@antseed/provider-core 0.1.0

package/dist/token-providers.js

@@ -0,0 +1,151 @@
+const REFRESH_BUFFER_MS = 5 * 60 * 1000; // refresh 5 min before expiry
+const DEFAULT_REFRESH_TIMEOUT_MS = 15_000;
+const DEFAULT_OAUTH_TOKEN_ENDPOINT = 'https://console.anthropic.com/v1/oauth/token';
+function getRefreshTimeoutMs() {
+    const raw = process.env['ANTSEED_OAUTH_REFRESH_TIMEOUT_MS'];
+    if (!raw) {
+        return DEFAULT_REFRESH_TIMEOUT_MS;
+    }
+    const parsed = Number.parseInt(raw.trim(), 10);
+    if (!Number.isFinite(parsed) || parsed <= 0) {
+        return DEFAULT_REFRESH_TIMEOUT_MS;
+    }
+    return parsed;
+}
+// ---------------------------------------------------------------------------
+// StaticTokenProvider
+// ---------------------------------------------------------------------------
+/** Wraps a static API key. No refresh logic. */
+export class StaticTokenProvider {
+    token;
+    constructor(token) {
+        this.token = token;
+    }
+    async getToken() {
+        return this.token;
+    }
+    stop() { }
+    getState() {
+        return { accessToken: this.token };
+    }
+}
+/**
+ * Manages an OAuth access/refresh token pair.
+ * Transparently refreshes the access token when it nears expiry.
+ */
+export class OAuthTokenProvider {
+    state;
+    refreshPromise = null;
+    tokenEndpoint;
+    requestEncoding;
+    clientId;
+    constructor(opts) {
+        this.state = {
+            accessToken: opts.accessToken,
+            refreshToken: opts.refreshToken,
+            expiresAt: opts.expiresAt,
+        };
+        this.tokenEndpoint = opts.tokenEndpoint ?? DEFAULT_OAUTH_TOKEN_ENDPOINT;
+        this.requestEncoding = opts.requestEncoding ?? 'form';
+        this.clientId = opts.clientId;
+    }
+    async getToken() {
+        if (!this.isExpiringSoon()) {
+            return this.state.accessToken;
+        }
+        // Deduplicate concurrent refresh calls
+        if (!this.refreshPromise) {
+            this.refreshPromise = this.refresh().finally(() => {
+                this.refreshPromise = null;
+            });
+        }
+        return this.refreshPromise;
+    }
+    stop() { }
+    /** Expose current state for persistence. */
+    getState() {
+        return { ...this.state };
+    }
+    isExpiringSoon() {
+        return Date.now() >= this.state.expiresAt - REFRESH_BUFFER_MS;
+    }
+    async refresh() {
+        const payload = {
+            grant_type: 'refresh_token',
+            refresh_token: this.state.refreshToken,
+        };
+        if (this.clientId) {
+            payload['client_id'] = this.clientId;
+        }
+        const headers = this.requestEncoding === 'json'
+            ? { 'Content-Type': 'application/json' }
+            : { 'Content-Type': 'application/x-www-form-urlencoded' };
+        const body = this.requestEncoding === 'json'
+            ? JSON.stringify(payload)
+            : new URLSearchParams(payload).toString();
+        const timeoutMs = getRefreshTimeoutMs();
+        const controller = new AbortController();
+        const timeoutHandle = setTimeout(() => controller.abort(), timeoutMs);
+        let res;
+        try {
+            res = await fetch(this.tokenEndpoint, {
+                method: 'POST',
+                headers,
+                body,
+                signal: controller.signal,
+            });
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            if (err instanceof Error && err.name === 'AbortError') {
+                throw new Error(`OAuth refresh timed out after ${timeoutMs}ms while reaching ${this.tokenEndpoint}. ` +
+                    'Check network/proxy/firewall access or use apikey auth.');
+            }
+            throw new Error(`OAuth refresh request failed: ${message}`);
+        }
+        finally {
+            clearTimeout(timeoutHandle);
+        }
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`OAuth refresh failed (${res.status}): ${text}`);
+        }
+        const data = (await res.json());
+        const newAccess = data.access_token ?? data.accessToken;
+        if (!newAccess) {
+            throw new Error('OAuth refresh response missing access token');
+        }
+        this.state.accessToken = newAccess;
+        if (data.refresh_token ?? data.refreshToken) {
+            this.state.refreshToken = (data.refresh_token ?? data.refreshToken);
+        }
+        if (data.expires_at ?? data.expiresAt) {
+            this.state.expiresAt = (data.expires_at ?? data.expiresAt);
+        }
+        else if (data.expires_in) {
+            this.state.expiresAt = Date.now() + data.expires_in * 1000;
+        }
+        return this.state.accessToken;
+    }
+}
+/**
+ * Create the appropriate TokenProvider from config values.
