Patch notes

What's new in Token Rats

We ship a lot of small things and a few big ones. Here's what changed and why. Counts only β€” we still can't read your prompts.

v1.2

Launch Surface

The last mile before strangers arrive. Share, refer, delete, install β€” all of it cleaner.

New

  • NEW
    Wordle-style room recapThe room Share button now spits out a copy-paste recap with the [TRπŸ”ΆπŸ­] brand mark. Built to land on an X timeline and bring a stranger back through the install link.
  • NEW
    Affiliate / referral linksEvery signup carries a ref code through the GitHub OAuth handoff. We finally know who brought who.
  • NEW
    Delete roomOwners can delete their rooms. We know β€” it took a minute.
  • NEW
    Node install hintIf you don't have npx, the install block says so and points at nvm instead of failing in silence.

Improvements

  • IMPROVED
    Cursor v0.0.4CLI now reads aiService.generations straight from the Cursor workspace SQLite and estimates token counts when Cursor doesn't surface them directly.
  • IMPROVED
    sql.js Cursor readerDropped better-sqlite3 in favor of sql.js. The CLI no longer needs a native build step β€” it installs cleanly on every Node version we test.
  • IMPROVED
    Cross-subdomain session cookieWeb and api.* on the same apex finally share the session. Sign in once, stay signed in.
  • IMPROVED
    Auto-redirect logged-in usersHit / or /signin while already logged in? You go straight to /app. No more bounce.

Fixes

  • FIXED
    Number formattingBig numbers now use B for billions and en-US thousands separators everywhere. No more raw scientific-looking integers in your face.
  • FIXED
    Biome lint baselinepnpm lint is green from a clean checkout. CI no longer lies about the warning count.
v1.1

Sharpen the Edge

One viral feature, a stack of hardening, and the boring stuff that has to work when a stranger installs the CLI.

New

  • NEW
    Codex is a first-class sourceParser, pricing, CLI sync. If you use Codex, your sessions count alongside Claude Code and Cursor.
  • NEW
    Add-a-source pickerYour dashboard now has a three-option entry: Claude Code Β· Codex Β· Other. The Other branch breaks down into IDE / API / Open Source so you can find your tool fast.
  • NEW
    Per-source profile tiles/u/[handle] now breaks your spend down by source instead of one giant number. See where your tokens actually go.
  • NEW
    Top-2 source badges on leaderboardsEach row shows which two tools dominate that person's stack. Quick read on who's a Claude main vs a Cursor main vs a Codex sleeper.
  • NEW
    364-day profile heatmapGitHub-style contribution grid on every public profile. Watch your streak fill in and your cold weeks haunt you.
  • NEW
    API proxy modePoint your Anthropic SDK at api.tokenrats.com/v1/proxy/anthropic and we'll auto-log your usage. We never read prompts. Keys are AES-256-GCM encrypted at rest and never returned through the API, even to you.
  • NEW
    tokenrats.com is the home address.dev is retired. .com is the only domain we promise to maintain.

Improvements

  • IMPROVED
    Claude Code token accuracyWe were double-counting cache tokens and undercounting subagents. Cache tokens are now excluded from your totals and subagent calls roll into the parent session. Your numbers got more honest.
  • IMPROVED
    Live leaderboard fan-outCache invalidates on every ingest; Durable Object messages batch instead of firing one per row. Rooms feel real-time again.
  • IMPROVED
    Per-isolate proxy key cacheDecrypted Anthropic keys cache inside each Worker isolate. Proxy requests stop hitting D1 on the hot path.
  • IMPROVED
    KV-cached profile readsProfile, autobiography, and streak reads are now served from KV. Cold loads got noticeably faster.
  • IMPROVED
    OG cards fail loudWhen the API behind a share card breaks, the route returns 500 instead of silently rendering a blank PNG. We'd rather see a broken card than ship a confusing one.
  • IMPROVED
    Honest /v1/push/testThe push-test endpoint now tells you it's a stub until real RFC 8291 payload encryption lands. No more pretending.

