proxyagent 0.3.1__tar.gz → 0.5.0__tar.gz

{proxyagent-0.3.1 → proxyagent-0.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: proxyagent
-Version: 0.3.1
+Version: 0.5.0
 Summary: Run any agent (Claude, Codex, custom) on any machine — with no API key on the machine. A secure, self-hosted proxy for models and tools.
 Project-URL: Homepage, https://github.com/teddyoweh/proxyagent
 Author-email: Spawn Labs <teddy@spawnlabs.ai>
@@ -99,9 +99,15 @@ claude -p "ship it"
 ```
 
 ## The dashboard
-`proxyagent serve` ships a dashboard at `/` — mint/revoke tokens, watch live usage and a
-full request audit log, see configured providers + proxied tools. Paste the admin token to
-open it.
+`proxyagent serve` ships a real dashboard at `/` (reveal the admin token with
+`proxyagent admin-token`):
+
+- **Providers** — a branded catalog of every supported provider; **connect/disconnect**
+  with a key right from the UI, see which auth types each supports (api_key / oauth) and
+  whether it's on via env or stored credentials.
+- **Machine tokens** — mint (scoped/TTL), list, revoke.
+- **Model routing** — add/remove model remaps (e.g. `* → mock` for offline).
+- **Activity** — live request log with usage + cost, and headline stats.
 
 ## Proxied tools — the same trick, for tools
 The proxy can also hold your **tool** keys and hand agents governed tools — so an agent gets
@@ -162,6 +168,27 @@ proxyagent.run("claude-code", goal="build the app",
                proxy="https://proxy.you.com", token=token)
 ```
 
+## Harnesses & auth modes
+You run an **agent harness**, and each one can authenticate several ways. The proxy's job
+is to centralise *all* of them so the machine running the harness holds only a `pa_` token:
+
+| Harness | Provider | Auth modes |
+|---|---|---|
+| **Claude Code** | Anthropic | API key · OAuth (subscription) · AWS Bedrock · Google Vertex |
+| **Codex** | OpenAI | API key · OAuth (ChatGPT) · Azure |
+| **Gemini CLI** | Google | API key · OAuth · Vertex |
+
+Connect each mode once in the dashboard's **Harnesses** tab. API-key mode is wired today;
+Bedrock / Vertex / OAuth-refresh (the cloud-credential paths enterprises actually use) are
+being built out — the proxy holds the AWS/GCP creds and signs upstream, so the machine needs
+none. The model providers below are the *backends* for model-agnostic harnesses (aider, Cline…).
+
+## Per-token budgets
+Cap what any token can spend; once its summed cost crosses the cap, the proxy returns **402**.
+```bash
+proxyagent token new ci --budget 5.00      # this token may spend at most $5
+```
+
 ## Supported providers
 `anthropic` · `openai` · `gemini` · `groq` · `openrouter` · `mistral` · `deepseek` ·
 `xai` · `together` — Anthropic uses its Messages API; the rest are OpenAI-compatible.

{proxyagent-0.3.1 → proxyagent-0.5.0}/README.md

@@ -67,9 +67,15 @@ claude -p "ship it"
 ```
 
 ## The dashboard
-`proxyagent serve` ships a dashboard at `/` — mint/revoke tokens, watch live usage and a
-full request audit log, see configured providers + proxied tools. Paste the admin token to
-open it.
+`proxyagent serve` ships a real dashboard at `/` (reveal the admin token with
+`proxyagent admin-token`):
+
+- **Providers** — a branded catalog of every supported provider; **connect/disconnect**
+  with a key right from the UI, see which auth types each supports (api_key / oauth) and
+  whether it's on via env or stored credentials.
+- **Machine tokens** — mint (scoped/TTL), list, revoke.
+- **Model routing** — add/remove model remaps (e.g. `* → mock` for offline).
+- **Activity** — live request log with usage + cost, and headline stats.
 
 ## Proxied tools — the same trick, for tools
 The proxy can also hold your **tool** keys and hand agents governed tools — so an agent gets
@@ -130,6 +136,27 @@ proxyagent.run("claude-code", goal="build the app",
                proxy="https://proxy.you.com", token=token)
 ```
 
