npm - @chenpu17/cc-gw - Versions diffs - 0.7.16 → 0.7.18 - Mend

@chenpu17/cc-gw 0.7.16 → 0.7.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/src/server/dist/index.js CHANGED Viewed

@@ -10975,7 +10975,7 @@ function buildProviderBody(payload, options = {}) {
   const body = {
     messages: buildMessages(payload)
   };
-  if (options.maxTokens) {
+  if (options.maxTokens != null) {
     if (payload.thinking) {
       body.max_completion_tokens = options.maxTokens;
     } else {
@@ -11094,7 +11094,7 @@ function buildAnthropicBody(payload, options = {}) {
     messages,
     stream: payload.stream
   };
-  if (options.maxTokens) {
+  if (options.maxTokens != null) {
     body.max_tokens = options.maxTokens;
   }
   if (typeof options.temperature === "number") {
@@ -12826,6 +12826,7 @@ async function ensureSchema(db) {
   await maybeAddColumn(db, "api_keys", "request_count", "INTEGER DEFAULT 0");
   await maybeAddColumn(db, "api_keys", "total_input_tokens", "INTEGER DEFAULT 0");
   await maybeAddColumn(db, "api_keys", "total_output_tokens", "INTEGER DEFAULT 0");
+  await maybeAddColumn(db, "api_keys", "allowed_endpoints", "TEXT DEFAULT NULL");
   await migrateDailyMetricsTable(db);
   await maybeAddColumn(db, "daily_metrics", "total_cached_tokens", "INTEGER DEFAULT 0");
   await maybeAddColumn(db, "daily_metrics", "total_cache_read_tokens", "INTEGER DEFAULT 0");
@@ -13345,6 +13346,33 @@ function maskKey(prefix, suffix) {
   const safeSuffix = suffix ?? "";
   return `${safePrefix}****${safeSuffix}`;
 }
+function parseEndpointList(value) {
+  if (!Array.isArray(value)) {
+    return { ok: false };
+  }
+  const normalized = [];
+  for (const raw of value) {
+    if (typeof raw !== "string") {
+      return { ok: false };
+    }
+    const endpointId = raw.trim();
+    if (!endpointId) {
+      return { ok: false };
+    }
+    normalized.push(endpointId);
+  }
+  return { ok: true, value: [...new Set(normalized)] };
+}
+function normalizeAllowedEndpointsForStorage(value) {
+  if (value == null) {
+    return null;
+  }
+  const parsed = parseEndpointList(value);
+  if (!parsed.ok) {
+    throw new Error("allowedEndpoints must be an array of strings or null");
+  }
+  return parsed.value.length > 0 ? parsed.value : null;
+}
 async function recordAuditLog(payload) {
   const { apiKeyId = null, apiKeyName = null, operation, operator = null, details = null, ipAddress = null } = payload;
   const serializedDetails = details ? JSON.stringify(details) : null;
@@ -13364,22 +13392,36 @@ function generateKey() {
   };
 }
 async function listApiKeys() {
-  const rows = await getAll("SELECT id, name, description, key_prefix, key_suffix, is_wildcard, enabled, created_at, last_used_at, request_count, total_input_tokens, total_output_tokens FROM api_keys ORDER BY is_wildcard DESC, created_at DESC");
-  return rows.map((row) => ({
-    id: row.id,
-    name: row.name,
-    description: row.description ?? null,
-    maskedKey: row.is_wildcard ? null : maskKey(row.key_prefix, row.key_suffix),
-    isWildcard: Boolean(row.is_wildcard),
-    enabled: Boolean(row.enabled),
-    createdAt: toIsoOrNull(row.created_at),
-    lastUsedAt: toIsoOrNull(row.last_used_at),
-    requestCount: row.request_count ?? 0,
-    totalInputTokens: row.total_input_tokens ?? 0,
-    totalOutputTokens: row.total_output_tokens ?? 0
-  }));
+  const rows = await getAll("SELECT id, name, description, key_prefix, key_suffix, is_wildcard, enabled, created_at, last_used_at, request_count, total_input_tokens, total_output_tokens, allowed_endpoints FROM api_keys ORDER BY is_wildcard DESC, created_at DESC");
+  return rows.map((row) => {
+    let allowedEndpoints = null;
+    if (row.allowed_endpoints) {
+      try {
+        const parsed = JSON.parse(row.allowed_endpoints);
+        const endpointList = parseEndpointList(parsed);
+        if (endpointList.ok && endpointList.value.length > 0) {
+          allowedEndpoints = endpointList.value;
+        }
+      } catch {
+      }
+    }
+    return {
+      id: row.id,
+      name: row.name,
+      description: row.description ?? null,
