@chenpu17/cc-gw 0.7.17 → 0.7.19

package/src/server/dist/index.js

@@ -10975,7 +10975,7 @@ function buildProviderBody(payload, options = {}) {
   const body = {
     messages: buildMessages(payload)
   };
-  if (options.maxTokens) {
+  if (options.maxTokens != null) {
     if (payload.thinking) {
       body.max_completion_tokens = options.maxTokens;
     } else {
@@ -11094,7 +11094,7 @@ function buildAnthropicBody(payload, options = {}) {
     messages,
     stream: payload.stream
   };
-  if (options.maxTokens) {
+  if (options.maxTokens != null) {
     body.max_tokens = options.maxTokens;
   }
   if (typeof options.temperature === "number") {
@@ -12826,6 +12826,7 @@ async function ensureSchema(db) {
   await maybeAddColumn(db, "api_keys", "request_count", "INTEGER DEFAULT 0");
   await maybeAddColumn(db, "api_keys", "total_input_tokens", "INTEGER DEFAULT 0");
   await maybeAddColumn(db, "api_keys", "total_output_tokens", "INTEGER DEFAULT 0");
+  await maybeAddColumn(db, "api_keys", "allowed_endpoints", "TEXT DEFAULT NULL");
   await migrateDailyMetricsTable(db);
   await maybeAddColumn(db, "daily_metrics", "total_cached_tokens", "INTEGER DEFAULT 0");
   await maybeAddColumn(db, "daily_metrics", "total_cache_read_tokens", "INTEGER DEFAULT 0");
@@ -13345,6 +13346,33 @@ function maskKey(prefix, suffix) {
   const safeSuffix = suffix ?? "";
   return `${safePrefix}****${safeSuffix}`;
 }
+function parseEndpointList(value) {
+  if (!Array.isArray(value)) {
+    return { ok: false };
+  }
+  const normalized = [];
+  for (const raw of value) {
+    if (typeof raw !== "string") {
+      return { ok: false };
+    }
+    const endpointId = raw.trim();
+    if (!endpointId) {
+      return { ok: false };
+    }
+    normalized.push(endpointId);
+  }
+  return { ok: true, value: [...new Set(normalized)] };
+}
+function normalizeAllowedEndpointsForStorage(value) {
+  if (value == null) {
+    return null;
+  }
+  const parsed = parseEndpointList(value);
+  if (!parsed.ok) {
+    throw new Error("allowedEndpoints must be an array of strings or null");
+  }
+  return parsed.value.length > 0 ? parsed.value : null;
+}
 async function recordAuditLog(payload) {
   const { apiKeyId = null, apiKeyName = null, operation, operator = null, details = null, ipAddress = null } = payload;
   const serializedDetails = details ? JSON.stringify(details) : null;
@@ -13364,22 +13392,36 @@ function generateKey() {
   };
 }
 async function listApiKeys() {
-  const rows = await getAll("SELECT id, name, description, key_prefix, key_suffix, is_wildcard, enabled, created_at, last_used_at, request_count, total_input_tokens, total_output_tokens FROM api_keys ORDER BY is_wildcard DESC, created_at DESC");
-  return rows.map((row) => ({
-    id: row.id,
-    name: row.name,
-    description: row.description ?? null,
-    maskedKey: row.is_wildcard ? null : maskKey(row.key_prefix, row.key_suffix),
-    isWildcard: Boolean(row.is_wildcard),
-    enabled: Boolean(row.enabled),
-    createdAt: toIsoOrNull(row.created_at),
-    lastUsedAt: toIsoOrNull(row.last_used_at),
-    requestCount: row.request_count ?? 0,
-    totalInputTokens: row.total_input_tokens ?? 0,
-    totalOutputTokens: row.total_output_tokens ?? 0
-  }));
+  const rows = await getAll("SELECT id, name, description, key_prefix, key_suffix, is_wildcard, enabled, created_at, last_used_at, request_count, total_input_tokens, total_output_tokens, allowed_endpoints FROM api_keys ORDER BY is_wildcard DESC, created_at DESC");
+  return rows.map((row) => {
+    let allowedEndpoints = null;
+    if (row.allowed_endpoints) {
+      try {
+        const parsed = JSON.parse(row.allowed_endpoints);
+        const endpointList = parseEndpointList(parsed);
+        if (endpointList.ok && endpointList.value.length > 0) {
+          allowedEndpoints = endpointList.value;
+        }
+      } catch {
+      }
+    }
+    return {
+      id: row.id,
+      name: row.name,
+      description: row.description ?? null,
+      maskedKey: row.is_wildcard ? null : maskKey(row.key_prefix, row.key_suffix),
