aigetwey 1.0.1 → 1.2.0

package/src/core/budget.ts

@@ -0,0 +1,128 @@
+/**
+ * Scoped spend budgets, derived from the usage table (the single source of
+ * truth) rather than a parallel counter. Each budget targets the whole gateway,
+ * one provider, or one upstream model. statuses() computes every budget's spend
+ * over its window; the result list is cached a few seconds so the per-request
+ * hard-stop check stays cheap. blocks() answers "is a route to this
+ * provider/model barred by an exhausted budget?".
+ */
+import type { Budget, BudgetScope } from "../config.js";
+import { budgetKey } from "../config.js";
+import { currentWindowStart, nextResetAt } from "./quota.js";
+
+export interface BudgetStatus {
+  scope: BudgetScope;
+  key: string;
+  label: string;
+  note?: string;
+  unit: "usd" | "tokens";
+  limit: number;
+  spent: number;
+  pct: number;
+  alert: boolean;
+  alert_at: number;
+  exhausted: boolean;
+  est_converse: number | null;
+  reset_in_ms: number;
+  window: Budget["window"];
+}
+
+interface TotalsReader {
+  totals(sinceMs: number, filter?: { provider?: string; model?: string; client_key?: string }): {
+    tokens_in: number;
+    tokens_out: number;
+    cost: number;
+  };
+}
+
+function scopeLabel(scope: BudgetScope, keyName: (fp: string) => string): string {
+  if (scope.type === "global") return "Global";
+  if (scope.type === "key") return keyName(scope.id);
+  return scope.id;
+}
+
+function scopeFilter(scope: BudgetScope): { provider?: string; model?: string; client_key?: string } | undefined {
+  if (scope.type === "provider") return { provider: scope.id };
+  if (scope.type === "model") return { model: scope.id };
+  if (scope.type === "key") return { client_key: scope.id };
+  return undefined;
+}
+
+export class BudgetTracker {
+  private cached?: { at: number; list: BudgetStatus[] };
+
+  constructor(
+    private readonly getBudgets: () => Budget[],
+    private readonly db: TotalsReader,
+    private readonly now: () => number = Date.now,
+    private readonly cacheMs = 5000,
+    private readonly keyName: (fp: string) => string = (fp) => `key …${fp}`,
+  ) {}
+
+  clearCache(): void {
+    this.cached = undefined;
+  }
+
+  statuses(): BudgetStatus[] {
+    const t = this.now();
+    if (this.cached && t - this.cached.at < this.cacheMs) return this.cached.list;
+    const list = this.getBudgets().map((b) => this.compute(b, t));
+    this.cached = { at: t, list };
+    return list;
+  }
+
+  globalStatus(): BudgetStatus | null {
+    return this.statuses().find((s) => s.scope.type === "global") ?? null;
+  }
+
+  /** First exhausted provider/model budget matching a route, or null. */
+  blocks(providerId: string, model: string): { exhausted: true; reset_in_ms: number } | null {
+    for (const s of this.statuses()) {
+      if (!s.exhausted) continue;
+      if (s.scope.type === "provider" && s.scope.id === providerId)
+        return { exhausted: true, reset_in_ms: s.reset_in_ms };
+      if (s.scope.type === "model" && s.scope.id === model)
+        return { exhausted: true, reset_in_ms: s.reset_in_ms };
+    }
+    return null;
+  }
+
+  /** The exhausted key-scoped budget for this fingerprint, or null. */
+  blocksKey(fp: string): { exhausted: true; reset_in_ms: number } | null {
+    for (const s of this.statuses()) {
+      if (s.exhausted && s.scope.type === "key" && s.scope.id === fp) {
+        return { exhausted: true, reset_in_ms: s.reset_in_ms };
+      }
+    }
+    return null;
+  }
+
+  private compute(spec: Budget, t: number): BudgetStatus {
+    const windowStart = currentWindowStart(spec, t);
+    const total = this.db.totals(windowStart, scopeFilter(spec.scope));
+    const tokens = total.tokens_in + total.tokens_out;
+    const cost = total.cost;
+    const rate = tokens > 0 ? cost / tokens : undefined;
+    const spent = spec.unit === "usd" ? cost : tokens;
+    const limit = spec.limit;
+    const pct = limit > 0 ? Math.min(1, spent / limit) : 0;
+    const alertAt = spec.alert_at ?? 0.8;
+    const est_converse = rate === undefined ? null : spec.unit === "usd" ? limit / rate : limit * rate;
+    return {
+      scope: spec.scope,
+      key: budgetKey(spec.scope),
+      label: scopeLabel(spec.scope, this.keyName),
+      note: spec.note,
+      unit: spec.unit,
+      limit,
+      spent,
+      pct,
+      alert: pct >= alertAt,
+      alert_at: alertAt,
+      exhausted: spent >= limit,
+      est_converse,
+      reset_in_ms: Math.max(0, nextResetAt(spec, windowStart, t) - t),
+      window: spec.window,
+    };
+  }
+}

