responses-proxy 0.1.0

package/dist/client-config-apply.js

@@ -0,0 +1,345 @@
+import { randomBytes } from "node:crypto";
+import { existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs";
+import { basename, dirname, join } from "node:path";
+import { homedir } from "node:os";
+export function resolveQuickApplyPaths(overrides) {
+    const home = homedir();
+    const codexConfigPath = overrides?.codexConfigPath?.trim() || `${home}/.codex/config.toml`;
+    const codexAuthPath = overrides?.codexAuthPath?.trim() ||
+        (overrides?.codexConfigPath?.trim() ? join(dirname(codexConfigPath), "auth.json") : `${home}/.codex/auth.json`);
+    return {
+        hermesConfigPath: overrides?.hermesConfigPath?.trim() || `${home}/.hermes/config.yaml`,
+        codexConfigPath,
+        codexAuthPath,
+        backupDir: overrides?.backupDir?.trim() || `${home}/.responses-proxy/client-config-backups`,
+    };
+}
+export function generateRouteApiKey(client) {
+    return `sk-${client}-route-${randomBytes(12).toString("hex")}`;
+}
+export function normalizeProxyBaseUrl(value) {
+    const trimmed = value?.trim() || "";
+    if (!trimmed) {
+        return "";
+    }
+    return trimmed.replace(/\/+$/, "");
+}
+export function readQuickApplyStatus(raw, config, path) {
+    if (config.client === "hermes") {
+        return readHermesStatus(raw, config, path);
+    }
+    return readCodexStatus(raw, config, path);
+}
+export function applyQuickConfig(raw, config) {
+    if (config.client === "hermes") {
+        return applyHermesConfig(raw, config);
+    }
+    return applyCodexConfig(raw, config);
+}
+export function readCodexAuthStatus(raw, routeApiKey, path, options) {
+    const data = parseJsonObject(raw);
+    const detectedApiKey = typeof data.OPENAI_API_KEY === "string" ? data.OPENAI_API_KEY : null;
+    return {
+        path,
+        exists: typeof raw === "string",
+        configured: detectedApiKey === routeApiKey,
+        detectedApiKey,
+        backups: listRecentConfigBackups(path, 1, options),
+    };
+}
+export function applyCodexAuth(raw, routeApiKey) {
+    const data = parseJsonObject(raw);
+    data.OPENAI_API_KEY = routeApiKey;
+    return `${JSON.stringify(data, null, 2)}\n`;
+}
+export function writeQuickConfigFile(filePath, nextRaw, options) {
+    mkdirSync(dirname(filePath), { recursive: true });
+    if (existsSync(filePath)) {
+        const currentRaw = readFileSync(filePath, "utf8");
+        if (currentRaw === nextRaw) {
+            return { changed: false, backupCreated: false };
+        }
+        const backupPath = buildTimestampedBackupPath(filePath, new Date(), options?.backupDir);
+        mkdirSync(dirname(backupPath), { recursive: true });
+        writeFileSync(backupPath, currentRaw, "utf8");
+        writeFileSync(filePath, nextRaw, "utf8");
+        return { changed: true, backupCreated: true, backupPath };
+    }
+    writeFileSync(filePath, nextRaw, "utf8");
+    return { changed: true, backupCreated: false };
+}
+export function readQuickConfigFile(filePath) {
+    try {
+        return readFileSync(filePath, "utf8");
+    }
+    catch {
+        return undefined;
+    }
+}
+export function listRecentConfigBackups(filePath, limit = 5, options) {
+    try {
+        const directory = options?.backupDir?.trim() || dirname(filePath);
+        const fileName = basename(filePath);
+        return readdirSync(directory)
+            .filter((entry) => entry.startsWith(`${fileName}.`) && entry.endsWith(".bak"))
+            .map((entry) => {
+            const fullPath = `${directory}/${entry}`;
+            const stats = statSync(fullPath);
+            return {