+      maskedKey: row.is_wildcard ? null : maskKey(row.key_prefix, row.key_suffix),
+      isWildcard: Boolean(row.is_wildcard),
+      enabled: Boolean(row.enabled),
+      createdAt: toIsoOrNull(row.created_at),
+      lastUsedAt: toIsoOrNull(row.last_used_at),
+      requestCount: row.request_count ?? 0,
+      totalInputTokens: row.total_input_tokens ?? 0,
+      totalOutputTokens: row.total_output_tokens ?? 0,
+      allowedEndpoints
+    };
+  });
 }
-async function createApiKey(name, description, context) {
+async function createApiKey(name, description, context, allowedEndpoints) {
   const trimmed = name.trim();
   if (!trimmed) {
     throw new Error("Name is required");
@@ -13396,9 +13438,11 @@ async function createApiKey(name, description, context) {
   const hashed = hashKey(key);
   const encrypted = encryptSecret(key);
   const now = Date.now();
-  const columns = ["name", "description", "key_hash", "key_ciphertext", "key_prefix", "key_suffix", "is_wildcard", "enabled", "created_at"];
-  const placeholders = ["?", "?", "?", "?", "?", "?", "?", "?", "?"];
-  const values = [trimmed, trimmedDescription || null, hashed, encrypted, prefix, suffix, 0, 1, now];
+  const columns = ["name", "description", "key_hash", "key_ciphertext", "key_prefix", "key_suffix", "is_wildcard", "enabled", "created_at", "allowed_endpoints"];
+  const placeholders = ["?", "?", "?", "?", "?", "?", "?", "?", "?", "?"];
+  const normalizedEndpoints = normalizeAllowedEndpointsForStorage(allowedEndpoints);
+  const serializedEndpoints = normalizedEndpoints ? JSON.stringify(normalizedEndpoints) : null;
+  const values = [trimmed, trimmedDescription || null, hashed, encrypted, prefix, suffix, 0, 1, now, serializedEndpoints];
   if (apiKeysHasUpdatedAt) {
     columns.push("updated_at");
     placeholders.push("?");
@@ -13423,24 +13467,55 @@ async function createApiKey(name, description, context) {
     createdAt: new Date(now).toISOString()
   };
 }
-async function setApiKeyEnabled(id, enabled, context) {
+async function updateApiKeySettings(id, updates, context) {
   await ensureApiKeysMetadataLoaded();
   const existing = await getOne("SELECT id, name, is_wildcard, enabled FROM api_keys WHERE id = ?", [id]);
   if (!existing) {
     throw new Error("API key not found");
   }
+  const setClauses = [];
+  const values = [];
+  const logs = [];
+  if (typeof updates.enabled === "boolean") {
+    setClauses.push("enabled = ?");
+    values.push(updates.enabled ? 1 : 0);
+    logs.push({
+      apiKeyId: existing.id,
+      apiKeyName: existing.name,
+      operation: updates.enabled ? "enable" : "disable",
+      operator: context?.operator ?? null,
+      ipAddress: context?.ipAddress ?? null
+    });
+  }
+  if (updates.allowedEndpointsProvided) {
+    if (existing.is_wildcard) {
+      throw new Error("Cannot set endpoint restrictions on wildcard key");
+    }
+    const normalizedEndpoints = normalizeAllowedEndpointsForStorage(updates.allowedEndpoints);
+    const serialized = normalizedEndpoints ? JSON.stringify(normalizedEndpoints) : null;
+    setClauses.push("allowed_endpoints = ?");
+    values.push(serialized);
+    logs.push({
+      apiKeyId: existing.id,
+      apiKeyName: existing.name,
+      operation: "update_endpoints",
+      details: { allowedEndpoints: normalizedEndpoints },
+      operator: context?.operator ?? null,
+      ipAddress: context?.ipAddress ?? null
+    });
+  }
+  if (setClauses.length === 0) {
+    throw new Error("No updates provided");
+  }
   if (apiKeysHasUpdatedAt) {
-    await runQuery("UPDATE api_keys SET enabled = ?, updated_at = ? WHERE id = ?", [enabled ? 1 : 0, Date.now(), id]);
-  } else {
-    await runQuery("UPDATE api_keys SET enabled = ? WHERE id = ?", [enabled ? 1 : 0, id]);
+    setClauses.push("updated_at = ?");
+    values.push(Date.now());
+  }
+  values.push(id);
+  await runQuery(`UPDATE api_keys SET ${setClauses.join(", ")} WHERE id = ?`, values);
+  for (const payload of logs) {
+    await recordAuditLog(payload);
   }
-  await recordAuditLog({
-    apiKeyId: existing.id,
-    apiKeyName: existing.name,
-    operation: enabled ? "enable" : "disable",
