agent-cli-proxy 0.1.0

package/dist/cli.js

@@ -0,0 +1,4287 @@
+#!/usr/bin/env bun
+// @bun
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+
+// data/plans.default.json
+var plans_default_default;
+var init_plans_default = __esm(() => {
+  plans_default_default = {
+    plans: [
+      {
+        code: "claude_pro",
+        provider: "anthropic",
+        display_name: "Anthropic Claude Pro",
+        monthly_price_usd: 20,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://www.anthropic.com/claude/pricing",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "claude_max5",
+        provider: "anthropic",
+        display_name: "Anthropic Claude Max 5x",
+        monthly_price_usd: 100,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://www.anthropic.com/claude/pricing",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "claude_max20",
+        provider: "anthropic",
+        display_name: "Anthropic Claude Max 20x",
+        monthly_price_usd: 200,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://www.anthropic.com/claude/pricing",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "chatgpt_plus",
+        provider: "openai",
+        display_name: "OpenAI ChatGPT Plus",
+        monthly_price_usd: 20,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://openai.com/chatgpt/pricing/",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "chatgpt_pro",
+        provider: "openai",
+        display_name: "OpenAI ChatGPT Pro",
+        monthly_price_usd: 200,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://openai.com/chatgpt/pricing/",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "chatgpt_business",
+        provider: "openai",
+        display_name: "OpenAI ChatGPT Business",
+        monthly_price_usd: 25,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://openai.com/chatgpt/pricing/",
+        notes: "Conservative estimate (per-seat); verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "kimi_pro",
+        provider: "moonshot",
+        display_name: "Moonshot Kimi",
+        monthly_price_usd: 15,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://www.moonshot.cn/",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "glm_pro",
+        provider: "bigmodel",
+        display_name: "BigModel GLM",
+        monthly_price_usd: 10,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://open.bigmodel.cn/",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "local_byok",
+        provider: "local",
+        display_name: "Bring Your Own Key (BYOK / Self-hosted)",
+        monthly_price_usd: 0,
+        currency: "USD",
+        billing_period_days: 30,
+        notes: "Self-hosted or BYOK provider. No vendor billing. verify with vendor \u2014 last updated 2026-05"
+      }
+    ]
+  };
+});
+
+// src/util/logger.ts
+var Logger;
+var init_logger = __esm(() => {
+  ((Logger) => {
+    const LEVELS = {
+      debug: 10,
+      info: 20,
+      warn: 30,
+      error: 40
+    };
+    const REDACTED = "[REDACTED]";
+    const defaultSink = {
+      stdout(line) {
+        process.stdout.write(`${line}
+`);
+      },
+      stderr(line) {
+        process.stderr.write(`${line}
+`);
+      }
+    };
+    function create(options = {}) {
+      return new StructuredLogger({
+        level: normalizeLevel(options.level),
+        format: normalizeFormat(options.format),
+        base: redact(options.base ?? {}),
+        sink: options.sink ?? defaultSink
+      });
+    }
+    Logger.create = create;
+    function fromConfig(options = {}) {
+      return create({
+        ...options,
+        level: normalizeLevel(process.env.LOG_LEVEL),
+        format: normalizeFormat(process.env.LOG_FORMAT)
+      });
+    }
+    Logger.fromConfig = fromConfig;
+    function redactValue(value) {
+      return redact(value);
+    }
+    Logger.redactValue = redactValue;
+
+    class StructuredLogger {
+      options;
+      constructor(options) {
+        this.options = options;
+      }
+      child(base) {
+        return new StructuredLogger({
+          ...this.options,
+          base: {
+            ...this.options.base,
+            ...redact(base)
+          }
+        });
+      }
+      debug(msg, fields) {
+        this.write("debug", msg, fields);
+      }
+      info(msg, fields) {
+        this.write("info", msg, fields);
+      }
+      warn(msg, fields) {
+        this.write("warn", msg, fields);
+      }
+      error(msg, fields) {
+        this.write("error", msg, fields);
+      }
+      write(level, msg, fields = {}) {
+        if (LEVELS[level] < LEVELS[this.options.level])
+          return;
+        const record = {
+          ts: new Date().toISOString(),
+          level,
+          msg,
+          ...this.options.base,
+          ...redact(fields)
+        };
+        const line = this.options.format === "pretty" ? formatPretty(record) : JSON.stringify(record);
+        if (level === "error") {
+          this.options.sink.stderr(line);
+          return;
+        }
+        this.options.sink.stdout(line);
+      }
+    }
+    function normalizeLevel(value) {
+      if (value === "debug" || value === "info" || value === "warn" || value === "error")
+        return value;
+      return "info";
+    }
+    function normalizeFormat(value) {
+      if (value === "pretty")
+        return "pretty";
+      return "json";
+    }
+    function isSensitiveKey(key) {
+      return /authorization|x[-_]?api[-_]?key|api[-_]?key|token|password|secret/i.test(key);
+    }
+    function redact(value, seen = new WeakSet) {
+      if (value === null || value === undefined)
+        return value;
+      if (typeof value !== "object")
+        return value;
+      if (value instanceof Error) {
+        return {
+          name: value.name,
+          message: value.message,
+          stack: value.stack
+        };
+      }
+      if (seen.has(value))
+        return "[Circular]";
+      seen.add(value);
+      if (Array.isArray(value)) {
+        return value.map((item) => redact(item, seen));
+      }
+      if (value instanceof Headers) {
+        const out2 = {};
+        for (const [key, headerValue] of value.entries()) {
+          out2[key] = isSensitiveKey(key) ? REDACTED : headerValue;
+        }
+        return out2;
+      }
+      const out = {};
+      for (const [key, entry] of Object.entries(value)) {
+        out[key] = isSensitiveKey(key) ? REDACTED : redact(entry, seen);
+      }
+      return out;
+    }
+    function formatPretty(record) {
+      const { ts, level, msg, ...fields } = record;
+      const suffix = Object.entries(fields).map(([key, value]) => `${key}=${formatPrettyValue(value)}`).join(" ");
+      return suffix ? `${ts} ${level.toUpperCase()} ${msg} ${suffix}` : `${ts} ${level.toUpperCase()} ${msg}`;
+    }
+    function formatPrettyValue(value) {
+      if (typeof value === "string")
+        return value.includes(" ") ? JSON.stringify(value) : value;
+      return JSON.stringify(value);
+    }
+  })(Logger ||= {});
+});
+
+// src/plans/index.ts
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+var Plans;
+var init_plans = __esm(() => {
+  init_plans_default();
+  init_logger();
+  ((Plans) => {
+
+    class SchemaError extends Error {
+      issues;
+      name = "PlansSchemaError";
+      code = "PLANS_SCHEMA_INVALID";
+      constructor(issues) {
+        super(`Plans schema validation failed: ${issues.map((issue) => `${issue.path} ${issue.message}`).join("; ")}`);
+        this.issues = issues;
+      }
+    }
+    Plans.SchemaError = SchemaError;
+    const logger = Logger.fromConfig().child({ component: "plans" });
+    let cache = null;
+    function load() {
+      return readCache().list;
+    }
+    Plans.load = load;
+    function list() {
+      return load();
+    }
+    Plans.list = list;
+    function byCode(code) {
+      return readCache().byCode.get(code) ?? null;
+    }
+    Plans.byCode = byCode;
+    function validateBindingInput(account, code) {
+      const normalizedAccount = account.trim();
+      if (!normalizedAccount)
+        throw new Error("Account must be a non-empty string");
+      const normalizedCode = code.trim();
+      if (!normalizedCode)
+        throw new Error("Plan code must be a non-empty string");
+      if (!byCode(normalizedCode))
+        throw new Error(`Unknown plan code: ${normalizedCode}`);
+      return { account: normalizedAccount, code: normalizedCode };
+    }
+    Plans.validateBindingInput = validateBindingInput;
+    function reload() {
+      cache = null;
+      return load();
+    }
+    Plans.reload = reload;
+    function readCache() {
+      if (cache)
+        return cache;
+      const source = resolveSource();
+      const plans = parseSourceOrFallback(source);
+      const frozenPlans = Object.freeze(plans.map((plan) => Object.freeze({ ...plan })));
+      cache = {
+        list: frozenPlans,
+        byCode: new Map(frozenPlans.map((plan) => [plan.code, plan]))
+      };
+      return cache;
+    }
+    function resolveSource() {
+      const inline = process.env.PLANS_JSON;
+      if (inline !== undefined && inline.trim() !== "")
+        return { kind: "PLANS_JSON", raw: inline };
+      const envPath = process.env.PLANS_PATH?.trim();
+      if (envPath)
+        return readPathSource("PLANS_PATH", envPath);
+      const xdgPath = xdgPlansPath();
+      if (xdgPath && existsSync(xdgPath))
+        return readPathSource("XDG_CONFIG_HOME", xdgPath);
+      return { kind: "default", value: plans_default_default };
+    }
+    function readPathSource(kind, configPath) {
+      try {
+        return { kind, raw: readFileSync(configPath, "utf-8"), configPath };
+      } catch (err) {
+        return { kind, raw: undefined, configPath, value: err };
+      }
+    }
+    function xdgPlansPath() {
+      const base = process.env.XDG_CONFIG_HOME?.trim() || (process.env.HOME?.trim() ? join(process.env.HOME.trim(), ".config") : "");
+      if (!base)
+        return null;
+      return join(base, "agent-cli-proxy", "plans.json");
+    }
+    function parseSourceOrFallback(source) {
+      if (source.kind === "default")
+        return validateDefault(plans_default_default);
+      const result = parseSource(source);
+      if (result.ok)
+        return result.plans;
+      logger.warn("plans config invalid; falling back to packaged defaults", {
+        event: "plans.config.invalid",
+        source: source.kind,
+        configPath: source.configPath,
+        path: result.issues[0]?.path ?? source.kind,
+        issues: result.issues
+      });
+      return validateDefault(plans_default_default);
+    }
+    function parseSource(source) {
+      if (source.raw === undefined) {
+        return {
+          ok: false,
+          issues: [{ path: source.kind, message: source.value instanceof Error ? source.value.message : "could not be read" }]
+        };
+      }
+      let parsed;
+      try {
+        parsed = JSON.parse(source.raw);
+      } catch (err) {
+        return {
+          ok: false,
+          issues: [{ path: "plans", message: err instanceof Error ? err.message : "must be valid JSON" }]
+        };
+      }
+      const validation = parsePlanDocument(parsed);
+      if (validation.issues.length > 0)
+        return { ok: false, issues: validation.issues };
+      return { ok: true, plans: validation.plans };
+    }
+    function validateDefault(value) {
+      const validation = parsePlanDocument(value);
+      if (validation.issues.length > 0)
+        throw new SchemaError(validation.issues);
+      return validation.plans;
+    }
+    function parsePlanDocument(value) {
+      const issues = [];
+      const plans = [];
+      if (!isRecord(value)) {
+        issues.push({ path: "plans", message: "must be contained in an object" });
+        return { plans, issues };
+      }
+      if (!Array.isArray(value.plans)) {
+        issues.push({ path: "plans", message: "must be an array" });
+        return { plans, issues };
+      }
+      value.plans.forEach((entry, index) => {
+        const plan = parsePlan(entry, `plans[${index}]`, issues);
+        if (plan)
+          plans.push(plan);
+      });
+      const seen = new Set;
+      plans.forEach((plan, index) => {
+        if (seen.has(plan.code))
+          issues.push({ path: `plans[${index}].code`, message: "must be unique" });
+        seen.add(plan.code);
+      });
+      return { plans: issues.length === 0 ? plans : [], issues };
+    }
+    function parsePlan(value, path, issues) {
+      if (!isRecord(value)) {
+        issues.push({ path, message: "must be an object" });
+        return null;
+      }
+      const code = readRequiredString(value, "code", path, issues);
+      const provider = readRequiredString(value, "provider", path, issues);
+      const displayName = readRequiredString(value, "display_name", path, issues);
+      const monthlyPriceUsd = readRequiredNumber(value, "monthly_price_usd", path, issues);
+      const currency = readRequiredString(value, "currency", path, issues);
+      const billingPeriodDays = readRequiredPositiveInteger(value, "billing_period_days", path, issues);
+      const vendorUrl = readOptionalHttpUrl(value, "vendor_url", path, issues);
+      const notes = readOptionalString(value, "notes", path, issues);
+      if (!code || !provider || !displayName || monthlyPriceUsd === undefined || !currency || billingPeriodDays === undefined)
+        return null;
+      const plan = {
+        code,
+        provider,
+        display_name: displayName,
+        monthly_price_usd: monthlyPriceUsd,
+        currency,
+        billing_period_days: billingPeriodDays
+      };
+      if (vendorUrl !== undefined)
+        plan.vendor_url = vendorUrl;
+      if (notes !== undefined)
+        plan.notes = notes;
+      return plan;
+    }
+    function readRequiredString(record, key, path, issues) {
+      const value = record[key];
+      if (typeof value !== "string" || value.trim() === "") {
+        issues.push({ path: `${path}.${key}`, message: "must be a non-empty string" });
+        return;
+      }
+      return value.trim();
+    }
+    function readOptionalString(record, key, path, issues) {
+      const value = record[key];
+      if (value === undefined)
+        return;
+      if (typeof value !== "string" || value.trim() === "") {
+        issues.push({ path: `${path}.${key}`, message: "must be a non-empty string" });
+        return;
+      }
+      return value.trim();
+    }
+    function readRequiredNumber(record, key, path, issues) {
+      const value = record[key];
+      if (typeof value !== "number" || !Number.isFinite(value) || value < 0) {
+        issues.push({ path: `${path}.${key}`, message: "must be a non-negative finite number" });
+        return;
+      }
+      return value;
+    }
+    function readRequiredPositiveInteger(record, key, path, issues) {
+      const value = record[key];
+      if (typeof value !== "number" || !Number.isInteger(value) || value <= 0) {
+        issues.push({ path: `${path}.${key}`, message: "must be a positive integer" });
+        return;
+      }
+      return value;
+    }
+    function readOptionalHttpUrl(record, key, path, issues) {
+      const value = record[key];
+      if (value === undefined)
+        return;
+      if (typeof value !== "string" || value.trim() === "") {
+        issues.push({ path: `${path}.${key}`, message: "must be a non-empty http(s) URL string" });
+        return;
+      }
+      try {
+        const url = new URL(value);
+        if (url.protocol !== "http:" && url.protocol !== "https:") {
+          issues.push({ path: `${path}.${key}`, message: "must be an http(s) URL" });
+          return;
+        }
+        return url.toString();
+      } catch {
+        issues.push({ path: `${path}.${key}`, message: "must be a parseable http(s) URL" });
+        return;
+      }
+    }
+    function isRecord(value) {
+      return typeof value === "object" && value !== null && !Array.isArray(value);
+    }
+  })(Plans ||= {});
+});
+
+// src/storage/account-subscriptions.ts
+var AccountSubscriptionRepo;
+var init_account_subscriptions = __esm(() => {
+  ((AccountSubscriptionRepo) => {
+    function bind(db, cliproxyAccount, subscriptionCode) {
+      db.prepare(`
+      INSERT INTO account_subscriptions (
+        cliproxy_account, subscription_code, bound_at
+      ) VALUES (?, ?, CURRENT_TIMESTAMP)
+      ON CONFLICT(cliproxy_account) DO UPDATE SET
+        subscription_code = excluded.subscription_code,
+        bound_at = CURRENT_TIMESTAMP
+    `).run(cliproxyAccount, subscriptionCode);
+    }
+    AccountSubscriptionRepo.bind = bind;
+    function unbind(db, cliproxyAccount) {
+      db.prepare("DELETE FROM account_subscriptions WHERE cliproxy_account = ?").run(cliproxyAccount);
+    }
+    AccountSubscriptionRepo.unbind = unbind;
+    function get(db, cliproxyAccount) {
+      return db.prepare(`
+      SELECT cliproxy_account, subscription_code, bound_at
+      FROM account_subscriptions
+      WHERE cliproxy_account = ?
+    `).get(cliproxyAccount);
+    }
+    AccountSubscriptionRepo.get = get;
+    function list(db) {
+      return db.prepare(`
+      SELECT cliproxy_account, subscription_code, bound_at
+      FROM account_subscriptions
+      ORDER BY cliproxy_account ASC
+    `).all();
+    }
+    AccountSubscriptionRepo.list = list;
+  })(AccountSubscriptionRepo ||= {});
+});
+
+// src/storage/db.ts
+var exports_db = {};
+__export(exports_db, {
+  Storage: () => Storage,
+  STALE_PENDING_MAX_AGE_MS: () => STALE_PENDING_MAX_AGE_MS
+});
+import { Database } from "bun:sqlite";
+import { readFileSync as readFileSync2, readdirSync } from "fs";
+import { join as join2 } from "path";
+function parseStalePendingMaxAgeMs(raw) {
+  if (raw === undefined)
+    return 600000;
+  const parsed = Number(raw);
+  if (!Number.isFinite(parsed) || parsed <= 0)
+    return 600000;
+  return parsed;
+}
+var logger, STALE_PENDING_MAX_AGE_MS, Storage;
+var init_db = __esm(() => {
+  init_logger();
+  logger = Logger.fromConfig().child({ component: "storage-db" });
+  STALE_PENDING_MAX_AGE_MS = parseStalePendingMaxAgeMs(process.env.STALE_PENDING_MAX_AGE_MS);
+  ((Storage) => {
+    function splitStatements(sql) {
+      const stripped = sql.replace(/^\s*--.*$/gm, "");
+      return stripped.split(";").map((s) => s.trim()).filter((s) => s.length > 0);
+    }
+    function execSafe(db, statement) {
+      try {
+        db.exec(statement);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        const ignorable = msg.includes("duplicate column name") || msg.includes("already exists") || msg.includes("no such column") || statement.toUpperCase().includes("ADD COLUMN") && msg.includes("syntax error");
+        if (!ignorable)
+          throw err;
+      }
+    }
+    function ensureColumn(db, table, column, typeDef) {
+      const cols = db.prepare(`PRAGMA table_info(${table})`).all();
+      if (cols.some((c) => c.name === column))
+        return;
+      db.exec(`ALTER TABLE ${table} ADD COLUMN ${column} ${typeDef}`);
+    }
+    function initDb(dbPath) {
+      const db = new Database(dbPath);
+      db.exec("PRAGMA journal_mode = WAL");
+      db.exec("PRAGMA synchronous = NORMAL");
+      db.exec(`
+      CREATE TABLE IF NOT EXISTS schema_migrations (
+        name TEXT PRIMARY KEY,
+        applied_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+      )
+    `);
+      const migrationsDir = join2(import.meta.dir, "migrations");
+      const files = readdirSync(migrationsDir).filter((f) => f.endsWith(".sql")).sort();
+      for (const file of files) {
+        const applied = db.prepare("SELECT name FROM schema_migrations WHERE name = ?").get(file);
+        if (applied)
+          continue;
+        const sql = readFileSync2(join2(migrationsDir, file), "utf-8");
+        const txn = db.transaction(() => {
+          for (const stmt of splitStatements(sql)) {
+            execSafe(db, stmt);
+          }
+          db.prepare("INSERT INTO schema_migrations (name) VALUES (?)").run(file);
+        });
+        try {
+          txn();
+        } catch (err) {
+          logger.error("migration failed", { err, file });
+          throw err;
+        }
+      }
+      ensureColumn(db, "request_logs", "cliproxy_account", "TEXT");
+      ensureColumn(db, "request_logs", "cliproxy_auth_index", "TEXT");
+      ensureColumn(db, "request_logs", "cliproxy_source", "TEXT");
+      ensureColumn(db, "request_logs", "request_id", "TEXT");
+      ensureColumn(db, "request_logs", "reasoning_tokens", "INTEGER DEFAULT 0");
+      ensureColumn(db, "request_logs", "actual_model", "TEXT");
+      ensureColumn(db, "request_logs", "user_agent", "TEXT");
+      ensureColumn(db, "request_logs", "source_ip", "TEXT");
+      ensureColumn(db, "request_logs", "correlated_at", "TEXT");
+      ensureColumn(db, "request_logs", "agent", "TEXT");
+      ensureColumn(db, "request_logs", "source", "TEXT DEFAULT 'proxy'");
+      ensureColumn(db, "request_logs", "msg_id", "TEXT");
+      ensureColumn(db, "request_logs", "lifecycle_status", "TEXT NOT NULL DEFAULT 'pending' CHECK(lifecycle_status IN ('pending', 'completed', 'error', 'aborted'))");
+      ensureColumn(db, "request_logs", "cost_status", "TEXT NOT NULL DEFAULT 'unresolved' CHECK(cost_status IN ('unresolved', 'ok', 'pending', 'unsupported'))");
+      ensureColumn(db, "request_logs", "subscription_code", "TEXT");
+      ensureColumn(db, "request_logs", "finalized_at", "TEXT");
+      ensureColumn(db, "request_logs", "error_message", "TEXT");
+      db.exec(`
+      UPDATE request_logs
+      SET lifecycle_status = CASE
+          WHEN incomplete = 1
+            OR error_code IS NOT NULL
+            OR status >= 400 THEN 'error'
+          ELSE 'completed'
+        END,
+        finalized_at = COALESCE(finalized_at, finished_at, started_at),
+        cost_status = CASE
+          WHEN cost_usd > 0 THEN 'ok'
+          ELSE 'pending'
+        END
+      WHERE lifecycle_status = 'pending'
+        AND (finalized_at IS NULL OR cost_status = 'unresolved')
+        AND (finished_at IS NOT NULL OR incomplete = 1 OR error_code IS NOT NULL OR status IS NOT NULL)
+    `);
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_cliproxy_account ON request_logs(cliproxy_account)");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_cliproxy_auth_index ON request_logs(cliproxy_auth_index)");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_request_id ON request_logs(request_id)");
+      db.exec("CREATE UNIQUE INDEX IF NOT EXISTS idx_request_logs_msg_id ON request_logs(msg_id) WHERE msg_id IS NOT NULL");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_lifecycle_status ON request_logs(lifecycle_status)");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_cost_status ON request_logs(cost_status)");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_subscription_code ON request_logs(subscription_code) WHERE subscription_code IS NOT NULL");
+      db.exec(`
+      CREATE TABLE IF NOT EXISTS cost_audit (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        request_log_id INTEGER,
+        model TEXT,
+        provider TEXT,
+        source TEXT,
+        base_cost_usd REAL,
+        calc_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        FOREIGN KEY (request_log_id) REFERENCES request_logs(id)
+      )
+    `);
+      db.exec("CREATE INDEX IF NOT EXISTS idx_cost_audit_request_log_id ON cost_audit(request_log_id)");
+      db.exec(`
+      CREATE TABLE IF NOT EXISTS quota_snapshots (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        timestamp TEXT NOT NULL,
+        provider TEXT NOT NULL,
+        account TEXT NOT NULL,
+        quota_type TEXT NOT NULL,
+        used_pct REAL,
+        remaining REAL,
+        remaining_raw TEXT,
+        resets_at TEXT,
+        raw_json TEXT
+      )
+    `);
+      db.exec("CREATE INDEX IF NOT EXISTS idx_quota_snapshots_provider ON quota_snapshots(provider, account, timestamp)");
+      db.exec(`
+      CREATE TABLE IF NOT EXISTS daily_account_usage (
+        day TEXT NOT NULL,
+        provider TEXT NOT NULL,
+        model TEXT NOT NULL,
+        cliproxy_account TEXT NOT NULL,
+        cliproxy_auth_index TEXT,
+        request_count INTEGER DEFAULT 0,
+        prompt_tokens INTEGER DEFAULT 0,
+        completion_tokens INTEGER DEFAULT 0,
+        cache_creation_tokens INTEGER DEFAULT 0,
+        cache_read_tokens INTEGER DEFAULT 0,
+        reasoning_tokens INTEGER DEFAULT 0,
+        total_tokens INTEGER DEFAULT 0,
+        cost_usd REAL DEFAULT 0,
+        PRIMARY KEY (day, provider, model, cliproxy_account)
+      )
+    `);
+      db.exec("CREATE INDEX IF NOT EXISTS idx_daily_account_usage_day ON daily_account_usage(day)");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_daily_account_usage_account ON daily_account_usage(cliproxy_account)");
+      return db;
+    }
+    Storage.initDb = initDb;
+    function recoverStalePending(db, maxAgeMs = STALE_PENDING_MAX_AGE_MS) {
+      const now = new Date().toISOString();
+      const threshold = new Date(Date.now() - maxAgeMs).toISOString();
+      const stmt = db.prepare(`
+      UPDATE request_logs
+      SET lifecycle_status = 'aborted',
+          error_message = 'boot-recovery',
+          finalized_at = ?,
+          finished_at = COALESCE(finished_at, ?),
+          incomplete = 1,
+          cost_status = CASE
+            WHEN cost_status = 'unresolved' THEN 'pending'
+            ELSE cost_status
+          END
+      WHERE lifecycle_status = 'pending'
+        AND started_at < ?
