feat: Enhance backend sync service with backend-specific file locks and UTC-based daily rollups

- Refactor sync lock acquisition and release methods to support backend-specific locks.
- Introduce daily rollups for session data to ensure accurate token attribution across days.
- Update session file cache structure to include daily rollups for consistent reporting.
- Modify CopilotTokenTracker to calculate and store daily interaction counts and model usage.
- Adjust date handling to use UTC for consistent period boundaries in statistics.
- Improve performance by leveraging pre-computed daily rollups when available.

Author: rajbos

sharing-server/.env.example

@@ -12,6 +12,25 @@ SESSION_SECRET=change_me_to_a_random_secret
 # Public base URL of this server (used in OAuth redirect URI and links)
 BASE_URL=http://localhost:3000
 
-# Optional: restrict to members of a specific GitHub organization
-# Leave empty to allow any GitHub user
+# Optional: restrict dashboard access and data uploads to members of this GitHub org.
+# Leave empty to allow any authenticated GitHub user.
+# Example: ALLOWED_GITHUB_ORG=my-company
 ALLOWED_GITHUB_ORG=
+
+# Optional: server-side GitHub PAT used to verify org membership (see ALLOWED_GITHUB_ORG).
+#
+# When ALLOWED_GITHUB_ORG is set, the server calls the GitHub API to check whether
+# the authenticated user is a member of that org. By default it uses the user's own
+# OAuth token, which fails for orgs that enforce SAML SSO (GitHub returns 403 because
+# the user's token is not SSO-authorized for the org).
+#
+# Setting this to a PAT that belongs to the server operator (who IS a member and has
+# authorized the token for SSO) bypasses that limitation: the server checks membership
+# on the user's behalf without requiring anything extra from the end user.
+#
+# How to create:
+#   1. Go to https://github.com/settings/tokens → Generate new token (classic)
+#   2. Grant the "read:org" scope
+#   3. Click "Configure SSO" next to the token and authorize it for ALLOWED_GITHUB_ORG
+#   4. Paste the generated token below
+GITHUB_ORG_CHECK_TOKEN=

sharing-server/src/auth.ts

@@ -30,6 +30,14 @@ const ipRateMap = new Map<string, { count: number; resetAt: number }>();
 const IP_RATE_MAX = 200;
 const IP_RATE_WINDOW_MS = 60 * 1000; // 1 minute per IP
 
+/**
+ * Validates a GitHub Bearer token supplied by the client (e.g. the VS Code extension).
+ * Resolves the token to a local user row, or returns null if the token is invalid,
+ * the GitHub API is unreachable, or the user is not a member of ALLOWED_GITHUB_ORG.
+ *
+ * Results are cached for 10 minutes (positive) or 1 minute (negative) to reduce
+ * outbound GitHub API calls.
+ */
 export async function validateGitHubToken(token: string): Promise<UserRow | null> {
 	const cacheKey = createHash('sha256').update(token).digest('hex');
 
@@ -83,11 +91,25 @@ export async function validateGitHubToken(token: string): Promise<UserRow | null
 	return user;
 }
 
-async function checkOrgMembership(token: string, username: string, org: string): Promise<boolean> {
+/**
+ * Checks whether `username` is an active public member of `org`.
+ *
+ * Uses GITHUB_ORG_CHECK_TOKEN (a server-configured PAT) when set, so that the
+ * check works even when the org enforces SAML SSO — the server operator's PAT
+ * is pre-authorized for the org, meaning the end user's token never needs
+ * read:org scope or SSO authorization.
+ *
+ * Falls back to the user's own token if no server PAT is configured (works for
+ * orgs with public membership and no SAML enforcement).
+ */
+async function checkOrgMembership(userToken: string, username: string, org: string): Promise<boolean> {
+	// Prefer a server-side PAT (already SSO-authorized) so the user's OAuth token
+	// doesn't need read:org or SAML SSO authorization.
+	const checkToken = process.env.GITHUB_ORG_CHECK_TOKEN || userToken;
 	try {
 		const res = await fetch(`https://api.github.com/orgs/${org}/members/${username}`, {
 			headers: {
-				Authorization: `Bearer ${token}`,
+				Authorization: `Bearer ${checkToken}`,
 				'User-Agent': 'copilot-sharing-server/1.0',
 				Accept: 'application/vnd.github+json',
 			},
@@ -99,6 +121,7 @@ async function checkOrgMembership(token: string, username: string, org: string):
 	}
 }
 