+                path: fullPath,
+                fileName: entry,
+                modifiedAt: stats.mtime.toISOString(),
+                sizeBytes: stats.size,
+            };
+        })
+            .sort((left, right) => right.modifiedAt.localeCompare(left.modifiedAt))
+            .slice(0, limit);
+    }
+    catch {
+        return [];
+    }
+}
+function readHermesStatus(raw, config, path) {
+    const detected = {
+        model: readYamlSectionKey(raw, "model", "default"),
+        provider: readYamlSectionKey(raw, "model", "provider"),
+        apiKey: readYamlSectionKey(raw, "model", "api_key"),
+        baseUrl: readYamlSectionKey(raw, "model", "base_url"),
+        apiMode: readYamlSectionKey(raw, "model", "api_mode"),
+    };
+    return {
+        client: "hermes",
+        path,
+        exists: typeof raw === "string",
+        configured: (!config.model?.trim() || detected.model === config.model.trim()) &&
+            detected.provider === "custom" &&
+            normalizeProxyBaseUrl(detected.baseUrl) === normalizeProxyBaseUrl(config.proxyBaseUrl) &&
+            detected.apiKey === config.routeApiKey &&
+            detected.apiMode === "codex_responses",
+        routeApiKey: config.routeApiKey,
+        detected,
+    };
+}
+function readCodexStatus(raw, config, path) {
+    const providerName = readTomlTopLevelString(raw, "model_provider");
+    const section = providerName ? readTomlSection(raw, `model_providers.${providerName}`) : undefined;
+    const detected = {
+        model: readTomlTopLevelString(raw, "model") ?? null,
+        modelProvider: providerName ?? null,
+        providerName: section ? readTomlString(section, "name") ?? providerName ?? null : null,
+        apiKey: section ? readTomlString(section, "api_key") ?? null : null,
+        baseUrl: section ? readTomlString(section, "base_url") ?? null : null,
+        wireApi: section ? readTomlString(section, "wire_api") ?? null : null,
+    };
+    return {
+        client: "codex",
+        path,
+        exists: typeof raw === "string",
+        configured: (!config.model?.trim() || detected.model === config.model.trim()) &&
+            detected.modelProvider === "responses_proxy" &&
+            normalizeProxyBaseUrl(detected.baseUrl) === normalizeProxyBaseUrl(config.proxyBaseUrl) &&
+            detected.apiKey === config.routeApiKey &&
+            detected.wireApi === "responses",
+        routeApiKey: config.routeApiKey,
+        detected,
+    };
+}
+export function applyHermesConfig(raw, config) {
+    const currentModel = readYamlSectionKey(raw, "model", "default");
+    const nextModel = config.model?.trim() || currentModel || "gpt-5.4";
+    const nextBaseUrl = normalizeProxyBaseUrl(config.proxyBaseUrl);
+    let nextRaw = typeof raw === "string" && raw.trim() ? raw : "";
+    nextRaw = upsertYamlSectionKey(nextRaw, "model", "default", nextModel);
+    nextRaw = upsertYamlSectionKey(nextRaw, "model", "provider", "custom");
+    nextRaw = upsertYamlSectionKey(nextRaw, "model", "api_key", config.routeApiKey);
+    nextRaw = upsertYamlSectionKey(nextRaw, "model", "base_url", nextBaseUrl);
+    nextRaw = upsertYamlSectionKey(nextRaw, "model", "api_mode", "codex_responses");
+    return ensureTrailingNewline(nextRaw);
+}
+export function applyCodexConfig(raw, config) {
+    const currentModel = readTomlTopLevelString(raw, "model");
+    const nextModel = config.model?.trim() || currentModel || "gpt-5.4";
+    const nextBaseUrl = normalizeProxyBaseUrl(config.proxyBaseUrl);
+    let nextRaw = typeof raw === "string" && raw.trim() ? raw : "";
+    nextRaw = upsertTomlTopLevelString(nextRaw, "model", nextModel);
