@agent-relay/credential-proxy 4.0.10 → 4.0.36

package/README.md

@@ -0,0 +1,71 @@
+# @agent-relay/credential-proxy
+
+JWT-authenticated credential proxy for upstream LLM providers. Lets sandboxed
+agents call provider APIs (OpenAI, Anthropic, OpenRouter) without being given
+raw provider credentials — the proxy holds the keys, agents present per-session
+JWTs, and the proxy enforces per-credential token budgets.
+
+## What it is
+
+A Hono app plus a handful of helpers:
+
+- `createCredentialProxyApp(options)` — mounts the HTTP router (`/health`,
+  `/usage`, and a catch-all provider-forwarding route under `*`). Use it
+  directly in Node (via `@hono/node-server`) or bind it inside a Cloudflare
+  Worker.
+- `mintProxyToken(...)` / `verifyProxyToken(...)` — JWT helpers built on
+  [`jose`](https://github.com/panva/jose). HS256 by default, audience
+  `relay-llm-proxy`.
+- `MeteringCollector` + `checkBudget` — in-memory usage accounting with
+  pessimistic reservations so concurrent requests can't bypass the declared
+  budget.
+- Provider adapters under `providers/` — translate incoming JWT claims to the
+  correct upstream HTTP request for OpenAI / Anthropic / OpenRouter.
+
+## Environment variables
+
+Required at runtime (the host of the proxy):
+
+| Variable                            | Purpose                                                      |
+| ----------------------------------- | ------------------------------------------------------------ |
+| `CREDENTIAL_PROXY_JWT_SECRET`       | HS256 secret the proxy uses to verify per-session JWTs.      |
+| `CREDENTIAL_PROXY_ADMIN_JWT_SECRET` | Secret for admin-scoped tokens (e.g. the `/usage` endpoint). |
+| `CREDENTIAL_PROXY_ADMIN_AUDIENCE`   | Audience claim the proxy requires on admin tokens.           |
+| `OPENAI_API_KEY`                    | Upstream credential for the OpenAI provider adapter.         |
+| `ANTHROPIC_API_KEY`                 | Upstream credential for the Anthropic provider adapter.      |
+| `OPENROUTER_API_KEY`                | Upstream credential for the OpenRouter provider adapter.     |
+
+Only the provider keys you actually forward to need to be set — missing keys
+surface as `502 credential_unavailable` on the relevant route.
+
+The agent side (whichever process mints tokens and launches the sandboxed CLI)
+uses `CREDENTIAL_PROXY_JWT_SECRET` to sign tokens and puts them into the agent's
+environment as `CREDENTIAL_PROXY_TOKEN` (alias: `RELAY_LLM_PROXY_TOKEN`) plus
+`RELAY_LLM_PROXY` / `RELAY_LLM_PROXY_URL` so the SDK's `proxy-env` helpers can
+wire up per-CLI `OPENAI_BASE_URL` / `ANTHROPIC_BASE_URL` overrides.
+
+## Usage
+
+```ts
+import { serve } from '@hono/node-server';
+import { createCredentialProxyApp } from '@agent-relay/credential-proxy';
+
+const app = createCredentialProxyApp({
+  // Defaults to process.env.CREDENTIAL_PROXY_JWT_SECRET / ADMIN_JWT_SECRET.
+});
+
+serve({ fetch: app.fetch, port: Number(process.env.PORT ?? 3001) });
+```
+
+For the SDK-side wiring that lets workflow agents use the proxy transparently,
+see [`@agent-relay/sdk/workflows`'s proxy-env
+module](../sdk/src/workflows/proxy-env.ts) and the `credentialProxy` field on
+`SwarmConfig`.
+
+## Development
+
+```bash
+npm run build      # tsc → dist/
+npm run test       # vitest
+npm run dev        # builds then runs the proxy on PORT (default 3001)
+```

package/dist/crypto-polyfill.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=crypto-polyfill.d.ts.map

package/dist/crypto-polyfill.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-polyfill.d.ts","sourceRoot":"","sources":["../src/crypto-polyfill.ts"],"names":[],"mappings":""}

package/dist/crypto-polyfill.js

@@ -0,0 +1,8 @@
+// jose@^6 ships only a webapi build and requires globalThis.crypto. Node 18
+// gates this behind --experimental-global-webcrypto, so expose it explicitly.
+import { webcrypto } from 'node:crypto';
+const target = globalThis;
+if (typeof target.crypto === 'undefined') {
+    target.crypto = webcrypto;
+}
+//# sourceMappingURL=crypto-polyfill.js.map

