@chenpu17/cc-gw 0.5.2 → 0.5.3

package/src/server/dist/index.js

@@ -10047,13 +10047,35 @@ function sanitizeWebAuth(input) {
   }
   return config;
 }
+function sanitizeEndpointValidation(value, fallback) {
+  let mode = fallback?.mode ?? "off";
+  let allowExperimental = fallback?.allowExperimentalBlocks;
+  if (!value || typeof value !== "object") {
+    return fallback;
+  }
+  const source = value;
+  const modeRaw = source.mode;
+  if (typeof modeRaw === "string") {
+    const normalized = modeRaw.trim().toLowerCase();
+    if (normalized === "off" || normalized === "claude-code" || normalized === "anthropic-strict") {
+      mode = normalized;
+    }
+  }
+  if ("allowExperimentalBlocks" in source) {
+    allowExperimental = Boolean(source.allowExperimentalBlocks);
+  }
+  return { mode, allowExperimentalBlocks: allowExperimental };
+}
 function resolveEndpointRouting(source, fallback) {
   const sourceObject = typeof source === "object" && source !== null ? source : void 0;
   const defaultsRaw = sourceObject?.defaults;
   const routesRaw = sourceObject?.modelRoutes;
+  const validationRaw = sourceObject?.validation;
+  const validation = sanitizeEndpointValidation(validationRaw, fallback.validation);
   return {
     defaults: sanitizeDefaults(defaultsRaw ?? fallback.defaults),
-    modelRoutes: sanitizeModelRoutes(routesRaw ?? fallback.modelRoutes)
+    modelRoutes: sanitizeModelRoutes(routesRaw ?? fallback.modelRoutes),
+    ...validation !== void 0 ? { validation } : {}
   };
 }
 function parseConfig(raw) {
@@ -11262,7 +11284,30 @@ async function ensureSchema(db) {
       ip_address TEXT,
       created_at TEXT NOT NULL,
       FOREIGN KEY(api_key_id) REFERENCES api_keys(id) ON DELETE SET NULL
-    );`
+    );
+
+    CREATE TABLE IF NOT EXISTS gateway_events (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      created_at INTEGER NOT NULL,
+      type TEXT NOT NULL,
+      level TEXT NOT NULL DEFAULT 'info',
+      source TEXT,
+      title TEXT,
+      message TEXT,
+      endpoint TEXT,
+      ip_address TEXT,
+      api_key_id INTEGER,
+      api_key_name TEXT,
+      api_key_value TEXT,
+      user_agent TEXT,
+      mode TEXT,
+      details TEXT
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_gateway_events_created_at ON gateway_events(created_at DESC);
+    CREATE INDEX IF NOT EXISTS idx_gateway_events_type ON gateway_events(type);
+    CREATE INDEX IF NOT EXISTS idx_gateway_events_level ON gateway_events(level);
+    `
   );
   await maybeAddColumn(db, "request_logs", "client_model", "TEXT");
   await maybeAddColumn(db, "request_logs", "cached_tokens", "INTEGER");
@@ -11338,6 +11383,114 @@ async function getAll(sql, params = []) {
   const db = await getDb();
   return all(db, sql, params);
 }
+async function insertGatewayEvent(input) {
+  const {
+    createdAt,
+    type,
+    level = "info",
+    source = null,
+    title = null,
+    message = null,
+    endpoint = null,
+    ipAddress = null,
+    apiKeyId = null,
+    apiKeyName = null,
+    apiKeyValue = null,
+    userAgent = null,
+    mode = null,
+    details = null
+  } = input;
+  const serializedDetails = details && Object.keys(details).length > 0 ? JSON.stringify(details) : null;
+  const result = await runQuery(
+    `INSERT INTO gateway_events (
+      created_at,
+      type,
+      level,
+      source,
+      title,
+      message,
+      endpoint,
+      ip_address,
+      api_key_id,
+      api_key_name,
+      api_key_value,
+      user_agent,
+      mode,
+      details
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+    [
+      createdAt,
+      type,
+      level,
+      source,
+      title,
+      message,
+      endpoint,
+      ipAddress,
+      apiKeyId,
+      apiKeyName,
+      apiKeyValue,
+      userAgent,
+      mode,
+      serializedDetails
+    ]
+  );
+  return result.lastID;
+}
+async function queryGatewayEvents(options) {
+  const { limit, beforeId, level, type } = options;
+  const clauses = [];
+  const params = [];
