npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

tokentrace

v0.21.2

Published

Local-first dashboard for AI CLI token, cost, and session analytics.

Readme

TokenTrace CLI

Local-first AI CLI usage analytics for developers and coding agents.

TokenTrace answers one practical question before the next expensive AI CLI run: is your local usage evidence ready to trust? It scans local Claude Code, Codex, structured usage logs, and usage-shaped local databases, then labels token and cost data as exact, estimated, unknown, cached, or non-cache. The dashboard opens on Today, with direct paths into Sessions, Evidence, and Fix Data.

TokenTrace is designed for local development machines first, with macOS-oriented defaults. It does not require a cloud account and does not send telemetry or logs anywhere.

Website · Source

TokenTrace Today dashboard

What TokenTrace Helps You Do

  • Check readiness before another coding-agent run with tokentrace preflight --json or MCP get_preflight.
  • See today’s local cost, tokens, sessions, confidence, anomalies, and repair signals in one first screen.
  • Trace every important number back to local files, parser state, sessions, model rates, and confidence labels.
  • Fix missing cost data through a guided repair queue without uploading prompts or message bodies.

Start In Seconds

Run without installing:

npx tokentrace

Or install globally:

npm install -g tokentrace
tokentrace

The command starts the local dashboard, chooses an available localhost port starting at 3030, opens your default browser, and keeps the server running until you press Ctrl+C.

CLI commands:

tokentrace              # Start local dashboard
tokentrace serve        # Start local dashboard
tokentrace serve --port 3210 --no-open
                        # Start on a fixed port without opening a browser
tokentrace agent --json # Print machine-readable agent discovery manifest
tokentrace capabilities --json
                        # Alias for agent discovery manifest
tokentrace roadmap --json
                        # Print release status handoff
tokentrace mcp          # Start the local stdio MCP server
tokentrace scan         # Scan local AI CLI usage logs
tokentrace doctor --json
                        # Inspect scan health and repair recommendations
tokentrace preflight --json
                        # Check readiness before another coding-agent run
tokentrace evidence --json
                        # Print metric evidence trails as JSON
tokentrace repair --json
                        # Print unknown-cost repair groups as JSON
tokentrace digest --json
                        # Print current-month local usage digest
tokentrace digest --since yesterday
                        # Print a scoped local usage digest
tokentrace report --markdown
                        # Print a deterministic Markdown report
tokentrace review --json
                        # Print post-session scan and review movement
tokentrace insights --json
                        # Print local recommendations as JSON
tokentrace status --json
                        # Print local usage status as JSON
tokentrace statusline claude
                        # Render a Claude Code status line from stdin
tokentrace statusline claude --compact
                        # Render a shorter Claude Code status line
tokentrace statusline setup claude
                        # Print Claude Code statusLine setup JSON
tokentrace watch --session
                        # Watch local usage status in a terminal split
tokentrace watch --session --compact
                        # Watch a compact live status line
tokentrace pricing refresh
                        # Refresh public model prices
tokentrace run <cmd>    # Optional wrapper mode for command runtime diagnostics
tokentrace reset        # Reset imported local data
tokentrace reset --yes  # Reset without confirmation
tokentrace --help       # Print help
tokentrace --version    # Print version

For Coding Agents

Agents should start with the read-only discovery manifest:

tokentrace agent --json

The alias below returns the same manifest:

tokentrace capabilities --json

The manifest describes TokenTrace's local-first privacy model, safe JSON commands, common workflows, Claude Code status-line setup, Codex sidecar fallback, and guardrails such as never running tokentrace reset without explicit human approval. The discovery command does not scan files, initialize the database, or start the dashboard.

Package-level agent references are included for agents that inspect repository or npm package contents before invoking commands:

MCP-capable clients can start the local stdio server after installing or using the npm package:

tokentrace mcp

Registry name: io.github.abhiyoheswaran1/tokentrace.

First MCP call for agents: get_agent_guide.

Self-test the local MCP entrypoint without scanning files:

tokentrace mcp selftest --json

The MCP server exposes the same local-first surfaces as tools: capabilities, preflight, status, Scan Health, evidence, repair queue, reports, and an explicit scan tool. It does not scan files on startup, and its scan tool requires confirmLocalScan=true before reading local usage files or writing the local database.

Before starting another long coding-agent run, use preflight:

tokentrace preflight --json

In MCP clients, call get_preflight for the same proceed, caution, or blocked decision with local scan freshness, confidence, guardrail, anomaly, and repair findings. Preflight does not scan files or inspect raw prompts.

When the local dashboard is already running, agents can fetch the same manifest over localhost:

curl http://127.0.0.1:3030/api/agent
curl http://127.0.0.1:3030/api/capabilities

The Local Sources & Trust release handoff is also machine-readable:

tokentrace roadmap --json
curl http://127.0.0.1:3030/api/roadmap

Run From Source

npm install
npm run db:migrate
npm run db:seed
npm run dev

Open http://localhost:3000.

