pi-antigravity-rotator 1.9.0 → 1.9.2

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## [1.9.2] - 2026-04-29
+
+### Fixed
+- **Project Discovery Without Shared Fallback**: Login now fails if Google does not return a companion project ID. No more shared `rising-fact-p41fc` fallback.
+- **Activation Hint**: Login/discovery errors now tell you to open the account in Antigravity IDE and send one message first.
+- **Activation Docs**: README now documents the first-use activation rule for new accounts.
+
+## [1.9.1] - 2026-04-29
+
+### Fixed
+- **429 Account-Safety Backoff**: All provider-side `429` responses now stop the current request instead of immediately retrying another account. This prevents cascade-burning the full pool when Google rate-limits a shared project/request bucket. `RESOURCE_EXHAUSTED` gets a 30-minute cooldown; other 429s use parsed `Retry-After`/retry-delay.
+- **Stream Idle Crash Safety**: Stream idle timeout now closes cleanly without emitting an unhandled stream error that could crash-loop systemd.
+
+### Added
+- **Project Circuit Breaker**: If multiple accounts sharing a `projectId` hit provider `429` for the same quota model inside a rolling window, routing pauses that `projectId`/model instead of burning sibling accounts.
+- **Daily Safety Budgets**: Per-account and per-`projectId` daily upstream attempt counters now trigger slow-mode jitter and hard stops until the next UTC day.
+- **Project Concurrency Guard**: Added `maxConcurrentRequestsPerProjectModel` to prevent simultaneous calls through multiple accounts backed by the same provider project bucket.
+- **Large Context Warning**: Requests above 1 MiB now log a warning because huge contexts increase rate-limit and flag pressure.
+
 ## [1.9.0] - 2026-04-29
 
 ### Added

package/README.md

@@ -9,7 +9,7 @@ Multi-account rotation proxy for Google Antigravity. Distributes API usage acros
 - **Per-model timer tracking** -- Timer classification (`fresh`/`7d`/`5h`) is evaluated per model using each model's actual `resetTime` from the quota API, not a per-account estimate
 - **Smart rotation** -- Rotates only the specific model whose quota dropped, leaving other models on their current accounts
 - **Infringement detection** -- On 403 with infringement/abuse/suspension keywords, the account is immediately flagged and excluded from routing
-- **Automatic failover** -- On 429 rate limits, instantly switches the affected model to the next available account
+- **Safer 429 handling** -- On provider `429`, stops the current request and avoids cascade-burning sibling accounts
 - **Concurrency guardrails** -- Limits each account to one in-flight request by default to avoid bursty pressure
 - **Operator fresh-window controls** -- You can block new `fresh` window starts globally, then selectively allow specific accounts to override that policy
 - **Protective pause** -- Pauses all routing for several hours after serious ToS/abuse-style flags so the rest of the pool is not burned
@@ -57,6 +57,7 @@ Run `npm run login` once per Google account:
 2. Complete the sign-in and grant permissions
 3. The browser redirects to a `localhost` URL that won't load -- this is expected
 4. Copy the **full URL** from the browser's address bar and paste it into the terminal
+5. If project discovery fails, open that same account in Antigravity IDE, send one message, then rerun login
 
 The tool automatically:
 
@@ -66,6 +67,15 @@ The tool automatically:
 
 Re-running with the same email updates the existing entry.
 
+### Activation rule
+
+Some accounts do not expose a discoverable `projectId` until they are used once in the Antigravity IDE.
+If login fails at project discovery:
+
+1. Open that exact Google account in Antigravity IDE.
+2. Send one message.
+3. Rerun `npm run login`.
+
 ## Dashboard
 
 After starting the proxy, open `http://localhost:51200/dashboard` or `http://<your-server-ip>:51200/dashboard` from any machine on the same network (the proxy binds to `0.0.0.0`).
@@ -213,7 +223,8 @@ export PI_AI_ANTIGRAVITY_VERSION=1.107.0
 pi-antigravity-rotator start --config-dir /path/to/config
 ```
 
-`accounts.json` is created automatically by the login command:
+`accounts.json` is created automatically by the login command.
+Login now fails if Google does not return a project ID. No shared fallback.
 
