ccusage 0.1.6__tar.gz → 0.1.7__tar.gz

{ccusage-0.1.6 → ccusage-0.1.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ccusage
-Version: 0.1.6
+Version: 0.1.7
 Summary: Claude Code usage monitor — fetches rate limits from Anthropic's API
 Project-URL: Homepage, https://github.com/wakamex/ccusage
 Project-URL: Source, https://github.com/wakamex/ccusage
@@ -145,7 +145,7 @@ The OAuth token lives at `~/.claude/.credentials.json`:
 }
 ```
 
-The access token expires roughly hourly. Claude Code refreshes it automatically — as long as you have an active Claude Code session, the token stays valid for ccusage to read.
+The access token expires roughly hourly. When it's expired (or rejected with a 401/403), ccusage refreshes it itself using the `refreshToken` and writes the rotated credentials back to `.credentials.json` — the same flow Claude Code uses, so the two stay in sync and no active Claude Code session is needed.
 
 ### Warning thresholds (from cli.js)
 

{ccusage-0.1.6 → ccusage-0.1.7}/README.md

@@ -136,7 +136,7 @@ The OAuth token lives at `~/.claude/.credentials.json`:
 }
 ```
 
-The access token expires roughly hourly. Claude Code refreshes it automatically — as long as you have an active Claude Code session, the token stays valid for ccusage to read.
+The access token expires roughly hourly. When it's expired (or rejected with a 401/403), ccusage refreshes it itself using the `refreshToken` and writes the rotated credentials back to `.credentials.json` — the same flow Claude Code uses, so the two stay in sync and no active Claude Code session is needed.
 
 ### Warning thresholds (from cli.js)
 

{ccusage-0.1.6 → ccusage-0.1.7}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "ccusage"
-version = "0.1.6"
+version = "0.1.7"
 description = "Claude Code usage monitor — fetches rate limits from Anthropic's API"
 readme = "README.md"
 requires-python = ">=3.12"

{ccusage-0.1.6 → ccusage-0.1.7}/src/ccusage/__init__.py

@@ -15,10 +15,12 @@ Usage:
 
 import argparse
 import json
+import os
 import signal
 import subprocess
 import sys
 import time
+import urllib.error
 import urllib.request
 from datetime import datetime, timezone
 from pathlib import Path
@@ -69,6 +71,8 @@ CLAUDE_DIR = Path.home() / ".claude"
 CREDENTIALS_FILE = _resolve_claude_path(".credentials.json")
 USAGE_FILE = _resolve_claude_path("usage-limits.json")
 DAEMON_INTERVAL = 300  # 5 minutes
+TOKEN_URL = "https://console.anthropic.com/v1/oauth/token"
+CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e"  # Claude Code's public OAuth client
 
 
 def get_credentials() -> dict | None:
@@ -90,10 +94,59 @@ def get_plan(creds: dict | None = None) -> str:
     return tier.removeprefix("default_claude_")
 
 
+def refresh_credentials(creds: dict) -> dict:
+    """Refresh the OAuth access token and persist updated credentials.
+
+    Anthropic rotates refresh tokens, so the new refreshToken MUST be written
+    back to .credentials.json or Claude Code's stored one goes stale and the
+    user gets logged out.
+    """
+    oauth = creds.get("claudeAiOauth", {})
+    refresh_token = oauth.get("refreshToken")
+    if not refresh_token:
+        raise RuntimeError("OAuth token expired and no refresh token — open Claude Code to log in")
+
+    payload = json.dumps({
+        "grant_type": "refresh_token",
+        "refresh_token": refresh_token,
+        "client_id": CLIENT_ID,
+    }).encode()
+    req = urllib.request.Request(
+        TOKEN_URL,
+        data=payload,
+        headers={"Content-Type": "application/json"},
+    )
+    try:
+        with urllib.request.urlopen(req, timeout=10) as resp:
+            result = json.loads(resp.read())
+    except urllib.error.HTTPError as e:
+        raise RuntimeError(f"Token refresh failed ({e.code}) — open Claude Code to refresh it") from e
+
+    oauth = dict(oauth)
+    oauth["accessToken"] = result["access_token"]
+    if result.get("refresh_token"):
+        oauth["refreshToken"] = result["refresh_token"]
+    oauth["expiresAt"] = int(time.time() * 1000 + int(result.get("expires_in", 3600)) * 1000)
+    updated = dict(creds)
+    updated["claudeAiOauth"] = oauth
+
+    try:
+        tmp = CREDENTIALS_FILE.parent / (CREDENTIALS_FILE.name + ".tmp")
+        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+        with os.fdopen(fd, "w") as f:
+            f.write(json.dumps(updated))
+        os.replace(tmp, CREDENTIALS_FILE)
+    except OSError as e:
+        print(f"Warning: refreshed token but could not write {CREDENTIALS_FILE}: {e}", file=sys.stderr)
+
+    return updated
+
+
 def fetch_usage() -> dict:
     """Fetch usage from Anthropic's /api/oauth/usage endpoint.
 