package/dist/crypto-polyfill.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-polyfill.js","sourceRoot":"","sources":["../src/crypto-polyfill.ts"],"names":[],"mappings":"AAAA,4EAA4E;AAC5E,8EAA8E;AAC9E,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,MAAM,MAAM,GAAG,UAAqC,CAAC;AACrD,IAAI,OAAO,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;IACzC,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC;AAC5B,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,17 @@
+import { createServer } from 'node:http';
+import { type CredentialProxyApp, type CredentialProxyOptions } from './router.js';
+export { app, createCredentialProxyApp } from './router.js';
+export { MeteringCollector, checkBudget, DEFAULT_BUDGET_RESERVATION } from './metering.js';
+export { mintProxyToken, verifyProxyToken } from './jwt.js';
+export * from './providers/index.js';
+export type * from './providers/types.js';
+export type { AdminTokenClaims, MeteringRecord, ProviderType, ProxyRequest, ProxyResponse, ProxyTokenClaims, UsageSummary, } from './types.js';
+export type { CredentialProxyOptions, CredentialProxyVariables, CredentialStore, } from './router.js';
+export interface StandaloneServeOptions extends CredentialProxyOptions {
+    app?: CredentialProxyApp;
+    hostname?: string;
+    port?: number;
+}
+export type CredentialProxyServer = ReturnType<typeof createServer>;
+export declare function serve(options?: StandaloneServeOptions): Promise<CredentialProxyServer>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAC;AAKpF,OAAO,EAGL,KAAK,kBAAkB,EACvB,KAAK,sBAAsB,EAC5B,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,GAAG,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,0BAA0B,EAAE,MAAM,eAAe,CAAC;AAC3F,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5D,cAAc,sBAAsB,CAAC;AACrC,mBAAmB,sBAAsB,CAAC;AAC1C,YAAY,EACV,gBAAgB,EAChB,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,gBAAgB,EAChB,YAAY,GACb,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,sBAAsB,EACtB,wBAAwB,EACxB,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,MAAM,WAAW,sBAAuB,SAAQ,sBAAsB;IACpE,GAAG,CAAC,EAAE,kBAAkB,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,MAAM,qBAAqB,GAAG,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;AAEpE,wBAAsB,KAAK,CAAC,OAAO,GAAE,sBAA2B,GAAG,OAAO,CAAC,qBAAqB,CAAC,CA4BhG"}

