@bonginkan/maria 4.3.33 → 4.3.34

package/dist/server-express.cjs

@@ -6815,6 +6815,45 @@ var init_src = __esm({
     supportedSchemas = /* @__PURE__ */ new Set(["data:", "http:", "https:"]);
   }
 });
+
+// src/services/media-orchestrator/image-post.ts
+var image_post_exports = {};
+__export(image_post_exports, {
+  processImageOptional: () => processImageOptional
+});
+async function processImageOptional(bytes, format, keepExif, targetSize) {
+  try {
+    const sharp = (await import('sharp')).default;
+    let img = sharp(bytes).toColourspace("srgb");
+    if (targetSize && Number.isFinite(targetSize.width) && Number.isFinite(targetSize.height)) {
+      const width = Math.max(1, Math.floor(targetSize.width));
+      const height = Math.max(1, Math.floor(targetSize.height));
+      img = img.resize(width, height, { fit: "cover" });
+    }
+    if (keepExif) img = img.withMetadata();
+    const qEnv = Number(process.env.MARIA_SHARP_QUALITY || "80");
+    const quality = Number.isFinite(qEnv) ? Math.max(1, Math.min(100, Math.floor(qEnv))) : 80;
+    const alphaMode = String(process.env.MARIA_SHARP_ALPHA || "").toLowerCase();
+    if (format === "jpg" && alphaMode !== "preserve") {
+      img = img.flatten({ background: { r: 255, g: 255, b: 255 } });
+    }
+    switch (format) {
+      case "png":
+        return await img.png().toBuffer();
+      case "webp":
+        return await img.webp({ quality }).toBuffer();
+      case "jpg":
+        return await img.jpeg({ mozjpeg: true, quality }).toBuffer();
+    }
+    return bytes;
+  } catch {
+    return bytes;
+  }
+}
+var init_image_post = __esm({
+  "src/services/media-orchestrator/image-post.ts"() {
+  }
+});
 var rateLimitStore = /* @__PURE__ */ new Map();
 var RATE_LIMITS = {
   "/image:FREE": { windowMs: 3e3, requests: 1 },
@@ -7105,6 +7144,14 @@ var GeminiMediaProvider = class {
   async generateImage(req) {
     const modelName = this.primaryModel;
     const promptPreview = String(req.prompt ?? "").replace(/\s+/g, " ").slice(0, 200);
+    const targetMime = (() => {
+      const fmt = (req.format || "png").toLowerCase();
+      if (fmt === "jpg") return "image/jpeg";
+      if (fmt === "jpeg") return "image/jpeg";
+      if (fmt === "png") return "image/png";
+      if (fmt === "webp") return "image/webp";
+      return "image/png";
+    })();
     let resp;
     try {
       resp = await this.ai.models.generateContent({
@@ -7112,7 +7159,7 @@ var GeminiMediaProvider = class {
         contents: [{ role: "user", parts: [{ text: String(req.prompt) }] }],
         generationConfig: {
           responseModalities: ["IMAGE"],
-          responseMimeType: `image/${req.format || "png"}`
+          responseMimeType: targetMime
         }
       });
     } catch (err) {
@@ -7134,7 +7181,7 @@ var GeminiMediaProvider = class {
       const mime = p?.inlineData?.mimeType || p?.inline_data?.mime_type || p?.inline_data?.mimeType || p?.inlineData?.mime_type;
       if (data) {
         const buf = Buffer.from(String(data), "base64");
-        if (buf.length > 0) return { bytes: buf, mime: typeof mime === "string" ? mime : `image/${req.format}` };
+        if (buf.length > 0) return { bytes: buf, mime: typeof mime === "string" ? mime : targetMime };
       }
     }
     try {
@@ -7147,7 +7194,7 @@ var GeminiMediaProvider = class {
       const bytesB64 = img0?.imageBytes || img0?.bytesBase64Encoded;
       if (bytesB64) {
         const buf = Buffer.from(String(bytesB64), "base64");
-        if (buf.length > 0) return { bytes: buf, mime: `image/${req.format || "png"}` };
+        if (buf.length > 0) return { bytes: buf, mime: targetMime };
