llmapi-v2 2.1.0

package/src/services/mailer.ts

@@ -0,0 +1,90 @@
+import https from 'https';
+import { logger } from '../utils/logger';
+
+let resendApiKey = '';
+
+export function setMailerApiKey(key: string): void {
+  resendApiKey = key;
+}
+
+async function sendEmail(to: string, subject: string, html: string): Promise<boolean> {
+  if (!resendApiKey) {
+    logger.warn('Resend API key not configured, skipping email');
+    return false;
+  }
+
+  return new Promise((resolve) => {
+    const payload = JSON.stringify({
+      from: 'LLM API <noreply@llmapi.pro>',
+      to,
+      subject,
+      html,
+    });
+
+    const req = https.request({
+      hostname: 'api.resend.com',
+      path: '/emails',
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${resendApiKey}`,
+        'Content-Length': Buffer.byteLength(payload),
+      },
+    }, (res) => {
+      const chunks: Buffer[] = [];
+      res.on('data', (c) => chunks.push(c));
+      res.on('end', () => {
+        if (res.statusCode && res.statusCode < 300) {
+          resolve(true);
+        } else {
+          logger.error({ status: res.statusCode, body: Buffer.concat(chunks).toString() }, 'Email send failed');
+          resolve(false);
+        }
+      });
+    });
+
+    req.on('error', (err) => { logger.error({ err }, 'Email request error'); resolve(false); });
+    req.write(payload);
+    req.end();
+  });
+}
+
+const BRAND_STYLE = `
+  font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+  max-width: 480px; margin: 0 auto; padding: 32px;
+  background: #FAF6F1; border-radius: 12px;
+`;
+
+export async function sendVerificationEmail(email: string, code: string, name: string): Promise<boolean> {
+  const html = `
+    <div style="${BRAND_STYLE}">
+      <h2 style="color:#1A1915;">Hi ${name},</h2>
+      <p>Your verification code is:</p>
+      <div style="font-size:32px;letter-spacing:8px;font-weight:bold;color:#D97757;text-align:center;padding:16px;background:#fff;border-radius:8px;margin:16px 0;">
+        ${code}
+      </div>
+      <p style="color:#666;font-size:14px;">This code expires in 30 minutes.</p>
+      <hr style="border:none;border-top:1px solid #e0d8d0;margin:24px 0;">
+      <p style="color:#999;font-size:12px;">LLM API - Claude Code API Relay</p>
+    </div>
+  `;
+  return sendEmail(email, `Your verification code: ${code}`, html);
+}
+
+export async function sendWelcomeEmail(email: string, name: string): Promise<boolean> {
+  const html = `
+    <div style="${BRAND_STYLE}">
+      <h2 style="color:#1A1915;">Welcome, ${name}!</h2>
+      <p>Your LLM API account is ready. Here's how to get started:</p>
+      <ol>
+        <li>Go to your <a href="https://llmapi.pro/dashboard" style="color:#D97757;">Dashboard</a></li>
+        <li>Create an API key</li>
+        <li>Configure Claude Code with your key</li>
+      </ol>
+      <p>Need help? Check our <a href="https://llmapi.pro/docs" style="color:#D97757;">documentation</a>.</p>
+      <hr style="border:none;border-top:1px solid #e0d8d0;margin:24px 0;">
+      <p style="color:#999;font-size:12px;">LLM API - Claude Code API Relay</p>
+    </div>
+  `;
+  return sendEmail(email, 'Welcome to LLM API!', html);
+}

