responses-proxy 0.1.0

package/dist/client-token-limits.test.js

@@ -0,0 +1,129 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { buildClientTokenLimitError, extractUsageTotals, getClientTokenLimitStatus, resolveClientTokenWindowStart, } from "./client-token-limits.js";
+const baseConfig = {
+    clientRoute: "codex",
+    enabled: true,
+    tokenLimit: 1000,
+    windowType: "daily",
+    hardBlock: true,
+    createdAt: "2026-04-27T00:00:00.000Z",
+    updatedAt: "2026-04-27T00:00:00.000Z",
+};
+const baseUsage = {
+    clientRoute: "codex",
+    windowStart: "2026-04-27T00:00:00.000Z",
+    inputTokens: 100,
+    outputTokens: 50,
+    totalTokens: 150,
+    updatedAt: "2026-04-27T12:00:00.000Z",
+};
+test("resolveClientTokenWindowStart supports daily weekly monthly and fixed windows", () => {
+    const now = new Date("2026-04-29T13:45:30.000Z");
+    assert.equal(resolveClientTokenWindowStart(now, { windowType: "daily" }), "2026-04-29T00:00:00.000Z");
+    assert.equal(resolveClientTokenWindowStart(now, { windowType: "weekly" }), "2026-04-27T00:00:00.000Z");
+    assert.equal(resolveClientTokenWindowStart(now, { windowType: "monthly" }), "2026-04-01T00:00:00.000Z");
+    assert.equal(resolveClientTokenWindowStart(now, { windowType: "fixed", windowSizeSeconds: 3600 }), "2026-04-29T13:00:00.000Z");
+});
+test("getClientTokenLimitStatus does not block disabled config", () => {
+    assert.deepEqual(getClientTokenLimitStatus({ ...baseConfig, enabled: false }, baseUsage), {
+        used: 150,
+        limit: null,
+        remaining: null,
+        blocked: false,
+        windowStart: "2026-04-27T00:00:00.000Z",
+    });
+});
+test("getClientTokenLimitStatus reports usage under limit", () => {
+    assert.deepEqual(getClientTokenLimitStatus(baseConfig, baseUsage), {
+        used: 150,
+        limit: 1000,
+        remaining: 850,
+        blocked: false,
+        windowStart: "2026-04-27T00:00:00.000Z",
+    });
+});
+test("getClientTokenLimitStatus blocks exactly at limit", () => {
+    assert.deepEqual(getClientTokenLimitStatus(baseConfig, {
+        ...baseUsage,
+        totalTokens: 1000,
+    }), {
+        used: 1000,
+        limit: 1000,
+        remaining: 0,
+        blocked: true,
+        windowStart: "2026-04-27T00:00:00.000Z",
+    });
+});
+test("getClientTokenLimitStatus blocks above limit", () => {
+    assert.deepEqual(getClientTokenLimitStatus(baseConfig, {
+        ...baseUsage,
+        totalTokens: 1075,
+    }), {
+        used: 1075,
+        limit: 1000,
+        remaining: 0,
+        blocked: true,
+        windowStart: "2026-04-27T00:00:00.000Z",
+    });
+});
+test("buildClientTokenLimitError creates a 429 request error body", () => {
+    const status = getClientTokenLimitStatus(baseConfig, {
+        ...baseUsage,
+        totalTokens: 1000,
+    });
+    assert.deepEqual(buildClientTokenLimitError("codex", status), {
+        statusCode: 429,
+        body: {
+            error: {
+                type: "request_error",
+                code: "CLIENT_TOKEN_LIMIT_EXCEEDED",
+                message: "Client route 'codex' has reached its token limit for the current window.",
+                client: "codex",
+                client_route: "codex",
+                usage: status,
+            },
+        },
+    });
+});
+test("extractUsageTotals reads direct and nested usage totals", () => {
+    assert.deepEqual(extractUsageTotals({
+        input_tokens: 10,
+        output_tokens: 20,
+        total_tokens: 30,
+    }), {
+        inputTokens: 10,
+        outputTokens: 20,
+        totalTokens: 30,
+    });
+    assert.deepEqual(extractUsageTotals({
+        usage: {
+            input_tokens: 5,
+            output_tokens: 6,
+            total_tokens: 11,
+        },
+    }), {
+        inputTokens: 5,
+        outputTokens: 6,
+        totalTokens: 11,
+    });
+    assert.deepEqual(extractUsageTotals({
+        response: {
+            usage: {
+                input_tokens: 3,
+                output_tokens: 4,
+                total_tokens: 7,
+            },
+        },
+    }), {
+        inputTokens: 3,
+        outputTokens: 4,
+        totalTokens: 7,
+    });
+});
+test("extractUsageTotals ignores usage payloads without total_tokens", () => {
+    assert.equal(extractUsageTotals({
+        input_tokens: 10,
+        output_tokens: 20,
+    }), undefined);
+});