+## Harnesses & auth modes
+You run an **agent harness**, and each one can authenticate several ways. The proxy's job
+is to centralise *all* of them so the machine running the harness holds only a `pa_` token:
+
+| Harness | Provider | Auth modes |
+|---|---|---|
+| **Claude Code** | Anthropic | API key · OAuth (subscription) · AWS Bedrock · Google Vertex |
+| **Codex** | OpenAI | API key · OAuth (ChatGPT) · Azure |
+| **Gemini CLI** | Google | API key · OAuth · Vertex |
+
+Connect each mode once in the dashboard's **Harnesses** tab. API-key mode is wired today;
+Bedrock / Vertex / OAuth-refresh (the cloud-credential paths enterprises actually use) are
+being built out — the proxy holds the AWS/GCP creds and signs upstream, so the machine needs
+none. The model providers below are the *backends* for model-agnostic harnesses (aider, Cline…).
+
+## Per-token budgets
+Cap what any token can spend; once its summed cost crosses the cap, the proxy returns **402**.
+```bash
+proxyagent token new ci --budget 5.00      # this token may spend at most $5
+```
+
 ## Supported providers
 `anthropic` · `openai` · `gemini` · `groq` · `openrouter` · `mistral` · `deepseek` ·
 `xai` · `together` — Anthropic uses its Messages API; the rest are OpenAI-compatible.

{proxyagent-0.3.1 → proxyagent-0.5.0}/proxyagent/__init__.py

@@ -16,7 +16,7 @@ from typing import Optional
 
 from .harness import run  # noqa: F401  (the headline SDK call)
 
-__version__ = "0.3.1"
+__version__ = "0.5.0"
 __all__ = ["run", "serve", "create_app", "Config", "Admin", "__version__"]
 
 

{proxyagent-0.3.1 → proxyagent-0.5.0}/proxyagent/cli.py

@@ -219,16 +219,19 @@ def token_new(
     scope: list[str] = typer.Option(["*"], "--scope", help="Allowed provider:model globs, e.g. anthropic:claude-*"),
     ttl: Optional[int] = typer.Option(None, "--ttl", help="Seconds until expiry."),
     rate: int = typer.Option(0, "--rate", help="Max requests/min (0 = unlimited)."),
+    budget: Optional[float] = typer.Option(None, "--budget", help="Max $ this token may spend."),
     proxy: str = typer.Option("http://127.0.0.1:8080", "--proxy"),
     admin: Optional[str] = typer.Option(None, "--admin"),
 ):
     """Mint a machine token — give it to a remote machine; it holds no real key."""
     if not _is_remote(proxy, admin):
-        plain, _ = _local_store().create_token(label, list(scope), ttl_seconds=ttl, rate_limit=rate)
+        plain, _ = _local_store().create_token(label, list(scope), ttl_seconds=ttl,
+                                               rate_limit=rate, budget_usd=budget)
     else:
         with _admin_client(proxy, admin) as c:
             r = c.post("/admin/tokens", json={"label": label, "scope": list(scope),
-                                              "ttl_seconds": ttl, "rate_limit": rate})
+                                              "ttl_seconds": ttl, "rate_limit": rate,
+                                              "budget_usd": budget})
         if r.status_code >= 400:
             err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
         plain = r.json()["token"]