package/src/services/metrics.ts

@@ -0,0 +1,104 @@
+/**
+ * Simple in-memory metrics collector.
+ * Tracks request counts, latency, and provider stats.
+ */
+
+interface Counter {
+  total: number;
+  success: number;
+  error: number;
+}
+
+interface LatencyBucket {
+  count: number;
+  sum: number;
+  min: number;
+  max: number;
+}
+
+class Metrics {
+  private requests: Counter = { total: 0, success: 0, error: 0 };
+  private streamRequests: Counter = { total: 0, success: 0, error: 0 };
+  private providerRequests = new Map<string, Counter>();
+  private latency: LatencyBucket = { count: 0, sum: 0, min: Infinity, max: 0 };
+  private ttft: LatencyBucket = { count: 0, sum: 0, min: Infinity, max: 0 };
+  private activeStreams = 0;
+  private startTime = Date.now();
+
+  recordRequest(success: boolean, stream: boolean): void {
+    this.requests.total++;
+    if (success) this.requests.success++;
+    else this.requests.error++;
+
+    if (stream) {
+      this.streamRequests.total++;
+      if (success) this.streamRequests.success++;
+      else this.streamRequests.error++;
+    }
+  }
+
+  recordProviderRequest(provider: string, success: boolean): void {
+    let counter = this.providerRequests.get(provider);
+    if (!counter) {
+      counter = { total: 0, success: 0, error: 0 };
+      this.providerRequests.set(provider, counter);
+    }
+    counter.total++;
+    if (success) counter.success++;
+    else counter.error++;
+  }
+
+  recordLatency(ms: number): void {
+    this.latency.count++;
+    this.latency.sum += ms;
+    this.latency.min = Math.min(this.latency.min, ms);
+    this.latency.max = Math.max(this.latency.max, ms);
+  }
+
+  recordTTFT(ms: number): void {
+    this.ttft.count++;
+    this.ttft.sum += ms;
+    this.ttft.min = Math.min(this.ttft.min, ms);
+    this.ttft.max = Math.max(this.ttft.max, ms);
+  }
+
+  streamStarted(): void { this.activeStreams++; }
+  streamEnded(): void { this.activeStreams = Math.max(0, this.activeStreams - 1); }
+
+  getSnapshot() {
+    const uptime = Date.now() - this.startTime;
+    return {
+      uptime_ms: uptime,
+      uptime_human: formatDuration(uptime),
+      requests: { ...this.requests },
+      stream_requests: { ...this.streamRequests },
+      active_streams: this.activeStreams,
+      latency: this.latency.count > 0 ? {
+        avg_ms: Math.round(this.latency.sum / this.latency.count),
+        min_ms: this.latency.min === Infinity ? 0 : this.latency.min,
+        max_ms: this.latency.max,
+        count: this.latency.count,
+      } : null,
+      ttft: this.ttft.count > 0 ? {
+        avg_ms: Math.round(this.ttft.sum / this.ttft.count),
+        min_ms: this.ttft.min === Infinity ? 0 : this.ttft.min,
+        max_ms: this.ttft.max,
+        count: this.ttft.count,
+      } : null,
+      providers: Object.fromEntries(this.providerRequests),
+    };
+  }
+}
+
+function formatDuration(ms: number): string {
+  const s = Math.floor(ms / 1000);
+  const m = Math.floor(s / 60);
+  const h = Math.floor(m / 60);
+  const d = Math.floor(h / 24);
+  if (d > 0) return `${d}d ${h % 24}h`;
+  if (h > 0) return `${h}h ${m % 60}m`;
+  if (m > 0) return `${m}m ${s % 60}s`;
+  return `${s}s`;
+}
+
+export const metrics = new Metrics();

