@agent-relay/credential-proxy 4.0.10 → 4.0.37

package/dist/router.js

@@ -0,0 +1,325 @@
+import './crypto-polyfill.js';
+import { randomUUID } from 'node:crypto';
+import { errors as joseErrors, jwtVerify } from 'jose';
+import { Hono } from 'hono';
+import { stream } from 'hono/streaming';
+import { MeteringCollector, checkBudget, DEFAULT_BUDGET_RESERVATION } from './metering.js';
+import { TokenExpiredError, TokenInvalidError, verifyProxyToken } from './jwt.js';
+import { resolveProviderByName } from './providers/index.js';
+import { waitForCapturedUsage } from './providers/types.js';
+const encoder = new TextEncoder();
+const DEFAULT_ADMIN_AUDIENCE = 'relay-credential-proxy-admin';
+const PROVIDER_API_KEY_ENV = {
+    openai: 'OPENAI_API_KEY',
+    anthropic: 'ANTHROPIC_API_KEY',
+    openrouter: 'OPENROUTER_API_KEY',
+};
+class ProxyHttpError extends Error {
+    status;
+    code;
+    expose;
+    constructor(status, code, message, options) {
+        super(message);
+        this.name = 'ProxyHttpError';
+        this.status = status;
+        this.code = code;
+        this.expose = options?.expose ?? true;
+    }
+}
+class EnvCredentialStore {
+    async resolve(claims) {
+        const envName = PROVIDER_API_KEY_ENV[claims.provider];
+        const apiKey = process.env[envName];
+        if (!apiKey) {
+            throw new ProxyHttpError(502, 'credential_unavailable', `No upstream credential configured for provider ${claims.provider}`);
+        }
+        return apiKey;
+    }
+}
+export function createCredentialStore() {
+    return new EnvCredentialStore();
+}
+export function createCredentialProxyApp(options = {}) {
+    const metering = options.metering ?? new MeteringCollector();
+    const credentialStore = options.credentialStore ?? createCredentialStore();
+    const requestIdFactory = options.requestIdFactory ?? randomUUID;
+    const app = new Hono();
+    app.use('*', createRequestIdMiddleware(requestIdFactory));
+    app.onError((error, c) => createErrorResponse(c, error));
+    app.get('/health', (c) => c.json({
+        status: 'ok',
+        requestId: c.get('requestId'),
+    }));
+    app.get('/usage', adminJwtMiddleware(options), (c) => {
+        const workspaceId = c.req.query('workspaceId');
+        const credentialId = c.req.query('credentialId');
+        const usage = selectUsageSummary(metering, workspaceId, credentialId);
+        return c.json({
+            requestId: c.get('requestId'),
+            usage,
+            filters: {
+                workspaceId: workspaceId ?? null,
+                credentialId: credentialId ?? null,
+            },
+            viewer: c.get('adminClaims').sub,
+        });
+    });
+    app.all('*', proxyJwtMiddleware(options), async (c) => {
+        const claims = c.get('claims');
+        const adapter = resolveProviderByName(claims.provider);
+        if (!adapter.matchesPath(c.req.path)) {
+            throw new ProxyHttpError(400, 'route_provider_mismatch', `Path ${c.req.path} is not valid for provider ${claims.provider}`);
+        }
+        const budgetCheck = checkBudget(claims, metering);
+        if (!budgetCheck.allowed) {
+            throw new ProxyHttpError(429, 'budget_exceeded', 'Token budget exceeded');
+        }
+        // Reserve pessimistic budget to prevent concurrent requests from bypassing limits.