{proxyagent-0.3.1 → proxyagent-0.5.0}/proxyagent/config.py

@@ -59,6 +59,51 @@ PROVIDERS: dict[str, Provider] = {
 }
 
 
+# Display metadata for the dashboard: label, the auth kinds each provider supports,
+# a brand accent colour, and example models.
+CATALOG: dict[str, dict] = {
+    "anthropic":  {"label": "Anthropic",   "kinds": ["api_key", "oauth"], "color": "#D97757",
+                   "models": ["claude-opus-4", "claude-sonnet-4-5", "claude-haiku-4"]},
+    "openai":     {"label": "OpenAI",       "kinds": ["api_key", "oauth"], "color": "#10A37F",
+                   "models": ["gpt-5", "gpt-4.1", "gpt-4o", "o3"]},
+    "gemini":     {"label": "Google Gemini","kinds": ["api_key"],          "color": "#4285F4",
+                   "models": ["gemini-2.5-pro", "gemini-2.5-flash"]},
+    "groq":       {"label": "Groq",         "kinds": ["api_key"],          "color": "#F55036",
+                   "models": ["llama-3.3-70b", "deepseek-r1-distill"]},
+    "openrouter": {"label": "OpenRouter",   "kinds": ["api_key"],          "color": "#7C7CFF",
+                   "models": ["anthropic/claude-sonnet-4.5", "openai/gpt-5"]},
+    "mistral":    {"label": "Mistral",      "kinds": ["api_key"],          "color": "#FF7000",
+                   "models": ["mistral-large", "codestral"]},
+    "deepseek":   {"label": "DeepSeek",     "kinds": ["api_key"],          "color": "#4D6BFE",
+                   "models": ["deepseek-chat", "deepseek-reasoner"]},
+    "xai":        {"label": "xAI",          "kinds": ["api_key"],          "color": "#111111",
+                   "models": ["grok-4", "grok-3-mini"]},
+    "together":   {"label": "Together",     "kinds": ["api_key"],          "color": "#0F6FFF",
+                   "models": ["llama-3.3-70b", "qwen-2.5-72b"]},
+}
+
+
+# Agent harnesses (what you actually RUN) and the auth modes each supports. The model
+# providers above are the *backends*; these are the agents. Auth mode availability is
+# what makes the proxy valuable — it can centralise all of them so the machine holds none.
+HARNESSES: dict[str, dict] = {
+    "claude-code": {"label": "Claude Code", "provider": "anthropic", "color": "#D97757",
+                    "install": "npm i -g @anthropic-ai/claude-code",
+                    "auth": ["api_key", "oauth", "bedrock", "vertex"]},
+    "codex":       {"label": "Codex", "provider": "openai", "color": "#10A37F",
+                    "install": "npm i -g @openai/codex",
+                    "auth": ["api_key", "oauth", "azure"]},
+    "gemini-cli":  {"label": "Gemini CLI", "provider": "gemini", "color": "#4285F4",
+                    "install": "npm i -g @google/gemini-cli",
+                    "auth": ["api_key", "oauth", "vertex"]},
+}
+AUTH_LABELS = {"api_key": "API key", "oauth": "OAuth", "bedrock": "AWS Bedrock",
+               "vertex": "Google Vertex", "azure": "Azure"}
+# Auth modes that are fully wired today (just a key swap). Others are surfaced in the
+# UI as "available" and built out (Bedrock SigV4 / Vertex token / OAuth refresh).
+AUTH_READY = {"api_key"}
+
+
 @dataclass
 class Config:
     home: Path = HOME

{proxyagent-0.3.1 → proxyagent-0.5.0}/proxyagent/server.py

@@ -15,7 +15,7 @@ from fastapi.responses import HTMLResponse, JSONResponse, StreamingResponse
 from pydantic import BaseModel
 
 from . import aliases, crypto
-from .config import Config, PROVIDERS
+from .config import AUTH_LABELS, AUTH_READY, CATALOG, HARNESSES, Config, PROVIDERS
 from .providers import forward, scope_allows
 from .security import token_matches
 from .store import Store, now_ms
@@ -29,6 +29,7 @@ class TokenBody(BaseModel):
     scope: list[str] = ["*"]
     ttl_seconds: int | None = None
     rate_limit: int = 0
+    budget_usd: float | None = None
 
 
 class ProviderBody(BaseModel):
@@ -66,6 +67,9 @@ def create_app(config: Config | None = None) -> FastAPI:
             raise HTTPException(401, "token expired")
         if row["rate_limit"] and store.recent_request_count(row["id"]) >= row["rate_limit"]:
             raise HTTPException(429, "rate limit exceeded")
+        budget = row.get("budget_usd")
+        if budget is not None and store.token_spend(row["id"]) >= budget:
+            raise HTTPException(402, f"token budget of ${budget:.4f} exhausted")
         store.touch_token(row["id"])
         return row
 
