ampcode-connector 0.1.8 → 0.1.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ampcode-connector",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "description": "Proxy AmpCode through local OAuth subscriptions (Claude Code, Codex, Gemini CLI, Antigravity)",
   "license": "MIT",
   "repository": {
@@ -34,22 +34,21 @@
     "dev": "bun run --watch src/index.ts",
     "setup": "bun run src/index.ts setup",
     "login": "bun run src/index.ts login",
-    "test": "bun test tests/router.test.ts tests/middleware.test.ts tests/rewriter.test.ts",
+    "test": "bun test tests/router.test.ts tests/middleware.test.ts tests/rewriter.test.ts tests/forward.test.ts",
     "test:e2e": "bun test tests/code-assist.test.ts",
     "check": "biome check src/ tests/ && tsc --noEmit && bun run test",
     "format": "biome check --write src/ tests/"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.4.0",
+    "@biomejs/biome": "^2.4.2",
+    "@google/genai": "^1.42.0",
     "@types/bun": "^1.3.9"
   },
   "peerDependencies": {
-    "typescript": "^5"
+    "typescript": "^5.9.3"
   },
   "dependencies": {
-    "@google/genai": "^1.41.0",
-    "@kreuzberg/html-to-markdown": "^2.25.0",
-    "ampcode-connector": "^0.1.5",
+    "@kreuzberg/html-to-markdown": "^2.25.1",
     "exa-js": "^2.4.0"
   }
 }

package/src/auth/callback-server.ts

@@ -2,7 +2,7 @@
 
 import { logger } from "../utils/logger.ts";
 
-export interface CallbackResult {
+interface CallbackResult {
   code: string;
   state: string;
 }

package/src/auth/oauth.ts

@@ -60,7 +60,9 @@ export async function tokenFromAny(config: OAuthConfig): Promise<{ accessToken:
     try {
       const refreshed = await refresh(config, c.refreshToken, account);
       return { accessToken: refreshed.accessToken, account };
-    } catch {}
+    } catch (err) {
+      logger.debug(`${config.providerName}:${account} refresh failed in tokenFromAny`, { error: String(err) });
+    }
   }
 
   return null;
@@ -178,10 +180,16 @@ async function exchange(config: OAuthConfig, params: Record<string, string>): Pr
 }
 
 function parseTokenFields(raw: Record<string, unknown>, config: OAuthConfig): Credentials {
+  if (typeof raw.access_token !== "string" || !raw.access_token) {
+    throw new Error(`${config.providerName} token response missing access_token`);
+  }
+  if (typeof raw.expires_in !== "number" || Number.isNaN(raw.expires_in)) {
+    throw new Error(`${config.providerName} token response missing or invalid expires_in`);
+  }
   const buffer = config.expiryBuffer !== false ? TOKEN_EXPIRY_BUFFER_MS : 0;
   return {
-    accessToken: raw.access_token as string,
+    accessToken: raw.access_token,
     refreshToken: (raw.refresh_token as string) ?? "",
-    expiresAt: Date.now() + (raw.expires_in as number) * 1000 - buffer,
+    expiresAt: Date.now() + raw.expires_in * 1000 - buffer,
   };
 }

package/src/auth/store.ts

@@ -6,6 +6,7 @@ import { Database, type Statement } from "bun:sqlite";
 import { mkdirSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
+import { logger } from "../utils/logger.ts";
 
 export interface Credentials {
   accessToken: string;
@@ -47,13 +48,7 @@ interface Statements {
 
 let _db: Database | null = null;
 let _stmts: Statements | null = null;
-let _dbPath = DEFAULT_DB_PATH;
-
-/** Override the database path (must be called before any store operation). */
-export function setDbPath(path: string): void {
-  _dbPath = path;
-}
-
+const _dbPath = DEFAULT_DB_PATH;
 function init() {
   if (_stmts) return _stmts;
 