+  if (beforeId && Number.isFinite(beforeId)) {
+    clauses.push("id < ?");
+    params.push(beforeId);
+  }
+  if (level) {
+    clauses.push("level = ?");
+    params.push(level);
+  }
+  if (type) {
+    clauses.push("type = ?");
+    params.push(type);
+  }
+  const whereClause = clauses.length > 0 ? `WHERE ${clauses.join(" AND ")}` : "";
+  params.push(limit);
+  const rows = await getAll(
+    `SELECT
+       id,
+       created_at,
+       type,
+       level,
+       source,
+       title,
+       message,
+       endpoint,
+       ip_address,
+       api_key_id,
+       api_key_name,
+       api_key_value,
+       user_agent,
+       mode,
+       details
+     FROM gateway_events
+     ${whereClause}
+     ORDER BY id DESC
+     LIMIT ?`,
+    params
+  );
+  return rows.map((row) => ({
+    ...row,
+    details: (() => {
+      if (!row.details)
+        return null;
+      try {
+        return JSON.parse(row.details);
+      } catch {
+        return { raw: row.details };
+      }
+    })()
+  }));
+}
 async function getFileSize(filePath) {
   try {
     const stats = await fs2.promises.stat(filePath);
@@ -11911,6 +12064,484 @@ async function ensureWildcardMetadata() {
   );
 }
 
+// events/service.ts
+async function recordEvent(input) {
+  const createdAt = input.timestamp ?? Date.now();
+  const payload = {
+    createdAt,
+    type: input.type,
+    level: input.level ?? "info",
+    source: input.source ?? null,
+    title: input.title ?? null,
+    message: input.message ?? null,
+    endpoint: input.endpoint ?? null,
+    ipAddress: input.ipAddress ?? null,
+    apiKeyId: input.apiKeyId ?? null,
+    apiKeyName: input.apiKeyName ?? null,
+    apiKeyValue: input.apiKeyValue ?? null,
+    userAgent: input.userAgent ?? null,
+    mode: input.mode ?? null,
+    details: input.details ?? null
+  };
+  return insertGatewayEvent(payload);
+}
+async function listEvents(options = {}) {
+  const limit = Math.min(Math.max(options.limit ?? 50, 1), 200);
+  const queryOptions = {
+    limit: limit + 1,
+    beforeId: options.beforeId,
+    level: options.level,
+    type: options.type
+  };
+  const rows = await queryGatewayEvents(queryOptions);
+  let nextCursor = null;
+  let items = rows;
+  if (rows.length > limit) {
+    const last = rows[limit];
+    nextCursor = last.id;
+    items = rows.slice(0, limit);
+  }
+  return {
+    events: items,
+    nextCursor
+  };
+}
+
+// routes/anthropic-validator.ts
+var ALLOWED_ROLES = /* @__PURE__ */ new Set(["user", "assistant"]);
+var KNOWN_BLOCK_TYPES = /* @__PURE__ */ new Set(["text", "tool_use", "tool_result", "thinking", "output_text", "input_text", "image"]);
+var ALLOWED_TYPE_PREFIXES = ["input_", "output_", "data_", "media_"];
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function appendPath(base, segment) {
+  if (!base)
+    return segment;
+  if (segment.startsWith("["))
+    return `${base}${segment}`;
+  return `${base}.${segment}`;
+}
+function fail(message, path5, code = "invalid_payload") {
+  return { ok: false, message, path: path5, code };
+}
+function isSupportedBlockType(type, allowExperimental) {
+  if (KNOWN_BLOCK_TYPES.has(type)) {
+    return true;
+  }
+  if (allowExperimental) {
+    return ALLOWED_TYPE_PREFIXES.some((prefix) => type.startsWith(prefix));
+  }
+  return false;
+}
+function validateCacheControl(value, path5) {
+  if (value === void 0) {
+    return null;
+  }
+  if (!isPlainObject(value)) {
+    return fail("cache_control \u5FC5\u987B\u662F\u5BF9\u8C61", path5, "invalid_cache_control");
+  }
+  if (value.type !== void 0 && typeof value.type !== "string") {
+    return fail("cache_control.type \u5FC5\u987B\u662F\u5B57\u7B26\u4E32", appendPath(path5, "type"), "invalid_cache_control");
+  }
+  return null;
+}
+function validateToolInput(value, path5) {
+  if (value === void 0) {
+    return fail("tool_use.input \u4E3A\u5FC5\u586B\u5B57\u6BB5", path5, "invalid_tool_use");
+  }
+  if (isPlainObject(value)) {
+    return null;
+  }
+  if (typeof value === "string") {
