v0.1.0-source-beta: local-first LLM token/quota monitor

This is a source beta, not a polished binary release.

Who Eats Token is a local-first desktop monitor for LLM token and quota visibility. This release publishes the core Electron app, localhost protocol, adapter catalog, MCP server, browser/IDE adapter references, Node SDK path, screenshots, diagnostics, and maintainer checks so contributors and reviewers can inspect the project before signed public binaries are released.

Latest reviewer update (2026-06-05)

• Latest reviewer-facing docs are on main at 43791a8, with structured README evidence, sanitized runtime screenshots, release evidence links, threat model, roadmap, public feedback intake, and a dedicated feedback issue template.
• main branch protection is enabled: force pushes and branch deletion are disabled; required checks are windows-2025-vs2026 and macos-latest; PR review is not mandatory yet.
• Latest main CI is green: https://github.com/mumu-github/who-eats-token/actions/runs/26969946131
• Remote branch cleanup is complete: only main and open PR #12 (refactor/geometry-adapter-consolidation-20260602) remain.
• Manual validation now records Windows packaged smoke/soak, browser Options /health, and VS Code/Cursor adapter status-bar, refresh, and copy snapshot checks in docs/manual-validation.md and docs/release-evidence.md.
• Cursor 3.6.31 logged-in host validation is complete: the VSIX loaded, the status bar showed local /health, refresh executed, and Copy Token Snapshot produced structured JSON without recording token values, prompts, completions, cookies, source files, or full snapshot payloads.
• Issue #19 is closed as completed after recording VS Code 1.122.1 and Cursor 3.6.31 IDE adapter evidence.
• Source-beta feedback collection remains open at #26 so real testers can report host, adapter, privacy-boundary, and UX feedback without sharing secrets.
• The GitHub New Issue flow includes a Source beta feedback template, plus labels for source-beta, feedback, adapter, validation, release, macOS, Windows, and performance triage.

What is ready

• Windows source/runtime validation and local API guardrails.
• Localhost ingest, snapshot, and health endpoints.
• Codex and Hermes local collection paths.
• Hermes OpenAI-compatible bridge usage capture.
• Browser extension and VS Code/Cursor adapter reference implementations with recorded manual host evidence.
• MCP server and Node SDK entry points for agent workflows.
• CI, release readiness checks, secret scan, license check, adapter review, diagnostics, and redacted support bundle commands.
• Reviewer-facing screenshots generated with sanitized mock data via npm run screenshots:readme.
• Security evidence in SECURITY.md, PRIVACY.md, docs/protocol.md, and docs/threat-model.md.

Known blockers before public binaries

• macOS packaged smoke/soak and permission-state validation on a real Mac.
• Windows Authenticode signing plus macOS Developer ID signing and notarization.

Privacy boundary

• No hosted telemetry.
• No prompt, completion, source-file, API-key, cookie, local token, raw database, or screenshot collection.
• Browser and IDE adapters should only report usage/quota/status metadata through explicit local-first paths.

Verification

• Latest main CI: https://github.com/mumu-github/who-eats-token/actions/runs/26969946131
• npm run release:check
• npm run test:docs
• npm run secret:scan
• npm run test:release-readiness
• npm run release:gaps -- --target source-beta --require-source-beta
• npm run release:summary -- --require-source-beta

Public roadmap

Tracked under the v0.1.0 source beta hardening milestone:

• #18 Validate macOS source beta runtime and permission states
• #19 Record VS Code and Cursor adapter manual QA evidence - completed
• #20 Publish community adapter contribution checklist
• #21 Harden browser extension manual QA evidence
• #22 Prepare signing and notarization plan for public binaries