@kill-switch/agent-guard 0.1.0 → 0.1.2

package/dist/limits.js

@@ -0,0 +1,133 @@
+/**
+ * Subscription rate-limit awareness — the "how much of my Claude Code plan have
+ * I burned" half of the guard, complementary to the dollar ledger.
+ *
+ * Claude Code on a Pro/Max subscription is NOT billed per token — the scarce
+ * resource is the plan's rate-limit quota, measured in two rolling windows:
+ *   - a 5-hour window (burst protection), and
+ *   - a 7-day window (the real lockout risk, "resets a couple times a month").
+ *
+ * Anthropic reports exactly where you stand in both windows on every API
+ * response, via `anthropic-ratelimit-unified-*` headers. The proxy already sees
+ * every response, so it can read these and know the *real* remaining quota and
+ * the *real* reset times — no estimation, no guessing when limits reset.
+ *
+ * This module owns: parsing those headers into a {@link LimitSnapshot}, and the
+ * small global state file (`limits.json`) that persists the latest snapshot plus
+ * whether we've ever seen subscription headers (so the rest of the guard can
+ * switch into alert-only subscription mode).
+ *
+ * Header formats are owned by Anthropic, not us, and aren't fully contract-
+ * documented, so parsing is deliberately defensive: utilization is accepted as
+ * either a 0–1 fraction or a 0–100 percent; reset is accepted as an ISO 8601
+ * timestamp, an epoch (s or ms), or a relative seconds-until-reset.
+ */
+import { readFileSync, writeFileSync, renameSync } from "node:fs";
+import { limitsPath, ensureGuardDir } from "./config.js";
+/** Nominal window durations, used for pacing math when a reset time is unknown. */
+export const WINDOW_MS = {
+    "5h": 5 * 60 * 60 * 1000,
+    weekly: 7 * 24 * 60 * 60 * 1000,
+};
+export function emptyLimitsState() {
+    return { version: 1, subscriptionDetected: false, snapshot: null, notified: {} };
+}
+export function loadLimitsState() {
+    try {
+        const data = JSON.parse(readFileSync(limitsPath(), "utf8"));
+        if (data && data.version === 1) {
+            return {
+                version: 1,
+                subscriptionDetected: data.subscriptionDetected ?? false,
+                snapshot: data.snapshot ?? null,
+                notified: data.notified ?? {},
+            };
+        }
+    }
+    catch {
+        /* fall through to empty */
+    }
+    return emptyLimitsState();
+}
+export function saveLimitsState(state) {
+    ensureGuardDir();
+    const path = limitsPath();
+    const tmp = `${path}.${process.pid}.tmp`;
+    writeFileSync(tmp, JSON.stringify(state, null, 2));
+    renameSync(tmp, path);
+}
+/** Wrap a plain `Record<string,string>` so it satisfies {@link HeaderGetter}. */
+export function recordHeaders(rec) {
+    const lower = {};
+    for (const [k, v] of Object.entries(rec)) {
+        if (v === undefined)
+            continue;
+        lower[k.toLowerCase()] = Array.isArray(v) ? v.join(", ") : v;
+    }
+    return { get: (name) => lower[name.toLowerCase()] ?? null };
+}
+/**
+ * Parse a utilization header value into a 0–1 fraction.
+ * Accepts "0.62", "62", "62%". Values >1.5 are treated as percentages.
+ */
+export function parseUtilization(raw) {
+    if (raw == null)
+        return null;
+    const n = Number(String(raw).replace(/%$/, "").trim());
+    if (!Number.isFinite(n) || n < 0)
+        return null;
+    const frac = n > 1.5 ? n / 100 : n;
+    return Math.max(0, Math.min(1, frac));
+}
+/**
+ * Parse a reset header value into an absolute epoch-ms timestamp.
+ * Accepts ISO 8601 ("2026-06-13T18:00:00Z"), epoch seconds, epoch ms, or a
+ * relative seconds-until-reset (small numbers). `now` anchors the relative case.
+ */
+export function parseReset(raw, now) {
+    if (raw == null)
+        return null;
+    const s = String(raw).trim();
+    if (!s)
+        return null;
+    // Numeric: disambiguate ms / seconds / relative-seconds by magnitude.
+    if (/^\d+(\.\d+)?$/.test(s)) {
+        const n = Number(s);
+        if (!Number.isFinite(n))
+            return null;
+        if (n > 1e12)
+            return Math.round(n); // epoch ms
+        if (n > 1e9)
+            return Math.round(n * 1000); // epoch seconds
+        return Math.round(now + n * 1000); // relative seconds-until-reset
+    }
+    const t = Date.parse(s);
+    return Number.isNaN(t) ? null : t;
+}
+function parseWindow(h, prefix, key, now) {
+    const util = parseUtilization(h.get(`${prefix}-${key === "5h" ? "5h" : "7d"}-utilization`));
+    const reset = parseReset(h.get(`${prefix}-${key === "5h" ? "5h" : "7d"}-reset`), now);
+    const status = h.get(`${prefix}-${key === "5h" ? "5h" : "7d"}-status`) || undefined;
+    if (util == null && reset == null && !status)
+        return null;
+    return { utilization: util ?? 0, resetAt: reset, status };
+}
+/**
+ * Read the `anthropic-ratelimit-unified-*` family into a {@link LimitSnapshot}.
+ * Returns null when no unified headers are present (i.e. not a subscription
+ * session, or an endpoint that doesn't emit them) — callers use that null to
+ * mean "stay in dollar mode for this response".
+ */
+export function parseUnifiedHeaders(h, now) {
+    const prefix = "anthropic-ratelimit-unified";
+    const fiveHour = parseWindow(h, prefix, "5h", now);
+    const weekly = parseWindow(h, prefix, "weekly", now);
+    const status = h.get(`${prefix}-status`) || null;
+    if (!fiveHour && !weekly && !status)
+        return null;
+    return { fiveHour, weekly, status, observedAt: now };
+}
+/** Stable dedup key for a pacing alert: re-alerts when the window resets. */
+export function limitNotifyKey(window, level, resetAt) {
+    return `${window}:${level}:${resetAt ?? 0}`;
+}