package/dist/index.js

@@ -0,0 +1,89 @@
+import { createServer } from 'node:http';
+import { once } from 'node:events';
+import { Readable } from 'node:stream';
+import { pathToFileURL } from 'node:url';
+import { createCredentialProxyApp, } from './router.js';
+export { app, createCredentialProxyApp } from './router.js';
+export { MeteringCollector, checkBudget, DEFAULT_BUDGET_RESERVATION } from './metering.js';
+export { mintProxyToken, verifyProxyToken } from './jwt.js';
+export * from './providers/index.js';
+export async function serve(options = {}) {
+    const proxyApp = options.app ?? createCredentialProxyApp(options);
+    const port = options.port ?? Number.parseInt(process.env.PORT ?? '3001', 10);
+    const hostname = options.hostname ?? process.env.HOST ?? '0.0.0.0';
+    const server = createServer(async (req, res) => {
+        try {
+            const request = createWebRequest(req);
+            const response = await proxyApp.fetch(request);
+            await writeWebResponse(res, response);
+        }
+        catch (error) {
+            console.error('[credential-proxy] standalone server error', error);
+            res.statusCode = 500;
+            res.setHeader('content-type', 'application/json');
+            res.end(JSON.stringify({ error: 'Internal server error', code: 'internal_error' }));
+        }
+    });
+    await new Promise((resolve, reject) => {
+        server.once('error', reject);
+        server.listen(port, hostname, () => {
+            server.off('error', reject);
+            resolve();
+        });
+    });
+    console.log(`credential-proxy listening on http://${hostname}:${port}`);
+    return server;
+}
+function createWebRequest(req) {
+    const protocol = 'encrypted' in req.socket && req.socket.encrypted ? 'https' : 'http';
+    const host = req.headers.host ?? 'localhost';
+    const url = new URL(req.url ?? '/', `${protocol}://${host}`);
+    const headers = new Headers();
+    for (const [key, value] of Object.entries(req.headers)) {
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                headers.append(key, item);
+            }
+            continue;
+        }
+        if (typeof value === 'string') {
+            headers.set(key, value);
+        }
+    }
+    const method = req.method ?? 'GET';
+    const body = method === 'GET' || method === 'HEAD'
+        ? undefined
+        : Readable.toWeb(req);
+    return new Request(url, {
+        method,
+        headers,
+        body,
+        duplex: body ? 'half' : undefined,
+    });
+}
+async function writeWebResponse(res, response) {
+    res.statusCode = response.status;
+    res.statusMessage = response.statusText;
+    response.headers.forEach((value, key) => {
+        res.setHeader(key, value);
+    });
+    if (!response.body) {
+        res.end();
+        return;
+    }
+    const readable = Readable.fromWeb(response.body);
+    readable.on('error', (error) => {
+        console.error('[credential-proxy] response streaming error', error);
+        res.destroy(error);
+    });
+    for await (const chunk of readable) {
+        if (!res.write(chunk)) {
+            await once(res, 'drain');
+        }
+    }
+    res.end();
+}
+if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href) {
+    void serve();
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAC;AACpF,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AACnC,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAEL,wBAAwB,GAGzB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,GAAG,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,0BAA0B,EAAE,MAAM,eAAe,CAAC;AAC3F,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5D,cAAc,sBAAsB,CAAC;AAyBrC,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,UAAkC,EAAE;IAC9D,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,IAAI,wBAAwB,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;IAC7E,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS,CAAC;IAEnE,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC7C,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACtC,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC/C,MAAM,gBAAgB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,4CAA4C,EAAE,KAAK,CAAC,CAAC;YACnE,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;YAClD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC;QACtF,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE;YACjC,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC5B,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO,CAAC,GAAG,CAAC,wCAAwC,QAAQ,IAAI,IAAI,EAAE,CAAC,CAAC;IACxE,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAoB;IAC5C,MAAM,QAAQ,GAAG,WAAW,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;IACtF,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,WAAW,CAAC;IAC7C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,GAAG,QAAQ,MAAM,IAAI,EAAE,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAE9B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QACvD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YAC5B,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC;IACnC,MAAM,IAAI,GACR,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM;QACnC,CAAC,CAAC,SAAS;QACX,CAAC,CAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAgC,CAAC;IAE1D,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE;QACtB,MAAM;QACN,OAAO;QACP,IAAI;QACJ,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;KAClC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,GAAmB,EAAE,QAAkB;IACrE,GAAG,CAAC,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC;IACjC,GAAG,CAAC,aAAa,GAAG,QAAQ,CAAC,UAAU,CAAC;IAExC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACtC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnB,GAAG,CAAC,GAAG,EAAE,CAAC;QACV,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAsB,CAAC,CAAC;IAEnE,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;QAC7B,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,KAAK,CAAC,CAAC;QACpE,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;QACnC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACtB,MAAM,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,GAAG,CAAC,GAAG,EAAE,CAAC;AACZ,CAAC;AAED,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC/E,KAAK,KAAK,EAAE,CAAC;AACf,CAAC"}

package/dist/jwt.d.ts

@@ -0,0 +1,20 @@
+import './crypto-polyfill.js';
+import type { ProxyTokenClaims } from './types.js';
+export type { ProxyTokenClaims } from './types.js';
+export declare const PROXY_TOKEN_AUDIENCE = "relay-llm-proxy";
+export declare const DEFAULT_PROXY_TOKEN_TTL_SECONDS: number;
+export declare class TokenInvalidError extends Error {
+    readonly cause?: unknown;
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+export declare class TokenExpiredError extends Error {
+    readonly cause?: unknown;
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+export declare function mintProxyToken(claims: ProxyTokenClaims, secret: string): Promise<string>;
+export declare function verifyProxyToken(token: string, secret: string): Promise<ProxyTokenClaims>;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAG9B,OAAO,KAAK,EAAE,gBAAgB,EAAgB,MAAM,YAAY,CAAC;AAEjE,YAAY,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEnD,eAAO,MAAM,oBAAoB,oBAAoB,CAAC;AACtD,eAAO,MAAM,+BAA+B,QAAU,CAAC;AAIvD,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;gBAEb,OAAO,SAAwB,EAAE,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAK3E;AAED,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;gBAEb,OAAO,SAAwB,EAAE,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAK3E;AAiED,wBAAsB,cAAc,CAAC,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAc9F;AAED,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAmB/F"}

