agent-cli-proxy 0.1.0

package/dist/index.js

@@ -0,0 +1,4801 @@
+// @bun
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+
+// src/util/logger.ts
+var Logger;
+var init_logger = __esm(() => {
+  ((Logger) => {
+    const LEVELS = {
+      debug: 10,
+      info: 20,
+      warn: 30,
+      error: 40
+    };
+    const REDACTED = "[REDACTED]";
+    const defaultSink = {
+      stdout(line) {
+        process.stdout.write(`${line}
+`);
+      },
+      stderr(line) {
+        process.stderr.write(`${line}
+`);
+      }
+    };
+    function create(options = {}) {
+      return new StructuredLogger({
+        level: normalizeLevel(options.level),
+        format: normalizeFormat(options.format),
+        base: redact(options.base ?? {}),
+        sink: options.sink ?? defaultSink
+      });
+    }
+    Logger.create = create;
+    function fromConfig(options = {}) {
+      return create({
+        ...options,
+        level: normalizeLevel(process.env.LOG_LEVEL),
+        format: normalizeFormat(process.env.LOG_FORMAT)
+      });
+    }
+    Logger.fromConfig = fromConfig;
+    function redactValue(value) {
+      return redact(value);
+    }
+    Logger.redactValue = redactValue;
+
+    class StructuredLogger {
+      options;
+      constructor(options) {
+        this.options = options;
+      }
+      child(base) {
+        return new StructuredLogger({
+          ...this.options,
+          base: {
+            ...this.options.base,
+            ...redact(base)
+          }
+        });
+      }
+      debug(msg, fields) {
+        this.write("debug", msg, fields);
+      }
+      info(msg, fields) {
+        this.write("info", msg, fields);
+      }
+      warn(msg, fields) {
+        this.write("warn", msg, fields);
+      }
+      error(msg, fields) {
+        this.write("error", msg, fields);
+      }
+      write(level, msg, fields = {}) {
+        if (LEVELS[level] < LEVELS[this.options.level])
+          return;
+        const record = {
+          ts: new Date().toISOString(),
+          level,
+          msg,
+          ...this.options.base,
+          ...redact(fields)
+        };
+        const line = this.options.format === "pretty" ? formatPretty(record) : JSON.stringify(record);
+        if (level === "error") {
+          this.options.sink.stderr(line);
+          return;
+        }
+        this.options.sink.stdout(line);
+      }
+    }
+    function normalizeLevel(value) {
+      if (value === "debug" || value === "info" || value === "warn" || value === "error")
+        return value;
+      return "info";
+    }
+    function normalizeFormat(value) {
+      if (value === "pretty")
+        return "pretty";
+      return "json";
+    }
+    function isSensitiveKey(key) {
+      return /authorization|x[-_]?api[-_]?key|api[-_]?key|token|password|secret/i.test(key);
+    }
+    function redact(value, seen = new WeakSet) {
+      if (value === null || value === undefined)
+        return value;
+      if (typeof value !== "object")
+        return value;
+      if (value instanceof Error) {
+        return {
+          name: value.name,
+          message: value.message,
+          stack: value.stack
+        };
+      }
+      if (seen.has(value))
+        return "[Circular]";
+      seen.add(value);
+      if (Array.isArray(value)) {
+        return value.map((item) => redact(item, seen));
+      }
+      if (value instanceof Headers) {
+        const out2 = {};
+        for (const [key, headerValue] of value.entries()) {
+          out2[key] = isSensitiveKey(key) ? REDACTED : headerValue;
+        }
+        return out2;
+      }
+      const out = {};
+      for (const [key, entry] of Object.entries(value)) {
+        out[key] = isSensitiveKey(key) ? REDACTED : redact(entry, seen);
+      }
+      return out;
+    }
+    function formatPretty(record) {
+      const { ts, level, msg, ...fields } = record;
+      const suffix = Object.entries(fields).map(([key, value]) => `${key}=${formatPrettyValue(value)}`).join(" ");
+      return suffix ? `${ts} ${level.toUpperCase()} ${msg} ${suffix}` : `${ts} ${level.toUpperCase()} ${msg}`;
+    }
+    function formatPrettyValue(value) {
+      if (typeof value === "string")
+        return value.includes(" ") ? JSON.stringify(value) : value;
+      return JSON.stringify(value);
+    }
+  })(Logger ||= {});
+});
+
+// src/provider/registry-schema.ts
+function parseProviderInput(value, path = "provider") {
+  const issues = [];
+  const provider = normalizeProvider(value, path, issues);
+  return {
+    ok: issues.length === 0 && provider !== undefined,
+    provider: issues.length === 0 ? provider : undefined,
+    issues
+  };
+}
+function validateProviderDocument(value) {
+  const issues = [];
+  const providers = [];
+  if (!isRecord(value)) {
+    issues.push({ path: "providers", message: "must be contained in an object" });
+    return { providers, issues };
+  }
+  if (!Array.isArray(value.providers)) {
+    issues.push({ path: "providers", message: "must be an array" });
+    return { providers, issues };
+  }
+  value.providers.forEach((entry, index) => {
+    const result = parseProviderInput(entry, `providers[${index}]`);
+    if (result.provider)
+      providers.push(result.provider);
+    issues.push(...result.issues);
+  });
+  return { providers, issues };
+}
+function normalizeProvider(value, path, issues) {
+  if (!isRecord(value)) {
+    issues.push({ path, message: "must be an object" });
+    return;
+  }
+  const id = readRequiredString(value, "id", path, issues);
+  const type = readProviderType(value.type, `${path}.type`, issues);
+  const paths = readRequiredStringArray(value, "paths", path, issues);
+  const upstreamBaseUrl = readRequiredHttpUrl(value.upstreamBaseUrl, `${path}.upstreamBaseUrl`, issues);
+  const upstreamPath = readOptionalString(value, "upstreamPath", path, issues);
+  const models = readOptionalStringArray(value, "models", path, issues);
+  const headers = readOptionalHeaders(value, path, issues);
+  const auth = readOptionalAuth(value.auth, `${path}.auth`, issues);
+  const stripProviderField = readOptionalBoolean(value, "stripProviderField", path, issues);
+  if (!id || !type || paths.length === 0 || !upstreamBaseUrl)
+    return;
+  const provider = {
+    id,
+    type,
+    paths,
+    upstreamBaseUrl
+  };
+  if (upstreamPath !== undefined)
+    provider.upstreamPath = upstreamPath;
+  if (models !== undefined)
+    provider.models = models;
+  if (headers !== undefined)
+    provider.headers = headers;
+  if (auth !== undefined)
+    provider.auth = auth;
+  if (stripProviderField !== undefined)
+    provider.stripProviderField = stripProviderField;
+  return provider;
+}
+function readRequiredString(record, key, path, issues) {
+  const value = record[key];
+  if (typeof value !== "string" || value.trim() === "") {
+    issues.push({ path: `${path}.${key}`, message: "must be a non-empty string" });
+    return;
+  }
+  return value.trim();
+}
+function readProviderType(value, path, issues) {
+  if (typeof value !== "string" || !ALLOWED_PROVIDER_TYPES.has(value)) {
+    issues.push({ path, message: `must be one of ${Array.from(ALLOWED_PROVIDER_TYPES).join(", ")}` });
+    return;
+  }
+  return value;
+}
+function readRequiredStringArray(record, key, path, issues) {
+  const value = record[key];
+  if (!Array.isArray(value) || value.length === 0) {
+    issues.push({ path: `${path}.${key}`, message: "must be a non-empty string array" });
+    return [];
+  }
+  const out = [];
+  value.forEach((entry, index) => {
+    if (typeof entry !== "string" || entry.trim() === "") {
+      issues.push({ path: `${path}.${key}[${index}]`, message: "must be a non-empty string" });
+      return;
+    }
+    out.push(entry.trim());
+  });
+  return out;
+}
+function readRequiredHttpUrl(value, path, issues) {
+  if (typeof value !== "string" || value.trim() === "") {
+    issues.push({ path, message: "must be a non-empty http(s) URL string" });
+    return;
+  }
+  return normalizeHttpUrl(value, path, issues);
+}
+function normalizeHttpUrl(raw, path, issues) {
+  try {
+    const parsed = new URL(raw);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      issues.push({ path, message: "must be an http(s) URL" });
+      return;
+    }
+    return parsed.toString().replace(/\/+$/, "");
+  } catch {
+    issues.push({ path, message: "must be a parseable http(s) URL" });
+    return;
+  }
+}
+function readOptionalString(record, key, path, issues) {
+  const value = record[key];
+  if (value === undefined)
+    return;
+  if (typeof value !== "string" || value.trim() === "") {
+    issues.push({ path: `${path}.${key}`, message: "must be a non-empty string" });
+    return;
+  }
+  return value.trim();
+}
+function readOptionalStringArray(record, key, path, issues) {
+  const value = record[key];
+  if (value === undefined)
+    return;
+  if (!Array.isArray(value)) {
+    issues.push({ path: `${path}.${key}`, message: "must be a string array" });
+    return;
+  }
+  const out = [];
+  value.forEach((entry, index) => {
+    if (typeof entry !== "string" || entry.trim() === "") {
+      issues.push({ path: `${path}.${key}[${index}]`, message: "must be a non-empty string" });
+      return;
+    }
+    out.push(entry.trim());
+  });
+  return out;
+}
+function readOptionalBoolean(record, key, path, issues) {
+  const value = record[key];
+  if (value === undefined)
+    return;
+  if (typeof value !== "boolean") {
+    issues.push({ path: `${path}.${key}`, message: "must be a boolean" });
+    return;
+  }
+  return value;
+}
+function readOptionalHeaders(provider, path, issues) {
+  const value = provider.headers;
+  if (value === undefined)
+    return;
+  if (!isRecord(value)) {
+    issues.push({ path: `${path}.headers`, message: "must be an object" });
+    return;
+  }
+  const headers = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (key.trim() === "") {
+      issues.push({ path: `${path}.headers`, message: "must not contain empty header names" });
+      continue;
+    }
+    if (typeof entry !== "string") {
+      issues.push({ path: `${path}.headers.${key}`, message: "must be a string" });
+      continue;
+    }
+    headers[key] = entry;
+  }
+  return headers;
+}
+function readOptionalAuth(auth, path, issues) {
+  if (auth === undefined)
+    return;
+  if (typeof auth === "string") {
+    if (!ALLOWED_AUTH_TYPES.has(auth)) {
+      issues.push({ path, message: `must be one of ${Array.from(ALLOWED_AUTH_TYPES).join(", ")}` });
+      return;
+    }
+    return auth;
+  }
+  if (!isRecord(auth)) {
+    issues.push({ path, message: "must be a string or object" });
+    return;
+  }
+  for (const key of Object.keys(auth)) {
+    if (!ALLOWED_AUTH_OBJECT_KEYS.has(key))
+      issues.push({ path: `${path}.${key}`, message: "is not supported" });
+  }
+  const type = auth.type;
+  if (typeof type !== "string" || type.trim() === "") {
+    issues.push({ path: `${path}.type`, message: "must be a non-empty string" });
+    return;
+  }
+  if (!ALLOWED_AUTH_TYPES.has(type)) {
+    issues.push({ path: `${path}.type`, message: `must be one of ${Array.from(ALLOWED_AUTH_TYPES).join(", ")}` });
+    return;
+  }
+  const result = { type };
+  readAuthString(auth, "env", path, issues, result);
+  readAuthString(auth, "value", path, issues, result);
+  readAuthString(auth, "header", path, issues, result);
+  return result;
+}
+function readAuthString(auth, key, path, issues, result) {
+  const value = auth[key];
+  if (value === undefined)
+    return;
+  if (typeof value !== "string" || value.trim() === "") {
+    issues.push({ path: `${path}.${key}`, message: "must be a non-empty string" });
+    return;
+  }
+  result[key] = value.trim();
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+var ALLOWED_PROVIDER_TYPES, ALLOWED_AUTH_TYPES, ALLOWED_AUTH_OBJECT_KEYS;
+var init_registry_schema = __esm(() => {
+  ALLOWED_PROVIDER_TYPES = new Set(["openai-compatible", "anthropic"]);
+  ALLOWED_AUTH_TYPES = new Set(["none", "preserve", "bearer", "x-api-key"]);
+  ALLOWED_AUTH_OBJECT_KEYS = new Set(["type", "env", "value", "header"]);
+});
+
+// src/config/validate.ts
+import { readFileSync } from "fs";
+function readString(env, key, fallback) {
+  const value = env[key];
+  return value === undefined ? fallback : value;
+}
+function readPort(env, issues) {
+  const raw = env.PROXY_PORT ?? "3100";
+  const parsed = Number(raw);
+  if (!Number.isInteger(parsed) || parsed < 1 || parsed > 65535) {
+    issues.push({ path: "PROXY_PORT", message: "must be an integer from 1 to 65535" });
+    return 3100;
+  }
+  return parsed;
+}
+function readPositiveNumber(env, key, fallback, issues) {
+  const raw = env[key];
+  if (raw === undefined)
+    return fallback;
+  const parsed = Number(raw);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    issues.push({ path: key, message: "must be a positive finite number" });
+    return fallback;
+  }
+  return parsed;
+}
+function readRequiredUrl(env, key, issues, warnings) {
+  const raw = env[key];
+  if (raw === undefined || raw.trim() === "") {
+    if (env.PROXY_LOCAL_OK === "1") {
+      warnings.push({
+        path: key,
+        message: `defaulted to ${DEFAULT_CLI_PROXY_API_URL} because PROXY_LOCAL_OK=1`
+      });
+      return DEFAULT_CLI_PROXY_API_URL;
+    }
+    issues.push({ path: key, message: "is required unless PROXY_LOCAL_OK=1 permits the local default" });
+    return DEFAULT_CLI_PROXY_API_URL;
+  }
+  return normalizeHttpUrl2(raw, key, issues) ?? raw;
+}
+function normalizeHttpUrl2(raw, path, issues) {
+  try {
+    const parsed = new URL(raw);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      issues.push({ path, message: "must be an http(s) URL" });
+      return;
+    }
+    return parsed.toString().replace(/\/+$/, "");
+  } catch {
+    issues.push({ path, message: "must be a parseable http(s) URL" });
+    return;
+  }
+}
+function readCchPositions(env, issues) {
+  const raw = env.CCH_POSITIONS ?? "[4,7,20]";
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    issues.push({ path: "CCH_POSITIONS", message: "must be JSON array of finite non-negative integers" });
+    return [4, 7, 20];
+  }
+  if (!Array.isArray(parsed)) {
+    issues.push({ path: "CCH_POSITIONS", message: "must be an array" });
+    return [4, 7, 20];
+  }
+  parsed.forEach((value, index) => {
+    if (!Number.isInteger(value) || value < 0) {
+      issues.push({ path: `CCH_POSITIONS[${index}]`, message: "must be a finite non-negative integer" });
+    }
+  });
+  return parsed.filter((value) => Number.isInteger(value) && value >= 0);
+}
+function readClientNameMapping(env, issues) {
+  const mapping = new Map;
+  const raw = env.CLIENT_NAME_MAPPING;
+  if (raw === undefined || raw.trim() === "")
+    return mapping;
+  raw.split(",").forEach((entry, index) => {
+    const pair = entry.trim();
+    const splitAt = pair.indexOf("=");
+    const key = splitAt >= 0 ? pair.slice(0, splitAt).trim() : "";
+    const value = splitAt >= 0 ? pair.slice(splitAt + 1).trim() : "";
+    if (!key || !value) {
+      issues.push({ path: `CLIENT_NAME_MAPPING[${index}]`, message: "must be a non-empty key=value entry" });
+      return;
+    }
+    mapping.set(key, value);
+  });
+  return mapping;
+}
+function validateProviderConfig(env, issues) {
+  const inline = env.PROVIDERS_JSON;
+  const filePath = env.PROVIDERS_CONFIG_PATH;
+  if (inline !== undefined && inline.trim() !== "") {
+    validateProviderJson(inline, "PROVIDERS_JSON", issues);
+    return;
+  }
+  if (filePath === undefined || filePath.trim() === "")
+    return;
+  try {
+    validateProviderJson(readFileSync(filePath, "utf-8"), "PROVIDERS_CONFIG_PATH", issues);
+  } catch (err) {
+    issues.push({
+      path: "PROVIDERS_CONFIG_PATH",
+      message: `could not be read: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+}
+function validateProviderJson(raw, basePath, issues) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    issues.push({
+      path: basePath,
+      message: `must be valid JSON: ${err instanceof Error ? err.message : String(err)}`
+    });
+    return;
+  }
+  const result = validateProviderDocument(parsed);
+  issues.push(...result.issues);
+}
+function isLoopbackHost(host) {
+  return LOOPBACK_HOSTS.has(host.trim().toLowerCase());
+}
+var ConfigError, Config, DEFAULT_CLI_PROXY_API_URL = "http://localhost:8317", LOOPBACK_HOSTS;
+var init_validate = __esm(() => {
+  init_registry_schema();
+  ConfigError = class ConfigError extends Error {
+    issues;
+    name = "ConfigError";
+    code = "CONFIG_INVALID";
+    constructor(issues) {
+      super(`Configuration validation failed: ${issues.map((issue) => `${issue.path} ${issue.message}`).join("; ")}`);
+      this.issues = issues;
+    }
+  };
+  ((Config) => {
+    function validate(env = process.env, options = {}) {
+      const issues = [];
+      const warnings = [];
+      const host = readString(env, "PROXY_HOST", "127.0.0.1");
+      const cliProxyApiUrl = readRequiredUrl(env, "CLI_PROXY_API_URL", issues, warnings);
+      const config = {
+        port: readPort(env, issues),
+        host,
+        adminApiKey: readString(env, "ADMIN_API_KEY", ""),
+        cliProxyApiUrl,
+        claudeCodeVersion: readString(env, "CLAUDE_CODE_VERSION", "2.1.87"),
+        cchSalt: readString(env, "CCH_SALT", "59cf53e54c78"),
+        cchPositions: readCchPositions(env, issues),
+        toolPrefix: readString(env, "TOOL_PREFIX", "mcp_"),
+        cliProxyApiKey: readString(env, "CLI_PROXY_API_KEY", "proxy"),
+        dbPath: readString(env, "DB_PATH", "data/proxy.db"),
+        pricingCacheTtlMs: readPositiveNumber(env, "PRICING_CACHE_TTL_MS", 3600000, issues),
+        pricingCachePath: readString(env, "PRICING_CACHE_PATH", "data/pricing-cache.json"),
+        readyPricingMaxAgeMs: readPositiveNumber(env, "READY_PRICING_MAX_AGE_MS", 86400000, issues),
+        pricingRefreshIntervalMs: readPositiveNumber(env, "PRICING_REFRESH_INTERVAL_MS", 21600000, issues),
+        costBackfillIntervalMs: readPositiveNumber(env, "COST_BACKFILL_INTERVAL_MS", 1800000, issues),
+        costBackfillLookbackMs: readPositiveNumber(env, "COST_BACKFILL_LOOKBACK_MS", 604800000, issues),
+        logLevel: readString(env, "LOG_LEVEL", "info"),
+        clientNameMapping: readClientNameMapping(env, issues),
+        cliproxyMgmtKey: readString(env, "CLIPROXY_MGMT_KEY", ""),
+        cliproxyCorrelationIntervalMs: readPositiveNumber(env, "CLIPROXY_CORRELATION_INTERVAL_MS", 15000, issues),
+        cliproxyCorrelationLookbackMs: readPositiveNumber(env, "CLIPROXY_CORRELATION_LOOKBACK_MS", 300000, issues),
+        cliproxyAuthDir: readString(env, "CLIPROXY_AUTH_DIR", ""),
+        quotaRefreshIntervalMs: readPositiveNumber(env, "QUOTA_REFRESH_INTERVAL_MS", 300000, issues),
+        quotaRefreshTimeoutMs: readPositiveNumber(env, "QUOTA_REFRESH_TIMEOUT_MS", 15000, issues),
+        upstreamTimeoutMs: readPositiveNumber(env, "UPSTREAM_TIMEOUT_MS", 300000, issues),
+        upstreamConnectTimeoutMs: readPositiveNumber(env, "UPSTREAM_CONNECT_TIMEOUT_MS", 1e4, issues)
+      };
+      if (!isLoopbackHost(config.host) && !config.adminApiKey) {
+        issues.push({
+          path: "ADMIN_API_KEY",
+          message: "is required when PROXY_HOST is not loopback"
+        });
+      }
+      validateProviderConfig(env, issues);
+      if (issues.length > 0)
+        throw new ConfigError(issues);
+      for (const warning of warnings)
+        options.onWarning?.(warning);
+      return Object.freeze(config);
+    }
+    Config.validate = validate;
+  })(Config ||= {});
+  LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "::1"]);
+});
+
+// src/config/index.ts
+var exports_config = {};
+__export(exports_config, {
+  ConfigError: () => ConfigError,
+  Config: () => Config2
+});
+var configLogger, validated, Config2;
+var init_config = __esm(() => {
+  init_logger();
+  init_validate();
+  init_validate();
+  configLogger = Logger.fromConfig().child({ component: "config" });
+  validated = Config.validate(process.env, {
+    onWarning(issue) {
+      configLogger.warn("configuration warning", { event: "config.warning", ...issue });
+    }
+  });
+  Config2 = Object.freeze({
+    ...validated,
+    validate: Config.validate
+  });
+});
+
+// src/storage/db.ts
+var exports_db = {};
+__export(exports_db, {
+  Storage: () => Storage,
+  STALE_PENDING_MAX_AGE_MS: () => STALE_PENDING_MAX_AGE_MS
+});
+import { Database } from "bun:sqlite";
+import { readFileSync as readFileSync2, readdirSync } from "fs";
+import { join } from "path";
+function parseStalePendingMaxAgeMs(raw) {
+  if (raw === undefined)
+    return 600000;
+  const parsed = Number(raw);
+  if (!Number.isFinite(parsed) || parsed <= 0)
+    return 600000;
+  return parsed;
+}
+var logger, STALE_PENDING_MAX_AGE_MS, Storage;
+var init_db = __esm(() => {
+  init_logger();
+  logger = Logger.fromConfig().child({ component: "storage-db" });
+  STALE_PENDING_MAX_AGE_MS = parseStalePendingMaxAgeMs(process.env.STALE_PENDING_MAX_AGE_MS);
+  ((Storage) => {
+    function splitStatements(sql) {
+      const stripped = sql.replace(/^\s*--.*$/gm, "");
+      return stripped.split(";").map((s) => s.trim()).filter((s) => s.length > 0);
+    }
+    function execSafe(db, statement) {
+      try {
