Bump the version, document the Zed provider (logo, provider doc, data
table row), add the audit and context commands to the README, and
refresh the stale Cursor data-source description to the composer-meter
accounting.
Browser dashboard (codeburn web), device sharing (share/devices), new providers (Grok Build, ZCode, Hermes Agent, Kiro CLI, zerostack), Codex credit usage, plus CLI and menubar fixes. See CHANGELOG for the full list and contributor credits.
Document codeburn web and device sharing in the README and bump the package version.
* feat(sharing): pairing, token, and device-identity core
First piece of local device sharing: self-cert fingerprint identity
(trust-on-first-use), a one-time expiring pairing PIN, fingerprint-bound
tokens, and a peer store that authorizes a pull only when both the token
and the TLS peer fingerprint match the same paired device. Pure logic,
fully unit-tested; the TLS share server and host pull build on this.
* feat(sharing): secure mutual-TLS transport + pairing handshake
Add device identity (self-signed cert, persisted; fingerprint = sha256 of
the cert DER), an HTTPS share server (mutual TLS: presents its cert, reads
the client's, and serves /api/usage only when the bearer token AND the
client fingerprint match the same paired peer), a one-time-PIN pairing
endpoint, and a fingerprint-pinning client. Verified end to end on
loopback: PIN pairing, pinned authed pull, and rejection of a wrong PIN,
a token replayed from another device, and a mismatched server
fingerprint. Adds the selfsigned dep (Node cannot generate certs natively).
* feat(sharing): share + devices CLI (pair, pull, combine)
Phase 3 terminal flow: codeburn share runs the secure server on-demand
(stops after 10 min idle; --always to persist, --pair to add a device),
and codeburn devices add <host> --pin <pin> pairs and pins a remote.
codeburn devices pulls this machine plus every paired device, keeps each
separate, and prints a per-device table with a simple summed Combined
row (no server-side merge). Persists identity and peers under the config
dir. Host pair-and-pull flow covered by a loopback integration test.
* feat(sharing): mDNS discovery + approve-style (no-PIN) pairing
Add bonjour-service discovery (advertise/browse over the LAN), a short
confirmation code derived from both cert fingerprints (Bluetooth-style
'do these match?' check), and an approve-style pairing endpoint that
prompts the owner instead of requiring a typed PIN. Loopback-tested:
approved device gets a working token with a matching code on both sides,
declined device is rejected.
* feat(sharing): AirDrop-style discover + approve UX
codeburn share now advertises on the LAN and approves incoming devices
interactively (confirm the matching code, no typed PIN). codeburn devices
add (no args) discovers nearby devices, lets you pick one, shows the
confirmation code, and waits for the owner to approve. Manual
add <host> --pin stays as a fallback for networks that block mDNS.
* feat(sharing): share only aggregates, never project names or paths
Sanitize each device's payload before it leaves the machine: drop
topProjects and topSessions (project names + session detail) and send
only aggregate numbers (cost, tokens, models, tools, activities, daily).
What you are working on stays local; only the totals travel.
Add a Vite + React 19 + Tailwind v4 + Recharts SPA (dash/) and a 'web'
command that serves the built UI plus a local /api/usage endpoint backed
by the existing menubar aggregation. Midnight theme with CodeBurn's
orange chart ramp: hero cost, a stacked-by-model daily bar chart with a
custom tooltip and hover-dim, metric cards, by-tool and by-activity bar
lists, and top-projects and tools tables. Period and provider filters,
react-query with skeleton loading. Stays 100% local.
build:dash builds the SPA into dist/dash (shipped via package files,
served at runtime); a missing build falls back to a helpful message.
Node 26 flags tsx's loader use of module.register() as deprecated, which
prints DEP0205 on every npm run dev. Run dev with
NODE_OPTIONS=--no-deprecation so the output stays clean. Dev-only; the
built dist is unaffected.
Follow-up to #516, which was merged before these two commits had landed on the branch, so they did not make it into `main`.
Adds the remaining parts of the overhaul:
- Collapse **Commands**, **Features**, **Reading the dashboard**, **How it reads your data**, and **Environment Variables** behind `<details>` toggles so the README is short by default.
- Replace "AI coding tools" with "AI tools" in the README (3 places) and the `package.json` description.
Route the menubar installer's GitHub downloads through an undici ProxyAgent when HTTP(S)_PROXY is set, honoring NO_PROXY for bypass. Falls back to direct fetch when no proxy is configured. Closes#473.