+        const reservation = claims.budget !== undefined ? DEFAULT_BUDGET_RESERVATION : 0;
+        if (reservation > 0) {
+            metering.reservePending(claims.sub, reservation);
+        }
+        try {
+            const apiKey = await credentialStore.resolve(claims);
+            const startedAt = Date.now();
+            const upstreamResponse = await adapter.forwardRequest(c.req.raw, apiKey);
+            if (isStreamingResponse(upstreamResponse)) {
+                applyResponseHeaders(c, upstreamResponse.headers);
+                c.status(upstreamResponse.status);
+                return stream(c, async (output) => {
+                    try {
+                        if (upstreamResponse.body) {
+                            try {
+                                await output.pipe(upstreamResponse.body);
+                            }
+                            catch (error) {
+                                if (!output.aborted) {
+                                    throw error;
+                                }
+                            }
+                        }
+                        if (!output.aborted) {
+                            await recordUsage(metering, c, claims, upstreamResponse, startedAt);
+                        }
+                    }
+                    finally {
+                        if (reservation > 0) {
+                            metering.releasePending(claims.sub, reservation);
+                        }
+                    }
+                }, async (error) => {
+                    if (reservation > 0) {
+                        metering.releasePending(claims.sub, reservation);
+                    }
+                    console.error(`[credential-proxy] streaming failed requestId=${c.get('requestId')}`, error);
+                });
+            }
+            await recordUsage(metering, c, claims, upstreamResponse, startedAt);
+            if (reservation > 0) {
+                metering.releasePending(claims.sub, reservation);
+            }
+            return upstreamResponse;
+        }
+        catch (error) {
+            if (reservation > 0) {
+                metering.releasePending(claims.sub, reservation);
+            }
+            throw error;
+        }
+    });
+    return app;
+}
+export const app = createCredentialProxyApp();
+function createRequestIdMiddleware(requestIdFactory) {
+    return async (c, next) => {
+        const requestId = requestIdFactory();
+        c.set('requestId', requestId);
+        await next();
+        c.res.headers.set('x-request-id', requestId);
+    };
+}
+function proxyJwtMiddleware(options) {
+    return async (c, next) => {
+        const token = extractBearerToken(c.req.header('authorization'));
+        if (!token) {
+            throw new ProxyHttpError(401, 'missing_authorization', 'Missing bearer token');
+        }
+        const claims = await verifyProxyToken(token, getProxyJwtSecret(options));
+        c.set('claims', claims);
+        await next();
+    };
+}
+function adminJwtMiddleware(options) {
+    return async (c, next) => {
+        const token = extractBearerToken(c.req.header('authorization'));
+        if (!token) {
+            throw new ProxyHttpError(401, 'missing_authorization', 'Missing bearer token');
+        }
+        const claims = await verifyAdminToken(token, getAdminJwtSecret(options), options.adminAudience ?? process.env.CREDENTIAL_PROXY_ADMIN_AUDIENCE ?? DEFAULT_ADMIN_AUDIENCE);
+        c.set('adminClaims', claims);
+        await next();
+    };
+}
+async function verifyAdminToken(token, secret, audience) {
+    try {
+        const { payload } = await jwtVerify(token, encoder.encode(secret), {
+            algorithms: ['HS256'],
+            audience,
+        });
+        const claims = normalizeAdminClaims(payload);
+        if (!hasUsageReadAccess(claims)) {
+            throw new ProxyHttpError(403, 'admin_required', 'Admin token required');
+        }
+        return claims;
+    }
+    catch (error) {
+        if (error instanceof joseErrors.JWTExpired) {
+            throw new TokenExpiredError('Admin token expired', { cause: error });
+        }
+        if (error instanceof ProxyHttpError) {
+            throw error;
+        }
+        throw new TokenInvalidError('Admin token is invalid', { cause: error });
+    }
+}
+function normalizeAdminClaims(payload) {
+    if (typeof payload.sub !== 'string' || payload.sub.length === 0) {
+        throw new TokenInvalidError('Admin token subject is invalid');
+    }
+    return {
+        sub: payload.sub,
+        ...(payload.aud === undefined ? {} : { aud: payload.aud }),
+        ...(typeof payload.exp === 'number' ? { exp: payload.exp } : {}),
+        ...(typeof payload.iat === 'number' ? { iat: payload.iat } : {}),
+        ...(typeof payload.iss === 'string' ? { iss: payload.iss } : {}),
+        ...(typeof payload.role === 'string' ? { role: payload.role } : {}),
+        ...(Array.isArray(payload.permissions)
+            ? {
+                permissions: payload.permissions.filter((value) => typeof value === 'string' && value.length > 0),
+            }
+            : {}),
+        ...(typeof payload.scope === 'string' || Array.isArray(payload.scope)
+            ? { scope: payload.scope }
+            : {}),
+    };
+}
+function hasUsageReadAccess(claims) {
+    if (claims.role === 'admin') {
+        return true;
+    }
+    const scopes = Array.isArray(claims.scope)
+        ? claims.scope
+        : typeof claims.scope === 'string'
+            ? claims.scope.split(/\s+/)
+            : [];
+    return (claims.permissions?.includes('usage:read') === true ||
+        scopes.includes('usage:read') ||
+        scopes.includes('admin'));
+}
+function extractBearerToken(authorization) {
+    if (!authorization) {
+        return null;
+    }
+    const match = authorization.match(/^Bearer\s+(.+)$/i);
+    return match ? match[1].trim() : null;
+}
+function getProxyJwtSecret(options) {
+    const secret = options.jwtSecret ?? process.env.CREDENTIAL_PROXY_JWT_SECRET ?? process.env.PROXY_JWT_SECRET;
+    if (!secret) {
+        throw new ProxyHttpError(500, 'configuration_error', 'Proxy JWT secret is not configured', {
+            expose: false,
+        });
+    }
+    return secret;
+}
+function getAdminJwtSecret(options) {
+    const secret = options.adminJwtSecret ??