package/src/services/remote-control.ts

@@ -0,0 +1,226 @@
+import { v4 as uuidv4 } from 'uuid';
+import crypto from 'crypto';
+import type { Request, Response } from 'express';
+import { getPool } from './database';
+import { logger } from '../utils/logger';
+import { hasActiveBridge } from './remote-ws';
+
+const TRIGGER_PHRASES = ['开启远程控制', '远程控制', 'enable remote', 'start remote', 'remote control', 'llmapi remote'];
+
+// i18n
+const ZH = {
+  alreadyActive: '🔗 远程控制已在运行中！',
+  openLink: '在手机或其他设备上打开以下链接：',
+  settingUp: '🔗 正在设置远程控制...',
+  sessionCreated: '🔗 远程控制会话已创建！',
+  manualInstruct: '请在终端中运行以下命令来启动守护进程：',
+  expires: '会话将在 2 小时后过期。',
+};
+const EN = {
+  alreadyActive: '🔗 Remote control is already active!',
+  openLink: 'Open this link on your phone or another device:',
+  settingUp: '🔗 Setting up remote control...',
+  sessionCreated: '🔗 Remote control session created!',
+  manualInstruct: 'Run this command in your terminal to start the daemon:',
+  expires: 'Session expires in 2 hours.',
+};
+
+function getLastUserText(body: any): string {
+  if (!body?.messages?.length) return '';
+  for (let i = body.messages.length - 1; i >= 0; i--) {
+    const msg = body.messages[i];
+    if (msg.role !== 'user') continue;
+    if (typeof msg.content === 'string') return msg.content;
+    if (Array.isArray(msg.content)) return msg.content.filter((b: any) => b.type === 'text').map((b: any) => b.text).join('');
+  }
+  return '';
+}
+
+/**
+ * Check if the last user message contains a remote-control trigger phrase.
+ */
+export function detectRemoteTrigger(body: any): boolean {
+  if (!body || !Array.isArray(body.messages) || body.messages.length === 0) return false;
+
+  let lastUserMsg: any = null;
+  for (let i = body.messages.length - 1; i >= 0; i--) {
+    if (body.messages[i].role === 'user') { lastUserMsg = body.messages[i]; break; }
+  }
+  if (!lastUserMsg) return false;
+
+  let text = '';
+  if (typeof lastUserMsg.content === 'string') {
+    text = lastUserMsg.content;
+  } else if (Array.isArray(lastUserMsg.content)) {
+    for (const block of lastUserMsg.content) {
+      if (block.type === 'text' && typeof block.text === 'string') text += block.text + ' ';
+    }
+  }
+
+  text = text.trim().toLowerCase();
+  if (!text) return false;
+  return TRIGGER_PHRASES.some(phrase => text.includes(phrase.toLowerCase()));
+}
+
+/**
+ * Handle remote-control trigger:
+ * 1. Check if user already has an active bridge -> return URL
+ * 2. If no active bridge -> create session in DB -> return Bash tool_use for installation
+ * 3. If no Bash tool available -> return text-only manual instructions
+ */
+export async function handleRemoteTrigger(req: Request, res: Response): Promise<void> {
+  const body = req.body;
+  const displayModel = body.model || 'claude-sonnet-4-6';
+  const userId = req.userId!;
+
+  // Detect user language from the trigger message
+  const lastMsg = getLastUserText(body);
+  const isChinese = /[\u4e00-\u9fff]/.test(lastMsg);
+  const t = isChinese ? ZH : EN;
+
+  // Check if user already has an active bridge
+  const existingBridge = hasActiveBridge(userId);
+  if (existingBridge) {
+    const remoteUrl = `https://llmapi.pro/remote?s=${existingBridge.sessionId}`;
+    sendSSE(res, displayModel, [
+      { type: 'text', text: `${t.alreadyActive}\n\n${t.openLink}\n${remoteUrl}\n` },
+    ]);
+    logger.info({ sessionId: existingBridge.sessionId, userId }, 'Remote control: reusing existing bridge');
+    return;
+  }
+
+  // Create new session
+  const sessionId = uuidv4();
+  try {
+    const pool = getPool();
+    await pool.execute(
+      "INSERT INTO remote_sessions (session_id, user_id, status) VALUES (?, ?, 'pending')",
+      [sessionId, userId],
+    );
+  } catch (err) {
+    logger.error({ err }, 'Failed to create remote session');
+    res.status(500).json({ type: 'error', error: { type: 'api_error', message: 'Failed to create remote session' } });
+    return;
+  }
+
+  const remoteUrl = `https://llmapi.pro/remote?s=${sessionId}`;
+
+  // Check if Bash tool is available in the request
+  const hasBashTool = Array.isArray(body.tools) && body.tools.some((t: any) => t.name === 'bash' || t.name === 'Bash');
+
+  const bashCommand = `echo "╔══════════════════════════════════════════════════════════╗" && \\
+echo "║  LLM API Remote Control                                 ║" && \\
+echo "║                                                         ║" && \\
+echo "║  This will:                                             ║" && \\
+echo "║  1. Install llmapi-remote globally (one-time)           ║" && \\
+echo "║  2. Start a background daemon on this machine           ║" && \\
+echo "║  3. The daemon connects to llmapi.pro via WebSocket     ║" && \\
+echo "║  4. You can then control Claude Code from your phone    ║" && \\
+echo "║                                                         ║" && \\