package/dist/jwt.js

@@ -0,0 +1,102 @@
+import './crypto-polyfill.js';
+import { SignJWT, errors, jwtVerify } from 'jose';
+export const PROXY_TOKEN_AUDIENCE = 'relay-llm-proxy';
+export const DEFAULT_PROXY_TOKEN_TTL_SECONDS = 15 * 60;
+const encoder = new TextEncoder();
+export class TokenInvalidError extends Error {
+    cause;
+    constructor(message = 'Invalid proxy token', options) {
+        super(message);
+        this.name = 'TokenInvalidError';
+        this.cause = options?.cause;
+    }
+}
+export class TokenExpiredError extends Error {
+    cause;
+    constructor(message = 'Proxy token expired', options) {
+        super(message);
+        this.name = 'TokenExpiredError';
+        this.cause = options?.cause;
+    }
+}
+function getSecretKey(secret) {
+    return encoder.encode(secret);
+}
+function isProviderType(value) {
+    return value === 'openai' || value === 'anthropic' || value === 'openrouter';
+}
+function normalizeAudience(value) {
+    if (value === PROXY_TOKEN_AUDIENCE) {
+        return PROXY_TOKEN_AUDIENCE;
+    }
+    if (Array.isArray(value) && value.includes(PROXY_TOKEN_AUDIENCE)) {
+        return PROXY_TOKEN_AUDIENCE;
+    }
+    throw new TokenInvalidError('Invalid proxy token audience');
+}
+function normalizeClaims(payload) {
+    const { sub, aud, provider, credentialId, budget, exp } = payload;
+    if (typeof sub !== 'string' || sub.length === 0) {
+        throw new TokenInvalidError('Invalid proxy token subject');
+    }
+    if (!isProviderType(provider)) {
+        throw new TokenInvalidError('Invalid proxy token provider');
+    }
+    if (typeof credentialId !== 'string' || credentialId.length === 0) {
+        throw new TokenInvalidError('Invalid proxy token credentialId');
+    }
+    if (budget !== undefined && (typeof budget !== 'number' || !Number.isFinite(budget) || budget < 0)) {
+        throw new TokenInvalidError('Invalid proxy token budget');
+    }
+    if (typeof exp !== 'number' || !Number.isFinite(exp)) {
+        throw new TokenInvalidError('Invalid proxy token expiration');
+    }
+    const normalizedBudget = typeof budget === 'number' ? budget : undefined;
+    return {
+        sub,
+        aud: normalizeAudience(aud),
+        provider,
+        credentialId,
+        budget: normalizedBudget,
+        exp: Math.floor(exp),
+    };
+}
+function resolveExpirationTime(exp) {
+    if (typeof exp === 'number' && Number.isFinite(exp)) {
+        return Math.floor(exp);
+    }
+    return Math.floor(Date.now() / 1000) + DEFAULT_PROXY_TOKEN_TTL_SECONDS;
+}
+export async function mintProxyToken(claims, secret) {
+    const expirationTime = resolveExpirationTime(claims.exp);
+    return new SignJWT({
+        provider: claims.provider,
+        credentialId: claims.credentialId,
+        ...(claims.budget === undefined ? {} : { budget: claims.budget }),
+    })
+        .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+        .setSubject(claims.sub)
+        .setAudience(claims.aud)
+        .setIssuedAt()
+        .setExpirationTime(expirationTime)
+        .sign(getSecretKey(secret));
+}
+export async function verifyProxyToken(token, secret) {
+    try {
+        const { payload } = await jwtVerify(token, getSecretKey(secret), {
+            algorithms: ['HS256'],
+            audience: PROXY_TOKEN_AUDIENCE,
+        });
+        return normalizeClaims(payload);
+    }
+    catch (error) {
+        if (error instanceof errors.JWTExpired) {
+            throw new TokenExpiredError('Proxy token expired', { cause: error });
+        }
+        if (error instanceof TokenInvalidError) {
+            throw error;
+        }
+        throw new TokenInvalidError('Proxy token is invalid', { cause: error });
+    }
+}
+//# sourceMappingURL=jwt.js.map