       }
     } catch {
     }
@@ -7167,148 +7214,6 @@ var GeminiMediaProvider = class {
   }
 };
 
-// src/config/plans/free-plan.json
-var free_plan_default = {
-  id: "free",
-  name: "Free",
-  displayName: "Free Plan",
-  priceUsd: 0,
-  priceJpy: 0,
-  status: "active",
-  features: {
-    priority: "community",
-    support: "community",
-    accessLevel: "basic"
-  },
-  buckets: {
-    req: 100,
-    tokens: 15e4,
-    code: 20,
-    attachment: 5,
-    image: 25,
-    video: 5
-  },
-  models: [
-    "google:gemini-2.5-flash",
-    "google:gemini-2.0-flash"
-  ],
-  imageModels: [
-    "google:imagen-4-fast",
-    "google:gemini-2.5-image"
-  ],
-  videoModels: [
-    "google:veo-3-fast",
-    "google:veo-2.0-generate-001"
-  ],
-  costRules: {
-    longContextTokens: {
-      threshold: 8e3,
-      multiplier: 2,
-      description: "Long context (>8k tokens) consumes 2x"
-    },
-    imageGen: {
-      multiplier: 1,
-      description: "1 image = 1 image bucket consumption"
-    },
-    videoGen: {
-      multiplier: 1,
-      description: "1 video = 1 video bucket consumption"
-    }
-  },
-  limits: {
-    image: {
-      maxSize: "1024x1024",
-      maxWidth: 1024,
-      maxHeight: 1024,
-      maxCountPerCall: 1,
-      formats: ["png", "jpg", "jpeg", "webp", "svg"],
-      monthlyLimit: 25
-    },
-    video: {
-      maxDurationSec: 8,
-      minDurationSec: 6,
-      maxCountPerCall: 1,
-      aspectWhitelist: ["16:9", "9:16", "1:1"],
-      personGeneration: "DONT_ALLOW",
-      monthlyLimit: 5
-    },
-    code: {
-      maxTokensPerRequest: 8e3,
-      maxOutputTokens: 2048,
-      temperature: {
-        min: 0.1,
-        max: 0.2,
-        default: 0.15
-      }
-    },
-    rateLimit: {
-      requestsPerSecond: 0.33,
-      description: "1 request per 3 seconds"
-    }
-  },
-  fileSave: {
-    allowExtensions: [
-      ".ts",
-      ".tsx",
-      ".js",
-      ".jsx",
-      ".py",
-      ".java",
-      ".go",
-      ".rs",
-      ".html",
-      ".css",
-      ".scss",
-      ".json",
-      ".yml",
-      ".yaml",
-      ".sql",
-      ".csv",
-      ".md",
-      ".sh",
-      ".bash",
-      ".png",
-      ".jpg",
-      ".jpeg",
-      ".webp",
-      ".svg"
-    ],
-    maxFileSizeMB: 10,
-    naming: {
-      convention: "kebab-case",
-      pattern: "^[a-z0-9-_]+\\.[a-z]+$"
-    },
-    dirs: {
-      default: "outputs",
-      images: "outputs/images",
-      videos: "outputs/videos",
-      code: "outputs/code"
-    }
-  },
-  ui: {
-    badge: "FREE",
-    badgeColor: "#4CAF50",
-    description: "Perfect for getting started with AI development",
-    highlights: [
-      "100 requests/month",
-      "Gemini 2.5 Flash for code",
-      "25 images/month (1024px)",
-      "5 videos/month (8 sec)",
-      "Community support"
-    ]
-  },
-  telemetry: {
-    trackingEnabled: true,
-    anonymousId: true,
-    events: [
-      "model_usage",
-      "command_execution",
-      "error_rate",
-      "latency"
-    ]
-  }
-};
-
 // src/services/intelligent-model-selector/IMSFacade.ts
 init_SecretManagerIntegration();
 
@@ -9532,7 +9437,7 @@ app.get("/api/status", (req, res) => {
 app.get("/", (req, res) => {
   res.json({
     name: "MARIA CODE API",
-    version: "4.3.33",
+    version: "4.3.34",
     status: "running",
     environment: process.env.NODE_ENV || "development",
     endpoints: {
@@ -9585,7 +9490,7 @@ function classifyMediaError(err) {
     return { status: 422, code: "policy_violation", message: "Request was blocked by provider policy", hint: "Modify the prompt to comply with safety policies" };