 ```json
 {
@@ -222,6 +233,16 @@ pi-antigravity-rotator start --config-dir /path/to/config
   "rotateOnQuotaDrop": 20,
   "quotaPollIntervalMs": 300000,
   "maxConcurrentRequestsPerAccount": 1,
+  "maxConcurrentRequestsPerProjectModel": 1,
+  "projectCircuitBreaker429Threshold": 3,
+  "projectCircuitBreakerWindowMs": 600000,
+  "projectCircuitBreakerCooldownMs": 3600000,
+  "dailyAccountSlowRequests": 250,
+  "dailyAccountStopRequests": 350,
+  "dailyProjectSlowRequests": 900,
+  "dailyProjectStopRequests": 1200,
+  "slowModeJitterMinMs": 8000,
+  "slowModeJitterMaxMs": 25000,
   "protectivePauseMs": 21600000,
   "useRequestCountRotationWhenQuotaUnknownOnly": true,
   "accounts": [
@@ -244,6 +265,16 @@ pi-antigravity-rotator start --config-dir /path/to/config
 | `rotateOnQuotaDrop` | `20` | Rotate when a model's quota drops this many %. Set to `0` to disable |
 | `quotaPollIntervalMs` | `300000` | Quota poll interval in ms (5 minutes) |
 | `maxConcurrentRequestsPerAccount` | `1` | Max simultaneous requests allowed per account |
+| `maxConcurrentRequestsPerProjectModel` | `1` | Max simultaneous requests allowed across accounts sharing the same `projectId` for the same quota model |
+| `projectCircuitBreaker429Threshold` | `3` | Unique accounts from the same `projectId` that must hit provider `429` before pausing that project/model |
+| `projectCircuitBreakerWindowMs` | `600000` | Rolling window for the project/model `429` circuit breaker |
+| `projectCircuitBreakerCooldownMs` | `3600000` | Minimum project/model pause after the circuit breaker trips |
+| `dailyAccountSlowRequests` | `250` | Daily upstream attempts per account before slow-mode jitter starts |
+| `dailyAccountStopRequests` | `350` | Daily upstream attempts per account before routing stops for that account until the next UTC day |
+| `dailyProjectSlowRequests` | `900` | Daily upstream attempts per `projectId` before slow-mode jitter starts |
+| `dailyProjectStopRequests` | `1200` | Daily upstream attempts per `projectId` before routing stops for that project until the next UTC day |
+| `slowModeJitterMinMs` | `8000` | Minimum slow-mode delay before upstream request |
+| `slowModeJitterMaxMs` | `25000` | Maximum slow-mode delay before upstream request |
 | `protectivePauseMs` | `21600000` | Global routing pause after a serious provider enforcement signal |
 | `useRequestCountRotationWhenQuotaUnknownOnly` | `true` | Use request-count rotation only until quota telemetry exists for the request's model. Set to `false` to keep rotating by request count even with known quotas |
 
@@ -253,7 +284,8 @@ pi-antigravity-rotator start --config-dir /path/to/config
 |-------|-------------|
 | `email` | Google account email (auto-filled by login) |
 | `refreshToken` | OAuth refresh token (auto-filled by login) |
-| `projectId` | Cloud project ID (auto-discovered during login) |
+| `projectId` | Cloud project ID discovered from Google during login |
+| `projectSource` | Optional metadata: `google` when discovered from Google, `manual` if edited by hand |
 | `label` | Display name on the dashboard (auto-filled, defaults to email username) |
 
 ## API Endpoints

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-antigravity-rotator",
-  "version": "1.9.0",
+  "version": "1.9.2",
   "description": "Multi-account rotation proxy for Google Antigravity with per-model routing, real-time quota tracking, and infringement detection",
   "license": "MIT",
   "type": "module",

package/src/account-store.ts

@@ -23,6 +23,16 @@ export function loadOrCreateAccountsConfig(): Config {
 		rotateOnQuotaDrop: 20,
 		quotaPollIntervalMs: 300000,
 		maxConcurrentRequestsPerAccount: 1,
+		maxConcurrentRequestsPerProjectModel: 1,
+		projectCircuitBreaker429Threshold: 3,
+		projectCircuitBreakerWindowMs: 10 * 60 * 1000,
+		projectCircuitBreakerCooldownMs: 60 * 60 * 1000,
+		dailyAccountSlowRequests: 250,
+		dailyAccountStopRequests: 350,
+		dailyProjectSlowRequests: 900,
+		dailyProjectStopRequests: 1200,
+		slowModeJitterMinMs: 8_000,
+		slowModeJitterMaxMs: 25_000,
 		protectivePauseMs: 21600000,
 		useRequestCountRotationWhenQuotaUnknownOnly: true,
 		accounts: [],