+/** Returns true if the IP address is within the pre-auth rate limit window, false if it should be blocked. */
 export function checkIpRateLimit(ip: string): boolean {
 	const now = Date.now();
 	const entry = ipRateMap.get(ip);
@@ -111,6 +134,7 @@ export function checkIpRateLimit(ip: string): boolean {
 	return true;
 }
 
+/** Returns true if the user is within the upload rate limit window, false if they should be blocked. */
 export function checkUploadRateLimit(userId: number): boolean {
 	const now = Date.now();
 	const entry = uploadRateMap.get(userId);
@@ -125,6 +149,11 @@ export function checkUploadRateLimit(userId: number): boolean {
 
 export type AuthVariables = { user: UserRow };
 
+/**
+ * Hono middleware that enforces Bearer token authentication on API routes.
+ * Applies IP-level rate limiting before token validation, then resolves the
+ * token to a user and stores it in the Hono context for downstream handlers.
+ */
 export async function requireBearerAuth(c: Context, next: Next): Promise<Response | void> {
 	const ip = c.req.header('x-forwarded-for') ?? c.req.header('x-real-ip') ?? 'unknown';
 

sharing-server/src/routes/dashboard.ts

@@ -105,11 +105,15 @@ dashboard.get('/auth/github/callback', async (c) => {
 	// Optional org membership check
 	const allowedOrg = process.env.ALLOWED_GITHUB_ORG;
 	if (allowedOrg) {
+		// Prefer a server-side PAT (already SSO-authorized) so the user's OAuth token
+		// doesn't need read:org or SAML SSO authorization.
+		const checkToken = process.env.GITHUB_ORG_CHECK_TOKEN || accessToken;
 		try {
 			const memberRes = await fetch(`https://api.github.com/orgs/${allowedOrg}/members/${userData.login}`, {
 				headers: {
-					Authorization: `Bearer ${accessToken}`,
+					Authorization: `Bearer ${checkToken}`,
 					'User-Agent': 'copilot-sharing-server/1.0',
+					Accept: 'application/vnd.github+json',
 				},
 				signal: AbortSignal.timeout(10_000),
 			});
@@ -142,6 +146,80 @@ dashboard.get('/auth/logout', (c) => {
 	return c.redirect('/dashboard');
 });
 