+        db.exec(statement);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        const ignorable = msg.includes("duplicate column name") || msg.includes("already exists") || msg.includes("no such column") || statement.toUpperCase().includes("ADD COLUMN") && msg.includes("syntax error");
+        if (!ignorable)
+          throw err;
+      }
+    }
+    function ensureColumn(db, table, column, typeDef) {
+      const cols = db.prepare(`PRAGMA table_info(${table})`).all();
+      if (cols.some((c) => c.name === column))
+        return;
+      db.exec(`ALTER TABLE ${table} ADD COLUMN ${column} ${typeDef}`);
+    }
+    function initDb(dbPath) {
+      const db = new Database(dbPath);
+      db.exec("PRAGMA journal_mode = WAL");
+      db.exec("PRAGMA synchronous = NORMAL");
+      db.exec(`
+      CREATE TABLE IF NOT EXISTS schema_migrations (
+        name TEXT PRIMARY KEY,
+        applied_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+      )
+    `);
+      const migrationsDir = join(import.meta.dir, "migrations");
+      const files = readdirSync(migrationsDir).filter((f) => f.endsWith(".sql")).sort();
+      for (const file of files) {
+        const applied = db.prepare("SELECT name FROM schema_migrations WHERE name = ?").get(file);
+        if (applied)
+          continue;
+        const sql = readFileSync2(join(migrationsDir, file), "utf-8");
+        const txn = db.transaction(() => {
+          for (const stmt of splitStatements(sql)) {
+            execSafe(db, stmt);
+          }
+          db.prepare("INSERT INTO schema_migrations (name) VALUES (?)").run(file);
+        });
+        try {
+          txn();
+        } catch (err) {
+          logger.error("migration failed", { err, file });
+          throw err;
+        }
+      }
+      ensureColumn(db, "request_logs", "cliproxy_account", "TEXT");
+      ensureColumn(db, "request_logs", "cliproxy_auth_index", "TEXT");
+      ensureColumn(db, "request_logs", "cliproxy_source", "TEXT");
+      ensureColumn(db, "request_logs", "request_id", "TEXT");
+      ensureColumn(db, "request_logs", "reasoning_tokens", "INTEGER DEFAULT 0");
+      ensureColumn(db, "request_logs", "actual_model", "TEXT");
+      ensureColumn(db, "request_logs", "user_agent", "TEXT");
+      ensureColumn(db, "request_logs", "source_ip", "TEXT");
+      ensureColumn(db, "request_logs", "correlated_at", "TEXT");
+      ensureColumn(db, "request_logs", "agent", "TEXT");
+      ensureColumn(db, "request_logs", "source", "TEXT DEFAULT 'proxy'");
+      ensureColumn(db, "request_logs", "msg_id", "TEXT");
+      ensureColumn(db, "request_logs", "lifecycle_status", "TEXT NOT NULL DEFAULT 'pending' CHECK(lifecycle_status IN ('pending', 'completed', 'error', 'aborted'))");
+      ensureColumn(db, "request_logs", "cost_status", "TEXT NOT NULL DEFAULT 'unresolved' CHECK(cost_status IN ('unresolved', 'ok', 'pending', 'unsupported'))");
+      ensureColumn(db, "request_logs", "subscription_code", "TEXT");
+      ensureColumn(db, "request_logs", "finalized_at", "TEXT");
+      ensureColumn(db, "request_logs", "error_message", "TEXT");
+      db.exec(`
+      UPDATE request_logs
+      SET lifecycle_status = CASE
+          WHEN incomplete = 1
+            OR error_code IS NOT NULL
+            OR status >= 400 THEN 'error'
+          ELSE 'completed'
+        END,
+        finalized_at = COALESCE(finalized_at, finished_at, started_at),
+        cost_status = CASE
+          WHEN cost_usd > 0 THEN 'ok'
+          ELSE 'pending'
+        END
+      WHERE lifecycle_status = 'pending'
+        AND (finalized_at IS NULL OR cost_status = 'unresolved')
+        AND (finished_at IS NOT NULL OR incomplete = 1 OR error_code IS NOT NULL OR status IS NOT NULL)
+    `);
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_cliproxy_account ON request_logs(cliproxy_account)");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_cliproxy_auth_index ON request_logs(cliproxy_auth_index)");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_request_id ON request_logs(request_id)");
+      db.exec("CREATE UNIQUE INDEX IF NOT EXISTS idx_request_logs_msg_id ON request_logs(msg_id) WHERE msg_id IS NOT NULL");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_lifecycle_status ON request_logs(lifecycle_status)");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_cost_status ON request_logs(cost_status)");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_request_logs_subscription_code ON request_logs(subscription_code) WHERE subscription_code IS NOT NULL");
+      db.exec(`
+      CREATE TABLE IF NOT EXISTS cost_audit (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        request_log_id INTEGER,
+        model TEXT,
+        provider TEXT,
+        source TEXT,
+        base_cost_usd REAL,
+        calc_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+        FOREIGN KEY (request_log_id) REFERENCES request_logs(id)
+      )
+    `);
+      db.exec("CREATE INDEX IF NOT EXISTS idx_cost_audit_request_log_id ON cost_audit(request_log_id)");
+      db.exec(`
+      CREATE TABLE IF NOT EXISTS quota_snapshots (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        timestamp TEXT NOT NULL,
+        provider TEXT NOT NULL,
+        account TEXT NOT NULL,
+        quota_type TEXT NOT NULL,
+        used_pct REAL,
+        remaining REAL,
+        remaining_raw TEXT,
+        resets_at TEXT,
+        raw_json TEXT
+      )
+    `);
+      db.exec("CREATE INDEX IF NOT EXISTS idx_quota_snapshots_provider ON quota_snapshots(provider, account, timestamp)");
+      db.exec(`
+      CREATE TABLE IF NOT EXISTS daily_account_usage (
+        day TEXT NOT NULL,
+        provider TEXT NOT NULL,
+        model TEXT NOT NULL,
+        cliproxy_account TEXT NOT NULL,
+        cliproxy_auth_index TEXT,
+        request_count INTEGER DEFAULT 0,
+        prompt_tokens INTEGER DEFAULT 0,
+        completion_tokens INTEGER DEFAULT 0,
+        cache_creation_tokens INTEGER DEFAULT 0,
+        cache_read_tokens INTEGER DEFAULT 0,
+        reasoning_tokens INTEGER DEFAULT 0,
+        total_tokens INTEGER DEFAULT 0,
+        cost_usd REAL DEFAULT 0,
+        PRIMARY KEY (day, provider, model, cliproxy_account)
+      )
+    `);
+      db.exec("CREATE INDEX IF NOT EXISTS idx_daily_account_usage_day ON daily_account_usage(day)");
+      db.exec("CREATE INDEX IF NOT EXISTS idx_daily_account_usage_account ON daily_account_usage(cliproxy_account)");
+      return db;
+    }
+    Storage.initDb = initDb;
+    function recoverStalePending(db, maxAgeMs = STALE_PENDING_MAX_AGE_MS) {
+      const now = new Date().toISOString();
+      const threshold = new Date(Date.now() - maxAgeMs).toISOString();
+      const stmt = db.prepare(`
+      UPDATE request_logs
+      SET lifecycle_status = 'aborted',
+          error_message = 'boot-recovery',
+          finalized_at = ?,
+          finished_at = COALESCE(finished_at, ?),
+          incomplete = 1,
+          cost_status = CASE
+            WHEN cost_status = 'unresolved' THEN 'pending'
+            ELSE cost_status
+          END
+      WHERE lifecycle_status = 'pending'
+        AND started_at < ?
+    `);
+      const result = stmt.run(now, now, threshold);
+      const recovered = result.changes;
+      if (recovered > 0) {
+        logger.warn("recovered stale pending request logs", {
+          event: "lifecycle.boot_recovery",
+          recovered,
+          max_age_ms: maxAgeMs,
+          threshold
+        });
+      }
+      return recovered;
+    }
+    Storage.recoverStalePending = recoverStalePending;
+  })(Storage ||= {});
+});
+
+// src/storage/account-subscriptions.ts
+var AccountSubscriptionRepo;
+var init_account_subscriptions = __esm(() => {
+  ((AccountSubscriptionRepo) => {
+    function bind(db, cliproxyAccount, subscriptionCode) {
+      db.prepare(`
+      INSERT INTO account_subscriptions (
+        cliproxy_account, subscription_code, bound_at
+      ) VALUES (?, ?, CURRENT_TIMESTAMP)
+      ON CONFLICT(cliproxy_account) DO UPDATE SET
+        subscription_code = excluded.subscription_code,
+        bound_at = CURRENT_TIMESTAMP
+    `).run(cliproxyAccount, subscriptionCode);
+    }
+    AccountSubscriptionRepo.bind = bind;
+    function unbind(db, cliproxyAccount) {
+      db.prepare("DELETE FROM account_subscriptions WHERE cliproxy_account = ?").run(cliproxyAccount);
+    }
+    AccountSubscriptionRepo.unbind = unbind;
+    function get(db, cliproxyAccount) {
+      return db.prepare(`
+      SELECT cliproxy_account, subscription_code, bound_at
+      FROM account_subscriptions
+      WHERE cliproxy_account = ?
+    `).get(cliproxyAccount);
+    }
+    AccountSubscriptionRepo.get = get;
+    function list(db) {
+      return db.prepare(`
+      SELECT cliproxy_account, subscription_code, bound_at
+      FROM account_subscriptions
+      ORDER BY cliproxy_account ASC
+    `).all();
+    }
+    AccountSubscriptionRepo.list = list;
+  })(AccountSubscriptionRepo ||= {});
+});
+
+// src/storage/repo.ts
+function parseLifecycleStatus(value) {
+  if (value === "completed" || value === "error" || value === "aborted")
+    return value;
+  return "pending";
+}
+var RequestRepo, UsageRepo, QuotaRepo;
+var init_repo = __esm(() => {
+  ((RequestRepo) => {
+    function insert(db, log) {
+      const lifecycleStatus = log.lifecycle_status ?? (log.incomplete === 1 || log.error_code || (log.status ?? 0) >= 400 ? "error" : "completed");
+      const costStatus = log.cost_status ?? (log.cost_usd > 0 ? "ok" : lifecycleStatus === "pending" ? "unresolved" : "pending");
+      const finalizedAt = log.finalized_at ?? (lifecycleStatus === "pending" ? null : log.finished_at ?? log.started_at);
+      const stmt = db.prepare(`
+      INSERT INTO request_logs (
+        request_id, provider, model, actual_model, tool, client_id, path,
+        streamed, status, prompt_tokens, completion_tokens,
+        cache_creation_tokens, cache_read_tokens, reasoning_tokens,
+        total_tokens, cost_usd, incomplete, error_code, latency_ms,
+        started_at, finished_at, meta_json, user_agent, source_ip,
+        agent, source, msg_id, lifecycle_status, cost_status,
+        subscription_code, finalized_at, error_message
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+      const result = stmt.run(log.request_id ?? null, log.provider, log.model, log.actual_model ?? null, log.tool, log.client_id, log.path, log.streamed, log.status ?? null, log.prompt_tokens, log.completion_tokens, log.cache_creation_tokens, log.cache_read_tokens, log.reasoning_tokens ?? 0, log.total_tokens, log.cost_usd, log.incomplete, log.error_code ?? null, log.latency_ms ?? null, log.started_at, log.finished_at ?? null, log.meta_json ?? null, log.user_agent ?? null, log.source_ip ?? null, log.agent ?? null, log.source ?? "proxy", log.msg_id ?? null, lifecycleStatus, costStatus, log.subscription_code ?? null, finalizedAt, log.error_message ?? null);
+      return result.lastInsertRowid;
+    }
+    RequestRepo.insert = insert;
+    function getRecent(db, limit, offset, tool, clientId) {
+      let sql = `SELECT * FROM request_logs WHERE 1=1`;
+      const params = [];
+      if (tool) {
+        sql += ` AND tool = ?`;
+        params.push(tool);
+      }
+      if (clientId) {
+        sql += ` AND client_id = ?`;
+        params.push(clientId);
+      }
+      sql += ` ORDER BY started_at DESC LIMIT ? OFFSET ?`;
+      params.push(limit, offset);
+      const stmt = db.prepare(sql);
+      return stmt.all(...params);
+    }
+    RequestRepo.getRecent = getRecent;
+    function getById(db, id) {
+      const stmt = db.prepare("SELECT * FROM request_logs WHERE id = ?");
+      return stmt.get(id) || null;
+    }
+    RequestRepo.getById = getById;
+    function aggregateByAccountForMonth(db, monthStart, monthEnd) {
+      const stmt = db.prepare(`
+      SELECT
+        rl.cliproxy_account AS cliproxy_account,
+        sub.subscription_code AS subscription_code,
+        COUNT(*) AS total_requests,
+        COALESCE(SUM(rl.cost_usd), 0) AS total_cost_usd
+      FROM request_logs rl
+      LEFT JOIN account_subscriptions sub
+        ON sub.cliproxy_account = rl.cliproxy_account
+      WHERE rl.lifecycle_status = 'completed'
+        AND rl.started_at >= ?
+        AND rl.started_at < ?
+        AND rl.cliproxy_account IS NOT NULL
+        AND rl.cliproxy_account <> ''
+      GROUP BY rl.cliproxy_account, sub.subscription_code
+      ORDER BY total_cost_usd DESC, rl.cliproxy_account ASC
+    `);
+      return stmt.all(monthStart, monthEnd).map((row) => {
+        const record = row;
+        return {
+          cliproxy_account: String(record.cliproxy_account),
+          subscription_code: typeof record.subscription_code === "string" ? record.subscription_code : null,
+          total_requests: Number(record.total_requests ?? 0),
+          total_cost_usd: Number(record.total_cost_usd ?? 0)
+        };
+      });
+    }
+    RequestRepo.aggregateByAccountForMonth = aggregateByAccountForMonth;
+    function getRecentByAccount(db, cliproxyAccount, limit) {
+      const stmt = db.prepare(`
+      SELECT started_at, model, total_tokens, cost_usd, lifecycle_status
+      FROM request_logs
+      WHERE cliproxy_account = ?
+      ORDER BY started_at DESC
+      LIMIT ?
+    `);
+      return stmt.all(cliproxyAccount, limit).map((row) => {
+        const record = row;
+        return {
+          started_at: String(record.started_at),
+          model: String(record.model),
+          total_tokens: Number(record.total_tokens ?? 0),
+          cost_usd: Number(record.cost_usd ?? 0),
+          lifecycle_status: parseLifecycleStatus(record.lifecycle_status)
+        };
+      });
+    }
+    RequestRepo.getRecentByAccount = getRecentByAccount;
+    function getUncorrelated(db, sinceMs, limit) {
+      const sinceIso = new Date(Date.now() - sinceMs).toISOString();
+      const stmt = db.prepare(`
+      SELECT * FROM request_logs
+      WHERE cliproxy_account IS NULL
+        AND status = 200
+        AND started_at >= ?
+      ORDER BY started_at DESC
+      LIMIT ?
+    `);
+      return stmt.all(sinceIso, limit);
+    }
+    RequestRepo.getUncorrelated = getUncorrelated;
+    function applyCorrelation(db, id, fields) {
+      const stmt = db.prepare(`
+      UPDATE request_logs
+      SET cliproxy_account = COALESCE(?, cliproxy_account),
+          cliproxy_auth_index = COALESCE(?, cliproxy_auth_index),
+          cliproxy_source = COALESCE(?, cliproxy_source),
+          reasoning_tokens = COALESCE(?, reasoning_tokens),
+          actual_model = COALESCE(?, actual_model),
+          correlated_at = ?
+      WHERE id = ?
+    `);
+      stmt.run(fields.cliproxy_account ?? null, fields.cliproxy_auth_index ?? null, fields.cliproxy_source ?? null, fields.reasoning_tokens ?? null, fields.actual_model ?? null, new Date().toISOString(), id);
+    }
+    RequestRepo.applyCorrelation = applyCorrelation;
+    function updateLifecycle(db, id, fields) {
+      const stmt = db.prepare(`
+      UPDATE request_logs
+      SET lifecycle_status = COALESCE(?, lifecycle_status),
+          finalized_at = COALESCE(?, finalized_at),
+          error_message = COALESCE(?, error_message),
+          cost_status = COALESCE(?, cost_status),
+          subscription_code = COALESCE(?, subscription_code)
+      WHERE id = ?
+    `);
+      stmt.run(fields.lifecycle_status ?? null, fields.finalized_at ?? null, fields.error_message ?? null, fields.cost_status ?? null, fields.subscription_code ?? null, id);
+    }
+    RequestRepo.updateLifecycle = updateLifecycle;
+    function applySubscription(db, id, subscriptionCode) {
+      db.prepare("UPDATE request_logs SET subscription_code = ? WHERE id = ?").run(subscriptionCode, id);
+    }
+    RequestRepo.applySubscription = applySubscription;
+    function updateFinalize(db, id, fields) {
+      const stmt = db.prepare(`
+      UPDATE request_logs
+      SET provider = COALESCE(?, provider),
+          model = COALESCE(?, model),
+          actual_model = COALESCE(?, actual_model),
+          streamed = COALESCE(?, streamed),
+          status = COALESCE(?, status),
+          prompt_tokens = COALESCE(?, prompt_tokens),
+          completion_tokens = COALESCE(?, completion_tokens),
+          cache_creation_tokens = COALESCE(?, cache_creation_tokens),
+          cache_read_tokens = COALESCE(?, cache_read_tokens),
+          reasoning_tokens = COALESCE(?, reasoning_tokens),
+          total_tokens = COALESCE(?, total_tokens),
+          cost_usd = COALESCE(?, cost_usd),
+          incomplete = COALESCE(?, incomplete),
+          error_code = COALESCE(?, error_code),
+          latency_ms = COALESCE(?, latency_ms),
+          finished_at = COALESCE(?, finished_at),
+          lifecycle_status = ?,
+          finalized_at = ?,
+          error_message = COALESCE(?, error_message),
+          cost_status = ?,
+          subscription_code = COALESCE(?, subscription_code)
+      WHERE id = ? AND lifecycle_status = 'pending'
+    `);
+      const result = stmt.run(fields.provider ?? null, fields.model ?? null, fields.actual_model ?? null, fields.streamed ?? null, fields.status ?? null, fields.prompt_tokens ?? null, fields.completion_tokens ?? null, fields.cache_creation_tokens ?? null, fields.cache_read_tokens ?? null, fields.reasoning_tokens ?? null, fields.total_tokens ?? null, fields.cost_usd ?? null, fields.incomplete ?? null, fields.error_code ?? null, fields.latency_ms ?? null, fields.finished_at ?? null, fields.lifecycle_status, fields.finalized_at, fields.error_message ?? null, fields.cost_status, fields.subscription_code ?? null, id);
+      return result.changes;
+    }
+    RequestRepo.updateFinalize = updateFinalize;
+    function insertCostAudit(db, audit) {
+      const stmt = db.prepare(`
+      INSERT INTO cost_audit (
+        request_log_id, model, provider, source, base_cost_usd, calc_at
+      ) VALUES (?, ?, ?, ?, ?, COALESCE(?, CURRENT_TIMESTAMP))
+    `);
+      const result = stmt.run(audit.request_log_id ?? null, audit.model ?? null, audit.provider ?? null, audit.source ?? null, audit.base_cost_usd ?? null, audit.calc_at ?? null);
+      return result.lastInsertRowid;
+    }
+    RequestRepo.insertCostAudit = insertCostAudit;
+  })(RequestRepo ||= {});
+  ((UsageRepo) => {
+    function upsertDaily(db, usage) {
+      const stmt = db.prepare(`
+      INSERT INTO daily_usage (
+        day, provider, model, request_count, prompt_tokens,
+        completion_tokens, cache_creation_tokens, cache_read_tokens,
+        total_tokens, cost_usd
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(day, provider, model) DO UPDATE SET
+        request_count = request_count + excluded.request_count,
+        prompt_tokens = prompt_tokens + excluded.prompt_tokens,
+        completion_tokens = completion_tokens + excluded.completion_tokens,
+        cache_creation_tokens = cache_creation_tokens + excluded.cache_creation_tokens,
+        cache_read_tokens = cache_read_tokens + excluded.cache_read_tokens,
+        total_tokens = total_tokens + excluded.total_tokens,
+        cost_usd = cost_usd + excluded.cost_usd
+    `);
+      stmt.run(usage.day, usage.provider, usage.model, usage.request_count, usage.prompt_tokens, usage.completion_tokens, usage.cache_creation_tokens, usage.cache_read_tokens, usage.total_tokens, usage.cost_usd);
+    }
+    UsageRepo.upsertDaily = upsertDaily;
+    function upsertDailyAccount(db, usage) {
+      const stmt = db.prepare(`
+      INSERT INTO daily_account_usage (
+        day, provider, model, cliproxy_account, cliproxy_auth_index,
+        request_count, prompt_tokens, completion_tokens,
+        cache_creation_tokens, cache_read_tokens, reasoning_tokens,
+        total_tokens, cost_usd
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(day, provider, model, cliproxy_account) DO UPDATE SET
+        cliproxy_auth_index = COALESCE(excluded.cliproxy_auth_index, cliproxy_auth_index),
+        request_count = request_count + excluded.request_count,
+        prompt_tokens = prompt_tokens + excluded.prompt_tokens,
+        completion_tokens = completion_tokens + excluded.completion_tokens,
+        cache_creation_tokens = cache_creation_tokens + excluded.cache_creation_tokens,
+        cache_read_tokens = cache_read_tokens + excluded.cache_read_tokens,
+        reasoning_tokens = reasoning_tokens + excluded.reasoning_tokens,
+        total_tokens = total_tokens + excluded.total_tokens,
+        cost_usd = cost_usd + excluded.cost_usd
+    `);
+      stmt.run(usage.day, usage.provider, usage.model, usage.cliproxy_account, usage.cliproxy_auth_index ?? null, usage.request_count, usage.prompt_tokens, usage.completion_tokens, usage.cache_creation_tokens, usage.cache_read_tokens, usage.reasoning_tokens, usage.total_tokens, usage.cost_usd);
+    }
+    UsageRepo.upsertDailyAccount = upsertDailyAccount;
+    function getDaily(db, day) {
+      const stmt = db.prepare(`
+      SELECT * FROM daily_usage
+      WHERE day = ?
+      ORDER BY provider, model
+    `);
+      return stmt.all(day);
+    }
+    UsageRepo.getDaily = getDaily;
+    function getDailyByAccount(db, day) {
+      const stmt = db.prepare(`
+      SELECT * FROM daily_account_usage
+      WHERE day = ?
+      ORDER BY cliproxy_account, provider, model
+    `);
+      return stmt.all(day);
+    }
+    UsageRepo.getDailyByAccount = getDailyByAccount;
+    function getRange(db, from, to) {
+      const stmt = db.prepare(`
+      SELECT * FROM daily_usage
+      WHERE day >= ? AND day <= ?