package/src/index.ts

@@ -38,6 +38,16 @@ function loadConfig(): Config {
 		config.rotateOnQuotaDrop = config.rotateOnQuotaDrop ?? 20;
 		config.quotaPollIntervalMs = config.quotaPollIntervalMs || 300_000;
 		config.maxConcurrentRequestsPerAccount = config.maxConcurrentRequestsPerAccount ?? 1;
+		config.maxConcurrentRequestsPerProjectModel = config.maxConcurrentRequestsPerProjectModel ?? 1;
+		config.projectCircuitBreaker429Threshold = config.projectCircuitBreaker429Threshold ?? 3;
+		config.projectCircuitBreakerWindowMs = config.projectCircuitBreakerWindowMs ?? 10 * 60 * 1000;
+		config.projectCircuitBreakerCooldownMs = config.projectCircuitBreakerCooldownMs ?? 60 * 60 * 1000;
+		config.dailyAccountSlowRequests = config.dailyAccountSlowRequests ?? 250;
+		config.dailyAccountStopRequests = config.dailyAccountStopRequests ?? 350;
+		config.dailyProjectSlowRequests = config.dailyProjectSlowRequests ?? 900;
+		config.dailyProjectStopRequests = config.dailyProjectStopRequests ?? 1200;
+		config.slowModeJitterMinMs = config.slowModeJitterMinMs ?? 8_000;
+		config.slowModeJitterMaxMs = config.slowModeJitterMaxMs ?? 25_000;
 		config.protectivePauseMs = config.protectivePauseMs ?? 6 * 60 * 60 * 1000;
 		config.useRequestCountRotationWhenQuotaUnknownOnly =
 			config.useRequestCountRotationWhenQuotaUnknownOnly ?? true;
@@ -97,7 +107,8 @@ export function main(): void {
 	console.log(`Loaded ${config.accounts.length} accounts`);
 	console.log(`Rotation: ${config.requestsPerRotation} requests / ${config.rotateOnQuotaDrop}% quota drop`);
 	console.log(`Quota poll: every ${Math.round((config.quotaPollIntervalMs || 300000) / 1000)}s`);
-	console.log(`Concurrency cap: ${config.maxConcurrentRequestsPerAccount} request/account`);
+	console.log(`Concurrency cap: ${config.maxConcurrentRequestsPerAccount} request/account, ${config.maxConcurrentRequestsPerProjectModel} request/project+model`);
+	console.log(`Safety breaker: ${config.projectCircuitBreaker429Threshold} provider 429s / ${Math.round((config.projectCircuitBreakerWindowMs || 0) / 60000)}m pauses project+model for ${Math.round((config.projectCircuitBreakerCooldownMs || 0) / 60000)}m`);
 	console.log(`Protective pause: ${Math.round((config.protectivePauseMs || 0) / 3600000)}h after serious flag`);
 	console.log();
 

package/src/login.ts

@@ -79,19 +79,21 @@ export async function runLogin(): Promise<void> {
 	const email = await getUserEmail(tokenData.accessToken);
 
 	console.log("Discovering project...");
-	const projectId = await discoverProject(tokenData.accessToken);
+	const project = await discoverProject(tokenData.accessToken);
 
 	const label = email ? email.split("@")[0] : "Account";
 	const entry: AccountConfig = {
 		email: email || "unknown@gmail.com",
 		refreshToken: tokenData.refreshToken,
-		projectId,
+		projectId: project.projectId,
+		projectSource: project.source,
 		label,
 	};
 
 	console.log();
 	const { isNew } = addAccountToConfig(entry);
 	console.log(`  ${isNew ? "Added" : "Updated"} ${entry.email} in ${ACCOUNTS_FILE}`);
+	console.log(`  projectId=${project.projectId} (source=${project.source})`);
 
 	ensurePiModelsConfig();
 	ensurePiAuthConfig();

package/src/oauth.ts

@@ -11,7 +11,6 @@ export const SCOPES = [
 	"https://www.googleapis.com/auth/experimentsandconfigs",
 ];
 export const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
-export const DEFAULT_PROJECT_ID = "rising-fact-p41fc";
 
 export interface OAuthClientConfig {
 	clientId: string;
@@ -107,7 +106,13 @@ export async function exchangeAuthorizationCode(code: string, verifier: string):
 	};
 }
 
-export async function discoverProject(accessToken: string): Promise<string> {
+export interface ProjectDiscoveryResult {
+	projectId: string;
+	source: "google";
+	endpoint: string;
+}
+
+export async function discoverProject(accessToken: string): Promise<ProjectDiscoveryResult> {
 	const headers: Record<string, string> = {
 		Authorization: `Bearer ${accessToken}`,
 		"Content-Type": "application/json",
@@ -138,14 +143,14 @@ export async function discoverProject(accessToken: string): Promise<string> {
 					cloudaicompanionProject?: string | { id?: string };
 				};
 				if (typeof data.cloudaicompanionProject === "string" && data.cloudaicompanionProject) {
-					return data.cloudaicompanionProject;
+					return { projectId: data.cloudaicompanionProject, source: "google", endpoint };
 				}
 				if (
 					data.cloudaicompanionProject &&
 					typeof data.cloudaicompanionProject === "object" &&
 					data.cloudaicompanionProject.id
 				) {
-					return data.cloudaicompanionProject.id;
+					return { projectId: data.cloudaicompanionProject.id, source: "google", endpoint };
 				}
 			}
 		} catch {
@@ -153,7 +158,7 @@ export async function discoverProject(accessToken: string): Promise<string> {
 		}
 	}
 