+    nextRaw = upsertTomlTopLevelString(nextRaw, "model_provider", "responses_proxy");
+    nextRaw = upsertTomlSectionString(nextRaw, "model_providers.responses_proxy", "name", "responses-proxy");
+    nextRaw = upsertTomlSectionString(nextRaw, "model_providers.responses_proxy", "base_url", nextBaseUrl);
+    nextRaw = upsertTomlSectionString(nextRaw, "model_providers.responses_proxy", "api_key", config.routeApiKey);
+    nextRaw = upsertTomlSectionString(nextRaw, "model_providers.responses_proxy", "wire_api", "responses");
+    return ensureTrailingNewline(nextRaw);
+}
+function upsertYamlSectionKey(raw, section, key, value) {
+    const encodedValue = encodeYamlScalar(value);
+    const lines = raw ? raw.split("\n") : [];
+    const bounds = findYamlSectionBounds(lines, section);
+    if (!bounds) {
+        const prefix = raw.trim() ? `${raw.replace(/\s*$/, "\n\n")}` : "";
+        return `${prefix}${section}:\n  ${key}: ${encodedValue}\n`;
+    }
+    const nextLines = [...lines];
+    let updated = false;
+    for (let index = bounds.start + 1; index < bounds.end; index += 1) {
+        if (new RegExp(`^\\s{2}${escapeRegExp(key)}:`).test(nextLines[index])) {
+            nextLines[index] = `  ${key}: ${encodedValue}`;
+            updated = true;
+            break;
+        }
+    }
+    if (!updated) {
+        nextLines.splice(bounds.end, 0, `  ${key}: ${encodedValue}`);
+    }
+    return nextLines.join("\n");
+}
+function readYamlSectionKey(raw, section, key) {
+    if (!raw) {
+        return null;
+    }
+    const lines = raw.split("\n");
+    const bounds = findYamlSectionBounds(lines, section);
+    if (!bounds) {
+        return null;
+    }
+    for (let index = bounds.start + 1; index < bounds.end; index += 1) {
+        const match = lines[index].match(new RegExp(`^\\s{2}${escapeRegExp(key)}:\\s*(.+?)\\s*$`));
+        if (match?.[1]) {
+            return stripYamlQuotes(match[1].trim());
+        }
+    }
+    return null;
+}
+function encodeYamlScalar(value) {
+    if (/^[A-Za-z0-9_./:-]+$/.test(value)) {
+        return value;
+    }
+    return JSON.stringify(value);
+}
+function stripYamlQuotes(value) {
+    if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
+        return value.slice(1, -1);
+    }
+    return value;
+}
+function upsertTomlTopLevelString(raw, key, value) {
+    const encodedValue = JSON.stringify(value);
+    const pattern = new RegExp(`^${escapeRegExp(key)}\\s*=\\s*\"[^\"]*\"\\s*$`, "m");
+    if (pattern.test(raw)) {
+        return raw.replace(pattern, `${key} = ${encodedValue}`);
+    }
+    const trimmed = raw.trim();
+    if (!trimmed) {
+        return `${key} = ${encodedValue}\n`;
+    }
+    return `${key} = ${encodedValue}\n${raw}`;
+}
+function upsertTomlSectionString(raw, sectionName, key, value) {
+    const encodedValue = JSON.stringify(value);
+    const lines = raw ? raw.split("\n") : [];
+    const bounds = findTomlSectionBounds(lines, sectionName);
+    if (!bounds) {
+        const prefix = raw.trim() ? `${raw.replace(/\s*$/, "\n\n")}` : "";
+        return `${prefix}[${sectionName}]\n${key} = ${encodedValue}\n`;
+    }
+    const nextLines = [...lines];
+    let updated = false;
+    for (let index = bounds.start + 1; index < bounds.end; index += 1) {
+        if (new RegExp(`^${escapeRegExp(key)}\\s*=`).test(nextLines[index])) {
+            nextLines[index] = `${key} = ${encodedValue}`;
+            updated = true;
+            break;
+        }
+    }
+    if (!updated) {
+        nextLines.splice(bounds.end, 0, `${key} = ${encodedValue}`);
+    }
+    return nextLines.join("\n");
+}
+function readTomlTopLevelString(raw, key) {
+    if (!raw) {
+        return undefined;