@@ -147,10 +151,10 @@ def create_app(config: Config | None = None) -> FastAPI:
     async def create_token(body: TokenBody, authorization: str | None = Header(None),
                            x_admin_token: str | None = Header(None)):
         require_admin(authorization, x_admin_token)
-        plain, row = store.create_token(body.label, body.scope,
-                                        ttl_seconds=body.ttl_seconds, rate_limit=body.rate_limit)
+        plain, row = store.create_token(body.label, body.scope, ttl_seconds=body.ttl_seconds,
+                                        rate_limit=body.rate_limit, budget_usd=body.budget_usd)
         return {"token": plain, "id": row["id"], "label": row["label"],
-                "scope": body.scope, "note": "shown once — store it now"}
+                "scope": body.scope, "budget_usd": body.budget_usd, "note": "shown once — store it now"}
 
     @app.get("/admin/tokens")
     async def list_tokens_ep(authorization: str | None = Header(None),
@@ -161,7 +165,8 @@ def create_app(config: Config | None = None) -> FastAPI:
             out.append({"id": t["id"], "label": t["label"], "masked": t["masked"],
                         "scope": _json.loads(t["scope_json"]), "revoked": bool(t["revoked"]),
                         "rate_limit": t["rate_limit"], "expires_ms": t["expires_ms"],
-                        "last_used_ms": t["last_used_ms"]})
+                        "last_used_ms": t["last_used_ms"], "budget_usd": t.get("budget_usd"),
+                        "spent_usd": round(store.token_spend(t["id"]), 6)})
         return {"tokens": out}
 
     @app.delete("/admin/tokens/{tid}")
@@ -218,6 +223,46 @@ def create_app(config: Config | None = None) -> FastAPI:
             raise HTTPException(404, "no such credential")
         return {"ok": True}
 
+    @app.get("/admin/harnesses")
+    async def harnesses(authorization: str | None = Header(None),
+                        x_admin_token: str | None = Header(None)):
+        require_admin(authorization, x_admin_token)
+        stored = {c["provider"] for c in store.list_credentials() if c["active"]}
+        out = []
+        for name, h in HARNESSES.items():
+            prov = PROVIDERS.get(h["provider"])
+            configured = bool(prov and prov.key) or h["provider"] in stored
+            out.append({
+                "name": name, "label": h["label"], "provider": h["provider"],
+                "color": h["color"], "install": h["install"],
+                "auth": [{"mode": m, "label": AUTH_LABELS.get(m, m),
+                          "ready": m in AUTH_READY,
+                          "connected": m == "api_key" and configured}
+                         for m in h["auth"]],
+                "configured": configured,
+            })
+        return {"harnesses": out}
+
+    @app.get("/admin/catalog")
+    async def catalog(authorization: str | None = Header(None),
+                      x_admin_token: str | None = Header(None)):
+        require_admin(authorization, x_admin_token)
+        stored = {c["provider"]: c for c in store.list_credentials() if c["active"]}
+        out = []
+        for name, prov in PROVIDERS.items():
+            meta = CATALOG.get(name, {})
+            cred = stored.get(name)
+            out.append({
+                "name": name, "label": meta.get("label", name.title()),
+                "kinds": meta.get("kinds", ["api_key"]), "color": meta.get("color", "#888"),
+                "models": meta.get("models", []), "shape": prov.shape,
+                "via_env": bool(prov.key), "via_store": bool(cred),
+                "cred_id": cred["id"] if cred else None,
+                "cred_kind": cred["kind"] if cred else None,
+                "endpoint": prov.endpoint,
+            })
+        return {"providers": out, "encryption": crypto.encryption_available()}
+
     # -- model aliases / remap -------------------------------------------- #
     @app.get("/admin/aliases")
     async def get_aliases(authorization: str | None = Header(None),