+    `);
+      const result = stmt.run(now, now, threshold);
+      const recovered = result.changes;
+      if (recovered > 0) {
+        logger.warn("recovered stale pending request logs", {
+          event: "lifecycle.boot_recovery",
+          recovered,
+          max_age_ms: maxAgeMs,
+          threshold
+        });
+      }
+      return recovered;
+    }
+    Storage.recoverStalePending = recoverStalePending;
+  })(Storage ||= {});
+});
+
+// src/provider/registry-schema.ts
+function parseProviderInput(value, path = "provider") {
+  const issues = [];
+  const provider = normalizeProvider(value, path, issues);
+  return {
+    ok: issues.length === 0 && provider !== undefined,
+    provider: issues.length === 0 ? provider : undefined,
+    issues
+  };
+}
+function validateProviderDocument(value) {
+  const issues = [];
+  const providers = [];
+  if (!isRecord(value)) {
+    issues.push({ path: "providers", message: "must be contained in an object" });
+    return { providers, issues };
+  }
+  if (!Array.isArray(value.providers)) {
+    issues.push({ path: "providers", message: "must be an array" });
+    return { providers, issues };
+  }
+  value.providers.forEach((entry, index) => {
+    const result = parseProviderInput(entry, `providers[${index}]`);
+    if (result.provider)
+      providers.push(result.provider);
+    issues.push(...result.issues);
+  });
+  return { providers, issues };
+}
+function normalizeProvider(value, path, issues) {
+  if (!isRecord(value)) {
+    issues.push({ path, message: "must be an object" });
+    return;
+  }
+  const id = readRequiredString(value, "id", path, issues);
+  const type = readProviderType(value.type, `${path}.type`, issues);
+  const paths = readRequiredStringArray(value, "paths", path, issues);
+  const upstreamBaseUrl = readRequiredHttpUrl(value.upstreamBaseUrl, `${path}.upstreamBaseUrl`, issues);
+  const upstreamPath = readOptionalString(value, "upstreamPath", path, issues);
+  const models = readOptionalStringArray(value, "models", path, issues);
+  const headers = readOptionalHeaders(value, path, issues);
+  const auth = readOptionalAuth(value.auth, `${path}.auth`, issues);
+  const stripProviderField = readOptionalBoolean(value, "stripProviderField", path, issues);
+  if (!id || !type || paths.length === 0 || !upstreamBaseUrl)
+    return;
+  const provider = {
+    id,
+    type,
+    paths,
+    upstreamBaseUrl
+  };
+  if (upstreamPath !== undefined)
+    provider.upstreamPath = upstreamPath;
+  if (models !== undefined)
+    provider.models = models;
+  if (headers !== undefined)
+    provider.headers = headers;
+  if (auth !== undefined)
+    provider.auth = auth;
+  if (stripProviderField !== undefined)
+    provider.stripProviderField = stripProviderField;
+  return provider;
+}
+function readRequiredString(record, key, path, issues) {
+  const value = record[key];
+  if (typeof value !== "string" || value.trim() === "") {
+    issues.push({ path: `${path}.${key}`, message: "must be a non-empty string" });
+    return;
+  }
+  return value.trim();
+}
+function readProviderType(value, path, issues) {
+  if (typeof value !== "string" || !ALLOWED_PROVIDER_TYPES.has(value)) {
+    issues.push({ path, message: `must be one of ${Array.from(ALLOWED_PROVIDER_TYPES).join(", ")}` });
+    return;
+  }
+  return value;
+}
+function readRequiredStringArray(record, key, path, issues) {
+  const value = record[key];
+  if (!Array.isArray(value) || value.length === 0) {
+    issues.push({ path: `${path}.${key}`, message: "must be a non-empty string array" });
+    return [];
+  }
+  const out = [];
+  value.forEach((entry, index) => {
+    if (typeof entry !== "string" || entry.trim() === "") {
+      issues.push({ path: `${path}.${key}[${index}]`, message: "must be a non-empty string" });
+      return;
+    }
+    out.push(entry.trim());
+  });
+  return out;
+}
+function readRequiredHttpUrl(value, path, issues) {
+  if (typeof value !== "string" || value.trim() === "") {
+    issues.push({ path, message: "must be a non-empty http(s) URL string" });
+    return;
+  }
+  return normalizeHttpUrl(value, path, issues);
+}
+function normalizeHttpUrl(raw, path, issues) {
+  try {
+    const parsed = new URL(raw);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      issues.push({ path, message: "must be an http(s) URL" });
+      return;
+    }
+    return parsed.toString().replace(/\/+$/, "");
+  } catch {
+    issues.push({ path, message: "must be a parseable http(s) URL" });
+    return;
+  }
+}
+function readOptionalString(record, key, path, issues) {
+  const value = record[key];
+  if (value === undefined)
+    return;
+  if (typeof value !== "string" || value.trim() === "") {
+    issues.push({ path: `${path}.${key}`, message: "must be a non-empty string" });
+    return;
+  }
+  return value.trim();
+}
+function readOptionalStringArray(record, key, path, issues) {
+  const value = record[key];
+  if (value === undefined)
+    return;
+  if (!Array.isArray(value)) {
+    issues.push({ path: `${path}.${key}`, message: "must be a string array" });
+    return;
+  }
+  const out = [];
+  value.forEach((entry, index) => {
+    if (typeof entry !== "string" || entry.trim() === "") {
+      issues.push({ path: `${path}.${key}[${index}]`, message: "must be a non-empty string" });
+      return;
+    }
+    out.push(entry.trim());
+  });
+  return out;
+}
+function readOptionalBoolean(record, key, path, issues) {
+  const value = record[key];
+  if (value === undefined)
+    return;
+  if (typeof value !== "boolean") {
+    issues.push({ path: `${path}.${key}`, message: "must be a boolean" });
+    return;
+  }
+  return value;
+}
+function readOptionalHeaders(provider, path, issues) {
+  const value = provider.headers;
+  if (value === undefined)
+    return;
+  if (!isRecord(value)) {
+    issues.push({ path: `${path}.headers`, message: "must be an object" });
+    return;
+  }
+  const headers = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (key.trim() === "") {
+      issues.push({ path: `${path}.headers`, message: "must not contain empty header names" });
+      continue;
+    }
+    if (typeof entry !== "string") {
+      issues.push({ path: `${path}.headers.${key}`, message: "must be a string" });
+      continue;
+    }
+    headers[key] = entry;
+  }
+  return headers;
+}
+function readOptionalAuth(auth, path, issues) {
+  if (auth === undefined)
+    return;
+  if (typeof auth === "string") {
+    if (!ALLOWED_AUTH_TYPES.has(auth)) {
+      issues.push({ path, message: `must be one of ${Array.from(ALLOWED_AUTH_TYPES).join(", ")}` });
+      return;
+    }
+    return auth;
+  }
+  if (!isRecord(auth)) {
+    issues.push({ path, message: "must be a string or object" });
+    return;
+  }
+  for (const key of Object.keys(auth)) {
+    if (!ALLOWED_AUTH_OBJECT_KEYS.has(key))
+      issues.push({ path: `${path}.${key}`, message: "is not supported" });
+  }
+  const type = auth.type;
+  if (typeof type !== "string" || type.trim() === "") {
+    issues.push({ path: `${path}.type`, message: "must be a non-empty string" });
+    return;
+  }
+  if (!ALLOWED_AUTH_TYPES.has(type)) {
+    issues.push({ path: `${path}.type`, message: `must be one of ${Array.from(ALLOWED_AUTH_TYPES).join(", ")}` });
+    return;
+  }
+  const result = { type };
+  readAuthString(auth, "env", path, issues, result);
+  readAuthString(auth, "value", path, issues, result);
+  readAuthString(auth, "header", path, issues, result);
+  return result;
+}
+function readAuthString(auth, key, path, issues, result) {
+  const value = auth[key];
+  if (value === undefined)
+    return;
+  if (typeof value !== "string" || value.trim() === "") {
+    issues.push({ path: `${path}.${key}`, message: "must be a non-empty string" });
+    return;
+  }
+  result[key] = value.trim();
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+var ALLOWED_PROVIDER_TYPES, ALLOWED_AUTH_TYPES, ALLOWED_AUTH_OBJECT_KEYS;
+var init_registry_schema = __esm(() => {
+  ALLOWED_PROVIDER_TYPES = new Set(["openai-compatible", "anthropic"]);
+  ALLOWED_AUTH_TYPES = new Set(["none", "preserve", "bearer", "x-api-key"]);
+  ALLOWED_AUTH_OBJECT_KEYS = new Set(["type", "env", "value", "header"]);
+});
+
+// src/config/validate.ts
+import { readFileSync as readFileSync3 } from "fs";
+function readString(env, key, fallback) {
+  const value = env[key];
+  return value === undefined ? fallback : value;
+}
+function readPort(env, issues) {
+  const raw = env.PROXY_PORT ?? "3100";
+  const parsed = Number(raw);
+  if (!Number.isInteger(parsed) || parsed < 1 || parsed > 65535) {
+    issues.push({ path: "PROXY_PORT", message: "must be an integer from 1 to 65535" });
+    return 3100;
+  }
+  return parsed;
+}
+function readPositiveNumber(env, key, fallback, issues) {
+  const raw = env[key];
+  if (raw === undefined)
+    return fallback;
+  const parsed = Number(raw);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    issues.push({ path: key, message: "must be a positive finite number" });
+    return fallback;
+  }
+  return parsed;
+}
+function readRequiredUrl(env, key, issues, warnings) {
+  const raw = env[key];
+  if (raw === undefined || raw.trim() === "") {
+    if (env.PROXY_LOCAL_OK === "1") {
+      warnings.push({
+        path: key,
+        message: `defaulted to ${DEFAULT_CLI_PROXY_API_URL} because PROXY_LOCAL_OK=1`
+      });
+      return DEFAULT_CLI_PROXY_API_URL;
+    }
+    issues.push({ path: key, message: "is required unless PROXY_LOCAL_OK=1 permits the local default" });
+    return DEFAULT_CLI_PROXY_API_URL;
+  }
+  return normalizeHttpUrl2(raw, key, issues) ?? raw;
+}
+function normalizeHttpUrl2(raw, path, issues) {
+  try {
+    const parsed = new URL(raw);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      issues.push({ path, message: "must be an http(s) URL" });
+      return;
+    }
+    return parsed.toString().replace(/\/+$/, "");
+  } catch {
+    issues.push({ path, message: "must be a parseable http(s) URL" });
+    return;
+  }
+}
+function readCchPositions(env, issues) {
+  const raw = env.CCH_POSITIONS ?? "[4,7,20]";
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    issues.push({ path: "CCH_POSITIONS", message: "must be JSON array of finite non-negative integers" });
+    return [4, 7, 20];
+  }
+  if (!Array.isArray(parsed)) {
+    issues.push({ path: "CCH_POSITIONS", message: "must be an array" });
+    return [4, 7, 20];
+  }
+  parsed.forEach((value, index) => {
+    if (!Number.isInteger(value) || value < 0) {
+      issues.push({ path: `CCH_POSITIONS[${index}]`, message: "must be a finite non-negative integer" });
+    }
+  });
+  return parsed.filter((value) => Number.isInteger(value) && value >= 0);
+}
+function readClientNameMapping(env, issues) {
+  const mapping = new Map;
+  const raw = env.CLIENT_NAME_MAPPING;
+  if (raw === undefined || raw.trim() === "")
+    return mapping;
+  raw.split(",").forEach((entry, index) => {
+    const pair = entry.trim();
+    const splitAt = pair.indexOf("=");
+    const key = splitAt >= 0 ? pair.slice(0, splitAt).trim() : "";
+    const value = splitAt >= 0 ? pair.slice(splitAt + 1).trim() : "";
+    if (!key || !value) {
+      issues.push({ path: `CLIENT_NAME_MAPPING[${index}]`, message: "must be a non-empty key=value entry" });
+      return;
+    }
+    mapping.set(key, value);
+  });
+  return mapping;
+}
+function validateProviderConfig(env, issues) {
+  const inline = env.PROVIDERS_JSON;
+  const filePath = env.PROVIDERS_CONFIG_PATH;
+  if (inline !== undefined && inline.trim() !== "") {
+    validateProviderJson(inline, "PROVIDERS_JSON", issues);
+    return;
+  }
+  if (filePath === undefined || filePath.trim() === "")
+    return;
+  try {
+    validateProviderJson(readFileSync3(filePath, "utf-8"), "PROVIDERS_CONFIG_PATH", issues);
+  } catch (err) {
+    issues.push({
+      path: "PROVIDERS_CONFIG_PATH",
+      message: `could not be read: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+}
+function validateProviderJson(raw, basePath, issues) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    issues.push({
+      path: basePath,
+      message: `must be valid JSON: ${err instanceof Error ? err.message : String(err)}`
+    });
+    return;
+  }
+  const result = validateProviderDocument(parsed);
+  issues.push(...result.issues);
+}
+function isLoopbackHost(host) {
+  return LOOPBACK_HOSTS.has(host.trim().toLowerCase());
+}
+var ConfigError, Config, DEFAULT_CLI_PROXY_API_URL = "http://localhost:8317", LOOPBACK_HOSTS;
+var init_validate = __esm(() => {
+  init_registry_schema();
+  ConfigError = class ConfigError extends Error {
+    issues;
+    name = "ConfigError";
+    code = "CONFIG_INVALID";
+    constructor(issues) {
+      super(`Configuration validation failed: ${issues.map((issue) => `${issue.path} ${issue.message}`).join("; ")}`);
+      this.issues = issues;
+    }
+  };
+  ((Config) => {
+    function validate(env = process.env, options = {}) {
+      const issues = [];
+      const warnings = [];
+      const host = readString(env, "PROXY_HOST", "127.0.0.1");
+      const cliProxyApiUrl = readRequiredUrl(env, "CLI_PROXY_API_URL", issues, warnings);
+      const config = {
+        port: readPort(env, issues),
+        host,
+        adminApiKey: readString(env, "ADMIN_API_KEY", ""),
+        cliProxyApiUrl,
+        claudeCodeVersion: readString(env, "CLAUDE_CODE_VERSION", "2.1.87"),
+        cchSalt: readString(env, "CCH_SALT", "59cf53e54c78"),
+        cchPositions: readCchPositions(env, issues),
+        toolPrefix: readString(env, "TOOL_PREFIX", "mcp_"),
+        cliProxyApiKey: readString(env, "CLI_PROXY_API_KEY", "proxy"),
+        dbPath: readString(env, "DB_PATH", "data/proxy.db"),
+        pricingCacheTtlMs: readPositiveNumber(env, "PRICING_CACHE_TTL_MS", 3600000, issues),
+        pricingCachePath: readString(env, "PRICING_CACHE_PATH", "data/pricing-cache.json"),
+        readyPricingMaxAgeMs: readPositiveNumber(env, "READY_PRICING_MAX_AGE_MS", 86400000, issues),
+        pricingRefreshIntervalMs: readPositiveNumber(env, "PRICING_REFRESH_INTERVAL_MS", 21600000, issues),
+        costBackfillIntervalMs: readPositiveNumber(env, "COST_BACKFILL_INTERVAL_MS", 1800000, issues),
+        costBackfillLookbackMs: readPositiveNumber(env, "COST_BACKFILL_LOOKBACK_MS", 604800000, issues),
+        logLevel: readString(env, "LOG_LEVEL", "info"),
+        clientNameMapping: readClientNameMapping(env, issues),
+        cliproxyMgmtKey: readString(env, "CLIPROXY_MGMT_KEY", ""),
+        cliproxyCorrelationIntervalMs: readPositiveNumber(env, "CLIPROXY_CORRELATION_INTERVAL_MS", 15000, issues),
+        cliproxyCorrelationLookbackMs: readPositiveNumber(env, "CLIPROXY_CORRELATION_LOOKBACK_MS", 300000, issues),
+        cliproxyAuthDir: readString(env, "CLIPROXY_AUTH_DIR", ""),
+        quotaRefreshIntervalMs: readPositiveNumber(env, "QUOTA_REFRESH_INTERVAL_MS", 300000, issues),
+        quotaRefreshTimeoutMs: readPositiveNumber(env, "QUOTA_REFRESH_TIMEOUT_MS", 15000, issues),
+        upstreamTimeoutMs: readPositiveNumber(env, "UPSTREAM_TIMEOUT_MS", 300000, issues),
+        upstreamConnectTimeoutMs: readPositiveNumber(env, "UPSTREAM_CONNECT_TIMEOUT_MS", 1e4, issues)
+      };
+      if (!isLoopbackHost(config.host) && !config.adminApiKey) {
+        issues.push({
+          path: "ADMIN_API_KEY",
+          message: "is required when PROXY_HOST is not loopback"
+        });
+      }
+      validateProviderConfig(env, issues);
+      if (issues.length > 0)
+        throw new ConfigError(issues);
+      for (const warning of warnings)
+        options.onWarning?.(warning);
+      return Object.freeze(config);
+    }
+    Config.validate = validate;
+  })(Config ||= {});
+  LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "::1"]);
+});
+
+// src/storage/repo.ts
+function parseLifecycleStatus(value) {
+  if (value === "completed" || value === "error" || value === "aborted")
+    return value;
+  return "pending";
+}
+var RequestRepo, UsageRepo, QuotaRepo;
+var init_repo = __esm(() => {
+  ((RequestRepo) => {
+    function insert(db, log) {
+      const lifecycleStatus = log.lifecycle_status ?? (log.incomplete === 1 || log.error_code || (log.status ?? 0) >= 400 ? "error" : "completed");
+      const costStatus = log.cost_status ?? (log.cost_usd > 0 ? "ok" : lifecycleStatus === "pending" ? "unresolved" : "pending");
+      const finalizedAt = log.finalized_at ?? (lifecycleStatus === "pending" ? null : log.finished_at ?? log.started_at);
+      const stmt = db.prepare(`
+      INSERT INTO request_logs (
+        request_id, provider, model, actual_model, tool, client_id, path,
+        streamed, status, prompt_tokens, completion_tokens,
+        cache_creation_tokens, cache_read_tokens, reasoning_tokens,
+        total_tokens, cost_usd, incomplete, error_code, latency_ms,
+        started_at, finished_at, meta_json, user_agent, source_ip,
+        agent, source, msg_id, lifecycle_status, cost_status,
+        subscription_code, finalized_at, error_message
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+      const result = stmt.run(log.request_id ?? null, log.provider, log.model, log.actual_model ?? null, log.tool, log.client_id, log.path, log.streamed, log.status ?? null, log.prompt_tokens, log.completion_tokens, log.cache_creation_tokens, log.cache_read_tokens, log.reasoning_tokens ?? 0, log.total_tokens, log.cost_usd, log.incomplete, log.error_code ?? null, log.latency_ms ?? null, log.started_at, log.finished_at ?? null, log.meta_json ?? null, log.user_agent ?? null, log.source_ip ?? null, log.agent ?? null, log.source ?? "proxy", log.msg_id ?? null, lifecycleStatus, costStatus, log.subscription_code ?? null, finalizedAt, log.error_message ?? null);
+      return result.lastInsertRowid;
+    }
+    RequestRepo.insert = insert;
+    function getRecent(db, limit, offset, tool, clientId) {
+      let sql = `SELECT * FROM request_logs WHERE 1=1`;
+      const params = [];
+      if (tool) {
+        sql += ` AND tool = ?`;
+        params.push(tool);
+      }
+      if (clientId) {
+        sql += ` AND client_id = ?`;
+        params.push(clientId);
+      }
+      sql += ` ORDER BY started_at DESC LIMIT ? OFFSET ?`;
+      params.push(limit, offset);
+      const stmt = db.prepare(sql);
+      return stmt.all(...params);
+    }
+    RequestRepo.getRecent = getRecent;
+    function getById(db, id) {
+      const stmt = db.prepare("SELECT * FROM request_logs WHERE id = ?");
+      return stmt.get(id) || null;
+    }
+    RequestRepo.getById = getById;
+    function aggregateByAccountForMonth(db, monthStart, monthEnd) {
+      const stmt = db.prepare(`
+      SELECT
+        rl.cliproxy_account AS cliproxy_account,
+        sub.subscription_code AS subscription_code,
+        COUNT(*) AS total_requests,
+        COALESCE(SUM(rl.cost_usd), 0) AS total_cost_usd
+      FROM request_logs rl
+      LEFT JOIN account_subscriptions sub
+        ON sub.cliproxy_account = rl.cliproxy_account
+      WHERE rl.lifecycle_status = 'completed'
+        AND rl.started_at >= ?