-	return DEFAULT_PROJECT_ID;
+	throw new Error("Could not discover Cloud Code companion project ID from Google. If this account is new, open it in Antigravity IDE and send one message first, then retry login. Login failed instead of falling back to a shared projectId.");
 }
 
 export async function getUserEmail(accessToken: string): Promise<string | undefined> {

package/src/onboarding.ts

@@ -203,12 +203,13 @@ export async function handleHostedCallback(
 	try {
 		const tokenData = await exchangeAuthorizationCode(code, session.verifier);
 		const email = await getUserEmail(tokenData.accessToken);
-		const projectId = await discoverProject(tokenData.accessToken);
+		const project = await discoverProject(tokenData.accessToken);
 		const label = email ? email.split("@")[0] : "Account";
 		const entry = {
 			email: email || "unknown@gmail.com",
 			refreshToken: tokenData.refreshToken,
-			projectId,
+			projectId: project.projectId,
+			projectSource: project.source,
 			label,
 		};
 
@@ -221,6 +222,7 @@ export async function handleHostedCallback(
 				"Account Connected",
 				`<h1>Account Connected</h1>
 <p><strong>${entry.email}</strong> was ${isNew ? "added" : "updated"} successfully.</p>
+<p>Project: <span class="mono">${project.projectId}</span> via ${project.source}.</p>
 <p>The rotator can start using this account immediately.</p>
 <div class="note">If you ever want to stop sharing access, revoke this app's access from the Google account security settings.</div>`,
 			),

package/src/proxy.ts

@@ -26,7 +26,13 @@ const proxyLogger = logger.child("proxy");
 
 const MAX_ENDPOINT_RETRIES = 3;
 const MAX_COOLDOWN_MS = 30 * 60 * 1000; // 30 minutes max cooldown
+const RESOURCE_EXHAUSTED_COOLDOWN_MS = 30 * 60 * 1000; // Stop hammering provider-side daily/request buckets
 const STREAM_IDLE_TIMEOUT_MS = 2 * 60 * 1000; // Release account if a stream goes silent.
+const LARGE_CONTEXT_WARN_BYTES = 1 * 1024 * 1024;
+
+function sleep(ms: number): Promise<void> {
+	return new Promise((resolve) => setTimeout(resolve, ms));
+}
 
 interface RequestBody {
 	project: string;
@@ -97,6 +103,11 @@ function capCooldown(ms: number): number {
 	return Math.min(ms, MAX_COOLDOWN_MS);
 }
 
+function isResourceExhausted(errorText: string): boolean {
+	const lower = errorText.toLowerCase();
+	return lower.includes("resource_exhausted") || lower.includes("resource exhausted");
+}
+
 function formatError(err: unknown): string {
 	if (!(err instanceof Error)) return String(err);
 	const cause = err.cause;
@@ -180,8 +191,8 @@ async function streamResponseBody(
 		const resetIdleTimer = (): void => {
 			if (idleTimer) clearTimeout(idleTimer);
 			idleTimer = setTimeout(() => {
-				nodeStream.destroy(new Error(`stream idle for ${Math.round(STREAM_IDLE_TIMEOUT_MS / 1000)}s`));
 				finish(`idle timeout after ${Math.round(STREAM_IDLE_TIMEOUT_MS / 1000)}s`);
+				if (!nodeStream.destroyed) nodeStream.destroy();
 			}, STREAM_IDLE_TIMEOUT_MS);
 		};
 
@@ -346,6 +357,9 @@ async function handleProxyRequest(
 	const proxyLog = (msg: string, level: "info" | "warn" | "error" = "info"): void => {
 		log(msg, rotator, level);
 	};
+	if (bodyBuffer.length > LARGE_CONTEXT_WARN_BYTES) {
+		proxyLog(`[${body.model}] Large request body ${bodyBuffer.length} bytes; high context pressure increases rate-limit/flag risk`, "warn");
+	}
 
 	const sendNoAccountsAvailable = (reason: string): void => {
 		proxyLog(`[${body.model}] No healthy account available: ${reason}`, "warn");
@@ -392,22 +406,41 @@ async function handleProxyRequest(
 		};
 