@@ -92,16 +87,26 @@ function init() {
 export function get(provider: ProviderName, account = 0): Credentials | undefined {
   const row = init().get.get(provider, account);
   if (!row) return undefined;
-  return JSON.parse(row.data) as Credentials;
+  try {
+    return JSON.parse(row.data) as Credentials;
+  } catch (err) {
+    logger.warn(`Corrupt credentials for ${provider}:${account}, removing`, { error: String(err) });
+    init().delOne.run(provider, account);
+    return undefined;
+  }
 }
 
 export function getAll(provider: ProviderName): { account: number; credentials: Credentials }[] {
-  return init()
-    .getAll.all(provider)
-    .map((row) => ({
-      account: row.account,
-      credentials: JSON.parse(row.data) as Credentials,
-    }));
+  const results: { account: number; credentials: Credentials }[] = [];
+  for (const row of init().getAll.all(provider)) {
+    try {
+      results.push({ account: row.account, credentials: JSON.parse(row.data) as Credentials });
+    } catch (err) {
+      logger.warn(`Corrupt credentials for ${provider}:${row.account}, removing`, { error: String(err) });
+      init().delOne.run(provider, row.account);
+    }
+  }
+  return results;
 }
 
 export function save(provider: ProviderName, credentials: Credentials, account = 0): void {

package/src/cli/ansi.ts

@@ -13,7 +13,7 @@ export const screen = {
 };
 
 /** Erase from cursor to end of line. */
-export const eol = `${ESC}K`;
+const eol = `${ESC}K`;
 
 export const s = {
   reset: `${ESC}0m`,

package/src/cli/setup.ts

@@ -131,6 +131,7 @@ export async function setup(): Promise<void> {
 
   for (const p of providers) {
     const connected = p.accounts.filter((a) => a.status === "connected");
+    const disabled = p.accounts.filter((a) => a.status === "disabled");
     const total = p.accounts.filter((a) => a.status !== "disconnected");
 
     if (connected.length > 0) {
@@ -140,7 +141,10 @@ export async function setup(): Promise<void> {
         .filter(Boolean)
         .join(", ");
       const info = emails ? `  ${s.dim}${emails}${s.reset}` : "";
-      line(`  ${p.label.padEnd(16)} ${s.green}${connected.length} account(s)${s.reset}${info}`);
+      const disabledInfo = disabled.length > 0 ? `  ${s.red}${disabled.length} disabled${s.reset}` : "";
+      line(`  ${p.label.padEnd(16)} ${s.green}${connected.length} account(s)${s.reset}${info}${disabledInfo}`);
+    } else if (disabled.length > 0) {
+      line(`  ${p.label.padEnd(16)} ${s.red}${disabled.length} disabled${s.reset}`);
     } else if (total.length > 0) {
       line(`  ${p.label.padEnd(16)} ${s.yellow}${total.length} expired${s.reset}`);
     } else {

package/src/cli/status.ts

@@ -1,7 +1,8 @@
 import type { Credentials, ProviderName } from "../auth/store.ts";
 import * as store from "../auth/store.ts";
+import { cooldown, type QuotaPool } from "../routing/cooldown.ts";
 
-export type ConnectionStatus = "connected" | "expired" | "disconnected";
+export type ConnectionStatus = "connected" | "expired" | "disabled" | "disconnected";
 
 export interface AccountStatus {
   account: number;
@@ -23,8 +24,16 @@ const PROVIDERS: { name: ProviderName; label: string; sublabel?: string }[] = [
   { name: "google", label: "Google", sublabel: "Gemini CLI + Antigravity" },
 ];
 
-function connectionOf(creds: Credentials): ConnectionStatus {
+const POOL_MAP: Record<ProviderName, QuotaPool[]> = {
+  anthropic: ["anthropic"],
+  codex: ["codex"],
+  google: ["gemini", "antigravity"],
+};
+
+function connectionOf(name: ProviderName, account: number, creds: Credentials): ConnectionStatus {
   if (!creds.refreshToken) return "disconnected";
+  const pools = POOL_MAP[name];
+  if (pools.some((p) => cooldown.isExhausted(p, account))) return "disabled";
   return store.fresh(creds) ? "connected" : "expired";
 }
 
@@ -35,7 +44,7 @@ export function all(): ProviderStatus[] {
     sublabel,
     accounts: store.getAll(name).map((e) => ({
       account: e.account,
-      status: connectionOf(e.credentials),
+      status: connectionOf(name, e.account, e.credentials),
       email: e.credentials.email,
       expiresAt: e.credentials.expiresAt,
     })),

package/src/cli/tui.ts

@@ -16,6 +16,7 @@ const oauthConfigs: Record<ProviderName, OAuthConfig> = {
 const ICON: Record<ConnectionStatus, string> = {
   connected: `${s.green}●${s.reset}`,
   expired: `${s.yellow}●${s.reset}`,
+  disabled: `${s.red}●${s.reset}`,
   disconnected: `${s.dim}○${s.reset}`,
 };
 