+        AND rl.started_at < ?
+        AND rl.cliproxy_account IS NOT NULL
+        AND rl.cliproxy_account <> ''
+      GROUP BY rl.cliproxy_account, sub.subscription_code
+      ORDER BY total_cost_usd DESC, rl.cliproxy_account ASC
+    `);
+      return stmt.all(monthStart, monthEnd).map((row) => {
+        const record = row;
+        return {
+          cliproxy_account: String(record.cliproxy_account),
+          subscription_code: typeof record.subscription_code === "string" ? record.subscription_code : null,
+          total_requests: Number(record.total_requests ?? 0),
+          total_cost_usd: Number(record.total_cost_usd ?? 0)
+        };
+      });
+    }
+    RequestRepo.aggregateByAccountForMonth = aggregateByAccountForMonth;
+    function getRecentByAccount(db, cliproxyAccount, limit) {
+      const stmt = db.prepare(`
+      SELECT started_at, model, total_tokens, cost_usd, lifecycle_status
+      FROM request_logs
+      WHERE cliproxy_account = ?
+      ORDER BY started_at DESC
+      LIMIT ?
+    `);
+      return stmt.all(cliproxyAccount, limit).map((row) => {
+        const record = row;
+        return {
+          started_at: String(record.started_at),
+          model: String(record.model),
+          total_tokens: Number(record.total_tokens ?? 0),
+          cost_usd: Number(record.cost_usd ?? 0),
+          lifecycle_status: parseLifecycleStatus(record.lifecycle_status)
+        };
+      });
+    }
+    RequestRepo.getRecentByAccount = getRecentByAccount;
+    function getUncorrelated(db, sinceMs, limit) {
+      const sinceIso = new Date(Date.now() - sinceMs).toISOString();
+      const stmt = db.prepare(`
+      SELECT * FROM request_logs
+      WHERE cliproxy_account IS NULL
+        AND status = 200
+        AND started_at >= ?
+      ORDER BY started_at DESC
+      LIMIT ?
+    `);
+      return stmt.all(sinceIso, limit);
+    }
+    RequestRepo.getUncorrelated = getUncorrelated;
+    function applyCorrelation(db, id, fields) {
+      const stmt = db.prepare(`
+      UPDATE request_logs
+      SET cliproxy_account = COALESCE(?, cliproxy_account),
+          cliproxy_auth_index = COALESCE(?, cliproxy_auth_index),
+          cliproxy_source = COALESCE(?, cliproxy_source),
+          reasoning_tokens = COALESCE(?, reasoning_tokens),
+          actual_model = COALESCE(?, actual_model),
+          correlated_at = ?
+      WHERE id = ?
+    `);
+      stmt.run(fields.cliproxy_account ?? null, fields.cliproxy_auth_index ?? null, fields.cliproxy_source ?? null, fields.reasoning_tokens ?? null, fields.actual_model ?? null, new Date().toISOString(), id);
+    }
+    RequestRepo.applyCorrelation = applyCorrelation;
+    function updateLifecycle(db, id, fields) {
+      const stmt = db.prepare(`
+      UPDATE request_logs
+      SET lifecycle_status = COALESCE(?, lifecycle_status),
+          finalized_at = COALESCE(?, finalized_at),
+          error_message = COALESCE(?, error_message),
+          cost_status = COALESCE(?, cost_status),
+          subscription_code = COALESCE(?, subscription_code)
+      WHERE id = ?
+    `);
+      stmt.run(fields.lifecycle_status ?? null, fields.finalized_at ?? null, fields.error_message ?? null, fields.cost_status ?? null, fields.subscription_code ?? null, id);
+    }
+    RequestRepo.updateLifecycle = updateLifecycle;
+    function applySubscription(db, id, subscriptionCode) {
+      db.prepare("UPDATE request_logs SET subscription_code = ? WHERE id = ?").run(subscriptionCode, id);
+    }
+    RequestRepo.applySubscription = applySubscription;
+    function updateFinalize(db, id, fields) {
+      const stmt = db.prepare(`
+      UPDATE request_logs
+      SET provider = COALESCE(?, provider),
+          model = COALESCE(?, model),
+          actual_model = COALESCE(?, actual_model),
+          streamed = COALESCE(?, streamed),
+          status = COALESCE(?, status),
+          prompt_tokens = COALESCE(?, prompt_tokens),
+          completion_tokens = COALESCE(?, completion_tokens),
+          cache_creation_tokens = COALESCE(?, cache_creation_tokens),
+          cache_read_tokens = COALESCE(?, cache_read_tokens),
+          reasoning_tokens = COALESCE(?, reasoning_tokens),
+          total_tokens = COALESCE(?, total_tokens),
+          cost_usd = COALESCE(?, cost_usd),
+          incomplete = COALESCE(?, incomplete),
+          error_code = COALESCE(?, error_code),
+          latency_ms = COALESCE(?, latency_ms),
+          finished_at = COALESCE(?, finished_at),
+          lifecycle_status = ?,
+          finalized_at = ?,
+          error_message = COALESCE(?, error_message),
+          cost_status = ?,
+          subscription_code = COALESCE(?, subscription_code)
+      WHERE id = ? AND lifecycle_status = 'pending'
+    `);
+      const result = stmt.run(fields.provider ?? null, fields.model ?? null, fields.actual_model ?? null, fields.streamed ?? null, fields.status ?? null, fields.prompt_tokens ?? null, fields.completion_tokens ?? null, fields.cache_creation_tokens ?? null, fields.cache_read_tokens ?? null, fields.reasoning_tokens ?? null, fields.total_tokens ?? null, fields.cost_usd ?? null, fields.incomplete ?? null, fields.error_code ?? null, fields.latency_ms ?? null, fields.finished_at ?? null, fields.lifecycle_status, fields.finalized_at, fields.error_message ?? null, fields.cost_status, fields.subscription_code ?? null, id);
+      return result.changes;
+    }
+    RequestRepo.updateFinalize = updateFinalize;
+    function insertCostAudit(db, audit) {
+      const stmt = db.prepare(`
+      INSERT INTO cost_audit (
+        request_log_id, model, provider, source, base_cost_usd, calc_at
+      ) VALUES (?, ?, ?, ?, ?, COALESCE(?, CURRENT_TIMESTAMP))
+    `);
+      const result = stmt.run(audit.request_log_id ?? null, audit.model ?? null, audit.provider ?? null, audit.source ?? null, audit.base_cost_usd ?? null, audit.calc_at ?? null);
+      return result.lastInsertRowid;
+    }
+    RequestRepo.insertCostAudit = insertCostAudit;
+  })(RequestRepo ||= {});
+  ((UsageRepo) => {
+    function upsertDaily(db, usage) {
+      const stmt = db.prepare(`
+      INSERT INTO daily_usage (
+        day, provider, model, request_count, prompt_tokens,
+        completion_tokens, cache_creation_tokens, cache_read_tokens,
+        total_tokens, cost_usd
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(day, provider, model) DO UPDATE SET
+        request_count = request_count + excluded.request_count,
+        prompt_tokens = prompt_tokens + excluded.prompt_tokens,
+        completion_tokens = completion_tokens + excluded.completion_tokens,
+        cache_creation_tokens = cache_creation_tokens + excluded.cache_creation_tokens,
+        cache_read_tokens = cache_read_tokens + excluded.cache_read_tokens,
+        total_tokens = total_tokens + excluded.total_tokens,
+        cost_usd = cost_usd + excluded.cost_usd
+    `);
+      stmt.run(usage.day, usage.provider, usage.model, usage.request_count, usage.prompt_tokens, usage.completion_tokens, usage.cache_creation_tokens, usage.cache_read_tokens, usage.total_tokens, usage.cost_usd);
+    }
+    UsageRepo.upsertDaily = upsertDaily;
+    function upsertDailyAccount(db, usage) {
+      const stmt = db.prepare(`
+      INSERT INTO daily_account_usage (
+        day, provider, model, cliproxy_account, cliproxy_auth_index,
+        request_count, prompt_tokens, completion_tokens,
+        cache_creation_tokens, cache_read_tokens, reasoning_tokens,
+        total_tokens, cost_usd
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(day, provider, model, cliproxy_account) DO UPDATE SET
+        cliproxy_auth_index = COALESCE(excluded.cliproxy_auth_index, cliproxy_auth_index),
+        request_count = request_count + excluded.request_count,
+        prompt_tokens = prompt_tokens + excluded.prompt_tokens,
+        completion_tokens = completion_tokens + excluded.completion_tokens,
+        cache_creation_tokens = cache_creation_tokens + excluded.cache_creation_tokens,
+        cache_read_tokens = cache_read_tokens + excluded.cache_read_tokens,
+        reasoning_tokens = reasoning_tokens + excluded.reasoning_tokens,
+        total_tokens = total_tokens + excluded.total_tokens,
+        cost_usd = cost_usd + excluded.cost_usd
+    `);
+      stmt.run(usage.day, usage.provider, usage.model, usage.cliproxy_account, usage.cliproxy_auth_index ?? null, usage.request_count, usage.prompt_tokens, usage.completion_tokens, usage.cache_creation_tokens, usage.cache_read_tokens, usage.reasoning_tokens, usage.total_tokens, usage.cost_usd);
+    }
+    UsageRepo.upsertDailyAccount = upsertDailyAccount;
+    function getDaily(db, day) {
+      const stmt = db.prepare(`
+      SELECT * FROM daily_usage
+      WHERE day = ?
+      ORDER BY provider, model
+    `);
+      return stmt.all(day);
+    }
+    UsageRepo.getDaily = getDaily;
+    function getDailyByAccount(db, day) {
+      const stmt = db.prepare(`
+      SELECT * FROM daily_account_usage
+      WHERE day = ?
+      ORDER BY cliproxy_account, provider, model
+    `);
+      return stmt.all(day);
+    }
+    UsageRepo.getDailyByAccount = getDailyByAccount;
+    function getRange(db, from, to) {
+      const stmt = db.prepare(`
+      SELECT * FROM daily_usage
+      WHERE day >= ? AND day <= ?
+      ORDER BY day DESC, provider, model
+    `);
+      return stmt.all(from, to);
+    }
+    UsageRepo.getRange = getRange;
+    function getAccountRange(db, from, to) {
+      const stmt = db.prepare(`
+      SELECT * FROM daily_account_usage
+      WHERE day >= ? AND day <= ?
+      ORDER BY day DESC, cliproxy_account, provider, model
+    `);
+      return stmt.all(from, to);
+    }
+    UsageRepo.getAccountRange = getAccountRange;
+    function getAccountSummary(db, from, to) {
+      const stmt = db.prepare(`
+      SELECT
+        cliproxy_account,
+        cliproxy_auth_index,
+        provider,
+        SUM(request_count) AS request_count,
+        SUM(total_tokens) AS total_tokens,
+        SUM(cost_usd) AS cost_usd
+      FROM daily_account_usage
+      WHERE day >= ? AND day <= ?
+      GROUP BY cliproxy_account, cliproxy_auth_index, provider
+      ORDER BY cost_usd DESC
+    `);
+      return stmt.all(from, to);
+    }
+    UsageRepo.getAccountSummary = getAccountSummary;
+  })(UsageRepo ||= {});
+  ((QuotaRepo) => {
+    function insertSnapshot(db, snapshot) {
+      const stmt = db.prepare(`
+      INSERT INTO quota_snapshots (
+        timestamp, provider, account, quota_type, used_pct,
+        remaining, remaining_raw, resets_at, raw_json
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+      const result = stmt.run(snapshot.timestamp, snapshot.provider, snapshot.account, snapshot.quota_type, snapshot.used_pct ?? null, snapshot.remaining ?? null, snapshot.remaining_raw ?? null, snapshot.resets_at ?? null, snapshot.raw_json ?? null);
+      return result.lastInsertRowid;
+    }
+    QuotaRepo.insertSnapshot = insertSnapshot;
+    function getLatest(db) {
+      const stmt = db.prepare(`
+      SELECT q.*
+      FROM quota_snapshots q
+      JOIN (
+        SELECT provider, account, quota_type, MAX(timestamp) AS max_timestamp
+        FROM quota_snapshots
+        GROUP BY provider, account, quota_type
+      ) latest
+        ON latest.provider = q.provider
+       AND latest.account = q.account
+       AND latest.quota_type = q.quota_type
+       AND latest.max_timestamp = q.timestamp
+      ORDER BY q.provider, q.account, q.quota_type
+    `);
+      return stmt.all();
+    }
+    QuotaRepo.getLatest = getLatest;
+    function getLocalWindowUsage(db, provider, account, sinceIso) {
+      const row = db.prepare(`
+        SELECT
+          COUNT(*) AS requests,
+          COALESCE(SUM(total_tokens), 0) AS total_tokens,
+          COALESCE(SUM(cost_usd), 0) AS cost_usd
+        FROM request_logs
+        WHERE provider = ?
+          AND cliproxy_account = ?
+          AND started_at >= ?