 		try {
+			const jitterMs = rotator.getSafetyJitterMs(account);
+			if (jitterMs > 0) {
+				proxyLog(`[${requestId}] Safety slow-mode jitter ${jitterMs}ms for account/project daily budget pressure`, "warn");
+				await sleep(jitterMs);
+			}
+			rotator.recordUpstreamAttempt(account);
 			const response = await forwardRequest(account, { ...body }, flattenHeaders(req.headers));
 
 			if (response.status === 429) {
 				const errorText = await response.text().catch(() => "");
-				const cooldownMs = capCooldown(extractRetryDelay(errorText, response.headers));
-				proxyLog(`[${label}] 429 rate limited, cooldown ${Math.ceil(cooldownMs / 1000)}s`, "warn");
+				const providerResourceExhausted = isResourceExhausted(errorText);
+				const cooldownMs = providerResourceExhausted
+					? RESOURCE_EXHAUSTED_COOLDOWN_MS
+					: capCooldown(extractRetryDelay(errorText, response.headers));
+				proxyLog(
+					`[${label}] 429 rate limited${providerResourceExhausted ? " (RESOURCE_EXHAUSTED)" : ""}, cooldown ${Math.ceil(cooldownMs / 1000)}s. Error text: ${errorText.slice(0, 300)}`,
+					"warn",
+				);
 				recordOutcome(429);
-				logRequestEnd(429, `cooldownMs=${cooldownMs}`);
+				logRequestEnd(429, `cooldownMs=${cooldownMs}${providerResourceExhausted ? " resourceExhausted=true" : ""}`);
 				rotator.markExhausted(account, body.model, cooldownMs);
-				res.writeHead(503, {
+				rotator.recordProvider429(account, body.model, cooldownMs);
+
+				// Safety first: do NOT immediately retry another account on 429.
+				// Provider-side 429s can represent daily/request buckets or shared project pressure;
+				// cascading retries burn the full pool and increase ban/flag risk.
+				res.writeHead(429, {
 					"Content-Type": "application/json",
 					"Retry-After": String(Math.ceil(cooldownMs / 1000)),
 				});
 				res.end(JSON.stringify({
-					error: "Rate limited",
-					reason: `${label} was rate limited; not retrying another account for this request`,
+					error: providerResourceExhausted ? "Resource exhausted" : "Rate limited",
+					reason: providerResourceExhausted
+						? `${label} hit provider RESOURCE_EXHAUSTED; not retrying another account to avoid pool-wide hammering`
+						: `${label} was rate limited; not retrying another account for account-safety`,
 					model: body.model,
 					account: label,
 					retryAfterMs: cooldownMs,

package/src/rotator.ts

@@ -38,6 +38,14 @@ const rotatorLogger = logger.child("rotator");
 const STATE_FILE = getStatePath();
 const TOKENS_FILE = STATE_FILE.replace("state.json", "token-usage.json");
 
+function currentUtcDay(now = Date.now()): string {
+	return new Date(now).toISOString().slice(0, 10);
+}
+
+function projectModelKey(projectId: string, modelKey: string): string {
+	return `${projectId}::${modelKey}`;
+}
+
 export class AccountRotator {
 	private accounts: AccountRuntime[] = [];
 	// Per-model active account tracking
@@ -56,6 +64,10 @@ export class AccountRotator {
 	private static readonly MAX_LATENCY_RECORDS = 200;
 	private requestLog: StatusResponse["requestLog"] = [];
 	private static readonly MAX_REQUEST_LOG = 200;
+	private safetyDay = currentUtcDay();
+	private projectRequests: Record<string, number> = {};
+	private projectModelBreakers: Record<string, number> = {};
+	private provider429Events: Array<{ ts: number; projectId: string; modelKey: string; account: string }> = [];
 
 	constructor(private config: Config) {
 		this.initAccounts();
@@ -83,6 +95,8 @@ export class AccountRotator {
 			inFlightByModel: {},
 			allowFreshWindowStartsOverride: false,
 			quotaWindows: {},
+			dailyRequestCount: 0,
+			dailyRequestDay: currentUtcDay(),
 		}));
 	}
 
@@ -109,11 +123,18 @@ export class AccountRotator {
 			this.protectivePauseUntil = state.protectivePauseUntil ?? 0;
 			this.protectivePauseReason = state.protectivePauseReason ?? null;
 			this.allowFreshWindowStarts = state.allowFreshWindowStarts ?? true;
+			this.safetyDay = state.safety?.day ?? currentUtcDay();
+			this.projectRequests = state.safety?.projectRequests ?? {};
+			this.projectModelBreakers = state.safety?.projectModelBreakers ?? {};
+			this.provider429Events = state.safety?.provider429Events ?? [];
+			this.rollDailySafetyIfNeeded(Date.now());
 
