npm - auditor-lambda - Versions diffs - 0.3.37 → 0.3.38 - Mend

auditor-lambda 0.3.37 → 0.3.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/cli.js +42 -1
package/dist/providers/types.d.ts +6 -0
package/dist/quota/discoveredLimits.d.ts +21 -0
package/dist/quota/discoveredLimits.js +74 -0
package/dist/quota/headerExtraction.d.ts +8 -0
package/dist/quota/headerExtraction.js +140 -0
package/dist/quota/headerExtractors/claudeCodeHeaderExtractor.d.ts +6 -0
package/dist/quota/headerExtractors/claudeCodeHeaderExtractor.js +28 -0
package/dist/quota/headerExtractors/genericHeaderExtractor.d.ts +9 -0
package/dist/quota/headerExtractors/genericHeaderExtractor.js +7 -0
package/dist/quota/headerExtractors/index.d.ts +5 -0
package/dist/quota/headerExtractors/index.js +12 -0
package/dist/quota/index.d.ts +6 -0
package/dist/quota/index.js +3 -0
package/dist/quota/scheduler.d.ts +3 -0
package/dist/quota/scheduler.js +18 -1
package/dist/types/sessionConfig.d.ts +3 -0
package/package.json +1 -1

package/dist/cli.js CHANGED Viewed

@@ -32,7 +32,7 @@ import { buildReviewPackets, orderTasksForPacketReview, estimateTaskGroupTokens,
 import { buildFileAnchorSummary, } from "./orchestrator/fileAnchors.js";
 import { LOCAL_SUBPROCESS_PROVIDER_NAME } from "./providers/constants.js";
 import { runAuditCodeMcpServer } from "./mcp/server.js";
-import { scheduleWave, buildProviderModelKey, readQuotaState, recordWaveOutcome, resolveLimits, resolveHostActiveSubagentLimit, probeProvider, computeMaxSafeConcurrency, getQuotaStatePath, detectRateLimitError, computeCooldownUntil, runSlidingWindow, LearnedQuotaSource, CompositeQuotaSource, } from "./quota/index.js";
+import { scheduleWave, buildProviderModelKey, readQuotaState, recordWaveOutcome, resolveLimits, resolveHostActiveSubagentLimit, probeProvider, computeMaxSafeConcurrency, getQuotaStatePath, detectRateLimitError, computeCooldownUntil, runSlidingWindow, LearnedQuotaSource, CompositeQuotaSource, lookupDiscoveredLimits, updateDiscoveredLimits, mergeDiscoveredLimits, getHeaderExtractorForProvider, } from "./quota/index.js";
 const packageRoot = resolve(dirname(fileURLToPath(import.meta.url)), "..");
 const ADVANCE_AUDIT_CONTRACT_VERSION = "audit-code/v1alpha1";
 const WORKER_RESULT_CONTRACT_VERSION = "audit-code-worker-result/v1alpha1";
@@ -1426,6 +1426,18 @@ async function cmdRunToCompletion(argv) {
             const allCandidateTasks = buildPendingAuditTasks(bundle);
             const candidateGroups = chunkArray(allCandidateTasks.slice(0, parallelWorkers * agentBatchSize), agentBatchSize);
             const slotTokenEstimates = candidateGroups.map((g) => estimateTaskGroupTokens(g));
+            const providerLimits = await provider.queryLimits?.(hostModel)
+                .then((r) => r ? { ...r, source: "provider_query" } : null)
+                .catch(() => null)
+                ?? null;
+            const cachedLimits = await lookupDiscoveredLimits(providerModelKey).catch(() => null);
+            const discoveredLimits = mergeDiscoveredLimits(providerLimits, cachedLimits);
+            const halfLifeHours = sessionConfig.quota?.empirical_half_life_hours ?? 24;
+            const quotaSource = new CompositeQuotaSource([new LearnedQuotaSource(halfLifeHours)]);
+            const quotaSourceSnapshot = await quotaSource.queryCurrentUsage(providerModelKey).catch(() => null);
+            const hostConcurrencyLimit = resolveHostActiveSubagentLimit({
+                sessionConfig,
+            });
             const waveSchedule = scheduleWave({
                 providerName: resolveFreshSessionProviderName(getExplicitProvider(argv), sessionConfig),
                 sessionConfig,
@@ -1433,6 +1445,9 @@ async function cmdRunToCompletion(argv) {
                 requestedConcurrency: parallelWorkers,
                 estimatedSlotTokens: slotTokenEstimates,
                 quotaStateEntry,
+                hostConcurrencyLimit,
+                quotaSourceSnapshot,
+                discoveredLimits,