-    operator: context?.operator ?? null,
-    ipAddress: context?.ipAddress ?? null
-  });
 }
 async function deleteApiKey(id, context) {
   const existing = await getOne("SELECT id, name, is_wildcard FROM api_keys WHERE id = ?", [id]);
@@ -13483,7 +13558,7 @@ async function resolveApiKey(providedRaw, context) {
     throw new ApiKeyError("API key is required", "missing");
   }
   const hashed = hashKey(provided);
-  const existing = await getOne("SELECT id, name, enabled, is_wildcard FROM api_keys WHERE key_hash = ?", [hashed]);
+  const existing = await getOne("SELECT id, name, enabled, is_wildcard, allowed_endpoints FROM api_keys WHERE key_hash = ?", [hashed]);
   if (existing) {
     if (!existing.enabled) {
       await recordAuditLog({
@@ -13495,6 +13570,53 @@ async function resolveApiKey(providedRaw, context) {
       });
       throw new ApiKeyError("API key is disabled", "disabled");
     }
+    if (context?.endpointId && !existing.is_wildcard && existing.allowed_endpoints) {
+      let parsed;
+      try {
+        parsed = JSON.parse(existing.allowed_endpoints);
+      } catch {
+        await recordAuditLog({
+          apiKeyId: existing.id,
+          apiKeyName: existing.name,
+          operation: "auth_failure",
+          details: { reason: "endpoint_policy_invalid", endpoint: context.endpointId },
+          ipAddress: context?.ipAddress ?? null
+        });
+        throw new ApiKeyError("API key endpoint policy is invalid", "forbidden");
+      }
+      if (!Array.isArray(parsed)) {
+        await recordAuditLog({
+          apiKeyId: existing.id,
+          apiKeyName: existing.name,
+          operation: "auth_failure",
+          details: { reason: "endpoint_policy_invalid", endpoint: context.endpointId },
+          ipAddress: context?.ipAddress ?? null
+        });
+        throw new ApiKeyError("API key endpoint policy is invalid", "forbidden");
+      }
+      const endpointList = parseEndpointList(parsed);
+      if (!endpointList.ok) {
+        await recordAuditLog({
+          apiKeyId: existing.id,
+          apiKeyName: existing.name,
+          operation: "auth_failure",
+          details: { reason: "endpoint_policy_invalid", endpoint: context.endpointId },
+          ipAddress: context?.ipAddress ?? null
+        });
+        throw new ApiKeyError("API key endpoint policy is invalid", "forbidden");
+      }
+      const allowed = endpointList.value;
+      if (allowed.length > 0 && !allowed.includes(context.endpointId)) {
+        await recordAuditLog({
+          apiKeyId: existing.id,
+          apiKeyName: existing.name,
+          operation: "auth_failure",
+          details: { reason: "forbidden", endpoint: context.endpointId },
+          ipAddress: context?.ipAddress ?? null
+        });
+        throw new ApiKeyError("API key is not authorized for this endpoint", "forbidden");
+      }
+    }
     return {
       id: existing.id,
       name: existing.name,
@@ -14209,21 +14331,190 @@ function resolveCachedTokens(usage) {
   if (!usage || typeof usage !== "object") {
     return result;
   }
-  if (typeof usage.cache_read_input_tokens === "number") {
+  const hasAnthropicRead = Number.isFinite(usage.cache_read_input_tokens);
+  const hasAnthropicCreation = Number.isFinite(usage.cache_creation_input_tokens);
+  if (hasAnthropicRead) {
     result.read = usage.cache_read_input_tokens;
   }
-  if (typeof usage.cache_creation_input_tokens === "number") {
+  if (hasAnthropicCreation) {
     result.creation = usage.cache_creation_input_tokens;
   }
-  if (typeof usage.cached_tokens === "number") {
-    result.read = usage.cached_tokens;
-  }
-  const promptDetails = usage.prompt_tokens_details;
-  if (promptDetails && typeof promptDetails.cached_tokens === "number") {
-    result.read = promptDetails.cached_tokens;
+  if (!hasAnthropicRead) {
+    const promptDetails = usage.prompt_tokens_details;
+    const inputDetails = usage.input_tokens_details;
+    if (promptDetails && Number.isFinite(promptDetails.cached_tokens)) {
+      result.read = promptDetails.cached_tokens;
+    } else if (inputDetails && Number.isFinite(inputDetails.cached_tokens)) {