+ */
+export function createTokenProvider(opts) {
+    const authType = opts.authType ?? 'apikey';
+    switch (authType) {
+        case 'oauth':
+            if (!opts.refreshToken) {
+                // No refresh token — treat as static (works until expiry)
+                return new StaticTokenProvider(opts.authValue);
+            }
+            return new OAuthTokenProvider({
+                accessToken: opts.authValue,
+                refreshToken: opts.refreshToken,
+                expiresAt: opts.expiresAt ?? Date.now() + 3600_000,
+            });
+        default:
+            return new StaticTokenProvider(opts.authValue);
+    }
+}
+//# sourceMappingURL=token-providers.js.map

package/dist/token-providers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-providers.js","sourceRoot":"","sources":["../src/token-providers.ts"],"names":[],"mappings":"AAIA,MAAM,iBAAiB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,8BAA8B;AACvE,MAAM,0BAA0B,GAAG,MAAM,CAAC;AAC1C,MAAM,4BAA4B,GAAG,8CAA8C,CAAC;AAEpF,SAAS,mBAAmB;IAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;IAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,0BAA0B,CAAC;IACpC,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,CAAC;QAC5C,OAAO,0BAA0B,CAAC;IACpC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,gDAAgD;AAChD,MAAM,OAAO,mBAAmB;IACD;IAA7B,YAA6B,KAAa;QAAb,UAAK,GAAL,KAAK,CAAQ;IAAG,CAAC;IAC9C,KAAK,CAAC,QAAQ;QACZ,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IACD,IAAI,KAAU,CAAC;IACf,QAAQ;QACN,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;IACrC,CAAC;CACF;AAcD;;;GAGG;AACH,MAAM,OAAO,kBAAkB;IACrB,KAAK,CAAa;IAClB,cAAc,GAA2B,IAAI,CAAC;IACrC,aAAa,CAAS;IACtB,eAAe,CAAyB;IACxC,QAAQ,CAAqB;IAE9C,YAAY,IAOX;QACC,IAAI,CAAC,KAAK,GAAG;YACX,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC;QACF,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,IAAI,4BAA4B,CAAC;QACxE,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC;QACtD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC;QAChC,CAAC;QACD,uCAAuC;QACvC,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;gBAChD,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;YAC7B,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAED,IAAI,KAAU,CAAC;IAEf,4CAA4C;IAC5C,QAAQ;QACN,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;IAC3B,CAAC;IAEO,cAAc;QACpB,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,iBAAiB,CAAC;IAChE,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,MAAM,OAAO,GAA2B;YACtC,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,YAAY;SACvC,CAAC;QACF,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QACvC,CAAC;QAED,MAAM,OAAO,GACX,IAAI,CAAC,eAAe,KAAK,MAAM;YAC7B,CAAC,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE;YACxC,CAAC,CAAC,EAAE,cAAc,EAAE,mCAAmC,EAAE,CAAC;QAC9D,MAAM,IAAI,GACR,IAAI,CAAC,eAAe,KAAK,MAAM;YAC7B,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;YACzB,CAAC,CAAC,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QAE9C,MAAM,SAAS,GAAG,mBAAmB,EAAE,CAAC;QACxC,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;QAEtE,IAAI,GAAa,CAAC;QAClB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE;gBACpC,MAAM,EAAE,MAAM;gBACd,OAAO;gBACP,IAAI;gBACJ,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBACtD,MAAM,IAAI,KAAK,CACb,iCAAiC,SAAS,qBAAqB,IAAI,CAAC,aAAa,IAAI;oBACnF,yDAAyD,CAC5D,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,iCAAiC,OAAO,EAAE,CAAC,CAAC;QAC9D,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,aAAa,CAAC,CAAC;QAC9B,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAQ7B,CAAC;QAEF,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,WAAW,CAAC;QACxD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;QACjE,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,SAAS,CAAC;QACnC,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YAC5C,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,CAAC,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,YAAY,CAAE,CAAC;QACvE,CAAC;QACD,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACtC,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,SAAS,CAAE,CAAC;QAC9D,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAC3B,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QAC7D,CAAC;QAED,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC;IAChC,CAAC;CACF;AAQD;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAKnC;IACC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC;IAE3C,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACvB,0DAA0D;gBAC1D,OAAO,IAAI,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACjD,CAAC;YACD,OAAO,IAAI,kBAAkB,CAAC;gBAC5B,WAAW,EAAE,IAAI,CAAC,SAAS;gBAC3B,YAAY,EAAE,IAAI,CAAC,YAAY;gBAC/B,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ;aACnD,CAAC,CAAC;QAEL;YACE,OAAO,IAAI,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACnD,CAAC;AACH,CAAC"}