+    }
+    const match = raw.match(new RegExp(`^${escapeRegExp(key)}\\s*=\\s*\"([^\"]+)\"\\s*$`, "m"));
+    return match?.[1];
+}
+function readTomlSection(raw, sectionName) {
+    if (!raw) {
+        return undefined;
+    }
+    const lines = raw.split("\n");
+    const bounds = findTomlSectionBounds(lines, sectionName);
+    if (!bounds) {
+        return undefined;
+    }
+    return lines.slice(bounds.start + 1, bounds.end).join("\n");
+}
+function readTomlString(rawSection, key) {
+    const match = rawSection.match(new RegExp(`^${escapeRegExp(key)}\\s*=\\s*\"([^\"]+)\"\\s*$`, "m"));
+    return match?.[1];
+}
+function parseJsonObject(raw) {
+    if (!raw?.trim()) {
+        return {};
+    }
+    try {
+        const parsed = JSON.parse(raw);
+        return parsed && typeof parsed === "object" && !Array.isArray(parsed)
+            ? { ...parsed }
+            : {};
+    }
+    catch {
+        return {};
+    }
+}
+function ensureTrailingNewline(raw) {
+    return raw.endsWith("\n") ? raw : `${raw}\n`;
+}
+function findYamlSectionBounds(lines, section) {
+    const start = lines.findIndex((line) => line.trim() === `${section}:`);
+    if (start === -1) {
+        return undefined;
+    }
+    let end = lines.length;
+    for (let index = start + 1; index < lines.length; index += 1) {
+        const line = lines[index];
+        if (line && !/^\s/.test(line)) {
+            end = index;
+            break;
+        }
+    }
+    return { start, end };
+}
+function findTomlSectionBounds(lines, sectionName) {
+    const start = lines.findIndex((line) => line.trim() === `[${sectionName}]`);
+    if (start === -1) {
+        return undefined;
+    }
+    let end = lines.length;
+    for (let index = start + 1; index < lines.length; index += 1) {
+        if (lines[index].trim().startsWith("[") && lines[index].trim().endsWith("]")) {
+            end = index;
+            break;
+        }
+    }
+    return { start, end };
+}
+function buildTimestampedBackupPath(filePath, date, backupDir) {
+    const pad = (value) => String(value).padStart(2, "0");
+    const padMs = (value) => String(value).padStart(3, "0");
+    const timestamp = [
+        date.getFullYear(),
+        pad(date.getMonth() + 1),
+        pad(date.getDate()),
+        "-",
+        pad(date.getHours()),
+        pad(date.getMinutes()),
+        pad(date.getSeconds()),
+        "-",
+        padMs(date.getMilliseconds()),
+    ].join("");
+    const fileName = basename(filePath);
+    const targetDir = backupDir?.trim() || dirname(filePath);
+    return `${targetDir}/${fileName}.${timestamp}.bak`;
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}

package/dist/client-config-apply.test.js

@@ -0,0 +1,185 @@
+import assert from "node:assert/strict";
+import { mkdtempSync, readFileSync, readdirSync, rmSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import test from "node:test";
+import { applyCodexAuth, applyCodexConfig, applyHermesConfig, normalizeProxyBaseUrl, readCodexAuthStatus, readQuickApplyStatus, resolveQuickApplyPaths, writeQuickConfigFile, } from "./client-config-apply.js";
+test("applyHermesConfig points Hermes to proxy while preserving unrelated sections", () => {
+    const raw = [
+        "model:",
+        "  default: gpt-5.5",
+        "  provider: custom",
+        "  api_key: old-key",
+        "browser:",
+        "  inactivity_timeout: 120",
+        "",
+    ].join("\n");
+    const next = applyHermesConfig(raw, {
+        client: "hermes",
+        proxyBaseUrl: "http://127.0.0.1:8318/v1",
+        routeApiKey: "sk-hermes-route-abc",
+    });