+      ORDER BY day DESC, provider, model
+    `);
+      return stmt.all(from, to);
+    }
+    UsageRepo.getRange = getRange;
+    function getAccountRange(db, from, to) {
+      const stmt = db.prepare(`
+      SELECT * FROM daily_account_usage
+      WHERE day >= ? AND day <= ?
+      ORDER BY day DESC, cliproxy_account, provider, model
+    `);
+      return stmt.all(from, to);
+    }
+    UsageRepo.getAccountRange = getAccountRange;
+    function getAccountSummary(db, from, to) {
+      const stmt = db.prepare(`
+      SELECT
+        cliproxy_account,
+        cliproxy_auth_index,
+        provider,
+        SUM(request_count) AS request_count,
+        SUM(total_tokens) AS total_tokens,
+        SUM(cost_usd) AS cost_usd
+      FROM daily_account_usage
+      WHERE day >= ? AND day <= ?
+      GROUP BY cliproxy_account, cliproxy_auth_index, provider
+      ORDER BY cost_usd DESC
+    `);
+      return stmt.all(from, to);
+    }
+    UsageRepo.getAccountSummary = getAccountSummary;
+  })(UsageRepo ||= {});
+  ((QuotaRepo) => {
+    function insertSnapshot(db, snapshot) {
+      const stmt = db.prepare(`
+      INSERT INTO quota_snapshots (
+        timestamp, provider, account, quota_type, used_pct,
+        remaining, remaining_raw, resets_at, raw_json
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+      const result = stmt.run(snapshot.timestamp, snapshot.provider, snapshot.account, snapshot.quota_type, snapshot.used_pct ?? null, snapshot.remaining ?? null, snapshot.remaining_raw ?? null, snapshot.resets_at ?? null, snapshot.raw_json ?? null);
+      return result.lastInsertRowid;
+    }
+    QuotaRepo.insertSnapshot = insertSnapshot;
+    function getLatest(db) {
+      const stmt = db.prepare(`
+      SELECT q.*
+      FROM quota_snapshots q
+      JOIN (
+        SELECT provider, account, quota_type, MAX(timestamp) AS max_timestamp
+        FROM quota_snapshots
+        GROUP BY provider, account, quota_type
+      ) latest
+        ON latest.provider = q.provider
+       AND latest.account = q.account
+       AND latest.quota_type = q.quota_type
+       AND latest.max_timestamp = q.timestamp
+      ORDER BY q.provider, q.account, q.quota_type
+    `);
+      return stmt.all();
+    }
+    QuotaRepo.getLatest = getLatest;
+    function getLocalWindowUsage(db, provider, account, sinceIso) {
+      const row = db.prepare(`
+        SELECT
+          COUNT(*) AS requests,
+          COALESCE(SUM(total_tokens), 0) AS total_tokens,
+          COALESCE(SUM(cost_usd), 0) AS cost_usd
+        FROM request_logs
+        WHERE provider = ?
+          AND cliproxy_account = ?
+          AND started_at >= ?
+      `).get(provider, account, sinceIso);
+      return {
+        since: sinceIso,
+        requests: Number(row.requests ?? 0),
+        total_tokens: Number(row.total_tokens ?? 0),
+        cost_usd: Number(row.cost_usd ?? 0)
+      };
+    }
+    QuotaRepo.getLocalWindowUsage = getLocalWindowUsage;
+  })(QuotaRepo ||= {});
+});
+
+// src/runtime/supervisor.ts
+var exports_supervisor = {};
+__export(exports_supervisor, {
+  Supervisor: () => Supervisor
+});
+var Supervisor;
+var init_supervisor = __esm(() => {
+  init_logger();
+  ((Supervisor) => {
+    const DEFAULT_JITTER_RATIO = 0.1;
+    const DEFAULT_MAX_BACKOFF_MS = 60000;
+    const DEFAULT_STOP_TIMEOUT_MS = 2000;
+    const registry = new Set;
+    let logger2 = Logger.fromConfig().child({ component: "supervisor" });
+    function run(name, fn, options) {
+      validateOptions(name, options);
+      const controller = new AbortController;
+      const signal = controller.signal;
+      const intervalMs = options.intervalMs;
+      const jitterRatio = options.jitterRatio ?? DEFAULT_JITTER_RATIO;
+      const maxBackoffMs = options.maxBackoffMs ?? DEFAULT_MAX_BACKOFF_MS;
+      const runOnStart = options.runOnStart ?? true;
+      const initialDelayMs = options.initialDelayMs ?? 0;
+      let removeExternalAbort = null;
+      if (options.signal) {
+        if (options.signal.aborted)
+          controller.abort();
+        else {
+          const abort = () => controller.abort();
+          options.signal.addEventListener("abort", abort, { once: true });
+          removeExternalAbort = () => options.signal?.removeEventListener("abort", abort);
+        }
+      }
+      const state = {
+        name,
+        controller,
+        done: Promise.resolve(),
+        stopRequested: false,
+        stopLogged: false,
+        async stop(timeoutMs) {
+          this.stopRequested = true;
+          this.controller.abort();
+          const stopped = await resolveWithin(this.done, timeoutMs);
+          if (stopped) {
+            logStopped(this);
+            return;
+          }
+          registry.delete(this);
+          logStopTimeout(this, timeoutMs);
+        }
+      };
+      state.done = loop({
+        name,
+        fn,
+        signal,
+        intervalMs,
+        initialDelayMs,
+        jitterRatio,
+        maxBackoffMs,
+        runOnStart
+      }).finally(() => {
+        removeExternalAbort?.();
+        registry.delete(state);
+        if (state.stopRequested || signal.aborted)
+          logStopped(state);
+      });
+      registry.add(state);
+      logger2.info("loop started", { name, event: "loop.started", interval_ms: intervalMs });
+      return {
+        stop() {
+          return state.stop(DEFAULT_STOP_TIMEOUT_MS);
+        }
+      };
+    }
+    Supervisor.run = run;
+    async function stopAll(timeoutMs = DEFAULT_STOP_TIMEOUT_MS) {
+      const loops = Array.from(registry);
+      await Promise.all(loops.map((loopState) => loopState.stop(timeoutMs)));
+    }
+    Supervisor.stopAll = stopAll;
+    function list() {
+      return Array.from(registry, (loopState) => loopState.name).sort();
+    }
+    Supervisor.list = list;
+    function __setLoggerForTests(testLogger) {
+      logger2 = testLogger ?? Logger.fromConfig().child({ component: "supervisor" });
+    }
+    Supervisor.__setLoggerForTests = __setLoggerForTests;
+    async function loop(context) {
+      let consecutiveFailures = 0;
+      let nextDelayMs = context.runOnStart ? context.initialDelayMs : context.initialDelayMs > 0 ? context.initialDelayMs : context.intervalMs;
+      while (!context.signal.aborted) {
+        if (nextDelayMs > 0) {
+          const slept = await sleep(nextDelayMs, context.signal);
+          if (!slept)
+            return;
+        }
+        if (context.signal.aborted)
+          return;
+        const startedAt = Date.now();
+        try {
+          await context.fn();
+          const durationMs = Date.now() - startedAt;
+          consecutiveFailures = 0;
+          logger2.debug("loop tick", {
+            name: context.name,
+            event: "loop.tick",
+            duration_ms: durationMs
+          });
+          nextDelayMs = applyJitter(context.intervalMs, context.jitterRatio);
+        } catch (err) {
+          consecutiveFailures += 1;
+          const backoffMs = Math.min(context.intervalMs * 2 ** consecutiveFailures, context.maxBackoffMs);
+          nextDelayMs = applyJitter(backoffMs, context.jitterRatio);
+          logger2.error("loop error", {
+            name: context.name,
+            event: "loop.error",
+            err,
+            attempt: consecutiveFailures,
+            next_delay_ms: nextDelayMs
+          });
+        }
+      }
+    }
+    function validateOptions(name, options) {
+      if (!name.trim())
+        throw new Error("Supervisor loop name is required");
+      if (!Number.isFinite(options.intervalMs) || options.intervalMs <= 0) {
+        throw new Error("Supervisor intervalMs must be a positive finite number");
+      }
+      if (options.initialDelayMs !== undefined && (!Number.isFinite(options.initialDelayMs) || options.initialDelayMs < 0)) {
+        throw new Error("Supervisor initialDelayMs must be a non-negative finite number");
+      }
+      if (options.jitterRatio !== undefined && (!Number.isFinite(options.jitterRatio) || options.jitterRatio < 0)) {
+        throw new Error("Supervisor jitterRatio must be a non-negative finite number");
+      }
+      if (options.maxBackoffMs !== undefined && (!Number.isFinite(options.maxBackoffMs) || options.maxBackoffMs <= 0)) {
+        throw new Error("Supervisor maxBackoffMs must be a positive finite number");
+      }
+    }
+    function applyJitter(delayMs, jitterRatio) {
+      if (delayMs <= 0 || jitterRatio <= 0)
+        return Math.max(0, Math.round(delayMs));
+      const spread = delayMs * jitterRatio;
+      const offset = (Math.random() * 2 - 1) * spread;
+      return Math.max(0, Math.round(delayMs + offset));
+    }
+    function sleep(delayMs, signal) {
+      if (signal.aborted)
+        return Promise.resolve(false);
+      return new Promise((resolve) => {
+        let timeout = null;
+        const onAbort = () => {
+          if (timeout)
+            clearTimeout(timeout);
+          resolve(false);
+        };
+        timeout = setTimeout(() => {
+          signal.removeEventListener("abort", onAbort);
+          resolve(true);
+        }, delayMs);
+        signal.addEventListener("abort", onAbort, { once: true });
+      });
+    }
+    async function resolveWithin(promise, timeoutMs) {
+      let timeout = null;
+      try {
+        return await Promise.race([
+          promise.then(() => true),
+          new Promise((resolve) => {
+            timeout = setTimeout(() => resolve(false), timeoutMs);
+          })
+        ]);
+      } finally {
+        if (timeout)
+          clearTimeout(timeout);
+      }
+    }
+    function logStopped(state) {
+      if (state.stopLogged)
+        return;
+      state.stopLogged = true;
+      logger2.info("loop stopped", { name: state.name, event: "loop.stopped" });
+    }
+    function logStopTimeout(state, timeoutMs) {
+      if (state.stopLogged)
+        return;
+      state.stopLogged = true;
+      logger2.warn("loop stop timeout", {
+        name: state.name,
+        event: "loop.stop_timeout",
+        timeout_ms: timeoutMs
+      });
+    }
+  })(Supervisor ||= {});
+});
+
+// src/storage/pricing.ts
+var exports_pricing = {};
+__export(exports_pricing, {
+  Pricing: () => Pricing
+});
+import { dirname } from "path";
+import { mkdir } from "fs/promises";
+var logger2, Pricing;
+var init_pricing = __esm(() => {
+  init_config();
+  init_logger();
+  init_supervisor();
+  logger2 = Logger.fromConfig().child({ component: "pricing" });
+  ((Pricing) => {
+    const MODELS_DEV_URL = "https://models.dev/api.json";
+    let cache = null;
+    let inFlightFetch = null;
+    let bypassDiskCacheForTests = false;
+    async function fetchPricing(options = {}) {
+      const now = Date.now();
+      if (!options.force && cache && now - cache.fetchedAt < Config2.pricingCacheTtlMs) {
+        return cache.data;
+      }
+      if (!options.force && inFlightFetch) {
+        return inFlightFetch;
+      }
+      inFlightFetch = refreshPricing(options.force ?? false).finally(() => {
+        inFlightFetch = null;
+      });
+      return inFlightFetch;
+    }
+    Pricing.fetchPricing = fetchPricing;
+    function getPricing(model, provider) {
+      return findPricing(model, provider)?.pricing ?? null;
+    }
+    Pricing.getPricing = getPricing;
+    async function getPricingFreshness() {
+      const entry = cache ?? await readDiskCache();
+      if (!entry)
+        return null;
+      return { fetchedAt: entry.fetchedAt, ageMs: Date.now() - entry.fetchedAt };
+    }
+    Pricing.getPricingFreshness = getPricingFreshness;
+    function startBackgroundRefresh(options = {}) {
+      const intervalMs = options.intervalMs ?? Config2.pricingRefreshIntervalMs;
+      return Supervisor.run("pricing-refresh", async () => {
+        await fetchPricing();
+      }, {
+        intervalMs,
+        runOnStart: false,
+        signal: options.signal
+      });
+    }
+    Pricing.startBackgroundRefresh = startBackgroundRefresh;
+    function __setPricingForTests(entries, fetchedAt = Date.now()) {
+      bypassDiskCacheForTests = false;
+      cache = { data: new Map(entries), fetchedAt };
+    }
+    Pricing.__setPricingForTests = __setPricingForTests;
+    function __clearPricingForTests() {
+      cache = null;
+      inFlightFetch = null;
+      bypassDiskCacheForTests = true;
+    }
+    Pricing.__clearPricingForTests = __clearPricingForTests;
+    function findPricing(model, provider) {
+      if (!cache)
+        return null;
+      const normalizedModel = normalizeKey(model);
+      const normalizedProvider = provider ? normalizeKey(provider) : null;
+      const candidates = buildLookupCandidates(model, provider);
+      for (const key of candidates) {
+        const pricing = cache.data.get(key);
+        if (pricing)
+          return { pricing, key, source: "exact" };
+      }
+      for (const [key, pricing] of cache.data) {
+        if (normalizeKey(key) === normalizedModel) {
+          return { pricing, key, source: "normalized" };
+        }
+        if (normalizedProvider && normalizeKey(key) === `${normalizedProvider}/${normalizedModel}`) {
+          return { pricing, key, source: "normalized" };
+        }
+      }
+      const alias = aliasModel(normalizedModel);
+      if (alias) {
+        for (const key of buildLookupCandidates(alias, provider)) {
+          const pricing = cache.data.get(key);
+          if (pricing)
+            return { pricing, key, source: "alias" };
+        }
+      }
+      const fuzzy = findFuzzyMatch(normalizedModel, normalizedProvider, cache.data);
+      if (fuzzy)
+        return fuzzy;
+      return null;
+    }
+    Pricing.findPricing = findPricing;
+    function calculateCost(usage, pricing, provider) {
+      if (provider && normalizeKey(provider) === "openai") {
+        const billableInputTokens = Math.max(usage.prompt_tokens - usage.cache_read_tokens, 0);
+        return (billableInputTokens * pricing.input + usage.completion_tokens * pricing.output + usage.cache_read_tokens * (pricing.cache_read ?? pricing.input)) / 1e6;
+      }
+      return (usage.prompt_tokens * pricing.input + usage.completion_tokens * pricing.output + usage.cache_read_tokens * (pricing.cache_read ?? pricing.input) + usage.cache_creation_tokens * (pricing.cache_write ?? pricing.input) + (usage.reasoning_tokens ?? 0) * (pricing.reasoning ?? pricing.output)) / 1e6;
+    }
+    Pricing.calculateCost = calculateCost;
+    async function refreshPricing(force) {
+      const now = Date.now();
+      if (!force && !bypassDiskCacheForTests) {
+        const diskCache = await readDiskCache();
+        if (diskCache && now - diskCache.fetchedAt < Config2.pricingCacheTtlMs) {
+          cache = diskCache;
+          return diskCache.data;
+        }
+      }
+      try {
+        const res = await fetch(MODELS_DEV_URL, { signal: AbortSignal.timeout(30000) });
+        if (!res.ok)
+          throw new Error(`models.dev returned HTTP ${res.status}`);
+        const raw = await res.json();
+        const map = buildPricingMap(raw);
+        addLocalOverrides(map);
+        cache = { data: map, fetchedAt: now };
+        await writeDiskCache(cache);
+        logger2.info("loaded pricing aliases", { aliases: map.size, source: "models.dev" });
+        return map;
+      } catch (err) {
+        logger2.warn("pricing fetch failed, using cached data", { err, source: "models.dev" });
+        if (cache)
+          return cache.data;
+        const diskCache = bypassDiskCacheForTests ? null : await readDiskCache();
+        if (diskCache) {
+          cache = diskCache;
+          return diskCache.data;
+        }
+        const fallback = new Map;
+        addLocalOverrides(fallback);
+        cache = { data: fallback, fetchedAt: 0 };
+        return fallback;
+      }
+    }
+    function buildPricingMap(raw) {
+      const map = new Map;
+      for (const [provider, providerData] of Object.entries(raw)) {
+        if (!providerData.models)
+          continue;
+        for (const [modelId, modelData] of Object.entries(providerData.models)) {
+          if (!modelData.cost)
+            continue;
+          const pricing = toPricing(modelData.cost);
+          if (!pricing)
+            continue;
+          setPricingAlias(map, modelId, pricing);
+          setPricingAlias(map, `${provider}/${modelId}`, pricing);
+          if (modelData.id)
+            setPricingAlias(map, modelData.id, pricing);
+          if (modelData.name)
+            setPricingAlias(map, modelData.name, pricing);
+        }
+      }
+      return map;
+    }
+    function toPricing(cost) {
+      if (typeof cost.input !== "number" || typeof cost.output !== "number")
+        return null;
+      return {
+        input: cost.input,
+        output: cost.output,
+        cache_read: typeof cost.cache_read === "number" ? cost.cache_read : undefined,
+        cache_write: typeof cost.cache_write === "number" ? cost.cache_write : undefined,
+        reasoning: typeof cost.reasoning === "number" ? cost.reasoning : undefined
+      };
+    }
+    function addLocalOverrides(map) {
+      const overrides = {
+        "gpt-5.4": { input: 2.5, output: 15, cache_read: 0.25 },
+        "gpt-5.4-mini": { input: 0.75, output: 4.5, cache_read: 0.075 },
+        "gpt-5.4-mini-2026-03-17": { input: 0.75, output: 4.5, cache_read: 0.075 },
+        "kimi-for-coding": { input: 0.4, output: 2.5, cache_read: 0.4 },
+        "kimi-k2": { input: 0.4, output: 2.5, cache_read: 0.4 },
+        "kimi-k2.6": { input: 0.95, output: 4, cache_read: 0.16 }
+      };
+      for (const [model, pricing] of Object.entries(overrides)) {
+        setPricingAlias(map, model, pricing);
+        setPricingAlias(map, `openai/${model}`, pricing);
+      }
+    }
+    function setPricingAlias(map, key, pricing) {
+      map.set(key, pricing);
+      map.set(normalizeKey(key), pricing);
+    }
+    function buildLookupCandidates(model, provider) {
+      const candidates = new Set;
+      candidates.add(model);
+      candidates.add(normalizeKey(model));
+      if (provider) {
+        candidates.add(`${provider}/${model}`);
+        candidates.add(`${normalizeKey(provider)}/${normalizeKey(model)}`);
+      }
+      return Array.from(candidates);
+    }
+    function aliasModel(normalizedModel) {
+      if (normalizedModel === "kimi-for-coding")
+        return "kimi-k2";
+      if (normalizedModel.startsWith("gpt-5.4-mini"))
+        return "gpt-5.4-mini";
+      if (normalizedModel.startsWith("gpt-5.4"))
+        return "gpt-5.4";
+      return null;
+    }
+    function findFuzzyMatch(normalizedModel, normalizedProvider, map) {
+      const eligible = Array.from(map.entries()).filter(([key, pricing]) => {
+        if (pricing.input === 0 && pricing.output === 0)
+          return false;
+        const normalizedKey = normalizeKey(key);
+        if (normalizedProvider && !normalizedKey.startsWith(`${normalizedProvider}/`) && normalizedKey.includes("/")) {
+          return false;
+        }
+        return normalizedKey.endsWith(`/${normalizedModel}`) || normalizedKey === normalizedModel;
+      });
+      if (eligible.length > 0) {
+        const [key, pricing] = eligible[0];
+        return { key, pricing, source: "fuzzy" };
+      }
+      const broad = Array.from(map.entries()).find(([key, pricing]) => {
+        if (pricing.input === 0 && pricing.output === 0)
+          return false;
+        const normalizedKey = normalizeKey(key);
+        return normalizedKey.length >= 6 && normalizedModel.includes(normalizedKey);
+      });
+      if (!broad)
+        return null;
+      return { key: broad[0], pricing: broad[1], source: "fuzzy" };
+    }
+    function normalizeKey(key) {
+      return key.trim().toLowerCase().replace(/[_\s]+/g, "-");
+    }
+    async function readDiskCache() {
+      try {
+        const file = Bun.file(Config2.pricingCachePath);
+        if (!await file.exists())
+          return null;
+        const parsed = await file.json();
+        if (typeof parsed.fetchedAt !== "number" || !Array.isArray(parsed.data))
+          return null;
+        return { fetchedAt: parsed.fetchedAt, data: new Map(parsed.data) };
+      } catch (err) {
+        logger2.warn("disk cache read failed", { err, path: Config2.pricingCachePath });
+        return null;
+      }
+    }
+    async function writeDiskCache(entry) {
+      try {
+        await mkdir(dirname(Config2.pricingCachePath), { recursive: true });
+        await Bun.write(Config2.pricingCachePath, JSON.stringify({ fetchedAt: entry.fetchedAt, data: Array.from(entry.data.entries()) }));
+      } catch (err) {
+        logger2.warn("disk cache write failed", { err, path: Config2.pricingCachePath });
+      }
+    }
+  })(Pricing ||= {});
+});
+
+// src/storage/cost.ts
+var logger3, Cost;
+var init_cost = __esm(() => {
+  init_pricing();
+  init_logger();
+  logger3 = Logger.fromConfig().child({ component: "cost" });
+  ((Cost) => {
+    const SENTINEL_MODELS = new Set(["", "unknown", "undefined"]);
+    let activeLogger = logger3;
+    function __setLoggerForTests(nextLogger) {
+      activeLogger = nextLogger;
+    }
+    Cost.__setLoggerForTests = __setLoggerForTests;
+    function __resetLoggerForTests() {
+      activeLogger = logger3;
+    }
+    Cost.__resetLoggerForTests = __resetLoggerForTests;
+    function compute(inputs) {
+      const model = inputs.model?.trim() ?? "";
+      if (SENTINEL_MODELS.has(model.toLowerCase())) {
+        return { cost_usd: 0, cost_status: "unsupported", source: "unsupported_model" };
+      }
+      const pricing = Pricing.getPricing(model, inputs.provider);
+      if (!pricing) {
+        return { cost_usd: 0, cost_status: "pending", source: "pricing" };
+      }
+      const rawCost = Pricing.calculateCost({
+        prompt_tokens: inputs.usage.prompt_tokens ?? 0,
+        completion_tokens: inputs.usage.completion_tokens ?? 0,
+        cache_creation_tokens: inputs.usage.cache_creation_tokens ?? 0,
+        cache_read_tokens: inputs.usage.cache_read_tokens ?? 0,
+        reasoning_tokens: inputs.usage.reasoning_tokens ?? 0
+      }, pricing, inputs.provider);
+      if (!Number.isFinite(rawCost) || Number.isNaN(rawCost) || rawCost < 0) {
+        activeLogger.warn("cost guard rejected computed cost", {
+          event: "cost.guard",
+          provider: inputs.provider,
+          model,
+          raw_cost: rawCost
+        });
+        return { cost_usd: 0, cost_status: "pending", source: "guard" };
+      }
+      if (rawCost === 0) {
+        return { cost_usd: 0, cost_status: "pending", source: "guard" };
+      }
+      return { cost_usd: rawCost, cost_status: "ok", source: "pricing" };
+    }
+    Cost.compute = compute;
+    function inputsFromLog(log) {
+      return {
+        provider: log.provider,
+        model: log.model,
+        usage: {
+          prompt_tokens: log.prompt_tokens,
+          completion_tokens: log.completion_tokens,
+          cache_creation_tokens: log.cache_creation_tokens,
+          cache_read_tokens: log.cache_read_tokens,
+          reasoning_tokens: log.reasoning_tokens ?? 0
+        }
+      };
+    }
+    Cost.inputsFromLog = inputsFromLog;
+  })(Cost ||= {});
+});
+
+// src/upstream/client.ts