package/dist/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAC9B,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAMlD,MAAM,CAAC,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AACtD,MAAM,CAAC,MAAM,+BAA+B,GAAG,EAAE,GAAG,EAAE,CAAC;AAEvD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;AAElC,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,KAAK,CAAW;IAEzB,YAAY,OAAO,GAAG,qBAAqB,EAAE,OAA6B;QACxE,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,KAAK,GAAG,OAAO,EAAE,KAAK,CAAC;IAC9B,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,KAAK,CAAW;IAEzB,YAAY,OAAO,GAAG,qBAAqB,EAAE,OAA6B;QACxE,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,KAAK,GAAG,OAAO,EAAE,KAAK,CAAC;IAC9B,CAAC;CACF;AAED,SAAS,YAAY,CAAC,MAAc;IAClC,OAAO,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,WAAW,IAAI,KAAK,KAAK,YAAY,CAAC;AAC/E,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,KAAK,KAAK,oBAAoB,EAAE,CAAC;QACnC,OAAO,oBAAoB,CAAC;IAC9B,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACjE,OAAO,oBAAoB,CAAC;IAC9B,CAAC;IAED,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,eAAe,CAAC,OAAgC;IACvD,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC;IAElE,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,iBAAiB,CAAC,6BAA6B,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,iBAAiB,CAAC,kCAAkC,CAAC,CAAC;IAClE,CAAC;IAED,IAAI,MAAM,KAAK,SAAS,IAAI,CAAC,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;QACnG,MAAM,IAAI,iBAAiB,CAAC,4BAA4B,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;IAChE,CAAC;IAED,MAAM,gBAAgB,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;IAEzE,OAAO;QACL,GAAG;QACH,GAAG,EAAE,iBAAiB,CAAC,GAAG,CAAC;QAC3B,QAAQ;QACR,YAAY;QACZ,MAAM,EAAE,gBAAgB;QACxB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;KACrB,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAY;IACzC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAED,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,+BAA+B,CAAC;AACzE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAwB,EAAE,MAAc;IAC3E,MAAM,cAAc,GAAG,qBAAqB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAEzD,OAAO,IAAI,OAAO,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;KAClE,CAAC;SACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;SAChD,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC;SACtB,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC;SACvB,WAAW,EAAE;SACb,iBAAiB,CAAC,cAAc,CAAC;SACjC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,KAAa,EAAE,MAAc;IAClE,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,MAAM,CAAC,EAAE;YAC/D,UAAU,EAAE,CAAC,OAAO,CAAC;YACrB,QAAQ,EAAE,oBAAoB;SAC/B,CAAC,CAAC;QAEH,OAAO,eAAe,CAAC,OAAkC,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,MAAM,CAAC,UAAU,EAAE,CAAC;YACvC,MAAM,IAAI,iBAAiB,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACvE,CAAC;QAED,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;YACvC,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,IAAI,iBAAiB,CAAC,wBAAwB,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC"}

package/dist/metering.d.ts

@@ -0,0 +1,27 @@
+import type { MeteringRecord, ProxyTokenClaims, UsageSummary } from './types.js';
+export declare class MeteringCollector {
+    private readonly buffer;
+    private readonly pendingTokens;
+    record(entry: MeteringRecord): void;
+    /**
+     * Reserve tokens against a workspace budget before forwarding the request.
+     * This prevents concurrent requests from bypassing budget limits (TOCTOU).
+     */
+    reservePending(workspaceId: string, tokens: number): void;
+    /**
+     * Release a pending reservation (after metering the actual usage or on failure).
+     */
+    releasePending(workspaceId: string, tokens: number): void;
+    getPendingTokens(workspaceId: string): number;
+    flush(): MeteringRecord[];
+    getUsageByWorkspace(workspaceId: string): UsageSummary;
+    getUsageByCredential(credentialId: string): UsageSummary;
+    getTotalUsage(): UsageSummary;
+}
+export declare function checkBudget(claims: ProxyTokenClaims, collector: MeteringCollector): {
+    allowed: boolean;
+    remaining?: number;
+};
+/** Default pessimistic token reservation for in-flight requests. */
+export declare const DEFAULT_BUDGET_RESERVATION = 4096;
+//# sourceMappingURL=metering.d.ts.map

package/dist/metering.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metering.d.ts","sourceRoot":"","sources":["../src/metering.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AA8BjF,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAC/C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA6B;IAE3D,MAAM,CAAC,KAAK,EAAE,cAAc,GAAG,IAAI;IAInC;;;OAGG;IACH,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI;IAKzD;;OAEG;IACH,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI;IAUzD,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM;IAI7C,KAAK,IAAI,cAAc,EAAE;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,YAAY;IAItD,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,YAAY;IAIxD,aAAa,IAAI,YAAY;CAG9B;AAED,wBAAgB,WAAW,CACzB,MAAM,EAAE,gBAAgB,EACxB,SAAS,EAAE,iBAAiB,GAC3B;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAa1C;AAED,oEAAoE;AACpE,eAAO,MAAM,0BAA0B,OAAO,CAAC"}