+        process.env.CREDENTIAL_PROXY_ADMIN_JWT_SECRET ??
+        options.jwtSecret ??
+        process.env.CREDENTIAL_PROXY_JWT_SECRET ??
+        process.env.PROXY_JWT_SECRET;
+    if (!secret) {
+        throw new ProxyHttpError(500, 'configuration_error', 'Admin JWT secret is not configured', {
+            expose: false,
+        });
+    }
+    return secret;
+}
+function selectUsageSummary(metering, workspaceId, credentialId) {
+    if (workspaceId) {
+        return metering.getUsageByWorkspace(workspaceId);
+    }
+    if (credentialId) {
+        return metering.getUsageByCredential(credentialId);
+    }
+    return metering.getTotalUsage();
+}
+function isStreamingResponse(response) {
+    const contentType = response.headers.get('content-type')?.toLowerCase() ?? '';
+    return Boolean(response.body) && contentType.includes('text/event-stream');
+}
+function applyResponseHeaders(c, headers) {
+    headers.forEach((value, key) => {
+        if (key.toLowerCase() === 'content-length') {
+            return;
+        }
+        c.header(key, value);
+    });
+}
+async function recordUsage(metering, c, claims, response, startedAt) {
+    if (!response.ok) {
+        return;
+    }
+    const usage = await waitForCapturedUsage(response);
+    if (!usage) {
+        return;
+    }
+    metering.record(createMeteringRecord(c.get('requestId'), claims, c.req.path, usage, startedAt));
+}
+function createMeteringRecord(requestId, claims, endpoint, usage, startedAt) {
+    return {
+        requestId,
+        workspaceId: claims.sub,
+        provider: claims.provider,
+        credentialId: claims.credentialId,
+        endpoint,
+        model: usage.model,
+        inputTokens: usage.inputTokens,
+        outputTokens: usage.outputTokens,
+        totalTokens: usage.totalTokens,
+        timestamp: new Date().toISOString(),
+        durationMs: Math.max(0, Date.now() - startedAt),
+    };
+}
+function createErrorResponse(c, error) {
+    const requestId = c.get('requestId');
+    if (error instanceof TokenExpiredError) {
+        return c.json({
+            error: 'Token expired',
+            code: 'token_expired',
+            requestId,
+        }, 401);
+    }
+    if (error instanceof TokenInvalidError) {
+        return c.json({
+            error: 'Invalid token',
+            code: 'invalid_token',
+            requestId,
+        }, 401);
+    }
+    if (error instanceof ProxyHttpError) {
+        return c.json({
+            error: error.expose ? error.message : 'Internal server error',
+            code: error.code,
+            requestId,
+        }, error.status);
+    }
+    console.error(`[credential-proxy] unexpected error requestId=${requestId}`, error);
+    return c.json({
+        error: 'Internal server error',
+        code: 'internal_error',
+        requestId,
+    }, 500);
+}
+export default app;
+//# sourceMappingURL=router.js.map

package/dist/router.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"router.js","sourceRoot":"","sources":["../src/router.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,MAAM,IAAI,UAAU,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACvD,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAExC,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,0BAA0B,EAAE,MAAM,eAAe,CAAC;AAC3F,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAClF,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAmB,MAAM,sBAAsB,CAAC;AAS7E,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;AAElC,MAAM,sBAAsB,GAAG,8BAA8B,CAAC;AAC9D,MAAM,oBAAoB,GAAiC;IACzD,MAAM,EAAE,gBAAgB;IACxB,SAAS,EAAE,mBAAmB;IAC9B,UAAU,EAAE,oBAAoB;CACjC,CAAC;AA2BF,MAAM,cAAe,SAAQ,KAAK;IACvB,MAAM,CAAS;IACf,IAAI,CAAS;IACb,MAAM,CAAU;IAEzB,YAAY,MAAc,EAAE,IAAY,EAAE,OAAe,EAAE,OAA8B;QACvF,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,IAAI,CAAC;IACxC,CAAC;CACF;AAED,MAAM,kBAAkB;IACtB,KAAK,CAAC,OAAO,CAAC,MAAwB;QACpC,MAAM,OAAO,GAAG,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEpC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,cAAc,CACtB,GAAG,EACH,wBAAwB,EACxB,kDAAkD,MAAM,CAAC,QAAQ,EAAE,CACpE,