pi-antigravity-rotator 1.3.6 → 1.3.8

package/CHANGELOG.md

@@ -0,0 +1,127 @@
+# Changelog
+
+## [Unreleased]
+
+## [1.3.8] - 2026-04-26
+
+### Fixed
+- Persist per-model request-count rotation counters across restarts so configured request thresholds continue to work after service reloads.
+- Keep serving from the current healthy account when request-count rotation reaches its threshold but no replacement account is available, avoiding unnecessary `503` responses while usable quota remains.
+
+## [1.3.7] - 2026-04-25
+
+### Fixed
+- Release in-flight account reservations when a streaming response closes early, the client disconnects, or the upstream stream goes idle, preventing accounts from getting stuck as busy indefinitely.
+
+## [1.3.6] - 2026-04-24
+
+### Fixed
+- Treat Node `fetch failed` transport errors as transient upstream/network failures instead of account health errors, avoiding false account disables during stalled requests.
+
+## [1.3.5] - 2026-04-24
+
+### Fixed
+- Make request-count rotation deterministic by counting per-model account assignments before the next request is forwarded, instead of rotating only after a successful response completes.
+
+## [1.3.4] - 2026-04-24
+
+### Fixed
+- Rotate fairly among accounts that tie on model timer priority and remaining quota instead of repeatedly selecting the first matching candidate.
+
+## [1.3.3] - 2026-04-23
+
+### Added
+- Hosted Antigravity login flow so operators can complete Google account linking from a browser and feed the callback URL back into the rotator workflow.
+- Global fresh-window operator control plus per-account override so dormant quota windows can be blocked pool-wide and selectively re-enabled account by account.
+- Header modal launchers for Attention Needed and Pro Family Advisor to keep operator actions available without taking permanent dashboard space.
+
+### Changed
+- Reworked the dashboard layout to prioritize the account grid above the fold: request totals moved into the header, bulky summary widgets were removed, and Recent Events now sits at the bottom.
+- Simplified the header by moving the PII visibility toggle next to the title and removing the inline model-routing pills.
+- Tightened the routing health strip with denser pills, single-line counters, and clearer spacing between major dashboard sections.
+
+## [1.3.2] - 2026-04-23
+
+### Added
+- Routing health panel in the dashboard with current state, stop reason, retry window, and pool blocker counts.
+- Attention Needed summary panel for flagged, cooling, disabled, and error accounts.
+- Recent Events feed showing the latest rotator and proxy incidents that led to the current state.
+- In-memory event buffer exposed through the status API for dashboard diagnostics.
+- Conservative concurrency guardrail to cap each account to one in-flight request by default.
+- Protective pause after serious provider ToS/abuse-style flags to stop the rest of the pool from being burned.
+
+### Changed
+- Dashboard now focuses on operator visibility so the service can be monitored without relying on `journalctl`.
+- Request-count rotation is now only used when quota data is still unknown, reducing unnecessary account churn.
+- Flagged accounts remain quarantined until the provider explicitly restores access.
+
+### Fixed
+- Fixed the exhausted fallback path so cooled-down accounts are no longer selected again when all accounts are exhausted.
+- Fixed proxy retry behavior so it returns `503` immediately when no healthy replacement account exists instead of continuing to hammer the pool.
+- Fixed quota polling so flagged accounts are no longer re-polled every cycle after a provider `403`.
+- Fixed bursty same-account pressure by reserving accounts during selection and request handling.
+
+## [1.3.1] - 2026-04-22
+
+### Changed
+- Prioritize Pro 5h accounts in rotation. Accounts with active 5h timers are now drained first to maximize the +40% recharge benefit when the timer expires. Previously they were saved for last, wasting quota.
+
+## [1.3.0] - 2026-04-22
+
+### Added
+- Pro Family Sharing Advisor: dashboard panel suggests when to add/remove accounts from Pro family sharing.
+- Pro/Free/Family Manager badges on account cards (auto-detected from 5h/7d timer type).
+- `familyManager` config flag for the account that owns the family plan.
+- `proSlots` config option for max simultaneous Pro accounts (default 6).
+- Advisor prioritizes accounts by longest reset time when suggesting Pro upgrades.
+- Only G3Pro and Claude quotas considered for remove-pro decisions (Flash ignored).
+
+
+## [1.2.0] - 2026-04-22
+
+### Added
+- PII masking mode for dashboard (`?mask` URL param or toggle button). Masks emails and labels for screen recordings.
+- Contextual help hints for flagged accounts (verification instructions, Google Account Recovery link).
+- Model-aware quota rotation: accounts with 0% quota for the requested model are skipped instead of wasting requests.
+
+### Fixed
+- Fixed `ReadableStream is locked` crash by using `Response.text()` and `Readable.fromWeb()` instead of raw ReadableStream API.
+- Fixed `ERR_HTTP_HEADERS_SENT` crash when retrying after response headers were already sent.
+- Fixed 403 fallthrough bug: non-flagging 403 responses consumed the body then fell through to streaming, causing locked stream errors.
+- Accounts needing verification (`Verify your account`) are now flagged immediately instead of retried.
+- Dashboard URL routing now handles query parameters correctly.
+
+## [1.1.0] - 2026-04-22
+
+### Changed
+- Use prod endpoint only (`cloudcode-pa.googleapis.com`). Removed daily/autopush endpoints that caused multi-minute hangs.
+- 503 errors (no capacity) are now returned directly to the agent for its own retry/backoff instead of burning through all accounts.
+- Quota-based rotation only triggers if a healthy account is available. The proxy won't rotate away from a working account if there's no better alternative.
+- Dashboard accounts are sorted by total quota (highest first), flagged/disabled last.
+- Config files now default to `~/.pi-antigravity-rotator/` (overridable via `PI_ROTATOR_DIR` env or `--config-dir` flag).
+
+### Added
+- `POST /api/reset-cooldowns` endpoint to clear all cooldowns at once.
+- CLI entry point with `start`, `login`, and `status` commands.
+- 30-minute max cooldown cap on all exhaustions (prevents multi-day cooldowns).
+- Stale cooldowns from `state.json` are capped to 30 minutes on startup.
+- Case-insensitive authorization header handling (fixes duplicate header bug with pi agent).
+- MIT License.
+
+### Fixed
+- Fixed duplicate `Authorization` header causing 401 on all accounts. Pi sends lowercase `authorization`; the proxy was keeping both the original and the new one.
+- Fixed infinite retry loop when all accounts are exhausted or 503 (no capacity).
+- Fixed quota rotation moving away from the only working account when no alternatives are available.
+
+## [1.0.0] - 2026-04-22
+
+### Added
+- Initial release.
+- Per-model routing (Gemini Pro, Flash, Claude).
+- Quota-based rotation with configurable drop threshold.
+- Request-count-based rotation (fallback).
+- 429 failover with automatic cooldown.
+- Account protection: quota API 403, API 401, API 403 keyword detection.
+- Real-time dashboard with account cards, quota bars, and model routing table.
+- OAuth login helper with automatic pi agent configuration.
+- State persistence across restarts.

