feat: add project identification to request tracking #53
zenprocess wants to merge 1 commit into snipeship:main from
Extract project name from Claude API requests using:
1. x-project header (explicit override)
2. Path patterns in system prompt (/Users/.../Desktop/{Project}/)
3. First markdown heading in system prompt
Adds `project` column to requests table with migration guard,
performance index, and pass-through to all domain types and
API responses. Backward-compatible — project defaults to null.
Files: types (api.ts, request.ts), database (migrations, repository,
operations, indexes), proxy (post-processor.worker.ts)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Context: Why project tracking matters
This PR was born from a real production need — we run ccflare as shared infrastructure proxying Claude API traffic across multiple accounts, machines, and projects. Without project tagging, analytics showed aggregate token usage but couldn't answer basic questions like:
The bigger picture: ccflare + Afterburn
Project tracking unlocks a powerful integration with Afterburn — a tool that mines Claude Code session history to find recurring friction patterns, successful approaches, and skill gaps. The pipeline:
What this enables that neither tool can do alone:
ccflare's
Happy to share more details if useful for the project roadmap.
Hi @zenprocess,
* feat: add dashboard authentication for API key protection [skip-version]

  Implements secure dashboard authentication when API keys are configured:
  - Store/retrieve API keys from localStorage
  - Authentication dialog prompts for API key on first access
  - Automatic inclusion of API key in all dashboard API requests
  - Validates API key before accepting it

  Fixes snipeship#53

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: dashboard authentication now properly includes API key headers [skip-version]

  Fixed critical issues preventing dashboard from working with API keys:
  - Auth service now exempts static assets (.js, .css, .svg, etc.) from authentication
  - API client properly overrides request() method to inject x-api-key header
  - ApiKeysTab now uses api client instead of direct fetch() calls
  - Added comprehensive tests for static asset exemption

  This resolves the 401 errors on dashboard API requests and allows full dashboard functionality when API keys are configured.

  Closes snipeship#53

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: Dashboard authentication with API keys (fix snipeship#53) [skip-version]

  - Exempt dashboard routes from server-side auth (only API endpoints require auth)
  - Add global 401 error handler via custom event system
  - Auto-trigger auth dialog when closing generated key dialog
  - Disable queries while key dialog is open to prevent premature 401s
  - Show auth dialog on any page, not just root
  - Clean up debug logging

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* security: Add CSP headers and improve error type checking [skip-version]

  - Add Content Security Policy headers for dashboard HTML
  - Add security headers (X-Frame-Options, X-Content-Type-Options, etc.)
  - Replace duck-typed error checks with instanceof HttpError
  - Ensure consistent error handling across codebase

  CSP protects against:
  - XSS attacks (restricts script sources)
  - Data exfiltration (connect-src 'self' only)
  - Clickjacking (frame-ancestors 'none')
  - MIME type confusion (X-Content-Type-Options: nosniff)

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* security: Fix authentication bypass and harden CSP [skip-version]

  Critical fixes:
  - Fix authentication bypass: Only render content when isAuthenticated=true
  - Remove 'unsafe-inline' from script-src in CSP (only external scripts allowed)
  - Keep 'unsafe-inline' for style-src (required for CSS-in-JS/Tailwind)

  Previous logic allowed unauthenticated access if auth dialog was closed.
  New logic: Content only renders when explicitly authenticated.

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* security: Use sessionStorage instead of localStorage for API keys [skip-version]

  - Replace localStorage with sessionStorage for API key storage
  - sessionStorage is cleared when tab closes (reduces exposure window)
  - Still survives page reloads within same tab (good UX)
  - Combined with strict CSP headers for XSS protection

  Benefits:
  - API key not persisted after browser/tab close
  - Reduced risk window compared to localStorage
  - No code changes needed in components (same API)

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Summary
- `x-project` header > system prompt path pattern > system prompt heading
- `project` column to requests table with migration guard and performance index

Motivation
When ccflare proxies traffic from multiple Claude Code projects across multiple machines, there's no way to tell which project generated which request. This makes per-project analytics, cost tracking, and session correlation impossible.
Changes
- packages/types/src/api.ts: `project` to `RequestMeta`
- packages/types/src/request.ts: `project` to `RequestRow`, `Request`, `RequestResponse` + mappers
- packages/proxy/src/post-processor.worker.ts: `extractProjectFromRequest()`, wire through `handleStart`/`handleEnd`
- packages/database/src/repositories/request.repository.ts: `project` to `RequestData`, `saveMeta()`, `save()`
- packages/database/src/database-operations.ts: `project` param through facade methods
- packages/database/src/migrations.ts: `ALTER TABLE ADD COLUMN project TEXT`
- packages/database/src/performance-indexes.ts: `idx_requests_project_timestamp`

Test plan
- `bun run build`
- `project` column populated: `sqlite3 ccflare.db "SELECT id, project FROM requests LIMIT 5"`
- `x-project` header override: `curl -H "x-project: test" ...`

🤖 Generated with Claude Code
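
The three-source precedence this PR describes (`x-project` header, then path pattern, then first markdown heading), as an added example that is not the PR's or ccflare's own code. Because both the header and the system prompt are client-supplied and the result is stored and indexed, this version also bounds length and character set; the function names, the 64-character cap and the allow-list are assumptions.

```typescript
// Added example, not ccflare's code. Names, the cap and the allow-list are assumptions.
type HeaderMap = Record<string, string | undefined>;

const MAX_LEN = 64; // assumed cap on a stored project name
// Assumed allow-list: starts alphanumeric, then letters, digits, space, dot, underscore, hyphen.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9 ._-]*$/;

// Return the trimmed name, or null when it is empty, too long or has other characters.
function sanitizeProject(candidate: string | undefined): string | null {
  if (candidate === undefined) return null;
  const name = candidate.trim();
  if (name.length === 0 || name.length > MAX_LEN) return null;
  return SAFE_NAME.test(name) ? name : null;
}

// Source 2: /Users/<user>/Desktop/<Project>/ somewhere in the system prompt.
function projectFromPath(systemPrompt: string): string | null {
  const m = /\/Users\/[^/\s]+\/Desktop\/([^/\n]+)\//.exec(systemPrompt);
  return m ? sanitizeProject(m[1]) : null;
}

// Source 3: first markdown heading ("# Title") in the system prompt.
function projectFromHeading(systemPrompt: string): string | null {
  const m = /^#{1,6}[ \t]+(.+?)[ \t]*$/m.exec(systemPrompt);
  return m ? sanitizeProject(m[1]) : null;
}

// Header first, then path pattern, then heading; null when nothing usable is found.
// A rejected candidate falls through to the next source instead of being stored.
function resolveProject(headers: HeaderMap, systemPrompt: string): string | null {
  // Header names are case-insensitive, so lower-case them before the lookup.
  const lowered: HeaderMap = {};
  for (const k of Object.keys(headers)) lowered[k.toLowerCase()] = headers[k];
  return (
    sanitizeProject(lowered["x-project"]) ??
    projectFromPath(systemPrompt) ??
    projectFromHeading(systemPrompt)
  );
}

// Constructed sample system prompt containing both a path and a heading.
const SAMPLE_PROMPT =
  "Working directory: /Users/alice/Desktop/billing-api/src\n# Billing API notes\n";
```
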