+    assert.match(next, /model:\n  default: gpt-5\.5\n  provider: custom\n  api_key: sk-hermes-route-abc\n  base_url: http:\/\/127\.0\.0\.1:8318\/v1\n  api_mode: codex_responses\n/);
+    assert.match(next, /browser:\n  inactivity_timeout: 120/);
+});
+test("readQuickApplyStatus rejects Hermes config when it contains another client's route API key", () => {
+    const raw = [
+        "model:",
+        "  default: gpt-5.4",
+        "  provider: custom",
+        "  api_key: sk-codex-route-abc",
+        "  base_url: http://127.0.0.1:8318/v1",
+        "  api_mode: codex_responses",
+        "",
+    ].join("\n");
+    const status = readQuickApplyStatus(raw, {
+        client: "hermes",
+        proxyBaseUrl: "http://127.0.0.1:8318/v1",
+        routeApiKey: "sk-hermes-route-abc",
+    }, "/tmp/hermes-config.yaml");
+    assert.equal(status.configured, false);
+    assert.equal(status.detected.apiKey, "sk-codex-route-abc");
+    assert.equal(status.routeApiKey, "sk-hermes-route-abc");
+});
+test("readQuickApplyStatus rejects Hermes config when the configured model differs", () => {
+    const raw = [
+        "model:",
+        "  default: cx/gpt-5.4",
+        "  provider: custom",
+        "  api_key: sk-hermes-route-abc",
+        "  base_url: http://127.0.0.1:8318/v1",
+        "  api_mode: codex_responses",
+        "",
+    ].join("\n");
+    const status = readQuickApplyStatus(raw, {
+        client: "hermes",
+        proxyBaseUrl: "http://127.0.0.1:8318/v1",
+        routeApiKey: "sk-hermes-route-abc",
+        model: "cx/gpt-5.5",
+    }, "/tmp/hermes-config.yaml");
+    assert.equal(status.configured, false);
+    assert.equal(status.detected.model, "cx/gpt-5.4");
+});
+test("applyCodexConfig switches active provider to responses_proxy and preserves project sections", () => {
+    const raw = [
+        'model = "gpt-5.4"',
+        'model_provider = "cliproxy"',
+        "",
+        "[model_providers.cliproxy]",
+        'name = "cliproxy"',
+        'base_url = "http://100.111.102.37:8317/v1"',
+        'api_key = "sk-old"',
+        'wire_api = "responses"',
+        "",
+        '[projects."/Volumes/Home_EX/Projects/responses-proxy"]',
+        'trust_level = "trusted"',
+        "",
+    ].join("\n");
+    const next = applyCodexConfig(raw, {
+        client: "codex",
+        proxyBaseUrl: "http://127.0.0.1:8318/v1",
+        routeApiKey: "sk-codex-route-abc",
+    });
+    assert.match(next, /^model = "gpt-5\.4"$/m);
+    assert.match(next, /^model_provider = "responses_proxy"$/m);
+    assert.match(next, /\[model_providers\.responses_proxy\][\s\S]*base_url = "http:\/\/127\.0\.0\.1:8318\/v1"[\s\S]*api_key = "sk-codex-route-abc"[\s\S]*wire_api = "responses"/m);
+    assert.match(next, /\[projects\."\/Volumes\/Home_EX\/Projects\/responses-proxy"\]\ntrust_level = "trusted"/);
+});
+test("applyCodexConfig uses the selected helper model when provided", () => {
+    const next = applyCodexConfig('model = "gpt-5.5"\n', {
+        client: "codex",
+        proxyBaseUrl: "http://127.0.0.1:8318/v1",
+        routeApiKey: "sk-codex-route-abc",
+        model: "gpt-5.4",
+    });
+    assert.match(next, /^model = "gpt-5\.4"$/m);
+});
+test("applyCodexAuth stores the selected route API key in auth.json", () => {
+    const next = applyCodexAuth('{\n  "OPENAI_API_KEY": "sk-old"\n}\n', "sk-codex-route-abc");
+    assert.equal(JSON.parse(next).OPENAI_API_KEY, "sk-codex-route-abc");
+});
+test("readQuickApplyStatus marks Hermes as configured only when route key and base URL match", () => {
+    const raw = [
+        "model:",
+        "  default: cx/gpt-5.4",
+        "  provider: custom",
+        "  api_key: sk-hermes-route-abc",
+        "  base_url: http://127.0.0.1:8318/v1",