{proxyagent-0.3.1 → proxyagent-0.5.0}/proxyagent/store.py

@@ -22,7 +22,7 @@ CREATE TABLE IF NOT EXISTS proxy_agent_tokens (
     id TEXT PRIMARY KEY, hash TEXT NOT NULL UNIQUE, label TEXT,
     scope_json TEXT NOT NULL DEFAULT '["*"]', rate_limit INTEGER NOT NULL DEFAULT 0,
     created_ms BIGINT, expires_ms BIGINT, revoked INTEGER NOT NULL DEFAULT 0,
-    last_used_ms BIGINT, masked TEXT
+    last_used_ms BIGINT, masked TEXT, budget_usd DOUBLE PRECISION
 );
 CREATE TABLE IF NOT EXISTS proxy_agent_keys (
     id TEXT PRIMARY KEY, provider TEXT NOT NULL, kind TEXT NOT NULL DEFAULT 'api_key',
@@ -47,22 +47,32 @@ class Store:
         self.db = DB(str(path), url=url)
         self.db.executescript(_SCHEMA)
         self.backend = "postgres" if self.db.pg else "sqlite"
+        # migrate older DBs created before budget_usd existed
+        try:
+            self.db.execute("ALTER TABLE proxy_agent_tokens ADD COLUMN budget_usd DOUBLE PRECISION")
+        except Exception:
+            pass
 
     # -- machine tokens ---------------------------------------------------- #
 
-    def create_token(self, label, scope, *, ttl_seconds=None, rate_limit=0):
+    def create_token(self, label, scope, *, ttl_seconds=None, rate_limit=0, budget_usd=None):
         plain = new_token()
         tid = "tok_" + uuid.uuid4().hex[:12]
         expires = now_ms() + ttl_seconds * 1000 if ttl_seconds else None
         self.db.execute(
             """INSERT INTO proxy_agent_tokens
-               (id, hash, label, scope_json, rate_limit, created_ms, expires_ms, masked)
-               VALUES (?, ?, ?, ?, ?, ?, ?, ?)""",
+               (id, hash, label, scope_json, rate_limit, created_ms, expires_ms, masked, budget_usd)
+               VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)""",
             (tid, hash_token(plain), label, json.dumps(scope), rate_limit, now_ms(),
-             expires, mask(plain)),
+             expires, mask(plain), budget_usd),
         )
         return plain, self.get_token(tid)
 
+    def token_spend(self, token_id: str) -> float:
+        r = self.db.fetchone(
+            "SELECT COALESCE(SUM(cost_usd),0) s FROM proxy_agent_calls WHERE token_id=?", (token_id,))
+        return float((r or {}).get("s", 0) or 0)
+
     def get_token(self, tid):
         return self.db.fetchone("SELECT * FROM proxy_agent_tokens WHERE id=?", (tid,))
 
@@ -88,10 +98,12 @@ class Store:
     # -- provider credentials (proxy_agent_keys) --------------------------- #
 
     def add_credential(self, provider, secret, *, kind="api_key", refresh=None,
-                       expires_ms=None, label=None, meta=None):
+                       expires_ms=None, label=None, meta=None, replace=True):
         cid = "key_" + uuid.uuid4().hex[:12]
-        # one active credential per provider: deactivate older ones
-        self.db.execute("UPDATE proxy_agent_keys SET active=0 WHERE provider=?", (provider,))
+        # replace=True (default, the UI "connect"): swap the key. replace=False adds an
+        # ADDITIONAL active key to the provider's pool for failover/rotation.
+        if replace:
+            self.db.execute("UPDATE proxy_agent_keys SET active=0 WHERE provider=?", (provider,))
         self.db.execute(
             """INSERT INTO proxy_agent_keys
                (id, provider, kind, secret, refresh, expires_ms, label, created_ms, meta_json, active)