package/src/core/handler.ts

@@ -51,6 +51,12 @@ export interface HandleDeps {
   pool: KeyPool;
   db?: UsageDB;
   quota?: QuotaTracker;
+  budget?: {
+    globalStatus(): { exhausted: boolean; reset_in_ms: number } | null;
+    blocks(providerId: string, model: string): { exhausted: true; reset_in_ms: number } | null;
+    blocksKey(fp: string): { exhausted: true; reset_in_ms: number } | null;
+  };
+  clientKeyFp?: string;
   log?: (msg: string) => void;
   now?: () => number;
 }
@@ -84,6 +90,7 @@ function recordUsage(
     status,
     latency_ms: latencyMs,
     stream: stream ? 1 : 0,
+    client_key: deps.clientKeyFp ?? "",
   });
 }
 
@@ -114,11 +121,29 @@ export async function handle(
   const thinkingIntent: ThinkingConfig | null =
     override ?? captureThinking(canonical as Record<string, unknown>);
 
-  const routes = config.resolve(canonical.model);
+  let routes = config.resolve(canonical.model);
   if (routes.length === 0) {
     throw new GatewayError(404, { error: `unknown model "${canonical.model}"` });
   }
 
+  // Budget hard-stop. Global overrun fails fast. Provider/model budgets bar the
+  // matching routes (like the token-quota skip); if every candidate is barred,
+  // there's nothing to serve → 402.
+  if (deps.budget) {
+    const g = deps.budget.globalStatus();
+    if (g?.exhausted) throw new GatewayError(402, { error: "budget exceeded", reset_in_ms: g.reset_in_ms });
+    if (deps.clientKeyFp) {
+      const kb = deps.budget.blocksKey(deps.clientKeyFp);
+      if (kb?.exhausted) throw new GatewayError(402, { error: "budget exceeded", reset_in_ms: kb.reset_in_ms });
+    }
+    const eligible = routes.filter((r) => !deps.budget!.blocks(r.provider.id, r.model));
+    if (eligible.length === 0) {
+      const b = deps.budget.blocks(routes[0]!.provider.id, routes[0]!.model);
+      throw new GatewayError(402, { error: "budget exceeded", reset_in_ms: b?.reset_in_ms ?? 0 });
+    }
+    routes = eligible;
+  }
+
   // Pipeline order matters: RTK compresses tool_result in the INPUT first, then
   // inject prepends the output-style system prompt. They touch different parts
   // of the request and stack cleanly. Both run before routing so every fallback

package/src/core/quota.ts

@@ -38,6 +38,8 @@ export interface QuotaSnapshot {
   /** 0..1 fraction of the limit used, if a limit is set */
   pct?: number;
   exhausted: boolean;
+  /** true when a limit is set and pct >= the quota's alert_at (default 0.8) */
+  alert: boolean;
 }
 
