@desplega.ai/agent-swarm 1.71.2 → 1.72.0

package/src/http/index.ts

@@ -21,6 +21,7 @@ import { handleActiveSessions } from "./active-sessions";
 import { handleAgentRegister, handleAgentsRest } from "./agents";
 import { handleApiKeys } from "./api-keys";
 import { handleApprovalRequests } from "./approval-requests";
+import { handleBudgets } from "./budgets";
 import { handleConfig } from "./config";
 import { handleContext } from "./context";
 import { handleCore, loadGlobalConfigsIntoEnv } from "./core";
@@ -28,11 +29,13 @@ import { handleDbQuery } from "./db-query";
 import { handleEcosystem } from "./ecosystem";
 import { handleEvents } from "./events";
 import { handleHeartbeat } from "./heartbeat";
+import { handleIntegrations } from "./integrations";
 import { handleMcp } from "./mcp";
 import { handleMcpOAuth, startMcpOAuthPendingGc, stopMcpOAuthPendingGc } from "./mcp-oauth";
 import { handleMcpServers } from "./mcp-servers";
 import { handleMemory } from "./memory";
 import { handlePoll } from "./poll";
+import { handlePricing } from "./pricing";
 import { handlePromptTemplates } from "./prompt-templates";
 import { handleRepos } from "./repos";
 import { handleSchedules } from "./schedules";
@@ -118,14 +121,17 @@ const httpServer = createHttpServer(async (req, res) => {
     () => handleTrackers(req, res, pathSegments),
     () => handleWebhooks(req, res, pathSegments),
     () => handleAgentsRest(req, res, pathSegments, queryParams, myAgentId),
+    () => handleBudgets(req, res, pathSegments, queryParams, myAgentId),
     () => handleContext(req, res, pathSegments, queryParams, myAgentId),
     () => handleTasks(req, res, pathSegments, queryParams, myAgentId),
     () => handleStats(req, res, pathSegments, queryParams),
     () => handleActiveSessions(req, res, pathSegments, queryParams, myAgentId),
+    () => handlePricing(req, res, pathSegments, queryParams, myAgentId),
     () => handleSchedules(req, res, pathSegments, queryParams, myAgentId),
     () => handleWorkflows(req, res, pathSegments, queryParams, myAgentId),
     () => handleApprovalRequests(req, res, pathSegments, queryParams),
     () => handleConfig(req, res, pathSegments, queryParams),
+    () => handleIntegrations(req, res, pathSegments),
     () => handlePromptTemplates(req, res, pathSegments, queryParams),
     () => handleDbQuery(req, res, pathSegments, queryParams),
     () => handleRepos(req, res, pathSegments, queryParams),

