@agentgazer/proxy 0.1.0

package/dist/proxy-server.js

@@ -0,0 +1,898 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startProxy = startProxy;
+const http = __importStar(require("node:http"));
+const shared_1 = require("@agentgazer/shared");
+const server_1 = require("@agentgazer/server");
+const modelOverrideCache = {};
+const MODEL_OVERRIDE_CACHE_TTL_MS = 30_000; // 30 seconds
+function getModelOverride(db, agentId, provider) {
+    if (!db)
+        return null;
+    const cacheKey = `${agentId}:${provider}`;
+    const cached = modelOverrideCache[cacheKey];
+    if (cached && cached.expiresAt > Date.now()) {
+        return cached.model_override;
+    }
+    // Fetch from DB
+    const rule = (0, server_1.getModelRule)(db, agentId, provider);
+    const modelOverride = rule?.model_override ?? null;
+    // Cache the result
+    modelOverrideCache[cacheKey] = {
+        model_override: modelOverride,
+        expiresAt: Date.now() + MODEL_OVERRIDE_CACHE_TTL_MS,
+    };
+    return modelOverride;
+}
+const log = (0, shared_1.createLogger)("proxy");
+const event_buffer_js_1 = require("./event-buffer.js");
+const rate_limiter_js_1 = require("./rate-limiter.js");
+const DEFAULT_PORT = 4000;
+const DEFAULT_ENDPOINT = "https://ingest.agentgazer.com/v1/events";
+const DEFAULT_FLUSH_INTERVAL = 5000;
+const DEFAULT_MAX_BUFFER_SIZE = 50;
+const MAX_REQUEST_BODY_SIZE = 10 * 1024 * 1024; // 10 MB
+const MAX_SSE_BUFFER_SIZE = 50 * 1024 * 1024; // 50 MB
+const UPSTREAM_TIMEOUT_MS = 120_000; // 2 minutes
+const RATE_LIMIT_REFRESH_INTERVAL_MS = 30_000; // 30 seconds
+function readRequestBody(req) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let totalSize = 0;
+        req.on("data", (chunk) => {
+            totalSize += chunk.length;
+            if (totalSize > MAX_REQUEST_BODY_SIZE) {
+                const err = new Error("Request body too large");
+                req.destroy(err);
+                reject(err);
+                return;
+            }
+            chunks.push(chunk);
+        });
+        req.on("end", () => resolve(Buffer.concat(chunks)));
+        req.on("error", reject);
+    });
+}
+function sendJson(res, statusCode, body) {
+    const payload = JSON.stringify(body);
+    res.writeHead(statusCode, {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload),
+    });
+    res.end(payload);
+}
+// ---------------------------------------------------------------------------
+// SSE streaming parsers — extract usage/model from provider-specific formats
+// ---------------------------------------------------------------------------
+function parseOpenAISSE(dataLines, statusCode) {
+    let model = null;
+    let tokensIn = null;
+    let tokensOut = null;
+    let tokensTotal = null;
+    for (const line of dataLines) {
+        try {
+            const data = JSON.parse(line);
+            if (data.model)
+                model = data.model;
+            if (data.usage) {
+                tokensIn = data.usage.prompt_tokens ?? null;
+                tokensOut = data.usage.completion_tokens ?? null;
+                tokensTotal = data.usage.total_tokens ?? null;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    return {
+        model,
+        tokensIn,
+        tokensOut,
+        tokensTotal,
+        statusCode,
+        errorMessage: null,
+    };
+}
+function parseAnthropicSSE(dataLines, statusCode) {
+    let model = null;
+    let tokensIn = null;
+    let tokensOut = null;
+    for (const line of dataLines) {
+        try {
+            const data = JSON.parse(line);
+            if (data.type === "message_start" && data.message) {
+                model = data.message.model ?? null;
+                tokensIn = data.message.usage?.input_tokens ?? null;
+            }
+            if (data.type === "message_delta" && data.usage) {
+                tokensOut = data.usage.output_tokens ?? null;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const tokensTotal = tokensIn != null && tokensOut != null ? tokensIn + tokensOut : null;
+    return {
+        model,
+        tokensIn,
+        tokensOut,
+        tokensTotal,
+        statusCode,
+        errorMessage: null,
+    };
+}
+function parseGoogleSSE(dataLines, statusCode) {
+    let model = null;
+    let tokensIn = null;
+    let tokensOut = null;
+    let tokensTotal = null;
+    for (const line of dataLines) {
+        try {
+            const data = JSON.parse(line);
+            if (data.modelVersion)