@@ -109,7 +110,9 @@ function formatInfo(a: AccountStatus): string {
   if (a.status === "disconnected") return `${s.dim}—${s.reset}`;
 
   const parts: string[] = [];
-  parts.push(a.status === "connected" ? `${s.green}connected${s.reset}` : `${s.yellow}expired${s.reset}`);
+  if (a.status === "connected") parts.push(`${s.green}connected${s.reset}`);
+  else if (a.status === "disabled") parts.push(`${s.red}disabled${s.reset}`);
+  else parts.push(`${s.yellow}expired${s.reset}`);
   if (a.expiresAt && a.status === "connected") parts.push(`${s.dim}${status.remaining(a.expiresAt)}${s.reset}`);
   if (a.email) parts.push(`${s.dim}${a.email}${s.reset}`);
   return parts.join(`${s.dim} · ${s.reset}`);

package/src/config/config.ts

@@ -38,8 +38,13 @@ export async function loadConfig(): Promise<ProxyConfig> {
   const apiKey = await resolveApiKey(file);
   const providers = asRecord(file?.providers);
 
+  const port = asNumber(file?.port) ?? DEFAULTS.port;
+  if (port < 1 || port > 65535) {
+    throw new Error(`Invalid port ${port}: must be between 1 and 65535`);
+  }
+
   return {
-    port: asNumber(file?.port) ?? DEFAULTS.port,
+    port,
     ampUpstreamUrl: asString(file?.ampUpstreamUrl) ?? DEFAULTS.ampUpstreamUrl,
     ampApiKey: apiKey,
     exaApiKey: asString(file?.exaApiKey) ?? process.env.EXA_API_KEY,

package/src/constants.ts

@@ -38,7 +38,6 @@ export const OPENAI_TOKEN_URL = "https://auth.openai.com/oauth/token";
 export const GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token";
 
 export const TOKEN_EXPIRY_BUFFER_MS = 5 * 60 * 1000;
-export const OAUTH_CALLBACK_TIMEOUT_MS = 120_000;
 export const CLAUDE_CODE_VERSION = "2.1.39";
 
 export const stainlessHeaders: Readonly<Record<string, string>> = {
@@ -48,8 +47,8 @@ export const stainlessHeaders: Readonly<Record<string, string>> = {
   "X-Stainless-Package-Version": "0.73.0",
   "X-Stainless-Runtime": "node",
   "X-Stainless-Lang": "js",
-  "X-Stainless-Arch": "arm64",
-  "X-Stainless-Os": "MacOS",
+  "X-Stainless-Arch": process.arch,
+  "X-Stainless-Os": process.platform === "darwin" ? "MacOS" : process.platform === "win32" ? "Windows" : "Linux",
   "X-Stainless-Timeout": "600",
 };
 

package/src/providers/anthropic.ts

@@ -11,7 +11,7 @@ import {
   stainlessHeaders,
 } from "../constants.ts";
 import type { Provider } from "./base.ts";
-import { denied, forward } from "./base.ts";
+import { denied, forward } from "./forward.ts";
 
 export const provider: Provider = {
   name: "Anthropic",
@@ -32,6 +32,7 @@ export const provider: Provider = {
       streaming: body.stream,
       providerName: "Anthropic",
       rewrite,
+      email: store.get("anthropic", account)?.email,
       headers: {
         ...stainlessHeaders,
         Accept: body.stream ? "text/event-stream" : "application/json",

package/src/providers/antigravity.ts

@@ -10,7 +10,7 @@ import { buildUrl, maybeWrap, withUnwrap } from "../utils/code-assist.ts";
 import { logger } from "../utils/logger.ts";
 import * as path from "../utils/path.ts";
 import type { Provider } from "./base.ts";
-import { denied, forward } from "./base.ts";
+import { denied, forward } from "./forward.ts";
 
 const endpoints = [ANTIGRAVITY_DAILY_ENDPOINT, AUTOPUSH_ENDPOINT, CODE_ASSIST_ENDPOINT];
 