proxyagent-0.5.0/proxyagent/ui/index.html

@@ -0,0 +1,224 @@
+<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>proxyagent</title>
+<style>
+  :root{--bg:#0a0b0d;--panel:#141619;--panel2:#1a1d21;--line:#23262c;--txt:#eceef1;--dim:#878d96;--grn:#34d39e;--red:#f87171;--yel:#fbbf24;--blu:#6ea8fe}
+  *{box-sizing:border-box}html,body{margin:0;background:var(--bg);color:var(--txt);font:14px/1.55 ui-sans-serif,system-ui,-apple-system,"Segoe UI",Roboto}
+  code,.mono{font-family:ui-monospace,SFMono-Regular,Menlo,monospace}
+  a{color:var(--grn);text-decoration:none}
+  header{position:sticky;top:0;z-index:10;display:flex;align-items:center;justify-content:space-between;padding:14px 26px;border-bottom:1px solid var(--line);background:rgba(10,11,13,.8);backdrop-filter:blur(12px)}
+  .brand{display:flex;align-items:center;gap:10px;font-weight:650;font-size:16px}
+  .logo{width:26px;height:26px;border-radius:7px;background:linear-gradient(135deg,#34d39e,#2563eb);display:grid;place-items:center;color:#04130d;font-weight:800}
+  main{max-width:1120px;margin:0 auto;padding:26px}
+  .stats{display:grid;grid-template-columns:repeat(auto-fit,minmax(150px,1fr));gap:14px;margin-bottom:24px}
+  .card{background:var(--panel);border:1px solid var(--line);border-radius:14px;padding:18px}
+  .stat .n{font-size:30px;font-weight:680;letter-spacing:-.02em}.stat .l{color:var(--dim);font-size:11px;text-transform:uppercase;letter-spacing:.09em;margin-top:5px}
+  .tabs{display:flex;gap:4px;margin-bottom:18px;border-bottom:1px solid var(--line)}
+  .tab{padding:9px 15px;color:var(--dim);cursor:pointer;border-bottom:2px solid transparent;font-weight:550}
+  .tab.on{color:var(--txt);border-bottom-color:var(--grn)}
+  .grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(248px,1fr));gap:14px}
+  .prov{background:var(--panel);border:1px solid var(--line);border-radius:16px;padding:16px;transition:border-color .15s}
+  .prov:hover{border-color:#33383f}
+  .prov .top{display:flex;align-items:center;gap:12px}
+  .tile{width:40px;height:40px;border-radius:11px;display:grid;place-items:center;flex:none;font-weight:800;font-size:17px}
+  .prov h3{margin:0;font-size:15px;font-weight:620}.prov .ep{color:var(--dim);font-size:11px;margin-top:1px}
+  .badges{display:flex;gap:6px;flex-wrap:wrap;margin:12px 0}
+  .badge{font-size:10.5px;padding:2px 8px;border-radius:99px;background:#1f2329;color:var(--dim);text-transform:uppercase;letter-spacing:.04em}
+  .badge.on{background:rgba(52,211,158,.13);color:var(--grn)}
+  .models{color:var(--dim);font-size:11.5px;margin:6px 0 12px;min-height:16px}
+  input,button,select{font:inherit;border-radius:9px;border:1px solid var(--line);background:#0e1013;color:var(--txt);padding:8px 11px;outline:none}
+  input:focus,select:focus{border-color:#3a4048}
+  button{background:var(--grn);color:#04130d;border:none;font-weight:640;cursor:pointer}button:hover{filter:brightness(1.07)}
+  button.ghost{background:transparent;color:var(--dim);border:1px solid var(--line)}button.ghost:hover{color:var(--txt)}
+  button.danger{background:transparent;color:var(--red);border:1px solid #3a2626}
+  button.sm{padding:6px 11px;font-size:12.5px;border-radius:8px}
+  .row{display:flex;gap:9px;flex-wrap:wrap;align-items:center}
+  .connect{margin-top:4px;display:none;gap:8px;flex-direction:column}