+    return null;
+  }
+  return fail("tool_use.input \u5FC5\u987B\u662F\u5BF9\u8C61\u6216\u5B57\u7B26\u4E32", path5, "invalid_tool_use");
+}
+function validateToolResultContent(value, path5) {
+  if (value === void 0) {
+    return fail("tool_result.content \u4E3A\u5FC5\u586B\u5B57\u6BB5", path5, "invalid_tool_result");
+  }
+  if (typeof value === "string") {
+    return null;
+  }
+  if (Array.isArray(value)) {
+    for (let i = 0; i < value.length; i += 1) {
+      const entry = value[i];
+      if (typeof entry === "string") {
+        continue;
+      }
+      if (!isPlainObject(entry)) {
+        return fail("tool_result.content[i] \u5FC5\u987B\u662F\u5B57\u7B26\u4E32\u6216\u5BF9\u8C61", appendPath(path5, `[${i}]`), "invalid_tool_result");
+      }
+      if (entry.type !== void 0 && typeof entry.type !== "string") {
+        return fail("tool_result.content[i].type \u5FC5\u987B\u662F\u5B57\u7B26\u4E32", appendPath(path5, `[${i}].type`), "invalid_tool_result");
+      }
+      if (entry.text !== void 0 && typeof entry.text !== "string") {
+        return fail("tool_result.content[i].text \u5FC5\u987B\u662F\u5B57\u7B26\u4E32", appendPath(path5, `[${i}].text`), "invalid_tool_result");
+      }
+    }
+    return null;
+  }
+  if (isPlainObject(value)) {
+    if (typeof value.text !== "string") {
+      return fail("tool_result.content.text \u5FC5\u987B\u662F\u5B57\u7B26\u4E32", appendPath(path5, "text"), "invalid_tool_result");
+    }
+    return null;
+  }
+  return fail("tool_result.content \u5FC5\u987B\u662F\u5B57\u7B26\u4E32\u3001\u6570\u7EC4\u6216\u5BF9\u8C61", path5, "invalid_tool_result");
+}
+function validateContentBlock(block, opts) {
+  if (!isPlainObject(block)) {
+    return fail("content \u5757\u5FC5\u987B\u662F\u5BF9\u8C61", opts.path, "invalid_content_block");
+  }
+  if (typeof block.type !== "string" || block.type.trim().length === 0) {
+    return fail("content \u5757\u7F3A\u5C11\u6709\u6548\u7684 type \u5B57\u6BB5", appendPath(opts.path, "type"), "invalid_content_block");
+  }
+  const type = block.type;
+  if (!isSupportedBlockType(type, opts.allowExperimental)) {
+    return fail(`\u4E0D\u652F\u6301\u7684\u5185\u5BB9\u5757\u7C7B\u578B ${type}`, appendPath(opts.path, "type"), "unsupported_content_block");
+  }
+  const cacheValidation = validateCacheControl(block.cache_control, appendPath(opts.path, "cache_control"));
+  if (cacheValidation) {
+    return cacheValidation;
+  }
+  switch (type) {
+    case "text":
+    case "thinking":
+    case "output_text":
+    case "input_text": {
+      if (block.text !== void 0 && typeof block.text !== "string") {
+        return fail(`${type} \u5757\u7684 text \u5FC5\u987B\u662F\u5B57\u7B26\u4E32`, appendPath(opts.path, "text"), "invalid_content_block");
+      }
+      if (block.id !== void 0 && typeof block.id !== "string") {
+        return fail(`${type} \u5757\u7684 id \u5FC5\u987B\u662F\u5B57\u7B26\u4E32`, appendPath(opts.path, "id"), "invalid_content_block");
+      }
+      break;
+    }
+    case "image": {
+      if (!block.source || !isPlainObject(block.source)) {
+        return fail("image \u5757\u5FC5\u987B\u5305\u542B source \u5BF9\u8C61", appendPath(opts.path, "source"), "invalid_content_block");
+      }
+      if (typeof block.source.type !== "string") {
+        return fail("image \u5757 source.type \u5FC5\u987B\u662F\u5B57\u7B26\u4E32", appendPath(opts.path, "source.type"), "invalid_content_block");
+      }
+      if (block.source.media_type !== void 0 && typeof block.source.media_type !== "string") {
+        return fail("image \u5757 source.media_type \u5FC5\u987B\u662F\u5B57\u7B26\u4E32", appendPath(opts.path, "source.media_type"), "invalid_content_block");
+      }
+      break;
+    }
+    case "tool_use": {
+      if (typeof block.id !== "string" || block.id.trim().length === 0) {
+        return fail("tool_use \u5757\u9700\u8981\u5B57\u7B26\u4E32\u7C7B\u578B\u7684 id", appendPath(opts.path, "id"), "invalid_tool_use");
+      }
+      if (typeof block.name !== "string" || block.name.trim().length === 0) {
