codeburn

vrr/codeburn

Fork 0

mirror of https://github.com/AgentSeal/codeburn.git synced 2026-05-17 12:20:43 +00:00

Commit graph

Author	SHA1	Message	Date
Resham Joshi	daa673449c	Menubar and CLI hardening from multi-agent audit (#257 ) Some checks are pending CI / semgrep (push) Waiting to run Details Two passes of validators across CLI accuracy, dashboard UX, menubar Swift, performance, security, and end-to-end smoke tests on real session data. Data-correctness fixes: - parseLocalDate rejects month/day overflow. JS Date silently rolled Feb 31 to Mar 3, so --from 2026-02-31 --to 2026-03-15 quietly dropped sessions on Feb 28 - Mar 2. Now throws "Invalid date" with a clear reason. Leap-day case covered (2024-02-29 valid, 2025-02-29 rejected). - CSV/JSON exports use the active currency's natural decimal places. The previous round2 helper produced ¥412.37 in CSV while the dashboard rendered ¥412 — finance teams comparing the two surfaces saw a discrepancy. New roundForActiveCurrency consults Intl.NumberFormat for the right precision (0 for JPY/KRW/CLP, 2 for USD/EUR, etc). - Copilot toolRequests is Array.isArray-guarded in both modern and legacy event branches. Previously a corrupt session with toolRequests=null or a string aborted the whole file's parse loop and silently dropped every legitimate call after it. - Codex token_count dedup uses a null sentinel for prevCumulativeTotal so the first event is never confused with a duplicate. Sessions that emit only last_token_usage (no total_token_usage) report cumulativeTotal=0 on every event; with the previous 0-initialized prev, the first event matched the dedup guard and was dropped. - LiteLLM pricing values are clamped to [0, 1] per token via safePerTokenRate. Defense in depth against a tampered upstream JSON shipping negative or absurdly large per-token costs that would otherwise propagate into all cost totals. Performance: - Cursor SQLite parse no longer pegs at minutes on multi-GB DBs. Two changes: per-conversation user-message buffer uses an index pointer instead of Array.shift() (which was O(n) per call); and a real ROWID cutoff via subquery limits the scan to the most recent 250k bubbles with a stderr warning so power users get a partial report rather than a stalled CLI. - Spawned codeburn CLI subprocesses are terminated when the calling Task is cancelled. Without this, rapid period/provider tab clicks in the menubar cancelled the Task but left the subprocess running to completion, piling up zombie processes. UX: - Dashboard period switch flips to loading and clears projects synchronously before reloadData runs, eliminating the frame where the new period label rendered over the old period's projects. - Optimize findings tab paginates 3-at-a-time with j/k scroll. With 4 new detectors plus 7 originals, 8-10 findings * 6 lines was scrolling the StatusBar off the alt buffer top. - Custom --from/--to ranges hide the period tab strip and disable the 1-5 / arrow keys so a stray period press no longer abandons the user's explicit range. A "Custom range: X to Y" banner replaces the tab strip. - OpenCode storage-format warning is per-table-set, rate-limited to once per process, and points the user at OpenCode's migration step or the issue tracker. The previous all-or-nothing check fired the generic "format not recognized" string for any schema mismatch. Menubar / OAuth: - Both Claude and Codex bootstrap (Reconnect button) now honour the usageBlockedUntil 429 backoff that refreshIfBootstrapped respects. Spamming Reconnect during sustained rate-limit windows previously hammered the upstream endpoint on every click. - Codex Retry-After HTTP header is parsed (delta-seconds plus IMF-fixdate fallback) so we don't over-back-off when ChatGPT tells us a shorter window than our 5-minute floor. - Both credential cache files are written via SafeFile.write (O_CREAT \| O_EXCL \| O_NOFOLLOW with explicit 0600) so there is no race window where the temp file briefly exists at default umask, and a symlink at the destination cannot redirect the write. Reads now route through SafeFile.read with a 64 KiB cap, closing the symlink-follow gap on Data(contentsOf:). CI signal: - TypeScript strict typecheck (tsc --noEmit) is now zero errors. The six errors in src/providers/copilot.ts came from a discriminated-union catch-all branch whose `data: Record<string, unknown>` shape TS picked over the specific event branches when narrowing on `type`. Removed the catch-all; runtime falls through unknown event types via the existing if/else chain. Tests added: 16 new (now 555 total) - date-range-filter: month/day/year overflow rejection, leap-day correctness - currency-rounding: convertCost no-rounding contract, roundForActiveCurrency for USD/JPY/KRW/EUR - providers/copilot: malformed toolRequests does not abort the parse - providers/cursor-bubble-dedup: re-parse after token mutation does not double-count, single parse yields one call per bubble - providers/codex: first event with cumulativeTotal=0 not dropped, consecutive zero-cumulative duplicates still deduped	2026-05-06 22:15:11 -07:00