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,MAAM,UAAU,qBAAqB;IACnC,OAAO,IAAI,kBAAkB,EAAE,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,UAAkC,EAAE;IAC3E,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,iBAAiB,EAAE,CAAC;IAC7D,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,qBAAqB,EAAE,CAAC;IAC3E,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,IAAI,UAAU,CAAC;IAEhE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAU,CAAC;IAE/B,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,yBAAyB,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAC1D,GAAG,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,mBAAmB,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;IAEzD,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CACvB,CAAC,CAAC,IAAI,CAAC;QACL,MAAM,EAAE,IAAI;QACZ,SAAS,EAAE,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC;KAC9B,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE;QACnD,MAAM,WAAW,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAC/C,MAAM,YAAY,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,kBAAkB,CAAC,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;QAEtE,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,SAAS,EAAE,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC;YAC7B,KAAK;YACL,OAAO,EAAE;gBACP,WAAW,EAAE,WAAW,IAAI,IAAI;gBAChC,YAAY,EAAE,YAAY,IAAI,IAAI;aACnC;YACD,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,GAAG;SACjC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,kBAAkB,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACpD,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/B,MAAM,OAAO,GAAG,qBAAqB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEvD,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,cAAc,CACtB,GAAG,EACH,yBAAyB,EACzB,QAAQ,CAAC,CAAC,GAAG,CAAC,IAAI,8BAA8B,MAAM,CAAC,QAAQ,EAAE,CAClE,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClD,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;YACzB,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,iBAAiB,EAAE,uBAAuB,CAAC,CAAC;QAC5E,CAAC;QAED,mFAAmF;QACnF,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC,CAAC,CAAC,CAAC;QACjF,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;YACpB,QAAQ,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACrD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC7B,MAAM,gBAAgB,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YAEzE,IAAI,mBAAmB,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAC1C,oBAAoB,CAAC,CAAC,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAC;gBAClD,CAAC,CAAC,MAAM,CAAC,gBAAgB,CAAC,MAAe,CAAC,CAAC;gBAE3C,OAAO,MAAM,CACX,CAAC,EACD,KAAK,EAAE,MAAM,EAAE,EAAE;oBACf,IAAI,CAAC;wBACH,IAAI,gBAAgB,CAAC,IAAI,EAAE,CAAC;4BAC1B,IAAI,CAAC;gCACH,MAAM,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;4BAC3C,CAAC;4BAAC,OAAO,KAAK,EAAE,CAAC;gCACf,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oCACpB,MAAM,KAAK,CAAC;gCACd,CAAC;4BACH,CAAC;wBACH,CAAC;wBAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;4BACpB,MAAM,WAAW,CAAC,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,gBAAgB,EAAE,SAAS,CAAC,CAAC;wBACtE,CAAC;oBACH,CAAC;4BAAS,CAAC;wBACT,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;4BACpB,QAAQ,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;wBACnD,CAAC;oBACH,CAAC;gBACH,CAAC,EACD,KAAK,EAAE,KAAK,EAAE,EAAE;oBACd,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;wBACpB,QAAQ,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;oBACnD,CAAC;oBACD,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;gBAC9F,CAAC,CACF,CAAC;YACJ,CAAC;YAED,MAAM,WAAW,CAAC,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,gBAAgB,EAAE,SAAS,CAAC,CAAC;YACpE,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;gBACpB,QAAQ,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;YACnD,CAAC;YACD,OAAO,gBAAgB,CAAC;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;gBACpB,QAAQ,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;YACnD,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,MAAM,GAAG,GAAG,wBAAwB,EAAE,CAAC;AAE9C,SAAS,yBAAyB,CAAC,gBAA8B;IAC/D,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACvB,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAC;QACrC,CAAC,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QAE9B,MAAM,IAAI,EAAE,CAAC;QAEb,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC;IAC/C,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,OAA+B;IACzD,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACvB,MAAM,KAAK,GAAG,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC;QAChE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,uBAAuB,EAAE,sBAAsB,CAAC,CAAC;QACjF,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,iBAAiB,CAAC,OAAO,CAAC,CAAC,CAAC;QACzE,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACxB,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,OAA+B;IACzD,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACvB,MAAM,KAAK,GAAG,kBAAkB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC;QAChE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,uBAAuB,EAAE,sBAAsB,CAAC,CAAC;QACjF,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,gBAAgB,CACnC,KAAK,EACL,iBAAiB,CAAC,OAAO,CAAC,EAC1B,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,+BAA+B,IAAI,sBAAsB,CAC/F,CAAC;QACF,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAC7B,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,KAAa,EAAE,MAAc,EAAE,QAAgB;IAC7E,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE;YACjE,UAAU,EAAE,CAAC,OAAO,CAAC;YACrB,QAAQ;SACT,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,oBAAoB,CAAC,OAAkC,CAAC,CAAC;QACxE,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,gBAAgB,EAAE,sBAAsB,CAAC,CAAC;QAC1E,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,UAAU,CAAC,UAAU,EAAE,CAAC;YAC3C,MAAM,IAAI,iBAAiB,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACvE,CAAC;QAED,IAAI,KAAK,YAAY,cAAc,EAAE,CAAC;YACpC,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,IAAI,iBAAiB,CAAC,wBAAwB,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAgC;IAC5D,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;IAChE,CAAC;IAED,OAAO;QACL,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAwB,EAAE,CAAC;QAC/E,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,GAAG,CAAC,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACnE,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC;YACpC,CAAC,CAAC;gBACE,WAAW,EAAE,OAAO,CAAC,WAAW,CAAC,MAAM,CACrC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAC1E;aACF;YACH,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC;YACnE,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAA0B,EAAE;YAC/C,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAwB;IAClD,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;QACxC,CAAC,CAAC,MAAM,CAAC,KAAK;QACd,CAAC,CAAC,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ;YAChC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC;YAC3B,CAAC,CAAC,EAAE,CAAC;IAET,OAAO,CACL,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,YAAY,CAAC,KAAK,IAAI;QACnD,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC;QAC7B,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CACzB,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,aAAiC;IAC3D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACtD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACxC,CAAC;AAED,SAAS,iBAAiB,CAAC,OAA+B;IACxD,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAE5G,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,qBAAqB,EAAE,oCAAoC,EAAE;YACzF,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,iBAAiB,CAAC,OAA+B;IACxD,MAAM,MAAM,GACV,OAAO,CAAC,cAAc;QACtB,OAAO,CAAC,GAAG,CAAC,iCAAiC;QAC7C,OAAO,CAAC,SAAS;QACjB,OAAO,CAAC,GAAG,CAAC,2BAA2B;QACvC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAE/B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,cAAc,CAAC,GAAG,EAAE,qBAAqB,EAAE,oCAAoC,EAAE;YACzF,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CACzB,QAA2B,EAC3B,WAAoB,EACpB,YAAqB;IAErB,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,QAAQ,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,QAAQ,CAAC,oBAAoB,CAAC,YAAY,CAAC,CAAC;IACrD,CAAC;IAED,OAAO,QAAQ,CAAC,aAAa,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAkB;IAC7C,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IAC9E,