   }
   if (lower2.includes("no inline image returned") || lower2.includes("no video returned") || lower2.includes("refus")) {
-    return { status: 422, code: "content_refused", message: "Model refused or returned no content", hint: "Try rephrasing the prompt or a different model" };
+    return { status: 422, code: "content_refused", message: "Model refused or returned no content", hint: "Try rephrasing the prompt" };
   }
   if (lower2.includes("timeout")) {
     return { status: 504, code: "timeout", message: "Generation timed out", hint: "Please retry later" };
@@ -9619,6 +9524,106 @@ async function decodeFirebaseToken(token) {
     return null;
   }
 }
+function getCurrentPeriodId() {
+  const now = /* @__PURE__ */ new Date();
+  return `${now.getUTCFullYear()}${String(now.getUTCMonth() + 1).padStart(2, "0")}`;
+}
+function nextMonthResetISO() {
+  const d = /* @__PURE__ */ new Date();
+  d.setUTCMonth(d.getUTCMonth() + 1, 1);
+  d.setUTCHours(0, 0, 0, 0);
+  return d.toISOString();
+}
+var PLAN_LIMITS = {
+  free: { req: 300, tokens: 5e4, code: 40, attachment: 5 },
+  starter: { req: 1400, tokens: 1e6, code: 300, attachment: 50 },
+  "starter-annual": { req: 1400, tokens: 1e6, code: 300, attachment: 50 },
+  pro: { req: 5e3, tokens: 35e5, code: 1200, attachment: 200 },
+  "pro-annual": { req: 5e3, tokens: 35e5, code: 1200, attachment: 200 },
+  ultra: { req: 1e4, tokens: 5e6, code: 5e3, attachment: 500 },
+  "ultra-annual": { req: 1e4, tokens: 5e6, code: 5e3, attachment: 500 },
+  enterprise: { req: -1, tokens: -1, code: -1, attachment: -1 }
+};
+function planName(planId) {
+  const names = {
+    free: "Free",
+    starter: "Starter",
+    "starter-annual": "Starter (\u5E74\u984D)",
+    pro: "Pro",
+    "pro-annual": "Pro (\u5E74\u984D)",
+    ultra: "Ultra",
+    "ultra-annual": "Ultra (\u5E74\u984D)",
+    enterprise: "Enterprise"
+  };
+  return names[planId] || "Free";
+}
+async function getUserPlanAndLimits(uid) {
+  const db = await getFirestoreSafe();
+  const fallback = { planId: "free", limits: PLAN_LIMITS.free };
+  if (!db) return fallback;
+  try {
+    const snap = await db.collection("user_subscriptions").doc(uid).get();
+    const pid = snap.exists && snap.data()?.planId ? String(snap.data().planId) : "free";
+    return { planId: pid, limits: PLAN_LIMITS[pid] || PLAN_LIMITS.free };
+  } catch {
+    return fallback;
+  }
+}
+async function ensureUsageDoc(uid) {
+  const db = await getFirestoreSafe();
+  if (!db) return { ref: null, data: null, planId: "free", limits: PLAN_LIMITS.free };
+  const periodId = getCurrentPeriodId();
+  const { planId: pid, limits } = await getUserPlanAndLimits(uid);
+  const ref = db.collection("users").doc(uid).collection("usage").doc(periodId);
+  const snap = await ref.get();
+  if (!snap.exists) {
+    const nowISO = (/* @__PURE__ */ new Date()).toISOString();
+    const init = {
+      periodId,
+      createdAt: nowISO,
+      updatedAt: nowISO,
+      resetAt: nextMonthResetISO(),
+      limits,
+      remain: limits,
+      used: { req: 0, tokens: 0, code: 0, attachment: 0 }
+    };
+    await ref.set(init, { merge: true });
+    return { ref, data: init, planId: pid, limits };
+  }
+  return { ref, data: snap.data(), planId: pid, limits };
+}
+async function applyConsumption(uid, consumption, idemKey) {
+  const db = await getFirestoreSafe();
+  if (!db) return null;
+  const { ref, data, planId: pid, limits } = await ensureUsageDoc(uid);
+  const nowISO = (/* @__PURE__ */ new Date()).toISOString();
+  if (idemKey) {
+    const idemRef = ref.collection("consumptions").doc(idemKey);
