costhawk 1.0.0

package/costcanary/app/api/proxy/openai/route.ts

@@ -0,0 +1,529 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { auth } from '@clerk/nextjs/server';
+import { prisma } from '@/lib/prisma';
+import { checkUsageLimit, incrementUsage } from '@/lib/usage-limits';
+import { logAuditEvent } from '@/lib/audit-events';
+import { decrypt } from '@/lib/encryption';
+import { resolveWrappedKey, validateKeyPolicy } from '@/lib/wrapped-keys';
+import { headers } from 'next/headers';
+import { Provider } from '@prisma/client';
+import { resolveCanonicalModel } from '@/lib/model-alias';
+import { getActivePrice, computeCost, getFallbackPrice } from '@/lib/pricing';
+import { parseSSEStream } from '@/lib/sse-parser';
+import { estimateOpenAITokens, estimateCompletionTokens } from '@/lib/tokens';
+
+// Force Node.js runtime and disable static optimization
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+export const revalidate = 0;
+
+// CORS headers for public API access
+function getCorsHeaders() {
+  return {
+    'Access-Control-Allow-Origin': process.env.NEXT_PUBLIC_APP_ORIGIN || '*',
+    'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
+    'Access-Control-Allow-Headers': 'Content-Type,Authorization',
+  };
+}
+
+// Handle preflight requests
+export async function OPTIONS() {
+  return new NextResponse(null, { 
+    status: 204, 
+    headers: getCorsHeaders()
+  });
+}
+
+// Simple GET for health checks
+export async function GET() {
+  return NextResponse.json(
+    { ok: true, service: 'openai-proxy', timestamp: new Date().toISOString() },
+    { headers: getCorsHeaders() }
+  );
+}
+
+// This is the critical API proxy that enforces usage limits
+export async function POST(req: NextRequest) {
+  const requestId = Math.random().toString(36).substring(7);
+  
+  // Critical debug logging for production issues
+  // DEBUG: console.log(`[proxy-openai-${requestId}] Request received:`, {
+  //   url: req.url,
+  //   method: req.method,
+  //   hasAuth: !!req.headers.get('authorization'),
+  //   authPrefix: req.headers.get('authorization')?.substring(0, 15),
+  // });
+  
+  try {
+    // Parse body once at the beginning
+    const body = await req.json();
+    
+    // Check if this is a wrapped key request
+    const authHeader = req.headers.get('authorization');
+    let isWrappedKey = false;
+    let wrappedKeyId: string | null = null;
+    let resolvedKey: Awaited<ReturnType<typeof resolveWrappedKey>> = null;
+    
+    if (authHeader?.startsWith('Bearer ch_sk_')) {
+      // This is a wrapped key
+      isWrappedKey = true;
+      wrappedKeyId = authHeader.substring(7); // Remove "Bearer "
+      
+      // DEBUG: console.log(`[proxy-openai-${requestId}] Wrapped key detected:`, {
+      //   wrappedKeyId: wrappedKeyId.substring(0, 20) + '...',
+      //   fullKeyLength: wrappedKeyId.length,
+      // });
+      
+      try {
+        // Resolve the wrapped key
+        resolvedKey = await resolveWrappedKey(wrappedKeyId);
+        
+        if (!resolvedKey) {
+          // DEBUG: console.error(`[proxy-openai-${requestId}] Wrapped key not found:`, wrappedKeyId);
+          return NextResponse.json(
+            { error: 'Invalid or expired wrapped key' },
+            { status: 401 }
+          );
+        }
+        
+        // DEBUG: console.log(`[proxy-openai-${requestId}] Wrapped key resolved:`, {
+        //   userId: resolvedKey.userId,
+        //   orgId: resolvedKey.orgId,
+        //   provider: resolvedKey.provider,
+        //   hasPolicy: !!resolvedKey.policy,
+        // });
+        
+      } catch (keyError) {
+        // DEBUG: console.error(`[proxy-openai-${requestId}] Wrapped key resolution error:`, keyError);
+        return NextResponse.json(
+          { error: 'Failed to resolve wrapped key', details: keyError instanceof Error ? keyError.message : 'Unknown error' },
+          { status: 500 }
+        );
+      }
+      
+      try {
+        // Validate policy
+        const headersList = await headers();
+        const ipAddress = headersList.get('x-forwarded-for')?.split(',')[0] || 
+                         headersList.get('x-real-ip') || undefined;
+        
+        const policyValidation = await validateKeyPolicy(resolvedKey.policy, {
+          model: body.model,
+          orgId: resolvedKey.orgId,
+          ipAddress
+        });
+        
+        if (!policyValidation.allowed) {
+          return NextResponse.json(
+            { error: policyValidation.reason || 'Request blocked by policy' },
+            { status: 403 }
+          );
+        }
+        
+      } catch (policyError) {
+        return NextResponse.json(
+          { error: 'Policy validation failed', details: policyError instanceof Error ? policyError.message : 'Unknown error' },
+          { status: 500 }
+        );
+      }
+    } else {
+    }
+    
+    // 1. Authenticate user (for non-wrapped key requests)
+    let user;
+    if (isWrappedKey && resolvedKey) {
+      user = await prisma.user.findUnique({
+        where: { id: resolvedKey.userId }
+      });
+    } else {
+      const { userId: clerkId } = await auth();
+      if (!clerkId) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+      }
+      
+      user = await prisma.user.findUnique({
+        where: { clerkId }
+      });
+    }
+
+    if (!user) {
+      return NextResponse.json({ error: 'User not found' }, { status: 404 });
+    }
+
+    // 3. CHECK USAGE LIMITS (CRITICAL!)