package/README.md

@@ -16,7 +16,7 @@ Multi-account rotation proxy for Google Antigravity. Distributes API usage acros
 - **Token auto-refresh** -- Tokens are refreshed automatically before expiry; no manual management
 - **Endpoint cascade** -- Tries daily, autopush, and prod API endpoints for resilience
 - **Web dashboard** -- Real-time view of model routing table, per-account quota bars with per-model timers, and flagged account alerts
-- **State persistence** -- Survives restarts; routing assignments, cooldowns, and flags are saved to disk
+- **State persistence** -- Survives restarts; routing assignments, per-model request counters, cooldowns, and flags are saved to disk
 
 ## Quick Start
 
@@ -148,7 +148,7 @@ Three mechanisms trigger rotation, scoped to the specific model:
 
 1. **Quota-based** (primary) -- Polls the Google quota API every 5 minutes. When a model's remaining quota drops by `rotateOnQuotaDrop` percentage points (default: 20%), that model rotates to the next account. Other models stay on their current accounts.
 
-2. **Request-count** (fallback) -- Before forwarding a request, the rotator checks how many requests the current account has already served for that specific model and rotates once it reaches `requestsPerRotation` (default: 5). By default this fallback is only used when quota data for that model is still unknown.
+2. **Request-count** (fallback) -- Before forwarding a request, the rotator checks how many requests the current account has already served for that specific model and rotates once it reaches `requestsPerRotation` (default: 5). Per-model counters are persisted so restarts do not reset the threshold. By default this fallback is only used when quota data for that model is still unknown; set `useRequestCountRotationWhenQuotaUnknownOnly` to `false` to keep request-count rotation active even when quota telemetry exists. If the threshold is reached but every replacement account is cooling down, flagged, disabled, busy, blocked by fresh-window policy, or out of quota for that model, the rotator stays on the current healthy account instead of returning `503`.
 
 3. **429 failover** (reactive) -- On rate limit, the account is marked exhausted with a parsed retry cooldown and the affected model immediately switches.
 