+      result.read = inputDetails.cached_tokens;
+    } else if (typeof usage.cached_tokens === "number") {
+      result.read = usage.cached_tokens;
+    }
   }
   return result;
 }
+function extractTextForTokenEstimate(value) {
+  if (value == null)
+    return "";
+  if (typeof value === "string")
+    return value;
+  if (Array.isArray(value)) {
+    return value.map((item) => extractTextForTokenEstimate(item)).filter(Boolean).join("\n");
+  }
+  if (typeof value === "object") {
+    const payload = value;
+    if (typeof payload.text === "string")
+      return payload.text;
+    if (typeof payload.content === "string")
+      return payload.content;
+    if (Array.isArray(payload.content))
+      return extractTextForTokenEstimate(payload.content);
+    if (typeof payload.output_text === "string")
+      return payload.output_text;
+    if (typeof payload.value === "string")
+      return payload.value;
+  }
+  return "";
+}
+function parseSSEToSummary(chunks, format, modelId) {
+  const allChunks = chunks.join("");
+  const lines = allChunks.split("\n");
+  let accumulatedContent = "";
+  let finishReason = null;
+  const toolCalls = /* @__PURE__ */ new Map();
+  let usagePrompt = null;
+  let usageCompletion = null;
+  let usageCached = null;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed.startsWith("data:"))
+      continue;
+    const dataStr = trimmed.slice(5).trim();
+    if (dataStr === "[DONE]")
+      continue;
+    try {
+      const data = JSON.parse(dataStr);
+      if (format === "chat") {
+        const choice = data?.choices?.[0];
+        if (choice) {
+          const delta = choice.delta;
+          if (delta?.content) {
+            accumulatedContent += delta.content;
+          }
+          if (delta?.tool_calls) {
+            for (const tc of delta.tool_calls) {
+              const idx = tc.index ?? 0;
+              const existing = toolCalls.get(idx);
+              if (!existing && tc.id) {
+                toolCalls.set(idx, {
+                  id: tc.id,
+                  type: tc.type || "function",
+                  name: tc.function?.name || "",
+                  arguments: tc.function?.arguments || ""
+                });
+              } else if (existing) {
+                if (tc.function?.arguments) {
+                  existing.arguments += tc.function.arguments;
+                }
+              }
+            }
+          }
+          if (choice.finish_reason) {
+            finishReason = choice.finish_reason;
+          }
+        }
+        if (data?.usage) {
+          usagePrompt = data.usage.prompt_tokens ?? usagePrompt;
+          usageCompletion = data.usage.completion_tokens ?? usageCompletion;
+          const cached = resolveCachedTokens(data.usage);
+          if (cached.read > 0 || cached.creation > 0) {
+            usageCached = cached.read + cached.creation;
+          }
+        }
+      } else {
+        const eventType = data?.type;
+        if (eventType === "response.output_text.delta") {
+          const delta = data?.delta;
+          if (typeof delta === "string") {
+            accumulatedContent += delta;
+          }
+        } else if (eventType === "response.content_part.delta") {
+          const delta = data?.delta?.text;
+          if (typeof delta === "string") {
+            accumulatedContent += delta;
+          }
+        } else if (eventType === "response.function_call_arguments.delta") {
+          const itemId = data?.item_id;
+          const delta = data?.delta;
+          if (itemId && typeof delta === "string") {
+            let found = false;
+            for (const tc of toolCalls.values()) {
+              if (tc.id === itemId) {
+                tc.arguments += delta;
+                found = true;
+                break;
+              }
+            }
+            if (!found) {
+              toolCalls.set(toolCalls.size, {
+                id: itemId,
+                type: "function",
+                name: "",
+                arguments: delta
+              });
+            }
+          }