Resham Joshi	efac2bfa15	Live quota bar inside AgentTab + Claude OAuth refresh gate (#255 ) Some checks are pending CI / semgrep (push) Waiting to run Details * Gate Claude OAuth refresh attempts on terminal failures Anthropic returns invalid_grant (HTTP 400) when the user's refresh token has been revoked or rotated, typically after they re-ran claude login on another device. The previous code rethrew the raw error every refresh cycle, leaving the Plan UI stuck on a Swift error string and pummeling Anthropic's token endpoint forever. The new SubscriptionRefreshGate captures a fingerprint of ~/.claude/.credentials.json on terminal failure and stops trying until that fingerprint changes (the user re-logs-in). Transient 5xx/network failures get exponential backoff capped at 6 hours. Two new SubscriptionError cases let the UI distinguish "user must reconnect" from "Anthropic is flaky right now" and show a clean reconnect CTA instead of raw HTTP guts. * Inline live-quota progress bar inside each AgentTab chip When a provider exposes a live quota source, the AgentTab chip grows by ~3pt to host a thin weekly-utilization bar directly under the label. Hovering the chip reveals a popover with all four Anthropic windows (5-hour, weekly, weekly Opus, weekly Sonnet) plus reset countdowns. Click still switches the tab as before. Today only Claude has a quota source (the existing /api/oauth/usage path); other providers' chips render unchanged. The QuotaSummary abstraction lets us bolt on Cursor/Copilot/Codex meters in follow-up commits. Subscription is now refreshed eagerly on the periodic loop so the bar lights up without forcing the user to open a deep view first. The previous SubscriptionRefreshGate keeps a dead refresh token from spamming Anthropic. Adds two new SubscriptionLoadState cases (terminalFailure, transientFailure) so the deep Plan view shows a "reconnect" message instead of a raw Swift error string when the user's claude login expired. * Replace SubscriptionClient with credential-store + service architecture The previous SubscriptionClient never persisted refreshed access tokens, so every 30s tick read the expired token from Keychain, refreshed it (1 call), fetched usage with the new token (2nd call), and threw the new token away — 3 API calls per cycle, which burned through Anthropic's per-account rate budget and produced the 429s and `invalid_grant` loops users were seeing. The replacement mirrors CodexBar's proven pattern: - ClaudeCredentialStore owns the credential lifecycle. Bootstrap is strictly user-initiated (Connect button in the Plan tab); the menubar does not touch Claude's keychain at startup. After bootstrap, refreshed tokens — including rotated refresh tokens — are persisted to a local cache file under ~/Library/Application Support/CodeBurn (mode 0600). Using a file instead of our own keychain item means rebuild signature changes don't trigger a startup keychain prompt; the only prompt the user ever sees is the one for Claude Code-credentials on Connect. - ClaudeUsageFetcher (folded into the service) is a pure /api/oauth/usage call with one allowed 401-recovery roundtrip. 429s record an explicit backoff window honouring Retry-After. - ClaudeSubscriptionService orchestrates bootstrap / refresh / disconnect, applies the 429 backoff, and surfaces terminal vs transient failures so the UI can show the right CTA. - Reading Claude's keychain now tries the entry keyed by NSUserName() first and falls back to the unscoped query, so users who re-ran /login and ended up with two Claude Code-credentials items pick up the fresh one. This was the actual cause of "I logged in but the menubar still shows stale data". User-facing additions: - A proper Settings window (right-click → Settings…) with General / Claude / About tabs. Provider quota cadence is configurable (Manual / 1m / 2m / 5m / 15m). New providers plug in as additional tabs. - Plan tab: notBootstrapped → "Connect Claude subscription" CTA; terminalFailure → "Reconnect Claude" with the correct /login instruction for Claude Code 2.1; transientFailure preserves the last loaded view with a retrying badge. - AgentTab quota bar slot is always reserved so chip height doesn't jitter when the user connects for the first time. Hover popover has 250ms enter / 150ms exit debounce so swiping across chips doesn't pop a popover for every chip touched. - Disconnect requires confirmation, clears capacityEstimates and the subscription snapshot store so a reconnect under a different account doesn't surface "Based on last cycle" projections from the old account. Validator findings applied: cadence anchor only updates on successful refresh (not every attempt), refresh-token rotation persists in memory before keychain write so a write failure doesn't lock the user out, server error bodies are sanitized (token redaction + 240-char cap) before they reach the UI or NSLog, and Refresh Now refreshes both the menubar payload and quota. * Add Codex live quota + multi-provider warning, with validator fixes CodexCredentialStore reads ~/.codex/auth.json (ChatGPT-mode only) on user-initiated Connect, caches under Application Support like Claude. CodexSubscriptionService hits chatgpt.com/backend-api/wham/usage with the bearer token + ChatGPT-Account-Id header, parses primary/secondary windows, additional per-model rate limits (e.g. GPT-5.3-Codex-Spark), and credits balance with a Double-or-String fallback. Plan-tier enum captures the full ChatGPT plan list including prolite, free_workspace, education, quorum, k12, plus an unknown(String) case that preserves the raw plan name when OpenAI ships a tier we haven't mapped yet. Multi-provider warning system: - Menubar flame tints from neutral to yellow (70%) → orange (90%) → red (100%) based on the worst-affected connected provider's worst window. Uses NSImage.SymbolConfiguration palette colors. - Popover header gains a warning row when any provider is at 70%+. "Claude 79% of quota used", "Claude 79% · Codex 92%", or "Claude over limit (105%)" when severity hits .danger. - Hover popover gains a plan-name badge in the top-right corner so users know which subscription is feeding the bar. - Codex chip surfaces the credits balance and any non-zero per-model additional rate limits as footer rows. Validator fixes applied in the same commit: - Provider-specific reconnect / disconnected copy in QuotaDetailPopover (was hardcoded to Claude). - Generation-token guard on refreshSubscriptionReportingSuccess and refreshCodexReportingSuccess so a Disconnect during an in-flight fetch can't resume after the await and re-populate the cleared state. - Codex codexQuotaSummary promotes secondary to primary when only one window is returned, so free / guest tiers don't render an empty bar. - Memory-cache TTL is now actually consulted in currentRecord (the isFresh check was dead code, leaving cached records valid forever). - sanitizeForUI now redacts OpenAI sk-* keys, JWT tokens, and Bearer headers in addition to Claude sk-ant-. - Removed diagnostic NSLog that wrote raw chatgpt.com response bodies to the unified log. - Codex Connect / Reconnect copy in Settings explains the auth.json prerequisite and the API-key vs ChatGPT-mode distinction. - Disconnect dialogs now state explicitly that the auth.json / credentials keychain entry is left untouched. - Plan badge in the popover gets line-limit + truncation + max-width so a long unknown plan name can't overflow the row. - Renamed shadowing `let max` to `let worst` in aggregateQuotaStatus. Add Codex Plan tab + size plan badge to content The Plan tab is now visible when the Codex chip is selected, mirroring the Claude tab's deep view. CodexPlanInsight renders the user's plan tier ("Pro Lite", "Plus", etc.), the primary and secondary rate-limit windows with reset countdowns, and any non-zero per-model additional limits (e.g. GPT-5.3-Codex-Spark) so power users see them. The "On pace at reset" projection that Claude's Plan view shows is not included here — that math feeds from local Claude per-message spend extrapolated against API quota windows, and our local Codex spend is not a 1:1 signal for the ChatGPT-subscription rate windows reported by wham/usage. Wiring a Codex extrapolator is a follow-up. Drop the maxWidth=90 frame on the plan badge in the hover popover. It was stretching short labels like "Pro Lite" to fill the full 90pt slot; fixedSize makes the badge hug the text. Plan names are bounded short strings, so truncation is a non-issue in practice.	2026-05-06 19:57:17 -07:00