+    const usageCheck = await checkUsageLimit(user.id);
+    
+    if (!usageCheck.allowed) {
+      // Log the rejection
+      await logAuditEvent({
+        userId: user.id,
+        action: 'api_call_rejected',
+        details: {
+          reason: 'usage_limit_exceeded',
+          currentUsage: usageCheck.currentUsage,
+          limit: usageCheck.limit,
+          tier: usageCheck.tier,
+        },
+      });
+
+      // Return 402 Payment Required
+      return NextResponse.json(
+        {
+          error: 'Usage limit exceeded',
+          message: usageCheck.message,
+          upgradeUrl: usageCheck.upgradeUrl,
+          usage: {
+            current: usageCheck.currentUsage,
+            limit: usageCheck.limit,
+            tier: usageCheck.tier,
+          },
+        },
+        { status: 402 } // Payment Required
+      );
+    }
+
+    // 4. Get API key
+    let decryptedKey: string;
+    let apiKeyId: string | undefined;
+    
+    if (isWrappedKey && resolvedKey) {
+      // Use the wrapped key's real API key
+      decryptedKey = resolvedKey.realKey;
+      // No apiKeyId for wrapped keys
+    } else {
+      // Use regular API key - need to fetch it
+      const apiKey = await prisma.apiKey.findFirst({
+        where: {
+          userId: user.id,
+          provider: 'OPENAI',
+          isActive: true
+        }
+      });
+      
+      if (!apiKey) {
+        return NextResponse.json(
+          { error: 'No OpenAI API key configured. Please add one in settings.' },
+          { status: 400 }
+        );
+      }
+      
+      apiKeyId = apiKey.id;
+      decryptedKey = decrypt(apiKey.encryptedKey);
+    }
+
+    // 5. Forward request to OpenAI
+    const startTime = Date.now();
+
+    const openaiResponse = await fetch('https://api.openai.com/v1/chat/completions', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${decryptedKey}`,
+      },
+      body: JSON.stringify(body),
+      // @ts-expect-error Node 18 streaming support
+      duplex: 'half',
+    });
+
+    const contentType = openaiResponse.headers.get('content-type') || '';
+    const latency = Date.now() - startTime;
+    
+    // Check if this is a streaming response (SSE)
+    const isStreaming = contentType.toLowerCase().includes('text/event-stream');
+    
+    if (isStreaming) {
+      // For streaming responses, use the new SSE parser
+      // DEBUG: console.log(`[proxy-openai-${requestId}] Streaming response detected, parsing with tee`);
+      
+      if (openaiResponse.ok && openaiResponse.body) {
+        // Parse SSE stream to extract usage
+        const { clientStream, parsePromise } = await parseSSEStream(
+          openaiResponse.body,
+          'OPENAI'
+        );
+        
+        // Create response with client stream
+        const response = new Response(clientStream, {
+          status: openaiResponse.status,
+          headers: {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache, no-transform',
+            'X-Accel-Buffering': 'no',
+            ...getCorsHeaders(),
+          },
+        });
+        
+        // Process usage data asynchronously
+        parsePromise.then(async (parseResult) => {
+          await incrementUsage(user.id);
+          
+          // Resolve canonical model
+          const canonicalModel = await resolveCanonicalModel(
+            Provider.OPENAI,
+            body.model,
+            parseResult.model
+          );
+          
+          // Get pricing and compute cost
+          let cost = 0;
+          let costIn = 0;
+          let costOut = 0;
+          let estimated = false;
+          
+          let pricingVersionId: string | undefined;
+          
+          if (canonicalModel) {
+            const price = await getActivePrice(Provider.OPENAI, canonicalModel) ||
+                         getFallbackPrice(Provider.OPENAI, canonicalModel);
+            
+            if (price) {
+              pricingVersionId = price.versionId !== 'fallback' ? price.versionId : undefined;
+              
+              if (parseResult.usage) {
+                const breakdown = computeCost(parseResult.usage, price);
+                cost = breakdown.total;
+                costIn = breakdown.costIn;
+                costOut = breakdown.costOut;
+              } else if (parseResult.completionText) {
+                // Estimate if no usage provided
+                const promptTokens = estimateOpenAITokens(body.model || 'gpt-4', body.messages || []).promptTokens;
+                const completionTokens = estimateCompletionTokens(parseResult.completionText);
+                const breakdown = computeCost(
+                  { prompt: promptTokens, completion: completionTokens },
+                  price
+                );
+                cost = breakdown.total;
+                costIn = breakdown.costIn;
+                costOut = breakdown.costOut;
+                estimated = true;
+              }
+            }
+          }
+          
+          // Log usage
+          await prisma.usageLog.create({
+            data: {
+              userId: user.id,
+              apiKeyId: apiKeyId,