+        } else if (eventType === "response.output_item.added") {
+          const item = data?.item;
+          if (item?.type === "function_call" && item?.call_id) {
+            toolCalls.set(toolCalls.size, {
+              id: item.call_id,
+              type: "function",
+              name: item.name || "",
+              arguments: ""
+            });
+          }
+        } else if (eventType === "response.completed" || eventType === "response.done") {
+          const response = data?.response;
+          if (response?.status) {
+            finishReason = response.status;
+          }
+          if (response?.usage) {
+            usagePrompt = response.usage.input_tokens ?? response.usage.prompt_tokens ?? usagePrompt;
+            usageCompletion = response.usage.output_tokens ?? response.usage.completion_tokens ?? usageCompletion;
+            const cached = resolveCachedTokens(response.usage);
+            if (cached.read > 0 || cached.creation > 0) {
+              usageCached = cached.read + cached.creation;
+            }
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  const summary = {
+    content: accumulatedContent,
+    model: modelId,
+    finish_reason: finishReason
+  };
+  if (usagePrompt != null || usageCompletion != null || usageCached != null) {
+    summary.usage = {
+      prompt_tokens: usagePrompt,
+      completion_tokens: usageCompletion,
+      cached_tokens: usageCached
+    };
+  }
+  if (toolCalls.size > 0) {
+    summary.tool_calls = Array.from(toolCalls.values()).map((tc) => ({
+      id: tc.id,
+      type: tc.type,
+      function: {
+        name: tc.name,
+        arguments: tc.arguments
+      }
+    }));
+  }
+  return summary;
+}
 var roundTwoDecimals = (value) => Math.round(value * 100) / 100;
 function cloneOriginalPayload(value) {
   const structuredCloneFn = globalThis.structuredClone;
@@ -14365,13 +14656,13 @@ async function registerModelsHandler(app, path5, endpointId) {
     }
     const providedApiKey = extractApiKeyFromRequest(request);
     try {
-      await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+      await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId });
     } catch (error) {
       if (error instanceof ApiKeyError) {
-        reply.code(401);
+        reply.code(error.code === "forbidden" ? 403 : 401);
         return {
           error: {
-            code: "invalid_api_key",
+            code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
             message: error.message
           }
         };
@@ -14496,13 +14787,13 @@ async function handleAnthropicProtocol(request, reply, endpoint, endpointId, app
   const providedApiKey = extractApiKeyFromRequest(request);
   let apiKeyContext;
   try {
-    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId });
   } catch (error) {
     if (error instanceof ApiKeyError) {
-      reply.code(401);
+      reply.code(error.code === "forbidden" ? 403 : 401);
       return {
         error: {
-          code: "invalid_api_key",
+          code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
           message: error.message
         }
       };
@@ -15002,13 +15293,13 @@ async function handleAnthropicCountTokensProtocol(request, reply, endpoint, endp
   }
   const providedApiKey = extractApiKeyFromRequest(request);
   try {
-    await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+    await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId });
   } catch (error) {
     if (error instanceof ApiKeyError) {
-      reply.code(401);
+      reply.code(error.code === "forbidden" ? 403 : 401);
       return {
         error: {
-          code: "invalid_api_key",
+          code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
           message: error.message
         }
       };
@@ -15078,13 +15369,13 @@ async function handleOpenAIChatProtocol(request, reply, endpoint, endpointId, ap
   const providedApiKey = extractApiKeyFromRequest(request);
   let apiKeyContext;
   try {
-    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId });
   } catch (error) {
     if (error instanceof ApiKeyError) {
-      reply.code(401);