+    const idemSnap = await idemRef.get();
+    if (!idemSnap.exists) await idemRef.set({ createdAt: nowISO, consumption });
+    else return data;
+  }
+  const toNum = (v) => typeof v === "number" && isFinite(v) ? v : 0;
+  const incReq = toNum(consumption.requests) + toNum(consumption.req);
+  const incTokens = toNum(consumption.tokens);
+  const incCode = toNum(consumption.code) + toNum(consumption.image) + toNum(consumption.video);
+  const incAttachment = toNum(consumption.attachment);
+  const used = data?.used || { req: 0, tokens: 0, code: 0, attachment: 0 };
+  const newUsed = {
+    req: Math.max(0, used.req + incReq),
+    tokens: Math.max(0, used.tokens + incTokens),
+    code: Math.max(0, used.code + incCode),
+    attachment: Math.max(0, used.attachment + incAttachment)
+  };
+  const remain = {
+    req: limits.req < 0 ? -1 : Math.max(0, limits.req - newUsed.req),
+    tokens: limits.tokens < 0 ? -1 : Math.max(0, limits.tokens - newUsed.tokens),
+    code: limits.code < 0 ? -1 : Math.max(0, limits.code - newUsed.code),
+    attachment: limits.attachment < 0 ? -1 : Math.max(0, limits.attachment - newUsed.attachment)
+  };
+  await ref.set({ used: newUsed, remain, updatedAt: nowISO }, { merge: true });
+  return { ...data || {}, used: newUsed, remain, limits, periodId: getCurrentPeriodId(), updatedAt: nowISO };
+}
 app.get("/api/user/profile", async (req, res) => {
   try {
     const authHeader = req.headers.authorization || "";
@@ -9639,19 +9644,21 @@ app.get("/api/user/profile", async (req, res) => {
       if (Array.isArray(ids["github.com"]) && ids["github.com"].length > 0) provider = "github";
       else if (Array.isArray(ids["google.com"]) && ids["google.com"].length > 0) provider = "google";
     }
-    const plan = "FREE";
+    const { planId: pid, limits } = await getUserPlanAndLimits(uid);
+    const periodRef = await ensureUsageDoc(uid);
+    const currentUsedReq = Number(periodRef?.data?.used?.req || 0);
     const response2 = {
       id: uid,
       email,
       name: displayName,
       provider: provider || "unknown",
-      plan,
+      plan: String(pid).toUpperCase(),
       usage: {
-        requests: 0,
-        requestLimit: 1e3,
-        tokens: 0,
-        tokenLimit: 5e5,
-        resetDate: new Date(Date.now() + 30 * 24 * 60 * 60 * 1e3).toISOString()
+        requests: currentUsedReq,
+        requestLimit: limits.req < 0 ? Number.MAX_SAFE_INTEGER : limits.req,
+        tokens: Number(periodRef?.data?.used?.tokens || 0),
+        tokenLimit: limits.tokens < 0 ? Number.MAX_SAFE_INTEGER : limits.tokens,
+        resetDate: periodRef?.data?.resetAt || nextMonthResetISO()
       },
       models: ["gpt-5", "gemini-2.5-pro"]
     };
@@ -9762,7 +9769,9 @@ app.post("/api/v1/image", rateLimitMiddleware, async (req, res) => {
     const decoded = await decodeFirebaseToken(idToken).catch(() => null);
     if (!decoded) return res.status(401).json({ error: "unauthorized", message: "Invalid login session", hint: "Re-login to continue" });
     const uid = decoded?.uid || decoded?.sub || "current";
-    const { prompt, model, size = "1024x1024", format = "png", count = 1, seed } = req.body || {};
+    const { prompt, model, size = "1024x1024", format: formatRaw = "png", count = 1, seed } = req.body || {};
+    const fmt0 = String(formatRaw || "png").toLowerCase();
+    const format = fmt0 === "jpeg" ? "jpg" : ["png", "jpg", "webp"].includes(fmt0) ? fmt0 : "png";
     if (!prompt) return res.status(400).json({ error: "bad_request", message: "prompt required" });
     const m2 = /^(\d{2,4})x(\d{2,4})$/.exec(String(size));