package/dist/net.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Endpoint safety checks (security: M-1).
+ *
+ * The proxy forwards the caller's LLM API key to `upstream`, and breach alerts
+ * POST the user's ks_live key to `apiUrl`. A poisoned local config / flag could
+ * redirect those credentials to an attacker. We can't host-allowlist (users may
+ * self-host the API), but we can refuse insecure schemes and surface a warning
+ * when the host isn't the expected default — so a redirect is never silent.
+ */
+/** True for http(s) URLs that are safe to send credentials to. */
+export declare function isSafeEndpoint(raw: string): boolean;
+/** Validate a credential-bearing endpoint; throws on an unsafe URL. */
+export declare function assertSafeEndpoint(raw: string, label: string): string;
+/** Warn (non-fatal) to stderr when a credential-bearing host isn't the default. */
+export declare function warnIfUnexpectedHost(raw: string, expectedHost: string, label: string): void;

package/dist/net.js

@@ -0,0 +1,45 @@
+/**
+ * Endpoint safety checks (security: M-1).
+ *
+ * The proxy forwards the caller's LLM API key to `upstream`, and breach alerts
+ * POST the user's ks_live key to `apiUrl`. A poisoned local config / flag could
+ * redirect those credentials to an attacker. We can't host-allowlist (users may
+ * self-host the API), but we can refuse insecure schemes and surface a warning
+ * when the host isn't the expected default — so a redirect is never silent.
+ */
+const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "::1", "[::1]"]);
+/** True for http(s) URLs that are safe to send credentials to. */
+export function isSafeEndpoint(raw) {
+    try {
+        const u = new URL(raw);
+        if (u.protocol === "https:")
+            return true;
+        // plaintext http is only acceptable to loopback (local dev / self-test)
+        return u.protocol === "http:" && LOCAL_HOSTS.has(u.hostname);
+    }
+    catch {
+        return false;
+    }
+}
+/** Validate a credential-bearing endpoint; throws on an unsafe URL. */
+export function assertSafeEndpoint(raw, label) {
+    if (!isSafeEndpoint(raw)) {
+        throw new Error(`Refusing to use ${label}="${raw}": it must be an https:// URL ` +
+            `(http:// is allowed only for localhost). This protects your API key ` +
+            `from being sent over an insecure or unexpected channel.`);
+    }
+    return raw;
+}
+/** Warn (non-fatal) to stderr when a credential-bearing host isn't the default. */
+export function warnIfUnexpectedHost(raw, expectedHost, label) {
+    try {
+        const host = new URL(raw).hostname;
+        if (host !== expectedHost) {
+            process.stderr.write(`⚠  agent-guard: ${label} points at "${host}", not "${expectedHost}". ` +
+                `Your API key will be sent there — make sure that's intended.\n`);
+        }
+    }
+    catch {
+        /* assertSafeEndpoint handles invalid URLs */
+    }
+}