-    Requires a valid (non-expired) OAuth token from ~/.claude/.credentials.json.
+    Reads the OAuth token from ~/.claude/.credentials.json, auto-refreshing it
+    (and persisting the rotated credentials) when expired or rejected.
     The key header is `anthropic-beta: oauth-2025-04-20` — without it, the
     endpoint returns an auth error.
 
@@ -115,21 +168,33 @@ def fetch_usage() -> dict:
     if not token:
         raise RuntimeError("No OAuth access token in credentials")
 
-    expires_at = oauth.get("expiresAt", 0)
-    if time.time() * 1000 > expires_at:
-        raise RuntimeError("OAuth token expired — open Claude Code to refresh it")
+    # Refresh proactively if expired (or about to), then retry once on 401/403
+    # in case the token was revoked early.
+    if time.time() * 1000 > oauth.get("expiresAt", 0) - 60_000:
+        creds = refresh_credentials(creds)
+        token = creds["claudeAiOauth"]["accessToken"]
+
+    for attempt in range(2):
+        req = urllib.request.Request(
+            "https://api.anthropic.com/api/oauth/usage",
+            headers={
+                "Authorization": f"Bearer {token}",
+                "Content-Type": "application/json",
+                "User-Agent": "claude-code/2.1.71",
+                "anthropic-beta": "oauth-2025-04-20",
+            },
+        )
+        try:
+            with urllib.request.urlopen(req, timeout=10) as resp:
+                return json.loads(resp.read())
+        except urllib.error.HTTPError as e:
+            if e.code in (401, 403) and attempt == 0:
+                creds = refresh_credentials(creds)
+                token = creds["claudeAiOauth"]["accessToken"]
+            else:
+                raise
 
-    req = urllib.request.Request(
-        "https://api.anthropic.com/api/oauth/usage",
-        headers={
-            "Authorization": f"Bearer {token}",
-            "Content-Type": "application/json",
-            "User-Agent": "claude-code/2.1.71",
-            "anthropic-beta": "oauth-2025-04-20",
-        },
-    )
-    with urllib.request.urlopen(req, timeout=10) as resp:
-        return json.loads(resp.read())
+    raise RuntimeError("Failed to fetch usage after token refresh")
 
 
 def build_usage_json(api_data: dict, plan: str) -> dict:

ccusage-0.1.7/tests/test_ccusage.py

@@ -0,0 +1,179 @@
+from __future__ import annotations
+
+import io
+import json
+import tempfile
+import time
+import unittest
+import urllib.error
+from pathlib import Path
+from unittest import mock
+
+import ccusage
+
+USAGE_URL = "https://api.anthropic.com/api/oauth/usage"
+
+
+def _creds(expires_at: int) -> dict:
+    return {
+        "claudeAiOauth": {
+            "accessToken": "old-token",
+            "refreshToken": "old-refresh",
+            "expiresAt": expires_at,
+            "scopes": ["user:inference"],
+            "subscriptionType": "max",
+        },
+        "otherTopLevel": "keep-me",
+    }
+
+
+class _FakeResponse(io.BytesIO):
+    def __enter__(self):
+        return self
+
+    def __exit__(self, *args):
+        pass
+
+
+def _json_response(payload: dict) -> _FakeResponse:
+    return _FakeResponse(json.dumps(payload).encode())
+
+
+REFRESH_RESULT = {
+    "access_token": "new-token",
+    "refresh_token": "new-refresh",
+    "expires_in": 28800,
+}
+
+
+class FetchUsageTests(unittest.TestCase):
+    def setUp(self):
+        self._tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmp.cleanup)
+        self.credfile = Path(self._tmp.name) / ".credentials.json"
+        patcher = mock.patch.object(ccusage, "CREDENTIALS_FILE", self.credfile)
+        patcher.start()
+        self.addCleanup(patcher.stop)
+
+    def _write_creds(self, expires_at: int):
+        self.credfile.write_text(json.dumps(_creds(expires_at)))
+
+    def test_valid_token_skips_refresh(self):
+        self._write_creds(int(time.time() * 1000) + 3_600_000)
+        calls = []
+
+        def fake_urlopen(req, timeout=None):
+            calls.append(req.full_url)
+            self.assertEqual(req.headers["Authorization"], "Bearer old-token")
+            return _json_response({"five_hour": {"utilization": 4.0}})
+
+        with mock.patch.object(ccusage.urllib.request, "urlopen", fake_urlopen):
+            data = ccusage.fetch_usage()
+
+        self.assertEqual(data, {"five_hour": {"utilization": 4.0}})
+        self.assertEqual(calls, [USAGE_URL])
+
+    def test_expired_token_refreshes_and_persists_rotated_credentials(self):
+        self._write_creds(0)
+        calls = []
+
+        def fake_urlopen(req, timeout=None):
+            calls.append(req.full_url)
+            if req.full_url == ccusage.TOKEN_URL:
+                self.assertEqual(
+                    json.loads(req.data),
+                    {
+                        "grant_type": "refresh_token",
+                        "refresh_token": "old-refresh",
+                        "client_id": ccusage.CLIENT_ID,
+                    },
+                )
+                return _json_response(REFRESH_RESULT)
+            self.assertEqual(req.headers["Authorization"], "Bearer new-token")
+            return _json_response({"five_hour": {"utilization": 4.0}})
+
+        with mock.patch.object(ccusage.urllib.request, "urlopen", fake_urlopen):
+            ccusage.fetch_usage()
+
+        self.assertEqual(calls, [ccusage.TOKEN_URL, USAGE_URL])
+
+        on_disk = json.loads(self.credfile.read_text())
+        oauth = on_disk["claudeAiOauth"]
+        self.assertEqual(oauth["accessToken"], "new-token")
+        self.assertEqual(oauth["refreshToken"], "new-refresh")
+        self.assertGreater(oauth["expiresAt"], time.time() * 1000)
+        # Fields not returned by the token endpoint must survive the rewrite
+        self.assertEqual(oauth["scopes"], ["user:inference"])
+        self.assertEqual(oauth["subscriptionType"], "max")
+        self.assertEqual(on_disk["otherTopLevel"], "keep-me")
+        self.assertEqual(self.credfile.stat().st_mode & 0o777, 0o600)
+
+    def test_rejected_token_retries_once_after_refresh(self):
+        self._write_creds(int(time.time() * 1000) + 3_600_000)
+        state = {"rejected": False}
+
+        def fake_urlopen(req, timeout=None):
+            if req.full_url == ccusage.TOKEN_URL:
+                return _json_response(REFRESH_RESULT)
+            if not state["rejected"]:
+                state["rejected"] = True
+                raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, io.BytesIO(b""))
+            self.assertEqual(req.headers["Authorization"], "Bearer new-token")
+            return _json_response({"ok": True})
+
+        with mock.patch.object(ccusage.urllib.request, "urlopen", fake_urlopen):
+            self.assertEqual(ccusage.fetch_usage(), {"ok": True})
+
+        on_disk = json.loads(self.credfile.read_text())
+        self.assertEqual(on_disk["claudeAiOauth"]["accessToken"], "new-token")
+
+    def test_persistent_rejection_raises(self):
+        self._write_creds(int(time.time() * 1000) + 3_600_000)
+
+        def fake_urlopen(req, timeout=None):
+            if req.full_url == ccusage.TOKEN_URL:
+                return _json_response(REFRESH_RESULT)
+            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, io.BytesIO(b""))
+
+        with mock.patch.object(ccusage.urllib.request, "urlopen", fake_urlopen):
+            with self.assertRaises(urllib.error.HTTPError):
+                ccusage.fetch_usage()
+
+    def test_expired_token_without_refresh_token_raises(self):
+        creds = _creds(0)
+        del creds["claudeAiOauth"]["refreshToken"]
+        self.credfile.write_text(json.dumps(creds))
+
+        with self.assertRaisesRegex(RuntimeError, "no refresh token"):
+            ccusage.fetch_usage()
+
+    def test_refresh_endpoint_error_raises_runtime_error(self):
+        self._write_creds(0)
+
+        def fake_urlopen(req, timeout=None):
+            raise urllib.error.HTTPError(req.full_url, 429, "Too Many Requests", {}, io.BytesIO(b""))
+
+        with mock.patch.object(ccusage.urllib.request, "urlopen", fake_urlopen):
+            with self.assertRaisesRegex(RuntimeError, "Token refresh failed \\(429\\)"):
+                ccusage.fetch_usage()
+
+
+class BuildUsageJsonTests(unittest.TestCase):
+    def test_maps_buckets_and_extra_usage(self):
+        api_data = {
+            "five_hour": {"utilization": 35.0, "resets_at": "2026-06-12T00:00:00+00:00"},
+            "seven_day": {"utilization": 14.0, "resets_at": None},
+            "seven_day_sonnet": None,
+            "seven_day_opus": None,
+            "extra_usage": {"is_enabled": True, "monthly_limit": 100000},
+        }
+        result = ccusage.build_usage_json(api_data, "max_20x")
+        self.assertEqual(result["plan"], "max_20x")
+        self.assertEqual(result["5h"], {"pct": 35.0, "resets_at": "2026-06-12T00:00:00+00:00"})
+        self.assertEqual(result["7d"], {"pct": 14.0, "resets_at": None})
+        self.assertNotIn("7d_sonnet", result)
+        self.assertEqual(result["extra_usage"], {"is_enabled": True, "monthly_limit": 100000})
+
+
+if __name__ == "__main__":
+    unittest.main()