 // ---- timezone-aware calendar math -----------------------------------------
@@ -113,7 +115,9 @@ function parseHHMM(reset_at: string | undefined): { h: number; m: number } {
  *   - weekly:  next `reset_at` weekday (default monday) at 00:00 in tz.
  *   - monthly: next 1st of month at 00:00 in tz.
  */
-export function nextResetAt(quota: Quota, windowStart: number, now: number): number {
+export type WindowSpec = Pick<Quota, "window" | "reset_at" | "timezone">;
+
+export function nextResetAt(quota: WindowSpec, windowStart: number, now: number): number {
   const tz = quota.timezone || "UTC";
   if (quota.window === "5h") return windowStart + 5 * HOUR_MS;
 
@@ -140,6 +144,40 @@ export function nextResetAt(quota: Quota, windowStart: number, now: number): num
   return zonedWallToEpoch(p.year, p.month + 1, 1, 0, 0, tz);
 }
 
+/**
+ * Epoch ms of the START of the window containing `now`.
+ *   - 5h:      fixed 5-hour grid floor (stateless; no per-provider anchor).
+ *   - daily:   today's reset_at in tz, or yesterday's if that's still ahead.
+ *   - weekly:  the most recent occurrence of the target weekday at 00:00 in tz.
+ *   - monthly: the 1st of the current month at 00:00 in tz.
+ */
+export function currentWindowStart(spec: WindowSpec, now: number): number {
+  const tz = spec.timezone || "UTC";
+  if (spec.window === "5h") return Math.floor(now / (5 * HOUR_MS)) * (5 * HOUR_MS);
+
+  const p = zonedParts(now, tz);
+
+  if (spec.window === "daily") {
+    const { h, m } = parseHHMM(spec.reset_at);
+    let start = zonedWallToEpoch(p.year, p.month, p.day, h, m, tz);
+    if (start > now) start = zonedWallToEpoch(p.year, p.month, p.day - 1, h, m, tz);
+    return start;
+  }
+
+  if (spec.window === "weekly") {
+    const target = WEEKDAYS.indexOf((spec.reset_at ?? "monday").toLowerCase());
+    const targetIdx = target === -1 ? 1 : target;
+    const curIdx = WEEKDAYS.indexOf(p.weekday);
+    const daysBehind = (curIdx - targetIdx + 7) % 7;
+    let start = zonedWallToEpoch(p.year, p.month, p.day - daysBehind, 0, 0, tz);
+    if (start > now) start = zonedWallToEpoch(p.year, p.month, p.day - daysBehind - 7, 0, 0, tz);
+    return start;
+  }
+
+  // monthly
+  return zonedWallToEpoch(p.year, p.month, 1, 0, 0, tz);
+}
+
 export class QuotaTracker {
   private readonly states = new Map<string, QuotaState>();
 
@@ -207,6 +245,7 @@ export class QuotaTracker {
           reset_in_ms: Math.max(0, reset - t),
           pct: limit ? Math.min(1, state.consumed / limit) : undefined,
           exhausted: limit ? state.consumed >= limit : false,
+          alert: limit ? state.consumed / limit >= (provider.quota.alert_at ?? 0.8) : false,
         },
       ];
     });

package/src/core/state.ts

@@ -17,23 +17,42 @@ import {
   validateConfig,
   unmaskSecrets,
   writeConfigFile,
+  maskKey,
 } from "../config.js";
+import { clientKeyFingerprint } from "../middleware/auth.js";
 import { KeyPool } from "./keypool.js";
 import { QuotaTracker } from "./quota.js";
+import { BudgetTracker } from "./budget.js";
+
+function serverKeyLabel(server: { api_keys: string[]; key_names?: Record<string, string> }, fp: string): string {
+  for (const k of server.api_keys) {
+    if (clientKeyFingerprint(k) === fp) return server.key_names?.[k] ?? maskKey(k);
+  }
+  return `key …${fp}`;
+}
 
 export class GatewayState {
   private _config: GatewayConfig;
   private _pool: KeyPool;
   private readonly _quota: QuotaTracker;
+  private readonly _budget: BudgetTracker;
 