package/dist/codex-config.js

@@ -0,0 +1,47 @@
+import { homedir } from "node:os";
+import { readFileSync } from "node:fs";
+export function resolveDefaultCodexConfigPath() {
+    return `${homedir()}/.codex/config.toml`;
+}
+export function readCodexProviderFromConfig(filePath) {
+    let raw;
+    try {
+        raw = readFileSync(filePath, "utf8");
+    }
+    catch {
+        return undefined;
+    }
+    const providerName = readTopLevelTomlString(raw, "model_provider");
+    if (!providerName) {
+        return undefined;
+    }
+    const section = readTomlSection(raw, `model_providers.${providerName}`);
+    if (!section) {
+        return undefined;
+    }
+    const baseUrl = readTomlString(section, "base_url");
+    if (!baseUrl) {
+        return undefined;
+    }
+    return {
+        name: readTomlString(section, "name") ?? providerName,
+        baseUrl,
+        wireApi: readTomlString(section, "wire_api"),
+    };
+}
+function readTopLevelTomlString(raw, key) {
+    const match = raw.match(new RegExp(`^${escapeRegExp(key)}\\s*=\\s*\"([^\"]+)\"\\s*$`, "m"));
+    return match?.[1];
+}
+function readTomlSection(raw, sectionName) {
+    const escaped = escapeRegExp(sectionName);
+    const match = raw.match(new RegExp(`^\\[${escaped}\\]\\s*$([\\s\\S]*?)(?=^\\[|\\Z)`, "m"));
+    return match?.[1];
+}
+function readTomlString(rawSection, key) {
+    const match = rawSection.match(new RegExp(`^${escapeRegExp(key)}\\s*=\\s*\"([^\"]+)\"\\s*$`, "m"));
+    return match?.[1];
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}