+/** POST /auth/pat — Sign in with a GitHub Personal Access Token. */
+dashboard.post('/auth/pat', async (c) => {
+	const body = await c.req.parseBody();
+	const token = (body['pat'] as string ?? '').trim();
+
+	if (!token) {
+		return c.html(errorPage('No token provided.'), 400);
+	}
+
+	// Fetch the authenticated user
+	let userData: { id: number; login: string; name: string | null; avatar_url: string };
+	try {
+		const userRes = await fetch('https://api.github.com/user', {
+			headers: {
+				Authorization: `Bearer ${token}`,
+				'User-Agent': 'copilot-sharing-server/1.0',
+				Accept: 'application/vnd.github+json',
+			},
+			signal: AbortSignal.timeout(10_000),
+		});
+		if (!userRes.ok) {
+			return c.html(errorPage('Invalid token or unable to verify GitHub identity.'), 401);
+		}
+		userData = await userRes.json() as typeof userData;
+	} catch (err) {
+		return c.html(errorPage(`Failed to reach GitHub: ${String(err)}`), 502);
+	}
+
+	// Optional org membership check
+	const allowedOrg = process.env.ALLOWED_GITHUB_ORG;
+	if (allowedOrg) {
+		try {
+			const memberRes = await fetch(`https://api.github.com/user/memberships/orgs/${allowedOrg}`, {
+				headers: {
+					Authorization: `Bearer ${token}`,
+					'User-Agent': 'copilot-sharing-server/1.0',
+					Accept: 'application/vnd.github+json',
+				},
+				signal: AbortSignal.timeout(10_000),
+			});
+			if (memberRes.status === 403) {
+				return c.html(errorPage(
+					`Access denied: your token is not authorized for the "${allowedOrg}" organization. ` +
+					`If this org uses SAML SSO, go to github.com → Settings → Personal access tokens, ` +
+					`click your token, and grant SSO access to the "${allowedOrg}" org.`
+				), 403);
+			}
+			if (memberRes.status !== 200) {
+				return c.html(errorPage(`Access denied: you are not a member of the "${allowedOrg}" organization.`), 403);
+			}
+			const membership = await memberRes.json() as { state: string };
+			if (membership.state !== 'active') {
+				return c.html(errorPage(`Access denied: your membership in the "${allowedOrg}" organization is not active.`), 403);
+			}
+		} catch {
+			return c.html(errorPage('Unable to verify organization membership. Please try again.'), 502);
+		}
+	}
+
+	const user = upsertUser(userData.id, userData.login, userData.name, userData.avatar_url);
+	const claims = makeClaims(user.id);
+	const sessionValue = encodeSession(claims);
+
+	setCookie(c, COOKIE_NAME, sessionValue, {
+		httpOnly: true,
+		secure: process.env.NODE_ENV === 'production',
+		sameSite: 'Lax',
+		maxAge: SESSION_MAX_AGE,
+		path: '/',
+	});
+
+	return c.redirect('/dashboard');
+});
+
 // ── Dashboard ─────────────────────────────────────────────────────────────────
 
 /** Redirect root to dashboard. */
@@ -676,14 +754,42 @@ ${body}
 }
 
 function loginPage(): string {
+	const oauthAvailable = !!process.env.GITHUB_CLIENT_ID;
+	const oauthSection = oauthAvailable ? `
+  <a href="/auth/github" class="btn btn-primary" style="font-size:1rem; padding:12px 28px">
+    Sign in with GitHub (OAuth)
+  </a>
+  <p style="color:#8b949e; margin-top:8px; font-size:0.85rem">
+    Note: requires org admin approval for SSO organizations.
+  </p>
+  <div style="color:#8b949e; margin: 24px 0; font-size:0.9rem">— or —</div>` : '';
+
 	return layout('Sign In', `
 <div class="header"><h1>🤖 Copilot Token Tracker Sharing</h1></div>
 <div class="content" style="text-align:center; margin-top: 80px; align-items:center">
   <h2 style="color:#e6edf3">Sign in to view your usage dashboard</h2>
   <p style="color:#8b949e">Your data is linked to your GitHub account. No account creation needed.</p>
-  <a href="/auth/github" class="btn btn-primary" style="font-size:1rem; padding:12px 28px">
-    Sign in with GitHub
-  </a>
+  ${oauthSection}
+  <form method="POST" action="/auth/pat" style="max-width:420px; margin:0 auto; text-align:left">
+    <label style="color:#8b949e; font-size:0.9rem; display:block; margin-bottom:6px">
+      Sign in with a GitHub Personal Access Token (PAT)
+    </label>
+    <input
+      type="password"
+      name="pat"
+      placeholder="ghp_..."
+      required
+      autocomplete="off"
+      style="width:100%; padding:10px 12px; border-radius:6px; border:1px solid #30363d;
+             background:#161b22; color:#e6edf3; font-size:0.95rem; box-sizing:border-box"
+    />
+    <p style="color:#8b949e; font-size:0.8rem; margin:6px 0 12px">
+      Needs <code>read:user</code> scope (and <code>read:org</code> + SSO authorization if your org enforces SAML SSO).
+    </p>
+    <button type="submit" class="btn btn-primary" style="width:100%; font-size:1rem; padding:10px">
+      Sign in with PAT
+    </button>
+  </form>
   <p style="color:#8b949e; margin-top:32px; font-size:0.85rem">
     The VS Code extension uploads data automatically using your existing GitHub session —
     no separate sign-in required.
@@ -1269,6 +1375,30 @@ var CHART_DATA = ${safeJson(chartData)};
 </script>
 <script>${_chartJsCode}</script>
 <script>${interactiveJs}</script>
+<script>
+// Re-compute "Today" stats using browser's local timezone (server pre-renders in UTC)
+(function() {
+  function fmtLocal(n) {
+    if (n >= 1000000) return (n / 1000000).toFixed(1) + 'M';
+    if (n >= 1000) return (n / 1000).toFixed(1) + 'K';
+    return String(n);
+  }
+  var todayLocal = new Date().toLocaleDateString('sv-SE'); // YYYY-MM-DD in local timezone
+  var todayData = CHART_DATA.filter(function(r) { return r.day === todayLocal; });
+  var inputTokens = todayData.reduce(function(s, r) { return s + r.inputTokens; }, 0);
+  var outputTokens = todayData.reduce(function(s, r) { return s + r.outputTokens; }, 0);
+  var interactions = todayData.reduce(function(s, r) { return s + r.interactions; }, 0);
+  var daysActive = todayData.length > 0 ? 1 : 0;
+  var panel = document.getElementById('stats-today');
+  if (panel) {
+    var values = panel.querySelectorAll('.stat-card .value');
+    if (values[0]) values[0].textContent = fmtLocal(inputTokens);
+    if (values[1]) values[1].textContent = fmtLocal(outputTokens);
+    if (values[2]) values[2].textContent = fmtLocal(interactions);
+    if (values[3]) values[3].textContent = String(daysActive);
+  }
+})();
+</script>
 <script>${fluencyJs}</script>`);
 }
 

