Expand the popup to show everything the TUI does: period switcher submenu,
top activities with one-shot rate, top models, provider breakdown when more
than one provider has data, optimize findings, and an updated-timestamp row.
Add per-period Open Full Report so the terminal view matches what the popup
was showing.
For theme compatibility, stop hardcoding colors that don't work on both
light and dark GNOME themes. Keep the brand orange (#ff8c42) for the header
and findings, let everything else inherit the shell palette, and express
dimming through opacity instead of rgba so the popup reads correctly on
Yaru Light, Yaru Dark, Adwaita, Adwaita Dark, and any other theme.
Add a listener on org.gnome.desktop.interface color-scheme so the indicator
re-applies its .codeburn-dark / .codeburn-light class when the user flips
the system theme, without waiting for a reload.
Ship a GJS extension in extensions/gnome-shell/codeburn@agentseal.org so
GNOME users get the same panel-anchored popover Ubuntu's Quick Settings
uses, rather than the floating window the Tauri tray is limited to through
StatusNotifierItem.
The extension lives inside gnome-shell as a PanelMenu.Button, so it has
direct access to its own icon coordinates and can open a PopupMenu docked
under it without any IPC or DBus plumbing. The tradeoff is it only works
on GNOME 45+; the Tauri app in desktop/ stays the cross-platform option
for KDE, Unity, wlroots, and Windows users.
Data flow: the extension shells out to codeburn status --format menubar-json
every 60 seconds, parses the payload, and renders a header, top 5 activities,
and optimize findings count. Refresh and Open Full Report actions live in
the popup menu; the Open Full Report action spawns gnome-terminal with the
codeburn report TUI.
The GNOME AppIndicator extension delivers Activate with (0, 0) instead of
real screen coordinates, which made the popover land in the top-left corner
because the centering math treated the bogus origin as a legitimate anchor.
Treat (0, 0) as no-anchor and reuse the top-right fallback the non-Linux
path already uses, so the popover lands near the StatusNotifier area on
hosts that don't pass coordinates.
Also cfg-gate the Emitter import since it is only used in the non-Linux
tray menu path.
Tauri's Linux tray uses libappindicator, which by design never fires
left-click events to the app and exposes no icon screen position. That
forced a menu-first UX on GNOME and made anchoring the popover near the
icon impossible (tauri-apps/tauri#7283, closed not-planned).
Drop libappindicator on Linux and talk StatusNotifierItem directly via
the ksni crate:
* new src-tauri/src/tray_linux.rs implements ksni::Tray. activate(x, y)
and secondary_activate(x, y) arrive with real screen coordinates. The
implementation exports no menu on purpose, so SNI hosts (notably the
gnome-shell-extension-appindicator) call Activate on left click instead
of opening a context menu.
* LinuxTrayHandle wraps the async ksni::Handle with a sync Mutex so the
Tauri command handler can push title updates without naming the
generic Handle<CodeburnTray> across module boundaries.
* lib.rs gates TrayIconBuilder behind cfg(not(target_os = "linux")) and
spawns ksni on the Tokio runtime Tauri already owns. Tray click events
go through codeburn://tray-activate with {x, y} so the positioning logic
can anchor the popover directly below the click, clamped to the monitor.
* new set_tray_title command pushes the hero cost to the tray label on
every payload fetch. On Linux that's the SNI title next to the icon;
on other platforms it's the TrayIcon::set_title.
* new quit_app command + popover-footer × button gives Linux users a way
to exit without a tray menu.
* empty-state copy already landed in a previous commit. Combined with the
footer Quit button, the popover is now self-contained on Linux.
Windows is unaffected: TrayIconBuilder there fires left-click events
correctly and set_title/tooltip work out of the box.
Known limitation: on vanilla GNOME without AppIndicator support, there is
no tray to click. Documentation will link to the AppIndicator extension
install, same caveat Slack, Discord and 1Password ship with.
window.outer_size() returns (0, 0) on the first show, so the previous
positioning snapped to top-left when the window had not been rendered yet.
Derive the target x from the popover width declared in tauri.conf.json and
scale margins by the monitor's scale factor so HiDPI displays land in the
right spot.
Linux window managers ignore tray icon screen coordinates, so we cannot
attach the popover to the icon the way macOS does. Snap it to the top-right
of the primary monitor on every show so it feels anchored to the tray area
on GNOME, KDE and Unity, which all host StatusNotifier icons at the top
right.
Linux tray implementations often do not deliver a distinct left-click event
through the AppIndicator path, so the popover could not be opened on GNOME.
Add an explicit Show Dashboard menu item that calls toggle_popover so the
UI is reachable via the tray menu on every platform.