package/dist/codex-setup.js

@@ -0,0 +1,87 @@
+import { createHash } from "node:crypto";
+export function buildCodexConfigFiles(input) {
+    const model = input.model?.trim() || "gpt-5.5";
+    const baseUrl = input.baseUrl.trim();
+    const apiKey = input.apiKey.trim();
+    return {
+        configToml: [
+            `model = ${tomlString(model)}`,
+            `model_provider = "resproxy"`,
+            `model_reasoning_effort = "medium"`,
+            "",
+            `[model_providers.resproxy]`,
+            `name = "resproxy"`,
+            `base_url = ${tomlString(baseUrl)}`,
+            `api_key = ${tomlString(apiKey)}`,
+            `wire_api = "responses"`,
+            "",
+        ].join("\n"),
+        authJson: `${JSON.stringify({
+            auth_mode: "apikey",
+            OPENAI_API_KEY: apiKey,
+        }, null, 2)}\n`,
+    };
+}
+export function buildCodexSetupEndpointUrl(publicResponsesBaseUrl) {
+    const trimmed = publicResponsesBaseUrl.trim().replace(/\/+$/, "");
+    const origin = trimmed.endsWith("/v1") ? trimmed.slice(0, -3) : trimmed;
+    return `${origin}/api/customer/codex/setup.sh`;
+}
+export function buildCodexSetupCurlCommand(input) {
+    const setupUrl = buildCodexSetupEndpointUrl(input.publicResponsesBaseUrl);
+    return [
+        "curl -fsSL \\",
+        `  -H 'Authorization: Bearer ${escapeShellSingleQuote(input.apiKey.trim())}' \\`,
+        `  '${escapeShellSingleQuote(setupUrl)}' \\`,
+        "  | sh",
+    ].join("\n");
+}
+export function buildCodexConfigSetupScript(input) {
+    const targetDir = input.targetDir?.trim() || "$HOME/.codex";
+    const configDelimiter = buildHeredocDelimiter("RESPONSES_PROXY_CODEX_CONFIG", input.configToml);
+    const authDelimiter = buildHeredocDelimiter("RESPONSES_PROXY_CODEX_AUTH", input.authJson);
+    return [
+        "#!/usr/bin/env sh",
+        "set -eu",
+        "umask 077",
+        'tmpdir="$(mktemp -d "${TMPDIR:-/tmp}/responses-proxy-codex.XXXXXX")"',
+        'trap \'rm -rf "$tmpdir"\' EXIT INT TERM',
+        `cat > "$tmpdir/config.toml" <<'${configDelimiter}'`,
+        input.configToml,
+        configDelimiter,
+        `cat > "$tmpdir/auth.json" <<'${authDelimiter}'`,
+        input.authJson,
+        authDelimiter,
+        "install_file() {",
+        '  src="$1"',
+        '  dest="$2"',
+        '  dest_dir="$(dirname "$dest")"',
+        '  mkdir -p "$dest_dir"',
+        '  if [ -f "$dest" ] && cmp -s "$src" "$dest"; then',
+        '    printf "%s\\n" "unchanged: $dest"',
+        "    return 0",
+        "  fi",
+        '  if [ -f "$dest" ]; then',
+        '    backup="$dest.$(date +%Y%m%d-%H%M%S).bak"',
+        '    cp "$dest" "$backup"',
+        '    printf "%s\\n" "backup: $backup"',
+        "  fi",
+        '  mv "$src" "$dest"',
+        '  printf "%s\\n" "updated: $dest"',
+        "}",
+        `install_file "$tmpdir/config.toml" "${targetDir}/config.toml"`,
+        `install_file "$tmpdir/auth.json" "${targetDir}/auth.json"`,
+        'printf "%s\\n" "Codex setup applied."',
+        "",
+    ].join("\n");
+}
+function buildHeredocDelimiter(prefix, content) {
+    const digest = createHash("sha256").update(content).digest("hex").slice(0, 16).toUpperCase();
+    return `${prefix}_${digest}`;
+}
+function escapeShellSingleQuote(value) {
+    return value.replace(/'/g, `'\\''`);
+}
+function tomlString(value) {
+    return JSON.stringify(value);
+}

package/dist/codex-setup.test.js

@@ -0,0 +1,30 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { buildCodexConfigFiles, buildCodexConfigSetupScript, buildCodexSetupCurlCommand, buildCodexSetupEndpointUrl, } from "./codex-setup.js";
+test("buildCodexSetupEndpointUrl strips the public /v1 suffix", () => {
+    assert.equal(buildCodexSetupEndpointUrl("https://proxy.example.com/v1/"), "https://proxy.example.com/api/customer/codex/setup.sh");
+});
+test("buildCodexSetupCurlCommand targets the customer setup endpoint", () => {
+    const command = buildCodexSetupCurlCommand({
+        publicResponsesBaseUrl: "https://proxy.example.com/v1",
+        apiKey: "sk-customer-secret",
+    });
+    assert.match(command, /curl -fsSL/);
+    assert.match(command, /Authorization: Bearer sk-customer-secret/);
+    assert.match(command, /https:\/\/proxy\.example\.com\/api\/customer\/codex\/setup\.sh/);
+    assert.match(command, /\| sh$/);
+});
+test("buildCodexConfigSetupScript writes both Codex config files with backups", () => {
+    const files = buildCodexConfigFiles({
+        baseUrl: "https://proxy.example.com/v1",
+        apiKey: "sk-customer-secret",
+        model: "gpt-5.5",
+    });
+    const script = buildCodexConfigSetupScript(files);
+    assert.match(script, /mktemp -d/);
+    assert.match(script, /backup="\$dest\.\$\(date \+%Y%m%d-%H%M%S\)\.bak"/);
+    assert.match(script, /install_file "\$tmpdir\/config\.toml" "\$HOME\/\.codex\/config\.toml"/);
+    assert.match(script, /install_file "\$tmpdir\/auth\.json" "\$HOME\/\.codex\/auth\.json"/);
+    assert.match(script, /base_url = "https:\/\/proxy\.example\.com\/v1"/);
+    assert.match(script, /OPENAI_API_KEY": "sk-customer-secret"/);
+});