package/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "@antseed/provider-core",
+  "version": "0.1.0",
+  "description": "Shared provider infrastructure for Antseed plugins",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "prebuild": "rm -rf dist",
+    "build": "tsc",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
+  },
+  "peerDependencies": {
+    "@antseed/node": ">=0.1.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.5.0",
+    "vitest": "^2.0.0",
+    "@antseed/node": "workspace:*"
+  }
+}

package/src/auth-swap.ts

@@ -0,0 +1,89 @@
+import type { SerializedHttpRequest } from '@antseed/node';
+
+/** Set of all known auth header names (lowercase). */
+export const KNOWN_AUTH_HEADERS: Set<string> = new Set([
+  'authorization', 'x-api-key', 'x-goog-api-key',
+]);
+
+/**
+ * Strips all known auth headers and injects the seller's auth.
+ * Returns a NEW object (no mutation of the original).
+ */
+export function swapAuthHeader(
+  request: SerializedHttpRequest,
+  config: { authHeaderName: string; authHeaderValue: string; extraHeaders?: Record<string, string> }
+): SerializedHttpRequest {
+  const newHeaders: Record<string, string> = {};
+
+  for (const [key, value] of Object.entries(request.headers)) {
+    if (!KNOWN_AUTH_HEADERS.has(key.toLowerCase())) {
+      newHeaders[key] = value;
+    }
+  }
+
+  newHeaders[config.authHeaderName] = config.authHeaderValue;
+
+  // Inject any extra headers (e.g. anthropic-beta for OAuth).
+  // For anthropic-beta, merge with existing values (comma-separated)
+  // so the buyer's beta flags (e.g. context-management) are preserved.
+  if (config.extraHeaders) {
+    for (const [key, value] of Object.entries(config.extraHeaders)) {
+      const lower = key.toLowerCase();
+      if (lower === 'anthropic-beta' && newHeaders[key]) {
+        // Merge: deduplicate comma-separated beta flags
+        const existing = new Set(newHeaders[key]!.split(',').map((s) => s.trim()));
+        for (const flag of value.split(',').map((s) => s.trim())) {
+          existing.add(flag);
+        }
+        newHeaders[key] = [...existing].join(',');
+      } else {
+        newHeaders[key] = value;
+      }
+    }
+  }
+
+  return {
+    requestId: request.requestId,
+    method: request.method,
+    path: request.path,
+    headers: newHeaders,
+    body: request.body,
+  };
+}
+
+/**
+ * Validate request against allowed models.
+ * Parses JSON body and enforces strict top-level `"model"` allow-list.
+ * Returns null if ok, error string if rejected.
+ */
+export function validateRequestModel(
+  request: SerializedHttpRequest,
+  allowedModels: string[]
+): string | null {
+  // If allowedModels is empty, allow everything
+  if (allowedModels.length === 0) {
+    return null;
+  }
+
+  let payload: unknown;
+  try {
+    payload = JSON.parse(new TextDecoder().decode(request.body)) as unknown;
+  } catch {
+    return "Invalid JSON request body";
+  }
+
+  if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
+    return 'Request body must be a JSON object containing a "model" field';
+  }
+
+  const model = (payload as Record<string, unknown>)["model"];
+  if (typeof model !== "string" || model.trim() === "") {
+    return 'Request is missing a valid "model" field';
+  }
+
+  if (!allowedModels.includes(model)) {
+    return `Model "${model}" is not in the allowed list`;
+  }
+
+  return null;
+}

package/src/base-provider.ts

@@ -0,0 +1,84 @@
+import type { Provider, SerializedHttpRequest, SerializedHttpResponse, SerializedHttpResponseChunk } from '@antseed/node';
+import { HttpRelay, type RelayConfig } from './http-relay.js';
+
+export interface BaseProviderConfig {
+  name: string;
+  models: string[];
+  pricing: Provider['pricing'];
+  relay: RelayConfig;
+}
+
+/**
+ * Convenience base class that wires HttpRelay to the Provider interface.