+echo "║  Data stored in: ~/.llmapi-remote/                      ║" && \\
+echo "║  To stop:  llmapi-remote stop                           ║" && \\
+echo "║  To remove: npm uninstall -g llmapi-remote              ║" && \\
+echo "║             rm -rf ~/.llmapi-remote                     ║" && \\
+echo "╚══════════════════════════════════════════════════════════╝" && \\
+npm install -g llmapi-remote@latest && \\
+llmapi-remote start --session ${sessionId} --ws wss://llmapi.pro/remote-ws --key $ANTHROPIC_API_KEY`;
+
+  if (hasBashTool) {
+    sendSSE(res, displayModel, [
+      { type: 'text', text: `${t.settingUp}\n\n${t.openLink}\n${remoteUrl}\n` },
+      { type: 'tool_use', name: 'Bash', command: bashCommand },
+    ]);
+  } else {
+    sendSSE(res, displayModel, [
+      { type: 'text', text: `${t.sessionCreated}\n\n${t.manualInstruct}\n\n\`\`\`bash\nnpm install -g llmapi-remote@latest && \\\nllmapi-remote start --session ${sessionId} --ws wss://llmapi.pro/remote-ws --key $ANTHROPIC_API_KEY\n\`\`\`\n\n${t.openLink}\n${remoteUrl}\n\n${t.expires}\n` },
+    ]);
+  }
+
+  logger.info({ sessionId, userId, hasBashTool }, 'Remote control session created');
+}
+
+/**
+ * API endpoint: browser fetches the API key for a remote session.
+ * Called by the remote page to get credentials for direct API access.
+ */
+export async function getRemoteSessionKey(sessionId: string, userId?: number): Promise<{ apiKey: string; baseUrl: string } | null> {
+  const pool = getPool();
+  const [rows] = await pool.execute(
+    "SELECT user_id, encrypted_key FROM remote_sessions WHERE session_id = ? AND status = 'active'",
+    [sessionId],
+  );
+  const session = (rows as any[])[0];
+  if (!session || !session.encrypted_key) return null;
+
+  const apiKey = decryptApiKey(session.encrypted_key, sessionId);
+  return { apiKey, baseUrl: process.env.SITE_URL || 'https://llmapi.pro' };
+}
+
+// Simple encryption: AES-256-CBC with session ID as key material
+function encryptApiKey(apiKey: string, sessionId: string): string {
+  const key = crypto.createHash('sha256').update(sessionId).digest();
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
+  let encrypted = cipher.update(apiKey, 'utf8', 'hex');
+  encrypted += cipher.final('hex');
+  return iv.toString('hex') + ':' + encrypted;
+}
+
+function decryptApiKey(encrypted: string, sessionId: string): string {
+  const [ivHex, data] = encrypted.split(':');
+  const key = crypto.createHash('sha256').update(sessionId).digest();
+  const iv = Buffer.from(ivHex, 'hex');
+  const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
+  let decrypted = decipher.update(data, 'hex', 'utf8');
+  decrypted += decipher.final('utf8');
+  return decrypted;
+}
+
+/**
+ * Send an Anthropic-compatible streaming SSE response with text and optional tool_use blocks.
+ */
+interface ContentBlock {
+  type: 'text' | 'tool_use';
+  text?: string;
+  name?: string;
+  command?: string;
+}
+
+function sendSSE(res: Response, displayModel: string, blocks: ContentBlock[]): void {
+  res.setHeader('Content-Type', 'text/event-stream');
+  res.setHeader('Cache-Control', 'no-cache');
+  res.setHeader('Connection', 'keep-alive');
+  res.flushHeaders();
+
+  const msgId = `msg_${uuidv4().replace(/-/g, '').slice(0, 24)}`;
+  const send = (event: string, data: object) => {
+    res.write(`event: ${event}\ndata: ${JSON.stringify(data)}\n\n`);
+  };
+
+  send('message_start', {
+    type: 'message_start',
+    message: { id: msgId, type: 'message', role: 'assistant', model: displayModel, content: [], stop_reason: null, stop_sequence: null, usage: { input_tokens: 0, output_tokens: 0 } },
+  });
+  send('ping', { type: 'ping' });
+
+  let index = 0;
+  for (const block of blocks) {
+    if (block.type === 'text') {
+      send('content_block_start', { type: 'content_block_start', index, content_block: { type: 'text', text: '' } });
+      send('content_block_delta', { type: 'content_block_delta', index, delta: { type: 'text_delta', text: block.text } });
+      send('content_block_stop', { type: 'content_block_stop', index });
+    } else if (block.type === 'tool_use') {
+      const toolId = `toolu_${uuidv4().replace(/-/g, '').slice(0, 24)}`;
+      const input = { command: block.command, restart: false };
+      send('content_block_start', { type: 'content_block_start', index, content_block: { type: 'tool_use', id: toolId, name: block.name, input: {} } });
+      send('content_block_delta', { type: 'content_block_delta', index, delta: { type: 'input_json_delta', partial_json: JSON.stringify(input) } });
+      send('content_block_stop', { type: 'content_block_stop', index });
+    }
+    index++;
+  }
+
+  const stopReason = blocks.some(b => b.type === 'tool_use') ? 'tool_use' : 'end_turn';
+  send('message_delta', { type: 'message_delta', delta: { stop_reason: stopReason, stop_sequence: null }, usage: { output_tokens: 20 } });
+  send('message_stop', { type: 'message_stop' });
+  res.end();
+}