+      reply.code(error.code === "forbidden" ? 403 : 401);
       return {
         error: {
-          code: "invalid_api_key",
+          code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
           message: error.message
         }
       };
@@ -15162,10 +15453,6 @@ async function handleOpenAIChatProtocol(request, reply, endpoint, endpointId, ap
       });
     } else {
       providerBody = { ...payload };
-      if (providerBody.max_output_tokens == null && typeof providerBody.max_tokens === "number") {
-        providerBody.max_output_tokens = providerBody.max_tokens;
-      }
-      delete providerBody.max_tokens;
       if (typeof providerBody.thinking === "boolean") {
         delete providerBody.thinking;
       }
@@ -15208,7 +15495,7 @@ async function handleOpenAIChatProtocol(request, reply, endpoint, endpointId, ap
       const json = await readProviderBodyJson(upstream.body);
       const usagePayload = json?.usage ?? null;
       const inputTokens2 = usagePayload?.prompt_tokens ?? usagePayload?.input_tokens ?? target.tokenEstimate ?? estimateTokens(normalized, target.modelId);
-      const outputTokens2 = usagePayload?.completion_tokens ?? usagePayload?.output_tokens ?? estimateTextTokens(json?.choices?.[0]?.message?.content ?? "", target.modelId);
+      const outputTokens2 = usagePayload?.completion_tokens ?? usagePayload?.output_tokens ?? estimateTextTokens(extractTextForTokenEstimate(json?.choices?.[0]?.message?.content), target.modelId);
       const cached = resolveCachedTokens(usagePayload);
       const cachedTokens = cached.read + cached.creation;
       const latencyMs2 = Date.now() - requestStart;
@@ -15322,54 +15609,14 @@ async function handleOpenAIChatProtocol(request, reply, endpoint, endpointId, ap
       requests: 1,
       inputTokens,
       outputTokens,
+      cachedTokens: usageCached ?? 0,
+      cacheReadTokens: usageCacheRead,
+      cacheCreationTokens: usageCacheCreation,
       latencyMs
     });
     if (storeResponsePayloads && capturedChunks) {
       try {
-        const allChunks = capturedChunks.join("");
-        let accumulatedText = "";
-        let finishReason = null;
-        const lines = allChunks.split("\n");
-        for (const line of lines) {
-          const trimmed = line.trim();
-          if (trimmed.startsWith("data:")) {
-            const dataStr = trimmed.slice(5).trim();
-            if (dataStr !== "[DONE]") {
-              try {
-                const parsed = JSON.parse(dataStr);
-                const choice = parsed?.choices?.[0];
-                if (choice) {
-                  if (choice.delta?.content) {
-                    accumulatedText += choice.delta.content;
-                  }
-                  if (choice.finish_reason) {
-                    finishReason = choice.finish_reason;
-                  }
-                }
-              } catch {
-              }
-            }
-          }
-        }
-        const responseSummary = {
-          id: `chatcmpl_${Date.now()}`,
-          object: "chat.completion",
-          model: target.modelId,
-          choices: [{
-            index: 0,
-            message: {
-              role: "assistant",
-              content: accumulatedText
-            },
-            finish_reason: finishReason ?? "stop"
-          }],
-          usage: {
-            prompt_tokens: inputTokens,
-            completion_tokens: outputTokens,
-            total_tokens: inputTokens + outputTokens,
-            cached_tokens: usageCached ?? 0
-          }
-        };
+        const responseSummary = parseSSEToSummary(capturedChunks, "chat", target.modelId);
         await upsertLogPayload(logId, { response: JSON.stringify(responseSummary) });
       } catch {
       }
@@ -15442,13 +15689,13 @@ async function handleOpenAIResponsesProtocol(request, reply, endpoint, endpointI
   const providedApiKey = extractApiKeyFromRequest(request);
   let apiKeyContext;
   try {
-    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId });
   } catch (error) {
     if (error instanceof ApiKeyError) {
-      reply.code(401);
+      reply.code(error.code === "forbidden" ? 403 : 401);