@@ -33,7 +33,7 @@ export const provider: Provider = {
 
   accountCount: () => oauth.accountCount(config),
 
-  async forward(sub, body, originalHeaders, rewrite, account = 0) {
+  async forward(sub, body, _originalHeaders, rewrite, account = 0) {
     const accessToken = await oauth.token(config, account);
     if (!accessToken) return denied("Antigravity");
 
@@ -44,15 +44,11 @@ export const provider: Provider = {
       ...antigravityHeaders,
       Authorization: `Bearer ${accessToken}`,
       "Content-Type": "application/json",
-      Accept: "text/event-stream",
+      Accept: body.stream ? "text/event-stream" : "application/json",
     };
-
-    const anthropicBeta = originalHeaders.get("anthropic-beta");
-    if (anthropicBeta) headers["anthropic-beta"] = anthropicBeta;
-
     const gemini = path.gemini(sub);
     const action = gemini?.action ?? "generateContent";
-    const model = gemini?.model ?? "";
+    const model = gemini?.model === "gemini-3-flash-preview" ? "gemini-3-flash" : (gemini?.model ?? "");
     const requestBody = maybeWrap(body.parsed, body.forwardBody, projectId, model, {
       userAgent: "antigravity",
       requestIdPrefix: "agent",
@@ -60,7 +56,7 @@ export const provider: Provider = {
     });
     const unwrapThenRewrite = withUnwrap(rewrite);
 
-    return tryEndpoints(requestBody, body.stream, headers, action, unwrapThenRewrite);
+    return tryEndpoints(requestBody, body.stream, headers, action, unwrapThenRewrite, creds?.email);
   },
 };
 
@@ -70,13 +66,14 @@ async function tryEndpoints(
   headers: Record<string, string>,
   action: string,
   rewrite?: (data: string) => string,
+  email?: string,
 ): Promise<Response> {
   let lastError: Error | null = null;
 
   for (const endpoint of endpoints) {
     const url = buildUrl(endpoint, action);
     try {
-      const response = await forward({ url, body, streaming, headers, providerName: "Antigravity", rewrite });
+      const response = await forward({ url, body, streaming, headers, providerName: "Antigravity", rewrite, email });
       if (response.status < 500) return response;
       lastError = new Error(`${endpoint} returned ${response.status}`);
       logger.debug("Endpoint 5xx, trying next", { provider: "Antigravity" });

package/src/providers/base.ts

@@ -1,9 +1,7 @@
-/** Provider interface and shared request forwarding. */
+/** Provider interface — the contract every provider must implement. */
 
 import type { ParsedBody } from "../server/body.ts";
 import type { RouteDecision } from "../utils/logger.ts";
-import { logger } from "../utils/logger.ts";
-import * as sse from "../utils/streaming.ts";
 
 export interface Provider {
   readonly name: string;
@@ -18,71 +16,3 @@ export interface Provider {
     account?: number,
   ): Promise<Response>;
 }
-
-interface ForwardOptions {
-  url: string;
-  body: string;
-  streaming: boolean;
-  headers: Record<string, string>;
-  providerName: string;
-  rewrite?: (data: string) => string;
-}
-
-const RETRYABLE_STATUS = new Set([408, 500, 502, 503, 504]);
-const MAX_RETRIES = 3;
-const RETRY_DELAY_MS = 500;
-
-export async function forward(opts: ForwardOptions): Promise<Response> {
-  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
-    let response: Response;
-    try {
-      response = await fetch(opts.url, {
-        method: "POST",
-        headers: opts.headers,
-        body: opts.body,
-      });
-    } catch (err) {
-      if (attempt < MAX_RETRIES) {
-        logger.debug(`${opts.providerName} fetch error, retry ${attempt + 1}/${MAX_RETRIES}`, {
-          error: String(err),
-        });
-        await Bun.sleep(RETRY_DELAY_MS * (attempt + 1));
-        continue;
-      }
-      throw err;
-    }
-
-    // Retry on server errors (429 handled at routing layer)
-    if (RETRYABLE_STATUS.has(response.status) && attempt < MAX_RETRIES) {
-      await response.text(); // consume body
-      logger.debug(`${opts.providerName} returned ${response.status}, retry ${attempt + 1}/${MAX_RETRIES}`);
-      await Bun.sleep(RETRY_DELAY_MS * (attempt + 1));
-      continue;
-    }
-
-    const contentType = response.headers.get("Content-Type") ?? "application/json";
-
-    if (!response.ok) {
-      const text = await response.text();
-      logger.error(`${opts.providerName} API error (${response.status})`, { error: text.slice(0, 200) });
-      return new Response(text, { status: response.status, headers: { "Content-Type": contentType } });
-    }
-
-    const isSSE = contentType.includes("text/event-stream") || opts.streaming;
-    if (isSSE) return sse.proxy(response, opts.rewrite);
-
-    if (opts.rewrite) {
-      const text = await response.text();
-      return new Response(opts.rewrite(text), { status: response.status, headers: { "Content-Type": contentType } });
-    }
-
-    return new Response(response.body, { status: response.status, headers: { "Content-Type": contentType } });
-  }
-
-  // Unreachable, but TypeScript needs it
-  throw new Error(`${opts.providerName}: all retries exhausted`);
-}
-
-export function denied(providerName: string): Response {
-  return Response.json({ error: `No ${providerName} OAuth token available. Run login first.` }, { status: 401 });
-}