package/dist/metering.js

@@ -0,0 +1,82 @@
+function createEmptyUsageSummary() {
+    return {
+        inputTokens: 0,
+        outputTokens: 0,
+        requests: 0,
+    };
+}
+function aggregateUsage(records, predicate) {
+    return records.reduce((summary, record) => {
+        if (predicate && !predicate(record)) {
+            return summary;
+        }
+        summary.inputTokens += record.inputTokens;
+        summary.outputTokens += record.outputTokens;
+        summary.requests += 1;
+        return summary;
+    }, createEmptyUsageSummary());
+}
+function getConsumedBudget(summary) {
+    return summary.inputTokens + summary.outputTokens;
+}
+export class MeteringCollector {
+    buffer = [];
+    pendingTokens = new Map();
+    record(entry) {
+        this.buffer.push({ ...entry });
+    }
+    /**
+     * Reserve tokens against a workspace budget before forwarding the request.
+     * This prevents concurrent requests from bypassing budget limits (TOCTOU).
+     */
+    reservePending(workspaceId, tokens) {
+        const current = this.pendingTokens.get(workspaceId) ?? 0;
+        this.pendingTokens.set(workspaceId, current + tokens);
+    }
+    /**
+     * Release a pending reservation (after metering the actual usage or on failure).
+     */
+    releasePending(workspaceId, tokens) {
+        const current = this.pendingTokens.get(workspaceId) ?? 0;
+        const next = Math.max(0, current - tokens);
+        if (next === 0) {
+            this.pendingTokens.delete(workspaceId);
+        }
+        else {
+            this.pendingTokens.set(workspaceId, next);
+        }
+    }
+    getPendingTokens(workspaceId) {
+        return this.pendingTokens.get(workspaceId) ?? 0;
+    }
+    flush() {
+        const flushed = this.buffer.map((entry) => ({ ...entry }));
+        this.buffer.length = 0;
+        // TODO: Replace the in-memory buffer with a durable backend flush target.
+        return flushed;
+    }
+    getUsageByWorkspace(workspaceId) {
+        return aggregateUsage(this.buffer, (record) => record.workspaceId === workspaceId);
+    }
+    getUsageByCredential(credentialId) {
+        return aggregateUsage(this.buffer, (record) => record.credentialId === credentialId);
+    }
+    getTotalUsage() {
+        return aggregateUsage(this.buffer);
+    }
+}
+export function checkBudget(claims, collector) {
+    if (claims.budget === undefined) {
+        return { allowed: true };
+    }
+    const usage = collector.getUsageByWorkspace(claims.sub);
+    const consumed = getConsumedBudget(usage) + collector.getPendingTokens(claims.sub);
+    const remaining = Math.max(0, claims.budget - consumed);
+    return {
+        allowed: consumed < claims.budget,
+        remaining,
+    };
+}
+/** Default pessimistic token reservation for in-flight requests. */
+export const DEFAULT_BUDGET_RESERVATION = 4096;
+//# sourceMappingURL=metering.js.map

package/dist/metering.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metering.js","sourceRoot":"","sources":["../src/metering.ts"],"names":[],"mappings":"AAEA,SAAS,uBAAuB;IAC9B,OAAO;QACL,WAAW,EAAE,CAAC;QACd,YAAY,EAAE,CAAC;QACf,QAAQ,EAAE,CAAC;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CACrB,OAAkC,EAClC,SAA+C;IAE/C,OAAO,OAAO,CAAC,MAAM,CAAe,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACtD,IAAI,SAAS,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;YACpC,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,OAAO,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW,CAAC;QAC1C,OAAO,CAAC,YAAY,IAAI,MAAM,CAAC,YAAY,CAAC;QAC5C,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAC;QACtB,OAAO,OAAO,CAAC;IACjB,CAAC,EAAE,uBAAuB,EAAE,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAqB;IAC9C,OAAO,OAAO,CAAC,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC;AACpD,CAAC;AAED,MAAM,OAAO,iBAAiB;IACX,MAAM,GAAqB,EAAE,CAAC;IAC9B,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE3D,MAAM,CAAC,KAAqB;QAC1B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;IACjC,CAAC;IAED;;;OAGG;IACH,cAAc,CAAC,WAAmB,EAAE,MAAc;QAChD,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QACzD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,GAAG,MAAM,CAAC,CAAC;IACxD,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,WAAmB,EAAE,MAAc;QAChD,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC,CAAC;QAC3C,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;YACf,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,gBAAgB,CAAC,WAAmB;QAClC,OAAO,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC;IAED,KAAK;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;QAEvB,0EAA0E;QAC1E,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,mBAAmB,CAAC,WAAmB;QACrC,OAAO,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,WAAW,KAAK,WAAW,CAAC,CAAC;IACrF,CAAC;IAED,oBAAoB,CAAC,YAAoB;QACvC,OAAO,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,KAAK,YAAY,CAAC,CAAC;IACvF,CAAC;IAED,aAAa;QACX,OAAO,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;CACF;AAED,MAAM,UAAU,WAAW,CACzB,MAAwB,EACxB,SAA4B;IAE5B,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,MAAM,KAAK,GAAG,SAAS,CAAC,mBAAmB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC,gBAAgB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACnF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;IAExD,OAAO;QACL,OAAO,EAAE,QAAQ,GAAG,MAAM,CAAC,MAAM;QACjC,SAAS;KACV,CAAC;AACJ,CAAC;AAED,oEAAoE;AACpE,MAAM,CAAC,MAAM,0BAA0B,GAAG,IAAI,CAAC"}