@@ -253,12 +253,12 @@ pi-antigravity-rotator start --config-dir /path/to/config
 | Field | Default | Description |
 |-------|---------|-------------|
 | `proxyPort` | `51200` | Port the proxy listens on |
-| `requestsPerRotation` | `5` | Max requests before rotating (fallback trigger) |
+| `requestsPerRotation` | `5` | Max per-model requests before attempting request-count rotation |
 | `rotateOnQuotaDrop` | `20` | Rotate when a model's quota drops this many %. Set to `0` to disable |
 | `quotaPollIntervalMs` | `300000` | Quota poll interval in ms (5 minutes) |
 | `maxConcurrentRequestsPerAccount` | `1` | Max simultaneous requests allowed per account |
 | `protectivePauseMs` | `21600000` | Global routing pause after a serious provider enforcement signal |
-| `useRequestCountRotationWhenQuotaUnknownOnly` | `true` | Use request-count rotation only until quota telemetry exists for the request's model |
+| `useRequestCountRotationWhenQuotaUnknownOnly` | `true` | Use request-count rotation only until quota telemetry exists for the request's model. Set to `false` to keep rotating by request count even with known quotas |
 
 ### Account Fields
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-antigravity-rotator",
-  "version": "1.3.6",
+  "version": "1.3.8",
   "description": "Multi-account rotation proxy for Google Antigravity with per-model routing, real-time quota tracking, and infringement detection",
   "license": "MIT",
   "type": "module",
@@ -14,6 +14,7 @@
   "files": [
     "bin/",
     "src/",
+    "CHANGELOG.md",
     "README.md",
     "LICENSE"
   ],

package/src/dashboard.ts

@@ -39,6 +39,12 @@ export function serveAccountFreshWindowStartsApi(
 	res.end(JSON.stringify({ ok, email, allowFreshWindowStartsOverride: enabled }));
 }
 
+export function serveClearInFlightApi(res: ServerResponse, rotator: AccountRotator, email: string, modelKey?: string): void {
+	const ok = rotator.clearInFlightRequests(email, modelKey);
+	res.writeHead(ok ? 200 : 404, { "Content-Type": "application/json" });
+	res.end(JSON.stringify({ ok, email, modelKey }));
+}
+
 const DASHBOARD_HTML = `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -412,6 +418,33 @@ const DASHBOARD_HTML = `<!DOCTYPE html>
     flex-shrink: 0;
   }
 
+  .quota-action {
+    width: 54px;
+    flex-shrink: 0;
+  }
+
+  .btn-clear-flight {
+    width: 54px;
+    border: 1px solid rgba(96, 165, 250, 0.28);
+    background: rgba(96, 165, 250, 0.08);
+    color: var(--blue);
+    border-radius: 4px;
+    font-size: 9px;
+    font-family: var(--font);
+    font-weight: 700;
+    padding: 2px 4px;
+    cursor: pointer;
+  }
+
+  .btn-clear-flight:hover { background: rgba(96, 165, 250, 0.16); }
+  .btn-clear-flight:disabled {
+    border-color: var(--border);
+    background: rgba(255,255,255,0.03);
+    color: var(--text-dim);
+    cursor: not-allowed;
+    opacity: 0.55;
+  }
+
   .pulse { animation: pulse 2s ease-in-out infinite; }
   @keyframes pulse { 0%, 100% { opacity: 1; } 50% { opacity: 0.6; } }
 
@@ -851,9 +884,14 @@ function timerDisplayLabel(timerType) {
   return timerType === 'fresh' ? 'idle' : timerType;
 }
 
-function renderQuotaBars(quota) {
+function renderQuotaBars(account) {
+  var quota = account.quota;
   if (!quota || quota.length === 0) return '';
   var rows = quota.map(function(q) {
+    var inFlightForModel = (account.inFlightByModel || {})[q.modelKey] || 0;
+    var clearButton = inFlightForModel > 0
+      ? '<button class="btn-clear-flight" title="Clear in-flight counter for ' + q.displayName + '" onclick="clearInFlight(\\'' + account.email + '\\', \\'' + q.modelKey + '\\')">Clear</button>'
+      : '<button class="btn-clear-flight" title="No in-flight requests for ' + q.displayName + '" disabled>Clear</button>';
     var color = quotaBarColor(q.percentRemaining);
     var timerClass = 'timer-' + q.timerType;
     var resetLabel = '';
@@ -867,6 +905,7 @@ function renderQuotaBars(quota) {
       '<div class="quota-bar-bg"><div class="quota-bar-fill" style="width:' + q.percentRemaining + '%;background:' + color + '"></div></div>' +
       '<span class="quota-pct" style="color:' + color + '">' + q.percentRemaining + '%</span>' +
       '<span class="quota-reset">' + (resetLabel || '--') + '</span>' +
+      '<span class="quota-action">' + clearButton + '</span>' +
     '</div>';
   }).join('');
   return '<div class="quota-section"><div class="quota-section-title">Quota (per model)</div>' + rows + '</div>';
@@ -967,7 +1006,7 @@ function renderAccounts(data) {
         '</div>' +
       '</div>' +
       '<div class="card-email">' + maskEmail(a.email) + '</div>' +
-      (a.quota && a.quota.length > 0 ? renderQuotaBars(a.quota) : '') +
+      (a.quota && a.quota.length > 0 ? renderQuotaBars(a) : '') +
       '<div class="card-stats">' +
         '<div class="card-stat"><div class="stat-label">Requests</div><div class="stat-value">' +
           a.requestsSinceRotation + ' / ' + a.totalRequests + ' total</div></div>' +
@@ -1163,6 +1202,12 @@ async function setAccountFreshWindowOverride(email, enabled) {
   refresh();
 }
 