+                model = data.modelVersion;
+            if (data.usageMetadata) {
+                tokensIn = data.usageMetadata.promptTokenCount ?? null;
+                tokensOut = data.usageMetadata.candidatesTokenCount ?? null;
+                tokensTotal = data.usageMetadata.totalTokenCount ?? null;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    return {
+        model,
+        tokensIn,
+        tokensOut,
+        tokensTotal,
+        statusCode,
+        errorMessage: null,
+    };
+}
+function parseCohereSSE(dataLines, statusCode) {
+    let tokensIn = null;
+    let tokensOut = null;
+    for (const line of dataLines) {
+        try {
+            const data = JSON.parse(line);
+            if (data.meta?.billed_units) {
+                tokensIn = data.meta.billed_units.input_tokens ?? null;
+                tokensOut = data.meta.billed_units.output_tokens ?? null;
+            }
+            // Cohere v2 chat streaming uses response.meta at the end
+            if (data.response?.meta?.billed_units) {
+                tokensIn = data.response.meta.billed_units.input_tokens ?? null;
+                tokensOut = data.response.meta.billed_units.output_tokens ?? null;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const tokensTotal = tokensIn != null && tokensOut != null ? tokensIn + tokensOut : null;
+    return {
+        model: null,
+        tokensIn,
+        tokensOut,
+        tokensTotal,
+        statusCode,
+        errorMessage: null,
+    };
+}
+function parseSSEResponse(provider, sseText, statusCode) {
+    const lines = sseText.split("\n");
+    const dataLines = [];
+    for (const line of lines) {
+        if (line.startsWith("data: ") && line !== "data: [DONE]") {
+            dataLines.push(line.slice(6));
+        }
+    }
+    if (dataLines.length === 0)
+        return null;
+    switch (provider) {
+        case "openai":
+        case "mistral":
+        case "deepseek":
+        case "moonshot":
+        case "zhipu":
+        case "minimax":
+        case "baichuan":
+        case "yi":
+            return parseOpenAISSE(dataLines, statusCode);
+        case "anthropic":
+            return parseAnthropicSSE(dataLines, statusCode);
+        case "google":
+            return parseGoogleSSE(dataLines, statusCode);
+        case "cohere":
+            return parseCohereSSE(dataLines, statusCode);
+        default:
+            return null;
+    }
+}
+function checkAgentPolicy(db, agentId) {
+    if (!db) {
+        // No DB means no policy enforcement (backwards compatible)
+        return { allowed: true };
+    }
+    const policy = (0, server_1.getAgentPolicy)(db, agentId);
+    if (!policy) {
+        // Agent doesn't exist yet or no policy — allow by default
+        return { allowed: true };
+    }
+    // Check if agent is active
+    if (!policy.active) {
+        return {
+            allowed: false,
+            reason: "inactive",
+            message: "Agent is currently deactivated",
+        };
+    }
+    // Check budget limit
+    if (policy.budget_limit !== null) {
+        const dailySpend = (0, server_1.getDailySpend)(db, agentId);
+        if (dailySpend >= policy.budget_limit) {
+            return {
+                allowed: false,
+                reason: "budget_exceeded",
+                message: `Daily budget limit of $${policy.budget_limit.toFixed(2)} exceeded (spent: $${dailySpend.toFixed(2)})`,
+            };
+        }
+    }
+    // Check allowed hours
+    if (policy.allowed_hours_start !== null && policy.allowed_hours_end !== null) {
+        const now = new Date();
+        const currentHour = now.getHours();
+        const start = policy.allowed_hours_start;
+        const end = policy.allowed_hours_end;
+        let isWithinHours;
+        if (start <= end) {
+            // Normal range (e.g., 9-17)
+            isWithinHours = currentHour >= start && currentHour < end;
+        }
+        else {
+            // Overnight range (e.g., 22-6)
+            isWithinHours = currentHour >= start || currentHour < end;
+        }
+        if (!isWithinHours) {
+            return {
+                allowed: false,
+                reason: "outside_hours",
+                message: `Agent is only allowed to operate between ${start}:00 and ${end}:00 (server time)`,
+            };
+        }
+    }
+    return { allowed: true };
+}
+/**
+ * Generate a blocked response in OpenAI format.