 			for (const account of this.accounts) {
 				const saved = state.accounts[account.config.email];
 				if (saved) {
 					account.totalRequests = saved.totalRequests;
+					account.dailyRequestCount = saved.dailyRequestCount ?? 0;
+					account.dailyRequestDay = saved.dailyRequestDay ?? currentUtcDay();
 					account.cooldownsByModel = saved.cooldownsByModel ?? {};
 					if (saved.cooldownUntil !== undefined && Object.keys(account.cooldownsByModel).length === 0) {
 						// legacy migration: apply global cooldown to default
@@ -186,11 +207,19 @@ export class AccountRotator {
 			protectivePauseUntil: this.protectivePauseUntil,
 			protectivePauseReason: this.protectivePauseReason,
 			allowFreshWindowStarts: this.allowFreshWindowStarts,
+			safety: {
+				day: this.safetyDay,
+				projectRequests: { ...this.projectRequests },
+				projectModelBreakers: { ...this.projectModelBreakers },
+				provider429Events: [...this.provider429Events],
+			},
 			accounts: {},
 		};
 		for (const account of this.accounts) {
 			state.accounts[account.config.email] = {
 				totalRequests: account.totalRequests,
+				dailyRequestCount: account.dailyRequestCount,
+				dailyRequestDay: account.dailyRequestDay,
 				cooldownsByModel: { ...account.cooldownsByModel },
 				quotaExhaustedAt: account.quotaExhaustedAt,
 				disabled: account.disabled,
@@ -545,6 +574,54 @@ export class AccountRotator {
 		return account;
 	}
 
+	private rollDailySafetyIfNeeded(now: number): void {
+		const day = currentUtcDay(now);
+		if (this.safetyDay === day) return;
+		this.safetyDay = day;
+		this.projectRequests = {};
+		for (const account of this.accounts) {
+			account.dailyRequestDay = day;
+			account.dailyRequestCount = 0;
+		}
+	}
+
+	private getAccountDailyCount(account: AccountRuntime, now: number): number {
+		const day = currentUtcDay(now);
+		if (account.dailyRequestDay !== day) {
+			account.dailyRequestDay = day;
+			account.dailyRequestCount = 0;
+		}
+		return account.dailyRequestCount;
+	}
+
+	private getProjectDailyCount(projectId: string, now: number): number {
+		this.rollDailySafetyIfNeeded(now);
+		return this.projectRequests[projectId] ?? 0;
+	}
+
+	private getProjectInFlight(modelKey: string, projectId: string): number {
+		return this.accounts
+			.filter((account) => account.config.projectId === projectId)
+			.reduce((sum, account) => sum + (account.inFlightByModel[modelKey] ?? 0), 0);
+	}
+
+	private isProjectModelBreakerActive(projectId: string, modelKey: string, now: number): boolean {
+		const until = this.projectModelBreakers[projectModelKey(projectId, modelKey)] ?? 0;
+		if (until <= now) {
+			if (until > 0) delete this.projectModelBreakers[projectModelKey(projectId, modelKey)];
+			return false;
+		}
+		return true;
+	}
+
+	private getUnavailableReasonForModel(account: AccountRuntime, modelKey: string, now: number): string | null {
+		if (this.isProjectModelBreakerActive(account.config.projectId, modelKey, now)) return "project circuit breaker active";
+		if (this.getProjectInFlight(modelKey, account.config.projectId) >= (this.config.maxConcurrentRequestsPerProjectModel ?? 1)) return "project concurrency limit reached";
+		if (this.getAccountDailyCount(account, now) >= (this.config.dailyAccountStopRequests ?? 350)) return "daily account budget exhausted";
+		if (this.getProjectDailyCount(account.config.projectId, now) >= (this.config.dailyProjectStopRequests ?? 1200)) return "daily project budget exhausted";
+		return null;
+	}
+
 	// =========================================================================
 	// Account Selection (per-model)
 	// =========================================================================
@@ -1001,13 +1078,58 @@ export class AccountRotator {
 		account.cooldownsByModel[modelKey] = now + cooldownMs;
 		account.quotaExhaustedAt = now;
 