+        return fail("tool_use \u5757\u9700\u8981\u5B57\u7B26\u4E32\u7C7B\u578B\u7684 name", appendPath(opts.path, "name"), "invalid_tool_use");
+      }
+      const inputValidation = validateToolInput(block.input, appendPath(opts.path, "input"));
+      if (inputValidation) {
+        return inputValidation;
+      }
+      break;
+    }
+    case "tool_result": {
+      if (typeof block.tool_use_id !== "string" || block.tool_use_id.trim().length === 0) {
+        return fail("tool_result \u5757\u9700\u8981\u5B57\u7B26\u4E32\u7C7B\u578B\u7684 tool_use_id", appendPath(opts.path, "tool_use_id"));
+      }
+      const contentValidation = validateToolResultContent(block.content, appendPath(opts.path, "content"));
+      if (contentValidation) {
+        return contentValidation;
+      }
+      break;
+    }
+    default:
+      break;
+  }
+  if (block.type === "tool_use" && opts.role === "user") {
+    return fail("user \u6D88\u606F\u4E0D\u80FD\u5305\u542B tool_use \u5757", opts.path, "invalid_user_message");
+  }
+  if (block.type === "tool_result" && opts.role === "assistant") {
+    return fail("assistant \u6D88\u606F\u4E0D\u80FD\u5305\u542B tool_result \u5757", opts.path, "invalid_assistant_message");
+  }
+  return null;
+}
+function validateMessageContent(message, role, path5, allowExperimental) {
+  if (!("content" in message)) {
+    return fail("messages.content \u4E3A\u5FC5\u586B\u5B57\u6BB5", path5, "invalid_message");
+  }
+  const content = message.content;
+  if (typeof content === "string") {
+    return null;
+  }
+  if (Array.isArray(content)) {
+    for (let i = 0; i < content.length; i += 1) {
+      const block = content[i];
+      const blockValidation = validateContentBlock(block, {
+        path: appendPath(path5, `[${i}]`),
+        allowExperimental,
+        role
+      });
+      if (blockValidation) {
+        return blockValidation;
+      }
+    }
+    return null;
+  }
+  if (content === null) {
+    return null;
+  }
+  return fail("messages.content \u5FC5\u987B\u662F\u5B57\u7B26\u4E32\u6216\u5185\u5BB9\u5757\u6570\u7EC4", path5, "invalid_message");
+}
+function validateMessages(messages, opts) {
+  if (!Array.isArray(messages) || messages.length === 0) {
+    return fail("messages \u5FC5\u987B\u662F\u975E\u7A7A\u6570\u7EC4", "messages", "invalid_message");
+  }
+  for (let i = 0; i < messages.length; i += 1) {
+    const entry = messages[i];
+    const path5 = `messages[${i}]`;
+    if (!isPlainObject(entry)) {
+      return fail("messages[i] \u5FC5\u987B\u662F\u5BF9\u8C61", path5, "invalid_message");
+    }
+    if (typeof entry.role !== "string" || !ALLOWED_ROLES.has(entry.role)) {
+      return fail('messages[i].role \u5FC5\u987B\u662F "user" \u6216 "assistant"', appendPath(path5, "role"), "unsupported_role");
+    }
+    const role = entry.role;
+    const contentValidation = validateMessageContent(entry, role, appendPath(path5, "content"), opts.allowExperimental);
+    if (contentValidation) {
+      return contentValidation;
+    }
+    if (entry.stop_reason !== void 0 && typeof entry.stop_reason !== "string" && entry.stop_reason !== null) {
+      return fail("messages[i].stop_reason \u5FC5\u987B\u662F\u5B57\u7B26\u4E32\u6216 null", appendPath(path5, "stop_reason"), "invalid_stop_reason");
+    }
+  }
+  return null;
+}
+function validateSystemField(system) {
+  if (system === void 0 || system === null) {
+    return null;
+  }
+  if (typeof system === "string") {
+    return null;
+  }
+  if (Array.isArray(system)) {
+    for (let i = 0; i < system.length; i += 1) {
+      const block = system[i];
+      const path5 = `system[${i}]`;
+      if (!isPlainObject(block)) {
+        return fail("system[i] \u5FC5\u987B\u662F\u5BF9\u8C61", path5, "invalid_system");
+      }
+      if (block.type !== void 0 && typeof block.type !== "string") {
+        return fail("system[i].type \u5FC5\u987B\u662F\u5B57\u7B26\u4E32", appendPath(path5, "type"), "invalid_system");
+      }