+ */
+function generateOpenAIBlockedResponse(reason, message) {
+    return {
+        id: `chatcmpl-blocked-${Date.now()}`,
+        object: "chat.completion",
+        created: Math.floor(Date.now() / 1000),
+        model: "agentgazer-policy",
+        choices: [
+            {
+                index: 0,
+                message: {
+                    role: "assistant",
+                    content: `[AgentGazer Policy Block] ${message}`,
+                },
+                finish_reason: "stop",
+            },
+        ],
+        usage: {
+            prompt_tokens: 0,
+            completion_tokens: 0,
+            total_tokens: 0,
+        },
+    };
+}
+/**
+ * Generate a blocked response in Anthropic format.
+ */
+function generateAnthropicBlockedResponse(reason, message) {
+    return {
+        id: `msg_blocked_${Date.now()}`,
+        type: "message",
+        role: "assistant",
+        content: [
+            {
+                type: "text",
+                text: `[AgentGazer Policy Block] ${message}`,
+            },
+        ],
+        model: "agentgazer-policy",
+        stop_reason: "end_turn",
+        usage: {
+            input_tokens: 0,
+            output_tokens: 0,
+        },
+    };
+}
+/**
+ * Generate a blocked response based on provider format.
+ */
+function generateBlockedResponse(provider, reason, message) {
+    if (provider === "anthropic") {
+        return generateAnthropicBlockedResponse(reason, message);
+    }
+    // Default to OpenAI format (used by most providers)
+    return generateOpenAIBlockedResponse(reason, message);
+}
+/**
+ * Record a blocked event to the database.
+ */
+function recordBlockedEvent(db, agentId, provider, reason, message) {
+    if (!db)
+        return;
+    try {
+        // Ensure agent exists
+        (0, server_1.upsertAgent)(db, agentId, false);
+        // Insert blocked event
+        const event = {
+            agent_id: agentId,
+            event_type: "blocked",
+            provider,
+            model: null,
+            tokens_in: null,
+            tokens_out: null,
+            tokens_total: null,
+            cost_usd: null,
+            latency_ms: null,
+            status_code: 403,
+            source: "proxy",
+            timestamp: new Date().toISOString(),
+            tags: { block_reason: reason, block_message: message },
+        };
+        (0, server_1.insertEvents)(db, [event]);
+    }
+    catch (err) {
+        log.error("Failed to record blocked event", { err: String(err) });
+    }
+}
+// ---------------------------------------------------------------------------
+// Proxy server
+// ---------------------------------------------------------------------------
+/**
+ * Load rate limits from database and convert to RateLimiter config format.