+var exports_client = {};
+__export(exports_client, {
+  UpstreamClient: () => UpstreamClient
+});
+var UpstreamClient;
+var init_client = __esm(() => {
+  init_config();
+  init_logger();
+  ((UpstreamClient) => {
+    UpstreamClient.DEFAULT_UPSTREAM_TIMEOUT_MS = 300000;
+    UpstreamClient.DEFAULT_UPSTREAM_CONNECT_TIMEOUT_MS = 1e4;
+    const MAX_RETRIES = 2;
+    const OPEN_AFTER_FAILURES = 5;
+    const HALF_OPEN_AFTER_MS = 30000;
+    const breakers = new Map;
+    let logger4 = Logger.fromConfig().child({ component: "upstream-client" });
+    let sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+    let now = () => Date.now();
+    let random = () => Math.random();
+    async function fetch2(options) {
+      const providerId = options.providerId || "unknown";
+      const breaker = breakerFor(providerId);
+      const breakerState = currentBreakerState(breaker);
+      if (breakerState === "open") {
+        const normalized = normalizeShortCircuit(providerId);
+        logger4.warn("upstream circuit breaker open", {
+          event: "upstream.short_circuit",
+          ...withoutCause(normalized)
+        });
+        logFailure(normalized, 0, false);
+        return normalizedResponse(normalized);
+      }
+      const streaming = isStreamingRequest(options);
+      const idempotent = options.idempotent === true;
+      let attempt = 0;
+      while (true) {
+        const timeout = createTimeoutSignal(Config2.upstreamTimeoutMs, Config2.upstreamConnectTimeoutMs);
+        const signal = composeSignals([timeout.signal, options.signal]);
+        try {
+          const response = await globalThis.fetch(options.url, {
+            method: options.method,
+            headers: options.headers,
+            body: options.body,
+            signal
+          });
+          timeout.clear();
+          if (response.status >= 500) {
+            const normalized = normalizeHttpFailure(response, providerId, canRetry(idempotent, streaming));
+            const retrying = shouldRetry(normalized, attempt, streaming, idempotent);
+            logFailure(normalized, attempt, retrying);
+            if (retrying) {
+              await discardResponse(response);
+              await sleep(backoffMs(attempt));
+              attempt += 1;
+              continue;
+            }
+            recordFailure(breaker);
+            return response;
+          }
+          recordSuccess(breaker);
+          return response;
+        } catch (err) {
+          timeout.clear();
+          const normalized = normalizeThrownFailure(err, providerId, canRetry(idempotent, streaming), timeout.kind);
+          const retrying = shouldRetry(normalized, attempt, streaming, idempotent);
+          logFailure(normalized, attempt, retrying);
+          if (retrying) {
+            await sleep(backoffMs(attempt));
+            attempt += 1;
+            continue;
+          }
+          recordFailure(breaker);
+          return normalizedResponse(normalized);
+        }
+      }
+    }
+    UpstreamClient.fetch = fetch2;
+    function __resetForTests() {
+      breakers.clear();
+      logger4 = Logger.fromConfig().child({ component: "upstream-client" });
+      sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+      now = () => Date.now();
+      random = () => Math.random();
+    }
+    UpstreamClient.__resetForTests = __resetForTests;
+    function __setTestHooks(hooks) {
+      if (hooks.logger)
+        logger4 = hooks.logger;
+      if (hooks.sleep)
+        sleep = hooks.sleep;
+      if (hooks.now)
+        now = hooks.now;
+      if (hooks.random)
+        random = hooks.random;
+    }
+    UpstreamClient.__setTestHooks = __setTestHooks;
+    function breakerFor(providerId) {
+      const existing = breakers.get(providerId);
+      if (existing)
+        return existing;
+      const created = { state: "closed", failures: 0, openedAt: 0 };
+      breakers.set(providerId, created);
+      return created;
+    }
+    function currentBreakerState(breaker) {
+      if (breaker.state === "open" && now() - breaker.openedAt >= HALF_OPEN_AFTER_MS) {
+        breaker.state = "half-open";
+      }
+      return breaker.state;
+    }
+    function recordFailure(breaker) {
+      if (breaker.state === "half-open") {
+        breaker.state = "open";
+        breaker.openedAt = now();
+        breaker.failures = OPEN_AFTER_FAILURES;
+        return;
+      }
+      breaker.failures += 1;
+      if (breaker.failures >= OPEN_AFTER_FAILURES) {
+        breaker.state = "open";
+        breaker.openedAt = now();
+      }
+    }
+    function recordSuccess(breaker) {
+      breaker.state = "closed";
+      breaker.failures = 0;
+      breaker.openedAt = 0;
+    }
+    function canRetry(idempotent, streaming) {
+      return idempotent && !streaming;
+    }
+    function shouldRetry(failure, attempt, streaming, idempotent) {
+      if (!canRetry(idempotent, streaming))
+        return false;
+      if (attempt >= MAX_RETRIES)
+        return false;
+      return failure.code === "network" || failure.code === "5xx" || failure.code === "aborted-due-to-timeout";
+    }
+    function backoffMs(attempt) {
+      const jitter = Math.floor(random() * 100);
+      return Math.min(2 ** attempt * 200 + jitter, 5000);
+    }
+    function createTimeoutSignal(totalMs, connectMs) {
+      const controller = new AbortController;
+      let kind = null;
+      const abort = (nextKind) => {
+        if (controller.signal.aborted)
+          return;
+        kind = nextKind;
+        controller.abort(new Error(`upstream ${nextKind} timeout`));
+      };
+      const connectTimer = setTimeout(() => abort("connect"), connectMs);
+      const totalTimer = setTimeout(() => abort("total"), totalMs);
+      return {
+        signal: controller.signal,
+        clear() {
+          clearTimeout(connectTimer);
+          clearTimeout(totalTimer);
+        },
+        get kind() {
+          return kind;
+        }
+      };
+    }
+    function composeSignals(signals) {
+      const active = signals.filter((signal) => Boolean(signal));
+      if (active.length === 1)
+        return active[0];
+      const abortSignal = AbortSignal;
+      if (typeof abortSignal.any === "function")
+        return abortSignal.any(active);
+      const controller = new AbortController;
+      const abort = (signal) => {
+        if (!controller.signal.aborted)
+          controller.abort(signal.reason);
+      };
+      for (const signal of active) {
+        if (signal.aborted) {
+          abort(signal);
+          break;
+        }
+        signal.addEventListener("abort", () => abort(signal), { once: true });
+      }
+      return controller.signal;
+    }
+    function isStreamingRequest(options) {
+      if (options.body instanceof ReadableStream)
+        return true;
+      const headers = new Headers(options.headers);
+      const accept = headers.get("accept")?.toLowerCase() ?? "";
+      const contentType = headers.get("content-type")?.toLowerCase() ?? "";
+      return accept.includes("text/event-stream") || contentType.includes("text/event-stream");
+    }
+    function normalizeHttpFailure(response, providerId, retryable) {
+      return {
+        code: "5xx",
+        status: response.status,
+        providerId,
+        retryable,
+        cause: { statusText: response.statusText }
+      };
+    }
+    function normalizeThrownFailure(err, providerId, retryable, timeoutKind) {
+      if (timeoutKind) {
+        return {
+          code: "aborted-due-to-timeout",
+          status: 504,
+          providerId,
+          retryable,
+          cause: { timeoutKind, error: serializeCause(err) }
+        };
+      }
+      if (isAbortError(err)) {
+        return {
+          code: "aborted",
+          status: 499,
+          providerId,
+          retryable: false,
+          cause: serializeCause(err)
+        };
+      }
+      return {
+        code: "network",
+        status: 503,
+        providerId,
+        retryable,
+        cause: serializeCause(err)
+      };
+    }
+    function normalizeShortCircuit(providerId) {
+      return {
+        code: "short-circuit",
+        status: 503,
+        providerId,
+        retryable: false,
+        cause: "circuit breaker open"
+      };
+    }
+    function isAbortError(err) {
+      return err instanceof DOMException && err.name === "AbortError";
+    }
+    function logFailure(failure, attempt, retrying) {
+      logger4.error("upstream failure", {
+        event: "upstream.error",
+        ...withoutCause(failure),
+        cause: failure.cause,
+        attempt,
+        max_retries: MAX_RETRIES,
+        retrying
+      });
+    }
+    function withoutCause(failure) {
+      const { cause: _cause, ...rest } = failure;
+      return rest;
+    }
+    function normalizedResponse(failure) {
+      return new Response(JSON.stringify({ error: { ...withoutCause(failure), cause: failure.cause } }), {
+        status: failure.status,
+        headers: { "content-type": "application/json" }
+      });
+    }
+    function serializeCause(err) {
+      if (err instanceof Error) {
+        return { name: err.name, message: err.message };
+      }
+      return err;
+    }
+    async function discardResponse(response) {
+      try {
+        await response.body?.cancel();
+      } catch {}
+    }
+  })(UpstreamClient ||= {});
+});
+
+// src/cliproxy/quota.ts
+import { readdir, readFile } from "fs/promises";
+import { join as join2 } from "path";
+function normalizePercent(value) {
+  if (typeof value !== "number" || !Number.isFinite(value))
+    return;
+  const pct = value <= 1 ? value * 100 : value;
+  return Math.max(0, Math.min(100, pct));
+}
+function normalizeReset(value) {
+  if (typeof value === "number" && Number.isFinite(value)) {
+    const ms = value < 1000000000000 ? value * 1000 : value;
+    return new Date(ms).toISOString();
+  }
+  if (typeof value === "string" && value.trim()) {
+    const parsed = Date.parse(value);
+    if (Number.isFinite(parsed))
+      return new Date(parsed).toISOString();
+  }
+  return;
+}
+function quotaTypeFromSeconds(seconds, fallback) {
+  if (typeof seconds !== "number" || !Number.isFinite(seconds))
+    return fallback;
+  const hours = Math.round(seconds / 3600);
+  if (hours >= 24 * 6)
+    return "week";
+  if (hours >= 24)
+    return `${Math.round(hours / 24)}d`;
+  return `${hours}h`;
+}
+async function fetchJson(url, init) {
+  const controller = new AbortController;
+  const timer = setTimeout(() => controller.abort(), Config2.quotaRefreshTimeoutMs);
+  try {
+    const res = await UpstreamClient.fetch({
+      method: init.method ?? "GET",
+      url,
+      headers: init.headers,
+      body: init.body ?? null,
+      providerId: `quota:${new URL(url).hostname}`,
+      idempotent: (init.method ?? "GET") === "GET" || (init.method ?? "GET") === "HEAD",
+      signal: controller.signal
+    });
+    const text = await res.text();
+    let data = null;
+    try {
+      data = text ? JSON.parse(text) : null;
+    } catch {
+      data = null;
+    }
+    return { ok: res.ok, status: res.status, data, text };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function errorMessage(data, fallback) {
+  if (data && typeof data === "object" && "error" in data) {
+    const err = data.error;
+    if (err && typeof err === "object" && "message" in err) {
+      const message = err.message;
+      if (typeof message === "string" && message.trim())
+        return message;
+    }
+    if (typeof err === "string" && err.trim())
+      return err;
+  }
+  return fallback;
+}
+async function probeClaude(auth) {
+  const account = auth.email ?? "claude";
+  if (!auth.access_token) {
+    return {
+      provider: "claude",
+      account,
+      status: "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      error: "missing access_token",
+      windows: []
+    };
+  }
+  const res = await fetchJson("https://api.anthropic.com/api/oauth/usage", {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${auth.access_token}`,
+      Accept: "application/json",
+      "anthropic-version": "2023-06-01",
+      "anthropic-beta": "oauth-2025-04-20",
+      "User-Agent": "agent-cli-proxy"
+    }
+  });
+  if (!res.ok) {
+    return {
+      provider: "claude",
+      account,
+      status: "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      error: errorMessage(res.data, `HTTP ${res.status}`),
+      windows: []
+    };
+  }
+  const data = res.data;
+  const windows = [];
+  for (const [quotaType, window] of [
+    ["5h", data.five_hour],
+    ["week", data.seven_day],
+    ["week_sonnet", data.seven_day_sonnet],
+    ["week_opus", data.seven_day_opus]
+  ]) {
+    if (!window)
+      continue;
+    const used = normalizePercent(window.utilization);
+    if (used === undefined && !window.resets_at)
+      continue;
+    windows.push({
+      quota_type: quotaType,
+      used_pct: used,
+      resets_at: normalizeReset(window.resets_at),
+      raw: window
+    });
+  }
+  return {
+    provider: "claude",
+    account,
+    status: "active",
+    unavailable: false,
+    disabled: auth.disabled === true,
+    windows
+  };
+}
+async function probeCodex(auth) {
+  const account = auth.email ?? "codex";
+  if (!auth.access_token) {
+    return {
+      provider: "codex",
+      account,
+      status: "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      error: "missing access_token",
+      windows: []
+    };
+  }
+  const headers = {
+    Authorization: `Bearer ${auth.access_token}`,
+    Accept: "application/json",
+    "User-Agent": "codex_cli_rs/0.101.0 (Linux; x86_64) agent-cli-proxy"
+  };
+  if (auth.account_id)
+    headers["ChatGPT-Account-Id"] = auth.account_id;
+  const res = await fetchJson("https://chatgpt.com/backend-api/wham/usage", {
+    method: "GET",
+    headers
+  });
+  if (!res.ok) {
+    const data2 = res.data;
+    const resetsAt = normalizeReset(data2?.error?.resets_at);
+    const usedWindow = resetsAt ? [
+      {
+        quota_type: "exhausted",
+        used_pct: 100,
+        resets_at: resetsAt,
+        raw: data2
+      }
+    ] : [];
+    return {
+      provider: "codex",
+      account,
+      status: data2?.error?.type ?? "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      plan: data2?.error?.plan_type,
+      error: data2?.error?.message ?? `HTTP ${res.status}`,
+      windows: usedWindow
+    };
+  }
+  const data = res.data;
+  const windows = [];
+  for (const [fallback, window] of [
+    ["5h", data.rate_limit?.primary_window],
+    ["week", data.rate_limit?.secondary_window]
+  ]) {
+    if (!window)
+      continue;
+    const used = normalizePercent(window.used_percent);
+    const reset = normalizeReset(window.reset_at);
+    if (used === undefined && !reset)
+      continue;
+    windows.push({
+      quota_type: quotaTypeFromSeconds(window.limit_window_seconds, fallback),
+      used_pct: used,
+      resets_at: reset,
+      raw: window
+    });
+  }
+  let plan = data.plan_type;
+  if (data.credits?.balance !== undefined && data.credits.balance !== null) {
+    plan = plan ? `${plan}` : undefined;
+  }
+  return {
+    provider: "codex",
+    account,
+    status: data.rate_limit?.limit_reached ? "limit_reached" : "active",
+    unavailable: data.rate_limit?.limit_reached === true,
+    disabled: auth.disabled === true,
+    plan,
+    windows
+  };
+}
+function readNumber(value) {
+  if (typeof value === "number" && Number.isFinite(value))
+    return value;
+  if (typeof value === "string" && value.trim()) {
+    const parsed = Number(value);
+    if (Number.isFinite(parsed))
+      return parsed;
+  }
+  return;
+}
+function kimiWindow(quotaType, detail, raw) {
+  if (!detail)
+    return null;
+  const limit = readNumber(detail.limit);
+  const remaining = readNumber(detail.remaining);
+  const used = readNumber(detail.used) ?? (limit !== undefined && remaining !== undefined ? limit - remaining : undefined);
+  const usedPct = limit && used !== undefined ? used / limit * 100 : undefined;
+  const reset = normalizeReset(detail.resetTime);
+  if (usedPct === undefined && remaining === undefined && !reset)
+    return null;
+  return {
+    quota_type: quotaType,
+    used_pct: normalizePercent(usedPct),
+    resets_at: reset,
+    raw
+  };
+}
+async function probeKimi(auth) {
+  const account = "kimi";
+  if (!auth.access_token) {
+    return {
+      provider: "kimi",
+      account,
+      status: "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      error: "missing access_token",
+      windows: []
+    };
+  }
+  const headers = {
+    Authorization: `Bearer ${auth.access_token}`,
+    Accept: "application/json",
+    "User-Agent": "KimiCLI/1.35 agent-cli-proxy"
+  };
+  let res = await fetchJson("https://api.kimi.com/coding/v1/usages", {
+    method: "GET",
+    headers
+  });
+  if (!res.ok) {
+    res = await fetchJson("https://api.moonshot.ai/v1/usages", {
+      method: "GET",
+      headers
+    });
+  }
+  if (!res.ok) {
+    return {
+      provider: "kimi",
+      account,
+      status: "error",
+      unavailable: true,
+      disabled: auth.disabled === true,
+      error: errorMessage(res.data, `HTTP ${res.status}`),
+      windows: []
+    };
+  }
+  const data = res.data;
+  const coding = data.usages?.find((u) => u.scope === "FEATURE_CODING") ?? data.usages?.[0];
+  const windows = [];
+  const weekly = kimiWindow("week", coding?.detail ?? data.usage, coding?.detail ?? data.usage);
+  if (weekly)
+    windows.push(weekly);
+  for (const limit of coding?.limits ?? data.limits ?? []) {
+    const duration = limit.window?.duration;
+    const quotaType = duration === 300 ? "5h" : quotaTypeFromSeconds((duration ?? 0) * 60, "window");
+    const window = kimiWindow(quotaType, limit.detail, limit);
+    if (window)
+      windows.push(window);
+  }
+  return {
+    provider: "kimi",
+    account,
+    status: "active",
+    unavailable: false,
+    disabled: auth.disabled === true,
+    windows
+  };
+}
+function unsupported(auth) {
+  const provider = auth.type ?? "unknown";
+  return {
+    provider,
+    account: auth.email ?? provider,
+    status: "unsupported",
+    unavailable: false,
+    disabled: auth.disabled === true,
+    error: "quota endpoint is not known for this provider",
+    windows: []
+  };
+}
+async function readAuthFiles() {
+  if (!Config2.cliproxyAuthDir)
+    return [];
+  const names = await readdir(Config2.cliproxyAuthDir);
+  const out = [];
+  for (const name of names) {
+    if (!name.endsWith(".json"))
+      continue;
+    try {
+      const raw = await readFile(join2(Config2.cliproxyAuthDir, name), "utf-8");
+      const parsed = JSON.parse(raw);
+      out.push(parsed);
+    } catch (err) {
+      logger4.warn("failed to read auth file", { err, name });
+    }
+  }
+  return out;
+}
+var logger4, QuotaProbe;
+var init_quota = __esm(() => {
+  init_config();
+  init_client();
+  init_logger();
+  logger4 = Logger.fromConfig().child({ component: "quota" });
+  ((QuotaProbe) => {
+    async function refresh() {
+      const timestamp = new Date().toISOString();
+      const auths = await readAuthFiles();
+      const accounts = [];
+      for (const auth of auths) {
+        let result;
+        try {
+          if (auth.type === "claude")
+            result = await probeClaude(auth);
+          else if (auth.type === "codex")
+            result = await probeCodex(auth);
+          else if (auth.type === "kimi")
+            result = await probeKimi(auth);
+          else
+            result = unsupported(auth);
+        } catch (err) {
+          result = {
+            provider: auth.type ?? "unknown",
+            account: auth.email ?? auth.type ?? "unknown",
+            status: "error",
+            unavailable: true,
+            disabled: auth.disabled === true,
+            error: err instanceof Error ? err.message : String(err),
+            windows: []
+          };
+        }
+        const windows = result.windows.map((window) => ({
+          timestamp,
+          provider: result.provider,
+          account: result.account,
+          quota_type: window.quota_type,
+          used_pct: window.used_pct ?? null,
+          remaining: window.used_pct === undefined ? null : Math.max(0, 100 - window.used_pct),
+          remaining_raw: window.used_pct === undefined ? null : `${Math.max(0, 100 - window.used_pct).toFixed(2)}%`,
+          resets_at: window.resets_at ?? null,
+          raw_json: JSON.stringify(window.raw)
+        }));
+        accounts.push({
+          provider: result.provider,
+          account: result.account,
+          status: result.status,
+          unavailable: result.unavailable,
+          disabled: result.disabled,
+          plan: result.plan,
+          refreshed_at: timestamp,
+          error: result.error,
+          windows,
+          local_usage: {
+            five_hour: { since: "", requests: 0, total_tokens: 0, cost_usd: 0 },
+            seven_day: { since: "", requests: 0, total_tokens: 0, cost_usd: 0 }
+          }
+        });
+      }
+      return { timestamp, accounts, inserted: 0 };
+    }
+    QuotaProbe.refresh = refresh;
+  })(QuotaProbe ||= {});
+});
+
+// src/storage/service.ts
+var exports_service = {};
+__export(exports_service, {
+  UsageService: () => UsageService
+});
+import { readdir as readdir2 } from "fs/promises";
+var logger5, costBackfillLogger, unmappedSubscriptionWarnings, UsageService;
+var init_service = __esm(() => {
+  init_account_subscriptions();
+  init_repo();
+  init_pricing();
+  init_cost();
+  init_quota();
+  init_logger();
+  init_config();
+  init_supervisor();
+  logger5 = Logger.fromConfig().child({ component: "usage-service" });
+  costBackfillLogger = Logger.fromConfig().child({ component: "cost" });
+  unmappedSubscriptionWarnings = new Map;
+  ((UsageService) => {
+    function create(db, options = {}) {
+      const serviceLogger = options.logger ?? logger5;
+      const now = options.now ?? (() => new Date);
+      function preLog(log) {
+        return RequestRepo.insert(db, log);
+      }
+      async function finalizeUsage(id, log) {
+        const cost = computeCost(log);
+        const logWithCost = { ...log, cost_usd: cost.cost_usd, cost_status: cost.cost_status };
+        const txn = db.transaction(() => {
+          const updated = RequestRepo.updateFinalize(db, id, {
+            provider: logWithCost.provider,
+            model: logWithCost.model,
+            actual_model: logWithCost.actual_model,
+            streamed: logWithCost.streamed,
+            status: logWithCost.status,
+            prompt_tokens: logWithCost.prompt_tokens,
+            completion_tokens: logWithCost.completion_tokens,
+            cache_creation_tokens: logWithCost.cache_creation_tokens,
+            cache_read_tokens: logWithCost.cache_read_tokens,
+            reasoning_tokens: logWithCost.reasoning_tokens ?? 0,
+            total_tokens: logWithCost.total_tokens,
+            cost_usd: cost.cost_usd,
+            incomplete: logWithCost.incomplete,
+            error_code: logWithCost.error_code,
+            latency_ms: logWithCost.latency_ms,
+            finished_at: logWithCost.finished_at,