package/src/services/remote-ws.ts

@@ -0,0 +1,145 @@
+import { WebSocketServer, WebSocket } from 'ws';
+import type { Server } from 'http';
+import crypto from 'crypto';
+import { getPool } from './database';
+import { logger } from '../utils/logger';
+
+interface Session {
+  bridge: WebSocket | null;
+  browsers: Set<WebSocket>;
+  userId: number;
+}
+
+const sessions = new Map<string, Session>();
+
+export function initRemoteWs(server: Server): void {
+  const wss = new WebSocketServer({ server, path: '/remote-ws' });
+
+  wss.on('connection', async (ws, req) => {
+    const url = new URL(req.url || '', 'http://localhost');
+    const sessionId = url.searchParams.get('session');
+    const role = url.searchParams.get('role'); // 'bridge' or 'browser'
+    const token = url.searchParams.get('token');
+
+    if (!sessionId || !role) { ws.close(4001, 'Missing params'); return; }
+
+    // Authenticate
+    let userId: number;
+    try {
+      if (role === 'bridge') {
+        // Bridge sends API key as token
+        if (!token) throw new Error('No token');
+        const keyPrefix = token.substring(0, 12);
+        const keyHash = crypto.createHash('sha256').update(token).digest('hex');
+        const pool = getPool();
+        const [keys] = await pool.execute(
+          'SELECT user_id FROM api_keys WHERE key_prefix = ? AND key_hash = ? AND status = ?',
+          [keyPrefix, keyHash, 'active']
+        );
+        const matched = (keys as any[])[0];
+        if (!matched) throw new Error('Invalid key');
+        userId = matched.user_id;
+      } else {
+        // Browser: session ID itself is the auth (knowing the UUID = access)
+        const pool = getPool();
+        const [rows] = await pool.execute(
+          "SELECT user_id FROM remote_sessions WHERE session_id = ? AND status = 'active'",
+          [sessionId]
+        );
+        const row = (rows as any[])[0];
+        if (!row) throw new Error('Session not found');
+        userId = row.user_id;
+      }
+    } catch (err: any) {
+      logger.warn({ err: err.message, role, sessionId }, 'Remote WS auth failed');
+      ws.close(4003, 'Auth failed');
+      return;
+    }
+
+    // Get or create in-memory session
+    let session = sessions.get(sessionId);
+    if (!session) {
+      session = { bridge: null, browsers: new Set(), userId };
+      sessions.set(sessionId, session);
+    }
+
+    if (role === 'bridge') {
+      session.bridge = ws;
+      const pool = getPool();
+      await pool.execute("UPDATE remote_sessions SET status = 'active' WHERE session_id = ?", [sessionId]);
+
+      // Notify browsers
+      session.browsers.forEach(b => {
+        if (b.readyState === WebSocket.OPEN) b.send(JSON.stringify({ type: 'bridge_connected' }));
+      });
+      logger.info({ sessionId, userId }, 'Remote bridge connected');
+    } else {
+      session.browsers.add(ws);
+      // Notify bridge
+      if (session.bridge?.readyState === WebSocket.OPEN) {
+        session.bridge.send(JSON.stringify({ type: 'browser_connected' }));
+      }
+      // Tell browser if bridge is already connected
+      if (session.bridge?.readyState === WebSocket.OPEN) {
+        ws.send(JSON.stringify({ type: 'bridge_connected' }));
+      }
+      logger.info({ sessionId }, 'Remote browser connected');
+    }
+
+    // Relay messages
+    ws.on('message', (raw) => {
+      const msg = raw.toString();
+      if (role === 'bridge') {
+        // Forward to all browsers
+        session!.browsers.forEach(b => { if (b.readyState === WebSocket.OPEN) b.send(msg); });
+      } else {
+        // Forward to bridge
+        if (session!.bridge?.readyState === WebSocket.OPEN) session!.bridge.send(msg);
+      }
+    });
+
+    ws.on('close', () => {
+      if (role === 'bridge') {
+        session!.bridge = null;
+        session!.browsers.forEach(b => {
+          if (b.readyState === WebSocket.OPEN) b.send(JSON.stringify({ type: 'bridge_disconnected' }));
+        });
+        logger.info({ sessionId }, 'Remote bridge disconnected');
+      } else {
+        session!.browsers.delete(ws);
+        if (session!.bridge?.readyState === WebSocket.OPEN) {
+          session!.bridge.send(JSON.stringify({ type: 'browser_disconnected' }));
+        }
+      }
+      // Cleanup empty sessions
+      if (!session!.bridge && session!.browsers.size === 0) {
+        sessions.delete(sessionId!);
+      }
+    });
+  });
+
+  // Heartbeat
+  setInterval(() => {
+    wss.clients.forEach(ws => { if (ws.readyState === WebSocket.OPEN) ws.ping(); });
+  }, 30000);
+
+  // Cleanup old DB sessions every 5 min
+  setInterval(async () => {
+    try {
+      const pool = getPool();
+      await pool.execute("UPDATE remote_sessions SET status = 'closed', closed_at = NOW() WHERE status = 'active' AND created_at < NOW() - INTERVAL '2 hours'");
+    } catch {}
+  }, 5 * 60000);
+
+  logger.info('Remote WebSocket server initialized on /remote-ws');
+}
+
+// Check if a user has an active bridge connected
+export function hasActiveBridge(userId: number): { sessionId: string } | null {
+  for (const [sessionId, session] of sessions) {
+    if (session.userId === userId && session.bridge?.readyState === WebSocket.OPEN) {
+      return { sessionId };
+    }
+  }
+  return null;
+}