+      `).get(provider, account, sinceIso);
+      return {
+        since: sinceIso,
+        requests: Number(row.requests ?? 0),
+        total_tokens: Number(row.total_tokens ?? 0),
+        cost_usd: Number(row.cost_usd ?? 0)
+      };
+    }
+    QuotaRepo.getLocalWindowUsage = getLocalWindowUsage;
+  })(QuotaRepo ||= {});
+});
+
+// src/config/index.ts
+var exports_config = {};
+__export(exports_config, {
+  ConfigError: () => ConfigError,
+  Config: () => Config2
+});
+var configLogger, validated, Config2;
+var init_config = __esm(() => {
+  init_logger();
+  init_validate();
+  init_validate();
+  configLogger = Logger.fromConfig().child({ component: "config" });
+  validated = Config.validate(process.env, {
+    onWarning(issue) {
+      configLogger.warn("configuration warning", { event: "config.warning", ...issue });
+    }
+  });
+  Config2 = Object.freeze({
+    ...validated,
+    validate: Config.validate
+  });
+});
+
+// src/runtime/supervisor.ts
+var exports_supervisor = {};
+__export(exports_supervisor, {
+  Supervisor: () => Supervisor
+});
+var Supervisor;
+var init_supervisor = __esm(() => {
+  init_logger();
+  ((Supervisor) => {
+    const DEFAULT_JITTER_RATIO = 0.1;
+    const DEFAULT_MAX_BACKOFF_MS = 60000;
+    const DEFAULT_STOP_TIMEOUT_MS = 2000;
+    const registry = new Set;
+    let logger2 = Logger.fromConfig().child({ component: "supervisor" });
+    function run(name, fn, options) {
+      validateOptions(name, options);
+      const controller = new AbortController;
+      const signal = controller.signal;
+      const intervalMs = options.intervalMs;
+      const jitterRatio = options.jitterRatio ?? DEFAULT_JITTER_RATIO;
+      const maxBackoffMs = options.maxBackoffMs ?? DEFAULT_MAX_BACKOFF_MS;
+      const runOnStart = options.runOnStart ?? true;
+      const initialDelayMs = options.initialDelayMs ?? 0;
+      let removeExternalAbort = null;
+      if (options.signal) {
+        if (options.signal.aborted)
+          controller.abort();
+        else {
+          const abort = () => controller.abort();
+          options.signal.addEventListener("abort", abort, { once: true });
+          removeExternalAbort = () => options.signal?.removeEventListener("abort", abort);
+        }
+      }
+      const state = {
+        name,
+        controller,
+        done: Promise.resolve(),
+        stopRequested: false,
+        stopLogged: false,
+        async stop(timeoutMs) {
+          this.stopRequested = true;
+          this.controller.abort();
+          const stopped = await resolveWithin(this.done, timeoutMs);
+          if (stopped) {
+            logStopped(this);
+            return;
+          }
+          registry.delete(this);
+          logStopTimeout(this, timeoutMs);
+        }
+      };
+      state.done = loop({
+        name,
+        fn,
+        signal,
+        intervalMs,
+        initialDelayMs,
+        jitterRatio,
+        maxBackoffMs,
+        runOnStart
+      }).finally(() => {
+        removeExternalAbort?.();
+        registry.delete(state);
+        if (state.stopRequested || signal.aborted)
+          logStopped(state);
+      });
+      registry.add(state);
+      logger2.info("loop started", { name, event: "loop.started", interval_ms: intervalMs });
+      return {
+        stop() {
+          return state.stop(DEFAULT_STOP_TIMEOUT_MS);
+        }
+      };
+    }
+    Supervisor.run = run;
+    async function stopAll(timeoutMs = DEFAULT_STOP_TIMEOUT_MS) {
+      const loops = Array.from(registry);
+      await Promise.all(loops.map((loopState) => loopState.stop(timeoutMs)));
+    }
+    Supervisor.stopAll = stopAll;
+    function list() {
+      return Array.from(registry, (loopState) => loopState.name).sort();
+    }
+    Supervisor.list = list;
+    function __setLoggerForTests(testLogger) {
+      logger2 = testLogger ?? Logger.fromConfig().child({ component: "supervisor" });
+    }
+    Supervisor.__setLoggerForTests = __setLoggerForTests;
+    async function loop(context) {
+      let consecutiveFailures = 0;
+      let nextDelayMs = context.runOnStart ? context.initialDelayMs : context.initialDelayMs > 0 ? context.initialDelayMs : context.intervalMs;
+      while (!context.signal.aborted) {
+        if (nextDelayMs > 0) {
+          const slept = await sleep(nextDelayMs, context.signal);
+          if (!slept)
+            return;
+        }
+        if (context.signal.aborted)
+          return;
+        const startedAt = Date.now();
+        try {
+          await context.fn();
+          const durationMs = Date.now() - startedAt;
+          consecutiveFailures = 0;
+          logger2.debug("loop tick", {
+            name: context.name,
+            event: "loop.tick",
+            duration_ms: durationMs
+          });
+          nextDelayMs = applyJitter(context.intervalMs, context.jitterRatio);
+        } catch (err) {
+          consecutiveFailures += 1;
+          const backoffMs = Math.min(context.intervalMs * 2 ** consecutiveFailures, context.maxBackoffMs);
+          nextDelayMs = applyJitter(backoffMs, context.jitterRatio);
+          logger2.error("loop error", {
+            name: context.name,
+            event: "loop.error",
+            err,
+            attempt: consecutiveFailures,
+            next_delay_ms: nextDelayMs
+          });
+        }
+      }
+    }
+    function validateOptions(name, options) {
+      if (!name.trim())
+        throw new Error("Supervisor loop name is required");
+      if (!Number.isFinite(options.intervalMs) || options.intervalMs <= 0) {
+        throw new Error("Supervisor intervalMs must be a positive finite number");
+      }
+      if (options.initialDelayMs !== undefined && (!Number.isFinite(options.initialDelayMs) || options.initialDelayMs < 0)) {
+        throw new Error("Supervisor initialDelayMs must be a non-negative finite number");
+      }
+      if (options.jitterRatio !== undefined && (!Number.isFinite(options.jitterRatio) || options.jitterRatio < 0)) {
+        throw new Error("Supervisor jitterRatio must be a non-negative finite number");
+      }
+      if (options.maxBackoffMs !== undefined && (!Number.isFinite(options.maxBackoffMs) || options.maxBackoffMs <= 0)) {
+        throw new Error("Supervisor maxBackoffMs must be a positive finite number");
+      }
+    }
+    function applyJitter(delayMs, jitterRatio) {
+      if (delayMs <= 0 || jitterRatio <= 0)
+        return Math.max(0, Math.round(delayMs));
+      const spread = delayMs * jitterRatio;
+      const offset = (Math.random() * 2 - 1) * spread;
+      return Math.max(0, Math.round(delayMs + offset));
+    }
+    function sleep(delayMs, signal) {
+      if (signal.aborted)
+        return Promise.resolve(false);
+      return new Promise((resolve) => {
+        let timeout = null;
+        const onAbort = () => {
+          if (timeout)
+            clearTimeout(timeout);
+          resolve(false);
+        };
+        timeout = setTimeout(() => {
+          signal.removeEventListener("abort", onAbort);
+          resolve(true);
+        }, delayMs);
+        signal.addEventListener("abort", onAbort, { once: true });
+      });
+    }
+    async function resolveWithin(promise, timeoutMs) {
+      let timeout = null;
+      try {
+        return await Promise.race([
+          promise.then(() => true),
+          new Promise((resolve) => {
+            timeout = setTimeout(() => resolve(false), timeoutMs);
+          })
+        ]);
+      } finally {
+        if (timeout)
+          clearTimeout(timeout);
+      }
+    }
+    function logStopped(state) {
+      if (state.stopLogged)
+        return;
+      state.stopLogged = true;
+      logger2.info("loop stopped", { name: state.name, event: "loop.stopped" });
+    }
+    function logStopTimeout(state, timeoutMs) {
+      if (state.stopLogged)
+        return;
+      state.stopLogged = true;
+      logger2.warn("loop stop timeout", {
+        name: state.name,
+        event: "loop.stop_timeout",
+        timeout_ms: timeoutMs
+      });
+    }
+  })(Supervisor ||= {});
+});
+
+// src/storage/pricing.ts
+var exports_pricing = {};
+__export(exports_pricing, {
+  Pricing: () => Pricing
+});
+import { dirname } from "path";
+import { mkdir } from "fs/promises";
+var logger2, Pricing;
+var init_pricing = __esm(() => {
+  init_config();
+  init_logger();
+  init_supervisor();
+  logger2 = Logger.fromConfig().child({ component: "pricing" });
+  ((Pricing) => {
+    const MODELS_DEV_URL = "https://models.dev/api.json";
+    let cache = null;
+    let inFlightFetch = null;
+    let bypassDiskCacheForTests = false;
+    async function fetchPricing(options = {}) {
+      const now = Date.now();
+      if (!options.force && cache && now - cache.fetchedAt < Config2.pricingCacheTtlMs) {
+        return cache.data;
+      }
+      if (!options.force && inFlightFetch) {
+        return inFlightFetch;
+      }
+      inFlightFetch = refreshPricing(options.force ?? false).finally(() => {
+        inFlightFetch = null;
+      });
+      return inFlightFetch;
+    }
+    Pricing.fetchPricing = fetchPricing;
+    function getPricing(model, provider) {
+      return findPricing(model, provider)?.pricing ?? null;
+    }
+    Pricing.getPricing = getPricing;
+    async function getPricingFreshness() {
+      const entry = cache ?? await readDiskCache();
+      if (!entry)
+        return null;
+      return { fetchedAt: entry.fetchedAt, ageMs: Date.now() - entry.fetchedAt };
+    }
+    Pricing.getPricingFreshness = getPricingFreshness;
+    function startBackgroundRefresh(options = {}) {
+      const intervalMs = options.intervalMs ?? Config2.pricingRefreshIntervalMs;
+      return Supervisor.run("pricing-refresh", async () => {
+        await fetchPricing();
+      }, {
+        intervalMs,
+        runOnStart: false,
+        signal: options.signal
+      });
+    }
+    Pricing.startBackgroundRefresh = startBackgroundRefresh;
+    function __setPricingForTests(entries, fetchedAt = Date.now()) {
+      bypassDiskCacheForTests = false;
+      cache = { data: new Map(entries), fetchedAt };
+    }
+    Pricing.__setPricingForTests = __setPricingForTests;
+    function __clearPricingForTests() {
+      cache = null;
+      inFlightFetch = null;
+      bypassDiskCacheForTests = true;
+    }
+    Pricing.__clearPricingForTests = __clearPricingForTests;
+    function findPricing(model, provider) {
+      if (!cache)
+        return null;
+      const normalizedModel = normalizeKey(model);
+      const normalizedProvider = provider ? normalizeKey(provider) : null;
+      const candidates = buildLookupCandidates(model, provider);
+      for (const key of candidates) {
+        const pricing = cache.data.get(key);
+        if (pricing)
+          return { pricing, key, source: "exact" };
+      }
+      for (const [key, pricing] of cache.data) {
+        if (normalizeKey(key) === normalizedModel) {
+          return { pricing, key, source: "normalized" };
+        }
+        if (normalizedProvider && normalizeKey(key) === `${normalizedProvider}/${normalizedModel}`) {
+          return { pricing, key, source: "normalized" };
+        }
+      }
+      const alias = aliasModel(normalizedModel);
+      if (alias) {
+        for (const key of buildLookupCandidates(alias, provider)) {
+          const pricing = cache.data.get(key);
+          if (pricing)
+            return { pricing, key, source: "alias" };
+        }
+      }
+      const fuzzy = findFuzzyMatch(normalizedModel, normalizedProvider, cache.data);
+      if (fuzzy)
+        return fuzzy;
+      return null;
+    }
+    Pricing.findPricing = findPricing;
+    function calculateCost(usage, pricing, provider) {
+      if (provider && normalizeKey(provider) === "openai") {
+        const billableInputTokens = Math.max(usage.prompt_tokens - usage.cache_read_tokens, 0);
+        return (billableInputTokens * pricing.input + usage.completion_tokens * pricing.output + usage.cache_read_tokens * (pricing.cache_read ?? pricing.input)) / 1e6;
+      }
+      return (usage.prompt_tokens * pricing.input + usage.completion_tokens * pricing.output + usage.cache_read_tokens * (pricing.cache_read ?? pricing.input) + usage.cache_creation_tokens * (pricing.cache_write ?? pricing.input) + (usage.reasoning_tokens ?? 0) * (pricing.reasoning ?? pricing.output)) / 1e6;
+    }
+    Pricing.calculateCost = calculateCost;
+    async function refreshPricing(force) {
+      const now = Date.now();
+      if (!force && !bypassDiskCacheForTests) {
+        const diskCache = await readDiskCache();
+        if (diskCache && now - diskCache.fetchedAt < Config2.pricingCacheTtlMs) {
+          cache = diskCache;
+          return diskCache.data;
+        }
+      }
+      try {
+        const res = await fetch(MODELS_DEV_URL, { signal: AbortSignal.timeout(30000) });
+        if (!res.ok)
+          throw new Error(`models.dev returned HTTP ${res.status}`);
+        const raw = await res.json();
+        const map = buildPricingMap(raw);
+        addLocalOverrides(map);
+        cache = { data: map, fetchedAt: now };
+        await writeDiskCache(cache);
+        logger2.info("loaded pricing aliases", { aliases: map.size, source: "models.dev" });
+        return map;
+      } catch (err) {
+        logger2.warn("pricing fetch failed, using cached data", { err, source: "models.dev" });
+        if (cache)
+          return cache.data;
+        const diskCache = bypassDiskCacheForTests ? null : await readDiskCache();
+        if (diskCache) {
+          cache = diskCache;
+          return diskCache.data;
+        }
+        const fallback = new Map;
+        addLocalOverrides(fallback);
+        cache = { data: fallback, fetchedAt: 0 };
+        return fallback;
+      }
+    }
+    function buildPricingMap(raw) {
+      const map = new Map;
+      for (const [provider, providerData] of Object.entries(raw)) {
+        if (!providerData.models)
+          continue;
+        for (const [modelId, modelData] of Object.entries(providerData.models)) {
+          if (!modelData.cost)
+            continue;
+          const pricing = toPricing(modelData.cost);
+          if (!pricing)
+            continue;
+          setPricingAlias(map, modelId, pricing);
+          setPricingAlias(map, `${provider}/${modelId}`, pricing);
+          if (modelData.id)
+            setPricingAlias(map, modelData.id, pricing);
+          if (modelData.name)
+            setPricingAlias(map, modelData.name, pricing);
+        }
+      }
+      return map;
+    }
+    function toPricing(cost) {
+      if (typeof cost.input !== "number" || typeof cost.output !== "number")
+        return null;
+      return {
+        input: cost.input,
+        output: cost.output,
+        cache_read: typeof cost.cache_read === "number" ? cost.cache_read : undefined,
+        cache_write: typeof cost.cache_write === "number" ? cost.cache_write : undefined,
+        reasoning: typeof cost.reasoning === "number" ? cost.reasoning : undefined
+      };
+    }
+    function addLocalOverrides(map) {
+      const overrides = {
+        "gpt-5.4": { input: 2.5, output: 15, cache_read: 0.25 },
+        "gpt-5.4-mini": { input: 0.75, output: 4.5, cache_read: 0.075 },
+        "gpt-5.4-mini-2026-03-17": { input: 0.75, output: 4.5, cache_read: 0.075 },
+        "kimi-for-coding": { input: 0.4, output: 2.5, cache_read: 0.4 },
+        "kimi-k2": { input: 0.4, output: 2.5, cache_read: 0.4 },
+        "kimi-k2.6": { input: 0.95, output: 4, cache_read: 0.16 }
+      };
+      for (const [model, pricing] of Object.entries(overrides)) {
+        setPricingAlias(map, model, pricing);
+        setPricingAlias(map, `openai/${model}`, pricing);
+      }
+    }
+    function setPricingAlias(map, key, pricing) {
+      map.set(key, pricing);
+      map.set(normalizeKey(key), pricing);
+    }
+    function buildLookupCandidates(model, provider) {
+      const candidates = new Set;
+      candidates.add(model);
+      candidates.add(normalizeKey(model));
+      if (provider) {
+        candidates.add(`${provider}/${model}`);
+        candidates.add(`${normalizeKey(provider)}/${normalizeKey(model)}`);
+      }
+      return Array.from(candidates);
+    }
+    function aliasModel(normalizedModel) {
+      if (normalizedModel === "kimi-for-coding")
+        return "kimi-k2";
+      if (normalizedModel.startsWith("gpt-5.4-mini"))
+        return "gpt-5.4-mini";
+      if (normalizedModel.startsWith("gpt-5.4"))
+        return "gpt-5.4";
+      return null;
+    }
+    function findFuzzyMatch(normalizedModel, normalizedProvider, map) {
+      const eligible = Array.from(map.entries()).filter(([key, pricing]) => {
+        if (pricing.input === 0 && pricing.output === 0)
+          return false;
+        const normalizedKey = normalizeKey(key);
+        if (normalizedProvider && !normalizedKey.startsWith(`${normalizedProvider}/`) && normalizedKey.includes("/")) {
+          return false;
+        }
+        return normalizedKey.endsWith(`/${normalizedModel}`) || normalizedKey === normalizedModel;
+      });
+      if (eligible.length > 0) {
+        const [key, pricing] = eligible[0];
+        return { key, pricing, source: "fuzzy" };
+      }
+      const broad = Array.from(map.entries()).find(([key, pricing]) => {
+        if (pricing.input === 0 && pricing.output === 0)
+          return false;
+        const normalizedKey = normalizeKey(key);
+        return normalizedKey.length >= 6 && normalizedModel.includes(normalizedKey);
+      });
+      if (!broad)
+        return null;
+      return { key: broad[0], pricing: broad[1], source: "fuzzy" };
+    }
+    function normalizeKey(key) {
+      return key.trim().toLowerCase().replace(/[_\s]+/g, "-");
+    }
+    async function readDiskCache() {
+      try {
+        const file = Bun.file(Config2.pricingCachePath);
+        if (!await file.exists())
+          return null;
+        const parsed = await file.json();
+        if (typeof parsed.fetchedAt !== "number" || !Array.isArray(parsed.data))
+          return null;
+        return { fetchedAt: parsed.fetchedAt, data: new Map(parsed.data) };
+      } catch (err) {
+        logger2.warn("disk cache read failed", { err, path: Config2.pricingCachePath });
+        return null;
+      }
+    }
+    async function writeDiskCache(entry) {
+      try {
+        await mkdir(dirname(Config2.pricingCachePath), { recursive: true });
+        await Bun.write(Config2.pricingCachePath, JSON.stringify({ fetchedAt: entry.fetchedAt, data: Array.from(entry.data.entries()) }));
+      } catch (err) {
+        logger2.warn("disk cache write failed", { err, path: Config2.pricingCachePath });
+      }
+    }
+  })(Pricing ||= {});
+});
+
+// src/storage/cost.ts
+var logger3, Cost;
+var init_cost = __esm(() => {
+  init_pricing();
+  init_logger();
+  logger3 = Logger.fromConfig().child({ component: "cost" });
+  ((Cost) => {
+    const SENTINEL_MODELS = new Set(["", "unknown", "undefined"]);
+    let activeLogger = logger3;
+    function __setLoggerForTests(nextLogger) {
+      activeLogger = nextLogger;
+    }
+    Cost.__setLoggerForTests = __setLoggerForTests;
+    function __resetLoggerForTests() {
+      activeLogger = logger3;
+    }
+    Cost.__resetLoggerForTests = __resetLoggerForTests;
+    function compute(inputs) {
+      const model = inputs.model?.trim() ?? "";
+      if (SENTINEL_MODELS.has(model.toLowerCase())) {
+        return { cost_usd: 0, cost_status: "unsupported", source: "unsupported_model" };
+      }
+      const pricing = Pricing.getPricing(model, inputs.provider);
+      if (!pricing) {
+        return { cost_usd: 0, cost_status: "pending", source: "pricing" };
+      }
+      const rawCost = Pricing.calculateCost({
+        prompt_tokens: inputs.usage.prompt_tokens ?? 0,
+        completion_tokens: inputs.usage.completion_tokens ?? 0,
+        cache_creation_tokens: inputs.usage.cache_creation_tokens ?? 0,
+        cache_read_tokens: inputs.usage.cache_read_tokens ?? 0,
+        reasoning_tokens: inputs.usage.reasoning_tokens ?? 0
+      }, pricing, inputs.provider);
+      if (!Number.isFinite(rawCost) || Number.isNaN(rawCost) || rawCost < 0) {
+        activeLogger.warn("cost guard rejected computed cost", {
+          event: "cost.guard",
+          provider: inputs.provider,
+          model,
+          raw_cost: rawCost
+        });