             });
             const waveSize = waveSchedule.wave_size;
             if (waveSchedule.cooldown_until) {
@@ -1615,6 +1630,27 @@ async function cmdRunToCompletion(argv) {
                     cooldown_until: rateLimitHit ? computeCooldownUntil(retryAfterMs) : null,
                 }, sessionConfig.quota?.empirical_half_life_hours ?? 24).catch(() => undefined);
             }
+            // Extract rate-limit headers from worker stderr (best-effort)
+            {
+                const extractor = getHeaderExtractorForProvider(provider.name);
+                for (const slot of workerSlots) {
+                    try {
+                        const stderr = await readFile(slot.paths.stderrPath, "utf8");
+                        const extracted = extractor.extract(stderr);
+                        if (extracted && (extracted.requests_per_minute != null || extracted.input_tokens_per_minute != null)) {
+                            await updateDiscoveredLimits(providerModelKey, {
+                                requests_per_minute: extracted.requests_per_minute,
+                                input_tokens_per_minute: extracted.input_tokens_per_minute,
+                                source: "header_extraction",
+                            });
+                            break; // one successful extraction is enough
+                        }
+                    }
+                    catch {
+                        // stderr file missing or unreadable — skip
+                    }
+                }
+            }
             if (batchErrors.length > 0) {
                 const bundleAfter = await loadArtifactBundle(artifactsDir);
                 const blockedState = buildBlockedAuditState({
@@ -2470,6 +2506,7 @@ async function prepareDispatchArtifacts(params) {
         explicitLimit: params.hostActiveSubagentLimit,
         sessionConfig,
     });
+    const dispatchCachedLimits = await lookupDiscoveredLimits(quotaProviderKey).catch(() => null);
     const waveSchedule = scheduleWave({
         providerName: quotaProviderName,
         sessionConfig,
@@ -2478,6 +2515,7 @@ async function prepareDispatchArtifacts(params) {
         estimatedSlotTokens: perPacketTokens,
         quotaStateEntry,
         hostConcurrencyLimit,
+        discoveredLimits: dispatchCachedLimits,
     });
     const dispatchQuota = {
         contract_version: "audit-code-dispatch-quota/v1alpha2",
@@ -3227,6 +3265,7 @@ async function cmdQuota(argv) {
     });
     const quotaSource = new CompositeQuotaSource([new LearnedQuotaSource(halfLifeHours)]);
     const quotaSourceSnapshot = await quotaSource.queryCurrentUsage(providerModelKey).catch(() => null);
+    const queryDiscoveredLimits = await lookupDiscoveredLimits(providerModelKey).catch(() => null);
     const waveSchedule = scheduleWave({
         providerName,
         sessionConfig,
@@ -3235,6 +3274,7 @@ async function cmdQuota(argv) {
         quotaStateEntry,
         hostConcurrencyLimit,
         quotaSourceSnapshot,
+        discoveredLimits: queryDiscoveredLimits,
     });
     console.log(JSON.stringify({
         provider: providerName,
@@ -3253,6 +3293,7 @@ async function cmdQuota(argv) {
             }
             : null,
         quota_source_snapshot: quotaSourceSnapshot,
+        discovered_limits: queryDiscoveredLimits,
         wave_schedule: waveSchedule,
         quota_state_path: getQuotaStatePath(),
     }, null, 2));

package/dist/providers/types.d.ts CHANGED Viewed

@@ -21,7 +21,13 @@ export interface LaunchFreshSessionResult {
     stderrPath?: string;
     error?: string;
 }
+export interface ProviderRateLimits {
+    requests_per_minute?: number | null;
+    input_tokens_per_minute?: number | null;
+    output_tokens_per_minute?: number | null;
+}
 export interface FreshSessionProvider {
     name: string;
     launch(input: LaunchFreshSessionInput): Promise<LaunchFreshSessionResult>;
+    queryLimits?(model: string | null): Promise<ProviderRateLimits | null>;
 }