+      isWildcard: Boolean(row.is_wildcard),
+      enabled: Boolean(row.enabled),
+      createdAt: toIsoOrNull(row.created_at),
+      lastUsedAt: toIsoOrNull(row.last_used_at),
+      requestCount: row.request_count ?? 0,
+      totalInputTokens: row.total_input_tokens ?? 0,
+      totalOutputTokens: row.total_output_tokens ?? 0,
+      allowedEndpoints
+    };
+  });
 }
-async function createApiKey(name, description, context) {
+async function createApiKey(name, description, context, allowedEndpoints) {
   const trimmed = name.trim();
   if (!trimmed) {
     throw new Error("Name is required");
@@ -13396,9 +13438,11 @@ async function createApiKey(name, description, context) {
   const hashed = hashKey(key);
   const encrypted = encryptSecret(key);
   const now = Date.now();
-  const columns = ["name", "description", "key_hash", "key_ciphertext", "key_prefix", "key_suffix", "is_wildcard", "enabled", "created_at"];
-  const placeholders = ["?", "?", "?", "?", "?", "?", "?", "?", "?"];
-  const values = [trimmed, trimmedDescription || null, hashed, encrypted, prefix, suffix, 0, 1, now];
+  const columns = ["name", "description", "key_hash", "key_ciphertext", "key_prefix", "key_suffix", "is_wildcard", "enabled", "created_at", "allowed_endpoints"];
+  const placeholders = ["?", "?", "?", "?", "?", "?", "?", "?", "?", "?"];
+  const normalizedEndpoints = normalizeAllowedEndpointsForStorage(allowedEndpoints);
+  const serializedEndpoints = normalizedEndpoints ? JSON.stringify(normalizedEndpoints) : null;
+  const values = [trimmed, trimmedDescription || null, hashed, encrypted, prefix, suffix, 0, 1, now, serializedEndpoints];
   if (apiKeysHasUpdatedAt) {
     columns.push("updated_at");
     placeholders.push("?");
@@ -13423,24 +13467,55 @@ async function createApiKey(name, description, context) {
     createdAt: new Date(now).toISOString()
   };
 }
-async function setApiKeyEnabled(id, enabled, context) {
+async function updateApiKeySettings(id, updates, context) {
   await ensureApiKeysMetadataLoaded();
   const existing = await getOne("SELECT id, name, is_wildcard, enabled FROM api_keys WHERE id = ?", [id]);
   if (!existing) {
     throw new Error("API key not found");
   }
+  const setClauses = [];
+  const values = [];
+  const logs = [];
+  if (typeof updates.enabled === "boolean") {
+    setClauses.push("enabled = ?");
+    values.push(updates.enabled ? 1 : 0);
+    logs.push({
+      apiKeyId: existing.id,
+      apiKeyName: existing.name,
+      operation: updates.enabled ? "enable" : "disable",
+      operator: context?.operator ?? null,
+      ipAddress: context?.ipAddress ?? null
+    });
+  }
+  if (updates.allowedEndpointsProvided) {
+    if (existing.is_wildcard) {
+      throw new Error("Cannot set endpoint restrictions on wildcard key");
+    }
+    const normalizedEndpoints = normalizeAllowedEndpointsForStorage(updates.allowedEndpoints);
+    const serialized = normalizedEndpoints ? JSON.stringify(normalizedEndpoints) : null;
+    setClauses.push("allowed_endpoints = ?");
+    values.push(serialized);
+    logs.push({
+      apiKeyId: existing.id,
+      apiKeyName: existing.name,
+      operation: "update_endpoints",
+      details: { allowedEndpoints: normalizedEndpoints },
+      operator: context?.operator ?? null,
+      ipAddress: context?.ipAddress ?? null
+    });
+  }
+  if (setClauses.length === 0) {
+    throw new Error("No updates provided");
+  }
   if (apiKeysHasUpdatedAt) {
-    await runQuery("UPDATE api_keys SET enabled = ?, updated_at = ? WHERE id = ?", [enabled ? 1 : 0, Date.now(), id]);
-  } else {
-    await runQuery("UPDATE api_keys SET enabled = ? WHERE id = ?", [enabled ? 1 : 0, id]);
+    setClauses.push("updated_at = ?");
+    values.push(Date.now());
+  }
+  values.push(id);
+  await runQuery(`UPDATE api_keys SET ${setClauses.join(", ")} WHERE id = ?`, values);
+  for (const payload of logs) {
+    await recordAuditLog(payload);
   }
-  await recordAuditLog({
-    apiKeyId: existing.id,
-    apiKeyName: existing.name,
-    operation: enabled ? "enable" : "disable",