   constructor(
     private readonly configPath: string,
     initial: GatewayConfig,
     quota?: QuotaTracker,
+    budgetDb?: { totals(since: number, filter?: { provider?: string; model?: string; client_key?: string }): { tokens_in: number; tokens_out: number; cost: number } },
   ) {
     this._config = initial;
     this._pool = new KeyPool();
     this._quota = quota ?? new QuotaTracker();
+    this._budget = new BudgetTracker(
+      () => this._config.raw.budgets,
+      budgetDb ?? { totals: () => ({ tokens_in: 0, tokens_out: 0, cost: 0 }) },
+      undefined,
+      undefined,
+      (fp) => serverKeyLabel(this._config.raw.server, fp),
+    );
   }
 
   get config(): GatewayConfig {
@@ -48,6 +67,10 @@ export class GatewayState {
     return this._quota;
   }
 
+  get budget(): BudgetTracker {
+    return this._budget;
+  }
+
   /**
    * Validate edited config text, restore masked secrets from the live config,
    * persist atomically, then swap in a fresh config + pool. Throws without
@@ -61,5 +84,6 @@ export class GatewayState {
     writeConfigFile(this.configPath, next.raw);
     this._config = next;
     this._pool = new KeyPool();
+    this._budget.clearCache();
   }
 }

package/src/db.ts

@@ -27,6 +27,7 @@ export interface UsageRow {
   status: number;
   latency_ms: number;
   stream: number; // 0/1
+  client_key: string;
 }
 
 export interface LogRow {
@@ -38,6 +39,12 @@ export interface LogRow {
   response_summary: string;
 }
 
+export interface UsageTotals {
+  tokens_in: number;
+  tokens_out: number;
+  cost: number;
+}
+
 export interface UsageSummary {
   total: { requests: number; tokens_in: number; tokens_out: number; cost: number };
   by_provider: Array<{ provider: string; requests: number; tokens_in: number; tokens_out: number; cost: number }>;
@@ -79,7 +86,8 @@ export class UsageDB {
         cost REAL NOT NULL DEFAULT 0,
         status INTEGER NOT NULL,
         latency_ms INTEGER NOT NULL DEFAULT 0,
-        stream INTEGER NOT NULL DEFAULT 0
+        stream INTEGER NOT NULL DEFAULT 0,
+        client_key TEXT NOT NULL DEFAULT ''
       );
       CREATE INDEX IF NOT EXISTS idx_usage_ts ON usage(ts);
       CREATE TABLE IF NOT EXISTS logs (
@@ -99,10 +107,15 @@ export class UsageDB {
         last_reset INTEGER NOT NULL DEFAULT 0
       );
     `);
+    // migrate older DBs created before client_key existed.
+    const cols = this.db.prepare(`PRAGMA table_info(usage)`).all() as SqlRow[];
+    if (!cols.some((c) => String(c.name) === "client_key")) {
+      this.db.exec(`ALTER TABLE usage ADD COLUMN client_key TEXT NOT NULL DEFAULT ''`);
+    }
     this.now = now;
     this.insertUsage = this.db.prepare(`
-      INSERT INTO usage (ts, alias, provider, model, tokens_in, tokens_out, cached_tokens, cost, status, latency_ms, stream)
-      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      INSERT INTO usage (ts, alias, provider, model, tokens_in, tokens_out, cached_tokens, cost, status, latency_ms, stream, client_key)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
     `);
     this.insertLog = this.db.prepare(`
       INSERT INTO logs (ts, direction, provider, status, request_summary, response_summary)
@@ -117,7 +130,7 @@ export class UsageDB {
     `);
   }
 
-  record(row: Omit<UsageRow, "ts"> & { ts?: number }): void {
+  record(row: Omit<UsageRow, "ts" | "client_key"> & { ts?: number; client_key?: string }): void {
     this.insertUsage.run(
       row.ts ?? this.now(),
       row.alias,
@@ -130,6 +143,7 @@ export class UsageDB {
       row.status,
       row.latency_ms,
       row.stream,
+      row.client_key ?? "",
     );
   }
 