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,oBAAoB,CAAC,CAAkB,EAAE,OAAgB;IAChE,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAC7B,IAAI,GAAG,CAAC,WAAW,EAAE,KAAK,gBAAgB,EAAE,CAAC;YAC3C,OAAO;QACT,CAAC;QAED,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACvB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,QAA2B,EAC3B,CAAkB,EAClB,MAAwB,EACxB,QAAkB,EAClB,SAAiB;IAEjB,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,OAAO;IACT,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,oBAAoB,CAAC,QAAQ,CAAC,CAAC;IACnD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;IACT,CAAC;IAED,QAAQ,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC;AAClG,CAAC;AAED,SAAS,oBAAoB,CAC3B,SAAiB,EACjB,MAAwB,EACxB,QAAgB,EAChB,KAAiB,EACjB,SAAiB;IAEjB,OAAO;QACL,SAAS;QACT,WAAW,EAAE,MAAM,CAAC,GAAG;QACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,QAAQ;QACR,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;KAChD,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,CAAkB,EAAE,KAAc;IAC7D,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAErC,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;QACvC,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE,eAAe;YACtB,IAAI,EAAE,eAAe;YACrB,SAAS;SACV,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,IAAI,KAAK,YAAY,iBAAiB,EAAE,CAAC;QACvC,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE,eAAe;YACtB,IAAI,EAAE,eAAe;YACrB,SAAS;SACV,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,IAAI,KAAK,YAAY,cAAc,EAAE,CAAC;QACpC,OAAO,CAAC,CAAC,IAAI,CACX;YACE,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB;YAC7D,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS;SACV,EACD,KAAK,CAAC,MAAe,CACtB,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,iDAAiD,SAAS,EAAE,EAAE,KAAK,CAAC,CAAC;IAEnF,OAAO,CAAC,CAAC,IAAI,CACX;QACE,KAAK,EAAE,uBAAuB;QAC9B,IAAI,EAAE,gBAAgB;QACtB,SAAS;KACV,EACD,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,eAAe,GAAG,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,54 @@
+export type ProviderType = 'openai' | 'anthropic' | 'openrouter';
+export interface ProxyTokenClaims {
+    sub: string;
+    aud: 'relay-llm-proxy';
+    provider: ProviderType;
+    credentialId: string;
+    budget?: number;
+    iat?: number;
+    exp?: number;
+    jti?: string;
+    iss?: string;
+}
+export interface AdminTokenClaims {
+    sub: string;
+    aud?: string | string[];
+    exp?: number;
+    iat?: number;
+    iss?: string;
+    role?: string;
+    permissions?: string[];
+    scope?: string | string[];
+}
+export interface ProxyRequest {
+    provider: ProviderType;
+    credentialId: string;
+    path: string;
+    method: string;
+    headers?: Record<string, string>;
+    body?: unknown;
+}
+export interface ProxyResponse {
+    status: number;
+    headers?: Record<string, string>;
+    body?: unknown;
+}
+export interface UsageSummary {
+    inputTokens: number;
+    outputTokens: number;
+    requests: number;
+}
+export interface MeteringRecord {
+    requestId: string;
+    workspaceId: string;
+    provider: ProviderType;
+    credentialId: string;
+    endpoint: string;
+    model?: string;
+    inputTokens: number;
+    outputTokens: number;
+    totalTokens: number;
+    timestamp: string;
+    durationMs: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,WAAW,GAAG,YAAY,CAAC;AAEjE,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,iBAAiB,CAAC;IACvB,QAAQ,EAAE,YAAY,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,YAAY,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,YAAY,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agent-relay/credential-proxy",
-  "version": "4.0.10",
+  "version": "4.0.37",
   "description": "JWT-authenticated credential proxy for upstream LLM providers",
   "type": "module",
   "main": "dist/index.js",
@@ -17,8 +17,10 @@
     "README.md"
   ],
   "scripts": {
-    "build": "npx tsc -p tsconfig.json",
+    "build": "tsc -p tsconfig.json",
+    "clean": "rm -rf dist",
     "test": "vitest run",
+    "test:watch": "vitest",
     "dev": "npm run build && PORT=${PORT:-3001} node dist/index.js"
   },
   "dependencies": {