Security & trust

  • SECURITY
    Baseline security headersCSP, X-Frame-Options, X-Content-Type-Options, and friends on every worker response.
  • SECURITY
    Idempotent Stripe webhookReplays don't double-charge anyone or create ghost subscriptions.
  • SECURITY
    Pinned OAuth redirect_uriGitHub OAuth redirect_uri is locked to API_ORIGIN. No open-redirect tricks from forged callbacks.
  • SECURITY
    Production-only CORS scopelocalhost-allowed CORS is now gated to non-production builds. Production only trusts the real origin.
  • SECURITY
    Owner-gated org spend/v1/orgs/:id/spend-by-user is now owner/admin-only. Regular members don't see each other's totals.
  • SECURITY
    Validated handlesDisplay handles and twitter handles get a real shape check before they hit the database.

Fixes

  • FIXED
    Settings pages surface failuresIf a settings load fails, you see the error. We stopped defaulting to a fake empty state.
  • FIXED
    Abuse + proxy errors no longer silentIf something breaks in the abuse or proxy paths, the response says so. No more shrugging.
  • FIXED
    Weekly digest cron pausedCron stays off until the real email provider is wired. We won't promise email we can't actually send.
v1.0

Launch Build

The bones of the game. Four phases, one bet: counts only β€” we never read your prompts.

Phase 0 β€” Foundation

  • NEW
    Monorepo + locked contractspnpm workspaces + Turbo + Biome. The contracts package holds every API shape as a Zod schema β€” change a contract, the whole monorepo's typechecker tells you what else needs to move.
  • NEW
    Centralized pricingOne pricing table for every model we support, with date-suffix fallback so a new dated model ID doesn't break price math.

Phase 1 β€” Pipeline end-to-end

  • NEW
    Token Rats CLIlogin, sync, watch, whoami, logout. Reads Claude Code + Cursor logs from disk and uploads counts only β€” prompt content never leaves your machine.
  • NEW
    Cloudflare Worker APIHono on the edge under /v1/*. D1 for storage, KV for cache, R2 for share cards, Durable Objects for live rooms.
  • NEW
    First web surfacesShare cards, /cli device-code approval, /join, public profile pages.

Phase 2 β€” The game layer

  • NEW
    RoomsCreate one, share the code, see your crew on a leaderboard. Range selector for today / 7d / 30d / all.
  • NEW
    Streaks + challengesDaily streak counter, weekly challenges, the small game-loop hooks.
  • NEW
    Autobiography revealAfter your first sync, /onboarding shows you what your last 30 days actually look like. Most people learn something.
  • NEW
    Share cards v2Per-user weekly card, per-room card, trending card β€” all at 1200Γ—630, all cached in R2.

Phase 3 β€” Realtime + trust

  • NEW
    Live rooms via SSERoomLiveHub Durable Object fans leaderboard updates to every open tab. No refresh needed.
  • NEW
    Public profiles/u/[handle] is opt-in. Privacy toggle lives on /settings/profile. Default is private.
  • NEW
    Trending page/trending shows the global movers across every public room. Today / 7d / 30d.
  • NEW
    Org plan scaffoldRoutes, Stripe webhook, org members + roles. Hidden in 1.1 pending consumer pull, but the schema stays.

Coming soon

What's queued for the next patch. Subject to change β€” we follow the signal.

  • Head-to-head cards/r/[code]/vs/[a]/[b] β€” paired stats, a giant delta number, and a card you can paste straight into a reply. Settle it.
  • Real web push payloadsRFC 8291 encryption so push notifications actually land with a title and a body on Chrome desktop and Android.
  • Real email digestsusers.email column + Resend integration. Monday-morning recap, one unsubscribe link, no marketing nonsense.
  • Group heatmap + group streakRoom-scoped contribution grid and an all-members-active streak pill on every room page.
  • Primary-source pillA claude-max / codex-pro / cursor-ide chip next to your handle everywhere, derived from your last 30 days.
  • Coverage waitlistsCompanies waitlist for the org plan. Provider waitlists for the tools we don't track yet. Zero engineering on the feature, real signal on what to revive first.

We don't list changes here that could compromise security. Hardening, owner-only tooling, and anything an attacker could use as a map ships quietly.