+  .connect.open{display:flex}
+  table{width:100%;border-collapse:collapse}th,td{text-align:left;padding:10px;border-bottom:1px solid var(--line);font-size:13px}
+  th{color:var(--dim);font-weight:520;font-size:11px;text-transform:uppercase;letter-spacing:.06em}
+  .pill{padding:2px 9px;border-radius:99px;font-size:11px}.pill.ok{background:rgba(52,211,158,.12);color:var(--grn)}.pill.no{background:rgba(248,113,113,.12);color:var(--red)}
+  .gate{max-width:430px;margin:96px auto;text-align:center}.gate input{width:100%;margin:14px 0}
+  .tok{background:#0e1013;border:1px dashed var(--grn);padding:12px;border-radius:10px;word-break:break-all;margin-top:12px;font-size:13px}
+  .hide{display:none}.muted{color:var(--dim)}.h{display:flex;justify-content:space-between;align-items:center;margin:0 0 12px}
+  h2{font-size:13px;text-transform:uppercase;letter-spacing:.08em;color:var(--dim);margin:0}
+</style>
+</head>
+<body>
+<div id="gate" class="gate">
+  <div class="brand" style="justify-content:center"><span class="logo">P</span> proxyagent</div>
+  <p class="muted">Paste your admin token — reveal it with <code>proxyagent admin-token</code>.</p>
+  <input id="admintok" type="password" placeholder="pa_admin_…" onkeydown="if(event.key==='Enter')saveAdmin()"/>
+  <button onclick="saveAdmin()">Open dashboard</button>
+  <p id="gateerr" style="color:var(--red)"></p>
+</div>
+
+<div id="app" class="hide">
+  <header>
+    <div class="brand"><span class="logo">P</span> proxyagent <span id="badge_backend" class="badge" style="margin-left:6px"></span></div>
+    <div class="row"><span id="enc" class="muted" style="font-size:12px"></span><button class="ghost sm" onclick="logout()">Sign out</button></div>
+  </header>
+  <main>
+    <div class="stats">
+      <div class="card stat"><div class="n" id="s_req">0</div><div class="l">Requests</div></div>
+      <div class="card stat"><div class="n" id="s_tok">0</div><div class="l">Tokens (in/out)</div></div>
+      <div class="card stat"><div class="n" id="s_cost" style="color:var(--grn)">$0</div><div class="l">Cost</div></div>
+      <div class="card stat"><div class="n" id="s_prov">0</div><div class="l">Providers connected</div></div>
+    </div>
+
+    <div class="tabs">
+      <div class="tab on" data-t="harnesses" onclick="tab('harnesses')">Harnesses</div>
+      <div class="tab" data-t="providers" onclick="tab('providers')">Model endpoints</div>
+      <div class="tab" data-t="tokens" onclick="tab('tokens')">Machine tokens</div>
+      <div class="tab" data-t="models" onclick="tab('models')">Model routing</div>
+      <div class="tab" data-t="activity" onclick="tab('activity')">Activity</div>
+    </div>
+
+    <section id="t_harnesses">
+      <p class="muted" style="margin:0 0 14px">The agents you run. Connect each auth method once — the machine running the harness then holds only a <code>pa_</code> token.</p>
+      <div class="grid" id="harngrid"></div>
+    </section>
+
+    <section id="t_providers" class="hide">
+      <p class="muted" style="margin:0 0 14px">Raw model backends for model-agnostic harnesses (aider, Cline, Codex pointed elsewhere…).</p>
+      <div class="grid" id="provgrid"></div>
+    </section>
+
+    <section id="t_tokens" class="hide">
+      <div class="card" style="margin-bottom:16px">