       return {
         error: {
-          code: "invalid_api_key",
+          code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
           message: error.message
         }
       };
@@ -15572,8 +15819,10 @@ async function handleOpenAIResponsesProtocol(request, reply, endpoint, endpointI
       const json = await readProviderBodyJson(upstream.body);
       const usagePayload = json?.usage ?? null;
       const inputTokens2 = usagePayload?.prompt_tokens ?? usagePayload?.input_tokens ?? target.tokenEstimate ?? estimateTokens(normalized, target.modelId);
-      const content = json?.response?.body?.content ?? json?.choices?.[0]?.message?.content ?? "";
-      const outputTokens2 = usagePayload?.completion_tokens ?? usagePayload?.output_tokens ?? estimateTextTokens(content, target.modelId);
+      const outputTokens2 = usagePayload?.completion_tokens ?? usagePayload?.output_tokens ?? estimateTextTokens(
+        extractTextForTokenEstimate(json?.response?.body?.content ?? json?.choices?.[0]?.message?.content),
+        target.modelId
+      );
       const cached = resolveCachedTokens(usagePayload);
       const cachedTokens = cached.read + cached.creation;
       const latencyMs2 = Date.now() - requestStart;
@@ -15645,7 +15894,7 @@ async function handleOpenAIResponsesProtocol(request, reply, endpoint, endpointI
               if (dataStr !== "[DONE]") {
                 try {
                   const parsed = JSON.parse(dataStr);
-                  const usage = parsed?.usage || null;
+                  const usage = parsed?.usage || parsed?.response?.usage || null;
                   if (usage) {
                     usagePrompt = usage.prompt_tokens ?? usage.input_tokens ?? usagePrompt;
                     usageCompletion = usage.completion_tokens ?? usage.output_tokens ?? usageCompletion;
@@ -15687,54 +15936,14 @@ async function handleOpenAIResponsesProtocol(request, reply, endpoint, endpointI
       requests: 1,
       inputTokens,
       outputTokens,
+      cachedTokens: usageCached ?? 0,
+      cacheReadTokens: usageCacheRead,
+      cacheCreationTokens: usageCacheCreation,
       latencyMs
     });
     if (storeResponsePayloads && capturedChunks) {
       try {
-        const allChunks = capturedChunks.join("");
-        let accumulatedText = "";
-        let finishReason = null;
-        const lines = allChunks.split("\n");
-        for (const line of lines) {
-          const trimmed = line.trim();
-          if (trimmed.startsWith("data:")) {
-            const dataStr = trimmed.slice(5).trim();
-            if (dataStr !== "[DONE]") {
-              try {
-                const parsed = JSON.parse(dataStr);
-                const choice = parsed?.choices?.[0];
-                if (choice) {
-                  if (choice.delta?.content) {
-                    accumulatedText += choice.delta.content;
-                  }
-                  if (choice.finish_reason) {
-                    finishReason = choice.finish_reason;
-                  }
-                }
-              } catch {
-              }
-            }
-          }
-        }
-        const responseSummary = {
-          id: `chatcmpl_${Date.now()}`,
-          object: "chat.completion",
-          model: target.modelId,
-          choices: [{
-            index: 0,
-            message: {
-              role: "assistant",
-              content: accumulatedText
-            },
-            finish_reason: finishReason ?? "stop"
-          }],
-          usage: {
-            prompt_tokens: inputTokens,
-            completion_tokens: outputTokens,
-            total_tokens: inputTokens + outputTokens,
-            cached_tokens: usageCached ?? 0
-          }
-        };
+        const responseSummary = parseSSEToSummary(capturedChunks, "responses", target.modelId);
         await upsertLogPayload(logId, { response: JSON.stringify(responseSummary) });
       } catch {
       }
@@ -15808,13 +16017,13 @@ async function registerOpenAiRoutes(app) {
   const handleModels = async (request, reply) => {
     const providedApiKey = extractApiKeyFromRequest2(request);
     try {