Useful source commands:

npm run dev          # Start the Next.js dev server
npm run build        # Build the production app
npm run start        # Serve the production build
npm run scan         # Scan default and configured folders
npm run db:migrate   # Create/update local SQLite tables
npm run db:seed      # Seed editable provider/model prices
npm run screenshots:seed
                    # Seed a guarded public-safe screenshot database
npm run reset        # Clear imported data and scan history
npm test             # Run parser and cost tests
npm run verify       # Run Vitest, TypeScript, and ESLint checks
npm run package:test # Verify, build, and dry-run the npm package
npm run package:inspect
                    # Check package transparency guardrails
npm run security:ioc
                    # Scan lockfiles, workflows, and local AI-tool hooks for supply-chain IOCs
npm run smoke:packed
                    # Inspect packed tarball and smoke test packed CLI
tokentrace roadmap --json
                    # Inspect roadmap handoff, action recipes, and release status

Daily Loop And Trust

TokenTrace now organizes the product around the daily loop:

  1. Preflight: decide whether local evidence is ready before another agent run.
  2. Today: review cost, token, session, confidence, anomaly, and repair signals.
  3. Evidence: trace numbers back to source files, parser confidence, sessions, and model-rate state.
  4. Fix Data: resolve unknown cost, parser review, and model-rate gaps.
  5. Advanced: inspect Scan Health, Discovery, Parsers, Raw Data, Query, and Model Rates when you need the full diagnostic surface.

Trust surfaces include:

  • native structured usage log and Cursor-style chat export ingestion
  • Source Coverage in Scan Health for native, profile-assisted, fallback, and unsupported files
  • privacy-safe Evidence Packs as JSON or Markdown
  • local scan scheduling: manual, on-open, hourly, or daily
  • project/model/tool scoped guardrails with warning thresholds
  • Import Profile preview before saving matchers
  • saved report exports for weekly usage, source coverage, guardrails, unknown cost, high-cost sessions, and confidence trends
  • operating metadata export without raw usage records

Accuracy And Evidence

TokenTrace labels the trust level behind imported numbers:

  • exact provider token counts
  • tokenizer estimates for recognized OpenAI/Codex and Claude-family model names
  • simple estimates when only text-like content is available
  • source-provided costs from local SQLite histories
  • unknown cost repair groups when model, token, or rate evidence is missing

The dashboard surfaces a Data Confidence score on Today, Projects, Sessions, and Session Timeline pages. Scan Health also includes a supply-chain IOC check so package trust is visible in the product, not only in release scripts.

Public releases require maintainer approval. See docs/RELEASE_CHECKLIST.md before bumping versions, tagging, creating GitHub releases, or publishing npm.

In local development, the SQLite database defaults to .tokentrace/tokentrace.db. Override it with:

TOKENTRACE_DB=/absolute/path/tokentrace.db npm run dev

Data Location

When installed from npm, TokenTrace stores runtime data outside the package folder:

  • macOS: ~/Library/Application Support/TokenTrace/
  • Linux: ~/.local/share/tokentrace/
  • Windows: %APPDATA%/TokenTrace/

The CLI sets TOKENTRACE_DB and DATABASE_URL automatically. You can override the base directory with:

TOKENTRACE_HOME=/custom/path tokentrace

Where TokenTrace Looks

Default discovery checks these locations when present:

  • ~/.claude/
  • ~/.config/claude/
  • ~/.codex/
  • ~/.config/codex/
  • ~/.openai/
  • Project-level hidden folders such as .claude, .codex, .openai, and .ai in the directory where tokentrace was invoked
  • TokenTrace wrapper logs in the local app-data directory
  • Any custom folders configured in Settings

Use Settings to add custom folders, toggle raw message storage, and trigger scans. Use Scan Health, Discovery, Parsers, and Raw Data to inspect discovered files, parser decisions, warnings, failures, extracted metadata, and confidence levels.

Settings also supports optional local monthly usage guardrails. Set a cost limit, token limit, or both, and Today will show month-to-date progress from imported local CLI usage.

Sessions includes built-in and local saved views for recurring review paths: unknown cost, high-cost sessions, Claude/Codex this month, estimated tokens, guardrail review, and parser review. Open a session's Timeline link to see ordered interactions, model changes, token spikes, cache activity, tool calls, parser confidence, and unknown-cost events. Raw prompts and message bodies stay hidden by default.

Ingestion Architecture

TokenTrace's primary ingestion architecture is direct local filesystem ingestion:

  1. Discover local AI CLI artifacts.
  2. Parse supported formats through adapters.
  3. Normalize sessions, interactions, token usage, models, projects, and tool calls.
  4. Store normalized records locally in SQLite.
  5. Visualize analytics in the local dashboard.