+		this.log(
+			`${account.config.label || account.config.email} [${modelKey}]: EXHAUSTED, cooldown ${Math.ceil(cooldownMs / 1000)}s`,
+			"warn",
+		);
+		this.saveState();
+	}
+
+	recordProvider429(account: AccountRuntime, model: string | undefined, cooldownMs: number): void {
+		const now = Date.now();
+		const modelKey = model ? (resolveQuotaModelKey(model) ?? "__default__") : "__default__";
+		const windowMs = this.config.projectCircuitBreakerWindowMs ?? 10 * 60 * 1000;
+		const threshold = this.config.projectCircuitBreaker429Threshold ?? 3;
+		const breakerCooldownMs = this.config.projectCircuitBreakerCooldownMs ?? 60 * 60 * 1000;
+		const projectId = account.config.projectId;
+		this.provider429Events = this.provider429Events
+			.filter((event) => now - event.ts <= windowMs)
+			.concat({ ts: now, projectId, modelKey, account: account.config.email });
+		const uniqueAccounts = new Set(
+			this.provider429Events
+				.filter((event) => event.projectId === projectId && event.modelKey === modelKey)
+				.map((event) => event.account),
+		);
+		if (uniqueAccounts.size >= threshold) {
+			const until = now + Math.max(cooldownMs, breakerCooldownMs);
+			this.projectModelBreakers[projectModelKey(projectId, modelKey)] = until;
 			this.log(
-				`${account.config.label || account.config.email} [${modelKey}]: EXHAUSTED, cooldown ${Math.ceil(cooldownMs / 1000)}s`,
+				`[${modelKey}] Project circuit breaker active for projectId=${projectId} after ${uniqueAccounts.size} accounts hit 429; cooldown ${Math.ceil((until - now) / 1000)}s`,
 				"warn",
 			);
+		}
+		this.saveState();
+	}
+
+	recordUpstreamAttempt(account: AccountRuntime): void {
+		const now = Date.now();
+		this.rollDailySafetyIfNeeded(now);
+		this.getAccountDailyCount(account, now);
+		account.dailyRequestCount++;
+		this.projectRequests[account.config.projectId] = (this.projectRequests[account.config.projectId] ?? 0) + 1;
 		this.saveState();
 	}
 
+	getSafetyJitterMs(account: AccountRuntime): number {
+		const now = Date.now();
+		const accountSlow = this.getAccountDailyCount(account, now) >= (this.config.dailyAccountSlowRequests ?? 250);
+		const projectSlow = this.getProjectDailyCount(account.config.projectId, now) >= (this.config.dailyProjectSlowRequests ?? 900);
+		if (!accountSlow && !projectSlow) return 0;
+		const min = this.config.slowModeJitterMinMs ?? 8_000;
+		const max = Math.max(min, this.config.slowModeJitterMaxMs ?? 25_000);
+		return Math.floor(min + Math.random() * (max - min + 1));
+	}
+
 	markError(account: AccountRuntime, error: string): void {
 		account.lastError = error;
 			account.consecutiveErrors++;
@@ -1139,6 +1261,7 @@ export class AccountRotator {
 		const modelCooldown = account.cooldownsByModel[modelKey] ?? 0;
 		if (modelCooldown > now) return false;
 		if ((account.inFlightByModel[modelKey] ?? 0) >= (this.config.maxConcurrentRequestsPerAccount ?? 1)) return false;
+		if (this.getUnavailableReasonForModel(account, modelKey, now)) return false;
 		return true;
 	}
 
@@ -1348,6 +1471,8 @@ export class AccountRotator {
 					inFlightByModel: {},
 				allowFreshWindowStartsOverride: false,
 					quotaWindows: {},
+				dailyRequestCount: 0,
+				dailyRequestDay: currentUtcDay(),
 			};
 			this.accounts.push(runtime);
 			this.config.accounts.push(runtime.config);

package/src/types.ts

@@ -6,6 +6,8 @@ export interface AccountConfig {
 	email: string;
 	refreshToken: string;
 	projectId: string;
+	// How the projectId was obtained.
+	projectSource?: "google" | "manual";
 	label?: string;
 	// Optional - pro/free is detected dynamically from quota API reset times
 	type?: AccountType;
@@ -25,6 +27,20 @@ export interface Config {
 	proSlots?: number;
 	// Hard cap on parallel requests per account. Conservative default is 1.
 	maxConcurrentRequestsPerAccount?: number;
+	// Hard cap on parallel requests per projectId/model. Conservative default is 1.
+	maxConcurrentRequestsPerProjectModel?: number;
+	// Pause projectId/model when several accounts hit provider 429 in a short window. Defaults: 3 hits / 10min / 60min pause.
+	projectCircuitBreaker429Threshold?: number;
+	projectCircuitBreakerWindowMs?: number;
+	projectCircuitBreakerCooldownMs?: number;
+	// Daily safety budgets. Defaults: account slow 250, account stop 350, project slow 900, project stop 1200.
+	dailyAccountSlowRequests?: number;
+	dailyAccountStopRequests?: number;
+	dailyProjectSlowRequests?: number;
+	dailyProjectStopRequests?: number;
+	// Add small delay before upstream call when an account/project is in slow mode. Default: 8-25s.
+	slowModeJitterMinMs?: number;
+	slowModeJitterMaxMs?: number;
 	// Pause all routing after a serious provider flag. Default: 6h.
 	protectivePauseMs?: number;
 	// Use request-count rotation only before quota data is available. Default: true.
@@ -139,6 +155,8 @@ export interface AccountRuntime {
 	inFlightByModel: Record<string, number>;
 	allowFreshWindowStartsOverride: boolean;
 	quotaWindows: QuotaWindowHistory;
+	dailyRequestCount: number;
+	dailyRequestDay: string;
 }
 