+ * Pattern adapted from provider-anthropic's AnthropicProvider.
+ */
+export class BaseProvider implements Provider {
+  readonly name: string;
+  readonly models: string[];
+  readonly pricing: Provider['pricing'];
+  readonly maxConcurrency: number;
+
+  private readonly _relay: HttpRelay;
+  private _activeCount = 0;
+
+  private readonly _pending = new Map<
+    string,
+    { resolve: (res: SerializedHttpResponse) => void; reject: (err: Error) => void }
+  >();
+
+  constructor(config: BaseProviderConfig) {
+    this.name = config.name;
+    this.models = config.models;
+    this.pricing = config.pricing;
+    this.maxConcurrency = config.relay.maxConcurrency;
+
+    this._relay = new HttpRelay(config.relay, {
+      onResponse: (response: SerializedHttpResponse) => {
+        this._resolvePending(response.requestId, response);
+      },
+      onResponseChunk: (_chunk: SerializedHttpResponseChunk) => {
+        // Chunks are accumulated by HttpRelay into a complete response
+      },
+    });
+  }
+
+  private _resolvePending(requestId: string, response: SerializedHttpResponse): void {
+    const entry = this._pending.get(requestId);
+    if (entry) {
+      this._pending.delete(requestId);
+      entry.resolve(response);
+    }
+  }
+
+  async init(): Promise<void> {
+    if (this._relay['_config'].tokenProvider) {
+      await this._relay['_config'].tokenProvider.getToken();
+    }
+  }
+
+  async handleRequest(req: SerializedHttpRequest): Promise<SerializedHttpResponse> {
+    this._activeCount++;
+    try {
+      const responsePromise = new Promise<SerializedHttpResponse>((resolve, reject) => {
+        this._pending.set(req.requestId, { resolve, reject });
+      });
+
+      // Fire the relay (it calls onResponse when done)
+      await this._relay.handleRequest(req);
+
+      return await responsePromise;
+    } catch (err) {
+      this._pending.delete(req.requestId);
+      throw err;
+    } finally {
+      this._activeCount--;
+    }
+  }
+
+  getCapacity(): { current: number; max: number } {
+    return {
+      current: this._activeCount,
+      max: this.maxConcurrency,
+    };
+  }
+}

package/src/http-relay.test.ts

@@ -0,0 +1,269 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { HttpRelay, type RelayConfig, type RelayCallbacks } from './http-relay.js';
+import type { SerializedHttpRequest, SerializedHttpResponse } from '@antseed/node';
+
+function makeRequest(overrides?: Partial<SerializedHttpRequest>): SerializedHttpRequest {
+  return {
+    requestId: 'req-1',
+    method: 'POST',
+    path: '/v1/messages',
+    headers: { 'content-type': 'application/json' },
+    body: new TextEncoder().encode(JSON.stringify({ model: 'claude-sonnet-4-20250514', messages: [] })),
+    ...overrides,
+  };
+}
+
+function makeConfig(overrides?: Partial<RelayConfig>): RelayConfig {
+  return {
+    baseUrl: 'https://api.example.com',
+    authHeaderName: 'x-api-key',
+    authHeaderValue: 'sk-test-key',
+    maxConcurrency: 2,
+    allowedModels: ['claude-sonnet-4-20250514'],
+    ...overrides,
+  };
+}
+
+describe('HttpRelay', () => {
+  let fetchMock: ReturnType<typeof vi.fn>;
+  const originalFetch = globalThis.fetch;
+
+  beforeEach(() => {
+    fetchMock = vi.fn();
+    globalThis.fetch = fetchMock;
+  });
+
+  afterEach(() => {
+    globalThis.fetch = originalFetch;
+  });
+
+  it('relays a successful non-streaming response', async () => {
+    const responseBody = JSON.stringify({ id: 'msg_1', content: [{ text: 'Hello' }] });
+    fetchMock.mockResolvedValueOnce(new Response(responseBody, {
+      status: 200,
+      headers: { 'content-type': 'application/json', 'request-id': 'upstream-1' },
+    }));
+
+    const responses: SerializedHttpResponse[] = [];
+    const callbacks: RelayCallbacks = {
+      onResponse: (res) => responses.push(res),
+    };
+
+    const relay = new HttpRelay(makeConfig(), callbacks);