-      await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+      await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId: "openai" });
     } catch (error) {
       if (error instanceof ApiKeyError) {
-        reply.code(401);
+        reply.code(error.code === "forbidden" ? 403 : 401);
         return {
           error: {
-            code: "invalid_api_key",
+            code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
             message: error.message
           }
         };
@@ -17141,6 +17350,27 @@ async function registerAdminRoutes(app) {
     const endpoint = typeof query.endpoint === "string" && query.endpoint.length > 0 ? query.endpoint : void 0;
     return getApiKeyUsageMetrics(days, limit, endpoint);
   });
+  const normalizeAllowedEndpoints = (value) => {
+    if (value == null) {
+      return { ok: true, value: null };
+    }
+    if (!Array.isArray(value)) {
+      return { ok: false, error: "allowedEndpoints must be an array of strings or null" };
+    }
+    const normalized = [];
+    for (const raw of value) {
+      if (typeof raw !== "string") {
+        return { ok: false, error: "allowedEndpoints must be an array of strings or null" };
+      }
+      const endpointId = raw.trim();
+      if (!endpointId) {
+        return { ok: false, error: "allowedEndpoints must not contain empty endpoint IDs" };
+      }
+      normalized.push(endpointId);
+    }
+    const deduped = [...new Set(normalized)];
+    return { ok: true, value: deduped.length > 0 ? deduped : null };
+  };
   app.get("/api/keys", async () => {
     return listApiKeys();
   });
@@ -17150,8 +17380,19 @@ async function registerAdminRoutes(app) {
       reply.code(400);
       return { error: "Name is required" };
     }
+    const hasAllowedEndpoints = Object.prototype.hasOwnProperty.call(body, "allowedEndpoints");
+    const normalizedAllowedEndpoints = hasAllowedEndpoints ? normalizeAllowedEndpoints(body.allowedEndpoints) : { ok: true, value: null };
+    if (!normalizedAllowedEndpoints.ok) {
+      reply.code(400);
+      return { error: normalizedAllowedEndpoints.error };
+    }
     try {
-      return await createApiKey(body.name, body.description, { ipAddress: request.ip });
+      return await createApiKey(
+        body.name,
+        body.description,
+        { ipAddress: request.ip },
+        normalizedAllowedEndpoints.value
+      );
     } catch (error) {
       reply.code(400);
       return { error: error instanceof Error ? error.message : "Failed to create API key" };
@@ -17163,13 +17404,33 @@ async function registerAdminRoutes(app) {
       reply.code(400);
       return { error: "Invalid id" };
     }
-    const body = request.body;
-    if (typeof body?.enabled !== "boolean") {
+    const rawBody = request.body;
+    if (!rawBody || typeof rawBody !== "object" || Array.isArray(rawBody)) {
+      reply.code(400);
+      return { error: "Invalid request body" };
+    }
+    const body = rawBody;
+    const hasEnabled = typeof body?.enabled === "boolean";
+    const hasAllowedEndpoints = Object.prototype.hasOwnProperty.call(body, "allowedEndpoints");
+    if (!hasEnabled && !hasAllowedEndpoints) {
       reply.code(400);
-      return { error: "enabled field is required" };
+      return { error: "At least one of enabled or allowedEndpoints is required" };
+    }
+    const normalizedAllowedEndpoints = hasAllowedEndpoints ? normalizeAllowedEndpoints(body.allowedEndpoints) : { ok: true, value: null };
+    if (!normalizedAllowedEndpoints.ok) {
+      reply.code(400);
+      return { error: normalizedAllowedEndpoints.error };
     }
     try {
-      await setApiKeyEnabled(id, body.enabled, { ipAddress: request.ip });
+      await updateApiKeySettings(
+        id,
+        {
+          enabled: hasEnabled ? body.enabled : void 0,
+          allowedEndpoints: normalizedAllowedEndpoints.value,
+          allowedEndpointsProvided: hasAllowedEndpoints
+        },
+        { ipAddress: request.ip }
+      );
       return { success: true };
     } catch (error) {
       if (error instanceof Error && error.message === "API key not found") {