshToken: newTokens.refresh_token,
+        lastRefresh: updatedAuth.last_refresh,
+        authJson: updatedAuth,
+      };
+    } catch (err) {
+      refreshError = err;
+    }
+  }
+
+  const codexToken = codexAuthRefreshed?.accessToken || null;
+  const codexAccountId = codexAuthRefreshed?.accountId || null;
+  const codexPlanType = codexAuthRefreshed?.planType || null;
+
   const providerFetch = withFetchTimeout(fetchImpl, providerTimeoutMs);
   const [claudeResult, codexResult, cursor, kimi, gemini, kiro, antigravity, copilot] = await Promise.all([
     claudeToken
@@ -1485,7 +1577,11 @@ async function getUsageLimits({
         )
       : Promise.resolve(null),
     codexToken
-      ? withProviderTimeout(fetchCodexUsageLimits(codexToken, { fetchImpl: providerFetch }), "Codex", providerTimeoutMs).then(
+      ? withProviderTimeout(
+          fetchCodexUsageLimits(codexToken, { fetchImpl: providerFetch, accountId: codexAccountId }),
+          "Codex",
+          providerTimeoutMs,
+        ).then(
           (value) => ({ status: "fulfilled", value }),
           (reason) => ({ status: "rejected", reason }),
         )
@@ -1521,12 +1617,21 @@ async function getUsageLimits({
   let codex;
   if (!codexToken) {
     codex = { configured: false };
+  } else if (refreshError && refreshError.code === "REFRESH_TOKEN_EXPIRED") {
+    // Refresh token is dead — the user must re-run `codex` to log in again. Surface a
+    // specific, actionable message rather than the generic "Fetch failed".
+    codex = {
+      configured: true,
+      error: refreshError.message,
+      auth_action_required: "reauth",
+    };
   } else if (!codexResult || codexResult.status === "rejected") {
     codex = { configured: true, error: codexResult?.reason?.message || "Unknown error" };
   } else {
     codex = {
       configured: true,
       error: null,
+      plan_type: codexPlanType || null,
       primary_window: codexResult.value.primary_window,
       secondary_window: codexResult.value.secondary_window,
     };