-    operator: context?.operator ?? null,
-    ipAddress: context?.ipAddress ?? null
-  });
 }
 async function deleteApiKey(id, context) {
   const existing = await getOne("SELECT id, name, is_wildcard FROM api_keys WHERE id = ?", [id]);
@@ -13483,7 +13558,7 @@ async function resolveApiKey(providedRaw, context) {
     throw new ApiKeyError("API key is required", "missing");
   }
   const hashed = hashKey(provided);
-  const existing = await getOne("SELECT id, name, enabled, is_wildcard FROM api_keys WHERE key_hash = ?", [hashed]);
+  const existing = await getOne("SELECT id, name, enabled, is_wildcard, allowed_endpoints FROM api_keys WHERE key_hash = ?", [hashed]);
   if (existing) {
     if (!existing.enabled) {
       await recordAuditLog({
@@ -13495,6 +13570,53 @@ async function resolveApiKey(providedRaw, context) {
       });
       throw new ApiKeyError("API key is disabled", "disabled");
     }
+    if (context?.endpointId && !existing.is_wildcard && existing.allowed_endpoints) {
+      let parsed;
+      try {
+        parsed = JSON.parse(existing.allowed_endpoints);
+      } catch {
+        await recordAuditLog({
+          apiKeyId: existing.id,
+          apiKeyName: existing.name,
+          operation: "auth_failure",
+          details: { reason: "endpoint_policy_invalid", endpoint: context.endpointId },
+          ipAddress: context?.ipAddress ?? null
+        });
+        throw new ApiKeyError("API key endpoint policy is invalid", "forbidden");
+      }
+      if (!Array.isArray(parsed)) {
+        await recordAuditLog({
+          apiKeyId: existing.id,
+          apiKeyName: existing.name,
+          operation: "auth_failure",
+          details: { reason: "endpoint_policy_invalid", endpoint: context.endpointId },
+          ipAddress: context?.ipAddress ?? null
+        });
+        throw new ApiKeyError("API key endpoint policy is invalid", "forbidden");
+      }
+      const endpointList = parseEndpointList(parsed);
+      if (!endpointList.ok) {
+        await recordAuditLog({
+          apiKeyId: existing.id,
+          apiKeyName: existing.name,
+          operation: "auth_failure",
+          details: { reason: "endpoint_policy_invalid", endpoint: context.endpointId },
+          ipAddress: context?.ipAddress ?? null
+        });
+        throw new ApiKeyError("API key endpoint policy is invalid", "forbidden");
+      }
+      const allowed = endpointList.value;
+      if (allowed.length > 0 && !allowed.includes(context.endpointId)) {
+        await recordAuditLog({
+          apiKeyId: existing.id,
+          apiKeyName: existing.name,
+          operation: "auth_failure",
+          details: { reason: "forbidden", endpoint: context.endpointId },
+          ipAddress: context?.ipAddress ?? null
+        });
+        throw new ApiKeyError("API key is not authorized for this endpoint", "forbidden");
+      }
+    }
     return {
       id: existing.id,
       name: existing.name,
@@ -14209,21 +14331,190 @@ function resolveCachedTokens(usage) {
   if (!usage || typeof usage !== "object") {
     return result;
   }
-  if (typeof usage.cache_read_input_tokens === "number") {
+  const hasAnthropicRead = Number.isFinite(usage.cache_read_input_tokens);
+  const hasAnthropicCreation = Number.isFinite(usage.cache_creation_input_tokens);
+  if (hasAnthropicRead) {
     result.read = usage.cache_read_input_tokens;
   }
-  if (typeof usage.cache_creation_input_tokens === "number") {
+  if (hasAnthropicCreation) {
     result.creation = usage.cache_creation_input_tokens;
   }
-  if (typeof usage.cached_tokens === "number") {
-    result.read = usage.cached_tokens;
-  }
-  const promptDetails = usage.prompt_tokens_details;
-  if (promptDetails && typeof promptDetails.cached_tokens === "number") {
-    result.read = promptDetails.cached_tokens;
+  if (!hasAnthropicRead) {
+    const promptDetails = usage.prompt_tokens_details;
+    const inputDetails = usage.input_tokens_details;
+    if (promptDetails && Number.isFinite(promptDetails.cached_tokens)) {
+      result.read = promptDetails.cached_tokens;