package/dist/ops.d.ts

@@ -3,6 +3,7 @@
  * subcommands, so both drive the same logic instead of duplicating it (or
  * shelling out). Pure side-effecting helpers over config + Claude Code settings.
  */
+import { type LimitsConfig } from "./config.js";
 import type { Budget } from "./budget.js";
 export interface InstallOptions {
     /** Install into ~/.claude/settings.json instead of ./.claude/settings.json */
@@ -33,6 +34,17 @@ export interface BudgetPatch {
 }
 /** Write budget/webhook overrides to the config file. Returns the saved budget. */
 export declare function setBudget(patch: BudgetPatch): Budget;
+/** Partial subscription-limits update. Merges onto the existing config file. */
+export interface LimitsPatch {
+    plan?: LimitsConfig["plan"];
+    fiveHourSoftPct?: number;
+    fiveHourDangerPct?: number;
+    weeklySoftPct?: number;
+    weeklyDangerPct?: number;
+    burnRatioWarn?: number;
+}
+/** Write subscription-limit overrides to the config file. Returns the saved limits. */
+export declare function setLimits(patch: LimitsPatch): LimitsConfig;
 /** Clear the spend ledger. Scope: all | a single session | today's sessions. */
 export declare function resetLedger(opts: {
     all?: boolean;

package/dist/ops.js

@@ -6,7 +6,7 @@
 import { readFileSync, writeFileSync, mkdirSync } from "node:fs";
 import { join, dirname } from "node:path";
 import { homedir } from "node:os";
-import { configPath, ensureGuardDir, DEFAULT_BUDGET } from "./config.js";
+import { configPath, ensureGuardDir, DEFAULT_BUDGET, DEFAULT_LIMITS } from "./config.js";
 import { loadLedger, saveLedger, emptyLedger } from "./ledger.js";
 /**
  * Wire the agent-guard hook into Claude Code settings for PreToolUse,
@@ -73,6 +73,32 @@ export function setBudget(patch) {
     writeFileSync(configPath(), JSON.stringify(file, null, 2) + "\n");
     return budget;
 }
+/** Write subscription-limit overrides to the config file. Returns the saved limits. */
+export function setLimits(patch) {
+    let file = {};
+    try {
+        file = JSON.parse(readFileSync(configPath(), "utf8"));
+    }
+    catch {
+        /* new */
+    }
+    const limits = { ...DEFAULT_LIMITS, ...(file.limits ?? {}) };
+    if (patch.plan && ["auto", "pro", "max5", "max20"].includes(patch.plan))
+        limits.plan = patch.plan;
+    const setPct = (k, v) => {
+        if (v !== undefined && Number.isFinite(v))
+            limits[k] = v;
+    };
+    setPct("fiveHourSoftPct", patch.fiveHourSoftPct);
+    setPct("fiveHourDangerPct", patch.fiveHourDangerPct);
+    setPct("weeklySoftPct", patch.weeklySoftPct);
+    setPct("weeklyDangerPct", patch.weeklyDangerPct);
+    setPct("burnRatioWarn", patch.burnRatioWarn);
+    file.limits = limits;
+    ensureGuardDir();
+    writeFileSync(configPath(), JSON.stringify(file, null, 2) + "\n");
+    return limits;
+}
 /** Clear the spend ledger. Scope: all | a single session | today's sessions. */
 export function resetLedger(opts) {
     if (opts.all) {