+    await relay.handleRequest(makeRequest());
+
+    expect(responses).toHaveLength(1);
+    expect(responses[0]!.statusCode).toBe(200);
+    expect(responses[0]!.requestId).toBe('req-1');
+    expect(responses[0]!.headers['content-type']).toBe('application/json');
+
+    // Verify fetch was called with the right URL and auth
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [url, opts] = fetchMock.mock.calls[0] as [string, RequestInit];
+    expect(url).toBe('https://api.example.com/v1/messages');
+    expect((opts.headers as Record<string, string>)['x-api-key']).toBe('sk-test-key');
+  });
+
+  it('rejects disallowed model', async () => {
+    const responses: SerializedHttpResponse[] = [];
+    const callbacks: RelayCallbacks = {
+      onResponse: (res) => responses.push(res),
+    };
+
+    const relay = new HttpRelay(makeConfig(), callbacks);
+    const req = makeRequest({
+      body: new TextEncoder().encode(JSON.stringify({ model: 'gpt-4', messages: [] })),
+    });
+    await relay.handleRequest(req);
+
+    expect(responses).toHaveLength(1);
+    expect(responses[0]!.statusCode).toBe(403);
+    const body = JSON.parse(new TextDecoder().decode(responses[0]!.body)) as { error: string };
+    expect(body.error).toContain('not in the allowed list');
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it('allows any model when allowedModels is empty', async () => {
+    fetchMock.mockResolvedValueOnce(new Response('{}', { status: 200 }));
+
+    const responses: SerializedHttpResponse[] = [];
+    const callbacks: RelayCallbacks = {
+      onResponse: (res) => responses.push(res),
+    };
+
+    const relay = new HttpRelay(makeConfig({ allowedModels: [] }), callbacks);
+    const req = makeRequest({
+      body: new TextEncoder().encode(JSON.stringify({ model: 'any-model', messages: [] })),
+    });
+    await relay.handleRequest(req);
+
+    expect(responses).toHaveLength(1);
+    expect(responses[0]!.statusCode).toBe(200);
+  });
+
+  it('enforces concurrency limit', async () => {
+    // Create a fetch that blocks until we resolve it
+    let resolveFirst!: (value: Response) => void;
+    const firstFetch = new Promise<Response>((resolve) => { resolveFirst = resolve; });
+
+    fetchMock.mockReturnValueOnce(firstFetch);
+
+    const responses: SerializedHttpResponse[] = [];
+    const callbacks: RelayCallbacks = {
+      onResponse: (res) => responses.push(res),
+    };
+
+    const relay = new HttpRelay(makeConfig({ maxConcurrency: 1 }), callbacks);
+
+    // Start first request (fills concurrency) — do NOT await
+    const p1 = relay.handleRequest(makeRequest({ requestId: 'req-1' }));
+
+    // Yield to allow the first handleRequest to progress to its await
+    await new Promise((r) => setTimeout(r, 0));
+
+    // Active count should be 1 now
+    expect(relay.getActiveCount()).toBe(1);
+
+    // Second request should be rejected (concurrency full)
+    await relay.handleRequest(makeRequest({ requestId: 'req-2' }));
+    expect(responses).toHaveLength(1);
+    expect(responses[0]!.requestId).toBe('req-2');
+    expect(responses[0]!.statusCode).toBe(429);
+
+    // Complete first request
+    resolveFirst(new Response('{}', { status: 200 }));
+    await p1;
+    expect(responses).toHaveLength(2);
+    expect(responses[1]!.requestId).toBe('req-1');
+    expect(responses[1]!.statusCode).toBe(200);
+
+    // Now concurrency is free, third request should work
+    fetchMock.mockResolvedValueOnce(new Response('{}', { status: 200 }));
+    await relay.handleRequest(makeRequest({ requestId: 'req-3' }));
+    expect(responses).toHaveLength(3);
+    expect(responses[2]!.requestId).toBe('req-3');
+    expect(responses[2]!.statusCode).toBe(200);
+  });
+
+  it('strips hop-by-hop and internal headers from request', async () => {
+    fetchMock.mockResolvedValueOnce(new Response('{}', { status: 200 }));
+
+    const responses: SerializedHttpResponse[] = [];