+        "  api_mode: codex_responses",
+        "",
+    ].join("\n");
+    const status = readQuickApplyStatus(raw, {
+        client: "hermes",
+        proxyBaseUrl: "http://127.0.0.1:8318/v1",
+        routeApiKey: "sk-hermes-route-abc",
+    }, "/tmp/hermes.yaml");
+    assert.equal(status.configured, true);
+    assert.equal(status.detected.baseUrl, "http://127.0.0.1:8318/v1");
+    assert.equal(status.detected.apiKey, "sk-hermes-route-abc");
+});
+test("readCodexAuthStatus detects when auth.json already matches the route key", () => {
+    const status = readCodexAuthStatus('{\n  "OPENAI_API_KEY": "sk-codex-route-abc"\n}\n', "sk-codex-route-abc", "/tmp/auth.json");
+    assert.equal(status.configured, true);
+    assert.equal(status.detectedApiKey, "sk-codex-route-abc");
+});
+test("writeQuickConfigFile stores backup in configured backup directory", () => {
+    const tempDir = mkdtempSync(path.join(os.tmpdir(), "responses-proxy-quick-apply-"));
+    const configFile = path.join(tempDir, "config.toml");
+    const backupDir = path.join(tempDir, "backups");
+    try {
+        writeQuickConfigFile(configFile, 'model = "gpt-5.4"\n');
+        writeQuickConfigFile(configFile, 'model = "gpt-5.5"\n', { backupDir });
+        const backupFiles = readdirSync(backupDir);
+        assert.equal(backupFiles.length, 1);
+        assert.match(backupFiles[0], /^config\.toml\.\d{8}-\d{6}-\d{3}\.bak$/);
+        assert.equal(readFileSync(path.join(backupDir, backupFiles[0]), "utf8"), 'model = "gpt-5.4"\n');
+    }
+    finally {
+        rmSync(tempDir, { recursive: true, force: true });
+    }
+});
+test("writeQuickConfigFile skips backup when content is unchanged", () => {
+    const tempDir = mkdtempSync(path.join(os.tmpdir(), "responses-proxy-quick-apply-"));
+    const configFile = path.join(tempDir, "config.toml");
+    const backupDir = path.join(tempDir, "backups");
+    try {
+        const firstWrite = writeQuickConfigFile(configFile, 'model = "gpt-5.4"\n');
+        const secondWrite = writeQuickConfigFile(configFile, 'model = "gpt-5.4"\n', { backupDir });
+        assert.equal(firstWrite.changed, true);
+        assert.equal(firstWrite.backupCreated, false);
+        assert.equal(secondWrite.changed, false);
+        assert.equal(secondWrite.backupCreated, false);
+        assert.equal(readdirSync(tempDir).includes("backups"), false);
+    }
+    finally {
+        rmSync(tempDir, { recursive: true, force: true });
+    }
+});
+test("readQuickApplyStatus treats normalized trailing slash base URLs as configured", () => {
+    const raw = [
+        "model:",
+        "  default: gpt-5.5",
+        "  provider: custom",
+        "  api_key: sk-hermes-route-abc",
+        "  base_url: http://127.0.0.1:8318/v1/",
+        "  api_mode: codex_responses",
+        "",
+    ].join("\n");
+    const status = readQuickApplyStatus(raw, {
+        client: "hermes",
+        proxyBaseUrl: "http://127.0.0.1:8318/v1",
+        routeApiKey: "sk-hermes-route-abc",
+    }, "/tmp/hermes.yaml");
+    assert.equal(status.configured, true);
+});
+test("normalizeProxyBaseUrl trims trailing slashes", () => {
+    assert.equal(normalizeProxyBaseUrl(" http://127.0.0.1:8318/v1/ "), "http://127.0.0.1:8318/v1");
+    assert.equal(normalizeProxyBaseUrl(""), "");
+});
+test("resolveQuickApplyPaths keeps Codex auth alongside override config path", () => {
+    const paths = resolveQuickApplyPaths({
+        codexConfigPath: "/host-home/.codex/config.toml",
+    });
+    assert.equal(paths.codexConfigPath, "/host-home/.codex/config.toml");
+    assert.equal(paths.codexAuthPath, "/host-home/.codex/auth.json");
+});

package/dist/client-token-limits.js