package/dist/quota/discoveredLimits.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+export interface DiscoveredRateLimits {
+    requests_per_minute?: number | null;
+    input_tokens_per_minute?: number | null;
+    output_tokens_per_minute?: number | null;
+    source: string;
+}
+export interface DiscoveredLimitsCacheEntry {
+    requests_per_minute?: number;
+    input_tokens_per_minute?: number;
+    discovered_at: string;
+    source: string;
+}
+export interface DiscoveredLimitsCache {
+    version: 1;
+    entries: Record<string, DiscoveredLimitsCacheEntry>;
+}
+export declare function readDiscoveredLimitsCache(): Promise<DiscoveredLimitsCache>;
+export declare function writeDiscoveredLimitsCache(cache: DiscoveredLimitsCache): Promise<void>;
+export declare function updateDiscoveredLimits(providerModelKey: string, limits: DiscoveredRateLimits): Promise<void>;
+export declare function lookupDiscoveredLimits(providerModelKey: string): Promise<DiscoveredRateLimits | null>;
+export declare function mergeDiscoveredLimits(...sources: (DiscoveredRateLimits | null | undefined)[]): DiscoveredRateLimits | null;

package/dist/quota/discoveredLimits.js ADDED Viewed

@@ -0,0 +1,74 @@
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { dirname } from "node:path";
+import { getQuotaStatePath } from "./state.js";
+function getCachePath() {
+    return getQuotaStatePath().replace(/quota-state\.json$/, "discovered-limits.json");
+}
+export async function readDiscoveredLimitsCache() {
+    try {
+        const raw = await readFile(getCachePath(), "utf8");
+        const parsed = JSON.parse(raw);
+        if (parsed !== null &&
+            typeof parsed === "object" &&
+            !Array.isArray(parsed) &&
+            parsed["version"] === 1) {
+            return parsed;
+        }
+    }
+    catch (error) {
+        if (error.code !== "ENOENT") {
+            process.stderr.write(`[quota] ignoring unreadable discovered-limits cache: ${error instanceof Error ? error.message : String(error)}\n`);
+        }
+    }
+    return { version: 1, entries: {} };
+}
+export async function writeDiscoveredLimitsCache(cache) {
+    const cachePath = getCachePath();
+    await mkdir(dirname(cachePath), { recursive: true });
+    await writeFile(cachePath, JSON.stringify(cache, null, 2) + "\n", "utf8");
+}
+export async function updateDiscoveredLimits(providerModelKey, limits) {
+    const cache = await readDiscoveredLimitsCache();
+    const existing = cache.entries[providerModelKey];
+    const entry = {
+        ...existing,
+        discovered_at: new Date().toISOString(),
+        source: limits.source,
+    };
+    if (limits.requests_per_minute != null) {
+        entry.requests_per_minute = limits.requests_per_minute;
+    }
+    if (limits.input_tokens_per_minute != null) {
+        entry.input_tokens_per_minute = limits.input_tokens_per_minute;
+    }
+    cache.entries[providerModelKey] = entry;
+    await writeDiscoveredLimitsCache(cache);
+}
+export async function lookupDiscoveredLimits(providerModelKey) {
+    const cache = await readDiscoveredLimitsCache();
+    const entry = cache.entries[providerModelKey];
+    if (!entry)
+        return null;
+    if (entry.requests_per_minute == null && entry.input_tokens_per_minute == null)
+        return null;
+    return {
+        requests_per_minute: entry.requests_per_minute ?? null,
+        input_tokens_per_minute: entry.input_tokens_per_minute ?? null,
+        source: entry.source,
+    };
+}
+export function mergeDiscoveredLimits(...sources) {
+    let merged = null;
+    for (const source of sources) {
+        if (!source)
+            continue;
+        if (!merged) {
+            merged = { ...source };
+            continue;
+        }
+        merged.requests_per_minute ??= source.requests_per_minute;
+        merged.input_tokens_per_minute ??= source.input_tokens_per_minute;
+        merged.output_tokens_per_minute ??= source.output_tokens_per_minute;
+    }
+    return merged;
+}