+        return { cost_usd: 0, cost_status: "pending", source: "guard" };
+      }
+      if (rawCost === 0) {
+        return { cost_usd: 0, cost_status: "pending", source: "guard" };
+      }
+      return { cost_usd: rawCost, cost_status: "ok", source: "pricing" };
+    }
+    Cost.compute = compute;
+    function inputsFromLog(log) {
+      return {
+        provider: log.provider,
+        model: log.model,
+        usage: {
+          prompt_tokens: log.prompt_tokens,
+          completion_tokens: log.completion_tokens,
+          cache_creation_tokens: log.cache_creation_tokens,
+          cache_read_tokens: log.cache_read_tokens,
+          reasoning_tokens: log.reasoning_tokens ?? 0
+        }
+      };
+    }
+    Cost.inputsFromLog = inputsFromLog;
+  })(Cost ||= {});
+});
+
+// src/upstream/client.ts
+var exports_client = {};
+__export(exports_client, {
+  UpstreamClient: () => UpstreamClient
+});
+var UpstreamClient;
+var init_client = __esm(() => {
+  init_config();
+  init_logger();
+  ((UpstreamClient) => {
+    UpstreamClient.DEFAULT_UPSTREAM_TIMEOUT_MS = 300000;
+    UpstreamClient.DEFAULT_UPSTREAM_CONNECT_TIMEOUT_MS = 1e4;
+    const MAX_RETRIES = 2;
+    const OPEN_AFTER_FAILURES = 5;
+    const HALF_OPEN_AFTER_MS = 30000;
+    const breakers = new Map;
+    let logger4 = Logger.fromConfig().child({ component: "upstream-client" });
+    let sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+    let now = () => Date.now();
+    let random = () => Math.random();
+    async function fetch2(options) {
+      const providerId = options.providerId || "unknown";
+      const breaker = breakerFor(providerId);
+      const breakerState = currentBreakerState(breaker);
+      if (breakerState === "open") {
+        const normalized = normalizeShortCircuit(providerId);
+        logger4.warn("upstream circuit breaker open", {
+          event: "upstream.short_circuit",
+          ...withoutCause(normalized)
+        });
+        logFailure(normalized, 0, false);
+        return normalizedResponse(normalized);
+      }
+      const streaming = isStreamingRequest(options);
+      const idempotent = options.idempotent === true;
+      let attempt = 0;
+      while (true) {
+        const timeout = createTimeoutSignal(Config2.upstreamTimeoutMs, Config2.upstreamConnectTimeoutMs);
+        const signal = composeSignals([timeout.signal, options.signal]);
+        try {
+          const response = await globalThis.fetch(options.url, {
+            method: options.method,
+            headers: options.headers,
+            body: options.body,
+            signal
+          });
+          timeout.clear();
+          if (response.status >= 500) {
+            const normalized = normalizeHttpFailure(response, providerId, canRetry(idempotent, streaming));
+            const retrying = shouldRetry(normalized, attempt, streaming, idempotent);
+            logFailure(normalized, attempt, retrying);
+            if (retrying) {
+              await discardResponse(response);
+              await sleep(backoffMs(attempt));
+              attempt += 1;
+              continue;
+            }
+            recordFailure(breaker);
+            return response;
+          }
+          recordSuccess(breaker);
+          return response;
+        } catch (err) {
+          timeout.clear();
+          const normalized = normalizeThrownFailure(err, providerId, canRetry(idempotent, streaming), timeout.kind);
+          const retrying = shouldRetry(normalized, attempt, streaming, idempotent);
+          logFailure(normalized, attempt, retrying);
+          if (retrying) {
+            await sleep(backoffMs(attempt));
+            attempt += 1;
+            continue;
+          }
+          recordFailure(breaker);
+          return normalizedResponse(normalized);
+        }
+      }
+    }
+    UpstreamClient.fetch = fetch2;
+    function __resetForTests() {
+      breakers.clear();
+      logger4 = Logger.fromConfig().child({ component: "upstream-client" });
+      sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+      now = () => Date.now();
+      random = () => Math.random();
+    }
+    UpstreamClient.__resetForTests = __resetForTests;
+    function __setTestHooks(hooks) {
+      if (hooks.logger)
+        logger4 = hooks.logger;
+      if (hooks.sleep)
+        sleep = hooks.sleep;
+      if (hooks.now)
+        now = hooks.now;
+      if (hooks.random)
+        random = hooks.random;
+    }
+    UpstreamClient.__setTestHooks = __setTestHooks;
+    function breakerFor(providerId) {
+      const existing = breakers.get(providerId);
+      if (existing)
+        return existing;
+      const created = { state: "closed", failures: 0, openedAt: 0 };
+      breakers.set(providerId, created);
+      return created;
+    }
+    function currentBreakerState(breaker) {
+      if (breaker.state === "open" && now() - breaker.openedAt >= HALF_OPEN_AFTER_MS) {
+        breaker.state = "half-open";
+      }
+      return breaker.state;
+    }
+    function recordFailure(breaker) {
+      if (breaker.state === "half-open") {
+        breaker.state = "open";
+        breaker.openedAt = now();
+        breaker.failures = OPEN_AFTER_FAILURES;
+        return;
+      }
+      breaker.failures += 1;
+      if (breaker.failures >= OPEN_AFTER_FAILURES) {
+        breaker.state = "open";
+        breaker.openedAt = now();
+      }
+    }
+    function recordSuccess(breaker) {
+      breaker.state = "closed";
+      breaker.failures = 0;
+      breaker.openedAt = 0;
+    }
+    function canRetry(idempotent, streaming) {
+      return idempotent && !streaming;
+    }
+    function shouldRetry(failure, attempt, streaming, idempotent) {
+      if (!canRetry(idempotent, streaming))
+        return false;
+      if (attempt >= MAX_RETRIES)
+        return false;
+      return failure.code === "network" || failure.code === "5xx" || failure.code === "aborted-due-to-timeout";
+    }
+    function backoffMs(attempt) {
+      const jitter = Math.floor(random() * 100);
+      return Math.min(2 ** attempt * 200 + jitter, 5000);
+    }
+    function createTimeoutSignal(totalMs, connectMs) {
+      const controller = new AbortController;
+      let kind = null;
+      const abort = (nextKind) => {
+        if (controller.signal.aborted)
+          return;
+        kind = nextKind;
+        controller.abort(new Error(`upstream ${nextKind} timeout`));
+      };
+      const connectTimer = setTimeout(() => abort("connect"), connectMs);
+      const totalTimer = setTimeout(() => abort("total"), totalMs);
+      return {
+        signal: controller.signal,
+        clear() {
+          clearTimeout(connectTimer);
+          clearTimeout(totalTimer);
+        },
+        get kind() {
+          return kind;
+        }
+      };
+    }
+    function composeSignals(signals) {
+      const active = signals.filter((signal) => Boolean(signal));
+      if (active.length === 1)
+        return active[0];
+      const abortSignal = AbortSignal;
+      if (typeof abortSignal.any === "function")
+        return abortSignal.any(active);
+      const controller = new AbortController;
+      const abort = (signal) => {
+        if (!controller.signal.aborted)
+          controller.abort(signal.reason);
+      };
+      for (const signal of active) {
+        if (signal.aborted) {
+          abort(signal);
+          break;
+        }
+        signal.addEventListener("abort", () => abort(signal), { once: true });
+      }
+      return controller.signal;
+    }
+    function isStreamingRequest(options) {
+      if (options.body instanceof ReadableStream)
+        return true;
+      const headers = new Headers(options.headers);
+      const accept = headers.get("accept")?.toLowerCase() ?? "";
+      const contentType = headers.get("content-type")?.toLowerCase() ?? "";
+      return accept.includes("text/event-stream") || contentType.includes("text/event-stream");
+    }
+    function normalizeHttpFailure(response, providerId, retryable) {
+      return {
+        code: "5xx",
+        status: response.status,
+        providerId,
+        retryable,
+        cause: { statusText: response.statusText }
+      };
+    }
+    function normalizeThrownFailure(err, providerId, retryable, timeoutKind) {
+      if (timeoutKind) {
+        return {
+          code: "aborted-due-to-timeout",
+          status: 504,
+          providerId,
+          retryable,
+          cause: { timeoutKind, error: serializeCause(err) }
+        };
+      }
+      if (isAbortError(err)) {
+        return {
+          code: "aborted",
+          status: 499,
+          providerId,
+          retryable: false,
+          cause: serializeCause(err)
+        };
+      }
+      return {
+        code: "network",
+        status: 503,
+        providerId,
+        retryable,
+        cause: serializeCause(err)
+      };
+    }
+    function normalizeShortCircuit(providerId) {
+      return {
+        code: "short-circuit",
+        status: 503,
+        providerId,
+        retryable: false,
+        cause: "circuit breaker open"
+      };
+    }
+    function isAbortError(err) {
+      return err instanceof DOMException && err.name === "AbortError";
+    }
+    function logFailure(failure, attempt, retrying) {
+      logger4.error("upstream failure", {
+        event: "upstream.error",
+        ...withoutCause(failure),
+        cause: failure.cause,
+        attempt,
+        max_retries: MAX_RETRIES,
+        retrying
+      });
+    }
+    function withoutCause(failure) {
+      const { cause: _cause, ...rest } = failure;
+      return rest;
+    }
+    function normalizedResponse(failure) {
+      return new Response(JSON.stringify({ error: { ...withoutCause(failure), cause: failure.cause } }), {
+        status: failure.status,
+        headers: { "content-type": "application/json" }
+      });
+    }
+    function serializeCause(err) {
+      if (err instanceof Error) {
+        return { name: err.name, message: err.message };
+      }
+      return err;
+    }
+    async function discardResponse(response) {
+      try {
+        await response.body?.cancel();
+      } catch {}
+    }
+  })(UpstreamClient ||= {});
+});
+
+// src/cliproxy/quota.ts
+import { readdir, readFile } from "fs/promises";
+import { join as join3 } from "path";
+function normalizePercent(value) {
+  if (typeof value !== "number" || !Number.isFinite(value))
+    return;
+  const pct = value <= 1 ? value * 100 : value;
+  return Math.max(0, Math.min(100, pct));
+}
+function normalizeReset(value) {
+  if (typeof value === "number" && Number.isFinite(value)) {
+    const ms = value < 1000000000000 ? value * 1000 : value;
+    return new Date(ms).toISOString();
+  }
+  if (typeof value === "string" && value.trim()) {
+    const parsed = Date.parse(value);
+    if (Number.isFinite(parsed))
+      return new Date(parsed).toISOString();
+  }
+  return;
+}
+function quotaTypeFromSeconds(seconds, fallback) {
+  if (typeof seconds !== "number" || !Number.isFinite(seconds))
+    return fallback;
+  const hours = Math.round(seconds / 3600);
+  if (hours >= 24 * 6)
+    return "week";
+  if (hours >= 24)
+    return `${Math.round(hours / 24)}d`;
+  return `${hours}h`;
+}
+async function fetchJson(url, init) {
+  const controller = new AbortController;
+  const timer = setTimeout(() => controller.abort(), Config2.quotaRefreshTimeoutMs);
+  try {
+    const res = await UpstreamClient.fetch({
+      method: init.method ?? "GET",
+      url,
+      headers: init.headers,
+      body: init.body ?? null,
+      providerId: `quota:${new URL(url).hostname}`,
+      idempotent: (init.method ?? "GET") === "GET" || (init.method ?? "GET") === "HEAD",
+      signal: controller.signal
+    });
+    const text = await res.text();
+    let data = null;
+    try {
+      data = text ? JSON.parse(text) : null;
+    } catch {
+      data = null;
+    }
+    return { ok: res.ok, status: res.status, data, text };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function errorMessage(data, fallback) {
+  if (data && typeof data === "object" && "error" in data) {
+    const err = data.error;
+    if (err && typeof err === "object" && "message" in err) {
+      const message = err.message;
+      if (typeof message === "string" && message.trim())
+        return message;
+    }
+    if (typeof err === "string" && err.trim())
+      return err;
+  }
+  return fallback;
+}
+async function probeClaude(auth) {
+  const account = auth.email ?? "claude";
+  if (!auth.access_token) {
+    return {
+      provider: "claude",
+      account,
+      status: "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      error: "missing access_token",
+      windows: []
+    };
+  }
+  const res = await fetchJson("https://api.anthropic.com/api/oauth/usage", {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${auth.access_token}`,
+      Accept: "application/json",
+      "anthropic-version": "2023-06-01",
+      "anthropic-beta": "oauth-2025-04-20",
+      "User-Agent": "agent-cli-proxy"
+    }
+  });
+  if (!res.ok) {
+    return {
+      provider: "claude",
+      account,
+      status: "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      error: errorMessage(res.data, `HTTP ${res.status}`),
+      windows: []
+    };
+  }
+  const data = res.data;
+  const windows = [];
+  for (const [quotaType, window] of [
+    ["5h", data.five_hour],
+    ["week", data.seven_day],
+    ["week_sonnet", data.seven_day_sonnet],
+    ["week_opus", data.seven_day_opus]
+  ]) {
+    if (!window)
+      continue;
+    const used = normalizePercent(window.utilization);
+    if (used === undefined && !window.resets_at)
+      continue;
+    windows.push({
+      quota_type: quotaType,
+      used_pct: used,
+      resets_at: normalizeReset(window.resets_at),
+      raw: window
+    });
+  }
+  return {
+    provider: "claude",
+    account,
+    status: "active",
+    unavailable: false,
+    disabled: auth.disabled === true,
+    windows
+  };
+}
+async function probeCodex(auth) {
+  const account = auth.email ?? "codex";
+  if (!auth.access_token) {
+    return {
+      provider: "codex",
+      account,
+      status: "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      error: "missing access_token",
+      windows: []
+    };
+  }
+  const headers = {
+    Authorization: `Bearer ${auth.access_token}`,
+    Accept: "application/json",
+    "User-Agent": "codex_cli_rs/0.101.0 (Linux; x86_64) agent-cli-proxy"
+  };
+  if (auth.account_id)
+    headers["ChatGPT-Account-Id"] = auth.account_id;
+  const res = await fetchJson("https://chatgpt.com/backend-api/wham/usage", {
+    method: "GET",
+    headers
+  });
+  if (!res.ok) {
+    const data2 = res.data;
+    const resetsAt = normalizeReset(data2?.error?.resets_at);
+    const usedWindow = resetsAt ? [
+      {
+        quota_type: "exhausted",
+        used_pct: 100,
+        resets_at: resetsAt,
+        raw: data2
+      }
+    ] : [];
+    return {
+      provider: "codex",
+      account,
+      status: data2?.error?.type ?? "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      plan: data2?.error?.plan_type,
+      error: data2?.error?.message ?? `HTTP ${res.status}`,
+      windows: usedWindow
+    };
+  }
+  const data = res.data;
+  const windows = [];
+  for (const [fallback, window] of [
+    ["5h", data.rate_limit?.primary_window],
+    ["week", data.rate_limit?.secondary_window]
+  ]) {
+    if (!window)
+      continue;
+    const used = normalizePercent(window.used_percent);
+    const reset = normalizeReset(window.reset_at);
+    if (used === undefined && !reset)
+      continue;
+    windows.push({
+      quota_type: quotaTypeFromSeconds(window.limit_window_seconds, fallback),
+      used_pct: used,
+      resets_at: reset,
+      raw: window
+    });
+  }
+  let plan = data.plan_type;
+  if (data.credits?.balance !== undefined && data.credits.balance !== null) {
+    plan = plan ? `${plan}` : undefined;
+  }
+  return {
+    provider: "codex",
+    account,
+    status: data.rate_limit?.limit_reached ? "limit_reached" : "active",
+    unavailable: data.rate_limit?.limit_reached === true,
+    disabled: auth.disabled === true,
+    plan,
+    windows
+  };
+}
+function readNumber(value) {
+  if (typeof value === "number" && Number.isFinite(value))
+    return value;
+  if (typeof value === "string" && value.trim()) {
+    const parsed = Number(value);
+    if (Number.isFinite(parsed))
+      return parsed;
+  }
+  return;
+}
+function kimiWindow(quotaType, detail, raw) {
+  if (!detail)
+    return null;
+  const limit = readNumber(detail.limit);
+  const remaining = readNumber(detail.remaining);
+  const used = readNumber(detail.used) ?? (limit !== undefined && remaining !== undefined ? limit - remaining : undefined);
+  const usedPct = limit && used !== undefined ? used / limit * 100 : undefined;
+  const reset = normalizeReset(detail.resetTime);
+  if (usedPct === undefined && remaining === undefined && !reset)
+    return null;
+  return {
+    quota_type: quotaType,
+    used_pct: normalizePercent(usedPct),
+    resets_at: reset,
+    raw
+  };
+}
+async function probeKimi(auth) {
+  const account = "kimi";
+  if (!auth.access_token) {
+    return {
+      provider: "kimi",
+      account,
+      status: "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      error: "missing access_token",
+      windows: []
+    };
+  }
+  const headers = {
+    Authorization: `Bearer ${auth.access_token}`,
+    Accept: "application/json",
+    "User-Agent": "KimiCLI/1.35 agent-cli-proxy"
+  };
+  let res = await fetchJson("https://api.kimi.com/coding/v1/usages", {
+    method: "GET",
+    headers
+  });
+  if (!res.ok) {
+    res = await fetchJson("https://api.moonshot.ai/v1/usages", {
+      method: "GET",
+      headers
+    });
+  }
+  if (!res.ok) {
+    return {
+      provider: "kimi",
+      account,
+      status: "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      error: errorMessage(res.data, `HTTP ${res.status}`),
+      windows: []
+    };
+  }
+  const data = res.data;
+  const coding = data.usages?.find((u) => u.scope === "FEATURE_CODING") ?? data.usages?.[0];
+  const windows = [];
+  const weekly = kimiWindow("week", coding?.detail ?? data.usage, coding?.detail ?? data.usage);
+  if (weekly)
+    windows.push(weekly);
+  for (const limit of coding?.limits ?? data.limits ?? []) {
+    const duration = limit.window?.duration;
+    const quotaType = duration === 300 ? "5h" : quotaTypeFromSeconds((duration ?? 0) * 60, "window");
+    const window = kimiWindow(quotaType, limit.detail, limit);
+    if (window)
+      windows.push(window);
+  }
+  return {
+    provider: "kimi",
+    account,
+    status: "active",
+    unavailable: false,
+    disabled: auth.disabled === true,
+    windows
+  };
+}
+function unsupported(auth) {
+  const provider = auth.type ?? "unknown";
+  return {
+    provider,
+    account: auth.email ?? provider,
+    status: "unsupported",
+    unavailable: false,
+    disabled: auth.disabled === true,
+    error: "quota endpoint is not known for this provider",
+    windows: []
+  };
+}
+async function readAuthFiles() {
+  if (!Config2.cliproxyAuthDir)
+    return [];
+  const names = await readdir(Config2.cliproxyAuthDir);
+  const out = [];
+  for (const name of names) {
+    if (!name.endsWith(".json"))
+      continue;
+    try {
+      const raw = await readFile(join3(Config2.cliproxyAuthDir, name), "utf-8");
+      const parsed = JSON.parse(raw);
+      out.push(parsed);
+    } catch (err) {
+      logger4.warn("failed to read auth file", { err, name });
+    }
+  }
+  return out;
+}
+var logger4, QuotaProbe;
+var init_quota = __esm(() => {
+  init_config();
+  init_client();
+  init_logger();
+  logger4 = Logger.fromConfig().child({ component: "quota" });
+  ((QuotaProbe) => {
+    async function refresh() {
+      const timestamp = new Date().toISOString();
+      const auths = await readAuthFiles();
+      const accounts = [];
+      for (const auth of auths) {
+        let result;
+        try {
+          if (auth.type === "claude")
+            result = await probeClaude(auth);
+          else if (auth.type === "codex")
+            result = await probeCodex(auth);
+          else if (auth.type === "kimi")
+            result = await probeKimi(auth);
+          else
+            result = unsupported(auth);
+        } catch (err) {