     if (!m2) return res.status(400).json({ error: "bad_request", message: "size must be WxH" });
@@ -9772,7 +9781,13 @@ app.post("/api/v1/image", rateLimitMiddleware, async (req, res) => {
     const buffers = [];
     for (let i2 = 0; i2 < Math.max(1, Math.min(8, Number(count || 1))); i2++) {
       const r2 = await provider.generateImage({ prompt, width: w, height: h2, format, seed: (seed ?? 0) + i2 });
-      buffers.push(r2.bytes);
+      const processed = await (await Promise.resolve().then(() => (init_image_post(), image_post_exports))).processImageOptional(
+        r2.bytes,
+        String(format),
+        false,
+        { width: w, height: h2 }
+      );
+      buffers.push(processed);
     }
     const promptHash = hashPrompt(prompt);
     const manifest = {
@@ -9793,10 +9808,10 @@ app.post("/api/v1/image", rateLimitMiddleware, async (req, res) => {
       uid
     });
     const idemKey = req.headers["idempotency-key"] || void 0;
-    await recordConsumption(uid, { requests: 1, image: Math.max(1, buffers.length) }, idemKey);
+    await applyConsumption(uid, { requests: 1, image: Math.max(1, buffers.length) }, idemKey);
     const filesInline = buffers.map((b, idx) => ({
       file: saved.files[idx] || "",
-      mime: `image/${format}`,
+      mime: format === "jpg" ? "image/jpeg" : `image/${format}`,
       bytesBase64: b.toString("base64")
     }));
     return res.json({ success: true, data: { url: saved.manifestPath, files: saved.files, filesInline, jobId: manifest.trace } });
@@ -10038,7 +10053,7 @@ app.post("/api/v1/video", rateLimitMiddleware, async (req, res) => {
     const idToken = auth.substring("Bearer ".length).trim();
     const decoded = await decodeFirebaseToken(idToken).catch(() => null);
     const uid = decoded?.uid || decoded?.sub || "current";
-    await recordConsumption(uid, { requests: 1, video: 1 }, idemKey);
+    await applyConsumption(uid, { requests: 1, video: 1 }, idemKey);
     jobIndex.set(String(manifest.trace), {
       id: String(manifest.trace),
       status: "completed",
@@ -10091,6 +10106,12 @@ app.get("/api/v1/jobs/:id", async (req, res) => {
 });
 app.post("/api/v1/code", rateLimitMiddleware, async (req, res) => {
   try {
+    const auth = req.headers.authorization;
+    if (!auth || !auth.startsWith("Bearer ")) return res.status(401).json({ error: "unauthorized" });
+    const idToken = auth.substring("Bearer ".length).trim();
+    const decoded = await decodeFirebaseToken(idToken).catch(() => null);
+    if (!decoded) return res.status(401).json({ error: "unauthorized" });
+    const uid = decoded?.uid || decoded?.sub;
     const { prompt, language = "typescript", model = "gpt-4" } = req.body;
     if (!prompt) {
       return res.status(400).json({
@@ -10098,6 +10119,8 @@ app.post("/api/v1/code", rateLimitMiddleware, async (req, res) => {
         message: "Prompt is required"
       });
     }
+    const idemKey = req.headers["idempotency-key"] || void 0;
+    await applyConsumption(uid, { requests: 1, code: 1 }, idemKey);
     return res.json({
       success: true,
       data: {
@@ -10121,6 +10144,12 @@ function example() {
 });
 app.post("/api/v1/chat", rateLimitMiddleware, async (req, res) => {
   try {
+    const auth = req.headers.authorization;
+    if (!auth || !auth.startsWith("Bearer ")) return res.status(401).json({ error: "unauthorized" });
+    const idToken = auth.substring("Bearer ".length).trim();
+    const decoded = await decodeFirebaseToken(idToken).catch(() => null);
+    if (!decoded) return res.status(401).json({ error: "unauthorized" });
+    const uid = decoded?.uid || decoded?.sub;