package/dist/config.js

@@ -0,0 +1,314 @@
+import os from "node:os";
+import path from "node:path";
+import { z } from "zod";
+function defaultKiroDbPath() {
+    return path.join(os.homedir(), ".9router", "db", "data.sqlite");
+}
+function parseIdList(value) {
+    return (value ?? "")
+        .split(/[,\r?\n]+/g)
+        .map((entry) => entry.trim())
+        .filter(Boolean);
+}
+function parseDelimitedList(value) {
+    return (value ?? "")
+        .split(/[,\r?\n]+/g)
+        .map((entry) => entry.trim())
+        .filter(Boolean);
+}
+const envSchema = z.object({
+    PORT: z.coerce.number().int().positive().default(8318),
+    HOST: z.string().min(1).default("0.0.0.0"),
+    UPSTREAM_BASE_URL: z.url(),
+    UPSTREAM_API_KEY: z.string().optional(),
+    PROVIDER_USAGE_CHECK_URL: z
+        .string()
+        .optional()
+        .transform((value) => (value?.trim() ? value.trim() : undefined))
+        .pipe(z.url().optional()),
+    PROVIDER_USAGE_CHECK_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    REQUEST_TIMEOUT_MS: z.coerce.number().int().positive().default(300_000),
+    SUMMARY_REQUEST_TIMEOUT_MS: z.coerce.number().int().positive().default(900_000),
+    STREAM_IDLE_TIMEOUT_MS: z.coerce.number().int().positive().default(330_000),
+    HERMES_EXTEND_SUMMARY_TIMEOUT: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    REQUEST_BODY_LIMIT_BYTES: z.coerce.number().int().positive().default(25 * 1024 * 1024),
+    HTTP_TRUST_PROXY: z
+        .string()
+        .optional()
+        .transform((value) => value === "true"),
+    HTTP_RATE_LIMIT_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    HTTP_RATE_LIMIT_WINDOW_MS: z.coerce.number().int().positive().default(60_000),
+    HTTP_RATE_LIMIT_RESPONSES_MAX_REQUESTS: z.coerce.number().int().positive().default(120),
+    HTTP_RATE_LIMIT_UNAUTHENTICATED_MAX_REQUESTS: z.coerce.number().int().positive().default(20),
+    HTTP_RATE_LIMIT_AUTH_MAX_REQUESTS: z.coerce.number().int().positive().default(30),
+    HTTP_RATE_LIMIT_WEBHOOK_MAX_REQUESTS: z.coerce.number().int().positive().default(60),
+    HTTP_RATE_LIMIT_HEALTH_MAX_REQUESTS: z.coerce.number().int().positive().default(240),
+    LOG_LEVEL: z
+        .enum(["fatal", "error", "warn", "info", "debug", "trace", "silent"])
+        .default("info"),
+    LOG_BODY: z
+        .string()
+        .optional()
+        .transform((value) => value === "true"),
+    CHATGPT_OAUTH_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value === "true"),
+    MODEL_ROUTING_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value === "true"),
+    MODEL_ROUTING_CHEAP_MODEL: z.string().optional().default("gpt-4o-mini"),
+    MODEL_ROUTING_INPUT_TOKEN_THRESHOLD: z.coerce.number().int().positive().default(2000),
+    MODEL_ROUTING_SKIP_IF_TOOLS: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    MODEL_ROUTING_SKIP_IF_IMAGES: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    MODEL_ROUTING_SKIP_IF_REASONING: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    CHATGPT_OAUTH_CLIENT_ID: z.string().min(1).default("app_EMoamEEZ73f0CkXaXp7hrann"),
+    CHATGPT_OAUTH_REDIRECT_URI: z
+        .string()
+        .min(1)
+        .default("http://localhost:1455/auth/callback"),
+    CHATGPT_OAUTH_CALLBACK_PORT: z.coerce.number().int().positive().default(1455),
+    CHATGPT_OAUTH_AUTH_URL: z
+        .string()
+        .min(1)
+        .default("https://auth.openai.com/oauth/authorize")
+        .pipe(z.url()),
+    CHATGPT_OAUTH_TOKEN_URL: z
+        .string()
+        .min(1)
+        .default("https://auth.openai.com/oauth/token")
+        .pipe(z.url()),
+    CHATGPT_OAUTH_DEVICE_USER_CODE_URL: z
+        .string()
+        .min(1)
+        .default("https://auth.openai.com/api/accounts/deviceauth/usercode")
+        .pipe(z.url()),
+    CHATGPT_OAUTH_DEVICE_TOKEN_URL: z
+        .string()
+        .min(1)
+        .default("https://auth.openai.com/api/accounts/deviceauth/token")
+        .pipe(z.url()),
+    CHATGPT_OAUTH_DEVICE_VERIFICATION_URL: z