+          result = {
+            provider: auth.type ?? "unknown",
+            account: auth.email ?? auth.type ?? "unknown",
+            status: "error",
+            unavailable: true,
+            disabled: auth.disabled === true,
+            error: err instanceof Error ? err.message : String(err),
+            windows: []
+          };
+        }
+        const windows = result.windows.map((window) => ({
+          timestamp,
+          provider: result.provider,
+          account: result.account,
+          quota_type: window.quota_type,
+          used_pct: window.used_pct ?? null,
+          remaining: window.used_pct === undefined ? null : Math.max(0, 100 - window.used_pct),
+          remaining_raw: window.used_pct === undefined ? null : `${Math.max(0, 100 - window.used_pct).toFixed(2)}%`,
+          resets_at: window.resets_at ?? null,
+          raw_json: JSON.stringify(window.raw)
+        }));
+        accounts.push({
+          provider: result.provider,
+          account: result.account,
+          status: result.status,
+          unavailable: result.unavailable,
+          disabled: result.disabled,
+          plan: result.plan,
+          refreshed_at: timestamp,
+          error: result.error,
+          windows,
+          local_usage: {
+            five_hour: { since: "", requests: 0, total_tokens: 0, cost_usd: 0 },
+            seven_day: { since: "", requests: 0, total_tokens: 0, cost_usd: 0 }
+          }
+        });
+      }
+      return { timestamp, accounts, inserted: 0 };
+    }
+    QuotaProbe.refresh = refresh;
+  })(QuotaProbe ||= {});
+});
+
+// src/storage/service.ts
+var exports_service = {};
+__export(exports_service, {
+  UsageService: () => UsageService
+});
+import { readdir as readdir2 } from "fs/promises";
+var logger5, costBackfillLogger, unmappedSubscriptionWarnings, UsageService;
+var init_service = __esm(() => {
+  init_account_subscriptions();
+  init_repo();
+  init_pricing();
+  init_cost();
+  init_quota();
+  init_logger();
+  init_config();
+  init_supervisor();
+  logger5 = Logger.fromConfig().child({ component: "usage-service" });
+  costBackfillLogger = Logger.fromConfig().child({ component: "cost" });
+  unmappedSubscriptionWarnings = new Map;
+  ((UsageService) => {
+    function create(db, options = {}) {
+      const serviceLogger = options.logger ?? logger5;
+      const now = options.now ?? (() => new Date);
+      function preLog(log) {
+        return RequestRepo.insert(db, log);
+      }
+      async function finalizeUsage(id, log) {
+        const cost = computeCost(log);
+        const logWithCost = { ...log, cost_usd: cost.cost_usd, cost_status: cost.cost_status };
+        const txn = db.transaction(() => {
+          const updated = RequestRepo.updateFinalize(db, id, {
+            provider: logWithCost.provider,
+            model: logWithCost.model,
+            actual_model: logWithCost.actual_model,
+            streamed: logWithCost.streamed,
+            status: logWithCost.status,
+            prompt_tokens: logWithCost.prompt_tokens,
+            completion_tokens: logWithCost.completion_tokens,
+            cache_creation_tokens: logWithCost.cache_creation_tokens,
+            cache_read_tokens: logWithCost.cache_read_tokens,
+            reasoning_tokens: logWithCost.reasoning_tokens ?? 0,
+            total_tokens: logWithCost.total_tokens,
+            cost_usd: cost.cost_usd,
+            incomplete: logWithCost.incomplete,
+            error_code: logWithCost.error_code,
+            latency_ms: logWithCost.latency_ms,
+            finished_at: logWithCost.finished_at,
+            lifecycle_status: logWithCost.lifecycle_status ?? "completed",
+            finalized_at: logWithCost.finalized_at ?? logWithCost.finished_at ?? new Date().toISOString(),
+            error_message: logWithCost.error_message,
+            cost_status: cost.cost_status,
+            subscription_code: logWithCost.subscription_code
+          });
+          if (updated === 0)
+            return false;
+          insertCostAudit(id, logWithCost, cost);
+          const day = logWithCost.started_at.slice(0, 10);
+          UsageRepo.upsertDaily(db, {
+            day,
+            provider: logWithCost.provider,
+            model: logWithCost.model,
+            request_count: 1,
+            prompt_tokens: logWithCost.prompt_tokens,
+            completion_tokens: logWithCost.completion_tokens,
+            cache_creation_tokens: logWithCost.cache_creation_tokens,
+            cache_read_tokens: logWithCost.cache_read_tokens,
+            total_tokens: logWithCost.total_tokens,
+            cost_usd: cost.cost_usd
+          });
+          return true;
+        });
+        return txn();
+      }
+      async function recordUsage(log) {
+        const cost = computeCost(log);
+        const logWithCost = { ...log, cost_usd: cost.cost_usd, cost_status: cost.cost_status };
+        const txn = db.transaction(() => {
+          const id = RequestRepo.insert(db, logWithCost);
+          insertCostAudit(id, logWithCost, cost);
+          const day = log.started_at.slice(0, 10);
+          UsageRepo.upsertDaily(db, {
+            day,
+            provider: log.provider,
+            model: log.model,
+            request_count: 1,
+            prompt_tokens: log.prompt_tokens,
+            completion_tokens: log.completion_tokens,
+            cache_creation_tokens: log.cache_creation_tokens,
+            cache_read_tokens: log.cache_read_tokens,
+            total_tokens: log.total_tokens,
+            cost_usd: cost.cost_usd
+          });
+          return id;
+        });
+        return txn();
+      }
+      async function backfillCosts(options2 = {}) {
+        try {
+          await Pricing.fetchPricing({ force: true });
+        } catch (err) {
+          logger5.warn("pricing refresh failed before cost backfill", { err, event: "cost.backfill_pricing_failed" });
+        }
+        const lookbackMs = options2.lookbackMs ?? Config2.costBackfillLookbackMs;
+        const limitClause = options2.limit && options2.limit > 0 ? " LIMIT ?" : "";
+        const sinceClause = options2.all ? "" : "AND started_at >= ?";
+        const sinceIso = new Date(Date.now() - lookbackMs).toISOString();
+        const params = [];
+        if (!options2.all)
+          params.push(sinceIso);
+        if (options2.limit && options2.limit > 0)
+          params.push(options2.limit);
+        const rows = db.query(`
+        SELECT id, provider, model, prompt_tokens, completion_tokens,
+               cache_creation_tokens, cache_read_tokens, reasoning_tokens, cost_usd, cost_status
+        FROM request_logs
+        WHERE lifecycle_status IN ('completed', 'error')
+          AND cost_status IN ('pending', 'unresolved')
+          ${sinceClause}
+        ORDER BY id ASC${limitClause}
+      `).all(...params);
+        let updated = 0;
+        const statusCounts = { ok: 0, pending: 0, unsupported: 0 };
+        const updateTxn = db.transaction(() => {
+          const updateLog = db.prepare("UPDATE request_logs SET cost_usd = ?, cost_status = 'ok' WHERE id = ? AND cost_status IN ('pending', 'unresolved')");
+          for (const row of rows) {
+            const cost = computeCost(row);
+            statusCounts[cost.cost_status] += 1;
+            insertCostAudit(row.id, row, cost);
+            if ((row.cost_status === "pending" || row.cost_status === "unresolved") && cost.cost_status === "ok") {
+              const result = updateLog.run(cost.cost_usd, row.id);
+              updated += result.changes;
+            }
+          }
+          db.exec(`
+          DELETE FROM daily_usage;
+          INSERT INTO daily_usage (
+            day, provider, model, request_count, prompt_tokens,
+            completion_tokens, cache_creation_tokens, cache_read_tokens,
+            total_tokens, cost_usd
+          )
+          SELECT
+            substr(started_at, 1, 10), provider, model, COUNT(*),
+            SUM(prompt_tokens), SUM(completion_tokens), SUM(cache_creation_tokens),
+            SUM(cache_read_tokens), SUM(total_tokens), SUM(cost_usd)
+          FROM request_logs
+          GROUP BY substr(started_at, 1, 10), provider, model;
+        `);
+        });
+        updateTxn();
+        return { scanned: rows.length, updated, ...statusCounts };
+      }
+      function computeCost(log) {
+        return Cost.compute(Cost.inputsFromLog(log));
+      }
+      function insertCostAudit(requestLogId, log, cost) {
+        RequestRepo.insertCostAudit(db, {
+          request_log_id: requestLogId,
+          model: log.model,
+          provider: log.provider,
+          source: cost.source,
+          base_cost_usd: cost.cost_usd
+        });
+      }
+      function getToday() {
+        const today = new Date().toISOString().slice(0, 10);
+        const breakdown = UsageRepo.getDaily(db, today);
+        const totals = breakdown.reduce((acc, row) => ({
+          requests: acc.requests + row.request_count,
+          total_tokens: acc.total_tokens + row.total_tokens,
+          cost_usd: acc.cost_usd + row.cost_usd
+        }), { requests: 0, total_tokens: 0, cost_usd: 0 });
+        return {
+          date: today,
+          requests: totals.requests,
+          total_tokens: totals.total_tokens,
+          cost_usd: totals.cost_usd,
+          breakdown
+        };
+      }
+      function getDateRange(from, to) {
+        const rows = UsageRepo.getRange(db, from, to);
+        const byDay = new Map;
+        for (const row of rows) {
+          const existing = byDay.get(row.day) ?? [];
+          existing.push(row);
+          byDay.set(row.day, existing);
+        }
+        return Array.from(byDay.entries()).map(([day, breakdown]) => {
+          const totals = breakdown.reduce((acc, row) => ({
+            requests: acc.requests + row.request_count,
+            total_tokens: acc.total_tokens + row.total_tokens,
+            cost_usd: acc.cost_usd + row.cost_usd
+          }), { requests: 0, total_tokens: 0, cost_usd: 0 });
+          return { date: day, ...totals, breakdown };
+        });
+      }
+      function getModelBreakdown(day) {
+        return UsageRepo.getDaily(db, day);
+      }
+      function getProviderBreakdown(day) {
+        const rows = UsageRepo.getDaily(db, day);
+        const byProvider = new Map;
+        for (const row of rows) {
+          const existing = byProvider.get(row.provider) ?? {
+            provider: row.provider,
+            request_count: 0,
+            total_tokens: 0,
+            cost_usd: 0
+          };
+          existing.request_count += row.request_count;
+          existing.total_tokens += row.total_tokens;
+          existing.cost_usd += row.cost_usd;
+          byProvider.set(row.provider, existing);
+        }
+        return Array.from(byProvider.values());
+      }
+      function getTotalStats() {
+        const stmt = db.prepare(`
+        SELECT 
+          COUNT(*) as total_requests,
+          SUM(total_tokens) as total_tokens,
+          SUM(cost_usd) as total_cost_usd,
+          MIN(started_at) as first_request_at,
+          MAX(started_at) as last_request_at
+        FROM request_logs
+      `);
+        const row = stmt.get();
+        return {
+          total_requests: Number(row.total_requests ?? 0),
+          total_tokens: Number(row.total_tokens ?? 0),
+          total_cost_usd: Number(row.total_cost_usd ?? 0),
+          first_request_at: row.first_request_at ?? null,
+          last_request_at: row.last_request_at ?? null
+        };
+      }
+      function getRecentLogs(limit, offset, tool, clientId) {
+        return RequestRepo.getRecent(db, limit, offset, tool, clientId);
+      }
+      function getLogById(id) {
+        return RequestRepo.getById(db, id);
+      }
+      function getUncorrelatedLogs(sinceMs, limit) {
+        return RequestRepo.getUncorrelated(db, sinceMs, limit);
+      }
+      function applyCorrelation(id, log, fields) {
+        const txn = db.transaction(() => {
+          RequestRepo.applyCorrelation(db, id, fields);
+          if (fields.cliproxy_account) {
+            applySubscriptionAttribution(db, id, fields.cliproxy_account, serviceLogger, now);
+            UsageRepo.upsertDailyAccount(db, {
+              day: log.started_at.slice(0, 10),
+              provider: log.provider,
+              model: log.model,
+              cliproxy_account: fields.cliproxy_account,
+              cliproxy_auth_index: fields.cliproxy_auth_index,
+              request_count: 1,
+              prompt_tokens: log.prompt_tokens,
+              completion_tokens: log.completion_tokens,
+              cache_creation_tokens: log.cache_creation_tokens,
+              cache_read_tokens: log.cache_read_tokens,
+              reasoning_tokens: fields.reasoning_tokens ?? 0,
+              total_tokens: log.total_tokens,
+              cost_usd: log.cost_usd
+            });
+          }
+        });
+        txn();
+      }
+      function applySubscriptionAttribution(database, requestLogId, cliproxyAccount, targetLogger, currentDate) {
+        const binding = AccountSubscriptionRepo.get(database, cliproxyAccount);
+        if (binding) {
+          RequestRepo.applySubscription(database, requestLogId, binding.subscription_code);
+          return;
+        }
+        warnUnmappedSubscription(targetLogger, cliproxyAccount, currentDate());
+      }
+      function getAccountSummary(from, to) {
+        return UsageRepo.getAccountSummary(db, from, to);
+      }
+      function getAccountDaily(day) {
+        return UsageRepo.getDailyByAccount(db, day);
+      }
+      function getAccountRange(from, to) {
+        return UsageRepo.getAccountRange(db, from, to);
+      }
+      function withLocalUsage(report) {
+        const now2 = Date.now();
+        const fiveHourSince = new Date(now2 - 5 * 60 * 60 * 1000).toISOString();
+        const sevenDaySince = new Date(now2 - 7 * 24 * 60 * 60 * 1000).toISOString();
+        const localProvider = report.provider === "claude" ? "anthropic" : "openai";
+        return {
+          ...report,
+          local_usage: {
+            five_hour: QuotaRepo.getLocalWindowUsage(db, localProvider, report.account, fiveHourSince),
+            seven_day: QuotaRepo.getLocalWindowUsage(db, localProvider, report.account, sevenDaySince)
+          }
+        };
+      }
+      async function refreshQuotas() {
+        const result = await QuotaProbe.refresh();
+        let inserted = 0;
+        const accounts = result.accounts.map(withLocalUsage);
+        const txn = db.transaction(() => {
+          for (const account of accounts) {
+            for (const snapshot of account.windows) {
+              QuotaRepo.insertSnapshot(db, snapshot);
+              inserted += 1;
+            }
+          }
+        });
+        txn();
+        return { ...result, inserted, accounts };
+      }
+      async function startQuotaRefresh(options2 = {}) {
+        if (!Config2.cliproxyAuthDir) {
+          logger5.info("quota background refresh skipped", {
+            event: "quota.refresh_skipped",
+            reason: "missing_auth_dir"
+          });
+          return null;
+        }
+        let authFileNames;
+        try {
+          authFileNames = await readdir2(Config2.cliproxyAuthDir);
+        } catch (err) {
+          logger5.warn("quota background refresh skipped", {
+            event: "quota.refresh_skipped",
+            reason: "auth_dir_unreadable",
+            err,
+            path: Config2.cliproxyAuthDir
+          });
+          return null;
+        }
+        if (!authFileNames.some((name) => name.endsWith(".json"))) {
+          logger5.info("quota background refresh skipped", {
+            event: "quota.refresh_skipped",
+            reason: "no_auth_files",
+            path: Config2.cliproxyAuthDir
+          });
+          return null;
+        }
+        return Supervisor.run("quota-refresh", async () => {
+          await refreshQuotas();
+        }, {
+          intervalMs: options2.intervalMs ?? Config2.quotaRefreshIntervalMs,
+          signal: options2.signal
+        });
+      }
+      function getLatestQuotas() {
+        return QuotaRepo.getLatest(db);
+      }
+      return {
+        db,
+        preLog,
+        finalizeUsage,
+        recordUsage,
+        getToday,
+        getDateRange,
+        getModelBreakdown,
+        getProviderBreakdown,
+        getTotalStats,
+        getRecentLogs,
+        getLogById,
+        backfillCosts,
+        getUncorrelatedLogs,
+        applyCorrelation,
+        getAccountSummary,
+        getAccountDaily,
+        getAccountRange,
+        refreshQuotas,
+        startQuotaRefresh,
+        getLatestQuotas
+      };
+    }
+    UsageService.create = create;
+    function warnUnmappedSubscription(targetLogger, cliproxyAccount, date = new Date) {
+      const day = date.toISOString().slice(0, 10);
+      const key = `${cliproxyAccount}:${day}`;
+      if (unmappedSubscriptionWarnings.has(key))
+        return;
+      unmappedSubscriptionWarnings.set(key, true);
+      targetLogger.warn("plans unmapped", {
+        event: "plans.unmapped",
+        cliproxy_account: cliproxyAccount
+      });
+    }
+    UsageService.warnUnmappedSubscription = warnUnmappedSubscription;
+    function startCostBackfillLoop(service, options = {}) {
+      return Supervisor.run("cost-backfill", async () => {
+        const result = await service.backfillCosts();
+        costBackfillLogger.info("cost backfill completed", { event: "cost.backfill", ...result });
+      }, {
+        intervalMs: options.intervalMs ?? Config2.costBackfillIntervalMs,
+        signal: options.signal
+      });
+    }
+    UsageService.startCostBackfillLoop = startCostBackfillLoop;
+  })(UsageService ||= {});
+});
+
+// src/provider/registry.ts
+var exports_registry = {};
+__export(exports_registry, {
+  ProviderRegistry: () => ProviderRegistry
+});
+import { readFileSync as readFileSync4 } from "fs";
+var ProviderRegistry;
+var init_registry = __esm(() => {
+  init_config();
+  init_logger();
+  init_registry_schema();
+  ((ProviderRegistry) => {
+    const logger6 = Logger.fromConfig().child({ component: "provider-registry" });
+    let cache = null;
+    function loadProviders(options = {}) {
+      if (cache && !options.force)
+        return cache.providers;
+      const customSource = readCustomConfig();
+      const customProviders = customSource ? parseCustomProviders(customSource.raw) : [];
+      const providers = mergeProviders([...builtInProviders(), ...customProviders]);
+      const lastLoadedAt = new Date().toISOString();
+      cache = {
+        providers,
+        source: customSource?.source ?? "built-in",
+        configPath: customSource?.configPath,
+        lastLoadedAt
+      };
+      return providers;
+    }
+    ProviderRegistry.loadProviders = loadProviders;
+    function all() {
+      return loadProviders();
+    }
+    ProviderRegistry.all = all;
+    function handlesPath(path) {
+      return loadProviders().some((provider) => provider.paths.includes(path));
+    }
+    ProviderRegistry.handlesPath = handlesPath;
+    function resolve(input) {
+      const providers = loadProviders();
+      if (input.provider) {
+        const explicit = providers.find((provider) => provider.id === input.provider);
+        if (!explicit || !matchesPath(explicit, input.path) || !matchesModel(explicit, input.model))
+          return null;
+        return explicit;
+      }
+      const candidates = providers.filter((provider) => matchesPath(provider, input.path));
+      if (input.model) {
+        const modelMatch = candidates.find((provider) => matchesModel(provider, input.model));
+        if (modelMatch)
+          return modelMatch;
+      }
+      return candidates[0] ?? null;
+    }
+    ProviderRegistry.resolve = resolve;
+    function forceReload() {
+      return loadProviders({ force: true });
+    }
+    ProviderRegistry.forceReload = forceReload;
+    function configPath() {
+      return process.env.PROVIDERS_CONFIG_PATH?.trim() || undefined;
+    }
+    ProviderRegistry.configPath = configPath;
+    function sourceInfo() {
+      if (!cache) {
+        return { source: "built-in", lastLoadedAt: null };
+      }
+      return {
+        source: cache.source,
+        configPath: cache.configPath,
+        lastLoadedAt: cache.lastLoadedAt