 // Per-model rotation state tracked by the rotator
@@ -164,6 +182,13 @@ export interface DualWindowTracker {
 // Per-account quota window tracking: keyed by model key
 export type QuotaWindowHistory = Record<string, DualWindowTracker>;
 
+export interface PersistedSafetyState {
+	day: string;
+	projectRequests: Record<string, number>;
+	projectModelBreakers: Record<string, number>;
+	provider429Events: Array<{ ts: number; projectId: string; modelKey: string; account: string }>;
+}
+
 export interface PersistedState {
 	// Per-model active account index
 	modelAccounts: Record<string, number>;
@@ -174,10 +199,13 @@ export interface PersistedState {
 	protectivePauseUntil?: number;
 	protectivePauseReason?: string | null;
 	allowFreshWindowStarts?: boolean;
+	safety?: PersistedSafetyState;
 	accounts: Record<
 		string,
 		{
 			totalRequests: number;
+			dailyRequestCount?: number;
+			dailyRequestDay?: string;
 			cooldownUntil?: number; // legacy fallback
 			cooldownsByModel?: Record<string, number>;
 			quotaExhaustedAt: number;

package/src/validators.ts

@@ -63,6 +63,16 @@ export function validateConfig(value: unknown): ValidationResult<Config> {
 	if (value.quotaPollIntervalMs !== undefined && !isPositiveNumber(value.quotaPollIntervalMs)) errors.push("config.quotaPollIntervalMs must be a positive number");
 	if (value.proSlots !== undefined && !isPositiveNumber(value.proSlots)) errors.push("config.proSlots must be a positive number");
 	if (value.maxConcurrentRequestsPerAccount !== undefined && !isPositiveNumber(value.maxConcurrentRequestsPerAccount)) errors.push("config.maxConcurrentRequestsPerAccount must be a positive number");
+	if (value.maxConcurrentRequestsPerProjectModel !== undefined && !isPositiveNumber(value.maxConcurrentRequestsPerProjectModel)) errors.push("config.maxConcurrentRequestsPerProjectModel must be a positive number");
+	if (value.projectCircuitBreaker429Threshold !== undefined && !isPositiveNumber(value.projectCircuitBreaker429Threshold)) errors.push("config.projectCircuitBreaker429Threshold must be a positive number");
+	if (value.projectCircuitBreakerWindowMs !== undefined && !isPositiveNumber(value.projectCircuitBreakerWindowMs)) errors.push("config.projectCircuitBreakerWindowMs must be a positive number");
+	if (value.projectCircuitBreakerCooldownMs !== undefined && !isPositiveNumber(value.projectCircuitBreakerCooldownMs)) errors.push("config.projectCircuitBreakerCooldownMs must be a positive number");
+	if (value.dailyAccountSlowRequests !== undefined && !isPositiveNumber(value.dailyAccountSlowRequests)) errors.push("config.dailyAccountSlowRequests must be a positive number");
+	if (value.dailyAccountStopRequests !== undefined && !isPositiveNumber(value.dailyAccountStopRequests)) errors.push("config.dailyAccountStopRequests must be a positive number");
+	if (value.dailyProjectSlowRequests !== undefined && !isPositiveNumber(value.dailyProjectSlowRequests)) errors.push("config.dailyProjectSlowRequests must be a positive number");
+	if (value.dailyProjectStopRequests !== undefined && !isPositiveNumber(value.dailyProjectStopRequests)) errors.push("config.dailyProjectStopRequests must be a positive number");
+	if (value.slowModeJitterMinMs !== undefined && !isNonNegativeNumber(value.slowModeJitterMinMs)) errors.push("config.slowModeJitterMinMs must be a non-negative number");
+	if (value.slowModeJitterMaxMs !== undefined && !isNonNegativeNumber(value.slowModeJitterMaxMs)) errors.push("config.slowModeJitterMaxMs must be a non-negative number");
 	if (value.protectivePauseMs !== undefined && !isNonNegativeNumber(value.protectivePauseMs)) errors.push("config.protectivePauseMs must be a non-negative number");
 	if (value.useRequestCountRotationWhenQuotaUnknownOnly !== undefined && typeof value.useRequestCountRotationWhenQuotaUnknownOnly !== "boolean") {
 		errors.push("config.useRequestCountRotationWhenQuotaUnknownOnly must be a boolean");