+      if (block.type === "text" && block.text !== void 0 && typeof block.text !== "string") {
+        return fail("system[i].text \u5FC5\u987B\u662F\u5B57\u7B26\u4E32", appendPath(path5, "text"), "invalid_system");
+      }
+    }
+    return null;
+  }
+  if (isPlainObject(system)) {
+    if (typeof system.text === "string" || Array.isArray(system.text)) {
+      return null;
+    }
+    if (system.type === "text" && typeof system.text === "string") {
+      return null;
+    }
+  }
+  return fail("system \u5B57\u6BB5\u5FC5\u987B\u662F\u5B57\u7B26\u4E32\u3001\u5BF9\u8C61\u6216\u5185\u5BB9\u5757\u6570\u7EC4", "system", "invalid_system");
+}
+function validateTools(tools) {
+  if (tools === void 0) {
+    return null;
+  }
+  if (!Array.isArray(tools)) {
+    return fail("tools \u5FC5\u987B\u662F\u6570\u7EC4", "tools");
+  }
+  for (let i = 0; i < tools.length; i += 1) {
+    const tool = tools[i];
+    const path5 = `tools[${i}]`;
+    if (!isPlainObject(tool)) {
+      return fail("tools[i] \u5FC5\u987B\u662F\u5BF9\u8C61", path5, "invalid_tool");
+    }
+    if (typeof tool.name !== "string" || tool.name.trim().length === 0) {
+      return fail("tools[i].name \u5FC5\u987B\u662F\u975E\u7A7A\u5B57\u7B26\u4E32", appendPath(path5, "name"), "invalid_tool");
+    }
+    if (tool.input_schema !== void 0 && !isPlainObject(tool.input_schema)) {
+      return fail("tools[i].input_schema \u5FC5\u987B\u662F\u5BF9\u8C61", appendPath(path5, "input_schema"), "invalid_tool");
+    }
+    if (tool.parameters !== void 0 && !isPlainObject(tool.parameters)) {
+      return fail("tools[i].parameters \u5FC5\u987B\u662F\u5BF9\u8C61", appendPath(path5, "parameters"), "invalid_tool");
+    }
+  }
+  return null;
+}
+function validateMetadata(metadata) {
+  if (metadata === void 0) {
+    return null;
+  }
+  if (!isPlainObject(metadata)) {
+    return fail("metadata \u5FC5\u987B\u662F\u5BF9\u8C61", "metadata", "invalid_metadata");
+  }
+  return null;
+}
+function validateToolChoice(toolChoice) {
+  if (toolChoice === void 0) {
+    return null;
+  }
+  if (typeof toolChoice === "string") {
+    return null;
+  }
+  if (isPlainObject(toolChoice)) {
+    if (toolChoice.type !== void 0 && typeof toolChoice.type !== "string") {
+      return fail("tool_choice.type \u5FC5\u987B\u662F\u5B57\u7B26\u4E32", "tool_choice.type");
+    }
+    if (toolChoice.name !== void 0 && typeof toolChoice.name !== "string") {
+      return fail("tool_choice.name \u5FC5\u987B\u662F\u5B57\u7B26\u4E32", "tool_choice.name");
+    }
+    return null;
+  }
+  return fail("tool_choice \u5FC5\u987B\u662F\u5B57\u7B26\u4E32\u6216\u5BF9\u8C61", "tool_choice", "invalid_tool_choice");
+}
+function validateMaxTokens(maxTokens) {
+  if (maxTokens === void 0) {
+    return null;
+  }
+  if (typeof maxTokens !== "number" || !Number.isFinite(maxTokens) || maxTokens <= 0) {
+    return fail("max_tokens \u5FC5\u987B\u662F\u6B63\u6570", "max_tokens", "invalid_max_tokens");
+  }
+  return null;
+}
+function validateTemperature(value) {
+  if (value === void 0) {
+    return null;
+  }
+  if (typeof value !== "number" || Number.isNaN(value)) {
+    return fail("temperature \u5FC5\u987B\u662F\u6570\u5B57", "temperature", "invalid_temperature");
+  }
+  return null;
+}
+function validateStream(value) {
+  if (value === void 0) {
+    return null;
+  }
+  if (typeof value !== "boolean") {
+    return fail("stream \u5FC5\u987B\u662F\u5E03\u5C14\u503C", "stream", "invalid_stream_flag");
+  }
+  return null;
+}
+function normalizeHeaderValue(value) {
+  if (!value)
+    return void 0;
+  if (typeof value === "string")
+    return value;
+  if (Array.isArray(value) && value.length > 0) {
+    return value.find((item) => typeof item === "string" && item.trim().length > 0);
+  }
+  return void 0;
+}
+function validateHttpRequest(ctx, mode) {
+  if (ctx.method && ctx.method.toUpperCase() !== "POST") {
+    return fail(`HTTP \u65B9\u6CD5\u5FC5\u987B\u662F POST,\u5F53\u524D\u4E3A ${ctx.method}`, void 0, "invalid_method");
+  }