+    const callbacks: RelayCallbacks = {
+      onResponse: (res) => responses.push(res),
+    };
+
+    const relay = new HttpRelay(makeConfig(), callbacks);
+    await relay.handleRequest(makeRequest({
+      headers: {
+        'content-type': 'application/json',
+        'connection': 'keep-alive',
+        'x-antseed-provider': 'anthropic',
+        'host': 'localhost:3000',
+        'x-custom': 'keep-me',
+      },
+    }));
+
+    const [, opts] = fetchMock.mock.calls[0] as [string, RequestInit];
+    const sentHeaders = opts.headers as Record<string, string>;
+    expect(sentHeaders['connection']).toBeUndefined();
+    expect(sentHeaders['x-antseed-provider']).toBeUndefined();
+    expect(sentHeaders['host']).toBeUndefined();
+    expect(sentHeaders['x-custom']).toBe('keep-me');
+  });
+
+  it('uses tokenProvider when present', async () => {
+    fetchMock.mockResolvedValueOnce(new Response('{}', { status: 200 }));
+
+    const responses: SerializedHttpResponse[] = [];
+    const callbacks: RelayCallbacks = {
+      onResponse: (res) => responses.push(res),
+    };
+
+    const tokenProvider = {
+      getToken: vi.fn().mockResolvedValue('fresh-token'),
+      stop: vi.fn(),
+    };
+
+    const relay = new HttpRelay(
+      makeConfig({
+        authHeaderName: 'authorization',
+        authHeaderValue: 'Bearer old-token',
+        tokenProvider,
+      }),
+      callbacks,
+    );
+
+    await relay.handleRequest(makeRequest());
+
+    expect(tokenProvider.getToken).toHaveBeenCalledOnce();
+    const [, opts] = fetchMock.mock.calls[0] as [string, RequestInit];
+    const sentHeaders = opts.headers as Record<string, string>;
+    expect(sentHeaders['authorization']).toBe('Bearer fresh-token');
+  });
+
+  it('returns 502 on fetch failure', async () => {
+    fetchMock.mockRejectedValueOnce(new Error('Connection refused'));
+
+    const responses: SerializedHttpResponse[] = [];
+    const callbacks: RelayCallbacks = {
+      onResponse: (res) => responses.push(res),
+    };
+
+    const relay = new HttpRelay(makeConfig(), callbacks);
+    await relay.handleRequest(makeRequest());
+
+    expect(responses).toHaveLength(1);
+    expect(responses[0]!.statusCode).toBe(502);
+    const body = JSON.parse(new TextDecoder().decode(responses[0]!.body)) as { error: string };
+    expect(body.error).toContain('Connection refused');
+  });
+
+  it('accumulates SSE response into complete body', async () => {
+    const sseChunks = [
+      'event: message\ndata: {"text":"Hello"}\n\n',
+      'event: message\ndata: {"text":"World"}\n\n',
+    ];
+    const stream = new ReadableStream({
+      start(controller) {
+        for (const chunk of sseChunks) {
+          controller.enqueue(new TextEncoder().encode(chunk));
+        }
+        controller.close();
+      },
+    });
+
+    fetchMock.mockResolvedValueOnce(new Response(stream, {
+      status: 200,
+      headers: { 'content-type': 'text/event-stream' },
+    }));
+
+    const responses: SerializedHttpResponse[] = [];
+    const callbacks: RelayCallbacks = {
+      onResponse: (res) => responses.push(res),
+    };
+
+    const relay = new HttpRelay(makeConfig(), callbacks);
+    await relay.handleRequest(makeRequest());
+
+    expect(responses).toHaveLength(1);
+    expect(responses[0]!.statusCode).toBe(200);
+    const bodyText = new TextDecoder().decode(responses[0]!.body);
+    expect(bodyText).toContain('Hello');
+    expect(bodyText).toContain('World');
+  });
+
+  it('tracks active count correctly', async () => {
+    fetchMock.mockResolvedValue(new Response('{}', { status: 200 }));
+
+    const callbacks: RelayCallbacks = {
+      onResponse: () => {},
+    };
+
+    const relay = new HttpRelay(makeConfig(), callbacks);
+    expect(relay.getActiveCount()).toBe(0);
+
+    await relay.handleRequest(makeRequest());
+    expect(relay.getActiveCount()).toBe(0); // decremented after completion
+  });
+});