package/src/http/integrations.ts

@@ -0,0 +1,134 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import Anthropic from "@anthropic-ai/sdk";
+import { z } from "zod";
+import { getResolvedConfig } from "../be/db";
+import { route } from "./route-def";
+import { json } from "./utils";
+
+// ─── Types ───────────────────────────────────────────────────────────────────
+
+/**
+ * Minimal `client.beta.agents.retrieve` shape we depend on. Lets tests inject
+ * a fake without pulling the entire SDK surface in.
+ */
+export interface ClaudeManagedTestClient {
+  beta: {
+    agents: {
+      retrieve: (agentId: string) => Promise<{ name?: string | null; model?: string | null }>;
+    };
+  };
+}
+
+interface TestConnectionDeps {
+  /**
+   * Optional injectable client factory. When omitted, a real `Anthropic` SDK
+   * client is constructed with the resolved API key.
+   */
+  buildClient?: (apiKey: string) => ClaudeManagedTestClient;
+}
+
+// ─── Route Definition ────────────────────────────────────────────────────────
+
+const claudeManagedTestRoute = route({
+  method: "post",
+  path: "/api/integrations/claude-managed/test",
+  pattern: ["api", "integrations", "claude-managed", "test"],
+  summary:
+    "Test the claude-managed integration: resolves ANTHROPIC_API_KEY + MANAGED_AGENT_ID from swarm_config and calls beta.agents.retrieve.",
+  tags: ["Integrations"],
+  body: z.object({}).optional(),
+  responses: {
+    200: {
+      description:
+        "Connection result — `{ ok: true, agentName, model }` on success or `{ ok: false, error }` on any failure (missing config, Anthropic API error). Always 200 OK.",
+    },
+  },
+});
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+/**
+ * Look up a config value by key. Falls back to `process.env` when no
+ * swarm_config row exists — mirrors the resolution order used elsewhere
+ * (see `loadGlobalConfigsIntoEnv`).
+ *
+ * Returns the trimmed value or `null` if unset/empty.
+ */
+function resolveConfigValue(key: string): string | null {
+  const configs = getResolvedConfig();
+  // The setup CLI persists keys in lowercase (e.g. `managed_agent_id`) while
+  // the docker-entrypoint hydrates env vars in uppercase (`MANAGED_AGENT_ID`).
+  // Look up both variants so this endpoint works against either shape.
+  const variants = [key, key.toLowerCase(), key.toUpperCase()];
+  for (const variant of variants) {
+    const row = configs.find((c) => c.key === variant);
+    if (row && typeof row.value === "string" && row.value.length > 0) {
+      return row.value;
+    }
+  }
+  // Env fallback — the row may not exist if the operator deployed via env
+  // file rather than swarm_config.
+  const envValue = process.env[key];
+  if (envValue && envValue.length > 0) return envValue;
+  return null;
+}
+
+// ─── Public handler factory ──────────────────────────────────────────────────
+
+/**
+ * Build the integrations handler. Exposed as a factory so tests can inject a
+ * fake Anthropic client.
+ */
+export function createIntegrationsHandler(deps: TestConnectionDeps = {}) {
+  const buildClient =
+    deps.buildClient ??
+    ((apiKey: string) => new Anthropic({ apiKey }) as unknown as ClaudeManagedTestClient);
+
+  return async function handleIntegrations(
+    req: IncomingMessage,
+    res: ServerResponse,
+    pathSegments: string[],
+  ): Promise<boolean> {
+    if (claudeManagedTestRoute.match(req.method, pathSegments)) {
+      const apiKey = resolveConfigValue("ANTHROPIC_API_KEY");
+      const agentId = resolveConfigValue("MANAGED_AGENT_ID");
+
+      if (!apiKey || !agentId) {
+        const missing: string[] = [];
+        if (!apiKey) missing.push("ANTHROPIC_API_KEY");
+        if (!agentId) missing.push("MANAGED_AGENT_ID");
+        json(res, {
+          ok: false,
+          error: `Missing required config: ${missing.join(", ")}. Run \`bun run src/cli.tsx claude-managed-setup\` to populate.`,
+        });
+        return true;
+      }
+
+      try {
+        const client = buildClient(apiKey);
+        const agent = await client.beta.agents.retrieve(agentId);
+        // `agent.model` is `BetaManagedAgentsModelConfig` ({id, speed}). Flatten
+        // to a string so the UI can render it directly without type guards.
+        const modelId =
+          typeof agent.model === "string"
+            ? agent.model
+            : ((agent.model as { id?: string } | null | undefined)?.id ?? null);
+        json(res, {
+          ok: true,
+          agentName: agent.name ?? null,
+          model: modelId,
+        });
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        json(res, { ok: false, error: message });
+      }
+      return true;
+    }
+
+    return false;
+  };
+}
+
+// ─── Default singleton (used in production / OpenAPI generation) ─────────────
+
+export const handleIntegrations = createIntegrationsHandler();

package/src/http/poll.ts

@@ -1,6 +1,11 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import { ensure } from "@desplega.ai/business-use";
 import { z } from "zod";
+import { canClaim } from "../be/budget-admission";
+import {
+  type BudgetRefusalContext,
+  emitBudgetRefusalSideEffects,
+} from "../be/budget-refusal-notify";
 import {
   claimMentions,
   claimOfferedTask,
@@ -11,9 +16,11 @@ import {
   getInboxSummary,
   getOfferedTasksForAgent,
   getPendingTaskForAgent,
+  getTaskById,
   getUnassignedTaskIds,
   getUserById,
   hasCapacity,
+  recordBudgetRefusalNotification,
   startTask,
   upsertChannelActivityCursor,
 } from "../be/db";
@@ -22,6 +29,38 @@ import { telemetry } from "../telemetry";
 import { route } from "./route-def";
 import { json, jsonError } from "./utils";
 