@@ -195,6 +209,36 @@ export class UsageDB {
     };
   }
 
+  /**
+   * Summed token + cost totals over rows with ts >= sinceMs, optionally filtered
+   * to one provider and/or one model. Backs the scoped budget tracker — the usage
+   * table stays the single source of truth (no parallel counter).
+   */
+  totals(sinceMs: number, filter?: { provider?: string; model?: string; client_key?: string }): UsageTotals {
+    const clauses = ["ts >= ?"];
+    const params: Array<number | string> = [sinceMs];
+    if (filter?.provider) {
+      clauses.push("provider = ?");
+      params.push(filter.provider);
+    }
+    if (filter?.model) {
+      clauses.push("model = ?");
+      params.push(filter.model);
+    }
+    if (filter?.client_key) {
+      clauses.push("client_key = ?");
+      params.push(filter.client_key);
+    }
+    const row = this.db
+      .prepare(
+        `SELECT COALESCE(SUM(tokens_in),0) tokens_in, COALESCE(SUM(tokens_out),0) tokens_out,
+                COALESCE(SUM(cost),0) cost
+         FROM usage WHERE ${clauses.join(" AND ")}`,
+      )
+      .get(...params) as SqlRow;
+    return { tokens_in: num(row.tokens_in), tokens_out: num(row.tokens_out), cost: num(row.cost) };
+  }
+
   /**
    * Bucketed time-series for charts: one point per `bucketMs` interval from
    * `sinceMs` to now, aligned to the bucket boundary, with zero-filled gaps.
@@ -233,7 +277,7 @@ export class UsageDB {
     const rows = this.db
       .prepare(
         `SELECT ts, alias, provider, model, tokens_in, tokens_out, cached_tokens,
-                cost, status, latency_ms, stream
+                cost, status, latency_ms, stream, client_key
          FROM usage ORDER BY id DESC LIMIT ?`,
       )
       .all(Math.max(1, Math.min(limit, 1000))) as SqlRow[];
@@ -249,6 +293,7 @@ export class UsageDB {
       status: num(r.status),
       latency_ms: num(r.latency_ms),
       stream: num(r.stream),
+      client_key: String(r.client_key ?? ""),
     }));
   }
 

package/src/middleware/auth.ts

@@ -15,15 +15,23 @@ function digest(s: string): Buffer {
   return createHash("sha256").update(s).digest();
 }
 
-/** Constant-time membership test over fixed-length digests. */
-export function isValidKey(presented: string, validKeys: string[]): boolean {
+/** Non-secret stable id for a client key: sha256 truncated to 8 hex chars. */
+export function clientKeyFingerprint(key: string): string {
+  return createHash("sha256").update(key).digest("hex").slice(0, 8);
+}
+
+/** Constant-time: returns the matching key (digest every candidate) or null. */
+export function matchKey(presented: string, validKeys: string[]): string | null {
   const p = digest(presented);
-  // compare against every key so timing can't reveal which one matched.
-  let ok = false;
+  let found: string | null = null;
   for (const k of validKeys) {
-    if (timingSafeEqual(p, digest(k))) ok = true;
+    if (timingSafeEqual(p, digest(k))) found = k;
   }
-  return ok;
+  return found;
+}
+
+export function isValidKey(presented: string, validKeys: string[]): boolean {
+  return matchKey(presented, validKeys) !== null;
 }
 
 export function extractKey(req: FastifyRequest): string | null {
@@ -40,14 +48,16 @@ export interface AuthResult {
   ok: boolean;
   status?: number;
   error?: string;
+  keyFp?: string;
 }
 
 export function checkAuth(req: FastifyRequest, validKeys: string[]): AuthResult {
   if (validKeys.length === 0) return { ok: true }; // auth disabled
   const key = extractKey(req);
   if (!key) return { ok: false, status: 401, error: "missing API key" };
-  if (!isValidKey(key, validKeys)) return { ok: false, status: 401, error: "invalid API key" };
-  return { ok: true };
+  const matched = matchKey(key, validKeys);
+  if (!matched) return { ok: false, status: 401, error: "invalid API key" };
+  return { ok: true, keyFp: clientKeyFingerprint(matched) };
 }
 
