responses-proxy 0.1.0

package/dist/telegram-bot/format.js

@@ -0,0 +1,140 @@
+export function maskApiKey(value) {
+    const raw = value?.trim() || "";
+    if (!raw) {
+        return "none";
+    }
+    if (raw.length <= 10) {
+        return `${raw.slice(0, 2)}...${raw.slice(-2)}`;
+    }
+    return `${raw.slice(0, 4)}...${raw.slice(-4)}`;
+}
+export function formatProxyError(error) {
+    if (error instanceof Error) {
+        return error.message;
+    }
+    const proxyError = error ?? {};
+    const lines = [
+        `${proxyError.code ?? "PROXY_REQUEST_FAILED"}: ${proxyError.message ?? "Unknown proxy error"}`,
+    ];
+    if (proxyError.request_id) {
+        lines.push(`request_id: ${proxyError.request_id}`);
+    }
+    if (typeof proxyError.upstream_status === "number") {
+        lines.push(`upstream_status: ${proxyError.upstream_status}`);
+    }
+    if (typeof proxyError.retryable === "boolean") {
+        lines.push(`retryable: ${String(proxyError.retryable)}`);
+    }
+    return lines.join("\n");
+}
+export function formatHealthStatus(status) {
+    const lines = [
+        "Proxy status",
+        `ok: ${String(status.ok ?? true)}`,
+        `active provider: ${status.activeProviderId ?? "unknown"}`,
+        `upstream: ${status.upstream ?? "n/a"}`,
+        `fallback: ${status.fallback ?? "n/a"}`,
+    ];
+    if (status.latestPromptCache) {
+        lines.push(`prompt cache: ${status.latestPromptCache.cacheStatus ?? "unknown"} ` +
+            `provider=${status.latestPromptCache.providerId ?? "n/a"} ` +
+            `hit=${String(status.latestPromptCache.providerCacheHit ?? false)}`);
+    }
+    for (const line of status.usageSummary ?? []) {
+        lines.push(line);
+    }
+    return lines.join("\n");
+}
+export function formatProviders(payload) {
+    const lines = [`Active provider: ${payload.activeProviderId ?? "none"}`, "", "Providers:"];
+    for (const provider of payload.providers ?? []) {
+        lines.push(`- ${provider.name} (${provider.id}) auth=${provider.authMode ?? "api_key"} ` +
+            `apiKey=${provider.hasProviderApiKey ? "yes" : "no"} ` +
+            `account=${provider.chatgptAccountId ?? "n/a"}`);
+    }
+    lines.push("", "Client routes:");
+    for (const route of payload.clientRoutes ?? []) {
+        lines.push(`- ${route.key}: ${route.providerName ?? route.providerId ?? "unassigned"} ` +
+            `model=${route.modelOverride ?? "default"} keys=${route.apiKeys.map(maskApiKey).join(", ") || "none"}`);
+    }
+    return lines.join("\n");
+}
+export function formatProviderDetails(provider) {
+    return [
+        `${provider.name} (${provider.id})`,
+        `baseUrl: ${provider.baseUrl}`,
+        `authMode: ${provider.authMode ?? "api_key"}`,
+        `provider keys: ${provider.providerApiKeysCount ?? 0}`,
+        `system managed: ${String(provider.capabilities?.systemManaged ?? false)}`,
+        `account platform: ${provider.capabilities?.accountPlatform ?? "n/a"}`,
+        `account pool required: ${String(provider.capabilities?.accountPoolRequired ?? false)}`,
+        `chatgpt account: ${provider.chatgptAccountId ?? "n/a"}`,
+    ].join("\n");
+}
+export function formatClientConfigs(payload) {
+    const lines = [`Proxy base URL: ${payload.proxyBaseUrl ?? "n/a"}`];
+    for (const [client, status] of Object.entries(payload.clients ?? {})) {
+        lines.push("");
+        lines.push(`${client}:`);
+        lines.push(`path: ${status.path ?? "n/a"}`);
+        lines.push(`exists: ${String(status.exists ?? false)}`);
+        lines.push(`configured: ${String(status.configured ?? false)}`);
+        lines.push(`routeApiKey: ${maskApiKey(status.routeApiKey)}`);
+        if (status.auth) {
+            lines.push(`auth configured: ${String(status.auth.configured ?? false)}`);
+            lines.push(`auth apiKey: ${maskApiKey(status.auth.detectedApiKey)}`);
+        }
+        for (const [key, value] of Object.entries(status.detected ?? {})) {
+            lines.push(`${key}: ${value ?? "n/a"}`);
+        }
+    }
+    return lines.join("\n");
+}
+export function formatOauthStatus(payload) {
+    const lines = [
+        `OAuth enabled: ${String(payload.enabled ?? false)}`,