+// ─── Budget-refused trigger envelope ────────────────────────────────────────
+
+/**
+ * Build the `budget_refused` trigger envelope from a `canClaim` refusal. Lives
+ * here (not in budget-admission) because it's the API-shape contract — workers
+ * read this on the wire (Phase 4 teaches them how).
+ *
+ * Phase 5: each refusal site additionally calls
+ * `recordBudgetRefusalNotification` (in-txn) and
+ * `emitBudgetRefusalSideEffects` (after-commit) to drive the lead follow-up
+ * + workflow bus emit. See `src/be/budget-refusal-notify.ts`.
+ */
+function buildBudgetRefusedTrigger(refusal: {
+  cause: "agent" | "global";
+  agentSpend?: number;
+  agentBudget?: number;
+  globalSpend?: number;
+  globalBudget?: number;
+  resetAt: string;
+}): { type: "budget_refused"; [key: string]: unknown } {
+  const trigger: { type: "budget_refused"; [key: string]: unknown } = {
+    type: "budget_refused",
+    cause: refusal.cause,
+    resetAt: refusal.resetAt,
+  };
+  if (refusal.agentSpend !== undefined) trigger.agentSpend = refusal.agentSpend;
+  if (refusal.agentBudget !== undefined) trigger.agentBudget = refusal.agentBudget;
+  if (refusal.globalSpend !== undefined) trigger.globalSpend = refusal.globalSpend;
+  if (refusal.globalBudget !== undefined) trigger.globalBudget = refusal.globalBudget;
+  return trigger;
+}
+
 // ─── Route Definitions ───────────────────────────────────────────────────────
 
 const pollTriggers = route({
@@ -95,9 +134,19 @@ export async function handlePoll(
     }
 
     // Use transaction for consistent reads across all trigger checks
-    let result:
+    type PollTxnResult =
       | { error: string; status: number }
-      | { trigger: { type: string; [key: string]: unknown } | null };
+      | {
+          trigger: { type: string; [key: string]: unknown } | null;
+          /**
+           * Phase 5: when the trigger is `budget_refused`, the txn captures
+           * the dedup-row state + the refused task's Slack context so the
+           * after-commit step can resolve the template and create the lead
+           * follow-up. Undefined for any other trigger.
+           */
+          refusalSideEffects?: { context: BudgetRefusalContext; inserted: boolean };
+        };
+    let result: PollTxnResult;
     try {
       result = getDb().transaction(() => {
         const agent = getAgentById(myAgentId);
@@ -127,6 +176,48 @@ export async function handlePoll(
         if (hasCapacity(myAgentId)) {
           const pendingTask = getPendingTaskForAgent(myAgentId);
           if (pendingTask) {
+            // Budget admission gate (Phase 3). Runs in the same transaction as
+            // the capacity check so capacity AND budget gates share atomicity.
+            // Phase 5 also records the dedup row + captures the side-effect
+            // context here so the after-commit step can notify the lead.
+            const admission = canClaim(myAgentId, new Date());
+            if (!admission.allowed) {
+              const utcDate = new Date().toISOString().slice(0, 10);
+              const dedup = recordBudgetRefusalNotification({
+                taskId: pendingTask.id,
+                date: utcDate,
+                agentId: myAgentId,
+                cause: admission.cause,
+                agentSpendUsd: admission.agentSpend,
+                agentBudgetUsd: admission.agentBudget,
+                globalSpendUsd: admission.globalSpend,
+                globalBudgetUsd: admission.globalBudget,
+              });
+              return {
+                trigger: buildBudgetRefusedTrigger(admission),
+                refusalSideEffects: {
+                  context: {
+                    task: {
+                      id: pendingTask.id,
+                      task: pendingTask.task,
+                      slackChannelId: pendingTask.slackChannelId,
+                      slackThreadTs: pendingTask.slackThreadTs,
+                      slackUserId: pendingTask.slackUserId,
+                    },
+                    agentId: myAgentId,
+                    date: utcDate,
+                    cause: admission.cause,
+                    agentSpendUsd: admission.agentSpend,
+                    agentBudgetUsd: admission.agentBudget,
+                    globalSpendUsd: admission.globalSpend,
+                    globalBudgetUsd: admission.globalBudget,
+                    resetAt: admission.resetAt,
+                  },
+                  inserted: dedup.inserted,
+                },
+              };
+            }
+
             // Mark task as in_progress immediately to prevent duplicate polling
             startTask(pendingTask.id);
 