Author

SHA1

Message

Date

Resham Joshi

daa673449c

Menubar and CLI hardening from multi-agent audit (#257 )

CI / semgrep (push) Waiting to run

Details

Two passes of validators across CLI accuracy, dashboard UX, menubar Swift,
performance, security, and end-to-end smoke tests on real session data.

Data-correctness fixes:

- parseLocalDate rejects month/day overflow. JS Date silently rolled
  Feb 31 to Mar 3, so --from 2026-02-31 --to 2026-03-15 quietly dropped
  sessions on Feb 28 - Mar 2. Now throws "Invalid date" with a clear
  reason. Leap-day case covered (2024-02-29 valid, 2025-02-29 rejected).

- CSV/JSON exports use the active currency's natural decimal places. The
  previous round2 helper produced ¥412.37 in CSV while the dashboard
  rendered ¥412 — finance teams comparing the two surfaces saw a
  discrepancy. New roundForActiveCurrency consults Intl.NumberFormat for
  the right precision (0 for JPY/KRW/CLP, 2 for USD/EUR, etc).

- Copilot toolRequests is Array.isArray-guarded in both modern and legacy
  event branches. Previously a corrupt session with toolRequests=null or
  a string aborted the whole file's parse loop and silently dropped every
  legitimate call after it.

- Codex token_count dedup uses a null sentinel for prevCumulativeTotal so
  the first event is never confused with a duplicate. Sessions that emit
  only last_token_usage (no total_token_usage) report cumulativeTotal=0
  on every event; with the previous 0-initialized prev, the first event
  matched the dedup guard and was dropped.

- LiteLLM pricing values are clamped to [0, 1] per token via safePerTokenRate.
  Defense in depth against a tampered upstream JSON shipping negative or
  absurdly large per-token costs that would otherwise propagate into all
  cost totals.

Performance:

- Cursor SQLite parse no longer pegs at minutes on multi-GB DBs. Two
  changes: per-conversation user-message buffer uses an index pointer
  instead of Array.shift() (which was O(n) per call); and a real ROWID
  cutoff via subquery limits the scan to the most recent 250k bubbles
  with a stderr warning so power users get a partial report rather than
  a stalled CLI.

- Spawned codeburn CLI subprocesses are terminated when the calling Task
  is cancelled. Without this, rapid period/provider tab clicks in the
  menubar cancelled the Task but left the subprocess running to
  completion, piling up zombie processes.

UX:

- Dashboard period switch flips to loading and clears projects
  synchronously before reloadData runs, eliminating the frame where the
  new period label rendered over the old period's projects.

- Optimize findings tab paginates 3-at-a-time with j/k scroll. With 4
  new detectors plus 7 originals, 8-10 findings * 6 lines was scrolling
  the StatusBar off the alt buffer top.

- Custom --from/--to ranges hide the period tab strip and disable the
  1-5 / arrow keys so a stray period press no longer abandons the user's
  explicit range. A "Custom range: X to Y" banner replaces the tab strip.

- OpenCode storage-format warning is per-table-set, rate-limited to once
  per process, and points the user at OpenCode's migration step or the
  issue tracker. The previous all-or-nothing check fired the generic
  "format not recognized" string for any schema mismatch.

Menubar / OAuth:

- Both Claude and Codex bootstrap (Reconnect button) now honour the
  usageBlockedUntil 429 backoff that refreshIfBootstrapped respects.
  Spamming Reconnect during sustained rate-limit windows previously
  hammered the upstream endpoint on every click.

- Codex Retry-After HTTP header is parsed (delta-seconds plus IMF-fixdate
  fallback) so we don't over-back-off when ChatGPT tells us a shorter
  window than our 5-minute floor.

- Both credential cache files are written via SafeFile.write
  (O_CREAT | O_EXCL | O_NOFOLLOW with explicit 0600) so there is no race
  window where the temp file briefly exists at default umask, and a
  symlink at the destination cannot redirect the write. Reads now route
  through SafeFile.read with a 64 KiB cap, closing the symlink-follow gap
  on Data(contentsOf:).

CI signal:

- TypeScript strict typecheck (tsc --noEmit) is now zero errors. The
  six errors in src/providers/copilot.ts came from a discriminated-union
  catch-all branch whose `data: Record<string, unknown>` shape TS picked
  over the specific event branches when narrowing on `type`. Removed the
  catch-all; runtime falls through unknown event types via the existing
  if/else chain.