+            lifecycle_status: logWithCost.lifecycle_status ?? "completed",
+            finalized_at: logWithCost.finalized_at ?? logWithCost.finished_at ?? new Date().toISOString(),
+            error_message: logWithCost.error_message,
+            cost_status: cost.cost_status,
+            subscription_code: logWithCost.subscription_code
+          });
+          if (updated === 0)
+            return false;
+          insertCostAudit(id, logWithCost, cost);
+          const day = logWithCost.started_at.slice(0, 10);
+          UsageRepo.upsertDaily(db, {
+            day,
+            provider: logWithCost.provider,
+            model: logWithCost.model,
+            request_count: 1,
+            prompt_tokens: logWithCost.prompt_tokens,
+            completion_tokens: logWithCost.completion_tokens,
+            cache_creation_tokens: logWithCost.cache_creation_tokens,
+            cache_read_tokens: logWithCost.cache_read_tokens,
+            total_tokens: logWithCost.total_tokens,
+            cost_usd: cost.cost_usd
+          });
+          return true;
+        });
+        return txn();
+      }
+      async function recordUsage(log) {
+        const cost = computeCost(log);
+        const logWithCost = { ...log, cost_usd: cost.cost_usd, cost_status: cost.cost_status };
+        const txn = db.transaction(() => {
+          const id = RequestRepo.insert(db, logWithCost);
+          insertCostAudit(id, logWithCost, cost);
+          const day = log.started_at.slice(0, 10);
+          UsageRepo.upsertDaily(db, {
+            day,
+            provider: log.provider,
+            model: log.model,
+            request_count: 1,
+            prompt_tokens: log.prompt_tokens,
+            completion_tokens: log.completion_tokens,
+            cache_creation_tokens: log.cache_creation_tokens,
+            cache_read_tokens: log.cache_read_tokens,
+            total_tokens: log.total_tokens,
+            cost_usd: cost.cost_usd
+          });
+          return id;
+        });
+        return txn();
+      }
+      async function backfillCosts(options2 = {}) {
+        try {
+          await Pricing.fetchPricing({ force: true });
+        } catch (err) {
+          logger5.warn("pricing refresh failed before cost backfill", { err, event: "cost.backfill_pricing_failed" });
+        }
+        const lookbackMs = options2.lookbackMs ?? Config2.costBackfillLookbackMs;
+        const limitClause = options2.limit && options2.limit > 0 ? " LIMIT ?" : "";
+        const sinceClause = options2.all ? "" : "AND started_at >= ?";
+        const sinceIso = new Date(Date.now() - lookbackMs).toISOString();
+        const params = [];
+        if (!options2.all)
+          params.push(sinceIso);
+        if (options2.limit && options2.limit > 0)
+          params.push(options2.limit);
+        const rows = db.query(`
+        SELECT id, provider, model, prompt_tokens, completion_tokens,
+               cache_creation_tokens, cache_read_tokens, reasoning_tokens, cost_usd, cost_status
+        FROM request_logs
+        WHERE lifecycle_status IN ('completed', 'error')
+          AND cost_status IN ('pending', 'unresolved')
+          ${sinceClause}
+        ORDER BY id ASC${limitClause}
+      `).all(...params);
+        let updated = 0;
+        const statusCounts = { ok: 0, pending: 0, unsupported: 0 };
+        const updateTxn = db.transaction(() => {
+          const updateLog = db.prepare("UPDATE request_logs SET cost_usd = ?, cost_status = 'ok' WHERE id = ? AND cost_status IN ('pending', 'unresolved')");
+          for (const row of rows) {
+            const cost = computeCost(row);
+            statusCounts[cost.cost_status] += 1;
+            insertCostAudit(row.id, row, cost);
+            if ((row.cost_status === "pending" || row.cost_status === "unresolved") && cost.cost_status === "ok") {
+              const result = updateLog.run(cost.cost_usd, row.id);
+              updated += result.changes;
+            }
+          }
+          db.exec(`
+          DELETE FROM daily_usage;
+          INSERT INTO daily_usage (
+            day, provider, model, request_count, prompt_tokens,
+            completion_tokens, cache_creation_tokens, cache_read_tokens,
+            total_tokens, cost_usd
+          )
+          SELECT
+            substr(started_at, 1, 10), provider, model, COUNT(*),
+            SUM(prompt_tokens), SUM(completion_tokens), SUM(cache_creation_tokens),
+            SUM(cache_read_tokens), SUM(total_tokens), SUM(cost_usd)
+          FROM request_logs
+          GROUP BY substr(started_at, 1, 10), provider, model;
+        `);
+        });
+        updateTxn();
+        return { scanned: rows.length, updated, ...statusCounts };
+      }
+      function computeCost(log) {
+        return Cost.compute(Cost.inputsFromLog(log));
+      }
+      function insertCostAudit(requestLogId, log, cost) {
+        RequestRepo.insertCostAudit(db, {
+          request_log_id: requestLogId,
+          model: log.model,
+          provider: log.provider,
+          source: cost.source,
+          base_cost_usd: cost.cost_usd
+        });
+      }
+      function getToday() {
+        const today = new Date().toISOString().slice(0, 10);
+        const breakdown = UsageRepo.getDaily(db, today);
+        const totals = breakdown.reduce((acc, row) => ({
+          requests: acc.requests + row.request_count,
+          total_tokens: acc.total_tokens + row.total_tokens,
+          cost_usd: acc.cost_usd + row.cost_usd
+        }), { requests: 0, total_tokens: 0, cost_usd: 0 });
+        return {
+          date: today,
+          requests: totals.requests,
+          total_tokens: totals.total_tokens,
+          cost_usd: totals.cost_usd,
+          breakdown
+        };
+      }
+      function getDateRange(from, to) {
+        const rows = UsageRepo.getRange(db, from, to);
+        const byDay = new Map;
+        for (const row of rows) {
+          const existing = byDay.get(row.day) ?? [];
+          existing.push(row);
+          byDay.set(row.day, existing);
+        }
+        return Array.from(byDay.entries()).map(([day, breakdown]) => {
+          const totals = breakdown.reduce((acc, row) => ({
+            requests: acc.requests + row.request_count,
+            total_tokens: acc.total_tokens + row.total_tokens,
+            cost_usd: acc.cost_usd + row.cost_usd
+          }), { requests: 0, total_tokens: 0, cost_usd: 0 });
+          return { date: day, ...totals, breakdown };
+        });
+      }
+      function getModelBreakdown(day) {
+        return UsageRepo.getDaily(db, day);
+      }
+      function getProviderBreakdown(day) {
+        const rows = UsageRepo.getDaily(db, day);
+        const byProvider = new Map;
+        for (const row of rows) {
+          const existing = byProvider.get(row.provider) ?? {
+            provider: row.provider,
+            request_count: 0,
+            total_tokens: 0,
+            cost_usd: 0
+          };
+          existing.request_count += row.request_count;
+          existing.total_tokens += row.total_tokens;
+          existing.cost_usd += row.cost_usd;
+          byProvider.set(row.provider, existing);
+        }
+        return Array.from(byProvider.values());
+      }
+      function getTotalStats() {
+        const stmt = db.prepare(`
+        SELECT 
+          COUNT(*) as total_requests,
+          SUM(total_tokens) as total_tokens,
+          SUM(cost_usd) as total_cost_usd,
+          MIN(started_at) as first_request_at,
+          MAX(started_at) as last_request_at
+        FROM request_logs
+      `);
+        const row = stmt.get();
+        return {
+          total_requests: Number(row.total_requests ?? 0),
+          total_tokens: Number(row.total_tokens ?? 0),
+          total_cost_usd: Number(row.total_cost_usd ?? 0),
+          first_request_at: row.first_request_at ?? null,
+          last_request_at: row.last_request_at ?? null
+        };
+      }
+      function getRecentLogs(limit, offset, tool, clientId) {
+        return RequestRepo.getRecent(db, limit, offset, tool, clientId);
+      }
+      function getLogById(id) {
+        return RequestRepo.getById(db, id);
+      }
+      function getUncorrelatedLogs(sinceMs, limit) {
+        return RequestRepo.getUncorrelated(db, sinceMs, limit);
+      }
+      function applyCorrelation(id, log, fields) {
+        const txn = db.transaction(() => {
+          RequestRepo.applyCorrelation(db, id, fields);
+          if (fields.cliproxy_account) {
+            applySubscriptionAttribution(db, id, fields.cliproxy_account, serviceLogger, now);
+            UsageRepo.upsertDailyAccount(db, {
+              day: log.started_at.slice(0, 10),
+              provider: log.provider,
+              model: log.model,
+              cliproxy_account: fields.cliproxy_account,
+              cliproxy_auth_index: fields.cliproxy_auth_index,
+              request_count: 1,
+              prompt_tokens: log.prompt_tokens,
+              completion_tokens: log.completion_tokens,
+              cache_creation_tokens: log.cache_creation_tokens,
+              cache_read_tokens: log.cache_read_tokens,
+              reasoning_tokens: fields.reasoning_tokens ?? 0,
+              total_tokens: log.total_tokens,
+              cost_usd: log.cost_usd
+            });
+          }
+        });
+        txn();
+      }
+      function applySubscriptionAttribution(database, requestLogId, cliproxyAccount, targetLogger, currentDate) {
+        const binding = AccountSubscriptionRepo.get(database, cliproxyAccount);
+        if (binding) {
+          RequestRepo.applySubscription(database, requestLogId, binding.subscription_code);
+          return;
+        }
+        warnUnmappedSubscription(targetLogger, cliproxyAccount, currentDate());
+      }
+      function getAccountSummary(from, to) {
+        return UsageRepo.getAccountSummary(db, from, to);
+      }
+      function getAccountDaily(day) {
+        return UsageRepo.getDailyByAccount(db, day);
+      }
+      function getAccountRange(from, to) {
+        return UsageRepo.getAccountRange(db, from, to);
+      }
+      function withLocalUsage(report) {
+        const now2 = Date.now();
+        const fiveHourSince = new Date(now2 - 5 * 60 * 60 * 1000).toISOString();
+        const sevenDaySince = new Date(now2 - 7 * 24 * 60 * 60 * 1000).toISOString();
+        const localProvider = report.provider === "claude" ? "anthropic" : "openai";
+        return {
+          ...report,
+          local_usage: {
+            five_hour: QuotaRepo.getLocalWindowUsage(db, localProvider, report.account, fiveHourSince),
+            seven_day: QuotaRepo.getLocalWindowUsage(db, localProvider, report.account, sevenDaySince)
+          }
+        };
+      }
+      async function refreshQuotas() {
+        const result = await QuotaProbe.refresh();
+        let inserted = 0;
+        const accounts = result.accounts.map(withLocalUsage);
+        const txn = db.transaction(() => {
+          for (const account of accounts) {
+            for (const snapshot of account.windows) {
+              QuotaRepo.insertSnapshot(db, snapshot);
+              inserted += 1;
+            }
+          }
+        });
+        txn();
+        return { ...result, inserted, accounts };
+      }
+      async function startQuotaRefresh(options2 = {}) {
+        if (!Config2.cliproxyAuthDir) {
+          logger5.info("quota background refresh skipped", {
+            event: "quota.refresh_skipped",
+            reason: "missing_auth_dir"
+          });
+          return null;
+        }
+        let authFileNames;
+        try {
+          authFileNames = await readdir2(Config2.cliproxyAuthDir);
+        } catch (err) {
+          logger5.warn("quota background refresh skipped", {
+            event: "quota.refresh_skipped",
+            reason: "auth_dir_unreadable",
+            err,
+            path: Config2.cliproxyAuthDir
+          });
+          return null;
+        }
+        if (!authFileNames.some((name) => name.endsWith(".json"))) {
+          logger5.info("quota background refresh skipped", {
+            event: "quota.refresh_skipped",
+            reason: "no_auth_files",
+            path: Config2.cliproxyAuthDir
+          });
+          return null;
+        }
+        return Supervisor.run("quota-refresh", async () => {
+          await refreshQuotas();
+        }, {
+          intervalMs: options2.intervalMs ?? Config2.quotaRefreshIntervalMs,
+          signal: options2.signal
+        });
+      }
+      function getLatestQuotas() {
+        return QuotaRepo.getLatest(db);
+      }
+      return {
+        db,
+        preLog,
+        finalizeUsage,
+        recordUsage,
+        getToday,
+        getDateRange,
+        getModelBreakdown,
+        getProviderBreakdown,
+        getTotalStats,
+        getRecentLogs,
+        getLogById,
+        backfillCosts,
+        getUncorrelatedLogs,
+        applyCorrelation,
+        getAccountSummary,
+        getAccountDaily,
+        getAccountRange,
+        refreshQuotas,
+        startQuotaRefresh,
+        getLatestQuotas
+      };
+    }
+    UsageService.create = create;
+    function warnUnmappedSubscription(targetLogger, cliproxyAccount, date = new Date) {
+      const day = date.toISOString().slice(0, 10);
+      const key = `${cliproxyAccount}:${day}`;
+      if (unmappedSubscriptionWarnings.has(key))
+        return;
+      unmappedSubscriptionWarnings.set(key, true);
+      targetLogger.warn("plans unmapped", {
+        event: "plans.unmapped",
+        cliproxy_account: cliproxyAccount
+      });
+    }
+    UsageService.warnUnmappedSubscription = warnUnmappedSubscription;
+    function startCostBackfillLoop(service, options = {}) {
+      return Supervisor.run("cost-backfill", async () => {
+        const result = await service.backfillCosts();
+        costBackfillLogger.info("cost backfill completed", { event: "cost.backfill", ...result });
+      }, {
+        intervalMs: options.intervalMs ?? Config2.costBackfillIntervalMs,
+        signal: options.signal
+      });
+    }
+    UsageService.startCostBackfillLoop = startCostBackfillLoop;
+  })(UsageService ||= {});
+});
+
+// src/server/request-inspector.ts
+var RequestInspector;
+var init_request_inspector = __esm(() => {
+  ((RequestInspector) => {
+    async function inspect(req) {
+      const url = new URL(req.url);
+      const path = url.pathname;
+      const method = req.method;
+      const userAgent = req.headers.get("user-agent");
+      const agentName = req.headers.get("x-agent-name");
+      const originator = req.headers.get("originator");
+      const sessionId = req.headers.get("x-opencode-session") || req.headers.get("x-openclaw-session-id") || req.headers.get("x-activity-request-id");
+      const apiKey = req.headers.get("authorization")?.replace("Bearer ", "").trim() || req.headers.get("x-api-key");
+      const forwarded = req.headers.get("x-forwarded-for");
+      const clientIp = forwarded ? forwarded.split(",")[0]?.trim() : null;
+      let model = null;
+      let isStreaming = false;
+      if (method === "POST" && (path === "/v1/messages" || path === "/v1/chat/completions")) {
+        try {
+          const cloned = req.clone();
+          const body = await cloned.json();
+          if (typeof body.model === "string") {
+            model = body.model;
+          }
+          if (body.stream === true || body.stream === "true") {
+            isStreaming = true;
+          }
+        } catch {}
+      }
+      return {
+        model,
+        agentName,
+        userAgent,
+        originator,
+        sessionId,
+        apiKey,
+        isStreaming,
+        path,
+        method,
+        clientIp
+      };
+    }
+    RequestInspector.inspect = inspect;
+    function isClaudeModel(model) {
+      return !!model && model.startsWith("claude");
+    }
+    RequestInspector.isClaudeModel = isClaudeModel;
+    function detectTool(info) {
+      if (info.agentName) {
+        return info.agentName;
+      }
+      if (info.userAgent) {
+        const ua = info.userAgent.toLowerCase();
+        if (ua.includes("opencode"))
+          return "opencode";
+        if (ua.includes("openclaw"))
+          return "openclaw";
+        if (ua.includes("hermes"))
+          return "hermes-agent";
+        if (ua.includes("anthropic"))
+          return "anthropic-sdk";
+      }
+      if (info.originator) {
+        return info.originator.toLowerCase();
+      }
+      if (info.sessionId) {
+        if (info.sessionId.startsWith("opencode-"))
+          return "opencode";
+        if (info.sessionId.startsWith("openclaw-"))
+          return "openclaw";
+      }
+      return "unknown";
+    }
+    RequestInspector.detectTool = detectTool;
+    function generateClientId(tool, info) {
+      const parts = [tool];
+      if (info.agentName) {
+        parts.push(info.agentName);
+      } else if (info.sessionId) {
+        parts.push(info.sessionId.slice(0, 8));
+      } else if (info.apiKey) {
+        parts.push(info.apiKey.slice(0, 8));
+      }
+      return parts.join("-");
+    }
+    RequestInspector.generateClientId = generateClientId;
+  })(RequestInspector ||= {});
+});
+
+// src/server/response-parser.ts
+var ResponseParser;
+var init_response_parser = __esm(() => {
+  ((ResponseParser) => {
+    function parseResponseBody(body) {
+      try {
+        const json = JSON.parse(body);
+        return {
+          actualModel: extractModel(json),
+          usage: extractUsage(json)
+        };
+      } catch {
+        return { actualModel: null, usage: null };
+      }
+    }
+    ResponseParser.parseResponseBody = parseResponseBody;
+    function parseSSELine(line) {
+      try {
+        const json = JSON.parse(line);
+        if (json.type === "message_start" && json.message) {
+          const msg = json.message;
+          return {
+            actualModel: typeof msg.model === "string" ? msg.model : null,
+            usage: extractAnthropicUsage(msg)
+          };
+        }
+        if (json.type === "message_delta" && json.usage) {
+          return {
+            actualModel: null,
+            usage: extractAnthropicUsage(json)
+          };
+        }
+        if (json.choices && Array.isArray(json.choices)) {
+          return {
+            actualModel: typeof json.model === "string" ? json.model : null,
+            usage: extractOpenAIUsage(json)
+          };
+        }
+        if (json.usage && !json.choices) {
+          return {
+            actualModel: typeof json.model === "string" ? json.model : null,
+            usage: extractOpenAIUsage(json)
+          };
+        }
+        return { actualModel: null, usage: null };
+      } catch {
+        return { actualModel: null, usage: null };
+      }
+    }
+    ResponseParser.parseSSELine = parseSSELine;
+    function extractModel(json) {
+      if (typeof json.model === "string") {
+        return json.model;
+      }
+      if (json.message && typeof json.message.model === "string") {
+        return json.message.model;
+      }
+      return null;
+    }
+    function extractUsage(json) {
+      if (!json.usage || typeof json.usage !== "object") {
+        return null;
+      }
+      const usage = json.usage;
+      if (typeof usage.input_tokens === "number") {
+        return {
+          prompt_tokens: usage.input_tokens,
+          completion_tokens: typeof usage.output_tokens === "number" ? usage.output_tokens : 0,
+          total_tokens: (typeof usage.input_tokens === "number" ? usage.input_tokens : 0) + (typeof usage.output_tokens === "number" ? usage.output_tokens : 0),
+          cache_creation_tokens: typeof usage.cache_creation_input_tokens === "number" ? usage.cache_creation_input_tokens : 0,
+          cache_read_tokens: typeof usage.cache_read_input_tokens === "number" ? usage.cache_read_input_tokens : 0,
+          reasoning_tokens: typeof usage.reasoning_tokens === "number" ? usage.reasoning_tokens : 0
+        };
+      }
+      if (typeof usage.prompt_tokens === "number") {
+        const details = typeof usage.completion_tokens_details === "object" && usage.completion_tokens_details ? usage.completion_tokens_details : null;
+        const promptDetails = typeof usage.prompt_tokens_details === "object" && usage.prompt_tokens_details ? usage.prompt_tokens_details : null;
+        return {
+          prompt_tokens: usage.prompt_tokens,
+          completion_tokens: typeof usage.completion_tokens === "number" ? usage.completion_tokens : 0,
+          total_tokens: typeof usage.total_tokens === "number" ? usage.total_tokens : 0,
+          cache_creation_tokens: 0,
+          cache_read_tokens: typeof promptDetails?.cached_tokens === "number" ? promptDetails.cached_tokens : 0,
+          reasoning_tokens: typeof details?.reasoning_tokens === "number" ? details.reasoning_tokens : 0
+        };
+      }
+      return null;
+    }
+    function extractAnthropicUsage(obj) {
+      if (!obj.usage || typeof obj.usage !== "object")
+        return null;
+      const usage = obj.usage;
+      return {
+        prompt_tokens: usage.input_tokens ?? 0,
+        completion_tokens: usage.output_tokens ?? 0,
+        total_tokens: (usage.input_tokens ?? 0) + (usage.output_tokens ?? 0),
+        cache_creation_tokens: usage.cache_creation_input_tokens ?? 0,
+        cache_read_tokens: usage.cache_read_input_tokens ?? 0,
+        reasoning_tokens: usage.reasoning_tokens ?? 0
+      };
+    }
+    function extractOpenAIUsage(obj) {
+      if (!obj.usage || typeof obj.usage !== "object")
+        return null;
+      const usage = obj.usage;
+      const promptDetails = typeof usage.prompt_tokens_details === "object" && usage.prompt_tokens_details ? usage.prompt_tokens_details : null;
+      const completionDetails = typeof usage.completion_tokens_details === "object" && usage.completion_tokens_details ? usage.completion_tokens_details : null;
+      return {
+        prompt_tokens: typeof usage.prompt_tokens === "number" ? usage.prompt_tokens : 0,
+        completion_tokens: typeof usage.completion_tokens === "number" ? usage.completion_tokens : 0,
+        total_tokens: typeof usage.total_tokens === "number" ? usage.total_tokens : 0,
+        cache_creation_tokens: 0,
+        cache_read_tokens: typeof promptDetails?.cached_tokens === "number" ? promptDetails.cached_tokens : 0,
+        reasoning_tokens: typeof completionDetails?.reasoning_tokens === "number" ? completionDetails.reasoning_tokens : 0
+      };
+    }
+  })(ResponseParser ||= {});
+});
+// src/provider/anthropic/index.ts
+var Anthropic;
+var init_anthropic = __esm(() => {
+  init_config();
+  ((Anthropic) => {
+    function extractFirstUserMessageText(messages) {
+      const userMsg = messages.find((message) => message.role === "user");
+      if (!userMsg)
+        return "";
+      const { content } = userMsg;
+      if (typeof content === "string")
+        return content;
+      if (Array.isArray(content)) {
+        const textBlock = content.find((block) => block.type === "text");
+        if (textBlock?.text)
+          return textBlock.text;
+      }
+      return "";
+    }
+    Anthropic.extractFirstUserMessageText = extractFirstUserMessageText;