package/dist/providers/anthropic.d.ts

@@ -0,0 +1,11 @@
+import { type ProviderAdapter, type TokenUsage } from './types.js';
+export declare class AnthropicProviderAdapter implements ProviderAdapter {
+    readonly name: "anthropic";
+    readonly baseUrl = "https://api.anthropic.com";
+    authHeader(apiKey: string): Record<string, string>;
+    matchesPath(path: string): boolean;
+    forwardRequest(req: Request, apiKey: string): Promise<Response>;
+    extractUsage(response: Response | object): TokenUsage | null;
+}
+export declare const anthropicProviderAdapter: AnthropicProviderAdapter;
+//# sourceMappingURL=anthropic.d.ts.map

package/dist/providers/anthropic.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"anthropic.d.ts","sourceRoot":"","sources":["../../src/providers/anthropic.ts"],"names":[],"mappings":"AAAA,OAAO,EAKL,KAAK,eAAe,EACpB,KAAK,UAAU,EAChB,MAAM,YAAY,CAAC;AAUpB,qBAAa,wBAAyB,YAAW,eAAe;IAC9D,QAAQ,CAAC,IAAI,EAAG,WAAW,CAAU;IACrC,QAAQ,CAAC,OAAO,+BAA+B;IAE/C,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAOlD,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIlC,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAU/D,YAAY,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,UAAU,GAAG,IAAI;CAO7D;AAED,eAAO,MAAM,wBAAwB,0BAAiC,CAAC"}

package/dist/providers/anthropic.js

@@ -0,0 +1,39 @@
+import { extractAnthropicUsage, forwardProviderRequest, getCapturedUsage, normalizePath, } from './types.js';
+function extractStreamingUsage(eventData) {
+    try {
+        return extractAnthropicUsage(JSON.parse(eventData));
+    }
+    catch {
+        return null;
+    }
+}
+export class AnthropicProviderAdapter {
+    name = 'anthropic';
+    baseUrl = 'https://api.anthropic.com';
+    authHeader(apiKey) {
+        return {
+            'x-api-key': apiKey,
+            'anthropic-version': '2023-06-01',
+        };
+    }
+    matchesPath(path) {
+        return normalizePath(path) === '/v1/messages';
+    }
+    forwardRequest(req, apiKey) {
+        return forwardProviderRequest({
+            request: req,
+            baseUrl: this.baseUrl,
+            authHeaders: this.authHeader(apiKey),
+            usageExtractor: extractAnthropicUsage,
+            streamingUsageExtractor: extractStreamingUsage,
+        });
+    }
+    extractUsage(response) {
+        if (response instanceof Response) {
+            return getCapturedUsage(response);
+        }
+        return extractAnthropicUsage(response);
+    }
+}
+export const anthropicProviderAdapter = new AnthropicProviderAdapter();
+//# sourceMappingURL=anthropic.js.map

package/dist/providers/anthropic.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"anthropic.js","sourceRoot":"","sources":["../../src/providers/anthropic.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,gBAAgB,EAChB,aAAa,GAGd,MAAM,YAAY,CAAC;AAEpB,SAAS,qBAAqB,CAAC,SAAiB;IAC9C,IAAI,CAAC;QACH,OAAO,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAY,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,OAAO,wBAAwB;IAC1B,IAAI,GAAG,WAAoB,CAAC;IAC5B,OAAO,GAAG,2BAA2B,CAAC;IAE/C,UAAU,CAAC,MAAc;QACvB,OAAO;YACL,WAAW,EAAE,MAAM;YACnB,mBAAmB,EAAE,YAAY;SAClC,CAAC;IACJ,CAAC;IAED,WAAW,CAAC,IAAY;QACtB,OAAO,aAAa,CAAC,IAAI,CAAC,KAAK,cAAc,CAAC;IAChD,CAAC;IAED,cAAc,CAAC,GAAY,EAAE,MAAc;QACzC,OAAO,sBAAsB,CAAC;YAC5B,OAAO,EAAE,GAAG;YACZ,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YACpC,cAAc,EAAE,qBAAqB;YACrC,uBAAuB,EAAE,qBAAqB;SAC/C,CAAC,CAAC;IACL,CAAC;IAED,YAAY,CAAC,QAA2B;QACtC,IAAI,QAAQ,YAAY,QAAQ,EAAE,CAAC;YACjC,OAAO,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QACpC,CAAC;QAED,OAAO,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;CACF;AAED,MAAM,CAAC,MAAM,wBAAwB,GAAG,IAAI,wBAAwB,EAAE,CAAC"}