+        `Rotation mode: ${payload.rotationMode ?? "unknown"}`,
+        "",
+        "Accounts:",
+    ];
+    for (const account of payload.accounts ?? []) {
+        lines.push(`- ${account.email || account.accountId || account.id} id=${account.id} ` +
+            `disabled=${String(account.disabled ?? false)} expires=${account.expiresAt ?? "n/a"} ` +
+            `refreshed=${account.lastRefreshAt ?? "never"}`);
+    }
+    if ((payload.accounts?.length ?? 0) === 0) {
+        lines.push("- none");
+    }
+    return lines.join("\n");
+}
+export function formatTestResult(payload) {
+    const lines = ["Test response", payload.outputText.trim() || "(empty)"];
+    if (payload.requestId) {
+        lines.push("", `request_id: ${payload.requestId}`);
+    }
+    return lines.join("\n");
+}
+export function formatModels(payload) {
+    const lines = ["Models:"];
+    for (const item of payload.data ?? []) {
+        lines.push(`- ${item.id ?? "unknown"} owner=${item.owned_by ?? "n/a"}`);
+    }
+    if ((payload.data?.length ?? 0) === 0) {
+        lines.push("- none");
+    }
+    return lines.join("\n");
+}
+export function extractResponseText(body) {
+    if (!body || typeof body !== "object") {
+        return "";
+    }
+    const candidate = body;
+    if (typeof candidate.output_text === "string") {
+        return candidate.output_text;
+    }
+    const parts = candidate.output
+        ?.flatMap((item) => item.content ?? [])
+        .filter((part) => part?.type === "output_text" && typeof part.text === "string")
+        .map((part) => part.text ?? "") ?? [];
+    return parts.join("\n").trim();
+}

package/dist/telegram-bot/grants.js

@@ -0,0 +1,370 @@
+export function assertWorkspaceApiKeyCapacity(args) {
+    const entitlement = args.billing.getActiveEntitlementForWorkspace(args.workspaceId);
+    const maxApiKeys = entitlement?.maxApiKeys ?? args.maxApiKeysIfNoEntitlement;
+    if (!maxApiKeys) {
+        throw new Error("No active entitlement was found for this customer workspace.");
+    }
+    const ignored = new Set(args.ignoredKeyIds ?? []);
+    const occupiedKeys = args.customerKeys.listKeysByWorkspace(args.workspaceId).filter((record) => {
+        if (ignored.has(record.id)) {
+            return false;
+        }
+        return record.status === "active" || record.status === "suspended";
+    });
+    if (occupiedKeys.length >= maxApiKeys) {
+        throw new Error(`API key limit reached for this workspace (${occupiedKeys.length}/${maxApiKeys}). Revoke or rotate an existing key first.`);
+    }
+}
+export async function grantCustomerAccess(args) {
+    return provisionCustomerAccess({
+        ...args,
+        action: "grant",
+    });
+}
+export async function renewCustomerAccess(args) {
+    return provisionCustomerAccess({
+        ...args,
+        action: "renew",
+    });
+}
+async function provisionCustomerAccess(args) {
+    const existingUser = args.identities.getUser(args.telegramUserId);
+    args.identities.upsertUser({
+        telegramUserId: args.telegramUserId,
+        defaultRole: "customer",
+        defaultStatus: "active",
+    });
+    args.identities.setUserStatus(args.telegramUserId, "active");
+    if (!existingUser) {
+        args.auditLog?.record({
+            event: "user.created",
+            actor: args.actor,
+            subjectType: "telegram_user",
+            subjectId: args.telegramUserId,
+            metadata: {
+                telegramUserId: args.telegramUserId,
+            },
+        });
+    }
+    else if (existingUser.status === "pending_approval") {
+        args.auditLog?.record({
+            event: "user.approved",
+            actor: args.actor,
+            subjectType: "telegram_user",
+            subjectId: args.telegramUserId,
+            metadata: {
+                telegramUserId: args.telegramUserId,
+                priorStatus: existingUser.status,
+                reason: `${args.action}_approval`,
+            },
+        });
+    }
+    const existingWorkspace = args.workspaces.getDefaultWorkspace(args.telegramUserId);
+    const workspace = args.workspaces.ensureDefaultWorkspace({
+        ownerTelegramUserId: args.telegramUserId,