+async function clearInFlight(email, modelKey) {
+  if (!confirm('Clear in-flight counter for this account/model? Use only when you are sure the request is stuck.')) return;
+  await fetch('/api/clear-inflight/' + encodeURIComponent(email) + '/' + encodeURIComponent(modelKey), { method: 'POST' });
+  refresh();
+}
+
 function renderProAdvisor(advisor) {
   var panel = document.getElementById('proAdvisor');
   var button = document.getElementById('advisorBtn');

package/src/proxy.ts

@@ -2,7 +2,7 @@
 
 import { createServer, type IncomingMessage, type ServerResponse } from "node:http";
 import { Readable } from "node:stream";
-import { ANTIGRAVITY_ENDPOINTS } from "./types.js";
+import { ANTIGRAVITY_ENDPOINTS, resolveQuotaModelKey } from "./types.js";
 import type { AccountRuntime } from "./types.js";
 import type { AccountRotator } from "./rotator.js";
 import {
@@ -11,11 +11,13 @@ import {
 	serveEnableApi,
 	serveFreshWindowStartsApi,
 	serveAccountFreshWindowStartsApi,
+	serveClearInFlightApi,
 } from "./dashboard.js";
 import { handleHostedCallback, serveLoginLanding, startHostedLogin } from "./onboarding.js";
 
 const MAX_ENDPOINT_RETRIES = 3;
 const MAX_COOLDOWN_MS = 30 * 60 * 1000; // 30 minutes max cooldown
+const STREAM_IDLE_TIMEOUT_MS = 10 * 60 * 1000; // Release account if a stream goes silent.
 
 interface RequestBody {
 	project: string;
@@ -103,6 +105,91 @@ function isFetchTransportError(err: unknown): boolean {
 	return err instanceof TypeError && err.message === "fetch failed";
 }
 