+      };
+    }
+    ProviderRegistry.sourceInfo = sourceInfo;
+    function builtInProviders() {
+      return [
+        {
+          id: "anthropic",
+          type: "anthropic",
+          paths: ["/v1/messages"],
+          upstreamBaseUrl: Config2.cliProxyApiUrl,
+          upstreamPath: "/v1/messages",
+          auth: "preserve"
+        },
+        {
+          id: "openai",
+          type: "openai-compatible",
+          paths: ["/v1/chat/completions"],
+          upstreamBaseUrl: Config2.cliProxyApiUrl,
+          upstreamPath: "/v1/chat/completions",
+          auth: "preserve"
+        }
+      ];
+    }
+    function readCustomConfig() {
+      const inline = process.env.PROVIDERS_JSON;
+      if (inline !== undefined && inline.trim() !== "")
+        return { source: "PROVIDERS_JSON", raw: inline };
+      const path = configPath();
+      if (!path)
+        return null;
+      try {
+        return { source: "PROVIDERS_CONFIG_PATH", raw: readFileSync4(path, "utf-8"), configPath: path };
+      } catch (err) {
+        logger6.warn("provider config could not be read", {
+          event: "provider.config.invalid",
+          source: "PROVIDERS_CONFIG_PATH",
+          path: "PROVIDERS_CONFIG_PATH",
+          configPath: path,
+          err
+        });
+        return null;
+      }
+    }
+    function parseCustomProviders(raw) {
+      let parsed;
+      try {
+        parsed = JSON.parse(raw);
+      } catch (err) {
+        logger6.warn("provider config JSON is invalid", {
+          event: "provider.config.invalid",
+          path: "providers",
+          err
+        });
+        return [];
+      }
+      if (!isRecord2(parsed) || !Array.isArray(parsed.providers)) {
+        const result = validateProviderDocument(parsed);
+        logger6.warn("provider config document is invalid", {
+          event: "provider.config.invalid",
+          path: result.issues[0]?.path ?? "providers",
+          issues: result.issues
+        });
+        return [];
+      }
+      const providers = [];
+      parsed.providers.forEach((entry, index) => {
+        const result = parseProviderInput(entry, `providers[${index}]`);
+        if (result.provider) {
+          providers.push(result.provider);
+          return;
+        }
+        warnInvalidEntry(entry, `providers[${index}]`, result.issues);
+      });
+      return providers;
+    }
+    function warnInvalidEntry(entry, path, issues) {
+      logger6.warn("provider config entry is invalid", {
+        event: "provider.config.invalid",
+        providerId: providerIdForLog(entry),
+        path,
+        issues
+      });
+    }
+    function providerIdForLog(entry) {
+      if (!isRecord2(entry) || typeof entry.id !== "string" || entry.id.trim() === "")
+        return;
+      return entry.id.trim();
+    }
+    function mergeProviders(providers) {
+      const byId = new Map;
+      for (const provider of providers)
+        byId.set(provider.id, provider);
+      return Array.from(byId.values());
+    }
+    function matchesPath(provider, path) {
+      return provider.paths.includes(path);
+    }
+    function matchesModel(provider, model) {
+      if (!model || !provider.models || provider.models.length === 0)
+        return true;
+      return provider.models.some((entry) => model === entry || model.startsWith(entry));
+    }
+    function isRecord2(value) {
+      return typeof value === "object" && value !== null && !Array.isArray(value);
+    }
+  })(ProviderRegistry ||= {});
+});
+
+// src/cli.ts
+init_plans_default();
+init_plans();
+init_account_subscriptions();
+init_db();
+init_validate();
+init_logger();
+init_registry_schema();
+import { mkdir as mkdir2, chmod, copyFile, rm, cp, writeFile, open, rename, stat } from "fs/promises";
+import { existsSync as existsSync2, readFileSync as readFileSync5 } from "fs";
+import { dirname as dirname2, join as join4, resolve } from "path";
+import { homedir, platform } from "os";
+import { createInterface } from "readline/promises";
+import { stdin as input, stdout as output } from "process";
+var APP_NAME = "agent-cli-proxy";
+var HOME = homedir();
+var XDG_CONFIG_HOME = process.env.XDG_CONFIG_HOME ?? join4(HOME, ".config");
+var XDG_DATA_HOME = process.env.XDG_DATA_HOME ?? join4(HOME, ".local", "share");
+var defaultConfigDir = join4(XDG_CONFIG_HOME, APP_NAME);
+var defaultDataDir = join4(XDG_DATA_HOME, APP_NAME);
+var defaultRuntimeDir = join4(XDG_DATA_HOME, APP_NAME, "runtime");
+var defaultEnvPath = join4(defaultConfigDir, ".env");
+var defaultDbPath = join4(defaultDataDir, "proxy.db");
+var defaultPricingCachePath = join4(defaultDataDir, "pricing-cache.json");
+var defaultPlansPath = join4(defaultConfigDir, "plans.json");
+var defaultProvidersPath = join4(defaultConfigDir, "providers.json");
+var packageRoot = resolve(dirname2(Bun.fileURLToPath(import.meta.url)), "..");
+var packagedDistDir = dirname2(Bun.fileURLToPath(import.meta.url));
+var logger6 = Logger.fromConfig().child({ component: "cli" });
+function writeOut(message = "") {
+  process.stdout.write(`${message}
+`);
+}
+function writeErr(message = "") {
+  process.stderr.write(`${message}
+`);
+}
+function parseArgs(argv) {
+  const positional = [];
+  const flags = new Map;
+  for (let index = 0;index < argv.length; index += 1) {
+    const arg = argv[index];
+    if (!arg.startsWith("--")) {
+      positional.push(arg);
+      continue;
+    }
+    const eq = arg.indexOf("=");
+    if (eq > 0) {
+      const name = arg.slice(0, eq);
+      const value = arg.slice(eq + 1);
+      if (value.startsWith("--"))
+        throw new Error(`${name} value must not start with --`);
+      flags.set(name, value);
+      continue;
+    }
+    const next = argv[index + 1];
+    if (next !== undefined && !next.startsWith("--")) {
+      flags.set(arg, next);
+      index += 1;
+    } else {
+      flags.set(arg, true);
+    }
+  }
+  return { positional, flags };
+}
+function getFlagValue(args, name) {
+  const value = args.flags.get(name);
+  if (value === undefined)
+    return;
+  if (value === true)
+    throw new Error(`${name} requires a value`);
+  if (value.startsWith("--"))
+    throw new Error(`${name} value must not start with --`);
+  return value;
+}
+function hasFlag(args, name) {
+  return args.flags.has(name);
+}
+async function main() {
+  const exitCode = await runCli(process.argv.slice(2));
+  if (exitCode !== 0)
+    process.exit(exitCode);
+}
+async function runCli(argv) {
+  try {
+    const args = parseArgs(argv);
+    const [command = hasFlag(args, "--help") ? "help" : "help", subcommand = ""] = args.positional;
+    const ctx = { args };
+    switch (command) {
+      case "init":
+        await initCommand(ctx);
+        return 0;
+      case "doctor":
+        return await doctorCommand(ctx);
+      case "db":
+        if (subcommand === "init") {
+          await initDbCommand(ctx);
+          return 0;
+        }
+        break;
+      case "service":
+        return await serviceCommand(ctx, subcommand);
+      case "backfill-costs":
+        await backfillCostsCommand(ctx);
+        return 0;
+      case "plans":
+        await plansCommand(ctx, subcommand);
+        return 0;
+      case "providers":
+        await providersCommand(ctx, subcommand);
+        return 0;
+      case "paths":
+        printPaths();
+        return 0;
+      case "help":
+      case "--help":
+      case "-h":
+        printHelp();
+        return 0;
+    }
+    writeErr(`Unknown command: ${command}${subcommand ? ` ${subcommand}` : ""}`);
+    printHelp();
+    return 1;
+  } catch (err) {
+    if (err instanceof ConfigError || err instanceof Error && err.code === "CONFIG_INVALID") {
+      logger6.error("configuration validation failed", { event: "config.error", err, issues: err.issues });
+      writeErr(err instanceof Error ? err.message : String(err));
+      return 1;
+    }
+    writeErr(err instanceof Error ? err.message : String(err));
+    return 1;
+  }
+}
+async function initCommand(ctx) {
+  if (hasFlag(ctx.args, "--non-interactive")) {
+    await initNonInteractive(ctx);
+    return;
+  }
+  await initInteractive(ctx);
+}
+async function initInteractive(ctx) {
+  const rl = createInterface({ input, output });
+  try {
+    writeOut(`agent-cli-proxy installer
+`);
+    const envPath = await ask(rl, "Config .env path", getFlagValue(ctx.args, "--env") ?? defaultEnvPath);
+    const dataDir = await ask(rl, "Data directory", getFlagValue(ctx.args, "--data-dir") ?? defaultDataDir);
+    const runtimeDir = await ask(rl, "Runtime directory", getFlagValue(ctx.args, "--runtime-dir") ?? defaultRuntimeDir);
+    const host = await ask(rl, "Proxy host", "127.0.0.1");
+    const port = await ask(rl, "Proxy port", "3100");
+    const cliProxyApiUrl = await ask(rl, "CLIProxyAPI URL", "http://localhost:8317");
+    const cliProxyApiKey = await askSecret(rl, "CLIProxyAPI proxy key", "proxy");
+    const exposeAdmin = host !== "127.0.0.1" && host !== "localhost" && host !== "::1";
+    const adminApiKey = exposeAdmin || await confirm(rl, "Generate ADMIN_API_KEY for admin API?", false) ? crypto.randomUUID().replaceAll("-", "") : "";
+    const enableCliproxyCorrelation = await confirm(rl, "Enable CLIProxyAPI account correlation?", false);
+    const cliproxyMgmtKey = enableCliproxyCorrelation ? await askSecret(rl, "CLIProxyAPI management key", "") : "";
+    const enableQuotaRefresh = await confirm(rl, "Enable subscription quota checks from local CLIProxyAPI auth files?", false);
+    const cliproxyAuthDir = enableQuotaRefresh ? await ask(rl, "CLIProxyAPI auth directory", join4(HOME, ".cli-proxy-api")) : "";
+    const env = buildEnv({
+      host,
+      port,
+      adminApiKey,
+      cliProxyApiUrl,
+      cliProxyApiKey,
+      dataDir,
+      cliproxyMgmtKey,
+      cliproxyAuthDir
+    });
+    await completeInit(envPath, dataDir, runtimeDir, env, writeOptions(ctx));
+    if (await confirm(rl, "Install user daemon now?", platform() === "linux" || platform() === "darwin")) {
+      await installRuntime(runtimeDir, envPath);
+      await installService(ctx, runtimeDir, envPath);
+    }
+  } finally {
+    rl.close();
+  }
+}
+async function initNonInteractive(ctx) {
+  logger6.info("non-interactive init started", { event: "cli.init.non_interactive" });
+  const envPath = getFlagValue(ctx.args, "--env") ?? process.env.AGENT_CLI_PROXY_ENV ?? defaultEnvPath;
+  const dataDir = getFlagValue(ctx.args, "--data-dir") ?? process.env.AGENT_CLI_PROXY_DATA_DIR ?? defaultDataDir;
+  const runtimeDir = getFlagValue(ctx.args, "--runtime-dir") ?? process.env.AGENT_CLI_PROXY_RUNTIME_DIR ?? defaultRuntimeDir;
+  const host = getFlagValue(ctx.args, "--host") ?? process.env.PROXY_HOST ?? "127.0.0.1";
+  const port = getFlagValue(ctx.args, "--port") ?? process.env.PROXY_PORT ?? "3100";
+  const cliProxyApiUrl = getFlagValue(ctx.args, "--cliproxy-api-url") ?? process.env.CLI_PROXY_API_URL;
+  if (!cliProxyApiUrl && process.env.PROXY_LOCAL_OK !== "1") {
+    throw new Error("CLI_PROXY_API_URL is required for init --non-interactive unless PROXY_LOCAL_OK=1");
+  }
+  const cliProxyApiKey = readSecretFromEnvFlag(ctx.args, "--cliproxy-api-key-env", "CLI_PROXY_API_KEY") ?? "proxy";
+  const adminApiKey = getFlagValue(ctx.args, "--admin-token") ?? readNamedEnv(ctx.args, "--admin-token-env") ?? process.env.ADMIN_API_KEY ?? "";
+  const cliproxyMgmtKey = readNamedEnv(ctx.args, "--cliproxy-mgmt-key-env") ?? process.env.CLIPROXY_MGMT_KEY ?? "";
+  const cliproxyAuthDir = getFlagValue(ctx.args, "--cliproxy-auth-dir") ?? process.env.CLIPROXY_AUTH_DIR ?? "";
+  const env = buildEnv({
+    host,
+    port,
+    adminApiKey,
+    cliProxyApiUrl: cliProxyApiUrl ?? "http://localhost:8317",
+    cliProxyApiKey,
+    dataDir,
+    cliproxyMgmtKey,
+    cliproxyAuthDir
+  });
+  await completeInit(envPath, dataDir, runtimeDir, env, writeOptions(ctx));
+}
+function readSecretFromEnvFlag(args, flagName, envName) {
+  return readNamedEnv(args, flagName) ?? process.env[envName];
+}
+function readNamedEnv(args, flagName) {
+  const name = getFlagValue(args, flagName);
+  if (!name)
+    return;
+  const value = process.env[name];
+  if (value === undefined || value === "")
+    throw new Error(`${flagName} references missing environment variable ${name}`);
+  return value;
+}
+function buildEnv(inputEnv) {
+  return {
+    PROXY_HOST: inputEnv.host,
+    PROXY_PORT: inputEnv.port,
+    ADMIN_API_KEY: inputEnv.adminApiKey,
+    CLI_PROXY_API_URL: inputEnv.cliProxyApiUrl,
+    CLI_PROXY_API_KEY: inputEnv.cliProxyApiKey,
+    CLAUDE_CODE_VERSION: "2.1.87",
+    DB_PATH: join4(inputEnv.dataDir, "proxy.db"),
+    PRICING_CACHE_PATH: join4(inputEnv.dataDir, "pricing-cache.json"),
+    PRICING_CACHE_TTL_MS: "3600000",
+    CLIENT_NAME_MAPPING: "",
+    CLIPROXY_MGMT_KEY: inputEnv.cliproxyMgmtKey,
+    CLIPROXY_CORRELATION_INTERVAL_MS: "15000",
+    CLIPROXY_CORRELATION_LOOKBACK_MS: "300000",
+    CLIPROXY_AUTH_DIR: inputEnv.cliproxyAuthDir,
+    QUOTA_REFRESH_TIMEOUT_MS: "15000"
+  };
+}
+async function completeInit(envPath, dataDir, runtimeDir, env, options) {
+  await mkdir2(dirname2(envPath), { recursive: true });
+  await mkdir2(dataDir, { recursive: true });
+  await mkdir2(runtimeDir, { recursive: true });
+  await writeEnvAtomic(envPath, env, options);
+  const persistedEnv = parseEnvFile(envPath);
+  await initDbAt(persistedEnv.DB_PATH ?? env.DB_PATH);
+  writeOut(`
+Created:`);
+  writeOut(`  env: ${envPath}`);
+  writeOut(`  db:  ${persistedEnv.DB_PATH ?? env.DB_PATH}`);
+  writeOut(`  data: ${dataDir}`);
+  writeOut(`  runtime: ${runtimeDir}`);
+}
+function writeOptions(ctx) {
+  return { force: hasFlag(ctx.args, "--force"), merge: hasFlag(ctx.args, "--merge") };
+}
+async function initDbCommand(ctx) {
+  const envPath = getFlagValue(ctx.args, "--env") ?? defaultEnvPath;
+  const env = parseEnvFile(envPath);
+  await initDbAt(env.DB_PATH ?? defaultDbPath);
+  writeOut(`Initialized DB at ${env.DB_PATH ?? defaultDbPath}`);
+}
+async function backfillCostsCommand(ctx) {
+  const envPath = getFlagValue(ctx.args, "--env") ?? defaultEnvPath;
+  const env = parseEnvFile(envPath);
+  applyEnv(env);
+  const { UsageService: UsageService2 } = await Promise.resolve().then(() => (init_service(), exports_service));
+  Config.validate(process.env);
+  const dbPath = env.DB_PATH ?? defaultDbPath;
+  const db = Storage.initDb(dbPath);
+  const usageService = UsageService2.create(db);
+  const result = await usageService.backfillCosts({
+    all: hasFlag(ctx.args, "--all"),
+    limit: parsePositiveLimit(ctx.args)
+  });
+  writeOut(`[backfill-costs] scanned=${result.scanned} updated=${result.updated} ok=${result.ok} pending=${result.pending} unsupported=${result.unsupported}`);
+  db.close();
+}
+async function doctorCommand(ctx) {
+  logger6.info("doctor started", { event: "cli.doctor.started" });
+  const report = await collectDoctorReport(ctx);
+  if (hasFlag(ctx.args, "--json"))
+    writeOut(JSON.stringify(report, null, 2));
+  else
+    printDoctorReport(report);
+  return report.status === "PASS" ? 0 : 1;
+}
+async function collectDoctorReport(ctx) {
+  const { envPath, env } = loadConfigEnv(ctx.args);
+  applyEnv(env);
+  const checks = {};
+  let config = null;
+  try {
+    config = Config.validate(env);
+    checks.config = { status: "PASS", issues: [], details: { envPath } };
+  } catch (err) {
+    const issues = err instanceof ConfigError ? err.issues.map(formatConfigIssue) : [errorMessage2(err)];
+    checks.config = { status: "FAIL", issues, details: { envPath } };
+  }
+  const dbPath = config?.dbPath ?? env.DB_PATH ?? defaultDbPath;
+  checks.database = databaseCheck(dbPath);
+  checks.plans = plansCheck();
+  checks.providers = await providersCheck(Boolean(config));
+  checks.pricingCache = await pricingCacheCheck(config?.pricingCachePath ?? env.PRICING_CACHE_PATH ?? defaultPricingCachePath);
+  checks.upstream = config ? await upstreamCheck(config) : { status: "FAIL", issues: ["skipped because config is invalid"] };
+  checks.supervisor = await supervisorCheck();
+  const status = Object.values(checks).every((check) => check.status === "PASS") ? "PASS" : "FAIL";
+  return { status, checks };
+}
+function loadConfigEnv(args) {
+  const envPath = getFlagValue(args, "--env") ?? defaultEnvPath;
+  return { envPath, env: { ...envFromProcess(), ...parseEnvFile(envPath) } };
+}
+function envFromProcess() {
+  const env = {};
+  for (const [key, value] of Object.entries(process.env)) {
+    if (value !== undefined)
+      env[key] = value;
+  }
+  return env;
+}
+function databaseCheck(dbPath) {
+  let db = null;
+  try {
+    db = Storage.initDb(dbPath);
+    const tables = db.prepare("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").all();
+    const migrations = db.prepare("SELECT name FROM schema_migrations ORDER BY name DESC LIMIT 10").all();
+    return {
+      status: "PASS",
+      issues: [],
+      details: {
+        path: dbPath,
+        tablesCount: tables.length,
+        tables: tables.map((table) => table.name),
+        appliedMigrations: migrations.map((migration) => migration.name)
+      }
+    };
+  } catch (err) {
+    return { status: "FAIL", issues: [errorMessage2(err)], details: { path: dbPath } };
+  } finally {
+    db?.close();
+  }
+}
+function plansCheck() {
+  try {
+    Plans.reload();
+    const plans = Plans.list();
+    const source = resolvePlansSource();
+    return {
+      status: "PASS",
+      issues: [],
+      details: {
+        count: plans.length,
+        source: source.kind,
+        path: source.path ?? null
+      }
+    };
+  } catch (err) {
+    return { status: "FAIL", issues: [errorMessage2(err)] };
+  }
+}
+async function providersCheck(canLoadRegistry) {
+  const inspection = inspectProviderConfig(process.env);
+  if (!canLoadRegistry) {
+    return {
+      status: "FAIL",
+      issues: ["skipped because config is invalid", ...inspection.invalid.map((entry) => entry.reason)],
+      details: { source: inspection.source, invalid: inspection.invalid }
+    };
+  }
+  try {
+    const { ProviderRegistry: ProviderRegistry2 } = await Promise.resolve().then(() => (init_registry(), exports_registry));
+    const providers = ProviderRegistry2.forceReload();
+    return {
+      status: inspection.invalid.length === 0 ? "PASS" : "FAIL",
+      issues: inspection.invalid.map((entry) => entry.reason),
+      details: {
+        count: providers.length,
+        source: inspection.source,
+        invalid: inspection.invalid
+      }
+    };
+  } catch (err) {
+    return { status: "FAIL", issues: [errorMessage2(err)], details: { invalid: inspection.invalid } };
+  }
+}
+async function pricingCacheCheck(path) {
+  try {
+    const info = await stat(path);
+    return {
+      status: "PASS",
+      issues: [],
+      details: {
+        path,
+        exists: true,
+        size: info.size,
+        ageMs: Date.now() - info.mtimeMs
+      }
+    };
+  } catch (err) {
+    return { status: "FAIL", issues: [errorMessage2(err)], details: { path, exists: false } };
+  }
+}
+async function upstreamCheck(config) {
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(new Error("doctor upstream timeout")), 2000);
+  try {
+    const { UpstreamClient: UpstreamClient2 } = await Promise.resolve().then(() => (init_client(), exports_client));
+    const response = await UpstreamClient2.fetch({
+      method: "HEAD",
+      url: `${config.cliProxyApiUrl}/health`,
+      providerId: "doctor",
+      idempotent: true,
+      signal: controller.signal
+    });
+    if (response.status >= 200 && response.status < 500) {
+      return { status: "PASS", issues: [], details: { statusCode: response.status } };
+    }
+    return { status: "FAIL", issues: [`upstream returned HTTP ${response.status}`], details: { statusCode: response.status } };
+  } catch (err) {
+    return { status: "FAIL", issues: [errorMessage2(err)] };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function supervisorCheck() {
+  try {
+    const { Supervisor: Supervisor2 } = await Promise.resolve().then(() => (init_supervisor(), exports_supervisor));
+    return { status: "PASS", issues: [], details: { loops: Supervisor2.list() } };
+  } catch (err) {
+    return { status: "FAIL", issues: [errorMessage2(err)] };
+  }
+}
+function printDoctorReport(report) {
+  writeOut(`doctor: ${report.status}`);