+    function sha256hex(text) {
+      const hasher = new Bun.CryptoHasher("sha256");
+      hasher.update(text);
+      return hasher.digest("hex");
+    }
+    function computeCCH(messageText) {
+      return sha256hex(messageText).slice(0, 5);
+    }
+    Anthropic.computeCCH = computeCCH;
+    function computeVersionSuffix(messageText, version = Config2.claudeCodeVersion) {
+      const chars = Config2.cchPositions.map((index) => messageText[index] ?? "0").join("");
+      return sha256hex(`${Config2.cchSalt}${chars}${version}`).slice(0, 3);
+    }
+    Anthropic.computeVersionSuffix = computeVersionSuffix;
+    function buildBillingHeaderValue(messages, entrypoint, version = Config2.claudeCodeVersion) {
+      const text = extractFirstUserMessageText(messages);
+      const suffix = computeVersionSuffix(text, version);
+      const cch = computeCCH(text);
+      return "x-anthropic-billing-header: " + `cc_version=${version}.${suffix}; ` + `cc_entrypoint=${entrypoint}; ` + `cch=${cch};`;
+    }
+    Anthropic.buildBillingHeaderValue = buildBillingHeaderValue;
+    const SESSION_ID = crypto.randomUUID();
+    function detectOS() {
+      switch (process.platform) {
+        case "darwin":
+          return "macOS";
+        case "linux":
+          return "Linux";
+        case "win32":
+          return "Windows";
+        default:
+          return "Linux";
+      }
+    }
+    function detectArch() {
+      return process.arch === "arm64" ? "arm64" : "x64";
+    }
+    function buildClaudeCodeHeaders() {
+      return {
+        "user-agent": `claude-cli/${Config2.claudeCodeVersion} (external, cli)`,
+        "x-app": "cli",
+        "x-claude-code-session-id": SESSION_ID,
+        "x-stainless-arch": detectArch(),
+        "x-stainless-os": detectOS(),
+        "x-stainless-lang": "js",
+        "x-stainless-runtime": "node",
+        "x-stainless-runtime-version": process.version,
+        "anthropic-beta": "claude-code-20250219,oauth-2025-04-20,interleaved-thinking-2025-05-14",
+        "anthropic-dangerous-direct-browser-access": "true"
+      };
+    }
+    Anthropic.buildClaudeCodeHeaders = buildClaudeCodeHeaders;
+  })(Anthropic ||= {});
+});
+
+// src/provider/anthropic/transform.ts
+function prefixName(name) {
+  return `${Config2.toolPrefix}${name.charAt(0).toUpperCase()}${name.slice(1)}`;
+}
+function unprefixName(name) {
+  if (name === "StructuredOutput")
+    return name;
+  return `${name.charAt(0).toLowerCase()}${name.slice(1)}`;
+}
+function sanitizeText(text) {
+  const paragraphs = text.split(/\n\n+/);
+  const filtered = paragraphs.filter((paragraph) => {
+    if (paragraph.includes(OPENCODE_IDENTITY_PREFIX))
+      return false;
+    for (const anchor of PARAGRAPH_REMOVAL_ANCHORS) {
+      if (paragraph.includes(anchor))
+        return false;
+    }
+    return true;
+  });
+  let result = filtered.join(`
+
+`);
+  for (const rule of TEXT_REPLACEMENTS) {
+    result = result.replace(rule.match, rule.replacement);
+  }
+  return result.trim();
+}
+function sanitizeSystemText(system) {
+  return system.map((block) => ({ ...block, text: sanitizeText(block.text) })).filter((block) => block.text.length > 0);
+}
+function prependClaudeCodeIdentity(system, billingHeader) {
+  const identityBlock = { type: "text", text: CLAUDE_CODE_IDENTITY };
+  if (system.length > 0 && system[0]?.text === CLAUDE_CODE_IDENTITY) {
+    return system;
+  }
+  const result = [identityBlock, ...system];
+  if (billingHeader) {
+    result.unshift({ type: "text", text: billingHeader });
+  }
+  return result;
+}
+function prefixToolNames(body) {
+  const result = { ...body };
+  if (result.tools && Array.isArray(result.tools)) {
+    result.tools = result.tools.map((tool) => ({
+      ...tool,
+      name: tool.name ? prefixName(tool.name) : tool.name
+    }));
+  }
+  if (result.messages && Array.isArray(result.messages)) {
+    result.messages = result.messages.map((msg) => {
+      if (msg.content && Array.isArray(msg.content)) {
+        return {
+          ...msg,
+          content: msg.content.map((block) => {
+            if (block.type === "tool_use" && block.name) {
+              return { ...block, name: prefixName(block.name) };
+            }
+            return block;
+          })
+        };
+      }
+      return msg;
+    });
+  }
+  return result;
+}
+function stripToolPrefix(body) {
+  return {
+    ...body,
+    content: body.content.map((block) => {
+      if (block.type === "tool_use" && block.name?.startsWith(Config2.toolPrefix)) {
+        return {
+          ...block,
+          name: unprefixName(block.name.slice(Config2.toolPrefix.length))
+        };
+      }
+      return block;
+    })
+  };
+}
+function stripToolPrefixFromLine(line) {
+  return line.replace(/"name"\s*:\s*"mcp_([^"]+)"/g, (_match, name) => `"name": "${unprefixName(name)}"`);
+}
+function normalizeSystem(system) {
+  if (system == null)
+    return [];
+  if (typeof system === "string") {
+    return system.length > 0 ? [{ type: "text", text: system }] : [];
+  }
+  return system;
+}
+function hasUserMessage(messages) {
+  return messages.some((m) => m.role === "user");
+}
+function rewriteRequestBody(body) {
+  const result = { ...body };
+  const rawSystem = normalizeSystem(result.system);
+  const sanitized = sanitizeSystemText(rawSystem);
+  const billingHeader = result.messages && hasUserMessage(result.messages) ? Anthropic.buildBillingHeaderValue(result.messages, CLAUDE_CODE_ENTRYPOINT) : "";
+  const withIdentity = prependClaudeCodeIdentity(sanitized, billingHeader);
+  const coreBlockCount = billingHeader ? 2 : 1;
+  if (withIdentity.length > coreBlockCount && result.messages && Array.isArray(result.messages)) {
+    const kept = withIdentity.slice(0, coreBlockCount);
+    const movedTexts = [];
+    for (let i = coreBlockCount;i < withIdentity.length; i++) {
+      const entry = withIdentity[i];
+      if (entry.text.length > 0)
+        movedTexts.push(entry.text);
+    }
+    if (movedTexts.length > 0) {
+      const firstUser = result.messages.find((m) => m.role === "user");
+      if (firstUser) {
+        result.system = kept;
+        const prefix = movedTexts.join(`
+
+`);
+        result.messages = result.messages.map((msg) => {
+          if (msg !== firstUser)
+            return msg;
+          if (typeof msg.content === "string") {
+            return { ...msg, content: `${prefix}
+
+${msg.content}` };
+          } else if (Array.isArray(msg.content)) {
+            return {
+              ...msg,
+              content: [
+                { type: "text", text: prefix },
+                ...msg.content
+              ]
+            };
+          }
+          return msg;
+        });
+      } else {
+        result.system = withIdentity;
+      }
+    } else {
+      result.system = kept;
+    }
+  } else {
+    result.system = withIdentity;
+  }
+  return prefixToolNames(result);
+}
+var OPENCODE_IDENTITY_PREFIX = "You are OpenCode", CLAUDE_CODE_IDENTITY = "You are a Claude agent, built on Anthropic's Claude Agent SDK.", CLAUDE_CODE_ENTRYPOINT = "sdk-cli", PARAGRAPH_REMOVAL_ANCHORS, TEXT_REPLACEMENTS;
+var init_transform = __esm(() => {
+  init_config();
+  init_anthropic();
+  PARAGRAPH_REMOVAL_ANCHORS = [
+    "github.com/anomalyco/opencode",
+    "opencode.ai/docs"
+  ];
+  TEXT_REPLACEMENTS = [
+    { match: "if OpenCode honestly", replacement: "if the assistant honestly" }
+  ];
+});
+
+// src/server/pass-through.ts
+var logger6, PassThroughProxy;
+var init_pass_through = __esm(() => {
+  init_config();
+  init_request_inspector();
+  init_response_parser();
+  init_anthropic();
+  init_transform();
+  init_client();
+  init_logger();
+  logger6 = Logger.fromConfig().child({ component: "pass-through" });
+  ((PassThroughProxy) => {
+    function create(usageService, dependencies = {}) {
+      const fetchUpstream = dependencies.fetch ?? UpstreamClient.fetch;
+      return async function handle(req, info) {
+        const startTime = Date.now();
+        const lifecycle = preLog(req, info, usageService, startTime);
+        const requestInfo = { ...info, requestId: lifecycle.requestId };
+        const upstreamUrl = `${Config2.cliProxyApiUrl}${requestInfo.path}`;
+        let streamHandedOff = false;
+        try {
+          const { body, rewritten } = await buildBody(req, requestInfo);
+          const upstreamResponse = await fetchUpstream({
+            method: req.method,
+            url: upstreamUrl,
+            headers: buildHeaders(req.headers, requestInfo, rewritten),
+            body,
+            providerId: lifecycle.provider,
+            idempotent: isIdempotentMethod(req.method),
+            signal: req.signal
+          });
+          const isStreaming = upstreamResponse.headers.get("content-type")?.includes("text/event-stream") ?? false;
+          if (isStreaming) {
+            streamHandedOff = true;
+            return handleStreaming(upstreamResponse, requestInfo, usageService, lifecycle);
+          }
+          return await handleNonStreaming(upstreamResponse, requestInfo, usageService, lifecycle);
+        } catch (err) {
+          const aborted = isAbortLike(err, req.signal);
+          const status = aborted ? 499 : 502;
+          const message = errorMessage2(err, aborted ? "request aborted" : "upstream unavailable");
+          logger6.error("upstream fetch failed", { event: "passthrough.upstream_error", err, path: requestInfo.path, request_id: lifecycle.requestId });
+          await finalizeOnce(usageService, lifecycle, {
+            parsed: { actualModel: null, usage: null },
+            status,
+            isStreaming: false,
+            lifecycleStatus: aborted ? "aborted" : "error",
+            errorMessage: message,
+            errorCode: aborted ? "aborted" : "bad_gateway"
+          });
+          return new Response(JSON.stringify({ error: aborted ? "Request aborted" : "Upstream unavailable" }), { status, headers: { "content-type": "application/json" } });
+        } finally {
+          if (!streamHandedOff && !lifecycle.finalized && !lifecycle.finalizing) {
+            await finalizeOnce(usageService, lifecycle, {
+              parsed: { actualModel: null, usage: null },
+              status: 500,
+              isStreaming: false,
+              lifecycleStatus: "error",
+              errorMessage: "unhandled passthrough exit",
+              errorCode: "internal_error"
+            });
+          }
+        }
+      };
+    }
+    PassThroughProxy.create = create;
+    function preLog(req, info, usageService, startTime) {
+      const requestId = crypto.randomUUID();
+      info.requestId = requestId;
+      const provider = providerForPath(info.path);
+      const tool = RequestInspector.detectTool(info);
+      const clientId = RequestInspector.generateClientId(tool, info);
+      const startedAt = new Date(startTime).toISOString();
+      const msgId = req.headers.get("x-msg-id") ?? req.headers.get("x-message-id") ?? req.headers.get("x-request-id") ?? undefined;
+      const source = "proxy";
+      const id = usageService.preLog({
+        request_id: requestId,
+        provider,
+        model: info.model ?? "unknown",
+        tool,
+        client_id: clientId,
+        path: info.path,
+        streamed: info.isStreaming ? 1 : 0,
+        prompt_tokens: 0,
+        completion_tokens: 0,
+        cache_creation_tokens: 0,
+        cache_read_tokens: 0,
+        reasoning_tokens: 0,
+        total_tokens: 0,
+        cost_usd: 0,
+        incomplete: 0,
+        started_at: startedAt,
+        meta_json: JSON.stringify({ method: info.method, originator: info.originator, session_id: info.sessionId }),
+        user_agent: info.userAgent ?? undefined,
+        source_ip: info.clientIp ?? undefined,
+        lifecycle_status: "pending",
+        cost_status: "unresolved",
+        agent: info.agentName ?? undefined,
+        source,
+        msg_id: msgId
+      });
+      logger6.info("request pre-logged", {
+        event: "lifecycle.pre_logged",
+        request_id: requestId,
+        row_id: id,
+        provider,
+        model: info.model ?? "unknown",
+        path: info.path,
+        tool,
+        client_id: clientId
+      });
+      return {
+        id,
+        requestId,
+        startTime,
+        startedAt,
+        provider,
+        model: info.model ?? "unknown",
+        tool,
+        clientId,
+        path: info.path,
+        userAgent: info.userAgent ?? undefined,
+        sourceIp: info.clientIp ?? undefined,
+        agent: info.agentName ?? undefined,
+        source,
+        msgId,
+        finalized: false,
+        finalizing: null
+      };
+    }
+    async function buildBody(req, info) {
+      if (!info.path.includes("messages"))
+        return { body: req.body, rewritten: false };
+      const text = await req.text();
+      try {
+        const rewritten = rewriteRequestBody(JSON.parse(text));
+        return { body: JSON.stringify(rewritten), rewritten: true };
+      } catch (err) {
+        logger6.warn("anthropic rewrite failed, forwarding original body", { err, path: info.path, request_id: info.requestId });
+        return { body: text, rewritten: false };
+      }
+    }
+    function buildHeaders(headers, info, bodyRewritten = false) {
+      const result = new Headers(headers);
+      result.set("authorization", `Bearer ${Config2.cliProxyApiKey}`);
+      result.delete("host");
+      result.delete("content-length");
+      result.delete("content-encoding");
+      result.delete("accept-encoding");
+      if (info.path.includes("messages")) {
+        for (const [key, value] of Object.entries(Anthropic.buildClaudeCodeHeaders())) {
+          result.set(key, value);
+        }
+        if (bodyRewritten)
+          result.set("content-type", "application/json");
+      }
+      return result;
+    }
+    PassThroughProxy.buildHeaders = buildHeaders;
+    function isIdempotentMethod(method) {
+      return method === "GET" || method === "HEAD" || method === "OPTIONS" || method === "DELETE" || method === "PUT";
+    }
+    async function handleNonStreaming(upstreamResponse, info, usageService, lifecycle) {
+      let responseText = await upstreamResponse.text();
+      if (info.path.includes("messages") && upstreamResponse.status < 400) {
+        try {
+          responseText = JSON.stringify(stripToolPrefix(JSON.parse(responseText)));
+        } catch (err) {
+          logger6.warn("anthropic response transform failed", { err, path: info.path, status: upstreamResponse.status, request_id: lifecycle.requestId });
+        }
+      }
+      const parsed = ResponseParser.parseResponseBody(responseText);
+      const lifecycleStatus = upstreamResponse.status >= 400 ? "error" : "completed";
+      await finalizeOnce(usageService, lifecycle, {
+        parsed,
+        status: upstreamResponse.status,
+        isStreaming: false,
+        lifecycleStatus,
+        errorMessage: lifecycleStatus === "error" ? upstreamErrorMessage(upstreamResponse.status, responseText) : undefined,
+        errorCode: lifecycleStatus === "error" ? "upstream_error" : undefined
+      });
+      return new Response(responseText, {
+        status: upstreamResponse.status,
+        headers: {
+          "content-type": upstreamResponse.headers.get("content-type") ?? "application/json"
+        }
+      });
+    }
+    function handleStreaming(upstreamResponse, info, usageService, lifecycle) {
+      const upstreamBody = upstreamResponse.body;
+      if (!upstreamBody) {
+        finalizeOnce(usageService, lifecycle, {
+          parsed: { actualModel: null, usage: null },
+          status: upstreamResponse.status,
+          isStreaming: true,
+          lifecycleStatus: upstreamResponse.status >= 400 ? "error" : "completed",
+          errorMessage: upstreamResponse.status >= 400 ? `upstream HTTP ${upstreamResponse.status}` : undefined,
+          errorCode: upstreamResponse.status >= 400 ? "upstream_error" : undefined
+        });
+        return new Response(null, { status: upstreamResponse.status });
+      }
+      const decoder = new TextDecoder;
+      const encoder = new TextEncoder;
+      let partialLine = "";
+      let accumulated = null;
+      let actualModel = null;
+      let streamDone = false;
+      function processLine(line) {
+        if (line.startsWith("data: ")) {
+          const dataContent = line.slice(6);
+          const parsed = ResponseParser.parseSSELine(dataContent);
+          if (parsed.actualModel)
+            actualModel = parsed.actualModel;
+          if (parsed.usage)
+            accumulated = mergeUsage(accumulated, parsed.usage);
+        }
+        return info.path.includes("messages") ? stripToolPrefixFromLine(line) : line;
+      }
+      const transform = new TransformStream({
+        transform(chunk, controller) {
+          const text = decoder.decode(chunk, { stream: true });
+          const combined = partialLine + text;
+          const lines = combined.split(`
+`);
+          partialLine = lines.pop() ?? "";
+          let output = "";
+          for (const line of lines) {
+            output += `${processLine(line)}
+`;
+          }
+          if (output)
+            controller.enqueue(encoder.encode(output));
+        },
+        async flush(controller) {
+          try {
+            const tail = partialLine + decoder.decode();
+            partialLine = "";
+            if (tail)
+              controller.enqueue(encoder.encode(processLine(tail)));
+            streamDone = true;
+            await finalizeOnce(usageService, lifecycle, {
+              parsed: { actualModel, usage: accumulated },
+              status: upstreamResponse.status,
+              isStreaming: true,
+              lifecycleStatus: upstreamResponse.status >= 400 ? "error" : "completed",
+              errorMessage: upstreamResponse.status >= 400 ? `upstream HTTP ${upstreamResponse.status}` : undefined,
+              errorCode: upstreamResponse.status >= 400 ? "upstream_error" : undefined
+            });
+          } catch (err) {
+            logger6.error("stream flush failed", { event: "passthrough.flush_error", err, request_id: lifecycle.requestId, path: info.path });
+            await finalizeOnce(usageService, lifecycle, {
+              parsed: { actualModel, usage: accumulated },
+              status: 499,
+              isStreaming: true,
+              lifecycleStatus: "aborted",
+              errorMessage: errorMessage2(err, "stream flush failed"),
+              errorCode: "aborted"
+            });
+            throw err;
+          }
+        }
+      });
+      const transformedStream = upstreamBody.pipeThrough(transform);
+      let transformedReader = null;
+      const outputStream = new ReadableStream({
+        async start(controller) {
+          const reader = transformedStream.getReader();
+          transformedReader = reader;
+          try {
+            while (true) {
+              const { done, value } = await reader.read();
+              if (done)
+                break;
+              controller.enqueue(value);
+            }
+            controller.close();
+          } catch (err) {
+            if (!streamDone) {
+              streamDone = true;
+              await finalizeOnce(usageService, lifecycle, {
+                parsed: { actualModel, usage: accumulated },
+                status: isAbortLike(err) ? 499 : upstreamResponse.status,
+                isStreaming: true,
+                lifecycleStatus: isAbortLike(err) ? "aborted" : "error",
+                errorMessage: errorMessage2(err, "stream relay failed"),
+                errorCode: isAbortLike(err) ? "aborted" : "stream_error"
+              });
+            }
+            controller.error(err);
+          } finally {
+            transformedReader = null;
+          }
+        },
+        async cancel(reason) {
+          if (!streamDone) {
+            streamDone = true;
+            await finalizeOnce(usageService, lifecycle, {
+              parsed: { actualModel, usage: accumulated },
+              status: 499,
+              isStreaming: true,
+              lifecycleStatus: "aborted",
+              errorMessage: errorMessage2(reason, "client aborted stream"),
+              errorCode: "aborted"
+            });
+          }
+          await transformedReader?.cancel(reason).catch((err) => {
+            logger6.error("stream cancel failed", { event: "passthrough.flush_error", err, request_id: lifecycle.requestId, path: info.path });
+          });
+        }
+      });
+      return new Response(outputStream, {
+        status: upstreamResponse.status,
+        headers: {
+          "content-type": "text/event-stream",
+          "cache-control": "no-cache",
+          connection: "keep-alive"
+        }
+      });
+    }
+    function mergeUsage(acc, partial) {
+      if (!acc)
+        return partial;
+      return {
+        prompt_tokens: acc.prompt_tokens + partial.prompt_tokens,
+        completion_tokens: acc.completion_tokens + partial.completion_tokens,
+        total_tokens: acc.total_tokens + partial.total_tokens,
+        cache_creation_tokens: acc.cache_creation_tokens + partial.cache_creation_tokens,
+        cache_read_tokens: acc.cache_read_tokens + partial.cache_read_tokens,
+        reasoning_tokens: acc.reasoning_tokens + partial.reasoning_tokens
+      };
+    }
+    async function finalizeOnce(usageService, lifecycle, fields) {
+      if (lifecycle.finalized)
+        return;
+      if (lifecycle.finalizing)
+        return lifecycle.finalizing;
+      lifecycle.finalizing = (async () => {
+        const finishedAt = new Date().toISOString();
+        try {
+          const usage = fields.parsed.usage;
+          const model = fields.parsed.actualModel ?? lifecycle.model;
+          const updated = await usageService.finalizeUsage(lifecycle.id, {
+            request_id: lifecycle.requestId,
+            provider: lifecycle.provider,
+            model,
+            actual_model: fields.parsed.actualModel ?? undefined,
+            tool: lifecycle.tool,
+            client_id: lifecycle.clientId,
+            path: lifecycle.path,
+            streamed: fields.isStreaming ? 1 : 0,
+            status: fields.status,
+            prompt_tokens: usage?.prompt_tokens ?? 0,
+            completion_tokens: usage?.completion_tokens ?? 0,
+            cache_creation_tokens: usage?.cache_creation_tokens ?? 0,
+            cache_read_tokens: usage?.cache_read_tokens ?? 0,
+            reasoning_tokens: usage?.reasoning_tokens ?? 0,
+            total_tokens: usage?.total_tokens ?? 0,
+            cost_usd: 0,
+            incomplete: fields.lifecycleStatus === "completed" ? 0 : 1,
+            error_code: fields.errorCode,
+            latency_ms: Date.now() - lifecycle.startTime,
+            started_at: lifecycle.startedAt,
+            finished_at: finishedAt,
+            user_agent: lifecycle.userAgent,
+            source_ip: lifecycle.sourceIp,
+            lifecycle_status: fields.lifecycleStatus,
+            finalized_at: finishedAt,
+            error_message: fields.errorMessage,
+            agent: lifecycle.agent,
+            source: lifecycle.source,
+            msg_id: lifecycle.msgId