package/src/providers/codex-sse.ts

@@ -50,7 +50,7 @@ interface TransformState {
 }
 
 /** Create a stateful SSE transformer: Responses API → Chat Completions. */
-export function createResponseTransformer(ampModel: string): (data: string) => string {
+function createResponseTransformer(ampModel: string): (data: string) => string {
   const state: TransformState = {
     responseId: "",
     model: ampModel,

package/src/providers/codex.ts

@@ -10,8 +10,8 @@ import * as store from "../auth/store.ts";
 import { CODEX_BASE_URL, codexHeaders, codexHeaderValues, codexPathMap } from "../constants.ts";
 import { fromBase64url } from "../utils/encoding.ts";
 import type { Provider } from "./base.ts";
-import { denied, forward } from "./base.ts";
 import { transformCodexResponse } from "./codex-sse.ts";
+import { denied, forward } from "./forward.ts";
 
 const DEFAULT_INSTRUCTIONS = "You are an expert coding assistant.";
 
@@ -41,6 +41,7 @@ export const provider: Provider = {
       providerName: "OpenAI Codex",
       // Skip generic rewrite when we need full response transform
       rewrite: needsResponseTransform ? undefined : rewrite,
+      email: store.get("codex", account)?.email,
       headers: {
         "Content-Type": "application/json",
         Authorization: `Bearer ${accessToken}`,
@@ -149,6 +150,7 @@ function transformForCodex(
   // Remove fields the Codex backend doesn't accept
   delete parsed.max_tokens;
   delete parsed.max_completion_tokens;
+  delete parsed.max_output_tokens;
   // Chat Completions fields not in Responses API
   delete parsed.frequency_penalty;
   delete parsed.logprobs;

