feat(accounts): add account control center

[ozymandiashh]

Summary

Rebases and updates the Account Control Center on current main while preserving the current CLI split: src/cli.ts remains the Node-version-safe launcher, and the account workflow lives in src/main.ts.

This PR builds on the multiple Claude config directory work and turns it into a user-facing attribution workflow for people who run work, personal, desktop, or client Claude accounts side by side.

It answers questions that aggregate cost views cannot answer:

• Which account generated this spend?
• Which projects and sessions drove it?
• Did a work/client project run on the wrong account?
• Is a configured subscription underused or over budget?
• Can usage be exported per account for reimbursement or accountability?

What changed

• Claude discovery carries account metadata from CLAUDE_CONFIG_DIRS through project/session parsing.
• Parser and cache paths preserve account, accountPath, and sourcePath, so the same project path under two Claude accounts does not merge into one summary.
• New codeburn accounts command with text and JSON output.
• Account config stored in CodeBurn config:
  • plan
  • monthlyUsd
  • budgetUsd
  • resetDay
• --account filtering added to:
  • report
  • today
  • month
  • status
  • export
  • accounts
  • optimize
  • compare
• JSON reports include account rollups and account risks.
• CSV/JSON exports include account rows and account metadata.
• Dashboard and compare paths respect account filters while keeping current custom range and multi-plan behavior.

Examples

codeburn accounts
codeburn accounts work
codeburn accounts set work --plan "Claude Max" --monthly-usd 100 --budget-usd 300
codeburn report --account work --format json
codeburn export --account client-a -f csv

A project present under both work and personal account roots is now reported separately instead of being silently merged. Unlabelled provider usage remains grouped as unlabelled, but it does not create duplicate-project noise against labelled Claude accounts.

Account Signals

The account report surfaces:

• total cost and calls,
• sessions and project count,
• edit turns and one-shot turns,
• cost per session and cost per edit,
• top models and top projects,
• subscription utilization vs configured monthly price,
• budget utilization vs configured budget.

Risk signals include:

• duplicate project path across labelled accounts,
• work/client-looking paths on personal accounts,
• personal-looking paths on work/client accounts,
• underused subscription,
• over-budget account.

Review Fixes

Pre-push review found and fixed these issues before the branch was updated:

• Account-scoped project/session keys now prevent same-path projects from merging across accounts.
• Account config matching is case-insensitive, so Work and work do not become separate configured rows.
• Wrong-account heuristics tokenize account labels, so names like homework do not trip the work marker.
• Tiny budget values such as 0.001 render as USD 0.001, not USD 0.
• CSV exports always include deterministic Account and Account Path columns even when the first sorted row is unlabelled.
• Provider-source session IDs are extracted from the actual session-key suffix even if a future provider source includes account metadata.
• The CLI account integration test has an explicit timeout because it launches multiple Node/tsx subprocesses.

Validation

• npx vitest run tests/accounts.test.ts tests/cli-accounts.test.ts tests/parser-filter.test.ts tests/export.test.ts tests/cli-json.test.ts tests/providers/claude.test.ts tests/cli-export-date-range.test.ts — 37/37 passed.
• npx tsc --noEmit --pretty false — passed.
• npm run build — passed.
• git diff --check — passed.
• Argus-style local review — PASS.
• Claude Opus 4.7 effort max review — PASS.
• Gemini 3.1 Pro Preview review — PASS after fixing the required issues above.
• GitHub checks check, semgrep, and assess — passed.

Security / Privacy

This is local aggregation and local config only. It does not add shell execution, network calls, remote writes, or secret handling. CSV export continues to use the existing spreadsheet-injection escaping path.

No local account names, project names, prompts, session IDs, real paths, costs, usage values, or private product details are included in this PR description.

[ozymandiashh]

Validation run on macOS arm64 with private details omitted. This is structural account-output proof, not just build proof.

What was checked:

• accounts --format json produced valid JSON on real local usage.
• The JSON contained the expected top-level sections: accounts, currency, generated, period, and risks.
• Account rows exposed the expected rollup fields for sessions, calls, cost, topProjects, topModels, plan/budget metadata, and account path metadata. Values are intentionally not pasted here.
• The targeted tests cover account aggregation, CLI config behavior, parser filtering, export rows, JSON reporting, Claude account metadata, and date-range export behavior.

Commands:

• npx vitest run tests/accounts.test.ts tests/cli-accounts.test.ts tests/parser-filter.test.ts tests/export.test.ts - targeted tests passed.
• npx tsx src/cli.ts accounts --format json - JSON parsed and structural checks passed.

No local account names, account paths, project names, prompts, session IDs, raw costs, usage totals, or private product details are included here.