vscode-extension/src/backend/configPanel.ts

@@ -10,6 +10,7 @@ export interface BackendConfigPanelState {
 	privacyBadge: string;
 	isConfigured: boolean;
 	authStatus: string;
+	githubTokenAvailable: boolean;
 	shareConsentAt?: string;
 	lastSyncAt?: number;
 }
@@ -291,6 +292,9 @@ export class BackendConfigPanel implements vscode.Disposable {
 				</div>
 				<div id="enabledToggleTeam-help" class="helper">Independent of Azure Storage — both backends can sync simultaneously.</div>
 				<div class="status-line" id="lastSyncLine" style="margin-top: 12px;" role="status"></div>
+			<div id="githubAuthWarning" style="display:none; margin-top: 12px; padding: 10px 12px; background: #4d2c00; border-left: 3px solid #f0883e; border-radius: 4px; font-size: 12px; color: #e5c07b;">
+				⚠️ <strong>GitHub sign-in required.</strong> The extension uses your VS Code GitHub session as the upload token. Open the <strong>Accounts</strong> menu (bottom-left) and grant access to <em>AI Engineering Fluency</em>, then wait for the next sync.
+			</div>
 			</div>
 			<div class="card">
 				<h3>Connection</h3>
@@ -540,6 +544,8 @@ export class BackendConfigPanel implements vscode.Disposable {
 			byId('privacyBadge').innerText = 'Privacy: ' + state.privacyBadge;
 			byId('authBadge').innerText = state.authStatus;
 			byId('backendStateBadge').innerText = (state.draft.enabled || state.draft.sharingServerEnabled) ? 'Backend: Enabled' : 'Backend: Disabled';
+			const showGithubWarning = state.draft.sharingServerEnabled && !state.githubTokenAvailable;
+			byId('githubAuthWarning').style.display = showGithubWarning ? 'block' : 'none';
 			updateLastSyncLine(state.lastSyncAt);
 			
 			// Update overview details

vscode-extension/src/backend/facade.ts

@@ -627,12 +627,14 @@ export class BackendFacade {
           : "Auth: Shared Key missing on this machine"
         : "Auth: Entra ID (RBAC)";
     const lastSyncAt = this.deps.context?.globalState?.get<number>('backend.lastSyncAt');
+    const githubTokenAvailable = !!(this.deps.getGithubToken?.());
     return {
       draft,
       sharedKeySet,
       privacyBadge,
       isConfigured: this.isConfigured(settings),
       authStatus,
+      githubTokenAvailable,
       shareConsentAt: settings.shareConsentAt,
       lastSyncAt,
     };