Also render a friendly empty state in the popover when no session data is
found, pointing at the supported source paths instead of showing a bare
$0 hero with an empty activity list.
desktop/Scripts/provision-linux.sh: one-shot apt + Node 20 + Rust stable
+ codeburn CLI + repo clone + npm install. Leaves the user one command
away from `npm run tauri dev`.
desktop/Scripts/autoinstall/: cloud-init user-data + meta-data plus a
README for building the CIDATA ISO. Mount that ISO alongside the Ubuntu
Server ISO in UTM and the installer runs without any prompts. Default
test credentials codeburn/codeburn; README calls out changing them for
non-throwaway VMs.
Adds desktop/ with a native tray app that mirrors the macOS popover via
a shared tokens.json and the same codeburn status --format menubar-json
data source. Same security posture as the Swift app: argv-validated CLI
spawn, O_NOFOLLOW cache writes, flock on config.json, FX rate clamping
to [0.0001, 1_000_000].
Stack:
- Tauri 2.x (Rust) for tray + window lifecycle, shells out to the CLI
- React + TypeScript + Vite for the popover UI
- libayatana-appindicator on Linux, system tray on Windows
- Produces .deb / .rpm / .AppImage on ubuntu-latest, .msi on
windows-latest. Both workflows run on free GitHub Actions minutes.
Rust modules (src-tauri/src/):
- lib.rs: tray icon, menu events, popover toggle, state wiring
- cli.rs: CodeburnCli with argv allowlist and bounded pipe drain
(20 MB stdout / 256 KB stderr / 60 s wall time)
- config.rs: flock-guarded read-modify-write of ~/.config/codeburn/config.json
- fx.rs: Frankfurter fetch with 24 h disk cache, bounds check
Frontend:
- App.tsx with agent tabs, period switcher, hero cost, activity rows,
optimize findings CTA, footer (currency picker / refresh / Open
Full Report). Listens for `codeburn://refresh` tray events.
- lib/payload.ts mirrors the CLI's MenubarPayload shape
- lib/currency.ts mirrors the Swift Double.asCurrency helpers
- styles.css with design tokens as CSS custom properties
CLI:
- `codeburn menubar` now platform-dispatches: macOS (.app zip),
Linux (.AppImage into ~/.local/bin), Windows (.msi via msiexec).
macOS behaviour preserved exactly.
Release workflow:
- .github/workflows/release-desktop-linux.yml triggers on `linux-v*`
tags, builds all three Linux formats, uploads to GitHub Releases.
Scaffold verified:
- cargo check -> clean
- tsc --noEmit -> clean
- npm run build (CLI) -> 205 KB
- Existing test suite: 230 / 230 still pass
The prior rename commit moved the PNG but forgot to stage the matching
README edit, leaving the live image tag pointing at a path that no
longer existed. This fixes it.
The ?v=0.7.2 query bust wasn't enough; GitHub's Camo proxy was still
serving the SwiftBar-era image to viewers. Renaming the asset to a
new path forces every downstream cache to treat it as a new resource.
Appends ?v=0.7.2 to the image URL so GitHub's Camo proxy re-fetches
the new 0.7.2 screenshot instead of serving its stale copy of the
SwiftBar-era one.
Removes references to future signing decisions, dollar amounts, and
star thresholds from the menubar README, the CHANGELOG, the release
workflow (its YAML comments and the auto-generated release body), and
the packaging script. The technical description stays; the 'we are
not paying for X right now' framing is out.
See CHANGELOG.md for the full breakdown. Highlights:
- Native Swift + SwiftUI menubar app under mac/ replaces the SwiftBar
plugin. Install via `npx codeburn menubar`.
- `status --format menubar-json` payload builder.
- `export -f csv` now writes a folder of clean per-table CSVs; `-o`
path guard prevents arbitrary deletion.
- `status` terminal Today/Month bucketed by local date instead of UTC.
- FX rate values clamped to sane bounds in both runtimes.
- SwiftBar plugin, install-menubar / uninstall-menubar, and
`--format menubar` removed.
renderStatusBar computed `today` via `new Date().toISOString().slice(0,10)`,
which is the UTC date. Session timestamps are also UTC ISO strings, but
the user's expectation of "today" is their wall-clock day. During the
window between local midnight and UTC midnight (e.g. 17:00 PDT on
2026-04-17, which is already 00:00 UTC on 2026-04-18), every session
bucketed under local April 17 missed the UTC-April-18 filter and the
status bar read `Today $0.00 0 calls` even while `--format json`
and the menubar app correctly showed the spend.
Both sides of the comparison now use the local date of each session
timestamp, so the terminal status and the JSON / menubar paths agree.
Verified at UTC midnight (the regression moment that surfaced the bug):
Before: Today $0.0000 0 calls
After: Today $339.87 1839 calls
Caught during the fresh-clone review of the menubar PR.