@@ -203,6 +294,57 @@ export async function handlePoll(
           // from the start (no reassociation needed).
           if (hasCapacity(myAgentId)) {
             const unassignedIds = getUnassignedTaskIds(5);
+            // Budget admission gate (Phase 3). Pool path is workers-only —
+            // per-agent budgets matter most here, but we still check global.
+            // Only run the gate when there's at least one candidate task; an
+            // empty pool is "no work", not "refused".
+            // Phase 5: dedup row keyed on the FIRST candidate id (the one we
+            // would have claimed). That id is stable for the duration of the
+            // refusal, and the dedup is per-(task,date) so subsequent same-day
+            // refusals on the same lead-candidate are suppressed.
+            if (unassignedIds.length > 0) {
+              const admission = canClaim(myAgentId, new Date());
+              if (!admission.allowed) {
+                const candidateId = unassignedIds[0]!;
+                const candidateTask = getTaskById(candidateId);
+                const utcDate = new Date().toISOString().slice(0, 10);
+                const dedup = recordBudgetRefusalNotification({
+                  taskId: candidateId,
+                  date: utcDate,
+                  agentId: myAgentId,
+                  cause: admission.cause,
+                  agentSpendUsd: admission.agentSpend,
+                  agentBudgetUsd: admission.agentBudget,
+                  globalSpendUsd: admission.globalSpend,
+                  globalBudgetUsd: admission.globalBudget,
+                });
+                return {
+                  trigger: buildBudgetRefusedTrigger(admission),
+                  refusalSideEffects: candidateTask
+                    ? {
+                        context: {
+                          task: {
+                            id: candidateTask.id,
+                            task: candidateTask.task,
+                            slackChannelId: candidateTask.slackChannelId,
+                            slackThreadTs: candidateTask.slackThreadTs,
+                            slackUserId: candidateTask.slackUserId,
+                          },
+                          agentId: myAgentId,
+                          date: utcDate,
+                          cause: admission.cause,
+                          agentSpendUsd: admission.agentSpend,
+                          agentBudgetUsd: admission.agentBudget,
+                          globalSpendUsd: admission.globalSpend,
+                          globalBudgetUsd: admission.globalBudget,
+                          resetAt: admission.resetAt,
+                        },
+                        inserted: dedup.inserted,
+                      }
+                    : undefined,
+                };
+              }
+            }
             for (const candidateId of unassignedIds) {
               const claimed = claimTask(candidateId, myAgentId);
               if (claimed) {
@@ -243,6 +385,16 @@ export async function handlePoll(
       return true;
     }
 
+    // Phase 5: after the refusal txn commits, run side effects (lead
+    // follow-up + workflow event bus). Errors here are logged inside the
+    // helper; we never let them affect the response the worker sees.
+    if (result.refusalSideEffects) {
+      emitBudgetRefusalSideEffects(
+        result.refusalSideEffects.context,
+        result.refusalSideEffects.inserted,
+      );
+    }
+
     // If no trigger found and agent is lead, check for Slack channel activity.
     // This is the lowest-priority trigger, checked AFTER all others.
     // Runs outside the transaction because it requires async Slack API calls.
@@ -310,7 +462,13 @@ export async function handlePoll(
       }
     }
 