package/src/providers/forward.ts

@@ -0,0 +1,74 @@
+/** HTTP forwarding with transport-level retry, SSE proxying, and response rewriting. */
+
+import { logger } from "../utils/logger.ts";
+import * as sse from "../utils/streaming.ts";
+
+export interface ForwardOptions {
+  url: string;
+  body: string;
+  streaming: boolean;
+  headers: Record<string, string>;
+  providerName: string;
+  rewrite?: (data: string) => string;
+  email?: string;
+}
+
+const RETRYABLE_STATUS = new Set([408, 500, 502, 503, 504]);
+const MAX_RETRIES = 3;
+const RETRY_DELAY_MS = 500;
+
+export async function forward(opts: ForwardOptions): Promise<Response> {
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+    let response: Response;
+    try {
+      response = await fetch(opts.url, {
+        method: "POST",
+        headers: opts.headers,
+        body: opts.body,
+      });
+    } catch (err) {
+      if (attempt < MAX_RETRIES) {
+        logger.debug(`${opts.providerName} fetch error, retry ${attempt + 1}/${MAX_RETRIES}`, {
+          error: String(err),
+        });
+        await Bun.sleep(RETRY_DELAY_MS * (attempt + 1));
+        continue;
+      }
+      throw err;
+    }
+
+    // Retry on server errors (429 handled at routing layer)
+    if (RETRYABLE_STATUS.has(response.status) && attempt < MAX_RETRIES) {
+      await response.text(); // consume body
+      logger.debug(`${opts.providerName} returned ${response.status}, retry ${attempt + 1}/${MAX_RETRIES}`);
+      await Bun.sleep(RETRY_DELAY_MS * (attempt + 1));
+      continue;
+    }
+
+    const contentType = response.headers.get("Content-Type") ?? "application/json";
+
+    if (!response.ok) {
+      const text = await response.text();
+      const ctx = opts.email ? ` account=${opts.email}` : "";
+      logger.error(`${opts.providerName} API error (${response.status})${ctx}`, { error: text.slice(0, 200) });
+      return new Response(text, { status: response.status, headers: { "Content-Type": contentType } });
+    }
+
+    const isSSE = contentType.includes("text/event-stream") || opts.streaming;
+    if (isSSE) return sse.proxy(response, opts.rewrite);
+
+    if (opts.rewrite) {
+      const text = await response.text();
+      return new Response(opts.rewrite(text), { status: response.status, headers: { "Content-Type": contentType } });
+    }
+
+    return new Response(response.body, { status: response.status, headers: { "Content-Type": contentType } });
+  }
+
+  // Unreachable, but TypeScript needs it
+  throw new Error(`${opts.providerName}: all retries exhausted`);
+}
+
+export function denied(providerName: string): Response {
+  return Response.json({ error: `No ${providerName} OAuth token available. Run login first.` }, { status: 401 });
+}

package/src/providers/gemini.ts

@@ -12,7 +12,7 @@ import { buildUrl, maybeWrap, withUnwrap } from "../utils/code-assist.ts";
 import { logger } from "../utils/logger.ts";
 import * as path from "../utils/path.ts";
 import type { Provider } from "./base.ts";
-import { denied, forward } from "./base.ts";
+import { denied, forward } from "./forward.ts";
 
 const geminiHeaders: Readonly<Record<string, string>> = {
   "User-Agent": "google-cloud-sdk vscode_cloudshelleditor/0.1",
@@ -44,7 +44,7 @@ export const provider: Provider = {
       ...geminiHeaders,
       Authorization: `Bearer ${accessToken}`,
       "Content-Type": "application/json",
-      Accept: "text/event-stream",
+      Accept: body.stream ? "text/event-stream" : "application/json",
     };
 
     const gemini = path.gemini(sub);
@@ -67,6 +67,7 @@ export const provider: Provider = {
       headers,
       providerName: "Gemini CLI",
       rewrite: unwrapThenRewrite,
+      email: store.get("google", account)?.email,
     });
   },
 };

package/src/routing/affinity.ts

@@ -5,7 +5,7 @@
 
 import type { QuotaPool } from "./cooldown.ts";
 
-export interface AffinityEntry {
+interface AffinityEntry {
   pool: QuotaPool;
   account: number;
   assignedAt: number;
@@ -16,7 +16,7 @@ const TTL_MS = 2 * 3600_000;
 /** Cleanup stale entries every 10 minutes. */
 const CLEANUP_INTERVAL_MS = 10 * 60_000;
 
-export class AffinityStore {
+class AffinityStore {
   private map = new Map<string, AffinityEntry>();
   private counts = new Map<string, number>();
   private cleanupTimer: Timer | null = null;

package/src/routing/cooldown.ts

@@ -12,6 +12,8 @@ interface CooldownEntry {
 }
 
 /** When detected as exhausted, cooldown for this long. */
+/** 403 = account disabled/revoked — long cooldown. */
+const FORBIDDEN_COOLDOWN_MS = 24 * 3600_000;
 const EXHAUSTED_COOLDOWN_MS = 2 * 3600_000;
 /** Retry-After threshold (seconds) above which we consider quota exhausted. */
 const EXHAUSTED_THRESHOLD_S = 300;
@@ -20,7 +22,7 @@ const EXHAUSTED_CONSECUTIVE = 3;
 /** Default burst cooldown when no Retry-After header. */
 const DEFAULT_BURST_S = 30;
 