Caught in a fresh-clone smoke test: SwiftPM refused to build because
.process("../../Resources") pointed at an empty directory that git
does not track. The bundle has no assets to ship yet (icon will land
with signing work), so the reference is gone. Build passes on a clean
checkout and the packaging script produces the universal .app zip as
expected.
Sets CODEBURN_VERBOSE=1 via commander preAction, which the fs-utils
helpers check before emitting stderr lines on skipped or failed reads.
Closes LOW-1 from the 2026-04-16 audit.
Replaces any character outside [A-Za-z0-9 ._/-] with ? in model and
category labels and truncates to 14 chars before padEnd. Closes the
MEDIUM-2 finding from the 2026-04-16 audit: an attacker-controlled
JSONL with a crafted model name no longer injects SwiftBar directives
or ANSI escapes.
Three cases (pipe-in-model, ANSI-in-model, pipe-in-category) reproduce
the audit's SwiftBar directive-separator attack. Tests fail against
current menubar.ts -- Task 13 will close with an allowlist sanitizer.
All four read paths in the optimizer (async session scan + three sync
config/import/profile scans) now pass through the 128 MB-capped
helpers. JSON.parse in readJsonFile stays wrapped in try/catch.
MEDIUM-1 coverage for the optimize module.
Config JSON, CLAUDE.md scans, and session-discovery reads now pass
through the 128 MB-capped helper. JSON.parse remains wrapped in
try/catch to preserve the previous 'null on malformed JSON' contract.
MEDIUM-1 coverage for the context-budget module.
Events JSONL and workspace.yaml reads now pass through the 128 MB-capped
helper. The workspace.yaml path stays non-fatal: a null read skips cwd
derivation but still pushes the session with sessionId as the fallback
project label. MEDIUM-1 coverage for the Copilot provider.
Both Codex session read paths (first-line meta and full-session parse)
now pass through the 128 MB-capped helper. MEDIUM-1 coverage for the
Codex provider.
Replaces the unbounded readFile in parseSessionFile with the 128 MB-capped
helper from src/fs-utils. Addresses MEDIUM-1 for the Claude provider
hot path.
Verbose-mode stderr output replaces the previous silent catch,
closing LOW-1 as a side effect.
Adds readSessionFile / readSessionFileSync / readSessionLines with a
128 MB hard cap and 8 MB streaming threshold. Verbose mode
(CODEBURN_VERBOSE=1) logs skipped and failed reads to stderr.
Prepares the MEDIUM-1 migration of all provider read paths.
Initialize the four breakdown maps (model, tool, mcp, bash) with null
prototype so attacker-controlled keys named __proto__ create own
properties on the map instead of mutating Object.prototype.
Closes the HIGH-1 finding from the 2026-04-16 external security audit.
Three PoC fixtures (tool name, bash command, model name) reproduce
the audit's HIGH-1 attack. Tests assert Object.prototype.calls stays
undefined after parsing. They fail against current parser.ts -- Task 3
will close the pollution sink with Object.create(null).
Claude Code does not document or implement a .claudeignore feature.
The junk-reads detector's fix is now a CLAUDE.md instruction asking
Claude to avoid generated/dependency directories. The separate
detectMissingClaudeignore finding and its tests are removed; checking
for the presence of a non-existent file has no signal.
Closes#61.
SwiftBar/xbar launch plugins with a minimal environment. If an older
system Node (e.g. v18.x from Homebrew) appears earlier on PATH than the
NVM-managed Node used to install codeburn, the plugin silently fails
because string-width uses the /v regex flag (requires Node >= 20.11).
Resolve the node binary directory at install time via process.execPath
and prepend it to PATH in the generated plugin script. Also explicitly
set HOME, which SwiftBar does not always inherit.
Fixes#63
Sits between 'Reading the dashboard' (what the numbers mean) and
'How it reads data' (where the data comes from) so the feature lands
as the natural next step: here is how to act on the patterns you saw.
Rename slice(0, N) and length - N literals used in waste-finding
preview strings to GHOST_NAMES_PREVIEW, GHOST_CLEANUP_COMMANDS_LIMIT,
TOP_ITEMS_PREVIEW, MISSING_IGNORE_PATHS_PREVIEW, JUNK_DIRS_IGNORE_PREVIEW.
Drop the punctuation double-hyphen from the config-health header.
The menubar status output computes per-provider today costs by iterating
all providers after the main period blocks. That loop bypassed the
project filter, so --project/--exclude affected the main totals but not
the provider breakdown shown below them.
Adds unit tests for the project-filter helper: include OR semantics,
exclude AND-negation, case-insensitive matching against both project name
and projectPath, ordering (exclude applied after include), empty-string
edge case, and input immutability.