+    } else if (inputDetails && Number.isFinite(inputDetails.cached_tokens)) {
+      result.read = inputDetails.cached_tokens;
+    } else if (typeof usage.cached_tokens === "number") {
+      result.read = usage.cached_tokens;
+    }
   }
   return result;
 }
+function extractTextForTokenEstimate(value) {
+  if (value == null)
+    return "";
+  if (typeof value === "string")
+    return value;
+  if (Array.isArray(value)) {
+    return value.map((item) => extractTextForTokenEstimate(item)).filter(Boolean).join("\n");
+  }
+  if (typeof value === "object") {
+    const payload = value;
+    if (typeof payload.text === "string")
+      return payload.text;
+    if (typeof payload.content === "string")
+      return payload.content;
+    if (Array.isArray(payload.content))
+      return extractTextForTokenEstimate(payload.content);
+    if (typeof payload.output_text === "string")
+      return payload.output_text;
+    if (typeof payload.value === "string")
+      return payload.value;
+  }
+  return "";
+}
+function parseSSEToSummary(chunks, format, modelId) {
+  const allChunks = chunks.join("");
+  const lines = allChunks.split("\n");
+  let accumulatedContent = "";
+  let finishReason = null;
+  const toolCalls = /* @__PURE__ */ new Map();
+  let usagePrompt = null;
+  let usageCompletion = null;
+  let usageCached = null;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed.startsWith("data:"))
+      continue;
+    const dataStr = trimmed.slice(5).trim();
+    if (dataStr === "[DONE]")
+      continue;
+    try {
+      const data = JSON.parse(dataStr);
+      if (format === "chat") {
+        const choice = data?.choices?.[0];
+        if (choice) {
+          const delta = choice.delta;
+          if (delta?.content) {
+            accumulatedContent += delta.content;
+          }
+          if (delta?.tool_calls) {
+            for (const tc of delta.tool_calls) {
+              const idx = tc.index ?? 0;
+              const existing = toolCalls.get(idx);
+              if (!existing && tc.id) {
+                toolCalls.set(idx, {
+                  id: tc.id,
+                  type: tc.type || "function",
+                  name: tc.function?.name || "",
+                  arguments: tc.function?.arguments || ""
+                });
+              } else if (existing) {
+                if (tc.function?.arguments) {
+                  existing.arguments += tc.function.arguments;
+                }
+              }
+            }
+          }
+          if (choice.finish_reason) {
+            finishReason = choice.finish_reason;
+          }
+        }
+        if (data?.usage) {
+          usagePrompt = data.usage.prompt_tokens ?? usagePrompt;
+          usageCompletion = data.usage.completion_tokens ?? usageCompletion;
+          const cached = resolveCachedTokens(data.usage);
+          if (cached.read > 0 || cached.creation > 0) {
+            usageCached = cached.read + cached.creation;
+          }
+        }
+      } else {
+        const eventType = data?.type;
+        if (eventType === "response.output_text.delta") {
+          const delta = data?.delta;
+          if (typeof delta === "string") {
+            accumulatedContent += delta;
+          }
+        } else if (eventType === "response.content_part.delta") {
+          const delta = data?.delta?.text;
+          if (typeof delta === "string") {
+            accumulatedContent += delta;
+          }
+        } else if (eventType === "response.function_call_arguments.delta") {
+          const itemId = data?.item_id;
+          const delta = data?.delta;
+          if (itemId && typeof delta === "string") {
+            let found = false;
+            for (const tc of toolCalls.values()) {
+              if (tc.id === itemId) {
+                tc.arguments += delta;
+                found = true;
+                break;
+              }
+            }
+            if (!found) {
+              toolCalls.set(toolCalls.size, {
+                id: itemId,
+                type: "function",
+                name: "",