+              wrappedKeyId: isWrappedKey && resolvedKey ? resolvedKey.wrappedKey.id : undefined,
+              provider: Provider.OPENAI,
+              model: body.model || 'unknown',
+              responseModel: parseResult.model,
+              canonicalModel,
+              pricingVersionId,
+              endpoint: '/v1/chat/completions',
+              inputTokens: (typeof parseResult.usage?.prompt_tokens === 'number' ? parseResult.usage.prompt_tokens : 
+                           typeof parseResult.usage?.prompt === 'number' ? parseResult.usage.prompt : 0),
+              outputTokens: (typeof parseResult.usage?.completion_tokens === 'number' ? parseResult.usage.completion_tokens : 
+                            typeof parseResult.usage?.completion === 'number' ? parseResult.usage.completion : 0),
+              totalTokens: (typeof parseResult.usage?.total_tokens === 'number' ? parseResult.usage.total_tokens : 
+                           typeof parseResult.usage?.total === 'number' ? parseResult.usage.total : 0),
+              cost,
+              costInputUsd: costIn,
+              costOutputUsd: costOut,
+              latency,
+              statusCode: openaiResponse.status,
+              metadata: { streaming: true, estimated },
+              estimated,
+            },
+          });
+        }).catch(async error => {
+          // DEBUG: console.error(`[proxy-openai-${requestId}] SSE parse error:`, error);
+          // Still log usage but mark as failed parsing
+          try {
+            await incrementUsage(user.id);
+            await prisma.usageLog.create({
+              data: {
+                userId: user.id,
+                apiKeyId: apiKeyId,
+                wrappedKeyId: isWrappedKey && resolvedKey ? resolvedKey.wrappedKey.id : undefined,
+                provider: Provider.OPENAI,
+                model: body.model || 'unknown',
+                endpoint: '/v1/chat/completions',
+                inputTokens: 0,
+                outputTokens: 0,
+                totalTokens: 0,
+                cost: 0,
+                latency,
+                statusCode: openaiResponse.status,
+                metadata: { streaming: true, parseError: true },
+                error: error instanceof Error ? error.message : 'SSE parse failed',
+              },
+            });
+          } catch (logError) {
+            // DEBUG: console.error(`[proxy-openai-${requestId}] Failed to log parse error:`, logError);
+          }
+        });
+        
+        return response;
+      } else {
+        // Non-OK response, pass through
+        return new Response(openaiResponse.body, {
+          status: openaiResponse.status,
+          headers: {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache, no-transform',
+            'X-Accel-Buffering': 'no',
+            ...getCorsHeaders(),
+          },
+        });
+      }
+    }
+    
+    // For non-streaming responses, parse JSON
+    let responseData;
+    try {
+      const responseText = await openaiResponse.text();
+      responseData = JSON.parse(responseText);
+    } catch (parseError) {
+      // DEBUG: console.error(`[proxy-openai-${requestId}] Failed to parse response:`, parseError);
+      // Return the raw response if we can't parse it
+      return new Response(openaiResponse.body, {
+        status: openaiResponse.status,
+        headers: {
+          ...Object.fromEntries(openaiResponse.headers.entries()),
+          ...getCorsHeaders(),
+        },
+      });
+    }
+
+    // Variables for cost tracking (declared outside for header access)
+    let cost = 0;
+    let costIn = 0;
+    let costOut = 0;
+    let estimated = false;
+
+    // 6. Track usage (AFTER successful call)
+    if (openaiResponse.ok) {
+      await incrementUsage(user.id);
+
+      // Extract model from response
+      const responseModel = responseData.model;
+      
+      // Resolve canonical model
+      const canonicalModel = await resolveCanonicalModel(
+        Provider.OPENAI,
+        body.model,
+        responseModel
+      );
+      
+      // Get pricing and compute cost
+      const usage = responseData.usage || {};
+      let pricingVersionId: string | undefined;
+      
+      if (canonicalModel) {
+        const price = await getActivePrice(Provider.OPENAI, canonicalModel) ||
+                     getFallbackPrice(Provider.OPENAI, canonicalModel);
+        
+        if (price) {
+          pricingVersionId = price.versionId !== 'fallback' ? price.versionId : undefined;
+          
+          if (usage.prompt_tokens || usage.completion_tokens) {
+            const breakdown = computeCost(usage, price);
+            cost = breakdown.total;
+            costIn = breakdown.costIn;
+            costOut = breakdown.costOut;
+          } else {
+            // Estimate tokens if not provided
+            const promptTokens = estimateOpenAITokens(body.model || 'gpt-4', body.messages || []).promptTokens;
+            const completionContent = responseData.choices?.[0]?.message?.content;
+            const completionTokens = completionContent ? 