+  if (ctx.query && ctx.query.trim().length > 0) {
+    const raw = ctx.query.startsWith("?") ? ctx.query.slice(1) : ctx.query;
+    const params = new URLSearchParams(raw);
+    const allowedKeys = /* @__PURE__ */ new Set(["beta"]);
+    for (const key of params.keys()) {
+      if (!allowedKeys.has(key)) {
+        return fail(`\u5B58\u5728\u4E0D\u5141\u8BB8\u7684 query \u53C2\u6570: ${key}`, void 0, "invalid_query");
+      }
+    }
+    if (params.has("beta")) {
+      const beta = params.getAll("beta");
+      const invalid = beta.some((value) => value && value.toLowerCase() !== "true");
+      if (invalid && mode === "anthropic-strict") {
+        return fail("beta \u53C2\u6570\u4EC5\u652F\u6301 true \u6216\u7559\u7A7A", void 0, "invalid_query");
+      }
+    }
+  }
+  if (!ctx.headers) {
+    return null;
+  }
+  const contentType = normalizeHeaderValue(ctx.headers["content-type"]);
+  if (!contentType || !contentType.includes("application/json")) {
+    return fail("Content-Type \u5FC5\u987B\u662F application/json", void 0, "invalid_headers");
+  }
+  const anthropicVersion = normalizeHeaderValue(ctx.headers["anthropic-version"]);
+  if (!anthropicVersion || anthropicVersion.trim().length === 0) {
+    return fail("\u7F3A\u5C11\u5FC5\u586B header: anthropic-version", void 0, "invalid_headers");
+  }
+  if (mode === "claude-code") {
+    const userAgent = normalizeHeaderValue(ctx.headers["user-agent"]);
+    if (!userAgent) {
+      return fail("Claude Code \u8BF7\u6C42\u5FC5\u987B\u5305\u542B User-Agent header", void 0, "invalid_headers");
+    }
+    const isClaudeCode = userAgent.includes("claude-cli/") || userAgent.includes("Claude Code/");
+    if (!isClaudeCode) {
+      return fail(`User-Agent \u4E0D\u7B26\u5408 Claude Code \u89C4\u8303: ${userAgent}`, void 0, "invalid_headers");
+    }
+  }
+  return null;
+}
+function validateAnthropicRequest(payload, ctx = {}) {
+  if (!isPlainObject(payload)) {
+    return fail("\u8BF7\u6C42\u4F53\u5FC5\u987B\u662F JSON \u5BF9\u8C61");
+  }
+  if (typeof payload.model !== "string" || payload.model.trim().length === 0) {
+    return fail("model \u5FC5\u987B\u662F\u975E\u7A7A\u5B57\u7B26\u4E32", "model");
+  }
+  const mode = ctx.mode ?? "claude-code";
+  const allowExperimentalBlocks = ctx.allowExperimentalBlocks ?? mode === "claude-code";
+  if (ctx.request) {
+    const httpValidation = validateHttpRequest(ctx.request, mode);
+    if (httpValidation) {
+      return httpValidation;
+    }
+  }
+  const messagesValidation = validateMessages(payload.messages, {
+    allowExperimental: allowExperimentalBlocks
+  });
+  if (messagesValidation) {
+    return messagesValidation;
+  }
+  const systemValidation = validateSystemField(payload.system);
+  if (systemValidation) {
+    return systemValidation;
+  }
+  const toolsValidation = validateTools(payload.tools);
+  if (toolsValidation) {
+    return toolsValidation;
+  }
+  const metadataValidation = validateMetadata(payload.metadata);
+  if (metadataValidation) {
+    return metadataValidation;
+  }
+  if (mode === "claude-code") {
+    if (!payload.metadata || !isPlainObject(payload.metadata)) {
+      return fail("Claude Code \u8BF7\u6C42\u5FC5\u987B\u5305\u542B metadata \u5BF9\u8C61", "metadata");
+    }
+    const userId = payload.metadata.user_id;
+    if (typeof userId !== "string" || userId.trim().length === 0) {
+      return fail("Claude Code \u8BF7\u6C42\u5FC5\u987B\u5305\u542B metadata.user_id \u5B57\u7B26\u4E32", "metadata.user_id");
+    }
+  }
+  const toolChoiceValidation = validateToolChoice(payload.tool_choice);
+  if (toolChoiceValidation) {
+    return toolChoiceValidation;
+  }
+  const temperatureValidation = validateTemperature(payload.temperature);
+  if (temperatureValidation) {
+    return temperatureValidation;
+  }
+  const maxTokensValidation = validateMaxTokens(payload.max_tokens);
+  if (maxTokensValidation) {
+    return maxTokensValidation;
+  }
+  const streamValidation = validateStream(payload.stream);
+  if (streamValidation) {
+    return streamValidation;
