
feat: SOFT sensitive-content / PII scanner for sessions#33

Open
jakduch wants to merge 1 commit into
josepe98:mainfrom
jakduch:feat/pii-scanner

Conversation

@jakduch jakduch commented May 23, 2026

What does this add and why do you believe it belongs in this dashboard?

Adds a SOFT, informational-only sensitive-content / PII scanner for sessions. It warns when a session's project name or git branch matches user-configurable regex patterns — out of the box it flags common credential markers like secret, credential, password, api_key, token, .env, .aws/credentials, SSN, private_key, .ssh/. Patterns can be tuned (or replaced wholesale — credit-card numbers, email addresses, anything you want flagged) via ~/.claude/pii-patterns.json.

This belongs in a personal Claude Code usage dashboard precisely because the dashboard is what you tend to share. People screenshot it, paste session IDs into bug reports, screen-share it on calls. Local logs accumulate work from sketchy-named branches (fix/leaked-token, spike/aws-creds) and a quick visual nudge — a small warning chip on the relevant row — is enough to make the user pause before exposing it.

The feature is strictly opt-in in spirit and never blocks anything: the scan runs locally on already-local data, nothing leaves the machine, no session is hidden or rate-limited, and turning it off is one empty JSON file away.

Checklist

Code correctness

  • All calcCost() calls pass 6 arguments: (model, inp, out, cache_read, cache_creation, cache_1h)
  • JavaScript template literals use bare backticks (`), not escaped ones (\`)
  • No JS variables referenced before they are defined
  • No new third-party dependencies introduced

Tests

  • python3 -m unittest discover -s tests -v — all passing
  • python3 -m unittest tests.test_browser -v — all passing
  • New behaviour is covered by at least one test

Scope

  • This is a single concern — one feature or fix per PR
  • Only touches existing files (dashboard.py, scanner.py, cli.py, pricing.py, cowork.py, tests/) — or I've explained below why a new file is needed

Touches dashboard.py (scanner helpers + JS badge) and adds tests/test_pii.py (12 unit tests covering built-in defaults, user-override loading, malformed-file resilience, case-insensitive matching, bad-regex skipping, end-to-end get_dashboard_data attachment, and the JS render helper being bundled into HTML_TEMPLATE).

Test status

$ python3 -m unittest discover -s tests
Ran 202 tests in 2.32s
OK (skipped=6)

@josepe98 josepe98 closed this May 25, 2026
@josepe98 josepe98 reopened this May 25, 2026
@josepe98 josepe98 closed this May 25, 2026
@josepe98 josepe98 reopened this May 25, 2026
@josepe98 josepe98 closed this May 25, 2026
@josepe98 josepe98 reopened this May 25, 2026
@josepe98 josepe98 closed this May 25, 2026
@josepe98 josepe98 reopened this May 25, 2026
@josepe98 josepe98 closed this May 25, 2026
@josepe98 josepe98 reopened this May 25, 2026
@jakduch jakduch force-pushed the feat/pii-scanner branch 3 times, most recently from a482f22 to 43f74d4 on May 26, 2026 20:49
Adds a local, informational-only scanner that flags sessions whose
project name or git branch contains common secret/credential markers
(secret, credential, password, api_key, token, .env, .ssh/, etc).

- Patterns are configurable via ~/.claude/pii-patterns.json (a JSON
  list of regex strings). Falls back to a sensible built-in list when
  the override file is missing or malformed.
- get_dashboard_data attaches a 'sensitive_match' field to every
  session in the JSON payload — empty list = clean.
- The dashboard renders a small warning chip next to flagged
  sessions with a tooltip listing the matched markers.
- Nothing ever leaves the machine; this is a SOFT warning only and
  never blocks anything.

12 new unit tests cover defaults, override loading, match behaviour,
malformed-file resilience, end-to-end JSON wiring, and the JS render
helper being present in the bundled HTML.
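The scanning behaviour described in the PR description and the commit message above (override file with fallback to built-in defaults when missing or malformed, case-insensitive matching, bad regexes skipped, an empty `sensitive_match` list meaning clean), as an added stand-alone example that is not the PR's own `dashboard.py` code. The default marker list and the function names are assumptions modelled on the description.

```python
import json
import re
from pathlib import Path

# Constructed default marker list, modelled on the PR description;
# the project's real built-in list may differ.
DEFAULT_PATTERNS = [
    r"secret", r"credential", r"password", r"api_key", r"token",
    r"\.env", r"\.aws/credentials", r"\bssn\b", r"private_key", r"\.ssh/",
]


def load_patterns(path="~/.claude/pii-patterns.json"):
    """Return the user's regex list, or the defaults when the override
    file is missing, is not valid JSON, or is not a list of strings."""
    try:
        data = json.loads(Path(path).expanduser().read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return list(DEFAULT_PATTERNS)
    if not isinstance(data, list) or not all(isinstance(p, str) for p in data):
        return list(DEFAULT_PATTERNS)
    return data  # an empty list is a valid override: it turns the scan off


def compile_patterns(patterns):
    """Compile case-insensitively; drop patterns that fail to compile so one
    bad regex in the override file cannot disable the whole scan."""
    compiled = []
    for p in patterns:
        try:
            compiled.append((p, re.compile(p, re.IGNORECASE)))
        except re.error:
            continue
    return compiled


def scan_text(text, compiled):
    """Return the source patterns that match anywhere in text, in list order."""
    return [p for p, rx in compiled if rx.search(text or "")]


def attach_sensitive_match(sessions, compiled):
    """Attach a 'sensitive_match' list (matched markers, de-duplicated) to
    every session dict; an empty list means the session is clean."""
    for s in sessions:
        hits = scan_text(s.get("project", ""), compiled)
        hits += [p for p in scan_text(s.get("branch", ""), compiled) if p not in hits]
        s["sensitive_match"] = hits
    return sessions


if __name__ == "__main__":
    # Constructed sample sessions; the override path does not need to exist.
    rows = [{"project": "my-app", "branch": "fix/leaked-TOKEN"},
            {"project": "website", "branch": "main"}]
    print(attach_sensitive_match(rows, compile_patterns(load_patterns())))
```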
@jakduch jakduch force-pushed the feat/pii-scanner branch from 43f74d4 to ca6f3d4 on May 26, 2026 21:06