package/src/services/usage.ts

@@ -0,0 +1,57 @@
+import { getPool } from './database';
+import { logger } from '../utils/logger';
+
+export interface UsageDetails {
+  inputTokens: number;
+  outputTokens: number;
+  thinkingTokens: number;
+  ttftMs: number;
+  tokensPerSec: number;
+  durationMs: number;
+}
+
+/**
+ * Record API usage and update subscription quota.
+ * Called after every successful request (async, non-blocking).
+ */
+export async function recordUsage(
+  userId: number,
+  apiKeyId: number | null,
+  displayModel: string,
+  providerName: string,
+  backendModel: string,
+  details: UsageDetails,
+): Promise<void> {
+  const pool = getPool();
+
+  try {
+    // Insert usage log
+    await pool.execute(`
+      INSERT INTO usage_logs (
+        user_id, api_key_id, model, provider_name,
+        input_tokens, output_tokens, thinking_tokens,
+        ttft_ms, tokens_per_sec, duration_ms, status
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'success')
+    `, [
+      userId, apiKeyId, displayModel, providerName,
+      details.inputTokens, details.outputTokens, details.thinkingTokens,
+      details.ttftMs, details.tokensPerSec, details.durationMs,
+    ]);
+
+    // Update subscription quota (input + output tokens count toward limit)
+    const totalTokens = details.inputTokens + details.outputTokens;
+    if (totalTokens > 0) {
+      await pool.execute(
+        'UPDATE subscriptions SET tokens_used = tokens_used + ? WHERE id = (SELECT id FROM subscriptions WHERE user_id = ? ORDER BY period_start DESC LIMIT 1)',
+        [totalTokens, userId],
+      );
+    }
+
+    // Update API key last_used_at
+    if (apiKeyId) {
+      await pool.execute('UPDATE api_keys SET last_used_at = NOW() WHERE id = ?', [apiKeyId]);
+    }
+  } catch (err) {
+    logger.error({ err, userId }, 'Failed to record usage');
+  }
+}

package/src/types/express.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Augment Express Request with custom properties set by our middleware.
+ * Centralized here to avoid multiple fragmented declarations.
+ */
+declare global {
+  namespace Express {
+    interface Request {
+      /** Set by optionalAuth / sessionAuth */
+      user?: {
+        id: number;
+        email: string;
+        name: string;
+        role: string;
+        status: string;
+      };
+      /** Set by apiKeyAuth or sessionAuth */
+      userId?: number;
+      /** Set by apiKeyAuth */
+      apiUser?: {
+        id: number;
+        email: string;
+        name: string;
+        role: string;
+        status: string;
+      };
+      /** Set by apiKeyAuth */
+      apiKey?: {
+        id: number;
+        rate_limit: number;
+      };
+      /** Set by apiKeyAuth */
+      subscription?: {
+        id: number;
+        plan_id: number;
+        plan_name: string;
+        token_limit_monthly: number;
+        tokens_used: number;
+        rate_limit_rpm: number;
+      };
+      /** Set by cookieParser */
+      cookies?: Record<string, string>;
+    }
+  }
+}
+
+export {};