     const { message, model = "gpt-4" } = req.body;
     if (!message) {
       return res.status(400).json({
@@ -10128,6 +10157,8 @@ app.post("/api/v1/chat", rateLimitMiddleware, async (req, res) => {
         message: "Message is required"
       });
     }
+    const idemKey = req.headers["idempotency-key"] || void 0;
+    await applyConsumption(uid, { requests: 1 }, idemKey);
     return res.json({
       success: true,
       data: {
@@ -10150,6 +10181,11 @@ app.post("/v1/ai-proxy", rateLimitMiddleware, async (req, res) => {
     if (!auth || !auth.startsWith("Bearer ")) return res.status(401).json({ error: "unauthorized" });
     const { prompt, taskType } = req.body || {};
     if (!prompt) return res.status(400).json({ error: "bad_request", message: "prompt required" });
+    const idToken = auth.substring("Bearer ".length).trim();
+    const decoded = await decodeFirebaseToken(idToken).catch(() => null);
+    if (!decoded) return res.status(401).json({ error: "unauthorized" });
+    const uid = decoded?.uid || decoded?.sub;
+    const idemKey = req.headers["idempotency-key"] || void 0;
     if (process.env.MARIA_TELEMETRY === "1") {
       try {
         console.log(JSON.stringify({ ev: "ai_proxy_request", taskType: taskType || "unknown", promptLen: String(prompt).length }));
@@ -10196,6 +10232,12 @@ app.post("/v1/ai-proxy", rateLimitMiddleware, async (req, res) => {
           } catch {
           }
         }
+        const consumption2 = { requests: 1 };
+        if (taskType === "code" || taskType === "evaluation") consumption2.code = 1;
+        try {
+          await applyConsumption(uid, consumption2, idemKey);
+        } catch {
+        }
         return res.json({ data: { content: content2, routedModel: { vendor: "google", family: "gemini", name: modelName, reason: taskType || "code" } } });
       } catch (e2) {
         console.warn("[AI Proxy] Gemini path failed, falling back to OpenAI:", e2?.message || e2);
@@ -10221,6 +10263,7 @@ app.post("/v1/ai-proxy", rateLimitMiddleware, async (req, res) => {
     const client = new OpenAI2({ apiKey: openaiKey });
     let model = process.env.MARIA_CODE_MODEL || "gpt-5-mini";
     let content = "";
+    let totalTokens = 0;
     try {
       const r2 = await client.responses.create({
         model,
@@ -10230,6 +10273,12 @@ app.post("/v1/ai-proxy", rateLimitMiddleware, async (req, res) => {
         ]
       });
       content = r2?.output_text || r2?.content?.[0]?.text || "";
+      const u = r2?.usage;
+      if (u) {
+        const inTok = Number(u.input_tokens || u.inputTokens || 0);
+        const outTok = Number(u.output_tokens || u.outputTokens || 0);
+        totalTokens = Number(u.total_tokens || u.totalTokens || inTok + outTok || 0);
+      }
     } catch (_e) {
       model = "gpt-4o-mini";
       const r2 = await client.chat.completions.create({
@@ -10240,6 +10289,8 @@ app.post("/v1/ai-proxy", rateLimitMiddleware, async (req, res) => {
         ]
       });
       content = r2.choices?.[0]?.message?.content || "";
+      const u2 = r2?.usage;
+      if (u2) totalTokens = Number(u2.total_tokens || 0);
     }
     if (process.env.MARIA_TELEMETRY === "1") {
       try {
@@ -10247,6 +10298,13 @@ app.post("/v1/ai-proxy", rateLimitMiddleware, async (req, res) => {
       } catch {
       }
     }
+    const consumption = { requests: 1 };
+    if (totalTokens > 0) consumption.tokens = totalTokens;
+    if (taskType === "code" || taskType === "evaluation") consumption.code = 1;
+    try {
+      await applyConsumption(uid, consumption, idemKey);
+    } catch {
+    }