+async function streamResponseBody(
+	body: Response["body"],
+	req: IncomingMessage,
+	res: ServerResponse,
+	label: string,
+	proxyLog: (msg: string, level?: "info" | "warn" | "error") => void,
+): Promise<void> {
+	if (!body) return;
+
+	const nodeStream = Readable.fromWeb(body as import("node:stream/web").ReadableStream);
+
+	await new Promise<void>((resolve) => {
+		let settled = false;
+		let idleTimer: ReturnType<typeof setTimeout> | null = null;
+
+		const cleanup = (): void => {
+			if (idleTimer) clearTimeout(idleTimer);
+			nodeStream.off("data", onData);
+			nodeStream.off("end", onEnd);
+			nodeStream.off("error", onError);
+			nodeStream.off("close", onClose);
+			req.off("aborted", onClientAbort);
+			req.off("close", onClientClose);
+			res.off("close", onResponseClose);
+			res.off("error", onResponseError);
+		};
+
+		const finish = (reason?: string): void => {
+			if (settled) return;
+			settled = true;
+			if (reason) proxyLog(`[${label}] Stream closed: ${reason}`, "warn");
+			cleanup();
+			resolve();
+		};
+
+		const resetIdleTimer = (): void => {
+			if (idleTimer) clearTimeout(idleTimer);
+			idleTimer = setTimeout(() => {
+				nodeStream.destroy(new Error(`stream idle for ${Math.round(STREAM_IDLE_TIMEOUT_MS / 1000)}s`));
+				finish(`idle timeout after ${Math.round(STREAM_IDLE_TIMEOUT_MS / 1000)}s`);
+			}, STREAM_IDLE_TIMEOUT_MS);
+		};
+
+		const onData = (chunk: Buffer): void => {
+			resetIdleTimer();
+			if (!res.destroyed && !res.writableEnded) {
+				res.write(chunk);
+			}
+		};
+		const onEnd = (): void => finish();
+		const onError = (err: Error): void => finish(String(err));
+		const onClose = (): void => finish();
+		const onClientAbort = (): void => {
+			nodeStream.destroy();
+			finish("client aborted");
+		};
+		const onClientClose = (): void => {
+			if (!res.writableEnded) {
+				nodeStream.destroy();
+				finish("client closed connection");
+			}
+		};
+		const onResponseClose = (): void => {
+			if (!res.writableEnded) {
+				nodeStream.destroy();
+				finish("response closed before completion");
+			}
+		};
+		const onResponseError = (err: Error): void => {
+			nodeStream.destroy(err);
+			finish(String(err));
+		};
+
+		nodeStream.on("data", onData);
+		nodeStream.once("end", onEnd);
+		nodeStream.once("error", onError);
+		nodeStream.once("close", onClose);
+		req.once("aborted", onClientAbort);
+		req.once("close", onClientClose);
+		res.once("close", onResponseClose);
+		res.once("error", onResponseError);
+		resetIdleTimer();
+	});
+}
+
 /**
  * Read the full request body from an IncomingMessage.
  */
@@ -218,7 +305,7 @@ async function handleProxyRequest(
 	const rotateAndRelease = async (): Promise<AccountRuntime | null> => {
 		const nextAccount = await rotator.rotateToNext(body.model);
 		if (nextAccount) {
-			rotator.finishRequest(nextAccount);
+			rotator.finishRequest(nextAccount, resolveQuotaModelKey(body.model) ?? undefined);
 		}
 		return nextAccount;
 	};
@@ -241,12 +328,17 @@ async function handleProxyRequest(
 				const cooldownMs = capCooldown(extractRetryDelay(errorText, response.headers));
 				proxyLog(`[${label}] 429 rate limited, cooldown ${Math.ceil(cooldownMs / 1000)}s`, "warn");
 				rotator.markExhausted(account, cooldownMs);
-				const nextAccount = await rotateAndRelease();
-				if (!nextAccount) {
-					sendNoAccountsAvailable(`all candidate accounts are cooling down after ${label} was rate limited`);
-					return;
-				}
-				continue;
+				res.writeHead(503, {
+					"Content-Type": "application/json",
+					"Retry-After": String(Math.ceil(cooldownMs / 1000)),
+				});
+				res.end(JSON.stringify({
+					error: "Rate limited",
+					reason: `${label} was rate limited; not retrying another account for this request`,
+					model: body.model,
+					retryAfterMs: cooldownMs,
+				}));
+				return;
 			}
 
 				if (response.status === 401) {
@@ -313,23 +405,12 @@ async function handleProxyRequest(
 
 			res.writeHead(response.status, responseHeaders);
 
-			// Stream body using Node.js Readable (avoids ReadableStream locking issues)
-			if (response.body) {
 				try {
-					const nodeStream = Readable.fromWeb(response.body as import("node:stream/web").ReadableStream);
-						await new Promise<void>((resolve) => {
-							nodeStream.on("data", (chunk: Buffer) => res.write(chunk));
-							nodeStream.on("end", resolve);
-							nodeStream.on("error", (err) => {
-								proxyLog(`[${label}] Stream error: ${err}`, "warn");
-								resolve();
-							});
-						});
-					} catch (err) {
-						proxyLog(`[${label}] Stream setup error: ${err}`, "warn");
-					}
+					await streamResponseBody(response.body, req, res, label, proxyLog);
+				} catch (err) {
+					proxyLog(`[${label}] Stream setup error: ${err}`, "warn");
 				}
-			res.end();
+				res.end();
 
 			if (shouldRotate) {
 				await rotateAndRelease();
@@ -352,7 +433,7 @@ async function handleProxyRequest(
 			}
 			continue;
 		} finally {
-			rotator.finishRequest(account);
+			rotator.finishRequest(account, resolveQuotaModelKey(body.model) ?? undefined);
 		}
 	}
 
@@ -415,6 +496,15 @@ export function startProxy(rotator: AccountRotator, port: number): void {
 			return;
 		}
 