+                arguments: delta
+              });
+            }
+          }
+        } else if (eventType === "response.output_item.added") {
+          const item = data?.item;
+          if (item?.type === "function_call" && item?.call_id) {
+            toolCalls.set(toolCalls.size, {
+              id: item.call_id,
+              type: "function",
+              name: item.name || "",
+              arguments: ""
+            });
+          }
+        } else if (eventType === "response.completed" || eventType === "response.done") {
+          const response = data?.response;
+          if (response?.status) {
+            finishReason = response.status;
+          }
+          if (response?.usage) {
+            usagePrompt = response.usage.input_tokens ?? response.usage.prompt_tokens ?? usagePrompt;
+            usageCompletion = response.usage.output_tokens ?? response.usage.completion_tokens ?? usageCompletion;
+            const cached = resolveCachedTokens(response.usage);
+            if (cached.read > 0 || cached.creation > 0) {
+              usageCached = cached.read + cached.creation;
+            }
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  const summary = {
+    content: accumulatedContent,
+    model: modelId,
+    finish_reason: finishReason
+  };
+  if (usagePrompt != null || usageCompletion != null || usageCached != null) {
+    summary.usage = {
+      prompt_tokens: usagePrompt,
+      completion_tokens: usageCompletion,
+      cached_tokens: usageCached
+    };
+  }
+  if (toolCalls.size > 0) {
+    summary.tool_calls = Array.from(toolCalls.values()).map((tc) => ({
+      id: tc.id,
+      type: tc.type,
+      function: {
+        name: tc.name,
+        arguments: tc.arguments
+      }
+    }));
+  }
+  return summary;
+}
 var roundTwoDecimals = (value) => Math.round(value * 100) / 100;
 function cloneOriginalPayload(value) {
   const structuredCloneFn = globalThis.structuredClone;
@@ -14365,13 +14656,13 @@ async function registerModelsHandler(app, path5, endpointId) {
     }
     const providedApiKey = extractApiKeyFromRequest(request);
     try {
-      await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+      await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId });
     } catch (error) {
       if (error instanceof ApiKeyError) {
-        reply.code(401);
+        reply.code(error.code === "forbidden" ? 403 : 401);
         return {
           error: {
-            code: "invalid_api_key",
+            code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
             message: error.message
           }
         };
@@ -14496,13 +14787,13 @@ async function handleAnthropicProtocol(request, reply, endpoint, endpointId, app
   const providedApiKey = extractApiKeyFromRequest(request);
   let apiKeyContext;
   try {
-    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId });
   } catch (error) {
     if (error instanceof ApiKeyError) {
-      reply.code(401);
+      reply.code(error.code === "forbidden" ? 403 : 401);
       return {
         error: {
-          code: "invalid_api_key",
+          code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
           message: error.message
         }
       };
@@ -15002,13 +15293,13 @@ async function handleAnthropicCountTokensProtocol(request, reply, endpoint, endp
   }
   const providedApiKey = extractApiKeyFromRequest(request);
   try {
-    await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+    await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId });
   } catch (error) {
     if (error instanceof ApiKeyError) {
-      reply.code(401);
+      reply.code(error.code === "forbidden" ? 403 : 401);
       return {
         error: {
-          code: "invalid_api_key",
+          code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
           message: error.message
         }
       };
@@ -15078,13 +15369,13 @@ async function handleOpenAIChatProtocol(request, reply, endpoint, endpointId, ap
   const providedApiKey = extractApiKeyFromRequest(request);
   let apiKeyContext;