+        .string()
+        .min(1)
+        .default("https://auth.openai.com/codex/device")
+        .pipe(z.url()),
+    CHATGPT_CODEX_BASE_URL: z
+        .string()
+        .min(1)
+        .default("https://chatgpt.com/backend-api/codex")
+        .pipe(z.url()),
+    RESPONSES_PROXY_DEFAULT_MODEL: z.string().default("gpt-5.5"),
+    BOT_PUBLIC_RESPONSES_BASE_URL: z.string().optional(),
+    CHATGPT_OAUTH_REFRESH_LEAD_DAYS: z.coerce.number().positive().default(5),
+    OPENCLAW_TOKEN_OPTIMIZATION_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    OPENCLAW_DEFAULT_REASONING_SUMMARY: z
+        .enum(["auto", "none", "concise", "detailed"])
+        .default("auto"),
+    OPENCLAW_DEFAULT_REASONING_EFFORT: z
+        .enum(["minimal", "low", "medium", "high"])
+        .default("low"),
+    OPENCLAW_DEFAULT_TEXT_VERBOSITY: z
+        .enum(["low", "medium", "high"])
+        .default("low"),
+    OPENCLAW_DEFAULT_MAX_OUTPUT_TOKENS: z
+        .string()
+        .optional()
+        .transform((value) => {
+        if (!value?.trim()) {
+            return undefined;
+        }
+        const parsed = Number(value);
+        return Number.isInteger(parsed) && parsed > 0 ? parsed : undefined;
+    }),
+    OPENCLAW_AUTO_PROMPT_CACHE_KEY: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    OPENCLAW_PROMPT_CACHE_RETENTION: z.string().min(1).default("24h"),
+    RESPONSE_CACHE_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value === "true"),
+    RESPONSE_CACHE_TTL_MS: z.coerce.number().int().positive().default(5 * 60 * 1000),
+    RESPONSE_CACHE_MAX_PAYLOAD_BYTES: z.coerce.number().int().positive().default(512 * 1024),
+    PROVIDER_PROMPT_CACHE_REDESIGN_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value === "true"),
+    PROVIDER_PROMPT_CACHE_STABLE_SUMMARIZATION_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value === "true"),
+    PROVIDER_PROMPT_CACHE_INFLIGHT_DEDUPE_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    PROVIDER_PROMPT_CACHE_RETENTION_BY_FAMILY_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value === "true"),
+    PROVIDER_PROMPT_CACHE_SUMMARY_TRIGGER_ITEMS: z.coerce.number().int().positive().default(14),
+    PROVIDER_PROMPT_CACHE_SUMMARY_KEEP_RECENT_ITEMS: z.coerce.number().int().positive().default(6),
+    PROVIDER_PROMPT_CACHE_RETENTION_BY_FAMILY: z
+        .string()
+        .optional()
+        .transform(parsePromptCacheFamilyRetentionRules),
+    PROVIDER_PROMPT_CACHE_RETENTION_BY_STATIC_KEY_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value === "true"),
+    PROVIDER_PROMPT_CACHE_RETENTION_BY_STATIC_KEY: z
+        .string()
+        .optional()
+        .transform(parsePromptCacheFamilyRetentionRules),
+    RTK_LAYER_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value === "true"),
+    RTK_LAYER_TOOL_OUTPUT_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    RTK_LAYER_TOOL_OUTPUT_MAX_CHARS: z.coerce.number().int().positive().default(4000),
+    RTK_LAYER_TOOL_OUTPUT_MAX_LINES: z.coerce.number().int().positive().default(120),
+    RTK_LAYER_TOOL_OUTPUT_TAIL_LINES: z.coerce.number().int().nonnegative().default(0),
+    RTK_LAYER_TOOL_OUTPUT_TAIL_CHARS: z.coerce.number().int().nonnegative().default(0),
+    RTK_LAYER_TOOL_OUTPUT_DETECT_FORMAT: z
+        .enum(["auto", "plain", "json", "stack", "command"])
+        .default("auto"),
+    OPENCLAW_DEFAULT_TRUNCATION: z.enum(["auto", "disabled"]).default("auto"),
+    MAX_OUTPUT_TOKENS_PARAMETER_MODE_FOR_PROVIDER: z
+        .enum(["forward", "strip", "rename"])
+        .optional(),
+    MAX_OUTPUT_TOKENS_PARAMETER_TARGET_FOR_PROVIDER: z.string().optional(),
+    STRIP_MAX_OUTPUT_TOKENS_FOR_PROVIDER: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    SANITIZE_REASONING_SUMMARY_FOR_PROVIDER: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    FALLBACK_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    FALLBACK_STATUS_CODES: z
+        .string()
+        .default("429,500,502,503,504")
+        .transform(parseFallbackStatusCodes),