+          });
+          lifecycle.finalized = true;
+          logger6.info("request finalized", {
+            event: fields.lifecycleStatus === "aborted" ? "lifecycle.aborted" : "lifecycle.finalized",
+            request_id: lifecycle.requestId,
+            row_id: lifecycle.id,
+            updated,
+            lifecycle_status: fields.lifecycleStatus,
+            status: fields.status,
+            path: lifecycle.path
+          });
+        } catch (err) {
+          lifecycle.finalizing = null;
+          logger6.error("failed to finalize request log", {
+            event: "lifecycle.finalize_error",
+            err,
+            request_id: lifecycle.requestId,
+            row_id: lifecycle.id,
+            lifecycle_status: fields.lifecycleStatus,
+            path: lifecycle.path
+          });
+        }
+      })();
+      await lifecycle.finalizing;
+    }
+    function providerForPath(path) {
+      return path.includes("messages") ? "anthropic" : "openai";
+    }
+    function upstreamErrorMessage(status, body) {
+      const trimmed = body.trim().slice(0, 300);
+      return trimmed ? `upstream HTTP ${status}: ${trimmed}` : `upstream HTTP ${status}`;
+    }
+    function errorMessage2(err, fallback) {
+      if (err instanceof Error && err.message)
+        return err.message;
+      if (typeof err === "string" && err)
+        return err;
+      return fallback;
+    }
+    function isAbortLike(err, signal) {
+      if (signal?.aborted)
+        return true;
+      if (err instanceof DOMException && err.name === "AbortError")
+        return true;
+      if (err instanceof Error) {
+        return err.name === "AbortError" || err.message.includes("ECONNRESET") || err.message.toLowerCase().includes("aborted");
+      }
+      return false;
+    }
+  })(PassThroughProxy ||= {});
+});
+
+// src/server/metrics.ts
+var Metrics;
+var init_metrics = __esm(() => {
+  init_repo();
+  ((Metrics) => {
+    function escape(value) {
+      return value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\n/g, "\\n");
+    }
+    function todayUtc() {
+      return new Date().toISOString().slice(0, 10);
+    }
+    function render(db) {
+      const today = todayUtc();
+      const rows = UsageRepo.getDaily(db, today);
+      const lines = [];
+      lines.push("# HELP agent_cli_proxy_up Always 1 when the proxy is reachable");
+      lines.push("# TYPE agent_cli_proxy_up gauge");
+      lines.push("agent_cli_proxy_up 1");
+      lines.push("# HELP agent_cli_proxy_requests_today Total proxied requests for the current UTC day, per provider/model");
+      lines.push("# TYPE agent_cli_proxy_requests_today counter");
+      lines.push("# HELP agent_cli_proxy_tokens_today Total tokens (prompt+completion+cache) for the current UTC day");
+      lines.push("# TYPE agent_cli_proxy_tokens_today counter");
+      lines.push("# HELP agent_cli_proxy_cost_usd_today Estimated cost in USD for the current UTC day, per provider/model");
+      lines.push("# TYPE agent_cli_proxy_cost_usd_today counter");
+      for (const row of rows) {
+        const labels = `provider="${escape(row.provider)}",model="${escape(row.model)}"`;
+        lines.push(`agent_cli_proxy_requests_today{${labels}} ${row.request_count}`);
+        lines.push(`agent_cli_proxy_tokens_today{${labels}} ${row.total_tokens}`);
+        const cost = Number.isFinite(row.cost_usd) ? row.cost_usd : 0;
+        lines.push(`agent_cli_proxy_cost_usd_today{${labels}} ${cost}`);
+      }
+      return lines.join(`
+`) + `
+`;
+    }
+    Metrics.render = render;
+  })(Metrics ||= {});
+});
+
+// data/plans.default.json
+var plans_default_default;
+var init_plans_default = __esm(() => {
+  plans_default_default = {
+    plans: [
+      {
+        code: "claude_pro",
+        provider: "anthropic",
+        display_name: "Anthropic Claude Pro",
+        monthly_price_usd: 20,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://www.anthropic.com/claude/pricing",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "claude_max5",
+        provider: "anthropic",
+        display_name: "Anthropic Claude Max 5x",
+        monthly_price_usd: 100,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://www.anthropic.com/claude/pricing",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "claude_max20",
+        provider: "anthropic",
+        display_name: "Anthropic Claude Max 20x",
+        monthly_price_usd: 200,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://www.anthropic.com/claude/pricing",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "chatgpt_plus",
+        provider: "openai",
+        display_name: "OpenAI ChatGPT Plus",
+        monthly_price_usd: 20,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://openai.com/chatgpt/pricing/",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "chatgpt_pro",
+        provider: "openai",
+        display_name: "OpenAI ChatGPT Pro",
+        monthly_price_usd: 200,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://openai.com/chatgpt/pricing/",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "chatgpt_business",
+        provider: "openai",
+        display_name: "OpenAI ChatGPT Business",
+        monthly_price_usd: 25,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://openai.com/chatgpt/pricing/",
+        notes: "Conservative estimate (per-seat); verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "kimi_pro",
+        provider: "moonshot",
+        display_name: "Moonshot Kimi",
+        monthly_price_usd: 15,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://www.moonshot.cn/",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "glm_pro",
+        provider: "bigmodel",
+        display_name: "BigModel GLM",
+        monthly_price_usd: 10,
+        currency: "USD",
+        billing_period_days: 30,
+        vendor_url: "https://open.bigmodel.cn/",
+        notes: "Conservative estimate \u2014 verify with vendor \u2014 last updated 2026-05"
+      },
+      {
+        code: "local_byok",
+        provider: "local",
+        display_name: "Bring Your Own Key (BYOK / Self-hosted)",
+        monthly_price_usd: 0,
+        currency: "USD",
+        billing_period_days: 30,
+        notes: "Self-hosted or BYOK provider. No vendor billing. verify with vendor \u2014 last updated 2026-05"
+      }
+    ]
+  };
+});
+
+// src/plans/index.ts
+import { existsSync, readFileSync as readFileSync3 } from "fs";
+import { join as join3 } from "path";
+var Plans;
+var init_plans = __esm(() => {
+  init_plans_default();
+  init_logger();
+  ((Plans) => {
+
+    class SchemaError extends Error {
+      issues;
+      name = "PlansSchemaError";
+      code = "PLANS_SCHEMA_INVALID";
+      constructor(issues) {
+        super(`Plans schema validation failed: ${issues.map((issue) => `${issue.path} ${issue.message}`).join("; ")}`);
+        this.issues = issues;
+      }
+    }
+    Plans.SchemaError = SchemaError;
+    const logger7 = Logger.fromConfig().child({ component: "plans" });
+    let cache = null;
+    function load() {
+      return readCache().list;
+    }
+    Plans.load = load;
+    function list() {
+      return load();
+    }
+    Plans.list = list;
+    function byCode(code) {
+      return readCache().byCode.get(code) ?? null;
+    }
+    Plans.byCode = byCode;
+    function validateBindingInput(account, code) {
+      const normalizedAccount = account.trim();
+      if (!normalizedAccount)
+        throw new Error("Account must be a non-empty string");
+      const normalizedCode = code.trim();
+      if (!normalizedCode)
+        throw new Error("Plan code must be a non-empty string");
+      if (!byCode(normalizedCode))
+        throw new Error(`Unknown plan code: ${normalizedCode}`);
+      return { account: normalizedAccount, code: normalizedCode };
+    }
+    Plans.validateBindingInput = validateBindingInput;
+    function reload() {
+      cache = null;
+      return load();
+    }
+    Plans.reload = reload;
+    function readCache() {
+      if (cache)
+        return cache;
+      const source = resolveSource();
+      const plans = parseSourceOrFallback(source);
+      const frozenPlans = Object.freeze(plans.map((plan) => Object.freeze({ ...plan })));
+      cache = {
+        list: frozenPlans,
+        byCode: new Map(frozenPlans.map((plan) => [plan.code, plan]))
+      };
+      return cache;
+    }
+    function resolveSource() {
+      const inline = process.env.PLANS_JSON;
+      if (inline !== undefined && inline.trim() !== "")
+        return { kind: "PLANS_JSON", raw: inline };
+      const envPath = process.env.PLANS_PATH?.trim();
+      if (envPath)
+        return readPathSource("PLANS_PATH", envPath);
+      const xdgPath = xdgPlansPath();
+      if (xdgPath && existsSync(xdgPath))
+        return readPathSource("XDG_CONFIG_HOME", xdgPath);
+      return { kind: "default", value: plans_default_default };
+    }
+    function readPathSource(kind, configPath) {
+      try {
+        return { kind, raw: readFileSync3(configPath, "utf-8"), configPath };
+      } catch (err) {
+        return { kind, raw: undefined, configPath, value: err };
+      }
+    }
+    function xdgPlansPath() {
+      const base = process.env.XDG_CONFIG_HOME?.trim() || (process.env.HOME?.trim() ? join3(process.env.HOME.trim(), ".config") : "");
+      if (!base)
+        return null;
+      return join3(base, "agent-cli-proxy", "plans.json");
+    }
+    function parseSourceOrFallback(source) {
+      if (source.kind === "default")
+        return validateDefault(plans_default_default);
+      const result = parseSource(source);
+      if (result.ok)
+        return result.plans;
+      logger7.warn("plans config invalid; falling back to packaged defaults", {
+        event: "plans.config.invalid",
+        source: source.kind,
+        configPath: source.configPath,
+        path: result.issues[0]?.path ?? source.kind,
+        issues: result.issues
+      });
+      return validateDefault(plans_default_default);
+    }
+    function parseSource(source) {
+      if (source.raw === undefined) {
+        return {
+          ok: false,
+          issues: [{ path: source.kind, message: source.value instanceof Error ? source.value.message : "could not be read" }]
+        };
+      }
+      let parsed;
+      try {
+        parsed = JSON.parse(source.raw);
+      } catch (err) {
+        return {
+          ok: false,
+          issues: [{ path: "plans", message: err instanceof Error ? err.message : "must be valid JSON" }]
+        };
+      }
+      const validation = parsePlanDocument(parsed);
+      if (validation.issues.length > 0)
+        return { ok: false, issues: validation.issues };
+      return { ok: true, plans: validation.plans };
+    }
+    function validateDefault(value) {
+      const validation = parsePlanDocument(value);
+      if (validation.issues.length > 0)
+        throw new SchemaError(validation.issues);
+      return validation.plans;
+    }
+    function parsePlanDocument(value) {
+      const issues = [];
+      const plans = [];
+      if (!isRecord2(value)) {
+        issues.push({ path: "plans", message: "must be contained in an object" });
+        return { plans, issues };
+      }
+      if (!Array.isArray(value.plans)) {
+        issues.push({ path: "plans", message: "must be an array" });
+        return { plans, issues };
+      }
+      value.plans.forEach((entry, index) => {
+        const plan = parsePlan(entry, `plans[${index}]`, issues);
+        if (plan)
+          plans.push(plan);
+      });
+      const seen = new Set;
+      plans.forEach((plan, index) => {
+        if (seen.has(plan.code))
+          issues.push({ path: `plans[${index}].code`, message: "must be unique" });
+        seen.add(plan.code);
+      });
+      return { plans: issues.length === 0 ? plans : [], issues };
+    }
+    function parsePlan(value, path, issues) {
+      if (!isRecord2(value)) {
+        issues.push({ path, message: "must be an object" });
+        return null;
+      }
+      const code = readRequiredString2(value, "code", path, issues);
+      const provider = readRequiredString2(value, "provider", path, issues);
+      const displayName = readRequiredString2(value, "display_name", path, issues);
+      const monthlyPriceUsd = readRequiredNumber(value, "monthly_price_usd", path, issues);
+      const currency = readRequiredString2(value, "currency", path, issues);
+      const billingPeriodDays = readRequiredPositiveInteger(value, "billing_period_days", path, issues);
+      const vendorUrl = readOptionalHttpUrl(value, "vendor_url", path, issues);
+      const notes = readOptionalString2(value, "notes", path, issues);
+      if (!code || !provider || !displayName || monthlyPriceUsd === undefined || !currency || billingPeriodDays === undefined)
+        return null;
+      const plan = {
+        code,
+        provider,
+        display_name: displayName,
+        monthly_price_usd: monthlyPriceUsd,
+        currency,
+        billing_period_days: billingPeriodDays
+      };
+      if (vendorUrl !== undefined)
+        plan.vendor_url = vendorUrl;
+      if (notes !== undefined)
+        plan.notes = notes;
+      return plan;
+    }
+    function readRequiredString2(record, key, path, issues) {
+      const value = record[key];
+      if (typeof value !== "string" || value.trim() === "") {
+        issues.push({ path: `${path}.${key}`, message: "must be a non-empty string" });
+        return;
+      }
+      return value.trim();
+    }
+    function readOptionalString2(record, key, path, issues) {
+      const value = record[key];
+      if (value === undefined)
+        return;
+      if (typeof value !== "string" || value.trim() === "") {
+        issues.push({ path: `${path}.${key}`, message: "must be a non-empty string" });
+        return;
+      }
+      return value.trim();
+    }
+    function readRequiredNumber(record, key, path, issues) {
+      const value = record[key];
+      if (typeof value !== "number" || !Number.isFinite(value) || value < 0) {
+        issues.push({ path: `${path}.${key}`, message: "must be a non-negative finite number" });
+        return;
+      }
+      return value;
+    }
+    function readRequiredPositiveInteger(record, key, path, issues) {
+      const value = record[key];
+      if (typeof value !== "number" || !Number.isInteger(value) || value <= 0) {
+        issues.push({ path: `${path}.${key}`, message: "must be a positive integer" });
+        return;
+      }
+      return value;
+    }
+    function readOptionalHttpUrl(record, key, path, issues) {
+      const value = record[key];
+      if (value === undefined)
+        return;
+      if (typeof value !== "string" || value.trim() === "") {
+        issues.push({ path: `${path}.${key}`, message: "must be a non-empty http(s) URL string" });
+        return;
+      }
+      try {
+        const url = new URL(value);
+        if (url.protocol !== "http:" && url.protocol !== "https:") {
+          issues.push({ path: `${path}.${key}`, message: "must be an http(s) URL" });
+          return;
+        }
+        return url.toString();
+      } catch {
+        issues.push({ path: `${path}.${key}`, message: "must be a parseable http(s) URL" });
+        return;
+      }
+    }
+    function isRecord2(value) {
+      return typeof value === "object" && value !== null && !Array.isArray(value);
+    }
+  })(Plans ||= {});
+});
+
+// src/admin/index.ts
+var logger7, Admin;
+var init_admin = __esm(() => {
+  init_account_subscriptions();
+  init_repo();
+  init_plans();
+  init_logger();
+  logger7 = Logger.fromConfig().child({ component: "admin" });
+  ((Admin) => {
+    function createRouter(usageService) {
+      return async function handleAdminRequest(req) {
+        const url = new URL(req.url);
+        const path = url.pathname;
+        if (req.method !== "GET")
+          return null;
+        try {
+          if (path === "/admin/usage/today") {
+            return json(usageService.getToday());
+          }
+          if (path === "/admin/usage/range") {
+            const from = url.searchParams.get("from");
+            const to = url.searchParams.get("to");
+            if (!from || !to)
+              return json({ error: "Missing from or to parameter" }, 400);
+            return json(usageService.getDateRange(from, to));
+          }
+          if (path === "/admin/usage/models") {
+            const day = url.searchParams.get("day") ?? new Date().toISOString().slice(0, 10);
+            return json(usageService.getModelBreakdown(day));
+          }
+          if (path === "/admin/usage/providers") {
+            const day = url.searchParams.get("day") ?? new Date().toISOString().slice(0, 10);
+            return json(usageService.getProviderBreakdown(day));
+          }
+          if (path === "/admin/usage/accounts") {
+            const day = url.searchParams.get("day") ?? new Date().toISOString().slice(0, 10);
+            return json(usageService.getAccountDaily(day));
+          }
+          if (path === "/admin/usage/accounts/range") {
+            const from = url.searchParams.get("from");
+            const to = url.searchParams.get("to");
+            if (!from || !to)
+              return json({ error: "Missing from or to parameter" }, 400);
+            return json(usageService.getAccountRange(from, to));
+          }
+          if (path === "/admin/usage/accounts/summary") {
+            const from = url.searchParams.get("from") ?? new Date(Date.now() - 7 * 86400 * 1000).toISOString().slice(0, 10);
+            const to = url.searchParams.get("to") ?? new Date().toISOString().slice(0, 10);
+            return json(usageService.getAccountSummary(from, to));
+          }
+          if (path === "/admin/quotas" || path === "/admin/quotas/refresh") {
+            const refresh = path.endsWith("/refresh") || url.searchParams.get("refresh") === "true";
+            if (refresh)
+              return json(await usageService.refreshQuotas());
+            return json({ snapshots: usageService.getLatestQuotas() });
+          }
+          if (path === "/admin/plans") {
+            const plans = Plans.list();
+            logger7.info("admin plans list", {
+              event: "admin.plans.list",
+              count: plans.length
+            });
+            return json({ plans });
+          }
+          if (path === "/admin/plans/cost-summary") {
+            const month = url.searchParams.get("month") ?? currentUtcMonth();
+            const range = parseMonthRange(month);
+            if (!range) {
+              return json({
+                error: {
+                  code: "INVALID_MONTH",
+                  message: "month must use YYYY-MM format"
+                }
+              }, 400);
+            }
+            const summary = buildCostSummary(usageService, month, range.start, range.end);
+            logger7.info("admin plans cost summary", {
+              event: "admin.plans.cost_summary",
+              month,
+              accounts: summary.rows.length
+            });
+            return json(summary);
+          }
+          const accountPlanMatch = path.match(/^\/admin\/plans\/account\/(.+)$/);
+          if (accountPlanMatch) {
+            const cliproxyAccount = decodeURIComponent(accountPlanMatch[1]);
+            const accountView = buildAccountView(usageService, cliproxyAccount);
+            if (!accountView)
+              return json({ error: "Not found" }, 404);
+            logger7.info("admin plans account view", {
+              event: "admin.plans.account_view",
+              cliproxy_account: cliproxyAccount
+            });
+            return json(accountView);
+          }
+          if (path === "/admin/stats") {
+            return json(usageService.getTotalStats());
+          }
+          if (path === "/admin/logs") {
+            const limit = Math.min(Number(url.searchParams.get("limit") ?? 50), 200);
+            const offset = Number(url.searchParams.get("offset") ?? 0);
+            const tool = url.searchParams.get("tool");
+            const clientId = url.searchParams.get("client_id");
+            if (!Number.isFinite(limit) || !Number.isFinite(offset) || limit < 1 || offset < 0)
+              return json({ error: "Invalid limit or offset" }, 400);
+            return json(usageService.getRecentLogs(limit, offset, tool ?? undefined, clientId ?? undefined));
+          }
+          const logsMatch = path.match(/^\/admin\/logs\/(\d+)$/);
+          if (logsMatch) {
+            const id = Number(logsMatch[1]);
+            const data = usageService.getLogById(id);
+            if (!data)
+              return json({ error: "Not found" }, 404);
+            return json(data);
+          }
+          return null;
+        } catch (err) {
+          logger7.error("admin request failed", { err, path, method: req.method });
+          return json({ error: "Internal server error" }, 500);
+        }
+      };
+    }
+    Admin.createRouter = createRouter;
+    function json(data, status = 200) {
+      return new Response(JSON.stringify(data), {
+        status,
+        headers: { "content-type": "application/json" }
+      });
+    }
+    function currentUtcMonth() {
+      return new Date().toISOString().slice(0, 7);
+    }
+    function parseMonthRange(month) {
+      const match = /^(\d{4})-(0[1-9]|1[0-2])$/.exec(month);
+      if (!match)
+        return null;
+      const year = Number(match[1]);
+      const monthIndex = Number(match[2]) - 1;
+      return {
+        start: new Date(Date.UTC(year, monthIndex, 1)).toISOString(),
+        end: new Date(Date.UTC(year, monthIndex + 1, 1)).toISOString()
+      };
+    }
+    function buildCostSummary(usageService, month, monthStart, monthEnd) {
+      const rows = RequestRepo.aggregateByAccountForMonth(usageService.db, monthStart, monthEnd).map((row) => {
+        const monthlyPriceUsd = row.subscription_code ? Plans.byCode(row.subscription_code)?.monthly_price_usd ?? 0 : 0;
+        const computedOverageUsd = Math.max(row.total_cost_usd - monthlyPriceUsd, 0);
+        return {
+          cliproxy_account: row.cliproxy_account,
+          subscription_code: row.subscription_code,
+          monthly_price_usd: monthlyPriceUsd,
+          total_requests: row.total_requests,
+          total_cost_usd: row.total_cost_usd,
+          computed_overage_usd: computedOverageUsd
+        };
+      });
+      const totals = rows.reduce((acc, row) => ({
+        accounts: acc.accounts + 1,
+        total_requests: acc.total_requests + row.total_requests,
+        total_cost_usd: acc.total_cost_usd + row.total_cost_usd,
+        total_monthly_price_usd: acc.total_monthly_price_usd + row.monthly_price_usd,
+        total_overage_usd: acc.total_overage_usd + row.computed_overage_usd
+      }), {
+        accounts: 0,
+        total_requests: 0,
+        total_cost_usd: 0,
+        total_monthly_price_usd: 0,
+        total_overage_usd: 0
+      });
+      return { month, rows, totals };
+    }
+    function buildAccountView(usageService, cliproxyAccount) {
+      const binding = AccountSubscriptionRepo.get(usageService.db, cliproxyAccount);
+      const recentUsage = RequestRepo.getRecentByAccount(usageService.db, cliproxyAccount, 50);