   try {
-    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId });
   } catch (error) {
     if (error instanceof ApiKeyError) {
-      reply.code(401);
+      reply.code(error.code === "forbidden" ? 403 : 401);
       return {
         error: {
-          code: "invalid_api_key",
+          code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
           message: error.message
         }
       };
@@ -15204,7 +15495,7 @@ async function handleOpenAIChatProtocol(request, reply, endpoint, endpointId, ap
       const json = await readProviderBodyJson(upstream.body);
       const usagePayload = json?.usage ?? null;
       const inputTokens2 = usagePayload?.prompt_tokens ?? usagePayload?.input_tokens ?? target.tokenEstimate ?? estimateTokens(normalized, target.modelId);
-      const outputTokens2 = usagePayload?.completion_tokens ?? usagePayload?.output_tokens ?? estimateTextTokens(json?.choices?.[0]?.message?.content ?? "", target.modelId);
+      const outputTokens2 = usagePayload?.completion_tokens ?? usagePayload?.output_tokens ?? estimateTextTokens(extractTextForTokenEstimate(json?.choices?.[0]?.message?.content), target.modelId);
       const cached = resolveCachedTokens(usagePayload);
       const cachedTokens = cached.read + cached.creation;
       const latencyMs2 = Date.now() - requestStart;
@@ -15318,54 +15609,14 @@ async function handleOpenAIChatProtocol(request, reply, endpoint, endpointId, ap
       requests: 1,
       inputTokens,
       outputTokens,
+      cachedTokens: usageCached ?? 0,
+      cacheReadTokens: usageCacheRead,
+      cacheCreationTokens: usageCacheCreation,
       latencyMs
     });
     if (storeResponsePayloads && capturedChunks) {
       try {
-        const allChunks = capturedChunks.join("");
-        let accumulatedText = "";
-        let finishReason = null;
-        const lines = allChunks.split("\n");
-        for (const line of lines) {
-          const trimmed = line.trim();
-          if (trimmed.startsWith("data:")) {
-            const dataStr = trimmed.slice(5).trim();
-            if (dataStr !== "[DONE]") {
-              try {
-                const parsed = JSON.parse(dataStr);
-                const choice = parsed?.choices?.[0];
-                if (choice) {
-                  if (choice.delta?.content) {
-                    accumulatedText += choice.delta.content;
-                  }
-                  if (choice.finish_reason) {
-                    finishReason = choice.finish_reason;
-                  }
-                }
-              } catch {
-              }
-            }
-          }
-        }
-        const responseSummary = {
-          id: `chatcmpl_${Date.now()}`,
-          object: "chat.completion",
-          model: target.modelId,
-          choices: [{
-            index: 0,
-            message: {
-              role: "assistant",
-              content: accumulatedText
-            },
-            finish_reason: finishReason ?? "stop"
-          }],
-          usage: {
-            prompt_tokens: inputTokens,
-            completion_tokens: outputTokens,
-            total_tokens: inputTokens + outputTokens,
-            cached_tokens: usageCached ?? 0
-          }
-        };
+        const responseSummary = parseSSEToSummary(capturedChunks, "chat", target.modelId);
         await upsertLogPayload(logId, { response: JSON.stringify(responseSummary) });
       } catch {
       }
@@ -15438,13 +15689,13 @@ async function handleOpenAIResponsesProtocol(request, reply, endpoint, endpointI
   const providedApiKey = extractApiKeyFromRequest(request);
   let apiKeyContext;
   try {
-    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+    apiKeyContext = await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId });
   } catch (error) {
     if (error instanceof ApiKeyError) {
-      reply.code(401);
+      reply.code(error.code === "forbidden" ? 403 : 401);
       return {
         error: {
-          code: "invalid_api_key",
+          code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