+    RESPONSES_PROXY_CLIENT_API_KEY: z.string().optional(),
+    TELEGRAM_BOT_TOKEN: z.string().optional(),
+    TELEGRAM_OWNER_USER_IDS: z.string().optional().transform(parseIdList),
+    TELEGRAM_ADMIN_USER_IDS: z.string().optional().transform(parseIdList),
+    DASHBOARD_AUTH_OTP_TTL_MS: z.coerce.number().int().positive().default(10 * 60 * 1000),
+    DASHBOARD_AUTH_SESSION_TTL_MS: z.coerce.number().int().positive().default(12 * 60 * 60 * 1000),
+    APP_DB_PATH: z.string().min(1).default("./logs/app.sqlite"),
+    CUSTOMER_KEY_DB_PATH: z.string().min(1).default("./logs/telegram-bot.sqlite"),
+    SESSION_LOG_DIR: z.string().min(1).default("./logs/sessions"),
+    SESSION_LOG_RETENTION_DAYS: z.coerce.number().int().nonnegative().default(14),
+    SEPAY_WEBHOOK_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => {
+        const normalized = value?.trim().toLowerCase();
+        return normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on";
+    }),
+    SEPAY_WEBHOOK_SECRET: z.string().optional(),
+    SEPAY_WEBHOOK_ALLOWED_IPS: z.string().optional().transform(parseDelimitedList),
+    KIRO_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value === "true"),
+    KIRO_DB_PATH: z
+        .string()
+        .optional()
+        .transform((value) => (value?.trim() ? value.trim() : defaultKiroDbPath())),
+    KIRO_DEFAULT_REGION: z.string().min(1).default("us-east-1"),
+    KIRO_REFRESH_LEAD_SECONDS: z.coerce.number().int().nonnegative().default(120),
+    KIRO_WRITE_BACK_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"),
+    KIRO_DEVICE_CLIENT_NAME: z.string().min(1).default("responses-proxy"),
+    KIRO_BUILDER_ID_START_URL: z.string().min(1).default("https://view.awsapps.com/start"),
+    KIRO_DEVICE_SCOPES: z
+        .string()
+        .min(1)
+        .default("codewhisperer:completions,codewhisperer:analysis")
+        .transform((v) => v.split(",").map((s) => s.trim()).filter(Boolean)),
+    // Routing System Configuration
+    ROUTING_HEALTH_CHECK_INTERVAL: z.coerce.number().int().positive().default(30000), // 30 seconds
+    ROUTING_WEBSOCKET_BROADCAST_INTERVAL: z.coerce.number().int().positive().default(5000), // 5 seconds
+    ROUTING_PROVIDER_HEALTH_CACHE_TTL: z.coerce.number().int().positive().default(60000), // 1 minute
+    ROUTING_HEALTH_SCORE_THRESHOLD: z.coerce.number().int().min(0).max(100).default(50), // Minimum eligibility score
+    ROUTING_MAX_FALLBACK_DELAY: z.coerce.number().int().nonnegative().default(10000), // 10 seconds max delay
+    ROUTING_ENABLED: z
+        .string()
+        .optional()
+        .transform((value) => value !== "false"), // Enable routing system by default
+});
+export function readConfig(env) {
+    const parsed = envSchema.parse(env);
+    const base = parsed.UPSTREAM_BASE_URL.replace(/\/+$/, "");
+    const publicResponsesBaseUrl = parsed.BOT_PUBLIC_RESPONSES_BASE_URL?.trim().replace(/\/+$/, "") ||
+        `http://127.0.0.1:${parsed.PORT}/v1`;
+    return {
+        ...parsed,
+        upstreamResponsesUrl: `${base}/responses`,
+        publicResponsesBaseUrl,
+    };
+}
+function parsePromptCacheFamilyRetentionRules(raw) {
+    if (!raw?.trim()) {
+        return [];
+    }
+    return raw
+        .split(",")
+        .map((entry) => {
+        const separatorIndex = entry.indexOf("=");
+        if (separatorIndex <= 0) {
+            return undefined;
+        }
+        const prefix = entry.slice(0, separatorIndex).trim();
+        const retention = entry.slice(separatorIndex + 1).trim();
+        if (!prefix || !retention) {
+            return undefined;
+        }
+        return {
+            prefix,
+            retention,
+        };
+    })
+        .filter((entry) => Boolean(entry));
+}
+function parseFallbackStatusCodes(raw) {
+    const codes = raw
+        .split(",")
+        .map((part) => Number(part.trim()))
+        .filter((value) => Number.isInteger(value) && value >= 400 && value <= 599);
+    return codes.length > 0 ? codes : [429, 500, 502, 503, 504];
+}