+ */
+function loadRateLimitsFromDb(db) {
+    if (!db)
+        return {};
+    try {
+        const rows = (0, server_1.getAllRateLimits)(db);
+        const configs = {};
+        for (const row of rows) {
+            const key = `${row.agent_id}:${row.provider}`;
+            configs[key] = {
+                maxRequests: row.max_requests,
+                windowSeconds: row.window_seconds,
+            };
+        }
+        return configs;
+    }
+    catch (err) {
+        log.error("Failed to load rate limits from database", { err: String(err) });
+        return {};
+    }
+}
+function startProxy(options) {
+    const port = options.port ?? DEFAULT_PORT;
+    const agentId = options.agentId;
+    const endpoint = options.endpoint ?? DEFAULT_ENDPOINT;
+    const flushInterval = options.flushInterval ?? DEFAULT_FLUSH_INTERVAL;
+    const maxBufferSize = options.maxBufferSize ?? DEFAULT_MAX_BUFFER_SIZE;
+    const providerKeys = options.providerKeys ?? {};
+    const db = options.db;
+    // Initialize rate limiter - prefer database, fall back to options for backward compatibility/testing
+    let initialRateLimits = {};
+    if (db) {
+        initialRateLimits = loadRateLimitsFromDb(db);
+    }
+    else if (options.rateLimits) {
+        // Convert legacy format (provider -> config) to new format (agentId:provider -> config)
+        for (const [provider, config] of Object.entries(options.rateLimits)) {
+            initialRateLimits[`${agentId}:${provider}`] = config;
+        }
+    }
+    const rateLimiter = new rate_limiter_js_1.RateLimiter(initialRateLimits);
+    // Set up periodic refresh of rate limits from database
+    let rateLimitRefreshTimer = null;
+    if (db) {
+        rateLimitRefreshTimer = setInterval(() => {
+            const configs = loadRateLimitsFromDb(db);
+            rateLimiter.updateConfigs(configs);
+        }, RATE_LIMIT_REFRESH_INTERVAL_MS);
+        rateLimitRefreshTimer.unref();
+    }
+    const startTime = Date.now();
+    const eventBuffer = new event_buffer_js_1.EventBuffer({
+        apiKey: options.apiKey,
+        endpoint,
+        flushInterval,
+        maxBufferSize,
+    });
+    eventBuffer.start();
+    const server = http.createServer((req, res) => {
+        void handleRequest(req, res);
+    });
+    async function handleRequest(req, res) {
+        const method = req.method ?? "GET";
+        const path = req.url ?? "/";
+        // Health check endpoint
+        if (method === "GET" && path === "/health") {
+            sendJson(res, 200, {
+                status: "ok",
+                agent_id: agentId,
+                uptime_ms: Date.now() - startTime,
+            });
+            return;
+        }
+        // Agent identification priority: header > path (/agents/{id}/...) > default
+        let effectiveAgentId = req.headers["x-agent-id"];
+        let workingPath = path;
+        // Check for /agents/{id}/... path pattern if no header
+        if (!effectiveAgentId) {
+            const agentPathResult = (0, shared_1.parseAgentPath)(path);
+            if (agentPathResult) {
+                effectiveAgentId = agentPathResult.agentId;
+                workingPath = agentPathResult.remainingPath;
+                log.info(`[PROXY] Agent ID from path: ${effectiveAgentId}`);
+            }
+        }
+        // Fall back to default agent ID
+        if (!effectiveAgentId) {
+            effectiveAgentId = agentId;
+        }
+        // Proxy logic: use x-target-url header if provided, otherwise auto-detect
+        // provider from the Host header or request path.
+        let targetBase = req.headers["x-target-url"];
+        // Validate x-target-url to prevent SSRF
+        if (targetBase) {
+            try {
+                const parsed = new URL(targetBase);
+                if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+                    sendJson(res, 400, { error: "x-target-url must use http or https protocol" });
+                    return;
+                }
+            }
+            catch {
+                sendJson(res, 400, { error: "x-target-url must be a valid URL" });
+                return;
+            }
+        }
+        // Path prefix routing: /{provider}/... -> provider base URL + remaining path
+        let pathPrefixProvider = null;
+        let effectivePath = workingPath;
+        log.info(`[PROXY] ${method} ${path} (working path: ${workingPath}, agent: ${effectiveAgentId})`);
+        log.info(`[PROXY] Headers: ${JSON.stringify(Object.fromEntries(Object.entries(req.headers).filter(([k]) => !k.toLowerCase().includes('key') && !k.toLowerCase().includes('auth'))))}`);
+        if (!targetBase) {
+            const prefixResult = (0, shared_1.parsePathPrefix)(workingPath);
+            if (prefixResult) {
+                const baseUrl = (0, shared_1.getProviderBaseUrl)(prefixResult.provider);