Tests added: 16 new (now 555 total)
- date-range-filter: month/day/year overflow rejection, leap-day correctness
- currency-rounding: convertCost no-rounding contract, roundForActiveCurrency
  for USD/JPY/KRW/EUR
- providers/copilot: malformed toolRequests does not abort the parse
- providers/cursor-bubble-dedup: re-parse after token mutation does not
  double-count, single parse yields one call per bubble
- providers/codex: first event with cumulativeTotal=0 not dropped,
  consecutive zero-cumulative duplicates still deduped

2026-05-06 22:15:11 -07:00

Resham Joshi

efac2bfa15

Live quota bar inside AgentTab + Claude OAuth refresh gate (#255 )

CI / semgrep (push) Waiting to run

Details

* Gate Claude OAuth refresh attempts on terminal failures

Anthropic returns invalid_grant (HTTP 400) when the user's refresh token has
been revoked or rotated, typically after they re-ran claude login on another
device. The previous code rethrew the raw error every refresh cycle, leaving
the Plan UI stuck on a Swift error string and pummeling Anthropic's token
endpoint forever.

The new SubscriptionRefreshGate captures a fingerprint of
~/.claude/.credentials.json on terminal failure and stops trying until that
fingerprint changes (the user re-logs-in). Transient 5xx/network failures
get exponential backoff capped at 6 hours.

Two new SubscriptionError cases let the UI distinguish "user must reconnect"
from "Anthropic is flaky right now" and show a clean reconnect CTA instead
of raw HTTP guts.

* Inline live-quota progress bar inside each AgentTab chip

When a provider exposes a live quota source, the AgentTab chip grows by ~3pt
to host a thin weekly-utilization bar directly under the label. Hovering the
chip reveals a popover with all four Anthropic windows (5-hour, weekly, weekly
Opus, weekly Sonnet) plus reset countdowns. Click still switches the tab as
before.

Today only Claude has a quota source (the existing /api/oauth/usage path);
other providers' chips render unchanged. The QuotaSummary abstraction lets
us bolt on Cursor/Copilot/Codex meters in follow-up commits.

Subscription is now refreshed eagerly on the periodic loop so the bar lights
up without forcing the user to open a deep view first. The previous
SubscriptionRefreshGate keeps a dead refresh token from spamming Anthropic.

Adds two new SubscriptionLoadState cases (terminalFailure, transientFailure)
so the deep Plan view shows a "reconnect" message instead of a raw Swift
error string when the user's claude login expired.

* Replace SubscriptionClient with credential-store + service architecture

The previous SubscriptionClient never persisted refreshed access tokens, so
every 30s tick read the expired token from Keychain, refreshed it (1 call),
fetched usage with the new token (2nd call), and threw the new token away —
3 API calls per cycle, which burned through Anthropic's per-account rate
budget and produced the 429s and `invalid_grant` loops users were seeing.

The replacement mirrors CodexBar's proven pattern:

- ClaudeCredentialStore owns the credential lifecycle. Bootstrap is strictly
  user-initiated (Connect button in the Plan tab); the menubar does not touch
  Claude's keychain at startup. After bootstrap, refreshed tokens — including
  rotated refresh tokens — are persisted to a local cache file under
  ~/Library/Application Support/CodeBurn (mode 0600). Using a file instead of
  our own keychain item means rebuild signature changes don't trigger a
  startup keychain prompt; the only prompt the user ever sees is the one for
  Claude Code-credentials on Connect.

- ClaudeUsageFetcher (folded into the service) is a pure /api/oauth/usage
  call with one allowed 401-recovery roundtrip. 429s record an explicit
  backoff window honouring Retry-After.

- ClaudeSubscriptionService orchestrates bootstrap / refresh / disconnect,
  applies the 429 backoff, and surfaces terminal vs transient failures so
  the UI can show the right CTA.

- Reading Claude's keychain now tries the entry keyed by NSUserName() first
  and falls back to the unscoped query, so users who re-ran /login and ended
  up with two Claude Code-credentials items pick up the fresh one. This was
  the actual cause of "I logged in but the menubar still shows stale data".

User-facing additions:

- A proper Settings window (right-click → Settings…) with General / Claude /
  About tabs. Provider quota cadence is configurable (Manual / 1m / 2m / 5m /
  15m). New providers plug in as additional tabs.

- Plan tab: notBootstrapped → "Connect Claude subscription" CTA;
  terminalFailure → "Reconnect Claude" with the correct /login instruction
  for Claude Code 2.1; transientFailure preserves the last loaded view with
  a retrying badge.