     return res.json({ data: { content, routedModel: { vendor: "openai", family: "gpt", name: model, reason: taskType || "code" } } });
   } catch (error) {
     console.error("[AI Proxy] Error:", error);
@@ -10274,89 +10332,35 @@ async function getFirestoreSafe() {
     return null;
   }
 }
-function calcNextReset() {
-  const d = /* @__PURE__ */ new Date();
-  d.setUTCMonth(d.getUTCMonth() + 1, 1);
-  d.setUTCHours(0, 0, 0, 0);
-  return d.toISOString();
-}
-async function recordConsumption(uid, consumption, idempotencyKey) {
-  const db = await getFirestoreSafe();
-  if (!db) return;
-  const docPath = `projects/default/usage/${uid}`;
-  const usageRef = db.doc(docPath);
-  const nowISO = (/* @__PURE__ */ new Date()).toISOString();
-  if (idempotencyKey) {
-    const idemRef = db.doc(`projects/default/usage/${uid}/consumptions/${idempotencyKey}`);
-    const idemSnap = await idemRef.get();
-    if (idemSnap.exists) return;
-    await idemRef.set({ createdAt: nowISO, consumption });
-  }
-  const snap = await usageRef.get();
-  let data = snap.exists ? snap.data() : null;
-  if (!data) {
-    data = {
-      plan: { name: "FREE", limits: { requests: free_plan_default.buckets.req } },
-      monthly: {
-        requests: { used: 0, limit: free_plan_default.buckets.req },
-        image: { used: 0, limit: free_plan_default.buckets.image },
-        video: { used: 0, limit: free_plan_default.buckets.video },
-        code: { used: 0, limit: free_plan_default.buckets.code },
-        resetAt: calcNextReset()
-      },
-      updatedAt: nowISO
-    };
-  }
-  const m2 = data.monthly || {};
-  if (consumption?.requests) m2.requests.used = Math.max(0, (m2.requests.used || 0) + Number(consumption.requests));
-  if (consumption?.image) m2.image.used = Math.max(0, (m2.image.used || 0) + Number(consumption.image));
-  if (consumption?.video) m2.video.used = Math.max(0, (m2.video.used || 0) + Number(consumption.video));
-  if (consumption?.code) m2.code.used = Math.max(0, (m2.code.used || 0) + Number(consumption.code));
-  data.monthly = m2;
-  data.updatedAt = nowISO;
-  await usageRef.set(data, { merge: true });
-}
 app.get("/api/v1/usage", rateLimitMiddleware, async (req, res) => {
   try {
     const auth = req.headers.authorization;
     if (!auth || !auth.startsWith("Bearer ")) return res.status(401).json({ error: "unauthorized" });
-    const db = await getFirestoreSafe();
-    const uid = "current";
-    const docPath = `projects/default/usage/${uid}`;
-    let data = null;
-    if (db) {
-      const snap = await db.doc(docPath).get();
-      data = snap.exists ? snap.data() : null;
-      if (!data) {
-        data = {
-          plan: { name: "FREE", limits: { requests: free_plan_default.buckets.req } },
-          monthly: {
-            requests: { used: 0, limit: free_plan_default.buckets.req },
-            image: { used: 0, limit: free_plan_default.buckets.image },
-            video: { used: 0, limit: free_plan_default.buckets.video },
-            code: { used: 0, limit: free_plan_default.buckets.code },
-            resetAt: calcNextReset()
-          },
-          updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-        };
-        await db.doc(docPath).set(data);
-      }
-      const historySnap = await db.collection(`projects/default/usage/${uid}/consumptions`).orderBy("createdAt", "desc").limit(20).get();
-      const history = historySnap.docs.map((d) => ({ id: d.id, ...d.data() }));
-      data.history = history;
-    } else {
-      data = {
-        plan: { name: "FREE", limits: { requests: free_plan_default.buckets.req } },
-        monthly: {