package/dist/pacing.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Pacing engine — the "intelligent" half the user asked for.
+ *
+ * Blocking at "90% of weekly" is dumb: 90% on day 6 is fine, but 60% on day 2
+ * means you'll be locked out mid-week. The resource you're spending is a budget
+ * that should last until the window resets, so the real question isn't "how much
+ * is left" — it's "at this burn rate, will I run out before the window resets?".
+ *
+ * For each window we compute:
+ *   - expected utilization = fraction of the window already elapsed
+ *   - burn ratio           = actual / expected   (1.0 = perfectly on pace)
+ *   - projected exhaustion  = when utilization hits 1.0 at the current rate
+ *   - will-lock-out-before-reset = exhaustion lands before the reset
+ *
+ * The level (ok / warn / danger) is the worse of two signals: absolute
+ * utilization against soft/danger thresholds, and pacing (burning fast enough to
+ * lock out before reset). In subscription mode the guard never blocks on this —
+ * it surfaces the assessment as a warning so the human can ease off or switch to
+ * a cheaper model before Anthropic's own limit stops them mid-task.
+ */
+import { type LimitSnapshot, type LimitWindow, type WindowState } from "./limits.js";
+export interface PacingThresholds {
+    /** Per-window soft / danger utilization thresholds (0–1). */
+    fiveHourSoftPct: number;
+    fiveHourDangerPct: number;
+    weeklySoftPct: number;
+    weeklyDangerPct: number;
+    /** Burn ratio above which pacing alone escalates (with meaningful utilization). */
+    burnRatioWarn: number;
+}
+export type PacingLevel = "ok" | "warn" | "danger";
+export interface PacingAssessment {
+    window: LimitWindow;
+    /** 0–1 fraction of the window consumed. */
+    utilization: number;
+    /** Epoch ms the window resets, or null if unknown. */
+    resetAt: number | null;
+    /** actual / expected utilization; null when elapsed is unknown (no reset time). */
+    burnRatio: number | null;
+    /** Epoch ms we project utilization hits 100% at the current rate, or null. */
+    projectedExhaustionAt: number | null;
+    /** True when projected exhaustion lands before the window resets. */
+    willLockOutBeforeReset: boolean;
+    level: PacingLevel;
+    /** One-line human summary. */
+    message: string;
+}
+/** Assess a single window's pacing. `now` is epoch ms. */
+export declare function assessWindow(window: LimitWindow, state: WindowState, thresholds: PacingThresholds, now: number): PacingAssessment;
+/** Assess every window present in a snapshot. */
+export declare function assessSnapshot(snap: LimitSnapshot, thresholds: PacingThresholds, now: number): PacingAssessment[];
+/** Worst level across a set of assessments. */
+export declare function worstLevel(assessments: PacingAssessment[]): PacingLevel;