+		if (method === "POST" && url.startsWith("/api/clear-inflight/")) {
+			const rest = url.slice("/api/clear-inflight/".length);
+			const firstSlash = rest.indexOf("/");
+			const email = decodeURIComponent(firstSlash >= 0 ? rest.slice(0, firstSlash) : rest);
+			const modelKey = firstSlash >= 0 ? decodeURIComponent(rest.slice(firstSlash + 1)) : undefined;
+			serveClearInFlightApi(res, rotator, email, modelKey);
+			return;
+		}
+
 		if (method === "POST" && (url === "/api/settings/fresh-window-starts/on" || url === "/api/settings/fresh-window-starts/off")) {
 			serveFreshWindowStartsApi(res, rotator, url.endsWith("/on"));
 			return;

package/src/rotator.ts

@@ -62,6 +62,7 @@ export class AccountRotator {
 			disabled: false,
 			flagged: false,
 			inFlightRequests: 0,
+			inFlightByModel: {},
 			allowFreshWindowStartsOverride: false,
 		}));
 	}
@@ -78,7 +79,7 @@ export class AccountRotator {
 					this.modelState.set(model, {
 						activeAccountIndex: Math.min(idx, this.accounts.length - 1),
 						quotaAtRotationStart: -1,
-						requestsOnActiveAccount: 0,
+						requestsOnActiveAccount: state.modelRequestCounts?.[model] ?? 0,
 					});
 				}
 			}
@@ -117,12 +118,15 @@ export class AccountRotator {
 
 	saveState(): void {
 		const modelAccounts: Record<string, number> = {};
+		const modelRequestCounts: Record<string, number> = {};
 		for (const [model, state] of this.modelState.entries()) {
 			modelAccounts[model] = state.activeAccountIndex;
+			modelRequestCounts[model] = state.requestsOnActiveAccount;
 		}
 
 		const state: PersistedState = {
 			modelAccounts,
+			modelRequestCounts,
 			currentIndex: this.defaultIndex,
 			protectivePauseUntil: this.protectivePauseUntil,
 			protectivePauseReason: this.protectivePauseReason,
@@ -201,7 +205,7 @@ export class AccountRotator {
 					if (drop >= this.config.rotateOnQuotaDrop) {
 						// Only rotate if there's a healthy account to rotate to
 						const hasHealthy = this.accounts.some(
-							(a, idx) => idx !== mState.activeAccountIndex && this.isAvailable(a, Date.now()),
+							(a, idx) => idx !== mState.activeAccountIndex && this.isRoutableForModel(a, modelKey, Date.now()),
 						);
 						if (hasHealthy) {
 							this.log(
@@ -331,7 +335,7 @@ export class AccountRotator {
 	private hasTimedCandidate(modelKey: string, now: number, excludeIdx: number = -1): boolean {
 		return this.accounts.some((account, idx) => {
 			if (idx === excludeIdx) return false;
-			if (!this.isAvailable(account, now)) return false;
+			if (!this.isAvailableForModel(account, modelKey, now)) return false;
 			if (this.getModelQuota(account, modelKey) === 0) return false;
 			return this.isTimedWindow(account, modelKey);
 		});
@@ -346,7 +350,7 @@ export class AccountRotator {
 		for (let i = 0; i < this.accounts.length; i++) {
 			if (i === excludeIdx) continue;
 			const account = this.accounts[i];
-			if (!this.isAvailable(account, now)) continue;
+			if (!this.isAvailableForModel(account, modelKey, now)) continue;
 
 			const quota = this.getModelQuota(account, modelKey);
 			if (quota === 0) continue;
@@ -374,6 +378,7 @@ export class AccountRotator {
 		const state = this.modelState.get(modelKey);
 		if (state) {
 			state.requestsOnActiveAccount++;
+			this.saveState();
 		}
 	}
 
@@ -409,7 +414,7 @@ export class AccountRotator {
 		const idx = state?.activeAccountIndex ?? this.defaultIndex;
 
 		const current = this.accounts[idx];
-		if (current && this.isAvailable(current, now)) {
+		if (current && (!modelKey ? this.isAvailable(current, now) : this.isAvailableForModel(current, modelKey, now))) {
 			// Check if this account has quota for the requested model
 			if (modelKey) {
 				if (this.shouldRotateBeforeRequest(current, modelKey, state ?? null)) {
@@ -422,7 +427,7 @@ export class AccountRotator {
 						return rotated;
 					}
 					this.log(
-						`${current.config.label || current.config.email} [${modelKey}]: threshold reached but no replacement is available, staying`,
+						`${current.config.label || current.config.email} [${modelKey}]: threshold reached but no replacement is available, staying on current account`,
 						"warn",
 					);
 				}
@@ -444,13 +449,13 @@ export class AccountRotator {
 					return this.rotateModelForRequest(modelKey);
 				}
 			}
-			this.startRequest(current);
+			this.startRequest(current, modelKey ?? undefined);
 			try {
 				await this.ensureValidToken(current);
 				if (modelKey) this.countModelAssignment(modelKey);
 				return current;
 			} catch (err) {
-				this.finishRequest(current);
+				this.finishRequest(current, modelKey ?? undefined);
 				throw err;
 			}
 		}
@@ -483,19 +488,19 @@ export class AccountRotator {
 				`[${modelKey}] Rotated to ${best.config.label || best.config.email} [${timerType}] (quota: ${quota >= 0 ? quota + "%" : "unknown"})`,
 			);
 			this.saveState();
-			this.startRequest(best);
+			this.startRequest(best, modelKey);
 			try {
 				await this.ensureValidToken(best);
 				return best;
 			} catch (err) {
-				this.finishRequest(best);
+				this.finishRequest(best, modelKey);
 				throw err;
 			}
 		}
 