@@ -0,0 +1,111 @@
+export function resolveClientTokenWindowStart(now, config) {
+    const current = new Date(now);
+    switch (config.windowType) {
+        case "weekly": {
+            const windowStart = new Date(current);
+            windowStart.setUTCHours(0, 0, 0, 0);
+            const day = windowStart.getUTCDay();
+            const offset = (day + 6) % 7;
+            windowStart.setUTCDate(windowStart.getUTCDate() - offset);
+            return windowStart.toISOString();
+        }
+        case "monthly": {
+            return new Date(Date.UTC(current.getUTCFullYear(), current.getUTCMonth(), 1, 0, 0, 0, 0)).toISOString();
+        }
+        case "fixed": {
+            const sizeSeconds = config.windowSizeSeconds && config.windowSizeSeconds > 0
+                ? config.windowSizeSeconds
+                : 86400;
+            const epochSeconds = Math.floor(current.getTime() / 1000);
+            const windowStartSeconds = epochSeconds - (epochSeconds % sizeSeconds);
+            return new Date(windowStartSeconds * 1000).toISOString();
+        }
+        case "daily":
+        default: {
+            const windowStart = new Date(current);
+            windowStart.setUTCHours(0, 0, 0, 0);
+            return windowStart.toISOString();
+        }
+    }
+}
+export function getClientTokenLimitStatus(config, usage) {
+    const used = normalizeNonNegativeInteger(usage.totalTokens);
+    const windowStart = usage.windowStart;
+    if (!config?.enabled) {
+        return {
+            used,
+            limit: null,
+            remaining: null,
+            blocked: false,
+            windowStart,
+        };
+    }
+    const limit = normalizeNonNegativeInteger(config.tokenLimit);
+    const remaining = Math.max(0, limit - used);
+    return {
+        used,
+        limit,
+        remaining,
+        blocked: config.hardBlock && limit > 0 && remaining <= 0,
+        windowStart,
+    };
+}
+export function buildClientTokenLimitError(client, status) {
+    return {
+        statusCode: 429,
+        body: {
+            error: {
+                type: "request_error",
+                code: "CLIENT_TOKEN_LIMIT_EXCEEDED",
+                message: `Client route '${client}' has reached its token limit for the current window.`,
+                client,
+                client_route: client,
+                usage: status,
+            },
+        },
+    };
+}
+export function extractUsageTotals(usagePayload) {
+    const usage = resolveUsagePayload(usagePayload);
+    if (!usage) {
+        return undefined;
+    }
+    const totalTokens = readNonNegativeInteger(usage.total_tokens);
+    if (totalTokens === undefined) {
+        return undefined;
+    }
+    return {
+        inputTokens: readNonNegativeInteger(usage.input_tokens) ?? 0,
+        outputTokens: readNonNegativeInteger(usage.output_tokens) ?? 0,
+        totalTokens,
+    };
+}
+function resolveUsagePayload(value) {
+    if (!isRecord(value)) {
+        return undefined;
+    }
+    if ("total_tokens" in value) {
+        return value;
+    }
+    if (isRecord(value.usage)) {
+        return value.usage;
+    }
+    const response = value.response;
+    if (!isRecord(response)) {
+        return undefined;
+    }
+    return isRecord(response.usage) ? response.usage : undefined;
+}
+function readNonNegativeInteger(value) {
+    const parsed = Number(value);
+    if (!Number.isFinite(parsed) || parsed < 0) {
+        return undefined;
+    }
+    return Math.floor(parsed);
+}
+function normalizeNonNegativeInteger(value) {
+    return readNonNegativeInteger(value) ?? 0;
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}