TokenTrace does not use MITM proxies, packet sniffing, browser extensions, traffic interception, or cloud telemetry.

Each adapter detects compatibility, parses partial metadata where possible, and fails safely when a file format is unsupported. Imported interactions carry token confidence metadata:

  • exact
  • high-confidence estimate
  • low-confidence estimate
  • unknown

Exact and estimated token values are never mixed silently.

Optional Wrapper Mode

Filesystem ingestion is the primary product path. Wrapper mode is secondary and optional:

tokentrace run claude-code
tokentrace run codex
tokentrace run npm test

Wrapper mode launches the subprocess, measures duration, counts stdout/stderr bytes, detects structured JSON output when available, and writes a local JSONL diagnostic log under the app-data directory. It does not intercept network traffic.

Claude Code Status Line

Claude Code can run a local status-line command at the bottom of its terminal UI. TokenTrace supports that path directly:

tokentrace statusline setup claude

Add the printed statusLine block to ~/.claude/settings.json. It points Claude Code at:

tokentrace statusline claude

Claude Code sends session JSON to the command on stdin. TokenTrace reads the transcript path, model, context usage, and session cost, then prints one compact local line:

TokenTrace | Opus | ctx 7% | cost $0.1235 | processed 3.3K tokens | cache 2.0K | priced

Do not set the Claude Code statusLine.command to plain tokentrace. Plain tokentrace starts the dashboard, while tokentrace statusline claude prints exactly one status-line response.

TokenTrace Claude Code status line

You can also inspect the same local status outside Claude Code:

tokentrace status --json
tokentrace watch --session

Daily reporting commands stay deterministic and local:

tokentrace digest --since last-scan
tokentrace digest --since 2026-05-01 --json
tokentrace report --markdown --since yesterday
tokentrace review --json

Codex CLI status-line integration is intentionally deferred until its status-line and hook contracts are stable enough to support without fragile terminal output parsing. Use tokentrace watch --session --compact in a terminal split or tmux pane as the current fallback. See docs/CODEX_INTEGRATION_SPIKE.md for the current decision.

Screenshots

Dashboard views:

TokenTrace Today dashboard

TokenTrace unknown cost evidence trail

TokenTrace Fix Data queue

TokenTrace Scan Health parser review

CLI startup and help:

TokenTrace CLI help

Local scan output:

TokenTrace scan command

Optional wrapper diagnostics:

TokenTrace wrapper command

Privacy Model

  • All processing runs locally on your machine.
  • No external telemetry is included. Next.js telemetry is disabled by the CLI.
  • No cloud account is required.
  • Raw full prompts and responses are not stored by default.
  • TokenTrace stores short text previews for debugging and analytics context.
  • TokenTrace may download a public model-pricing manifest so cost estimates stay useful. It does not send usage logs, prompts, file paths, or analytics data with that request. Set TOKENTRACE_DISABLE_PRICE_REFRESH=1 to use only bundled prices.
  • Turn on Store raw message content in Settings only if you want full local message text preserved in SQLite.

Stop the server with Ctrl+C in the terminal where tokentrace is running.

Package Trust

  • The TokenTrace npm package has no preinstall, install, or postinstall scripts.
  • The published package ships readable application source and the compiled CLI runtime, not generated .next/server route bundles.
  • tokentrace serve prepares the local dashboard build in the user's TokenTrace app-data directory the first time it is needed.
  • npm run package:inspect fails if generated Next.js build output appears in the published tarball.
  • npm run security:ioc scans lockfiles, workflows, and local Claude/VS Code hook files for high-signal supply-chain compromise indicators.
  • Public npm publishing is configured through GitHub Actions Trusted Publishing and provenance from version tags.
  • Socket GitHub checks and ProjScan are used as release guardrails, alongside npm audit --audit-level=moderate.
  • npm run release:check fails when a gate command exits non-zero. The import graph is expected to remain free of circular dependencies; tests/import-boundaries.test.ts protects shared type/helper modules from importing higher-level orchestration barrels.
  • Release notes are published directly in GitHub Releases from the relevant changelog section, not as a link-only summary.

See SECURITY.md for the full security and privacy model.

Model Rates

Model prices change. TokenTrace ships with bundled public list prices and can refresh them from a public TokenTrace model-rate manifest. Manual edits made in Model Rates are preserved by future refreshes.

The bundled catalog includes common OpenAI, Anthropic, Google Gemini, xAI, DeepSeek, Mistral, and Cohere models, checked on May 8, 2026.

Seed sources:

Review and update rates in Model Rates before treating cost estimates as financial truth, especially if you use batch processing, priority/flex modes, data residency, long-context surcharges, subscriptions, or provider-specific discounts.