+      if (!binding && recentUsage.length === 0)
+        return null;
+      const monthlyPriceUsd = binding ? Plans.byCode(binding.subscription_code)?.monthly_price_usd ?? 0 : 0;
+      return {
+        cliproxy_account: cliproxyAccount,
+        subscription_code: binding?.subscription_code ?? null,
+        monthly_price_usd: monthlyPriceUsd,
+        bound_at: binding?.bound_at ?? null,
+        recent_usage: recentUsage
+      };
+    }
+  })(Admin ||= {});
+});
+
+// src/server/handler.ts
+var exports_handler = {};
+__export(exports_handler, {
+  Handler: () => Handler
+});
+var logger8, readyLogger, READY_TOTAL_TIMEOUT_MS = 1500, READY_CACHE_TTL_MS = 3000, READY_CHECK_TIMEOUTS_MS, readyCache = null, readyInFlight = null, Handler;
+var init_handler = __esm(() => {
+  init_request_inspector();
+  init_pass_through();
+  init_metrics();
+  init_admin();
+  init_config();
+  init_logger();
+  init_pricing();
+  init_client();
+  init_supervisor();
+  logger8 = Logger.fromConfig().child({ component: "handler" });
+  readyLogger = logger8.child({ component: "handler.ready" });
+  READY_CHECK_TIMEOUTS_MS = {
+    database: 300,
+    pricing: 300,
+    upstream: 1000,
+    supervisor: 300
+  };
+  ((Handler) => {
+    function __clearReadyCacheForTests() {
+      readyCache = null;
+      readyInFlight = null;
+    }
+    Handler.__clearReadyCacheForTests = __clearReadyCacheForTests;
+    function create(usageService) {
+      const passThrough = PassThroughProxy.create(usageService);
+      const adminRouter = Admin.createRouter(usageService);
+      return async function handleRequest(req) {
+        const url = new URL(req.url);
+        const path = url.pathname;
+        const method = req.method;
+        if (path === "/health" && method === "GET") {
+          return new Response(JSON.stringify({ status: "ok" }), {
+            status: 200,
+            headers: { "content-type": "application/json" }
+          });
+        }
+        if (path === "/ready" && method === "GET") {
+          const result = await getReadyResult(usageService);
+          return readyResponse(result);
+        }
+        if (path === "/metrics" && method === "GET") {
+          return new Response(Metrics.render(usageService.db), {
+            status: 200,
+            headers: { "content-type": "text/plain; version=0.0.4; charset=utf-8" }
+          });
+        }
+        try {
+          if (path.startsWith("/admin/")) {
+            if (!isAdminAuthorized(req)) {
+              return new Response(JSON.stringify({ error: "Forbidden" }), {
+                status: 403,
+                headers: { "content-type": "application/json" }
+              });
+            }
+            const adminResponse = await adminRouter(req);
+            if (adminResponse)
+              return adminResponse;
+            return new Response("Not Found", { status: 404 });
+          }
+          if ((path === "/v1/messages" || path === "/v1/chat/completions") && method === "POST") {
+            const info = await RequestInspector.inspect(req);
+            return passThrough(req, info);
+          }
+          return new Response("Not Found", { status: 404 });
+        } catch (err) {
+          logger8.error("request handler failed", { err, path, method });
+          return new Response(JSON.stringify({ error: "Internal server error" }), {
+            status: 500,
+            headers: { "content-type": "application/json" }
+          });
+        }
+      };
+    }
+    Handler.create = create;
+    function isAdminAuthorized(req) {
+      if (!Config2.adminApiKey) {
+        return Config2.host === "127.0.0.1" || Config2.host === "localhost" || Config2.host === "::1";
+      }
+      const bearer = req.headers.get("authorization")?.replace(/^Bearer\s+/i, "").trim();
+      const token = req.headers.get("x-admin-token")?.trim() || bearer;
+      return token === Config2.adminApiKey;
+    }
+    function readyResponse(result) {
+      return new Response(JSON.stringify(result.body), {
+        status: result.httpStatus,
+        headers: {
+          "content-type": "application/json",
+          "cache-control": "no-store"
+        }
+      });
+    }
+    async function getReadyResult(usageService) {
+      const now = Date.now();
+      if (readyCache && readyCache.expiresAt > now) {
+        readyLogger.debug("readiness cache hit", { event: "ready.cache_hit" });
+        return readyCache.result;
+      }
+      if (readyInFlight)
+        return readyInFlight;
+      readyInFlight = computeReadyResult(usageService).then((result) => {
+        readyCache = { result, expiresAt: Date.now() + READY_CACHE_TTL_MS };
+        return result;
+      }).finally(() => {
+        readyInFlight = null;
+      });
+      return readyInFlight;
+    }
+    async function computeReadyResult(usageService) {
+      const startedAt = Date.now();
+      const result = await raceWithDeadline(runReadyChecks(usageService), startedAt);
+      readyLogger.info("readiness checked", {
+        event: "ready.check",
+        status: result.body.status,
+        duration_ms: result.durationMs,
+        checks: result.body.checks
+      });
+      return result;
+    }
+    async function raceWithDeadline(checks, startedAt) {
+      let timer = null;
+      try {
+        const timeout = new Promise((resolve) => {
+          timer = setTimeout(() => resolve(timeoutChecks()), READY_TOTAL_TIMEOUT_MS);
+        });
+        const readyChecks = await Promise.race([checks, timeout]);
+        const status = aggregateStatus(readyChecks);
+        return {
+          body: { status, checks: readyChecks },
+          httpStatus: status === "fail" ? 503 : 200,
+          durationMs: Date.now() - startedAt
+        };
+      } finally {
+        if (timer)
+          clearTimeout(timer);
+      }
+    }
+    async function runReadyChecks(usageService) {
+      const [database, pricing, upstream, supervisor] = await Promise.all([
+        withCheckTimeout("database", () => checkDatabase(usageService), READY_CHECK_TIMEOUTS_MS.database),
+        withCheckTimeout("pricing", checkPricing, READY_CHECK_TIMEOUTS_MS.pricing),
+        withCheckTimeout("upstream", checkUpstream, READY_CHECK_TIMEOUTS_MS.upstream),
+        withCheckTimeout("supervisor", checkSupervisor, READY_CHECK_TIMEOUTS_MS.supervisor)
+      ]);
+      return { database, pricing, upstream, supervisor };
+    }
+    async function withCheckTimeout(name, check, timeoutMs) {
+      let timer = null;
+      const startedAt = Date.now();
+      try {
+        return await Promise.race([
+          Promise.resolve().then(check),
+          new Promise((resolve) => {
+            timer = setTimeout(() => resolve({
+              status: "fail",
+              output: `${name} check timed out after ${timeoutMs}ms`,
+              responseTime: Date.now() - startedAt
+            }), timeoutMs);
+          })
+        ]);
+      } catch (err) {
+        return {
+          status: "fail",
+          output: err instanceof Error ? err.message : String(err),
+          responseTime: Date.now() - startedAt
+        };
+      } finally {
+        if (timer)
+          clearTimeout(timer);
+      }
+    }
+    function checkDatabase(usageService) {
+      const startedAt = Date.now();
+      const row = usageService.db.prepare("SELECT 1 AS ok").get();
+      if (row?.ok !== 1) {
+        return { status: "fail", responseTime: Date.now() - startedAt, output: "SELECT 1 returned no row" };
+      }
+      return { status: "pass", responseTime: Date.now() - startedAt };
+    }
+    async function checkPricing() {
+      const startedAt = Date.now();
+      const fileExists = await Bun.file(Config2.pricingCachePath).exists();
+      if (!fileExists) {
+        return {
+          status: "fail",
+          responseTime: Date.now() - startedAt,
+          output: `pricing cache missing at ${Config2.pricingCachePath}`
+        };
+      }
+      const freshness = await Pricing.getPricingFreshness();
+      if (!freshness) {
+        return { status: "fail", responseTime: Date.now() - startedAt, output: "pricing cache not loaded" };
+      }
+      if (freshness.ageMs >= Config2.readyPricingMaxAgeMs) {
+        return {
+          status: "fail",
+          ageMs: freshness.ageMs,
+          responseTime: Date.now() - startedAt,
+          output: `pricing cache older than ${Config2.readyPricingMaxAgeMs}ms`
+        };
+      }
+      return { status: "pass", ageMs: freshness.ageMs, responseTime: Date.now() - startedAt };
+    }
+    async function checkUpstream() {
+      const startedAt = Date.now();
+      const upstreamHealthUrl = `${Config2.cliProxyApiUrl.replace(/\/+$/, "")}/health`;
+      const signal = AbortSignal.timeout(READY_CHECK_TIMEOUTS_MS.upstream);
+      const response = await UpstreamClient.fetch({
+        method: "HEAD",
+        url: upstreamHealthUrl,
+        providerId: "ready-probe",
+        idempotent: false,
+        signal
+      });
+      const responseTime = Date.now() - startedAt;
+      const output = `HTTP ${response.status}`;
+      await response.body?.cancel().catch(() => {
+        return;
+      });
+      if (response.status < 500)
+        return { status: "pass", output, responseTime };
+      return { status: "fail", output, responseTime };
+    }
+    function checkSupervisor() {
+      const loops = Supervisor.list();
+      return { status: "pass", loops };
+    }
+    function aggregateStatus(checks) {
+      const statuses = Object.values(checks).map((check) => check.status);
+      if (statuses.includes("fail"))
+        return "fail";
+      if (statuses.includes("warn"))
+        return "warn";
+      return "pass";
+    }
+    function timeoutChecks() {
+      const timedOut = {
+        status: "fail",
+        output: `readiness deadline exceeded after ${READY_TOTAL_TIMEOUT_MS}ms`,
+        responseTime: READY_TOTAL_TIMEOUT_MS
+      };
+      return {
+        database: timedOut,
+        pricing: timedOut,
+        upstream: timedOut,
+        supervisor: timedOut
+      };
+    }
+  })(Handler ||= {});
+});
+
+// src/cliproxy/client.ts
+var logger9, CLIProxyClient;
+var init_client2 = __esm(() => {
+  init_config();
+  init_client();
+  init_logger();
+  logger9 = Logger.fromConfig().child({ component: "cliproxy-client" });
+  ((CLIProxyClient) => {
+    async function fetchUsage() {
+      const key = Config2.cliproxyMgmtKey;
+      if (!key)
+        return null;
+      const url = `${Config2.cliProxyApiUrl}/v0/management/usage`;
+      try {
+        const res = await UpstreamClient.fetch({
+          method: "GET",
+          url,
+          headers: { Authorization: `Bearer ${key}` },
+          providerId: "cliproxy-management",
+          idempotent: true
+        });
+        if (!res.ok) {
+          logger9.error("usage fetch failed", { status: res.status, status_text: res.statusText });
+          return null;
+        }
+        return await res.json();
+      } catch (err) {
+        logger9.error("usage fetch error", { err });
+        return null;
+      }
+    }
+    CLIProxyClient.fetchUsage = fetchUsage;
+    function flattenDetails(response) {
+      const out = [];
+      for (const api of Object.values(response.usage.apis)) {
+        for (const [modelName, modelStats] of Object.entries(api.models)) {
+          for (const detail of modelStats.details) {
+            out.push({ ...detail, model: modelName });
+          }
+        }
+      }
+      return out;
+    }
+    CLIProxyClient.flattenDetails = flattenDetails;
+  })(CLIProxyClient ||= {});
+});
+
+// src/cliproxy/correlator.ts
+var exports_correlator = {};
+__export(exports_correlator, {
+  Correlator: () => Correlator
+});
+var logger10, Correlator;
+var init_correlator = __esm(() => {
+  init_config();
+  init_client2();
+  init_logger();
+  init_supervisor();
+  logger10 = Logger.fromConfig().child({ component: "correlator" });
+  ((Correlator) => {
+    function bestMatch(log, pool) {
+      const logTs = Date.parse(log.started_at);
+      if (Number.isNaN(logTs))
+        return null;
+      let bestIdx = -1;
+      let bestScore = Infinity;
+      for (let i = 0;i < pool.length; i++) {
+        const detail = pool[i];
+        if (detail.model !== log.model)
+          continue;
+        const detailTs = Date.parse(detail.timestamp);
+        if (Number.isNaN(detailTs))
+          continue;
+        const dt = Math.abs(detailTs - logTs);
+        if (dt > 30000)
+          continue;
+        const tokenDiff = Math.abs(detail.tokens.total_tokens - log.total_tokens);
+        const tokenPenalty = log.total_tokens > 0 ? tokenDiff * 100 : 0;
+        const latencyDiff = log.latency_ms != null ? Math.abs(detail.latency_ms - log.latency_ms) : 0;
+        const score = dt + tokenPenalty + latencyDiff * 0.1;
+        if (score < bestScore) {
+          bestScore = score;
+          bestIdx = i;
+        }
+      }
+      if (bestIdx === -1)
+        return null;
+      return { detail: pool[bestIdx], index: bestIdx };
+    }
+    function start(usageService, options = {}) {
+      if (!Config2.cliproxyMgmtKey) {
+        logger10.warn("CLIPROXY_MGMT_KEY not set, skipping correlator");
+        return;
+      }
+      const intervalMs = Config2.cliproxyCorrelationIntervalMs;
+      const lookbackMs = Config2.cliproxyCorrelationLookbackMs;
+      async function tick() {
+        const response = await CLIProxyClient.fetchUsage();
+        if (!response)
+          return;
+        const details = CLIProxyClient.flattenDetails(response);
+        if (details.length === 0)
+          return;
+        const uncorrelated = usageService.getUncorrelatedLogs(lookbackMs, 200);
+        if (uncorrelated.length === 0)
+          return;
+        const pool = [...details];
+        let matched = 0;
+        for (const log of uncorrelated) {
+          if (log.id == null)
+            continue;
+          const match = bestMatch({
+            started_at: log.started_at,
+            model: log.model,
+            total_tokens: log.total_tokens,
+            latency_ms: log.latency_ms
+          }, pool);
+          if (!match)
+            continue;
+          const { detail } = match;
+          usageService.applyCorrelation(log.id, log, {
+            cliproxy_account: detail.source,
+            cliproxy_auth_index: detail.auth_index,
+            cliproxy_source: detail.source,
+            reasoning_tokens: detail.tokens.reasoning_tokens,
+            actual_model: detail.model
+          });
+          pool.splice(match.index, 1);
+          matched++;
+        }
+        if (matched > 0) {
+          logger10.info("correlated logs", { matched, total: uncorrelated.length });
+        }
+      }
+      Supervisor.run("correlator", tick, {
+        intervalMs,
+        initialDelayMs: 5000,
+        runOnStart: true,
+        signal: options.signal
+      });
+      logger10.info("started", { interval_ms: intervalMs, lookback_ms: lookbackMs });
+    }
+    Correlator.start = start;
+  })(Correlator ||= {});
+});
+
+// src/runtime/shutdown.ts
+var exports_shutdown = {};
+__export(exports_shutdown, {
+  Shutdown: () => Shutdown
+});
+var Shutdown;
+var init_shutdown = __esm(() => {
+  init_repo();
+  init_logger();
+  ((Shutdown) => {
+    const DEFAULT_DRAIN_MS = 1e4;
+    const DEFAULT_HARD_KILL_MS = 15000;
+    const POLL_MS = 25;
+    const EXIT_CODES = {
+      SIGINT: 0,
+      SIGTERM: 143,
+      SIGHUP: 129
+    };
+    let handlersRegistered = false;
+    let registeredHandlers = [];
+    let shutdownPromise = null;
+    let shutdownStarted = false;
+    function register(options) {
+      if (handlersRegistered)
+        return shutdownPromise ?? new Promise(() => {
+          return;
+        });
+      handlersRegistered = true;
+      shutdownPromise = new Promise((resolve) => {
+        for (const signal of ["SIGTERM", "SIGINT", "SIGHUP"]) {
+          const handler = () => {
+            if (!shutdownStarted) {
+              shutdownStarted = true;
+              run(signal, options).then(resolve);
+            }
+          };
+          process.on(signal, handler);
+          registeredHandlers.push({ signal, handler });
+        }
+      });
+      return shutdownPromise;
+    }
+    Shutdown.register = register;
+    function __resetForTests() {
+      for (const { signal, handler } of registeredHandlers) {
+        process.removeListener(signal, handler);
+      }
+      registeredHandlers = [];
+      handlersRegistered = false;
+      shutdownPromise = null;
+      shutdownStarted = false;
+    }
+    Shutdown.__resetForTests = __resetForTests;
+    function __runForTests(signal, options) {
+      return run(signal, options);
+    }
+    Shutdown.__runForTests = __runForTests;
+    async function run(signal, options) {
+      const logger11 = (options.logger ?? Logger.fromConfig()).child({ component: "shutdown" });
+      const drainMs = normalizeTimeout(options.drainMs, DEFAULT_DRAIN_MS);
+      const hardKillMs = normalizeTimeout(options.hardKillMs, DEFAULT_HARD_KILL_MS);
+      const exit = options.exit ?? ((code) => process.exit(code));
+      const startedAt = Date.now();
+      const exitCode = EXIT_CODES[signal];
+      logger11.info("shutdown signal", { event: "shutdown.signal", signal });
+      try {
+        options.server.stop(false);
+        await drainServer(options.server, logger11, startedAt, drainMs, hardKillMs);
+        const supervisorTimeoutMs = Math.max(1, hardKillMs - (Date.now() - startedAt));
+        await options.supervisor.stopAll(supervisorTimeoutMs);
+        const abortedRows = finalizePendingRows(options.db);
+        logger11.info("shutdown finalize", { event: "shutdown.finalize", aborted_rows: abortedRows });
+        options.db.exec("PRAGMA wal_checkpoint(TRUNCATE)");
+        logger11.info("shutdown checkpoint", { event: "shutdown.checkpoint" });
+      } catch (err) {
+        logger11.error("shutdown error", { event: "shutdown.error", err });
+      } finally {
+        try {
+          options.db.close();
+        } catch (err) {
+          logger11.error("shutdown db close failed", { event: "shutdown.close_error", err });
+        }
+        logger11.info("shutdown complete", {
+          event: "shutdown.complete",
+          exit_code: exitCode,
+          total_ms: Date.now() - startedAt
+        });
+        exit(exitCode);
+      }
+      return exitCode;
+    }
+    async function drainServer(server, logger11, startedAt, drainMs, hardKillMs) {
+      while (true) {
+        const pendingRequests = server.pendingRequests;
+        const pendingWebSockets = server.pendingWebSockets;
+        const elapsedMs = Date.now() - startedAt;
+        if (pendingRequests === 0 && pendingWebSockets === 0) {
+          logger11.info("shutdown drain", {
+            event: "shutdown.drain",
+            pending_requests: pendingRequests,
+            pending_websockets: pendingWebSockets,
+            elapsed_ms: elapsedMs
+          });
+          return;
+        }
+        if (elapsedMs >= hardKillMs) {
+          const remaining = pendingRequests + pendingWebSockets;
+          logger11.warn("shutdown hard kill", { event: "shutdown.hard_kill", remaining });
+          server.stop(true);
+          logger11.info("shutdown drain", {
+            event: "shutdown.drain",
+            pending_requests: server.pendingRequests,
+            pending_websockets: server.pendingWebSockets,
+            elapsed_ms: Date.now() - startedAt
+          });
+          return;
+        }
+        if (elapsedMs >= drainMs) {
+          logger11.info("shutdown drain", {
+            event: "shutdown.drain",
+            pending_requests: pendingRequests,
+            pending_websockets: pendingWebSockets,
+            elapsed_ms: elapsedMs
+          });
+          return;
+        }
+        await sleep(Math.min(POLL_MS, drainMs - elapsedMs, hardKillMs - elapsedMs));
+      }
+    }
+    function finalizePendingRows(db) {
+      const rows = db.prepare("SELECT id FROM request_logs WHERE lifecycle_status = 'pending'").all();
+      const finalizedAt = new Date().toISOString();
+      for (const row of rows) {
+        RequestRepo.updateLifecycle(db, row.id, {
+          lifecycle_status: "aborted",
+          error_message: "shutdown",
+          finalized_at: finalizedAt
+        });
+      }
+      return rows.length;
+    }
+    function normalizeTimeout(value, fallback) {
+      if (value === undefined)
+        return fallback;
+      if (!Number.isFinite(value) || value < 0)
+        return fallback;
+      return value;
+    }
+    function sleep(ms) {
+      return new Promise((resolve) => setTimeout(resolve, Math.max(0, ms)));
+    }
+  })(Shutdown ||= {});
+});
+
+// src/index.ts
+init_logger();
+var logger11 = Logger.fromConfig().child({ component: "startup" });
+var shutdownController = new AbortController;
+async function main() {
+  const { Config: Config3 } = await Promise.resolve().then(() => (init_config(), exports_config));
+  const { Storage: Storage2 } = await Promise.resolve().then(() => (init_db(), exports_db));
+  const { UsageService: UsageService2 } = await Promise.resolve().then(() => (init_service(), exports_service));
+  const { Pricing: Pricing2 } = await Promise.resolve().then(() => (init_pricing(), exports_pricing));
+  const { Handler: Handler2 } = await Promise.resolve().then(() => (init_handler(), exports_handler));
+  const { Correlator: Correlator2 } = await Promise.resolve().then(() => (init_correlator(), exports_correlator));
+  const { Supervisor: Supervisor2 } = await Promise.resolve().then(() => (init_supervisor(), exports_supervisor));
+  const { Shutdown: Shutdown2 } = await Promise.resolve().then(() => (init_shutdown(), exports_shutdown));
+  Pricing2.fetchPricing().catch((err) => {
+    logger11.warn("pricing fetch failed", { err });
+  });
+  Pricing2.startBackgroundRefresh({ signal: shutdownController.signal });
+  const db = Storage2.initDb(Config3.dbPath);
+  Storage2.recoverStalePending(db);
+  const usageService = UsageService2.create(db);
+  UsageService2.startCostBackfillLoop(usageService, { signal: shutdownController.signal });
+  const handleRequest = Handler2.create(usageService);
+  Correlator2.start(usageService, { signal: shutdownController.signal });
+  await usageService.startQuotaRefresh({ signal: shutdownController.signal });
+  const server = Bun.serve({
+    port: Config3.port,
+    hostname: Config3.host,
+    idleTimeout: 0,
+    fetch: handleRequest,
+    development: { hmr: true, console: true }
+  });
+  if (process.env.DISABLE_SHUTDOWN_HANDLERS !== "1") {
+    Shutdown2.register({ server, db, supervisor: Supervisor2 });
+  }
+  logger11.info("server running", { host: Config3.host, port: Config3.port, url: `http://${Config3.host}:${Config3.port}` });
+}
+main().catch((err) => {
+  if (err instanceof Error && err.code === "CONFIG_INVALID") {
+    logger11.error("configuration validation failed", { event: "config.error", err, issues: err.issues });
+  } else {
+    logger11.error("startup failed", { event: "startup.error", err });
+  }
+  process.exit(1);
+});
+export {
+  shutdownController
+};