+                if (baseUrl) {
+                    targetBase = baseUrl;
+                    effectivePath = prefixResult.remainingPath;
+                    pathPrefixProvider = prefixResult.provider;
+                    log.info(`[PROXY] Detected provider: ${prefixResult.provider}, forwarding to: ${baseUrl}${effectivePath}`);
+                }
+            }
+        }
+        if (!targetBase) {
+            // Try to detect provider from the Host header (e.g. api.openai.com)
+            const host = req.headers["host"] ?? "";
+            const hostUrl = `https://${host}${effectivePath}`;
+            const detectedProvider = (0, shared_1.detectProvider)(hostUrl);
+            if (detectedProvider !== "unknown") {
+                targetBase = (0, shared_1.getProviderBaseUrl)(detectedProvider) ?? undefined;
+            }
+            // Fallback: try to detect from path patterns alone
+            if (!targetBase) {
+                const pathProvider = (0, shared_1.detectProvider)(`https://placeholder${effectivePath}`);
+                if (pathProvider !== "unknown") {
+                    targetBase = (0, shared_1.getProviderBaseUrl)(pathProvider) ?? undefined;
+                }
+            }
+            if (!targetBase) {
+                sendJson(res, 400, {
+                    error: "Could not determine upstream provider. Use path prefix routing (e.g. /openai/v1/...), set the Host header to a known provider (e.g. api.openai.com), or provide x-target-url header.",
+                });
+                return;
+            }
+        }
+        // Build target URL: combine base with the effective path (prefix stripped if used)
+        const targetUrl = targetBase.replace(/\/+$/, "") + effectivePath;
+        // Detect provider early for policy enforcement response format
+        const earlyProvider = pathPrefixProvider ?? (0, shared_1.detectProvider)(targetUrl);
+        // Policy check: verify agent is allowed to make requests
+        const policyResult = checkAgentPolicy(db, effectiveAgentId);
+        if (!policyResult.allowed && policyResult.reason && policyResult.message) {
+            log.info(`[PROXY] Request blocked for agent "${effectiveAgentId}": ${policyResult.reason}`);
+            // Record blocked event
+            recordBlockedEvent(db, effectiveAgentId, earlyProvider, policyResult.reason, policyResult.message);
+            // Return a fake LLM response that indicates the block
+            const blockedResponse = generateBlockedResponse(earlyProvider, policyResult.reason, policyResult.message);
+            sendJson(res, 200, blockedResponse);
+            return;
+        }
+        log.info(`[PROXY] Target URL: ${targetUrl}`);
+        // Read the full request body
+        let requestBody;
+        try {
+            requestBody = await readRequestBody(req);
+        }
+        catch (err) {
+            if (err instanceof Error && err.message === "Request body too large") {
+                sendJson(res, 413, { error: `Request body too large (max ${MAX_REQUEST_BODY_SIZE / 1024 / 1024}MB)` });
+            }
+            else {
+                sendJson(res, 502, { error: "Failed to read request body" });
+            }
+            return;
+        }
+        // Strict detection (hostname-only): used for key injection and rate limiting.
+        // Path prefix is definitively trusted (we resolved the provider ourselves).
+        const detectedProviderStrict = pathPrefixProvider
+            ?? (0, shared_1.detectProviderByHostname)(targetUrl);
+        // Model override: check if we should rewrite the model in request body
+        let requestedModel = null;
+        let actualModel = null;
+        let modifiedRequestBody = requestBody;
+        if (detectedProviderStrict !== "unknown") {
+            try {
+                const bodyJson = JSON.parse(requestBody.toString("utf-8"));
+                if (bodyJson.model) {
+                    requestedModel = bodyJson.model;
+                    const modelOverride = getModelOverride(db, effectiveAgentId, detectedProviderStrict);
+                    if (modelOverride) {
+                        log.info(`[PROXY] Model override: ${requestedModel} → ${modelOverride}`);
+                        bodyJson.model = modelOverride;
+                        actualModel = modelOverride;
+                        modifiedRequestBody = Buffer.from(JSON.stringify(bodyJson), "utf-8");
+                    }
+                    else {
+                        actualModel = requestedModel;
+                    }
+                }
+            }
+            catch {
+                // Not JSON or no model field - continue without modification
+            }
+        }
+        // Lenient detection (hostname + path fallback): used for metric extraction.