package/dist/quota/headerExtraction.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+export interface ExtractedRateLimits {
+    requests_per_minute: number | null;
+    input_tokens_per_minute: number | null;
+    remaining_requests: number | null;
+    remaining_tokens: number | null;
+    reset_at: string | null;
+}
+export declare function extractRateLimitHeaders(text: string): ExtractedRateLimits | null;

package/dist/quota/headerExtraction.js ADDED Viewed

@@ -0,0 +1,140 @@
+const HEADER_PATTERNS = [
+    // Standard x-ratelimit-* (OpenAI, Anthropic, and others)
+    { pattern: /x-ratelimit-limit-requests:\s*(\d+)/i, field: "requests_per_minute" },
+    { pattern: /x-ratelimit-limit-tokens:\s*(\d+)/i, field: "input_tokens_per_minute" },
+    { pattern: /x-ratelimit-remaining-requests:\s*(\d+)/i, field: "remaining_requests" },
+    { pattern: /x-ratelimit-remaining-tokens:\s*(\d+)/i, field: "remaining_tokens" },
+    { pattern: /x-ratelimit-reset-requests:\s*(.+)/i, field: "reset_at", transform: parseResetValue },
+    { pattern: /x-ratelimit-reset-tokens:\s*(.+)/i, field: "reset_at", transform: parseResetValue },
+    // Anthropic-specific header naming
+    { pattern: /anthropic-ratelimit-requests-limit:\s*(\d+)/i, field: "requests_per_minute" },
+    { pattern: /anthropic-ratelimit-tokens-limit:\s*(\d+)/i, field: "input_tokens_per_minute" },
+    { pattern: /anthropic-ratelimit-requests-remaining:\s*(\d+)/i, field: "remaining_requests" },
+    { pattern: /anthropic-ratelimit-tokens-remaining:\s*(\d+)/i, field: "remaining_tokens" },
+    { pattern: /anthropic-ratelimit-requests-reset:\s*(.+)/i, field: "reset_at", transform: parseResetValue },
+    { pattern: /anthropic-ratelimit-tokens-reset:\s*(.+)/i, field: "reset_at", transform: parseResetValue },
+];
+function parseResetValue(value) {
+    const trimmed = value.trim();
+    if (!trimmed)
+        return null;
+    // ISO timestamp
+    if (/^\d{4}-\d{2}-\d{2}/.test(trimmed))
+        return trimmed;
+    // Relative seconds (e.g. "42s", "42")
+    const seconds = parseFloat(trimmed);
+    if (Number.isFinite(seconds) && seconds > 0) {
+        return new Date(Date.now() + seconds * 1000).toISOString();
+    }
+    return trimmed;
+}
+function parseNumericValue(value) {
+    const n = parseInt(value, 10);
+    return Number.isFinite(n) && n > 0 ? n : null;
+}
+export function extractRateLimitHeaders(text) {
+    const result = {
+        requests_per_minute: null,
+        input_tokens_per_minute: null,
+        remaining_requests: null,
+        remaining_tokens: null,
+        reset_at: null,
+    };
+    let found = false;
+    for (const { pattern, field, transform } of HEADER_PATTERNS) {
+        const match = pattern.exec(text);
+        if (!match || !match[1])
+            continue;
+        if (result[field] != null)
+            continue; // first match wins
+        if (transform) {
+            const transformed = transform(match[1]);
+            if (transformed != null) {
+                result[field] = transformed;
+                found = true;
+            }
+        }
+        else {
+            const numeric = parseNumericValue(match[1]);
+            if (numeric != null) {
+                result[field] = numeric;
+                found = true;
+            }
+        }
+    }
+    // Also try JSON objects that embed header-like fields
+    if (!found) {
+        const jsonResult = extractFromJson(text);
+        if (jsonResult)
+            return jsonResult;
+    }
+    return found ? result : null;
+}
+function extractFromJson(text) {
+    const jsonPattern = /\{[^{}]*"(?:x-ratelimit|anthropic-ratelimit|ratelimit)[^{}]*\}/gi;
+    for (const match of text.matchAll(jsonPattern)) {
+        try {
+            const obj = JSON.parse(match[0]);
+            return extractFromHeaderObject(obj);
+        }
+        catch {
+            // not valid JSON
+        }
+    }
+    // Try line-by-line JSON (Claude Code stderr format)
+    for (const line of text.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed.startsWith("{"))
+            continue;
+        try {
+            const obj = JSON.parse(trimmed);
+            const headers = obj["headers"] ??
+                obj["response_headers"];
+            if (headers) {
+                const extracted = extractFromHeaderObject(headers);
+                if (extracted)
+                    return extracted;
+            }
+        }
+        catch {
+            // not valid JSON
+        }
+    }
+    return null;
+}
+function extractFromHeaderObject(headers) {
+    const get = (keys) => {
+        for (const key of keys) {
+            const val = headers[key] ?? headers[key.toLowerCase()];
+            if (val != null) {
+                const n = typeof val === "number" ? val : parseInt(String(val), 10);
+                if (Number.isFinite(n) && n > 0)
+                    return n;
+            }
+        }
+        return null;
+    };
+    const rpm = get([
+        "x-ratelimit-limit-requests",
+        "anthropic-ratelimit-requests-limit",
+    ]);
+    const tpm = get([
+        "x-ratelimit-limit-tokens",
+        "anthropic-ratelimit-tokens-limit",
+    ]);
+    if (rpm == null && tpm == null)
+        return null;
+    return {
+        requests_per_minute: rpm,
+        input_tokens_per_minute: tpm,
+        remaining_requests: get([
+            "x-ratelimit-remaining-requests",
+            "anthropic-ratelimit-requests-remaining",
+        ]),
+        remaining_tokens: get([
+            "x-ratelimit-remaining-tokens",
+            "anthropic-ratelimit-tokens-remaining",
+        ]),
+        reset_at: null,
+    };
+}