+        defaultClientRoute: args.defaultClientRoute,
+        status: "active",
+    });
+    if (!existingWorkspace) {
+        args.auditLog?.record({
+            event: "workspace.created",
+            actor: args.actor,
+            subjectType: "workspace",
+            subjectId: workspace.id,
+            metadata: {
+                workspaceId: workspace.id,
+                telegramUserId: args.telegramUserId,
+                clientRoute: workspace.defaultClientRoute,
+            },
+        });
+    }
+    else if (existingWorkspace.status === "pending_approval") {
+        args.auditLog?.record({
+            event: "workspace.approved",
+            actor: args.actor,
+            subjectType: "workspace",
+            subjectId: workspace.id,
+            metadata: {
+                workspaceId: workspace.id,
+                telegramUserId: args.telegramUserId,
+                priorStatus: existingWorkspace.status,
+                reason: `${args.action}_approval`,
+            },
+        });
+    }
+    if (workspace.status !== "active") {
+        args.workspaces.setStatus(workspace.id, "active");
+    }
+    const plan = args.billing.getPlan(args.planId);
+    if (!plan) {
+        throw new Error(`Plan not found: ${args.planId}`);
+    }
+    let mode;
+    let keyRecord = args.customerKeys.getActiveKeyForUser(args.telegramUserId);
+    let apiKey;
+    let createdKeyId;
+    let keyToRevokeAfterSync;
+    if (args.replaceKey || (keyRecord && !args.customerKeys.getApiKeySecret(keyRecord.id))) {
+        const latestKey = args.customerKeys.getLatestKeyForUser(args.telegramUserId);
+        const ignoredKeyIds = keyRecord
+            ? [keyRecord.id]
+            : latestKey && latestKey.status !== "revoked"
+                ? [latestKey.id]
+                : [];
+        assertWorkspaceApiKeyCapacity({
+            workspaceId: workspace.id,
+            billing: args.billing,
+            customerKeys: args.customerKeys,
+            ignoredKeyIds,
+            maxApiKeysIfNoEntitlement: plan.maxApiKeys,
+        });
+        keyToRevokeAfterSync = keyRecord ?? (latestKey && latestKey.status !== "revoked" ? latestKey : undefined);
+        const created = args.customerKeys.createKey({
+            workspaceId: workspace.id,
+            telegramUserId: args.telegramUserId,
+            clientRoute: workspace.defaultClientRoute,
+            status: "suspended",
+        });
+        keyRecord = created.record;
+        apiKey = created.apiKey;
+        createdKeyId = created.record.id;
+        mode = latestKey ? "existing_key_replaced" : "new_key_created";
+        args.auditLog?.record({
+            event: "api_key.created",
+            actor: args.actor,
+            subjectType: "customer_api_key",
+            subjectId: keyRecord.id,
+            metadata: {
+                telegramUserId: args.telegramUserId,
+                workspaceId: workspace.id,
+                clientRoute: keyRecord.clientRoute,
+                keyPreview: keyRecord.apiKeyPreview,
+            },
+        });
+        if (latestKey) {
+            args.auditLog?.record({
+                event: "api_key.rotated",
+                actor: args.actor,
+                subjectType: "customer_api_key",
+                subjectId: keyRecord.id,
+                metadata: {
+                    telegramUserId: args.telegramUserId,
+                    workspaceId: workspace.id,
+                    oldKeyId: latestKey.id,
+                    newKeyId: keyRecord.id,
+                    newKeyPreview: keyRecord.apiKeyPreview,
+                },
+            });
+        }
+    }
+    else {
+        if (keyRecord) {
+            mode = "existing_key_already_active";
+            apiKey = args.customerKeys.getApiKeySecret(keyRecord.id);
+        }
+        else {
+            const latestKey = args.customerKeys.getLatestKeyForUser(args.telegramUserId);
+            const latestKeySecret = latestKey ? args.customerKeys.getApiKeySecret(latestKey.id) : undefined;
+            if (latestKey && latestKey.status !== "revoked" && latestKeySecret) {
+                keyRecord = args.customerKeys.setStatus(latestKey.id, "active");