+        let detectedProviderForMetrics = pathPrefixProvider
+            ?? (0, shared_1.detectProvider)(targetUrl);
+        if (detectedProviderForMetrics === "unknown") {
+            detectedProviderForMetrics = (0, shared_1.detectProvider)(`https://placeholder${effectivePath}`);
+        }
+        // Warn when path matches a provider but hostname doesn't — key will NOT be injected.
+        // Skip when path prefix was used (provider is already trusted).
+        if (!pathPrefixProvider && detectedProviderStrict === "unknown" && detectedProviderForMetrics !== "unknown") {
+            const providerKey = providerKeys[detectedProviderForMetrics];
+            if (providerKey) {
+                const expectedBase = (0, shared_1.getProviderBaseUrl)(detectedProviderForMetrics) ?? detectedProviderForMetrics;
+                log.warn(`Path matches "${detectedProviderForMetrics}" but hostname does not — ` +
+                    `API key NOT injected. Use x-target-url=${expectedBase} for key injection.`);
+            }
+        }
+        // Rate limiting: check before forwarding (strict match only)
+        if (detectedProviderStrict !== "unknown") {
+            const rateLimitResult = rateLimiter.check(effectiveAgentId, detectedProviderStrict);
+            if (!rateLimitResult.allowed) {
+                const retryAfter = rateLimitResult.retryAfterSeconds ?? 60;
+                const message = `Rate limit exceeded for agent "${effectiveAgentId}" on ${detectedProviderStrict}. Please retry after ${retryAfter} seconds.`;
+                res.writeHead(429, {
+                    "Content-Type": "application/json",
+                    "Retry-After": String(retryAfter),
+                });
+                // Return provider-specific error format
+                let errorBody;
+                if (detectedProviderStrict === "anthropic") {
+                    // Anthropic error format
+                    errorBody = {
+                        type: "error",
+                        error: {
+                            type: "rate_limit_error",
+                            message,
+                        },
+                        retry_after_seconds: retryAfter,
+                    };
+                }
+                else {
+                    // OpenAI-style error format (used by most providers)
+                    errorBody = {
+                        error: {
+                            message,
+                            type: "rate_limit_error",
+                            param: null,
+                            code: "rate_limit_exceeded",
+                        },
+                        retry_after_seconds: retryAfter,
+                    };
+                }
+                res.end(JSON.stringify(errorBody));
+                // Record rate limit event
+                const event = {
+                    agent_id: effectiveAgentId,
+                    event_type: "error",
+                    provider: detectedProviderStrict,
+                    model: null,
+                    tokens_in: null,
+                    tokens_out: null,
+                    tokens_total: null,
+                    cost_usd: null,
+                    latency_ms: null,
+                    status_code: 429,
+                    source: "proxy",
+                    timestamp: new Date().toISOString(),
+                    tags: { rate_limited: "true" },
+                };
+                eventBuffer.add(event);
+                return;
+            }
+        }
+        // Build forwarded headers, removing proxy-specific ones
+        const forwardHeaders = {};
+        for (const [key, value] of Object.entries(req.headers)) {
+            const lowerKey = key.toLowerCase();
+            if (lowerKey === "x-target-url" ||
+                lowerKey === "host" ||
+                lowerKey === "connection" ||
+                lowerKey === "content-length" // Let fetch recalculate after body modification
+            ) {
+                continue;
+            }
+            if (value !== undefined) {
+                forwardHeaders[key] = Array.isArray(value) ? value.join(", ") : value;
+            }
+        }
+        // Inject provider API key only for hostname-matched providers (strict).
+        // Path-only matches are NOT trusted for key injection to prevent leakage.