package/dist/quota/headerExtractors/claudeCodeHeaderExtractor.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import type { ExtractedRateLimits } from "../headerExtraction.js";
+import type { HeaderExtractor } from "./genericHeaderExtractor.js";
+export declare class ClaudeCodeHeaderExtractor implements HeaderExtractor {
+    readonly name = "claude-code";
+    extract(stderr: string): ExtractedRateLimits | null;
+}

package/dist/quota/headerExtractors/claudeCodeHeaderExtractor.js ADDED Viewed

@@ -0,0 +1,28 @@
+import { extractRateLimitHeaders } from "../headerExtraction.js";
+export class ClaudeCodeHeaderExtractor {
+    name = "claude-code";
+    extract(stderr) {
+        // Claude Code emits structured JSON lines to stderr. Collect all lines
+        // that might contain header data and feed them to the agnostic parser.
+        const candidates = [];
+        for (const line of stderr.split("\n")) {
+            const trimmed = line.trim();
+            if (!trimmed.startsWith("{"))
+                continue;
+            try {
+                const obj = JSON.parse(trimmed);
+                if (obj["headers"] || obj["response_headers"]) {
+                    candidates.push(trimmed);
+                }
+            }
+            catch {
+                // not JSON
+            }
+        }
+        if (candidates.length > 0) {
+            return extractRateLimitHeaders(candidates.join("\n"));
+        }
+        // Fall back to scanning the full text for raw header lines
+        return extractRateLimitHeaders(stderr);
+    }
+}

package/dist/quota/headerExtractors/genericHeaderExtractor.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { ExtractedRateLimits } from "../headerExtraction.js";
+export interface HeaderExtractor {
+    readonly name: string;
+    extract(stderr: string): ExtractedRateLimits | null;
+}
+export declare class GenericHeaderExtractor implements HeaderExtractor {
+    readonly name = "generic";
+    extract(stderr: string): ExtractedRateLimits | null;
+}

package/dist/quota/headerExtractors/genericHeaderExtractor.js ADDED Viewed

@@ -0,0 +1,7 @@
+import { extractRateLimitHeaders } from "../headerExtraction.js";
+export class GenericHeaderExtractor {
+    name = "generic";
+    extract(stderr) {
+        return extractRateLimitHeaders(stderr);
+    }
+}