Changelog for 0.9.12, README node badge aligned to the real >=22 requirement
(node:sqlite for Cursor/OpenCode), and ws lockfile bumped to patched 8.21.0
(npm audit clean). No source changes.
The fallback daily history path (used when rangeStartStr = todayStr)
was missing cache-based historical data, showing only today's bar in
the trend chart. Now includes allCacheDays filtered by provider.
Strip heavy fields from JournalEntry immediately after JSON.parse in the
JSONL hot loop. Keeps only what downstream consumers need: type, timestamp,
sessionId, cwd, compacted user text (2000 char total cap), assistant
model/usage/id, tool_use names with Skill and Bash inputs, and MCP
inventory attachments. Text, thinking, and tool_result blocks are dropped.
Also removes redundant hydrateCache() from status --format json and
terminal status paths, and clears the session cache between period
parses to avoid pinning both today and month result sets.
This is a mitigation, not a full fix. Very large month ranges still
materialize full ProjectSummary.turns arrays. The real fix is the
streaming single-pass parser refactor.
Split CLI into a tiny launcher (src/cli.ts) that checks for Node >= 22.13.0
before dynamically importing the full CLI (src/main.ts). Users on Node 18
now get a clear upgrade message instead of a cryptic regex parse error from
string-width. Closes#232.
* Add IBM Bob provider
* Add workspace extraction for Cline-family providers
Extract project name from workspace directory in api_conversation_history.json
so sessions show actual folder names instead of the provider display name.
Thread projectPath through ParsedProviderCall to avoid unsanitizePath mangling
hyphenated folder names.
---------
Co-authored-by: ozymandiashh <234437643+ozymandiashh@users.noreply.github.com>
Co-authored-by: iamtoruk <hello@agentseal.org>
node:sqlite calls v8::String::NewFromUtf8 with kAbort on TEXT columns.
Cursor chat blobs often contain truncated multi-byte chars from streaming
boundaries, which triggers a V8 CHECK abort (not a JS exception).
Select all text-content columns as CAST(col AS BLOB) so node:sqlite
returns Uint8Array instead. Decode in JS with TextDecoder fatal:false
which replaces bad bytes with U+FFFD. Covers all three SQLite providers
(Cursor, Goose, OpenCode).
Removes the version blocklist (MIN_NODE_22_PATCH) and lowers engines
requirement from >=22.20 to >=22 since the BLOB cast approach works
on all Node 22.x versions.
Closes#264Closes#250
Reported in #264 as a V8 CHECK abort with `Check failed: (location_) != nullptr`
inside `node::sqlite::StatementSync::ColumnToValue`. The crash happens when
SQLite returns a TEXT column whose bytes V8's String::NewFromUtf8 rejects
(invalid UTF-8 — common for Cursor's stored chat text where multi-byte chars
are truncated at streaming boundaries). Node 22.x prior to 22.20 does not
check the resulting MaybeLocal<String> for empty before dereferencing,
aborting the whole process with a trace trap.
A try/catch in JS can't recover — the abort runs in the C++ extension before
the V8 exception handler. So we refuse to load node:sqlite at all when we
detect a buggy Node version, surface a clear "upgrade Node" diagnostic, and
let the rest of the CLI run with the file-based providers (Claude, Codex,
Copilot, Gemini, etc.) instead of taking the whole tool down.
- engines.node bumped to >=22.20 so npm warns at install time
- src/sqlite.ts: checkBuggyNodeVersion() detects Node 22.x < 22.20 and routes
through the existing isSqliteAvailable() / loadError diagnostic path
Use strip-ansi (already in dep tree via Ink) in extractBashCommands
to prevent terminal escape codes from leaking into dashboard bash
breakdown keys. Route goose, gemini, qwen, and openclaw through
extractBashCommands instead of inline split, which also gives them
multi-command extraction (matching claude/codex/droid behavior).
Resolves merge conflicts with main (README.md, src/providers/index.ts,
tests/provider-registry.test.ts, package-lock.json) and addresses PR
review feedback from Qodo-Free-For-OSS:
- Codebuff sessionId now includes the channel root name (manicode,
manicode-dev, manicode-staging) derived from the chat directory
structure, preventing the same chatId from colliding across channels
when downstream aggregation keys by (provider, sessionId, project).
- Uses '/' as the channel/chatId separator to avoid clashing with
src/parser.ts's colon-delimited session key format.