- AgentTab quota bar slot is always reserved so chip height doesn't jitter
  when the user connects for the first time. Hover popover has 250ms enter
  / 150ms exit debounce so swiping across chips doesn't pop a popover for
  every chip touched.

- Disconnect requires confirmation, clears capacityEstimates and the
  subscription snapshot store so a reconnect under a different account
  doesn't surface "Based on last cycle" projections from the old account.

Validator findings applied: cadence anchor only updates on successful
refresh (not every attempt), refresh-token rotation persists in memory
before keychain write so a write failure doesn't lock the user out, server
error bodies are sanitized (token redaction + 240-char cap) before they
reach the UI or NSLog, and Refresh Now refreshes both the menubar payload
and quota.

* Add Codex live quota + multi-provider warning, with validator fixes

CodexCredentialStore reads ~/.codex/auth.json (ChatGPT-mode only) on
user-initiated Connect, caches under Application Support like Claude.
CodexSubscriptionService hits chatgpt.com/backend-api/wham/usage with
the bearer token + ChatGPT-Account-Id header, parses primary/secondary
windows, additional per-model rate limits (e.g. GPT-5.3-Codex-Spark),
and credits balance with a Double-or-String fallback.

Plan-tier enum captures the full ChatGPT plan list including prolite,
free_workspace, education, quorum, k12, plus an unknown(String) case
that preserves the raw plan name when OpenAI ships a tier we haven't
mapped yet.

Multi-provider warning system:
- Menubar flame tints from neutral to yellow (70%) → orange (90%) →
  red (100%) based on the worst-affected connected provider's worst
  window. Uses NSImage.SymbolConfiguration palette colors.
- Popover header gains a warning row when any provider is at 70%+.
  "Claude 79% of quota used", "Claude 79% · Codex 92%", or
  "Claude over limit (105%)" when severity hits .danger.
- Hover popover gains a plan-name badge in the top-right corner so
  users know which subscription is feeding the bar.
- Codex chip surfaces the credits balance and any non-zero per-model
  additional rate limits as footer rows.

Validator fixes applied in the same commit:

- Provider-specific reconnect / disconnected copy in QuotaDetailPopover
  (was hardcoded to Claude).
- Generation-token guard on refreshSubscriptionReportingSuccess and
  refreshCodexReportingSuccess so a Disconnect during an in-flight
  fetch can't resume after the await and re-populate the cleared state.
- Codex codexQuotaSummary promotes secondary to primary when only one
  window is returned, so free / guest tiers don't render an empty bar.
- Memory-cache TTL is now actually consulted in currentRecord (the
  isFresh check was dead code, leaving cached records valid forever).
- sanitizeForUI now redacts OpenAI sk-* keys, JWT tokens, and Bearer
  headers in addition to Claude sk-ant-*.
- Removed diagnostic NSLog that wrote raw chatgpt.com response bodies
  to the unified log.
- Codex Connect / Reconnect copy in Settings explains the auth.json
  prerequisite and the API-key vs ChatGPT-mode distinction.
- Disconnect dialogs now state explicitly that the auth.json /
  credentials keychain entry is left untouched.
- Plan badge in the popover gets line-limit + truncation + max-width
  so a long unknown plan name can't overflow the row.
- Renamed shadowing `let max` to `let worst` in aggregateQuotaStatus.

* Add Codex Plan tab + size plan badge to content

The Plan tab is now visible when the Codex chip is selected, mirroring
the Claude tab's deep view. CodexPlanInsight renders the user's plan
tier ("Pro Lite", "Plus", etc.), the primary and secondary rate-limit
windows with reset countdowns, and any non-zero per-model additional
limits (e.g. GPT-5.3-Codex-Spark) so power users see them.

The "On pace at reset" projection that Claude's Plan view shows is not
included here — that math feeds from local Claude per-message spend
extrapolated against API quota windows, and our local Codex spend is
not a 1:1 signal for the ChatGPT-subscription rate windows reported by
wham/usage. Wiring a Codex extrapolator is a follow-up.

Drop the maxWidth=90 frame on the plan badge in the hover popover. It
was stretching short labels like "Pro Lite" to fill the full 90pt slot;
fixedSize makes the badge hug the text. Plan names are bounded short
strings, so truncation is a non-issue in practice.

2026-05-06 19:57:17 -07:00

2 commits