           message: error.message
         }
       };
@@ -15568,8 +15819,10 @@ async function handleOpenAIResponsesProtocol(request, reply, endpoint, endpointI
       const json = await readProviderBodyJson(upstream.body);
       const usagePayload = json?.usage ?? null;
       const inputTokens2 = usagePayload?.prompt_tokens ?? usagePayload?.input_tokens ?? target.tokenEstimate ?? estimateTokens(normalized, target.modelId);
-      const content = json?.response?.body?.content ?? json?.choices?.[0]?.message?.content ?? "";
-      const outputTokens2 = usagePayload?.completion_tokens ?? usagePayload?.output_tokens ?? estimateTextTokens(content, target.modelId);
+      const outputTokens2 = usagePayload?.completion_tokens ?? usagePayload?.output_tokens ?? estimateTextTokens(
+        extractTextForTokenEstimate(json?.response?.body?.content ?? json?.choices?.[0]?.message?.content),
+        target.modelId
+      );
       const cached = resolveCachedTokens(usagePayload);
       const cachedTokens = cached.read + cached.creation;
       const latencyMs2 = Date.now() - requestStart;
@@ -15641,7 +15894,7 @@ async function handleOpenAIResponsesProtocol(request, reply, endpoint, endpointI
               if (dataStr !== "[DONE]") {
                 try {
                   const parsed = JSON.parse(dataStr);
-                  const usage = parsed?.usage || null;
+                  const usage = parsed?.usage || parsed?.response?.usage || null;
                   if (usage) {
                     usagePrompt = usage.prompt_tokens ?? usage.input_tokens ?? usagePrompt;
                     usageCompletion = usage.completion_tokens ?? usage.output_tokens ?? usageCompletion;
@@ -15683,54 +15936,14 @@ async function handleOpenAIResponsesProtocol(request, reply, endpoint, endpointI
       requests: 1,
       inputTokens,
       outputTokens,
+      cachedTokens: usageCached ?? 0,
+      cacheReadTokens: usageCacheRead,
+      cacheCreationTokens: usageCacheCreation,
       latencyMs
     });
     if (storeResponsePayloads && capturedChunks) {
       try {
-        const allChunks = capturedChunks.join("");
-        let accumulatedText = "";
-        let finishReason = null;
-        const lines = allChunks.split("\n");
-        for (const line of lines) {
-          const trimmed = line.trim();
-          if (trimmed.startsWith("data:")) {
-            const dataStr = trimmed.slice(5).trim();
-            if (dataStr !== "[DONE]") {
-              try {
-                const parsed = JSON.parse(dataStr);
-                const choice = parsed?.choices?.[0];
-                if (choice) {
-                  if (choice.delta?.content) {
-                    accumulatedText += choice.delta.content;
-                  }
-                  if (choice.finish_reason) {
-                    finishReason = choice.finish_reason;
-                  }
-                }
-              } catch {
-              }
-            }
-          }
-        }
-        const responseSummary = {
-          id: `chatcmpl_${Date.now()}`,
-          object: "chat.completion",
-          model: target.modelId,
-          choices: [{
-            index: 0,
-            message: {
-              role: "assistant",
-              content: accumulatedText
-            },
-            finish_reason: finishReason ?? "stop"
-          }],
-          usage: {
-            prompt_tokens: inputTokens,
-            completion_tokens: outputTokens,
-            total_tokens: inputTokens + outputTokens,
-            cached_tokens: usageCached ?? 0
-          }
-        };
+        const responseSummary = parseSSEToSummary(capturedChunks, "responses", target.modelId);
         await upsertLogPayload(logId, { response: JSON.stringify(responseSummary) });
       } catch {
       }
@@ -15804,13 +16017,13 @@ async function registerOpenAiRoutes(app) {
   const handleModels = async (request, reply) => {
     const providedApiKey = extractApiKeyFromRequest2(request);
     try {
-      await resolveApiKey(providedApiKey, { ipAddress: request.ip });