package/dist/providers/index.d.ts

@@ -0,0 +1,9 @@
+import type { ProviderAdapter } from './types.js';
+export { AnthropicProviderAdapter, anthropicProviderAdapter } from './anthropic.js';
+export { OpenAIProviderAdapter, openAIProviderAdapter } from './openai.js';
+export { OpenRouterProviderAdapter, openRouterProviderAdapter } from './openrouter.js';
+export * from './types.js';
+export declare const providerRegistry: ProviderAdapter[];
+export declare function resolveProviderByName(name: ProviderAdapter['name']): ProviderAdapter;
+export declare function resolveProvider(path: string): ProviderAdapter;
+//# sourceMappingURL=index.d.ts.map

package/dist/providers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/providers/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,OAAO,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AACpF,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAC3E,OAAO,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AACvF,cAAc,YAAY,CAAC;AAE3B,eAAO,MAAM,gBAAgB,EAAE,eAAe,EAI7C,CAAC;AAEF,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,eAAe,CAAC,MAAM,CAAC,GAAG,eAAe,CAQpF;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAQ7D"}

package/dist/providers/index.js

@@ -0,0 +1,27 @@
+import { anthropicProviderAdapter } from './anthropic.js';
+import { openAIProviderAdapter } from './openai.js';
+import { openRouterProviderAdapter } from './openrouter.js';
+export { AnthropicProviderAdapter, anthropicProviderAdapter } from './anthropic.js';
+export { OpenAIProviderAdapter, openAIProviderAdapter } from './openai.js';
+export { OpenRouterProviderAdapter, openRouterProviderAdapter } from './openrouter.js';
+export * from './types.js';
+export const providerRegistry = [
+    anthropicProviderAdapter,
+    openAIProviderAdapter,
+    openRouterProviderAdapter,
+];
+export function resolveProviderByName(name) {
+    const adapter = providerRegistry.find((candidate) => candidate.name === name);
+    if (!adapter) {
+        throw new Error(`Unsupported provider: ${name}`);
+    }
+    return adapter;
+}
+export function resolveProvider(path) {
+    const adapter = providerRegistry.find((candidate) => candidate.matchesPath(path));
+    if (!adapter) {
+        throw new Error(`Unsupported provider path: ${path}`);
+    }
+    return adapter;
+}
+//# sourceMappingURL=index.js.map

package/dist/providers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/providers/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAG5D,OAAO,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AACpF,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAC3E,OAAO,EAAE,yBAAyB,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AACvF,cAAc,YAAY,CAAC;AAE3B,MAAM,CAAC,MAAM,gBAAgB,GAAsB;IACjD,wBAAwB;IACxB,qBAAqB;IACrB,yBAAyB;CAC1B,CAAC;AAEF,MAAM,UAAU,qBAAqB,CAAC,IAA6B;IACjE,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAE9E,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;IAElF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,8BAA8B,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/providers/openai.d.ts

@@ -0,0 +1,11 @@
+import { type ProviderAdapter, type TokenUsage } from './types.js';
+export declare class OpenAIProviderAdapter implements ProviderAdapter {
+    readonly name: "openai";
+    readonly baseUrl = "https://api.openai.com";
+    authHeader(apiKey: string): Record<string, string>;
+    matchesPath(path: string): boolean;
+    forwardRequest(req: Request, apiKey: string): Promise<Response>;
+    extractUsage(response: Response | object): TokenUsage | null;
+}
+export declare const openAIProviderAdapter: OpenAIProviderAdapter;
+//# sourceMappingURL=openai.d.ts.map

package/dist/providers/openai.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai.d.ts","sourceRoot":"","sources":["../../src/providers/openai.ts"],"names":[],"mappings":"AAAA,OAAO,EAML,KAAK,eAAe,EACpB,KAAK,UAAU,EAChB,MAAM,YAAY,CAAC;AA6BpB,qBAAa,qBAAsB,YAAW,eAAe;IAC3D,QAAQ,CAAC,IAAI,EAAG,QAAQ,CAAU;IAClC,QAAQ,CAAC,OAAO,4BAA4B;IAE5C,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAMlD,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAKlC,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAW/D,YAAY,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,UAAU,GAAG,IAAI;CAO7D;AAED,eAAO,MAAM,qBAAqB,uBAA8B,CAAC"}