+                mode = "existing_key_reactivated";
+                if (keyRecord) {
+                    apiKey = latestKeySecret;
+                }
+                if (keyRecord) {
+                    args.auditLog?.record({
+                        event: "api_key.activated",
+                        actor: args.actor,
+                        subjectType: "customer_api_key",
+                        subjectId: keyRecord.id,
+                        metadata: {
+                            telegramUserId: args.telegramUserId,
+                            workspaceId: workspace.id,
+                            keyPreview: keyRecord.apiKeyPreview,
+                        },
+                    });
+                }
+            }
+            else if (latestKey && latestKey.status !== "revoked") {
+                assertWorkspaceApiKeyCapacity({
+                    workspaceId: workspace.id,
+                    billing: args.billing,
+                    customerKeys: args.customerKeys,
+                    ignoredKeyIds: [latestKey.id],
+                    maxApiKeysIfNoEntitlement: plan.maxApiKeys,
+                });
+                keyToRevokeAfterSync = latestKey;
+                const created = args.customerKeys.createKey({
+                    workspaceId: workspace.id,
+                    telegramUserId: args.telegramUserId,
+                    clientRoute: workspace.defaultClientRoute,
+                    status: "suspended",
+                });
+                keyRecord = created.record;
+                apiKey = created.apiKey;
+                createdKeyId = created.record.id;
+                mode = "existing_key_replaced";
+                args.auditLog?.record({
+                    event: "api_key.created",
+                    actor: args.actor,
+                    subjectType: "customer_api_key",
+                    subjectId: keyRecord.id,
+                    metadata: {
+                        telegramUserId: args.telegramUserId,
+                        workspaceId: workspace.id,
+                        clientRoute: keyRecord.clientRoute,
+                        keyPreview: keyRecord.apiKeyPreview,
+                        reason: "legacy_key_secret_unavailable",
+                    },
+                });
+                args.auditLog?.record({
+                    event: "api_key.rotated",
+                    actor: args.actor,
+                    subjectType: "customer_api_key",
+                    subjectId: keyRecord.id,
+                    metadata: {
+                        telegramUserId: args.telegramUserId,
+                        workspaceId: workspace.id,
+                        oldKeyId: latestKey.id,
+                        newKeyId: keyRecord.id,
+                        newKeyPreview: keyRecord.apiKeyPreview,
+                        reason: "legacy_key_secret_unavailable",
+                    },
+                });
+            }
+            else {
+                assertWorkspaceApiKeyCapacity({
+                    workspaceId: workspace.id,
+                    billing: args.billing,
+                    customerKeys: args.customerKeys,
+                    maxApiKeysIfNoEntitlement: plan.maxApiKeys,
+                });
+                const created = args.customerKeys.createKey({
+                    workspaceId: workspace.id,
+                    telegramUserId: args.telegramUserId,
+                    clientRoute: workspace.defaultClientRoute,
+                    status: "suspended",
+                });
+                keyRecord = created.record;
+                apiKey = created.apiKey;
+                createdKeyId = created.record.id;
+                mode = "new_key_created";
+                args.auditLog?.record({
+                    event: "api_key.created",
+                    actor: args.actor,
+                    subjectType: "customer_api_key",
+                    subjectId: keyRecord.id,
+                    metadata: {
+                        telegramUserId: args.telegramUserId,
+                        workspaceId: workspace.id,
+                        clientRoute: keyRecord.clientRoute,
+                        keyPreview: keyRecord.apiKeyPreview,