+  }
+  return { ok: true };
+}
+
 // routes/messages.ts
 function mapStopReason(reason) {
   switch (reason) {
@@ -12150,6 +12781,66 @@ async function registerMessagesRoute(app) {
       },
       "received anthropic message request"
     );
+    const configSnapshot = getConfig();
+    const validationConfig = configSnapshot.endpointRouting?.anthropic?.validation;
+    const validationMode = validationConfig?.mode ?? "off";
+    if (validationMode && validationMode !== "off") {
+      const modeLabel = validationMode === "anthropic-strict" ? "Anthropic" : "Claude Code";
+      const result = validateAnthropicRequest(payload, {
+        mode: validationMode === "anthropic-strict" ? "anthropic-strict" : "claude-code",
+        allowExperimentalBlocks: validationConfig?.allowExperimentalBlocks,
+        request: {
+          headers: request.headers,
+          method: request.method,
+          query: querySuffix
+        }
+      });
+      if (!result.ok) {
+        const detail = result.path ? `${result.message} (${result.path})` : result.message;
+        request.log.warn(
+          {
+            event: "anthropic.invalid_request",
+            reason: result.message,
+            path: result.path,
+            mode: validationMode,
+            method: request.method,
+            userAgent: request.headers["user-agent"],
+            hasQuery: !!querySuffix
+          },
+          "rejected anthropic payload by schema validator"
+        );
+        void recordEvent({
+          type: "claude_validation",
+          level: "warn",
+          source: "anthropic",
+          title: "Claude Code \u8BF7\u6C42\u6821\u9A8C\u9632\u62A4\uFF08\u5B9E\u9A8C\u7279\u6027\uFF09\u62E6\u622A",
+          message: detail,
+          endpoint: "anthropic",
+          ipAddress: request.ip,
+          apiKeyId: apiKeyContext.id ?? null,
+          apiKeyName: apiKeyContext.name ?? null,
+          apiKeyValue: encryptedApiKeyValue,
+          userAgent: typeof request.headers["user-agent"] === "string" ? request.headers["user-agent"] : null,
+          mode: validationMode,
+          details: {
+            code: result.code,
+            path: result.path ?? null,
+            method: request.method,
+            query: querySuffix,
+            clientModel: payload.model ?? null
+          }
+        });
+        reply.code(430);
+        return {
+          type: "error",
+          error: {
+            type: "invalid_request_error",
+            code: result.code,
+            message: `\u8BF7\u6C42\u4E0D\u7B26\u5408 ${modeLabel} \u89C4\u8303\uFF1A${detail}`
+          }
+        };
+      }
+    }
     const normalized = normalizeClaudePayload(payload);
     const requestedModel = typeof payload.model === "string" ? payload.model : void 0;
     const target = resolveRoute({
@@ -12207,7 +12898,6 @@ async function registerMessagesRoute(app) {
     }
     const connector = getConnector(target.providerId);
     const requestStart = Date.now();
-    const configSnapshot = getConfig();
     const storeRequestPayloads = configSnapshot.storeRequestPayloads !== false;
     const storeResponsePayloads = configSnapshot.storeResponsePayloads !== false;
     const logId = await recordLog({
@@ -17181,6 +17871,41 @@ async function registerAdminRoutes(app) {
 }
 var isEndpoint = (value) => value === "anthropic" || value === "openai";
 
+// routes/events.ts
+async function registerEventsRoutes(app) {
+  app.get("/api/events", async (request) => {
+    const query = request.query;
+    const limit = Number.parseInt(query.limit ?? "", 10);
+    const cursor = Number.parseInt(query.cursor ?? "", 10);
+    const page = await listEvents({
+      limit: Number.isFinite(limit) && limit > 0 ? limit : 50,
+      beforeId: Number.isFinite(cursor) && cursor > 0 ? cursor : void 0,
+      level: query.level ? query.level.trim() : void 0,
+      type: query.type ? query.type.trim() : void 0
+    });
+    return {
+      events: page.events.map((event) => ({
+        id: event.id,