package/dist/pacing.js

@@ -0,0 +1,127 @@
+/**
+ * Pacing engine — the "intelligent" half the user asked for.
+ *
+ * Blocking at "90% of weekly" is dumb: 90% on day 6 is fine, but 60% on day 2
+ * means you'll be locked out mid-week. The resource you're spending is a budget
+ * that should last until the window resets, so the real question isn't "how much
+ * is left" — it's "at this burn rate, will I run out before the window resets?".
+ *
+ * For each window we compute:
+ *   - expected utilization = fraction of the window already elapsed
+ *   - burn ratio           = actual / expected   (1.0 = perfectly on pace)
+ *   - projected exhaustion  = when utilization hits 1.0 at the current rate
+ *   - will-lock-out-before-reset = exhaustion lands before the reset
+ *
+ * The level (ok / warn / danger) is the worse of two signals: absolute
+ * utilization against soft/danger thresholds, and pacing (burning fast enough to
+ * lock out before reset). In subscription mode the guard never blocks on this —
+ * it surfaces the assessment as a warning so the human can ease off or switch to
+ * a cheaper model before Anthropic's own limit stops them mid-task.
+ */
+import { WINDOW_MS } from "./limits.js";
+function windowLabel(w) {
+    return w === "5h" ? "5-hour" : "weekly";
+}
+function fmtClock(epochMs, now) {
+    const dt = new Date(epochMs);
+    const sameDay = new Date(now).toDateString() === dt.toDateString();
+    // Day-of-week + time reads naturally for a multi-day weekly window.
+    return sameDay
+        ? dt.toLocaleTimeString([], { hour: "numeric", minute: "2-digit" })
+        : dt.toLocaleString([], { weekday: "short", hour: "numeric", minute: "2-digit" });
+}
+function fmtDuration(ms) {
+    if (ms <= 0)
+        return "now";
+    const h = ms / (60 * 60 * 1000);
+    if (h < 1)
+        return `${Math.round(ms / 60000)}m`;
+    if (h < 24)
+        return `${h.toFixed(h < 10 ? 1 : 0)}h`;
+    return `${(h / 24).toFixed(1)}d`;
+}
+/** Assess a single window's pacing. `now` is epoch ms. */
+export function assessWindow(window, state, thresholds, now) {
+    const util = Math.max(0, Math.min(1, state.utilization));
+    const soft = window === "5h" ? thresholds.fiveHourSoftPct : thresholds.weeklySoftPct;
+    const danger = window === "5h" ? thresholds.fiveHourDangerPct : thresholds.weeklyDangerPct;
+    const duration = WINDOW_MS[window];
+    // elapsed = duration - timeUntilReset; only known when we have a reset time.
+    let elapsed = null;
+    if (state.resetAt != null) {
+        const untilReset = state.resetAt - now;
+        elapsed = Math.max(0, Math.min(duration, duration - untilReset));
+    }
+    let burnRatio = null;
+    let projectedExhaustionAt = null;
+    let willLockOut = false;
+    if (elapsed != null && elapsed > 0) {
+        const expected = elapsed / duration;
+        burnRatio = expected > 0 ? util / expected : null;
+        if (util > 0 && util < 1) {
+            const ratePerMs = util / elapsed; // utilization per ms so far
+            const msToFull = (1 - util) / ratePerMs;
+            projectedExhaustionAt = now + msToFull;
+            if (state.resetAt != null)
+                willLockOut = projectedExhaustionAt < state.resetAt;
+        }
+        else if (util >= 1) {
+            projectedExhaustionAt = now;
+            willLockOut = true;
+        }
+    }
+    // Level: worse of absolute-utilization and pacing signals. A projected lockout
+    // only escalates once you've used a meaningful slice of the window — otherwise
+    // tiny noise near a linear burn (e.g. 15% used, exhaustion landing a few hours
+    // before a reset days away) would scream danger far too early. We gate it at
+    // half the soft threshold.
+    const lockoutFloor = soft * 0.5;
+    const lockoutMatters = willLockOut && util >= lockoutFloor;
+    let level = "ok";
+    if (util >= danger || (lockoutMatters && util >= soft))
+        level = "danger";
+    else if (util >= soft ||
+        lockoutMatters ||
+        (burnRatio != null && burnRatio >= thresholds.burnRatioWarn && util >= lockoutFloor))
+        level = "warn";
+    const pct = Math.round(util * 100);
+    const label = windowLabel(window);
+    const parts = [`${label} limit ${pct}% used`];
+    if (state.resetAt != null)
+        parts.push(`resets ${fmtClock(state.resetAt, now)}`);
+    if (burnRatio != null && burnRatio >= 1.2 && level !== "ok")
+        parts.push(`burning ${burnRatio.toFixed(1)}× pace`);
+    // Only surface the lockout projection once it actually drives the level —
+    // keeps low-utilization projection noise out of the message.
+    if (lockoutMatters && projectedExhaustionAt != null && state.resetAt != null) {
+        const before = state.resetAt - projectedExhaustionAt;
+        parts.push(`→ lockout in ~${fmtDuration(projectedExhaustionAt - now)} (${fmtDuration(before)} before reset)`);
+    }
+    return {
+        window,
+        utilization: util,
+        resetAt: state.resetAt,
+        burnRatio,
+        projectedExhaustionAt,
+        willLockOutBeforeReset: willLockOut,
+        level,
+        message: parts.join(", "),
+    };
+}
+/** Assess every window present in a snapshot. */
+export function assessSnapshot(snap, thresholds, now) {
+    const out = [];
+    if (snap.fiveHour)
+        out.push(assessWindow("5h", snap.fiveHour, thresholds, now));
+    if (snap.weekly)
+        out.push(assessWindow("weekly", snap.weekly, thresholds, now));
+    return out;
+}
+/** Worst level across a set of assessments. */
+export function worstLevel(assessments) {
+    if (assessments.some((a) => a.level === "danger"))
+        return "danger";
+    if (assessments.some((a) => a.level === "warn"))
+        return "warn";
+    return "ok";
+}