-    json(res, result);
+    // Strip the internal-only `refusalSideEffects` field from the wire
+    // response — workers receive only the public trigger envelope.
+    const { refusalSideEffects: _omit, ...publicResult } = result as {
+      refusalSideEffects?: unknown;
+      [key: string]: unknown;
+    };
+    json(res, publicResult);
     return true;
   }
 

package/src/http/pricing.ts

@@ -0,0 +1,245 @@
+// Phase 6: REST surface for the append-only `pricing` price book.
+//
+// Append-only by design: operators add a NEW row with a later
+// `effective_from` rather than mutating an existing row. There is no PUT.
+// The only write endpoints are POST (insert) and DELETE (typo correction).
+//
+// Every POST and DELETE writes a row to `agent_log` with eventType
+// `pricing.inserted` / `pricing.deleted` for compliance auditing. The raw
+// API key is never logged — only a short SHA-256 fingerprint.
+
+import { createHash } from "node:crypto";
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { z } from "zod";
+import {
+  createLogEntry,
+  deletePricingRow,
+  getActivePricingRow,
+  getAllPricingRows,
+  getPricingRows,
+  insertPricingRow,
+} from "../be/db";
+import { PricingProviderSchema, PricingRowSchema, PricingTokenClassSchema } from "../types";
+import { scrubSecrets } from "../utils/secret-scrubber";
+import { route } from "./route-def";
+import { json, jsonError } from "./utils";
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+function apiKeyFingerprint(req: IncomingMessage): string {
+  const authHeader = req.headers.authorization;
+  const providedKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : "";
+  if (!providedKey) return "";
+  const digest = createHash("sha256").update(providedKey).digest("hex").slice(0, 8);
+  return scrubSecrets(digest);
+}
+
+// ─── Route Definitions ───────────────────────────────────────────────────────
+
+const PricingTriplePathParams = z.object({
+  provider: PricingProviderSchema,
+  model: z.string().min(1),
+  tokenClass: PricingTokenClassSchema,
+});
+
+const listAllPricing = route({
+  method: "get",
+  path: "/api/pricing",
+  pattern: ["api", "pricing"],
+  summary: "List every pricing row across all providers",
+  tags: ["Pricing"],
+  responses: {
+    200: { description: "Pricing rows", schema: z.object({ rows: z.array(PricingRowSchema) }) },
+  },
+});
+
+const listPricingForTriple = route({
+  method: "get",
+  path: "/api/pricing/{provider}/{model}/{tokenClass}",
+  pattern: ["api", "pricing", null, null, null],
+  summary: "List pricing history for a (provider, model, tokenClass) triple",
+  tags: ["Pricing"],
+  params: PricingTriplePathParams,
+  responses: {
+    200: { description: "Pricing rows (latest first)" },
+  },
+});
+
+const getActivePricing = route({
+  method: "get",
+  path: "/api/pricing/{provider}/{model}/{tokenClass}/active",
+  pattern: ["api", "pricing", null, null, null, "active"],
+  summary: "Get the currently active pricing row",
+  tags: ["Pricing"],
+  params: PricingTriplePathParams,
+  responses: {
+    200: { description: "Active pricing row", schema: PricingRowSchema },
+    404: { description: "No pricing row in effect" },
+  },
+});
+
+const insertPricing = route({
+  method: "post",
+  path: "/api/pricing/{provider}/{model}/{tokenClass}",
+  pattern: ["api", "pricing", null, null, null],
+  summary: "Append a new pricing row",
+  tags: ["Pricing"],
+  params: PricingTriplePathParams,
+  body: z.object({
+    pricePerMillionUsd: z.number().nonnegative(),
+    effectiveFrom: z.number().nonnegative().optional(),
+  }),
+  responses: {
+    201: { description: "Pricing row inserted", schema: PricingRowSchema },
+    400: { description: "Validation error" },
+    409: { description: "Duplicate (provider, model, tokenClass, effectiveFrom)" },
+  },
+});
+
+const deletePricing = route({
+  method: "delete",
+  path: "/api/pricing/{provider}/{model}/{tokenClass}/{effectiveFrom}",
+  pattern: ["api", "pricing", null, null, null, null],
+  summary: "Delete a pricing row (typo correction)",
+  tags: ["Pricing"],
+  // `effectiveFrom` is parsed as a numeric string in the path. Using
+  // z.string() (instead of z.coerce.number()) keeps the OpenAPI spec valid:
+  // `z.coerce.number()` emits a non-required path parameter which trips