+        log.info(`[PROXY] Provider detection: strict=${detectedProviderStrict}, metrics=${detectedProviderForMetrics}`);
+        if (detectedProviderStrict !== "unknown") {
+            const providerKey = providerKeys[detectedProviderStrict];
+            if (providerKey) {
+                const authHeader = (0, shared_1.getProviderAuthHeader)(detectedProviderStrict, providerKey);
+                if (authHeader) {
+                    // Remove any existing auth header and inject the configured one
+                    const existingAuthKey = Object.keys(forwardHeaders).find((k) => k.toLowerCase() === authHeader.name.toLowerCase());
+                    if (existingAuthKey) {
+                        log.info(`[PROXY] Replacing existing ${existingAuthKey} header with configured key`);
+                        delete forwardHeaders[existingAuthKey];
+                    }
+                    forwardHeaders[authHeader.name] = authHeader.value;
+                    log.info(`[PROXY] Injected ${authHeader.name} header for ${detectedProviderStrict}`);
+                }
+            }
+            else {
+                log.warn(`[PROXY] No API key configured for provider: ${detectedProviderStrict}`);
+            }
+        }
+        const requestStart = Date.now();
+        let providerResponse;
+        try {
+            providerResponse = await fetch(targetUrl, {
+                method,
+                headers: forwardHeaders,
+                body: method !== "GET" && method !== "HEAD"
+                    ? new Uint8Array(modifiedRequestBody)
+                    : undefined,
+                signal: AbortSignal.timeout(UPSTREAM_TIMEOUT_MS),
+            });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : "Unknown fetch error";
+            log.error(`[PROXY] Upstream request failed: ${message}`);
+            sendJson(res, 502, { error: `Upstream request failed: ${message}` });
+            return;
+        }
+        log.info(`[PROXY] Response: ${providerResponse.status} ${providerResponse.statusText}`);
+        // Check if the response is an SSE stream
+        const contentType = providerResponse.headers.get("content-type") ?? "";
+        const isSSE = contentType.includes("text/event-stream");
+        if (isSSE && providerResponse.body) {
+            // ---------------------------------------------------------------
+            // STREAMING PATH: pipe chunks through to client in real-time,
+            // accumulate them for metric extraction after the stream ends.
+            // ---------------------------------------------------------------
+            const responseHeaders = {};
+            providerResponse.headers.forEach((value, key) => {
+                responseHeaders[key] = value;
+            });
+            res.writeHead(providerResponse.status, responseHeaders);
+            const chunks = [];
+            let accumulatedSize = 0;
+            const reader = providerResponse.body.getReader();
+            try {
+                for (;;) {
+                    const { done, value } = await reader.read();
+                    if (done)
+                        break;
+                    const buf = Buffer.from(value);
+                    res.write(buf);
+                    accumulatedSize += buf.length;
+                    if (accumulatedSize <= MAX_SSE_BUFFER_SIZE) {
+                        chunks.push(buf);
+                    }
+                }
+            }
+            catch (error) {
+                log.error("Stream read error", { err: error instanceof Error ? error.message : String(error) });
+            }
+            finally {
+                res.end();
+            }
+            const latencyMs = Date.now() - requestStart;
+            const fullBody = Buffer.concat(chunks);
+            try {
+                extractStreamingMetrics(detectedProviderForMetrics, providerResponse.status, fullBody, latencyMs, effectiveAgentId, requestedModel);
+            }
+            catch (error) {
+                log.error("Streaming metric extraction error", { err: error instanceof Error ? error.message : String(error) });
+            }
+        }
+        else {
+            // ---------------------------------------------------------------
+            // NON-STREAMING PATH: buffer full response, forward, extract.