+      await resolveApiKey(providedApiKey, { ipAddress: request.ip, endpointId: "openai" });
     } catch (error) {
       if (error instanceof ApiKeyError) {
-        reply.code(401);
+        reply.code(error.code === "forbidden" ? 403 : 401);
         return {
           error: {
-            code: "invalid_api_key",
+            code: error.code === "forbidden" ? "endpoint_forbidden" : "invalid_api_key",
             message: error.message
           }
         };
@@ -17137,6 +17350,27 @@ async function registerAdminRoutes(app) {
     const endpoint = typeof query.endpoint === "string" && query.endpoint.length > 0 ? query.endpoint : void 0;
     return getApiKeyUsageMetrics(days, limit, endpoint);
   });
+  const normalizeAllowedEndpoints = (value) => {
+    if (value == null) {
+      return { ok: true, value: null };
+    }
+    if (!Array.isArray(value)) {
+      return { ok: false, error: "allowedEndpoints must be an array of strings or null" };
+    }
+    const normalized = [];
+    for (const raw of value) {
+      if (typeof raw !== "string") {
+        return { ok: false, error: "allowedEndpoints must be an array of strings or null" };
+      }
+      const endpointId = raw.trim();
+      if (!endpointId) {
+        return { ok: false, error: "allowedEndpoints must not contain empty endpoint IDs" };
+      }
+      normalized.push(endpointId);
+    }
+    const deduped = [...new Set(normalized)];
+    return { ok: true, value: deduped.length > 0 ? deduped : null };
+  };
   app.get("/api/keys", async () => {
     return listApiKeys();
   });
@@ -17146,8 +17380,19 @@ async function registerAdminRoutes(app) {
       reply.code(400);
       return { error: "Name is required" };
     }
+    const hasAllowedEndpoints = Object.prototype.hasOwnProperty.call(body, "allowedEndpoints");
+    const normalizedAllowedEndpoints = hasAllowedEndpoints ? normalizeAllowedEndpoints(body.allowedEndpoints) : { ok: true, value: null };
+    if (!normalizedAllowedEndpoints.ok) {
+      reply.code(400);
+      return { error: normalizedAllowedEndpoints.error };
+    }
     try {
-      return await createApiKey(body.name, body.description, { ipAddress: request.ip });
+      return await createApiKey(
+        body.name,
+        body.description,
+        { ipAddress: request.ip },
+        normalizedAllowedEndpoints.value
+      );
     } catch (error) {
       reply.code(400);
       return { error: error instanceof Error ? error.message : "Failed to create API key" };
@@ -17159,13 +17404,33 @@ async function registerAdminRoutes(app) {
       reply.code(400);
       return { error: "Invalid id" };
     }
-    const body = request.body;
-    if (typeof body?.enabled !== "boolean") {
+    const rawBody = request.body;
+    if (!rawBody || typeof rawBody !== "object" || Array.isArray(rawBody)) {
+      reply.code(400);
+      return { error: "Invalid request body" };
+    }
+    const body = rawBody;
+    const hasEnabled = typeof body?.enabled === "boolean";
+    const hasAllowedEndpoints = Object.prototype.hasOwnProperty.call(body, "allowedEndpoints");
+    if (!hasEnabled && !hasAllowedEndpoints) {
       reply.code(400);
-      return { error: "enabled field is required" };
+      return { error: "At least one of enabled or allowedEndpoints is required" };
+    }
+    const normalizedAllowedEndpoints = hasAllowedEndpoints ? normalizeAllowedEndpoints(body.allowedEndpoints) : { ok: true, value: null };
+    if (!normalizedAllowedEndpoints.ok) {
+      reply.code(400);
+      return { error: normalizedAllowedEndpoints.error };
     }
     try {
-      await setApiKeyEnabled(id, body.enabled, { ipAddress: request.ip });
+      await updateApiKeySettings(
+        id,
+        {
+          enabled: hasEnabled ? body.enabled : void 0,
+          allowedEndpoints: normalizedAllowedEndpoints.value,
+          allowedEndpointsProvided: hasAllowedEndpoints
+        },
+        { ipAddress: request.ip }
+      );
       return { success: true };
     } catch (error) {
       if (error instanceof Error && error.message === "API key not found") {