package/dist/cost-analytics.js

@@ -0,0 +1,31 @@
+export function buildCostSummary(observations) {
+    const total = observations.length;
+    if (total === 0) {
+        const now = new Date().toISOString();
+        return {
+            window: { from: now, to: now },
+            totalRequests: 0,
+            promptCacheHits: 0,
+            promptCacheHitRate: 0,
+            avgCacheSavedPercent: 0,
+            estimatedTokensSaved: 0,
+        };
+    }
+    const hits = observations.filter((observation) => observation.cacheHit === true).length;
+    const savedPcts = observations
+        .map((observation) => observation.cacheSavedPercent)
+        .filter((value) => typeof value === "number");
+    const avgSaved = savedPcts.length > 0 ? savedPcts.reduce((left, right) => left + right, 0) / savedPcts.length : 0;
+    const tokensSaved = observations
+        .map((observation) => observation.cachedTokens ?? 0)
+        .reduce((left, right) => left + right, 0);
+    const timestamps = observations.map((observation) => observation.timestamp).sort();
+    return {
+        window: { from: timestamps[0] ?? "", to: timestamps[timestamps.length - 1] ?? "" },
+        totalRequests: total,
+        promptCacheHits: hits,
+        promptCacheHitRate: total > 0 ? hits / total : 0,
+        avgCacheSavedPercent: avgSaved,
+        estimatedTokensSaved: tokensSaved,
+    };
+}

package/dist/cost-analytics.test.js

@@ -0,0 +1,38 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { buildCostSummary } from "./cost-analytics.js";
+test("buildCostSummary aggregates prompt cache observations", () => {
+    const summary = buildCostSummary([
+        {
+            cacheHit: true,
+            cacheSavedPercent: 50,
+            cachedTokens: 100,
+            timestamp: "2026-05-11T00:02:00.000Z",
+        },
+        {
+            cacheHit: false,
+            cacheSavedPercent: 10,
+            cachedTokens: 0,
+            timestamp: "2026-05-11T00:01:00.000Z",
+        },
+    ]);
+    assert.deepEqual(summary.window, {
+        from: "2026-05-11T00:01:00.000Z",
+        to: "2026-05-11T00:02:00.000Z",
+    });
+    assert.equal(summary.totalRequests, 2);
+    assert.equal(summary.promptCacheHits, 1);
+    assert.equal(summary.promptCacheHitRate, 0.5);
+    assert.equal(summary.avgCacheSavedPercent, 30);
+    assert.equal(summary.estimatedTokensSaved, 100);
+});
+test("buildCostSummary returns zero summary for empty observations", () => {
+    const summary = buildCostSummary([]);
+    assert.equal(summary.totalRequests, 0);
+    assert.equal(summary.promptCacheHits, 0);
+    assert.equal(summary.promptCacheHitRate, 0);
+    assert.equal(summary.avgCacheSavedPercent, 0);
+    assert.equal(summary.estimatedTokensSaved, 0);
+    assert.match(summary.window.from, /^\d{4}-\d{2}-\d{2}T/);
+    assert.equal(summary.window.to, summary.window.from);
+});