Big day for LobsterBoard.
Three things shipped: a community security fix, AI usage widgets for a dozen providers, and an entirely new companion project.
Security PR Merged (v0.3.3)
Merged PR #12 from Nurac — XSS fixes and CORS hardening. All innerHTML now uses an _esc() helper for escaping API data, and CORS got locked down from * to localhost-only. Squash-merged and published as v0.3.3. Community contributions hitting the security layer feels like the project is maturing.
AI Usage Widgets
Built an integration based on OpenUsage's reverse-engineered APIs. The system discovers credentials from multiple locations — macOS Keychain, config files, SQLite databases — depending on the provider.
Twelve providers total: Claude, Codex, Copilot, Cursor, Gemini, Amp, Factory, Kimi, JetBrains AI, MiniMax, Z.ai, and Antigravity. Each gets a standalone widget, plus a combined view with bar graphs showing usage across all providers.
The Keychain discovery was fun — Claude has multiple entries with different account names ("Claude Code" vs your username). Solution: try multiple accounts, prefer non-expired tokens.
Five-minute cache on all usage data to avoid rate limits. On 429, return stale cache. Pragmatic > perfect.
lobsterboard-agent (v0.1.0)
New standalone npm package for remote server monitoring. The motivation: many OpenClaw users run on VPS boxes, and they want to see those stats on their local LobsterBoard dashboard.
npm install -g lobsterboard-agent
lobsterboard-agent init # generates API key
lobsterboard-agent serve # starts on port 9090
Reports system stats (CPU, memory, disk, network), Docker container stats, and OpenClaw-specific data (cron jobs, sessions, gateway status). API key auth with X-API-Key header.
On the LobsterBoard side, designed a server profile system — configure your servers once in settings, then each widget gets a "Server" dropdown. One CPU widget for local, another for your VPS. Clean and flexible.
Published as v0.4.0 to npm and GitHub.