package/dist/proxy.d.ts

@@ -15,6 +15,7 @@
  * — they'd each meter the same dollars. Hook for Claude Code; proxy for everything
  * else (Cursor, Aider, raw scripts). See README.
  */
+import { type Server } from "node:http";
 import { type TokenUsage } from "./cost.js";
 export interface ProxyOptions {
     port: number;
@@ -33,5 +34,5 @@ export declare function parseStreamUsage(flavor: string, sse: string): {
     model: string;
     usage: TokenUsage;
 } | null;
-export declare function startProxy(opts: ProxyOptions): void;
+export declare function startProxy(opts: ProxyOptions): Server;
 export declare function resolveUpstream(flavor: string, explicit?: string): string;

package/dist/proxy.js

@@ -23,6 +23,9 @@ import { costForUsage, fmtUSD } from "./cost.js";
 import { loadLedger, saveLedger, addSessionCost, rollingDailyCost, prune, } from "./ledger.js";
 import { evaluate } from "./budget.js";
 import { dispatchAlert } from "./alert.js";
+import { assertSafeEndpoint, warnIfUnexpectedHost } from "./net.js";
+import { parseUnifiedHeaders, loadLimitsState, saveLimitsState, limitNotifyKey, } from "./limits.js";
+import { assessSnapshot, worstLevel } from "./pacing.js";
 const UPSTREAMS = {
     anthropic: "https://api.anthropic.com",
     openai: "https://api.openai.com",
@@ -133,20 +136,67 @@ function meter(cfg, ledger, sessionId, parsed, now) {
     prune(ledger, now);
     saveLedger(ledger);
 }
+/**
+ * Read Anthropic's `unified-*` rate-limit headers off a response, persist the
+ * snapshot, latch subscription mode on, and fire a deduped pacing alert when a
+ * window crosses into warn/danger. Returns true if subscription headers were
+ * seen. Alert-only by design — this never blocks (a subscription session already
+ * paid a flat fee; the scarce resource is quota, and Anthropic's own limit is
+ * the real wall).
+ */
+function captureLimits(cfg, headers, sessionId, now) {
+    const snap = parseUnifiedHeaders(headers, now);
+    if (!snap)
+        return false;
+    const state = loadLimitsState();
+    state.subscriptionDetected = true;
+    state.snapshot = snap;
+    const assessments = assessSnapshot(snap, cfg.limits, now);
+    const fresh = assessments.filter((a) => {
+        if (a.level === "ok")
+            return false;
+        const key = limitNotifyKey(a.window, a.level, a.resetAt);
+        if (state.notified[key])
+            return false;
+        state.notified[key] = true;
+        return true;
+    });
+    saveLimitsState(state);
+    if (fresh.length) {
+        const level = worstLevel(fresh);
+        dispatchAlert(cfg, {
+            ts: now,
+            source: "proxy",
+            kind: "limit",
+            sessionId,
+            level: level === "danger" ? "danger" : "warn",
+            sessionUSD: 0,
+            dailyUSD: 0,
+            reasons: fresh.map((a) => a.message),
+            action: level === "danger" ? "on pace to lock out before reset" : "approaching plan limit",
+            limits: fresh.map((a) => ({ window: a.window, utilization: a.utilization, resetAt: a.resetAt, level: a.level })),
+        }).catch(() => { });
+    }
+    return true;
+}
 export function startProxy(opts) {
     const cfg = loadConfig();
-    const upstreamOrigin = opts.upstream.replace(/\/$/, "");
+    const upstreamOrigin = assertSafeEndpoint(opts.upstream, "upstream").replace(/\/$/, "");
     const blockedNotified = {};
     const server = createServer(async (req, res) => {
         const now = Date.now();
         const sessionId = req.headers["x-agent-guard-session"] || `proxy:${todayKey(now)}`;
         // 1) Pre-flight budget check — block before spending anything.
         // Escape hatch: while a human has paused enforcement, never block (but still meter).
+        // Subscription mode is ALERT-ONLY: once we've seen Anthropic's unified
+        // rate-limit headers, the session is on a flat-fee plan where dollars are
+        // meaningless, so we never 402 it — we only pace + warn.
+        const subscriptionMode = loadLimitsState().subscriptionDetected;
         const ledger = loadLedger();
         const sessionUSD = ledger.sessions[sessionId]?.costUSD ?? 0;
         const dailyUSD = rollingDailyCost(ledger, now);
         const verdict = evaluate({ sessionUSD, dailyUSD }, cfg.budget);
-        if (verdict.level === "block" && !isPaused(now)) {
+        if (verdict.level === "block" && !isPaused(now) && !subscriptionMode) {
             if (!blockedNotified[sessionId]) {
                 blockedNotified[sessionId] = true;
                 dispatchAlert(cfg, {
@@ -189,6 +239,15 @@ export function startProxy(opts) {
             res.end(JSON.stringify({ error: "kill-switch proxy: upstream fetch failed", detail: String(err) }));
             return;
         }
+        // 2.5) Read Anthropic's subscription rate-limit headers (alert-only).
+        if (opts.flavor === "anthropic") {
+            try {
+                captureLimits(cfg, upstream.headers, sessionId, Date.now());
+            }
+            catch {
+                /* limit capture must never break the proxied response */
+            }
+        }
         // 3) Relay status + headers.
         const respHeaders = {};
         upstream.headers.forEach((v, k) => {
@@ -242,15 +301,27 @@ export function startProxy(opts) {
             }
         })();
     });
-    server.listen(opts.port, () => {
+    // Bind to loopback only — this proxy forwards the caller's LLM API key
+    // upstream, so it must never be reachable from the local network.
+    server.listen(opts.port, "127.0.0.1", () => {
         process.stdout.write(`🛡  agent-guard proxy on http://localhost:${opts.port} → ${upstreamOrigin} (${opts.flavor})\n` +
             `   Caps: session hard ${fmtUSD(cfg.budget.sessionHardUSD)}, daily hard ${fmtUSD(cfg.budget.dailyHardUSD)}\n` +
+            (opts.flavor === "anthropic"
+                ? `   Subscription mode: reads Anthropic rate-limit headers → paces your Pro/Max plan (alert-only)\n`
+                : "") +
             `   Point your agent at it, e.g.:\n` +
             (opts.flavor === "anthropic"
                 ? `     ANTHROPIC_BASE_URL=http://localhost:${opts.port} claude\n`
                 : `     OPENAI_BASE_URL=http://localhost:${opts.port}/v1 aider\n`));
     });
+    return server;
 }
 export function resolveUpstream(flavor, explicit) {
-    return explicit || UPSTREAMS[flavor] || UPSTREAMS.anthropic;
+    const upstream = explicit || UPSTREAMS[flavor] || UPSTREAMS.anthropic;
+    assertSafeEndpoint(upstream, "upstream");
+    if (explicit) {
+        const expected = new URL(UPSTREAMS[flavor] || UPSTREAMS.anthropic).hostname;
+        warnIfUnexpectedHost(upstream, expected, "--upstream");
+    }
+    return upstream;
 }