+                    },
+                });
+            }
+        }
+    }
+    if (!keyRecord) {
+        throw new Error("Customer key could not be created or reactivated");
+    }
+    if (apiKey && createdKeyId) {
+        try {
+            await syncNewRouteApiKey(args.proxyClient, workspace.defaultClientRoute, apiKey);
+            const activated = args.customerKeys.setStatus(createdKeyId, "active");
+            if (activated) {
+                keyRecord = activated;
+                args.auditLog?.record({
+                    event: "api_key.activated",
+                    actor: args.actor,
+                    subjectType: "customer_api_key",
+                    subjectId: activated.id,
+                    metadata: {
+                        telegramUserId: args.telegramUserId,
+                        workspaceId: workspace.id,
+                        keyPreview: activated.apiKeyPreview,
+                        reason: "proxy_sync_succeeded",
+                    },
+                });
+            }
+            if (keyToRevokeAfterSync) {
+                args.customerKeys.setStatus(keyToRevokeAfterSync.id, "revoked");
+                args.auditLog?.record({
+                    event: "api_key.revoked",
+                    actor: args.actor,
+                    subjectType: "customer_api_key",
+                    subjectId: keyToRevokeAfterSync.id,
+                    metadata: {
+                        telegramUserId: args.telegramUserId,
+                        workspaceId: workspace.id,
+                        keyPreview: keyToRevokeAfterSync.apiKeyPreview,
+                        reason: "rotation",
+                    },
+                });
+            }
+        }
+        catch (error) {
+            args.customerKeys.setStatus(createdKeyId, "revoked");
+            args.auditLog?.record({
+                event: "api_key.revoked",
+                actor: { type: "system", id: "proxy-sync-rollback" },
+                subjectType: "customer_api_key",
+                subjectId: createdKeyId,
+                metadata: {
+                    telegramUserId: args.telegramUserId,
+                    workspaceId: workspace.id,
+                    keyPreview: keyRecord.apiKeyPreview,
+                    reason: "proxy_sync_failed",
+                },
+            });
+            throw error;
+        }
+    }
+    const { subscription } = args.billing.grantSubscription({
+        workspaceId: workspace.id,
+        planId: args.planId,
+        days: args.days,
+    });
+    args.auditLog?.record({
+        event: args.action === "grant" ? "subscription.granted" : "subscription.renewed",
+        actor: args.actor,
+        subjectType: "workspace",
+        subjectId: workspace.id,
+        metadata: {
+            workspaceId: workspace.id,
+            telegramUserId: args.telegramUserId,
+            planId: args.planId,
+            days: args.days,
+            subscriptionEndsAt: subscription.currentPeriodEnd,
+        },
+    });
+    return {
+        mode,
+        workspaceId: workspace.id,
+        clientRoute: workspace.defaultClientRoute,
+        keyId: keyRecord.id,
+        keyPreview: keyRecord.apiKeyPreview,
+        apiKey,
+        subscriptionEndsAt: subscription.currentPeriodEnd,
+    };
+}
+function readClientRouteKeys(payload, clientRoute) {
+    const routes = [
+        ...(Array.isArray(payload?.clientRoutes) ? payload.clientRoutes : []),
+        ...Object.values(payload?.clients ?? {})
+            .map((entry) => entry?.route)
+            .filter(Boolean),
+    ];
+    const route = routes.find((entry) => entry?.key === clientRoute);
+    return Array.isArray(route?.apiKeys)
+        ? route.apiKeys.filter((entry) => typeof entry === "string" && entry.trim().length > 0)
+        : [];
+}
+async function syncNewRouteApiKey(proxyClient, clientRoute, apiKey) {
+    const clientConfigs = await proxyClient.getClientConfigs();
+    const currentKeys = readClientRouteKeys(clientConfigs, clientRoute);
+    const nextKeys = [...new Set([...currentKeys, apiKey])];
+    await proxyClient.setClientRouteApiKeys({
+        client: clientRoute,
+        apiKeys: nextKeys,
+    });
+}