+  // swagger-cli validation. We re-parse to a number in the handler.
+  params: PricingTriplePathParams.extend({
+    effectiveFrom: z.string().regex(/^\d+$/, "effectiveFrom must be a non-negative integer"),
+  }),
+  responses: {
+    204: { description: "Pricing row deleted" },
+    404: { description: "Pricing row not found" },
+  },
+});
+
+// ─── Handler ─────────────────────────────────────────────────────────────────
+
+export async function handlePricing(
+  req: IncomingMessage,
+  res: ServerResponse,
+  pathSegments: string[],
+  queryParams: URLSearchParams,
+  _myAgentId: string | undefined,
+): Promise<boolean> {
+  // GET /api/pricing
+  if (listAllPricing.match(req.method, pathSegments)) {
+    const parsed = await listAllPricing.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    json(res, { rows: getAllPricingRows() });
+    return true;
+  }
+
+  // GET /api/pricing/{provider}/{model}/{tokenClass}/active — must come BEFORE
+  // the 5-segment variants below so the `active` literal is resolved first.
+  if (getActivePricing.match(req.method, pathSegments)) {
+    const parsed = await getActivePricing.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const row = getActivePricingRow(
+      parsed.params.provider,
+      parsed.params.model,
+      parsed.params.tokenClass,
+      Date.now(),
+    );
+    if (!row) {
+      jsonError(res, "No pricing row in effect", 404);
+      return true;
+    }
+    json(res, row);
+    return true;
+  }
+
+  // DELETE /api/pricing/{provider}/{model}/{tokenClass}/{effectiveFrom}
+  // (6-segment delete, matched before the 5-segment list/insert)
+  if (deletePricing.match(req.method, pathSegments)) {
+    const parsed = await deletePricing.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const effectiveFrom = Number.parseInt(parsed.params.effectiveFrom, 10);
+    const deleted = deletePricingRow(
+      parsed.params.provider,
+      parsed.params.model,
+      parsed.params.tokenClass,
+      effectiveFrom,
+    );
+    if (!deleted) {
+      jsonError(res, "Pricing row not found", 404);
+      return true;
+    }
+
+    createLogEntry({
+      eventType: "pricing.deleted",
+      metadata: {
+        provider: parsed.params.provider,
+        model: parsed.params.model,
+        tokenClass: parsed.params.tokenClass,
+        effectiveFrom,
+        apiKeyFingerprint: apiKeyFingerprint(req),
+      },
+    });
+
+    res.writeHead(204);
+    res.end();
+    return true;
+  }
+
+  // GET /api/pricing/{provider}/{model}/{tokenClass}
+  if (listPricingForTriple.match(req.method, pathSegments)) {
+    const parsed = await listPricingForTriple.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const rows = getPricingRows(
+      parsed.params.provider,
+      parsed.params.model,
+      parsed.params.tokenClass,
+    );
+    json(res, { rows });
+    return true;
+  }
+
+  // POST /api/pricing/{provider}/{model}/{tokenClass}
+  if (insertPricing.match(req.method, pathSegments)) {
+    const parsed = await insertPricing.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const effectiveFrom = parsed.body.effectiveFrom ?? Date.now();
+
+    try {
+      const row = insertPricingRow({
+        provider: parsed.params.provider,
+        model: parsed.params.model,
+        tokenClass: parsed.params.tokenClass,
+        effectiveFrom,
+        pricePerMillionUsd: parsed.body.pricePerMillionUsd,
+      });
+
+      createLogEntry({
+        eventType: "pricing.inserted",
+        metadata: {
+          provider: parsed.params.provider,
+          model: parsed.params.model,
+          tokenClass: parsed.params.tokenClass,
+          effectiveFrom,
+          pricePerMillionUsd: parsed.body.pricePerMillionUsd,
+          apiKeyFingerprint: apiKeyFingerprint(req),
+        },
+      });
+
+      json(res, row, 201);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      // bun:sqlite raises SQLITE_CONSTRAINT for PK collision. Surface as 409.
+      if (message.includes("UNIQUE constraint") || message.includes("constraint")) {
+        jsonError(
+          res,
+          "Duplicate pricing row for (provider, model, tokenClass, effectiveFrom). Use a different effectiveFrom.",
+          409,
+        );
+        return true;
+      }
+      jsonError(res, "Failed to insert pricing row", 500);
+    }
+    return true;
+  }
+
+  return false;
+}