+            // ---------------------------------------------------------------
+            let responseBodyBuffer;
+            try {
+                const arrayBuffer = await providerResponse.arrayBuffer();
+                responseBodyBuffer = Buffer.from(arrayBuffer);
+            }
+            catch {
+                sendJson(res, 502, {
+                    error: "Failed to read upstream response body",
+                });
+                return;
+            }
+            const latencyMs = Date.now() - requestStart;
+            // Forward status code and headers back to the client
+            const responseHeaders = {};
+            providerResponse.headers.forEach((value, key) => {
+                // Skip transfer-encoding since we are sending the full body
+                if (key.toLowerCase() === "transfer-encoding")
+                    return;
+                responseHeaders[key] = value;
+            });
+            res.writeHead(providerResponse.status, responseHeaders);
+            res.end(responseBodyBuffer);
+            // After response is sent, extract metrics asynchronously
+            try {
+                extractAndQueueMetrics(detectedProviderForMetrics, providerResponse.status, responseBodyBuffer, latencyMs, effectiveAgentId, requestedModel);
+            }
+            catch (error) {
+                log.error("Metric extraction error", { err: error instanceof Error ? error.message : String(error) });
+            }
+        }
+    }
+    function extractStreamingMetrics(provider, statusCode, sseBody, latencyMs, effectiveAgentId, requestedModel) {
+        if (provider === "unknown") {
+            log.warn("Unrecognized provider - skipping streaming metric extraction");
+            return;
+        }
+        const sseText = sseBody.toString("utf-8");
+        const parsed = parseSSEResponse(provider, sseText, statusCode);
+        if (!parsed) {
+            log.warn(`No parseable SSE data for provider: ${provider} — skipping event`);
+            return;
+        }
+        let costUsd = null;
+        if (parsed.model && parsed.tokensIn != null && parsed.tokensOut != null) {
+            costUsd = (0, shared_1.calculateCost)(parsed.model, parsed.tokensIn, parsed.tokensOut);
+        }
+        const event = {
+            agent_id: effectiveAgentId,
+            event_type: "llm_call",
+            provider,
+            model: parsed.model,
+            requested_model: requestedModel,
+            tokens_in: parsed.tokensIn,
+            tokens_out: parsed.tokensOut,
+            tokens_total: parsed.tokensTotal,
+            cost_usd: costUsd,
+            latency_ms: latencyMs,
+            status_code: statusCode,
+            source: "proxy",
+            timestamp: new Date().toISOString(),
+            tags: { streaming: "true" },
+        };
+        eventBuffer.add(event);
+    }
+    function extractAndQueueMetrics(provider, statusCode, responseBody, latencyMs, effectiveAgentId, requestedModel) {
+        if (provider === "unknown") {
+            log.warn("Unrecognized provider - skipping metric extraction");
+            return;
+        }
+        // Parse the response body as JSON
+        let parsedBody;
+        try {
+            parsedBody = JSON.parse(responseBody.toString("utf-8"));
+        }
+        catch {
+            log.warn(`Could not parse response body as JSON for ${provider} - skipping metric extraction`);
+            return;
+        }
+        const parsed = (0, shared_1.parseProviderResponse)(provider, parsedBody, statusCode);
+        if (!parsed) {
+            log.warn(`No parser result for provider: ${provider}`);
+            return;
+        }
+        // Calculate cost if we have the necessary token data
+        let costUsd = null;
+        if (parsed.model && parsed.tokensIn != null && parsed.tokensOut != null) {
+            costUsd = (0, shared_1.calculateCost)(parsed.model, parsed.tokensIn, parsed.tokensOut);
+        }
+        const event = {
+            agent_id: effectiveAgentId,
+            event_type: "llm_call",
+            provider,
+            model: parsed.model,
+            requested_model: requestedModel,
+            tokens_in: parsed.tokensIn,
+            tokens_out: parsed.tokensOut,
+            tokens_total: parsed.tokensTotal,
+            cost_usd: costUsd,
+            latency_ms: latencyMs,
+            status_code: statusCode,
+            source: "proxy",
+            timestamp: new Date().toISOString(),
+            tags: {},
+        };
+        eventBuffer.add(event);
+    }
+    server.listen(port);
+    async function shutdown() {
+        if (rateLimitRefreshTimer) {
+            clearInterval(rateLimitRefreshTimer);
+        }
+        await eventBuffer.shutdown();
+        return new Promise((resolve, reject) => {
+            server.close((err) => {
+                if (err)
+                    reject(err);
+                else
+                    resolve();
+            });
+        });
+    }
+    return { server, shutdown };
+}
+//# sourceMappingURL=proxy-server.js.map