Refresh from the dashboard or from the CLI:

tokentrace pricing refresh

Cost is calculated per interaction:

inputTokens * inputPricePer1M / 1,000,000
+ outputTokens * outputPricePer1M / 1,000,000
+ cacheReadTokens * cachedInputPricePer1M / 1,000,000
+ cacheWriteTokens * cacheWritePricePer1M / 1,000,000

Cache read and cache write prices fall back to input price when a model has no separate cache rate. Anthropic seed rows use the 5-minute prompt cache write price by default. Rows are marked exact, estimated, or unknown depending on token availability and pricing configuration.

Supported Inputs

Adapters live under src/ingestion/adapters/:

  • claude-code.ts
  • codex-cli.ts
  • structured-usage-log.ts
  • cursor-chat.ts
  • sqlite-history.ts
  • generic-jsonl.ts
  • generic-json.ts
  • generic-log.ts

Formats for Claude Code and Codex CLI can vary across versions, so these adapters are defensive and best-effort. Unknown files fail safely and show warnings in the Raw Data page.

Support Matrix

TokenTrace keeps a visible support contract so daily scans are easier to trust:

| Surface | Support level | Notes | | --- | --- | --- | | Claude Code project transcripts | Stable | Primary local CLI ingestion source. | | Codex CLI session artifacts | Best-effort | Parsed defensively while CLI formats evolve. | | Structured usage JSONL/NDJSON | Stable | Local wrapper and team logs with session, model, token, and source-cost fields. | | Cursor-style chat exports | Best-effort | Imports local editor chat/composer exports without storing raw prompt text by default. | | Usage-shaped SQLite histories | Best-effort | Reads local databases that expose session, model, token, or cost-like columns. | | Generic JSONL, JSON, and text logs | Best-effort | Conservative usage-shaped records only. | | Claude/Codex cache, plugin, todo, config, and support files | Ignored | Tracked as non-usage files, not parser failures. | | Editable model pricing | Stable | Local pricing rows drive costs and unknown-cost repair queues. | | Claude Code status line | Stable | Uses Claude Code's documented statusLine stdin contract. | | Codex sticky status line | Best-effort fallback | Use tokentrace watch --session --compact in a split or tmux pane. | | Desktop app scraping, browser extensions, proxying, packet capture, telemetry | Unsupported | Outside TokenTrace's product boundary. |

Extending Parsers

Example generic JSONL fixtures are in fixtures/generic-jsonl/.

The ingestion system is intentionally pluggable:

  1. Add an adapter implementing IngestionAdapter.
  2. Register it in src/ingestion/adapters/index.ts.
  3. Add parser tests under tests/.

Contributing

Contributions are welcome. See CONTRIBUTING.md for local setup, parser guidelines, pricing update notes, and the release policy.

Troubleshooting

prebuild-install deprecation warning during install

npm warn deprecated [email protected]: No longer maintained...

This is a transitive dependency of better-sqlite3 (the native SQLite driver TokenTrace uses to store local data). The warning is harmless — the install completes normally and TokenTrace runs as expected. It will go away once better-sqlite3 upstream migrates to a different prebuilt binary loader; there is nothing to fix on the TokenTrace side.

Native build errors on better-sqlite3

If the prebuilt binary cannot be downloaded (offline machine, restrictive proxy, unsupported Node ABI), better-sqlite3 will try to compile from source and may fail. Workarounds:

  • Ensure Node.js is a supported LTS (TokenTrace requires >= 20.0.0; Node 20 or 22 LTS is recommended).
  • Install build tools: Xcode Command Line Tools on macOS, build-essential and python3 on Linux, or the "Desktop development with C++" workload on Windows.
  • Retry the install with network access to github.com so the prebuilt binary can be fetched.

EBADENGINE warnings

These appear when your local Node version is older than the engines field of a transitive dependency. They are warnings, not errors. Upgrading to the latest Node LTS resolves them.

Known Limitations

  • Claude Code and Codex CLI log formats are inferred defensively and may need refinement with real sample logs.
  • Tokenizer-backed estimates are available for recognized OpenAI/Codex and Claude-family model names. Unrecognized text-only records still fall back to a conservative simple estimate.
  • SQLite-history ingestion expects usage-shaped local tables and skips arbitrary databases that do not expose session, model, token, or cost-like fields.
  • Seed prices are editable and should be verified manually for your account, region, and provider plan.

License

Open source by Abhi Yoheswaran. Released under the MIT License. See LICENSE.

Next Improvements

  • Expand first-class native adapters for more local AI tools and editor histories.
  • Add provider-specific tokenizer refinements where public tokenizer behavior is stable enough to label clearly.
  • Make Import Profile preview more interactive for teams with custom wrapper logs.
  • Stream scan progress into the UI for very large local folders.