-          requests: { used: 0, limit: free_plan_default.buckets.req },
-          image: { used: 0, limit: free_plan_default.buckets.image },
-          video: { used: 0, limit: free_plan_default.buckets.video },
-          code: { used: 0, limit: free_plan_default.buckets.code },
-          resetAt: calcNextReset()
-        }
-      };
-    }
-    return res.json(data);
+    const idToken = auth.substring("Bearer ".length).trim();
+    const decoded = await decodeFirebaseToken(idToken).catch(() => null);
+    if (!decoded) return res.status(401).json({ error: "unauthorized" });
+    const uid = decoded?.uid || decoded?.sub;
+    const { planId: pid, limits } = await getUserPlanAndLimits(uid);
+    const { data } = await ensureUsageDoc(uid);
+    const periodId = getCurrentPeriodId();
+    const used = data?.used || { req: 0, tokens: 0, code: 0, attachment: 0 };
+    const remain = data?.remain || limits;
+    const percentage = {
+      req: limits.req > 0 ? Math.round(used.req / limits.req * 100) : 0,
+      tokens: limits.tokens > 0 ? Math.round(used.tokens / limits.tokens * 100) : 0,
+      code: limits.code > 0 ? Math.round(used.code / limits.code * 100) : 0,
+      attachment: limits.attachment > 0 ? Math.round(used.attachment / limits.attachment * 100) : 0
+    };
+    return res.json({
+      periodId,
+      planCode: pid,
+      planName: planName(pid),
+      used,
+      remain,
+      limits,
+      percentage,
+      resetAt: data?.resetAt || nextMonthResetISO()
+    });
   } catch (e2) {
     console.error("[Usage] GET error", e2);
     return res.status(500).json({ error: "internal_error" });
@@ -10368,18 +10372,23 @@ app.post("/api/v1/usage", rateLimitMiddleware, async (req, res) => {
     if (!auth || !auth.startsWith("Bearer ")) return res.status(401).json({ error: "unauthorized" });
     const { consumption } = req.body || {};
     const idemKey = req.headers["idempotency-key"] || void 0;
-    const db = await getFirestoreSafe();
-    const uid = "current";
-    const docPath = `projects/default/usage/${uid}`;
-    let data = null;
-    if (db) {
-      await recordConsumption(uid, consumption || {}, idemKey);
-      const snap = await db.doc(docPath).get();
-      data = snap.exists ? snap.data() : { ok: true };
-    } else {
-      data = { ok: true };
-    }
-    return res.json(data);
+    const idToken = auth.substring("Bearer ".length).trim();
+    const decoded = await decodeFirebaseToken(idToken).catch(() => null);
+    if (!decoded) return res.status(401).json({ error: "unauthorized" });
+    const uid = decoded?.uid || decoded?.sub;
+    await applyConsumption(uid, consumption || {}, idemKey);
+    const { data } = await ensureUsageDoc(uid);
+    const { planId: pid, limits } = await getUserPlanAndLimits(uid);
+    const periodId = getCurrentPeriodId();
+    const used = data?.used || { req: 0, tokens: 0, code: 0, attachment: 0 };
+    const remain = data?.remain || limits;
+    const percentage = {
+      req: limits.req > 0 ? Math.round(used.req / limits.req * 100) : 0,
+      tokens: limits.tokens > 0 ? Math.round(used.tokens / limits.tokens * 100) : 0,
+      code: limits.code > 0 ? Math.round(used.code / limits.code * 100) : 0,
+      attachment: limits.attachment > 0 ? Math.round(used.attachment / limits.attachment * 100) : 0
+    };
+    return res.json({ periodId, planCode: pid, planName: planName(pid), used, remain, limits, percentage, resetAt: data?.resetAt || nextMonthResetISO() });
   } catch (e2) {
     console.error("[Usage] POST error", e2);
     return res.status(500).json({ error: "internal_error" });