-		if (!this.allowFreshWindowStarts && this.accounts.some((account, idx) => {
-			if (idx === excludeIdx) return false;
-			if (!this.isAvailable(account, now)) return false;
+			if (!this.allowFreshWindowStarts && this.accounts.some((account, idx) => {
+				if (idx === excludeIdx) return false;
+				if (!this.isAvailableForModel(account, modelKey, now)) return false;
 			if (this.getModelQuota(account, modelKey) === 0) return false;
 			return this.getModelTimerType(account, modelKey) === "fresh";
 		})) {
@@ -580,8 +585,22 @@ export class AccountRotator {
 		account.consecutiveErrors = 0;
 		account.lastError = null;
 
+		const modelKey = model ? resolveQuotaModelKey(model) : null;
+		const state = modelKey ? this.modelState.get(modelKey) : null;
+		const shouldRotate =
+			!!modelKey &&
+			!!state &&
+			this.accounts[state.activeAccountIndex] === account &&
+			this.shouldUseRequestCountRotation(account, modelKey) &&
+			state.requestsOnActiveAccount >= this.config.requestsPerRotation;
+
 		this.saveState();
-		return false;
+		if (shouldRotate) {
+			this.log(
+				`${account.config.label || account.config.email} [${modelKey}]: hit rotation threshold (${state.requestsOnActiveAccount}/${this.config.requestsPerRotation})`,
+			);
+		}
+		return shouldRotate;
 	}
 
 	// Mark an account as exhausted (429 or quota exceeded)
@@ -652,6 +671,23 @@ export class AccountRotator {
 		return true;
 	}
 
+	clearInFlightRequests(email: string, modelKey?: string): boolean {
+		const account = this.accounts.find((a) => a.config.email === email);
+		if (!account) return false;
+		if (modelKey) {
+			const previous = account.inFlightByModel[modelKey] ?? 0;
+			account.inFlightByModel[modelKey] = 0;
+			this.recalculateInFlightRequests(account);
+			this.log(`${email}: operator cleared ${previous} in-flight request(s) for ${modelKey}`, "warn");
+			return true;
+		}
+		const previous = account.inFlightRequests;
+		account.inFlightRequests = 0;
+		account.inFlightByModel = {};
+		this.log(`${email}: operator cleared ${previous} in-flight request(s)`, "warn");
+		return true;
+	}
+
 	async ensureValidToken(account: AccountRuntime): Promise<void> {
 		const now = Date.now();
 		if (account.accessToken && account.tokenExpires > now) {
@@ -702,7 +738,12 @@ export class AccountRotator {
 		if (account.disabled) return false;
 		if (account.flagged) return false;
 		if (account.cooldownUntil > now) return false;
-		if (account.inFlightRequests >= (this.config.maxConcurrentRequestsPerAccount ?? 1)) return false;
+		return true;
+	}
+
+	private isAvailableForModel(account: AccountRuntime, modelKey: string, now: number): boolean {
+		if (!this.isAvailable(account, now)) return false;
+		if ((account.inFlightByModel[modelKey] ?? 0) >= (this.config.maxConcurrentRequestsPerAccount ?? 1)) return false;
 		return true;
 	}
 
@@ -711,6 +752,7 @@ export class AccountRotator {
 			account.flagged = true;
 			account.lastError = reason;
 			account.inFlightRequests = 0;
+			account.inFlightByModel = {};
 			this.log(`${account.config.email}: FLAGGED - ${reason}`, "error");
 			if (this.shouldTriggerProtectivePause(reason)) {
 				this.protectivePauseUntil = Date.now() + (this.config.protectivePauseMs ?? 6 * 60 * 60 * 1000);
@@ -723,22 +765,38 @@ export class AccountRotator {
 		this.saveState();
 	}
 