package/dist/quota/headerExtractors/index.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export type { HeaderExtractor } from "./genericHeaderExtractor.js";
+export { GenericHeaderExtractor } from "./genericHeaderExtractor.js";
+export { ClaudeCodeHeaderExtractor } from "./claudeCodeHeaderExtractor.js";
+import type { HeaderExtractor } from "./genericHeaderExtractor.js";
+export declare function getHeaderExtractorForProvider(providerName: string): HeaderExtractor;

package/dist/quota/headerExtractors/index.js ADDED Viewed

@@ -0,0 +1,12 @@
+export { GenericHeaderExtractor } from "./genericHeaderExtractor.js";
+export { ClaudeCodeHeaderExtractor } from "./claudeCodeHeaderExtractor.js";
+import { GenericHeaderExtractor } from "./genericHeaderExtractor.js";
+import { ClaudeCodeHeaderExtractor } from "./claudeCodeHeaderExtractor.js";
+const PROVIDER_EXTRACTORS = {
+    "claude-code": () => new ClaudeCodeHeaderExtractor(),
+};
+const genericExtractor = new GenericHeaderExtractor();
+export function getHeaderExtractorForProvider(providerName) {
+    const factory = PROVIDER_EXTRACTORS[providerName];
+    return factory ? factory() : genericExtractor;
+}

package/dist/quota/index.d.ts CHANGED Viewed

@@ -16,4 +16,10 @@ export type { ErrorParser } from "./errorParsers/index.js";
 export { GenericErrorParser, ClaudeCodeErrorParser, getErrorParserForProvider } from "./errorParsers/index.js";
 export { LearnedQuotaSource } from "./learnedQuotaSource.js";
 export { CompositeQuotaSource } from "./compositeQuotaSource.js";
+export { lookupDiscoveredLimits, updateDiscoveredLimits, mergeDiscoveredLimits, readDiscoveredLimitsCache, writeDiscoveredLimitsCache, } from "./discoveredLimits.js";
+export type { DiscoveredRateLimits, DiscoveredLimitsCache, DiscoveredLimitsCacheEntry } from "./discoveredLimits.js";
+export { extractRateLimitHeaders } from "./headerExtraction.js";
+export type { ExtractedRateLimits } from "./headerExtraction.js";
+export type { HeaderExtractor } from "./headerExtractors/index.js";
+export { GenericHeaderExtractor, ClaudeCodeHeaderExtractor, getHeaderExtractorForProvider } from "./headerExtractors/index.js";
 export type { ResolvedLimits, LimitSource, LimitConfidence, HostConcurrencyLimit, HostConcurrencyLimitSource, QuotaState, QuotaStateEntry, ConcurrencyBucket, WaveSchedule, DispatchQuota, ObservedWaveOutcome, } from "./types.js";

package/dist/quota/index.js CHANGED Viewed

@@ -9,3 +9,6 @@ export { probeProvider } from "./probe.js";
 export { GenericErrorParser, ClaudeCodeErrorParser, getErrorParserForProvider } from "./errorParsers/index.js";
 export { LearnedQuotaSource } from "./learnedQuotaSource.js";
 export { CompositeQuotaSource } from "./compositeQuotaSource.js";
+export { lookupDiscoveredLimits, updateDiscoveredLimits, mergeDiscoveredLimits, readDiscoveredLimitsCache, writeDiscoveredLimitsCache, } from "./discoveredLimits.js";
+export { extractRateLimitHeaders } from "./headerExtraction.js";
+export { GenericHeaderExtractor, ClaudeCodeHeaderExtractor, getHeaderExtractorForProvider } from "./headerExtractors/index.js";