 /** Verifies a presented admin password (against the persisted hash store). */

package/src/routes/admin.ts

@@ -15,7 +15,7 @@ import { resolve } from "node:path";
 import type { FastifyInstance, FastifyRequest, FastifyReply } from "fastify";
 import type { GatewayState } from "../core/state.js";
 import type { UsageDB } from "../db.js";
-import { checkAdminAuth, type AdminVerifier } from "../middleware/auth.js";
+import { checkAdminAuth, clientKeyFingerprint, type AdminVerifier } from "../middleware/auth.js";
 import {
   maskKey,
   serializeConfig,
@@ -44,9 +44,12 @@ import {
   addServerKey,
   editServerKey,
   removeServerKey,
+  setBudget,
+  clearBudget,
   type Config,
   type Provider,
   type EndpointSettings,
+  type Budget,
 } from "../config.js";
 import { pingProvider } from "../upstream/client.js";
 import { handle, GatewayError } from "../core/handler.js";
@@ -142,7 +145,23 @@ export function registerAdminRoutes(app: FastifyInstance, deps: AdminDeps): void
 
   // per-provider quota: consumed, limit, and ms until the next scheduled reset.
   app.get("/admin/quota", requireAdmin, (_req, reply) => {
-    reply.send({ quota: deps.state.quota.snapshot(deps.state.config.listProviders()) });
+    reply.send({
+      quota: deps.state.quota.snapshot(deps.state.config.listProviders()),
+      budgets: deps.state.budget.statuses(),
+    });
+  });
+
+  // add or replace a budget (keyed by scope). Body = Budget; invalid shape or an
+  // unknown provider scope -> 400 via zod / setBudget through state.reload().
+  app.put("/admin/budgets", requireAdmin, (req, reply) => {
+    const b = (req.body ?? {}) as Budget;
+    applyMutation(reply, (c) => setBudget(c, b));
+  });
+
+  // remove a budget by scope key: global | provider:<id> | model:<id>.
+  app.delete("/admin/budgets/:key", requireAdmin, (req, reply) => {
+    const key = decodeURIComponent((req.params as { key: string }).key);
+    applyMutation(reply, (c) => clearBudget(c, key));
   });
 
   // current config, secrets masked
@@ -426,11 +445,17 @@ export function registerAdminRoutes(app: FastifyInstance, deps: AdminDeps): void
 
   // every callable model: provider/model catalog entries + routing aliases.
   app.get("/admin/models", requireAdmin, (_req, reply) => {
-    const providers = deps.state.config.listProviders().map((p) => ({
-      id: p.id,
-      format: p.format,
-      models: p.models.map((m) => ({ id: m.id, ref: `${p.id}/${m.id}`, price_in: m.price_in, price_out: m.price_out })),
-    }));
+    // disabled providers are skipped in routing, so their models must not be
+    // selectable anywhere this catalog feeds (combos, CLI-tool setup, budget
+    // scopes) — drop them here at the single source.
+    const providers = deps.state.config
+      .listProviders()
+      .filter((p) => !p.disabled)
+      .map((p) => ({
+        id: p.id,
+        format: p.format,
+        models: p.models.map((m) => ({ id: m.id, ref: `${p.id}/${m.id}`, price_in: m.price_in, price_out: m.price_out })),
+      }));
     const routes = deps.state.config.listRoutes();
     reply.send({ providers, routes });
   });
@@ -546,6 +571,19 @@ export function registerAdminRoutes(app: FastifyInstance, deps: AdminDeps): void
     applyMutation(reply, (c) => removeServerKey(c, i));
   });
 