-export class CooldownTracker {
+class CooldownTracker {
   private entries = new Map<string, CooldownEntry>();
 
   private key(pool: QuotaPool, account: number): string {
@@ -65,6 +67,13 @@ export class CooldownTracker {
     this.entries.set(k, entry);
   }
 
+  /** 403 = account forbidden/revoked. Immediately disable for 24h. */
+  record403(pool: QuotaPool, account: number): void {
+    const k = this.key(pool, account);
+    this.entries.set(k, { until: Date.now() + FORBIDDEN_COOLDOWN_MS, exhausted: true, consecutive429: 0 });
+    logger.warn(`Account disabled (403): ${k}`, { cooldownHours: FORBIDDEN_COOLDOWN_MS / 3600_000 });
+  }
+
   recordSuccess(pool: QuotaPool, account: number): void {
     this.entries.delete(this.key(pool, account));
   }

package/src/server/server.ts

@@ -5,6 +5,7 @@ import type { ProxyConfig } from "../config/config.ts";
 import * as rewriter from "../proxy/rewriter.ts";
 import * as upstream from "../proxy/upstream.ts";
 import { affinity } from "../routing/affinity.ts";
+import { cooldown } from "../routing/cooldown.ts";
 import { tryReroute, tryWithCachePreserve } from "../routing/retry.ts";
 import { recordSuccess, routeRequest } from "../routing/router.ts";
 import { handleInternal, isLocalMethod } from "../tools/internal.ts";
@@ -31,7 +32,7 @@ export function startServer(config: ProxyConfig): ReturnType<typeof Bun.serve> {
         logger.error("Unhandled server error", { error: String(err) });
         return Response.json({ error: "Internal proxy error" }, { status });
       } finally {
-        logger.info(`${req.method} ${url.pathname} ${status}`, { duration: Date.now() - startTime });
+        logger.info(`${req.method} ${url.pathname}${url.search} ${status}`, { duration: Date.now() - startTime });
       }
     },
   });
@@ -120,6 +121,10 @@ async function handleProvider(
         );
         response = rerouted ?? (await fallbackUpstream(req, body, config));
       }
+    } else if (handlerResponse.status === 403 && route.pool) {
+      cooldown.record403(route.pool, route.account);
+      if (threadId) affinity.clear(threadId, providerName);
+      response = await fallbackUpstream(req, body, config);
     } else if (handlerResponse.status === 401) {
       logger.debug("Local provider denied, falling back to upstream");
       response = await fallbackUpstream(req, body, config);

package/src/tools/web-read.ts

@@ -3,13 +3,13 @@
 import { convert, JsPreprocessingPreset } from "@kreuzberg/html-to-markdown";
 import { logger } from "../utils/logger.ts";
 
-export interface WebReadParams {
+interface WebReadParams {
   url: string;
   objective?: string;
   forceRefetch?: boolean;
 }
 
-export type WebReadResult =
+type WebReadResult =
   | { ok: true; result: { excerpts: string[] } | { fullContent: string } }
   | { ok: false; error: { code: string; message: string } };
 

package/src/tools/web-search.ts

@@ -14,7 +14,7 @@ function getExa(apiKey: string): InstanceType<typeof Exa> {
   return _exa;
 }
 
-export interface SearchParams {
+interface SearchParams {
   objective: string;
   searchQueries?: string[];
   maxResults?: number;

package/src/utils/code-assist.ts

@@ -10,7 +10,7 @@ interface WrapOptions {
 }
 
 /** Wrap a raw request body in the Cloud Code Assist envelope. */
-export function wrapRequest(opts: WrapOptions): string {
+function wrapRequest(opts: WrapOptions): string {
   return JSON.stringify({
     project: opts.projectId,
     model: opts.model,

package/src/utils/streaming.ts

@@ -51,10 +51,7 @@ export function encode(chunk: Chunk): string {
 const decoder = new TextDecoder();
 const encoder = new TextEncoder();
 
-export function transform(
-  source: ReadableStream<Uint8Array>,
-  fn: (data: string) => string,
-): ReadableStream<Uint8Array> {
+function transform(source: ReadableStream<Uint8Array>, fn: (data: string) => string): ReadableStream<Uint8Array> {
   let buffer = "";
 
   const stream = new TransformStream<Uint8Array, Uint8Array>({