package/dist/quota/scheduler.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { ResolvedProviderName, SessionConfig } from "../types/sessionConfig.js";
 import type { HostConcurrencyLimit, QuotaStateEntry, WaveSchedule } from "./types.js";
 import type { QuotaUsageSnapshot } from "./quotaSource.js";
+import type { DiscoveredRateLimits } from "./discoveredLimits.js";
 export interface ScheduleWaveOptions {
     providerName: ResolvedProviderName;
     sessionConfig: SessionConfig;
@@ -13,6 +14,8 @@ export interface ScheduleWaveOptions {
     quotaStateEntry?: QuotaStateEntry | null;
     hostConcurrencyLimit?: HostConcurrencyLimit | null;
     quotaSourceSnapshot?: QuotaUsageSnapshot | null;
+    /** RPM/TPM discovered from provider queries or response header extraction. */
+    discoveredLimits?: DiscoveredRateLimits | null;
 }
 export declare function scheduleWave(options: ScheduleWaveOptions): WaveSchedule;
 /** Build the state key used for indexing quota-state.json entries. */

package/dist/quota/scheduler.js CHANGED Viewed

@@ -7,7 +7,7 @@ function sumTopN(sorted, n) {
     return sum;
 }
 export function scheduleWave(options) {
-    const { providerName, sessionConfig, hostModel, requestedConcurrency, estimatedSlotTokens, estimatedPacketTokens = 0, quotaStateEntry = null, hostConcurrencyLimit = null, quotaSourceSnapshot = null, } = options;
+    const { providerName, sessionConfig, hostModel, requestedConcurrency, estimatedSlotTokens, estimatedPacketTokens = 0, quotaStateEntry = null, hostConcurrencyLimit = null, quotaSourceSnapshot = null, discoveredLimits = null, } = options;
     // Descending sort so sumTopN picks the largest slots
     const slotsSorted = estimatedSlotTokens
         ? [...estimatedSlotTokens].sort((a, b) => b - a)
@@ -44,6 +44,12 @@ export function scheduleWave(options) {
     const safetyMargin = quota.safety_margin ?? 0.8;
     const halfLifeHours = quota.empirical_half_life_hours ?? 24;
     const { limits, source, confidence } = resolveLimits({ providerName, sessionConfig, hostModel });
+    // Fill null RPM/TPM from discovered limits (provider query or header extraction)
+    if (discoveredLimits) {
+        limits.requests_per_minute ??= discoveredLimits.requests_per_minute ?? null;
+        limits.input_tokens_per_minute ??= discoveredLimits.input_tokens_per_minute ?? null;
+        limits.output_tokens_per_minute ??= discoveredLimits.output_tokens_per_minute ?? null;
+    }
     let waveSize = requestedConcurrency;
     let cooldownUntil = null;
     // Respect an active cooldown period
@@ -93,6 +99,17 @@ export function scheduleWave(options) {
             else if (typeof fallbackCap === "number" && Number.isFinite(fallbackCap)) {
                 waveSize = Math.min(waveSize, Math.max(1, Math.floor(fallbackCap)));
             }
+            // First-contact cap: when no learned history, no configured fallback, AND
+            // no RPM/TPM limits from any source, apply a conservative ceiling.
+            // This triggers only for unconfigured local providers (fallbackCap is
+            // undefined). Hosted providers default to 1 via unknown_hosted_concurrency,
+            // and "unlimited" is an explicit opt-out.
+            if (fallbackCap == null &&
+                limits.requests_per_minute == null &&
+                limits.input_tokens_per_minute == null) {
+                const firstContactCap = quota.first_contact_concurrency ?? 3;
+                waveSize = Math.min(waveSize, Math.max(1, firstContactCap));
+            }
         }
     }
     // Apply real-time quota source data if available

package/dist/types/sessionConfig.d.ts CHANGED Viewed

@@ -46,6 +46,9 @@ export interface QuotaConfig {
     empirical_half_life_hours?: number;
     /** Allow the scheduler to try concurrency maxSafe+1 after consecutive successes (default: true). */
     ramp_up_enabled?: boolean;
+    /** Conservative concurrency cap for the first wave when no learned history
+     *  and no discovered RPM/TPM limits exist (default: 3). */
+    first_contact_concurrency?: number;
     /** Hard host ceiling for simultaneously active conversation subagents. */
     host_active_subagent_limit?: number;
     /** Per-model overrides keyed by "provider/model". */

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "auditor-lambda",
-  "version": "0.3.37",
+  "version": "0.3.38",
   "private": false,
   "description": "Portable hybrid code-auditing framework for arbitrary repositories.",
   "type": "module",