-	startRequest(account: AccountRuntime): void {
-		account.inFlightRequests++;
+	startRequest(account: AccountRuntime, modelKey?: string): void {
+		const key = modelKey ?? "__default__";
+		account.inFlightByModel[key] = (account.inFlightByModel[key] ?? 0) + 1;
+		this.recalculateInFlightRequests(account);
+	}
+
+	finishRequest(account: AccountRuntime, modelKey?: string): void {
+		const key = modelKey ?? "__default__";
+		account.inFlightByModel[key] = Math.max(0, (account.inFlightByModel[key] ?? 0) - 1);
+		if (account.inFlightByModel[key] === 0) delete account.inFlightByModel[key];
+		this.recalculateInFlightRequests(account);
 	}
 
-	finishRequest(account: AccountRuntime): void {
-		account.inFlightRequests = Math.max(0, account.inFlightRequests - 1);
+	private recalculateInFlightRequests(account: AccountRuntime): void {
+		account.inFlightRequests = Object.values(account.inFlightByModel).reduce((sum, count) => sum + count, 0);
+	}
+
+	private isRoutableForModel(account: AccountRuntime, modelKey: string, now: number): boolean {
+		if (!this.isAvailableForModel(account, modelKey, now)) return false;
+		if (this.getModelQuota(account, modelKey) === 0) return false;
+		if (!this.isFreshWindowAllowed(account, modelKey)) return false;
+		return true;
 	}
 
 	getStatus(): StatusResponse {
 		const now = Date.now();
 
-		// Build per-model active account map
+		// Build per-model active account map from accounts that can actually serve now.
 		const activeAccounts: Record<string, string> = {};
 		for (const [model, mState] of this.modelState.entries()) {
 			const account = this.accounts[mState.activeAccountIndex];
-			if (account) {
+			if (account && this.isRoutableForModel(account, model, now)) {
 				activeAccounts[model] = account.config.email;
 			}
 		}
@@ -747,7 +805,7 @@ export class AccountRotator {
 			// Determine which models this account is active for
 			const activeForModels: string[] = [];
 			for (const [model, mState] of this.modelState.entries()) {
-				if (this.accounts[mState.activeAccountIndex] === a) {
+				if (this.accounts[mState.activeAccountIndex] === a && this.isRoutableForModel(a, model, now)) {
 					activeForModels.push(model);
 				}
 			}
@@ -778,11 +836,12 @@ export class AccountRotator {
 				cooldownRemaining: Math.max(0, a.cooldownUntil - now),
 				lastUsed: a.lastUsed,
 				lastError: a.lastError,
-				consecutiveErrors: a.consecutiveErrors,
-				hasValidToken: !!(a.accessToken && a.tokenExpires > now),
-				quota: a.quota,
-				inFlightRequests: a.inFlightRequests,
-				proDetected: this.isProAccount(a),
+					consecutiveErrors: a.consecutiveErrors,
+					hasValidToken: !!(a.accessToken && a.tokenExpires > now),
+					quota: a.quota,
+					inFlightRequests: a.inFlightRequests,
+					inFlightByModel: a.inFlightByModel,
+					proDetected: this.isProAccount(a),
 				familyManager: !!a.config.familyManager,
 				allowFreshWindowStartsOverride: a.allowFreshWindowStartsOverride,
 				effectiveFreshWindowStartsAllowed: this.isEffectiveFreshWindowAllowed(a),
@@ -842,8 +901,9 @@ export class AccountRotator {
 				lastError: null,
 				consecutiveErrors: 0,
 				disabled: false,
-				flagged: false,
-				inFlightRequests: 0,
+					flagged: false,
+					inFlightRequests: 0,
+					inFlightByModel: {},
 				allowFreshWindowStartsOverride: false,
 			};
 			this.accounts.push(runtime);

package/src/types.ts

@@ -110,6 +110,7 @@ export interface AccountRuntime {
 	disabled: boolean; // permanently disabled (revoked token, etc.)
 	flagged: boolean; // flagged for infringement/abuse by Google
 	inFlightRequests: number;
+	inFlightByModel: Record<string, number>;
 	allowFreshWindowStartsOverride: boolean;
 }
 
@@ -124,6 +125,8 @@ export interface ModelRotationState {
 export interface PersistedState {
 	// Per-model active account index
 	modelAccounts: Record<string, number>;
+	// Per-model request count on the active account
+	modelRequestCounts?: Record<string, number>;
 	// Legacy fallback
 	currentIndex?: number;
 	protectivePauseUntil?: number;
@@ -195,6 +198,7 @@ export interface AccountStatus {
 	hasValidToken: boolean;
 	quota: ModelQuota[];
 	inFlightRequests: number;
+	inFlightByModel: Record<string, number>;
 	// Pro family sharing
 	proDetected: boolean;
 	familyManager: boolean;