+  // server keys with a non-secret fingerprint + display name, for the budget
+  // key-scope picker. Never returns the raw key.
+  app.get("/admin/keys", requireAdmin, (_req, reply) => {
+    const s = deps.state.config.raw.server;
+    reply.send(
+      s.api_keys.map((k) => ({
+        fingerprint: clientKeyFingerprint(k),
+        name: s.key_names?.[k] ?? maskKey(k),
+        masked: maskKey(k),
+      })),
+    );
+  });
+
   // reveal ONE raw gateway key (the "show key" button on the Endpoint page).
   app.get("/admin/endpoint/keys/:index/reveal", requireAdmin, (req, reply) => {
     const { index } = req.params as { index: string };

package/src/routes/v1.ts

@@ -1,5 +1,5 @@
 import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
-import { checkAuth } from "../middleware/auth.js";
+import { checkAuth, extractKey, clientKeyFingerprint } from "../middleware/auth.js";
 import type { GatewayState } from "../core/state.js";
 import { handle, GatewayError, type HandleDeps } from "../core/handler.js";
 import type { WireFormat } from "../core/canonical.js";
@@ -23,16 +23,21 @@ export function registerV1Routes(app: FastifyInstance, state: GatewayState, db?:
   };
 
   // build deps from the live holder per request (never close over config/pool).
-  const depsNow = (): HandleDeps => ({
-    config: state.config,
-    pool: state.pool,
-    quota: state.quota,
-    db,
-    log: (msg) => app.log.info(msg),
-  });
+  const depsNow = (req: FastifyRequest): HandleDeps => {
+    const presented = extractKey(req);
+    return {
+      config: state.config,
+      pool: state.pool,
+      quota: state.quota,
+      budget: state.budget,
+      db,
+      clientKeyFp: presented ? clientKeyFingerprint(presented) : undefined,
+      log: (msg) => app.log.info(msg),
+    };
+  };
 
-  app.post("/v1/chat/completions", requireAuth, (req, reply) => dispatch(depsNow(), "openai", req, reply));
-  app.post("/v1/messages", requireAuth, (req, reply) => dispatch(depsNow(), "anthropic", req, reply));
+  app.post("/v1/chat/completions", requireAuth, (req, reply) => dispatch(depsNow(req), "openai", req, reply));
+  app.post("/v1/messages", requireAuth, (req, reply) => dispatch(depsNow(req), "anthropic", req, reply));
 }
 
 const SSE_HEADERS = {

package/src/server.ts

@@ -59,7 +59,7 @@ async function main(): Promise<void> {
   });
 
   // holder enables runtime config edits (hot-reload) from the dashboard.
-  const state = new GatewayState(configPath, config, quota);
+  const state = new GatewayState(configPath, config, quota, db);
   // admin password lives in a hash store (seeded from the env on first run,
   // changeable at runtime from the dashboard).
   const auth = AuthStore.open(dataDir, process.env.AIGETWEY_ADMIN_PASSWORD);
@@ -78,6 +78,10 @@ async function main(): Promise<void> {
       prefix: "/",
       // forward the whole HTTP surface the dashboard needs (pages + its API).
       httpMethods: ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"],
+      // forward WebSocket upgrades too, so `next dev`'s HMR socket works when the
+      // dashboard is proxied — this is what lets dev run single-URL on the gateway
+      // port like production. Harmless for the prebuilt prod dashboard (no socket).
+      websocket: true,
       // keep the ORIGINAL Host so Next builds redirects (e.g. → /login) against
       // the gateway's address, not the internal dashboard port.
       replyOptions: {

package/src/upstream/client.ts

@@ -68,6 +68,15 @@ function buildBody(
   const adapter = adapterFor(provider.format);
   const upstreamReq: CanonicalRequest = { ...req, model, stream };
   const out = adapter.requestFromCanonical(upstreamReq) as Record<string, unknown>;
+  // OpenAI-compatible streams omit usage entirely unless you opt in — without this
+  // every streamed call through an openai-format provider logs 0 tokens in/out
+  // (anthropic/gemini report usage inline, so they're unaffected). Ask for the
+  // final usage chunk; the handler taps it for accounting. Preserve a usage opt-in
+  // the client already set.
+  if (stream && provider.format === "openai") {
+    const existing = (out.stream_options ?? {}) as Record<string, unknown>;
+    out.stream_options = { ...existing, include_usage: true };
+  }
   // Normalize thinking into THIS provider's native format, keyed by the upstream
   // model's capabilities. No-op for non-reasoning models. Runs per-attempt so each
   // provider in a fallback chain gets the right shape.