+  for (const [name, check] of Object.entries(report.checks)) {
+    writeOut(`${check.status === "PASS" ? "PASS" : "FAIL"} ${name}`);
+    if (check.issues.length > 0) {
+      for (const issue of check.issues)
+        writeOut(`  - ${issue}`);
+    }
+    if (check.details !== undefined)
+      writeOut(`  ${JSON.stringify(check.details)}`);
+  }
+}
+async function plansCommand(ctx, subcommand) {
+  const planArgs = ctx.args.positional.slice(2);
+  const [accountArg = "", codeArg = ""] = planArgs;
+  switch (subcommand) {
+    case "show": {
+      Plans.reload();
+      const plans = Plans.list();
+      if (hasFlag(ctx.args, "--json"))
+        writeOut(JSON.stringify(plans, null, 2));
+      else
+        printPlansTable(plans);
+      return;
+    }
+    case "path": {
+      const source = resolvePlansSource();
+      writeOut(source.path ?? source.label);
+      return;
+    }
+    case "init": {
+      await initPlansFile(hasFlag(ctx.args, "--force"));
+      return;
+    }
+    case "edit": {
+      const path = await ensureEditablePlansFile(hasFlag(ctx.args, "--force"));
+      await openEditor(path);
+      return;
+    }
+    case "bind": {
+      const { account, code } = Plans.validateBindingInput(accountArg, codeArg);
+      const db = await openConfiguredDb(ctx);
+      try {
+        AccountSubscriptionRepo.bind(db, account, code);
+      } finally {
+        db.close();
+      }
+      writeOut(`Bound ${account} \u2192 ${code}`);
+      return;
+    }
+    case "unbind": {
+      const account = accountArg.trim();
+      if (!account)
+        throw new Error("Account must be a non-empty string");
+      const db = await openConfiguredDb(ctx);
+      try {
+        AccountSubscriptionRepo.unbind(db, account);
+      } finally {
+        db.close();
+      }
+      writeOut(`Unbound ${account}`);
+      return;
+    }
+    case "list": {
+      const db = await openConfiguredDb(ctx);
+      try {
+        writeOut("Plans:");
+        for (const plan of Plans.list()) {
+          writeOut(`  ${plan.code} - ${plan.display_name}`);
+        }
+        writeOut("Bindings:");
+        const bindings = AccountSubscriptionRepo.list(db);
+        if (bindings.length === 0) {
+          writeOut("  (none)");
+        } else {
+          for (const binding of bindings) {
+            writeOut(`  ${binding.cliproxy_account} \u2192 ${binding.subscription_code} (${binding.bound_at})`);
+          }
+        }
+      } finally {
+        db.close();
+      }
+      return;
+    }
+  }
+  writeErr("Usage: agent-cli-proxy plans <show|edit|path|init|bind|unbind|list>");
+  throw new Error("invalid plans subcommand");
+}
+async function providersCommand(ctx, subcommand) {
+  switch (subcommand) {
+    case "show": {
+      const { ProviderRegistry: ProviderRegistry2 } = await Promise.resolve().then(() => (init_registry(), exports_registry));
+      const providers = ProviderRegistry2.all().map(maskProvider);
+      if (hasFlag(ctx.args, "--json"))
+        writeOut(JSON.stringify(providers, null, 2));
+      else
+        printProvidersTable(providers);
+      return;
+    }
+    case "reload": {
+      const { ProviderRegistry: ProviderRegistry2 } = await Promise.resolve().then(() => (init_registry(), exports_registry));
+      const providers = ProviderRegistry2.forceReload();
+      writeOut(`Reloaded providers: ${providers.length}`);
+      return;
+    }
+    case "path": {
+      writeOut(providerPathLabel(process.env));
+      return;
+    }
+    case "init": {
+      const path = getFlagValue(ctx.args, "--path") ?? process.env.PROVIDERS_CONFIG_PATH ?? defaultProvidersPath;
+      await writeJsonAtomic(path, starterProvidersDocument(), { force: hasFlag(ctx.args, "--force") });
+      writeOut(`Created providers config: ${path}`);
+      return;
+    }
+  }
+  writeErr("Usage: agent-cli-proxy providers <show|reload|path|init>");
+  throw new Error("invalid providers subcommand");
+}
+async function serviceCommand(ctx, subcommand) {
+  const envPath = getFlagValue(ctx.args, "--env") ?? defaultEnvPath;
+  const runtimeDir = getFlagValue(ctx.args, "--runtime-dir") ?? defaultRuntimeDir;
+  switch (subcommand) {
+    case "install":
+      await installRuntime(runtimeDir, envPath);
+      await installService(ctx, runtimeDir, envPath);
+      return 0;
+    case "start":
+    case "stop":
+    case "restart":
+    case "status":
+      return await controlService(subcommand);
+    case "logs":
+      return await serviceLogsCommand(hasFlag(ctx.args, "--follow"));
+  }
+  writeErr("Usage: agent-cli-proxy service <install|start|stop|restart|status|logs [--follow]>");
+  return 1;
+}
+async function installRuntime(runtimeDir, envPath) {
+  await mkdir2(runtimeDir, { recursive: true });
+  const distDir = resolveDistDir();
+  if (!existsSync2(join4(distDir, "index.js"))) {
+    throw new Error("dist/index.js not found. Run `bun run build` first.");
+  }
+  await copyFile(join4(distDir, "index.js"), join4(runtimeDir, "index.js"));
+  await copyGlobByPrefix(distDir, runtimeDir, "index-");
+  await rm(join4(runtimeDir, "migrations"), { recursive: true, force: true });
+  await cp(join4(distDir, "migrations"), join4(runtimeDir, "migrations"), { recursive: true });
+  await writeFile(join4(runtimeDir, ".env.path"), `${envPath}
+`);
+}
+async function copyGlobByPrefix(fromDir, toDir, prefix) {
+  const glob = new Bun.Glob(`${prefix}*`);
+  for await (const file of glob.scan({ cwd: fromDir, onlyFiles: true })) {
+    await copyFile(join4(fromDir, file), join4(toDir, file));
+  }
+}
+async function installService(ctx, runtimeDir, envPath) {
+  if (platform() === "linux") {
+    const unitDir = join4(XDG_CONFIG_HOME, "systemd", "user");
+    const unitPath = getFlagValue(ctx.args, "--service-path") ?? join4(unitDir, `${APP_NAME}.service`);
+    await mkdir2(dirname2(unitPath), { recursive: true });
+    await writeFile(unitPath, renderSystemdUserService(runtimeDir, envPath));
+    writeOut(`Installed systemd user service: ${unitPath}`);
+    writeOut(`Run: systemctl --user daemon-reload && systemctl --user enable --now ${APP_NAME}`);
+    return;
+  }
+  if (platform() === "darwin") {
+    const launchDir = join4(HOME, "Library", "LaunchAgents");
+    const plistPath = getFlagValue(ctx.args, "--service-path") ?? join4(launchDir, `ai.agent-cli-proxy.plist`);
+    await mkdir2(dirname2(plistPath), { recursive: true });
+    await writeFile(plistPath, renderLaunchAgent(runtimeDir, envPath));
+    writeOut(`Installed launchd agent: ${plistPath}`);
+    writeOut(`Run: launchctl load ${plistPath}`);
+    return;
+  }
+  throw new Error(`Unsupported service platform: ${platform()}`);
+}
+async function controlService(action) {
+  if (platform() !== "linux") {
+    writeOut("Service control is only automated for systemd user services. Use launchctl on macOS.");
+    return 0;
+  }
+  const args = action === "status" ? ["--user", "--no-pager", "status", APP_NAME] : ["--user", action, APP_NAME];
+  const proc = Bun.spawn(["systemctl", ...args], { stdout: "inherit", stderr: "inherit" });
+  return await proc.exited;
+}
+async function serviceLogsCommand(follow) {
+  const os = platform();
+  if (os === "linux") {
+    const args = ["--user", "-u", `${APP_NAME}.service`];
+    if (follow)
+      args.push("-f");
+    const proc = Bun.spawn(["journalctl", ...args], { stdout: "inherit", stderr: "inherit" });
+    return await proc.exited;
+  }
+  if (os === "darwin") {
+    const command = follow ? "stream" : "show";
+    const args = [command, "--predicate", `process == "${APP_NAME}"`, "--style", "compact"];
+    const proc = Bun.spawn(["log", ...args], { stdout: "inherit", stderr: "inherit" });
+    return await proc.exited;
+  }
+  writeErr("service logs not supported on this platform; check stderr/stdout");
+  return 1;
+}
+function renderSystemdUserService(runtimeDir, envPath) {
+  assertSafePath(runtimeDir, "runtimeDir");
+  assertSafePath(envPath, "envPath");
+  return `[Unit]
+Description=agent-cli-proxy - AI API Proxy with Usage Monitoring
+After=network-online.target
+
+[Service]
+Type=simple
+WorkingDirectory=${systemdEscape(runtimeDir)}
+Environment=NODE_ENV=production
+Environment=PATH=${systemdEscape(`${HOME}/.bun/bin:/usr/local/bin:/usr/bin:/bin`)}
+EnvironmentFile=${systemdEscape(envPath)}
+ExecStart=${systemdEscape(`${HOME}/.bun/bin/bun`)} run index.js
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=default.target
+`;
+}
+function renderLaunchAgent(runtimeDir, envPath) {
+  assertSafePath(runtimeDir, "runtimeDir");
+  assertSafePath(envPath, "envPath");
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key><string>ai.agent-cli-proxy</string>
+  <key>WorkingDirectory</key><string>${xmlEscape(runtimeDir)}</string>
+  <key>ProgramArguments</key>
+  <array><string>${xmlEscape(`${HOME}/.bun/bin/bun`)}</string><string>--env-file</string><string>${xmlEscape(envPath)}</string><string>run</string><string>index.js</string></array>
+  <key>EnvironmentVariables</key>
+  <dict><key>NODE_ENV</key><string>production</string></dict>
+  <key>RunAtLoad</key><true/>
+  <key>KeepAlive</key><true/>
+</dict>
+</plist>
+`;
+}
+async function initDbAt(dbPath) {
+  await mkdir2(dirname2(dbPath), { recursive: true });
+  const db = Storage.initDb(dbPath);
+  db.close();
+}
+async function openConfiguredDb(ctx) {
+  const envPath = getFlagValue(ctx.args, "--env") ?? defaultEnvPath;
+  const env = parseEnvFile(envPath);
+  applyEnv(env);
+  Config.validate(process.env);
+  return Storage.initDb(env.DB_PATH ?? process.env.DB_PATH ?? defaultDbPath);
+}
+async function writeEnvAtomic(path, envMap, opts) {
+  if (existsSync2(path) && !opts.force && !opts.merge) {
+    throw new Error(`${path} already exists; use --force to overwrite, or --merge to preserve existing values`);
+  }
+  const existing = opts.merge ? parseEnvFile(path) : {};
+  const finalEnv = opts.merge ? { ...envMap, ...existing } : envMap;
+  await writeTextAtomic(path, renderEnv(finalEnv), 384);
+}
+async function writeJsonAtomic(path, value, opts) {
+  if (existsSync2(path) && !opts.force)
+    throw new Error(`${path} already exists; use --force to overwrite`);
+  await writeTextAtomic(path, `${JSON.stringify(value, null, 2)}
+`, 384);
+}
+async function writeTextAtomic(path, text, mode) {
+  await mkdir2(dirname2(path), { recursive: true });
+  const temp = `${path}.tmp.${process.pid}.${crypto.randomUUID()}`;
+  const handle = await open(temp, "w", mode);
+  try {
+    await handle.writeFile(text);
+  } finally {
+    await handle.close();
+  }
+  await chmod(temp, mode);
+  await rename(temp, path);
+  await chmod(path, mode);
+}
+function renderEnv(env) {
+  const lines = Object.entries(env).map(([key, value]) => `${key}=${quoteEnv(value)}`);
+  return `${lines.join(`
+`)}
+`;
+}
+function quoteEnv(value) {
+  if (/^[A-Za-z0-9_./:@-]*$/.test(value))
+    return value;
+  return JSON.stringify(value);
+}
+function parseEnvFile(path) {
+  if (!existsSync2(path))
+    return {};
+  const text = readFileSync5(path, "utf-8");
+  const env = {};
+  for (const line of text.split(`
+`)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#"))
+      continue;
+    const idx = trimmed.indexOf("=");
+    if (idx === -1)
+      continue;
+    env[trimmed.slice(0, idx)] = parseEnvValue(trimmed.slice(idx + 1));
+  }
+  return env;
+}
+function parseEnvValue(raw) {
+  if (!raw.startsWith('"'))
+    return raw;
+  try {
+    const parsed = JSON.parse(raw);
+    return typeof parsed === "string" ? parsed : raw.replace(/^"|"$/g, "");
+  } catch {
+    return raw.replace(/^"|"$/g, "");
+  }
+}
+function parsePositiveLimit(args) {
+  const value = getFlagValue(args, "--limit");
+  if (!value)
+    return;
+  const parsed = Number(value);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : undefined;
+}
+async function ask(rl, question, fallback) {
+  const answer = await rl.question(`${question} (${fallback}): `);
+  return answer.trim() || fallback;
+}
+async function askSecret(rl, question, fallback) {
+  if (!process.stdin.isTTY) {
+    throw new Error(`${question} requires a TTY; use init --non-interactive with environment-backed secret flags`);
+  }
+  const mutableOutput = output;
+  const originalWrite = mutableOutput.write.bind(mutableOutput);
+  let muted = false;
+  mutableOutput.write = (chunk, encoding, cb) => {
+    if (muted)
+      return true;
+    return originalWrite(chunk, encoding, cb);
+  };
+  try {
+    muted = true;
+    const answer = await rl.question(`${question}${fallback ? " (configured)" : ""}: `);
+    muted = false;
+    originalWrite(`
+`);
+    return answer.trim() || fallback;
+  } finally {
+    mutableOutput.write = originalWrite;
+  }
+}
+function resolveDistDir() {
+  if (existsSync2(join4(packagedDistDir, "index.js")))
+    return packagedDistDir;
+  const sourceTreeDist = join4(packageRoot, "dist");
+  if (existsSync2(join4(sourceTreeDist, "index.js")))
+    return sourceTreeDist;
+  const cwdDist = resolve("dist");
+  if (existsSync2(join4(cwdDist, "index.js")))
+    return cwdDist;
+  return packagedDistDir;
+}
+function assertSafePath(path, label) {
+  if (/[\u0000-\u001f\u007f\n\r]/.test(path)) {
+    throw new Error(`${label} contains unsupported control characters`);
+  }
+}
+function systemdEscape(value) {
+  if (/^[A-Za-z0-9_/@%+=:,.-]+$/.test(value))
+    return value;
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"")}"`;
+}
+function xmlEscape(value) {
+  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+async function confirm(rl, question, fallback) {
+  const suffix = fallback ? "Y/n" : "y/N";
+  const answer = (await rl.question(`${question} [${suffix}]: `)).trim().toLowerCase();
+  if (!answer)
+    return fallback;
+  return answer === "y" || answer === "yes";
+}
+function printPaths() {
+  writeOut(JSON.stringify({
+    configDir: defaultConfigDir,
+    dataDir: defaultDataDir,
+    runtimeDir: defaultRuntimeDir,
+    envPath: defaultEnvPath,
+    dbPath: defaultDbPath,
+    pricingCachePath: defaultPricingCachePath,
+    plansPath: defaultPlansPath,
+    providersPath: defaultProvidersPath
+  }, null, 2));
+}
+function printHelp() {
+  writeOut(`agent-cli-proxy
+
+Usage:
+  agent-cli-proxy init [--force|--merge]
+  agent-cli-proxy init --non-interactive [--env PATH] [--data-dir PATH] [--runtime-dir PATH] [--admin-token VALUE|--admin-token-env NAME] [--cliproxy-mgmt-key-env NAME] [--force|--merge]
+  agent-cli-proxy doctor [--env PATH] [--json]
+  agent-cli-proxy db init [--env PATH]
+  agent-cli-proxy service install [--env PATH] [--runtime-dir PATH] [--service-path PATH]
+  agent-cli-proxy service start|stop|restart|status
+  agent-cli-proxy service logs [--follow]
+  agent-cli-proxy backfill-costs [--all] [--limit N]
+  agent-cli-proxy plans show [--json]
+  agent-cli-proxy plans edit|path|init [--force]
+  agent-cli-proxy plans bind <account> <code> [--env PATH]
+  agent-cli-proxy plans unbind <account> [--env PATH]
+  agent-cli-proxy plans list [--env PATH]
+  agent-cli-proxy providers show [--json]
+  agent-cli-proxy providers reload|path|init [--force]
+  agent-cli-proxy paths
+`);
+}
+function applyEnv(env) {
+  for (const [key, value] of Object.entries(env))
+    process.env[key] = value;
+}
+function formatConfigIssue(issue) {
+  return `${issue.path} ${issue.message}`;
+}
+function errorMessage2(err) {
+  return err instanceof Error ? err.message : String(err);
+}
+function resolvePlansSource() {
+  if (process.env.PLANS_JSON?.trim())
+    return { kind: "PLANS_JSON", label: "PLANS_JSON inline" };
+  const envPath = process.env.PLANS_PATH?.trim();
+  if (envPath)
+    return { kind: "PLANS_PATH", path: envPath, label: envPath };
+  if (existsSync2(defaultPlansPath))
+    return { kind: "XDG_CONFIG_HOME", path: defaultPlansPath, label: defaultPlansPath };
+  return { kind: "packaged", label: "packaged default" };
+}
+async function initPlansFile(force) {
+  await writeJsonAtomic(defaultPlansPath, plans_default_default, { force });
+  writeOut(`Created plans config: ${defaultPlansPath}`);
+}
+async function ensureEditablePlansFile(force) {
+  const source = resolvePlansSource();
+  if (source.path && source.kind !== "packaged")
+    return source.path;
+  if (existsSync2(defaultPlansPath) && !force)
+    return defaultPlansPath;
+  await writeJsonAtomic(defaultPlansPath, plans_default_default, { force: force || !existsSync2(defaultPlansPath) });
+  return defaultPlansPath;
+}
+async function openEditor(path) {
+  const editor = process.env.EDITOR?.trim() || "vi";
+  const proc = Bun.spawn([editor, path], { stdout: "inherit", stderr: "inherit", stdin: "inherit" });
+  const exitCode = await proc.exited;
+  if (exitCode !== 0)
+    throw new Error(`${editor} exited with ${exitCode}`);
+}
+function printPlansTable(plans) {
+  writeOut("code\tprovider\tprice\tdisplay_name");
+  for (const plan of plans) {
+    writeOut(`${plan.code}	${plan.provider}	${plan.monthly_price_usd} ${plan.currency}/${plan.billing_period_days}d	${plan.display_name}`);
+  }
+}
+function printProvidersTable(providers) {
+  writeOut("id\ttype\tpaths\tmodels\tauth");
+  for (const provider of providers) {
+    writeOut(`${provider.id}	${provider.type}	${provider.paths.join(",")}	${provider.models?.join(",") ?? ""}	${formatAuth(provider.auth)}`);
+  }
+}
+function maskProvider(provider) {
+  if (typeof provider.auth !== "object" || provider.auth === null)
+    return { ...provider };
+  const auth = { ...provider.auth };
+  if (auth.value !== undefined)
+    auth.value = "[redacted]";
+  return { ...provider, auth };
+}
+function formatAuth(auth) {
+  if (auth === undefined)
+    return "";
+  if (typeof auth === "string")
+    return auth;
+  if (auth.env)
+    return `${auth.type} env:${auth.env}`;
+  if (auth.value)
+    return `${auth.type} value:[redacted]`;
+  return auth.type;
+}
+function providerPathLabel(env) {
+  if (env.PROVIDERS_JSON?.trim())
+    return "PROVIDERS_JSON inline";
+  if (env.PROVIDERS_CONFIG_PATH?.trim())
+    return env.PROVIDERS_CONFIG_PATH.trim();
+  return "(no custom providers configured)";
+}
+function starterProvidersDocument() {
+  return {
+    providers: [
+      {
+        id: "local",
+        type: "openai-compatible",
+        paths: ["/v1/chat/completions"],
+        upstreamBaseUrl: "http://localhost:11434",
+        upstreamPath: "/v1/chat/completions",
+        models: ["llama", "qwen"],
+        auth: "none"
+      },
+      {
+        id: "glm",
+        type: "openai-compatible",
+        paths: ["/v1/chat/completions"],
+        upstreamBaseUrl: "https://open.bigmodel.cn/api/paas/v4",
+        models: ["glm"],
+        auth: { type: "bearer", env: "GLM_API_KEY" }
+      }
+    ]
+  };
+}
+function inspectProviderConfig(env) {
+  const inline = env.PROVIDERS_JSON;
+  if (inline !== undefined && inline.trim() !== "")
+    return inspectProviderRaw("PROVIDERS_JSON", inline);
+  const configPath = env.PROVIDERS_CONFIG_PATH?.trim();
+  if (!configPath)
+    return { source: "built-in", invalid: [] };
+  try {
+    return inspectProviderRaw(configPath, readFileSync5(configPath, "utf-8"));
+  } catch (err) {
+    return { source: configPath, invalid: [{ path: "PROVIDERS_CONFIG_PATH", reason: errorMessage2(err), issues: [{ path: "PROVIDERS_CONFIG_PATH", message: errorMessage2(err) }] }] };
+  }
+}
+function inspectProviderRaw(source, raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    const issue = { path: source, message: errorMessage2(err) };
+    return { source, invalid: [{ path: source, reason: `${source} must be valid JSON: ${issue.message}`, issues: [issue] }] };
+  }
+  const result = validateProviderDocument(parsed);
+  const grouped = new Map;
+  for (const issue of result.issues) {
+    const match = /^providers\[(\d+)]/.exec(issue.path);
+    const path = match ? `providers[${match[1]}]` : issue.path;
+    const issues = grouped.get(path) ?? [];
+    issues.push(issue);
+    grouped.set(path, issues);
+  }
+  return {
+    source,
+    invalid: Array.from(grouped, ([path, issues]) => ({
+      path,
+      reason: issues.map((issue) => `${issue.path} ${issue.message}`).join("; "),
+      issues
+    }))
+  };
+}
+if (import.meta.main) {
+  main().catch((err) => {
+    writeErr(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  });
+}
+export {
+  writeEnvAtomic,
+  runCli,
+  parseArgs,
+  getFlagValue
+};