- Adds tests: collision across channels, channel inclusion, and
fallback when the path doesn't match the expected shape.
- Updates README dedup paragraph to mention Codebuff's strategy.
Skips 0.8.6 to match mac-v0.8.7 and keep CLI + menubar versions aligned.
CLI change: MiniMax-M2.7 and MiniMax-M2.7-highspeed pricing. macOS menubar
change: three stability fixes culminating in the App Nap opt-out that keeps
the refresh loop ticking while the icon is idle in the background.
Adds the Codebuff provider (formerly Manicode) as a single-file plugin
under src/providers/codebuff.ts, following the conventions used by the
pi and opencode providers.
Data source:
- Walks ~/.config/manicode/projects/<project>/chats/<chatId>/
- chat-messages.json holds the serialized ChatMessage[]
- run-state.json is consulted to recover the real cwd so sessions group
by the originating project directory
- manicode-dev and manicode-staging channels are walked automatically
- Honors CODEBUFF_DATA_DIR for a custom root
Cost model:
- Codebuff bills in credits, not tokens. Each completed assistant message
records credits on message.credits; CodeBurn approximates cost using
the public PAYG rate ($0.01 / credit) as a conservative upper bound.
- When Codebuff routes a call through an upstream provider and the
stashed RunState records real token totals (providerOptions.usage or
providerOptions.codebuff.usage in messageHistory), the LiteLLM-based
calculation takes precedence.
Tool normalization maps Codebuff-native names (read_files, str_replace,
run_terminal_command, spawn_agents, etc.) to the canonical set used by
the classifier (Read, Edit, Bash, Agent, TodoWrite, ...).
Tests:
- 18 provider tests covering discovery, parsing, multi-turn sessions,
providerOptions fallback, dedup, malformed files, display names
- provider-registry.test.ts updated to assert codebuff is registered
and its tool/model display names
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
Reverts the persistent source cache added in 0.8.2 back to v0.8.1's
full-reparse path for Claude sessions; keeps the plan pill, pricing fix,
cursor-agent provider, and the Mac menubar prefetch+timezone work added
between 0.8.2 and 0.8.4.
Add package.json repository/bugs/homepage fields. Swap hardcoded
AgentSeal/codeburn URLs to getagentseal/codeburn across README,
mac README, macOS menubar star banner, and the menubar installer's
release-API endpoint. 301 redirects keep old URLs working, but
canonical links now point at the current org.
Co-authored-by: AgentSeal <hello@agentseal.org>
Pre-release bump to validate npm OIDC trusted publishing end to end:
workflow trigger, Environment approval gate, Trusted Publisher match,
provenance attestation. Will not be tagged as `latest` on npm (npm
auto-excludes SemVer pre-releases from dist-tags). After this RC
succeeds, cut 0.7.4 proper.
npm was warning on every install that prebuild-install@7.1.3 is no
longer maintained. prebuild-install ships as a transitive dependency
of better-sqlite3 and upstream PR #1446 to replace it is still open,
so we switch to Node's built-in node:sqlite module (stable in Node 24,
experimental in Node 22/23) and remove the better-sqlite3 dep entirely.
- src/sqlite.ts: uses DatabaseSync from node:sqlite. The one-shot
ExperimentalWarning about SQLite on Node 22/23 is silenced for that
specific warning; other warnings pass through unchanged.
- package.json: engines.node bumped to >=22 (Node 20 EOL 2026-04-30),
better-sqlite3 and @types/better-sqlite3 removed, @types/node added
(it was coming in transitively via @types/better-sqlite3).
- tests/providers/opencode.test.ts: fixture DB creation switched to
node:sqlite (API parity for the CREATE TABLE + INSERT + prepare
path we use).
End-user install footprint shrinks from 167 to 40 packages and prints
zero deprecation warnings.
Credit: @primeminister for the report.
See CHANGELOG.md for the full breakdown. Highlights:
- Native Swift + SwiftUI menubar app under mac/ replaces the SwiftBar
plugin. Install via `npx codeburn menubar`.
- `status --format menubar-json` payload builder.
- `export -f csv` now writes a folder of clean per-table CSVs; `-o`
path guard prevents arbitrary deletion.
- `status` terminal Today/Month bucketed by local date instead of UTC.
- FX rate values clamped to sane bounds in both runtimes.
- SwiftBar plugin, install-menubar / uninstall-menubar, and
`--format menubar` removed.