+        createdAt: event.created_at,
+        type: event.type,
+        level: event.level,
+        source: event.source,
+        title: event.title,
+        message: event.message,
+        endpoint: event.endpoint,
+        ipAddress: event.ip_address,
+        apiKeyId: event.api_key_id,
+        apiKeyName: event.api_key_name,
+        apiKeyValue: event.api_key_value,
+        userAgent: event.user_agent,
+        mode: event.mode,
+        details: event.details
+      })),
+      nextCursor: page.nextCursor
+    };
+  });
+}
+
 // routes/auth.ts
 async function registerAuthRoutes(app) {
   app.get("/auth/session", async (request) => {
@@ -17498,6 +18223,9 @@ async function handleAnthropicProtocol(request, reply, endpoint, endpointId, app
   if (!querySuffix && typeof request.querystring === "string") {
     querySuffix = request.querystring || null;
   }
+  const configSnapshot = getConfig();
+  const validationConfig = configSnapshot.endpointRouting?.anthropic?.validation;
+  const validationMode = validationConfig?.mode ?? "off";
   const providerHeaders = {};
   const headersToForward = [
     "anthropic-version",
@@ -17551,6 +18279,51 @@ async function handleAnthropicProtocol(request, reply, endpoint, endpointId, app
   };
   const normalized = normalizeClaudePayload(payload);
   const requestedModel = typeof payload.model === "string" ? payload.model : void 0;
+  if (validationMode && validationMode !== "off") {
+    const modeLabel = validationMode === "anthropic-strict" ? "Anthropic" : "Claude Code";
+    const validationResult = validateAnthropicRequest(payload, {
+      mode: validationMode === "anthropic-strict" ? "anthropic-strict" : "claude-code",
+      allowExperimentalBlocks: validationConfig?.allowExperimentalBlocks,
+      request: {
+        headers: request.headers,
+        method: request.method,
+        query: querySuffix
+      }
+    });
+    if (!validationResult.ok) {
+      const detail = validationResult.path ? `${validationResult.message} (${validationResult.path})` : validationResult.message;
+      void recordEvent({
+        type: "claude_validation",
+        level: "warn",
+        source: "custom-endpoint",
+        title: "Claude Code \u8BF7\u6C42\u6821\u9A8C\u9632\u62A4\uFF08\u5B9E\u9A8C\u7279\u6027\uFF09\u62E6\u622A",
+        message: detail,
+        endpoint: endpointId,
+        ipAddress: request.ip,
+        apiKeyId: apiKeyContext.id ?? null,
+        apiKeyName: apiKeyContext.name ?? null,
+        apiKeyValue: encryptedApiKeyValue,
+        userAgent: typeof request.headers["user-agent"] === "string" ? request.headers["user-agent"] : null,
+        mode: validationMode,
+        details: {
+          code: validationResult.code,
+          path: validationResult.path ?? null,
+          method: request.method,
+          query: querySuffix,
+          clientModel: payload.model ?? null
+        }
+      });
+      reply.code(430);
+      return {
+        type: "error",
+        error: {
+          type: "invalid_request_error",
+          code: validationResult.code,
+          message: `\u8BF7\u6C42\u4E0D\u7B26\u5408 ${modeLabel} \u89C4\u8303\uFF1A${detail}`
+        }
+      };
+    }
+  }
   const target = resolveRoute({
     payload: normalized,
     requestedModel,
@@ -17558,7 +18331,6 @@ async function handleAnthropicProtocol(request, reply, endpoint, endpointId, app
     customRouting: endpoint.routing
   });
   const requestStart = Date.now();
-  const configSnapshot = getConfig();
   const storeRequestPayloads = configSnapshot.storeRequestPayloads !== false;
   const storeResponsePayloads = configSnapshot.storeResponsePayloads !== false;
   const logId = await recordLog({
@@ -18689,6 +19461,7 @@ async function createServer(protocol = "http") {
   await registerAuthRoutes(app);
   await registerMessagesRoute(app);
   await registerOpenAiRoutes(app);
+  await registerEventsRoutes(app);
   await syncCustomEndpoints(app, config);
   await registerAdminRoutes(app);
   startMaintenanceTimers();