package/dist/report.d.ts

@@ -1,9 +1,26 @@
 /**
  * Shared status report — the single computation behind `agent-guard status` and
  * `ks guard status`, so both emit an identical JSON shape and never drift.
+ *
+ * Two halves:
+ *   - the dollar budget (session + daily-rolling), always present; and
+ *   - the subscription rate-limit standing (5-hour + weekly pacing), present
+ *     once we've seen Anthropic's unified headers via the proxy, or estimated
+ *     when the user has pinned a plan tier. Alert-only — never blocks.
  */
 import { type SessionRecord } from "./ledger.js";
 import { type Budget, type VerdictLevel } from "./budget.js";
+import { type PacingAssessment, type PacingLevel } from "./pacing.js";
+export interface LimitsReport {
+    /** Where the numbers came from. "none" = no data and no pinned plan to estimate from. */
+    source: "headers" | "estimated" | "none";
+    plan: string;
+    subscriptionDetected: boolean;
+    /** Epoch ms the snapshot was observed (headers) or computed (estimated). */
+    observedAt: number | null;
+    windows: PacingAssessment[];
+    level: PacingLevel;
+}
 export interface StatusReport {
     budget: Budget;
     dailyUSD: number;
@@ -15,6 +32,14 @@ export interface StatusReport {
     sessions: Array<{
         id: string;
     } & SessionRecord>;
+    /** Subscription rate-limit pacing — present whenever we have data to show. */
+    limits: LimitsReport;
 }
+/**
+ * Render the subscription rate-limit section as plain text lines (no color), so
+ * both the `agent-guard` and `ks guard` status views stay identical. Returns an
+ * empty array when there's nothing useful to show.
+ */
+export declare function formatLimitsLines(limits: LimitsReport, now?: number): string[];
 /** Build the current status report from the on-disk config + ledger. */
 export declare function buildStatusReport(now?: number): StatusReport;