+              estimateCompletionTokens(completionContent) : 0;
+            const breakdown = computeCost(
+              { prompt: promptTokens, completion: completionTokens },
+              price
+            );
+            cost = breakdown.total;
+            costIn = breakdown.costIn;
+            costOut = breakdown.costOut;
+            estimated = true;
+          }
+        }
+      }
+      
+      // Log usage details
+      await prisma.usageLog.create({
+        data: {
+          userId: user.id,
+          apiKeyId: apiKeyId,
+          wrappedKeyId: isWrappedKey && resolvedKey ? resolvedKey.wrappedKey.id : undefined,
+          provider: Provider.OPENAI,
+          model: body.model || 'unknown',
+          responseModel,
+          canonicalModel,
+          pricingVersionId,
+          endpoint: '/v1/chat/completions',
+          inputTokens: usage.prompt_tokens || 0,
+          outputTokens: usage.completion_tokens || 0,
+          totalTokens: usage.total_tokens || 0,
+          cost,
+          costInputUsd: costIn,
+          costOutputUsd: costOut,
+          latency,
+          statusCode: openaiResponse.status,
+          estimated,
+        },
+      });
+
+      // Update last used timestamp
+      if (apiKeyId) {
+        await prisma.apiKey.update({
+          where: { id: apiKeyId },
+          data: { lastUsed: new Date() },
+        });
+      }
+    }
+
+    // 7. Add usage warning headers if needed
+    const responseHeaders: Record<string, string> = {
+      ...getCorsHeaders(),
+      'X-CH-Proxy': 'openai',
+      'X-CH-Request-Id': requestId,
+    };
+    
+    if (usageCheck.message) {
+      responseHeaders['X-Usage-Warning'] = usageCheck.message;
+      responseHeaders['X-Usage-Current'] = usageCheck.currentUsage.toString();
+      responseHeaders['X-Usage-Limit'] = usageCheck.limit?.toString() || 'unlimited';
+    }
+    
+    // Add usage and cost information to headers
+    if (openaiResponse.ok && responseData.usage) {
+      const usage = responseData.usage;
+      responseHeaders['X-CH-Input-Tokens'] = (usage.prompt_tokens || 0).toString();
+      responseHeaders['X-CH-Output-Tokens'] = (usage.completion_tokens || 0).toString();
+      responseHeaders['X-CH-Total-Tokens'] = (usage.total_tokens || 0).toString();
+      // Add cost information if it was calculated above
+      if (cost > 0 || costIn > 0 || costOut > 0) {
+        responseHeaders['X-CH-Cost-USD'] = cost.toFixed(6);
+        responseHeaders['X-CH-Cost-Input-USD'] = costIn.toFixed(6);
+        responseHeaders['X-CH-Cost-Output-USD'] = costOut.toFixed(6);
+        if (estimated) {
+          responseHeaders['X-CH-Cost-Estimated'] = 'true';
+        }
+      }
+    }
+
+    return NextResponse.json(responseData, { 
+      status: openaiResponse.status,
+      headers: responseHeaders
+    });
+  } catch (error) {
+    // DEBUG: console.error(`[proxy-${requestId}] Critical proxy error:`, error);
+    
+    // Provide more detailed error information in development
+    const isDevelopment = process.env.NODE_ENV === 'development';
+    
+    return NextResponse.json(
+      { 
+        error: 'Internal proxy error',
+        requestId,
+        ...(isDevelopment && { 
+          details: error instanceof Error ? error.message : String(error),
+          stack: error instanceof Error ? error.stack : undefined
+        })
+      },
+      { status: 500 }
+    );
+  }
+}

package/costcanary/app/api/simple-test/route.ts

@@ -0,0 +1,7 @@
+export function GET() {
+  return new Response('Simple test works!', { status: 200 })
+}
+
+export function POST() {
+  return new Response('Simple POST works!', { status: 200 })
+}