+        <div class="h"><h2>Mint a machine token</h2></div>
+        <div class="row">
+          <input id="tk_label" placeholder="label (e.g. macbook-01)"/>
+          <input id="tk_scope" placeholder="scope: * or anthropic:claude-*" style="flex:1"/>
+          <input id="tk_ttl" type="number" placeholder="ttl (s)" style="width:100px"/>
+          <input id="tk_budget" type="number" step="0.01" placeholder="budget $" style="width:100px"/>
+          <button onclick="mintToken()">Mint</button>
+        </div>
+        <div id="tk_out" class="tok hide"></div>
+      </div>
+      <div class="card"><table><thead><tr><th>ID</th><th>Label</th><th>Token</th><th>Scope</th><th>Budget</th><th>Status</th><th></th></tr></thead><tbody id="toks"></tbody></table></div>
+    </section>
+
+    <section id="t_models" class="hide">
+      <div class="card" style="margin-bottom:16px">
+        <div class="h"><h2>Remap a model</h2></div>
+        <div class="row">
+          <input id="al_match" placeholder="match: * or gpt-4o"/>
+          <span class="muted">→</span>
+          <input id="al_target" placeholder="target: mock or anthropic:claude-sonnet-4-5" style="flex:1"/>
+          <button onclick="setAlias()">Map</button>
+        </div>
+        <p class="muted" style="margin:10px 0 0">Tip: map <code>* → mock</code> to run any agent fully offline (no keys).</p>
+      </div>
+      <div class="card"><table><thead><tr><th>Match</th><th>→ Target</th><th></th></tr></thead><tbody id="aliases"></tbody></table></div>
+    </section>
+
+    <section id="t_activity" class="hide">
+      <div class="card"><table><thead><tr><th>Time</th><th>Token</th><th>Provider</th><th>Model</th><th>Status</th><th>In</th><th>Out</th><th>Cost</th><th>ms</th></tr></thead><tbody id="logs"></tbody></table></div>
+    </section>
+  </main>
+</div>
+
+<script>
+const A=()=>localStorage.getItem("pa_admin");
+const H=()=>({"x-admin-token":A(),"content-type":"application/json"});
+async function api(p,o={}){const r=await fetch(p,{...o,headers:{...H(),...(o.headers||{})}});if(r.status===401){logout();throw new Error("401")}return r}
+function val(id){return document.getElementById(id).value.trim()}
+function saveAdmin(){const v=document.getElementById("admintok").value.trim();if(v){localStorage.setItem("pa_admin",v);boot()}}
+function logout(){localStorage.removeItem("pa_admin");document.getElementById("app").classList.add("hide");document.getElementById("gate").classList.remove("hide")}
+function tab(t){document.querySelectorAll(".tab").forEach(e=>e.classList.toggle("on",e.dataset.t===t));["harnesses","providers","tokens","models","activity"].forEach(s=>document.getElementById("t_"+s).classList.toggle("hide",s!==t))}
+
+// ---- provider logos (inline, brand-tinted) ----
+const MARK={
+  anthropic:'<path d="M9.6 3 3 21h4.1l1.2-3.5h5.9L15.4 21H20L13.4 3H9.6Zm-.4 10.5 1.9-5.4 2 5.4H9.2Z"/>',
+  openai:'<path d="M12 2.6c1.9 0 3.5 1.3 4 3a4.2 4.2 0 0 1 2.3 6.8 4.2 4.2 0 0 1-4 5.8 4.2 4.2 0 0 1-8.6-1A4.2 4.2 0 0 1 5.7 12 4.2 4.2 0 0 1 8 5.5a4.2 4.2 0 0 1 4-2.9Zm0 4.6a4.8 4.8 0 1 0 0 9.6 4.8 4.8 0 0 0 0-9.6Z"/>',
+  gemini:'<path d="M12 2c.4 4.6 3.4 7.6 8 8-4.6.4-7.6 3.4-8 8-.4-4.6-3.4-7.6-8-8 4.6-.4 7.6-3.4 8-8Z"/>',
+  groq:'<path d="M12 3a6 6 0 1 0 4.2 10.3l-2-2A3.2 3.2 0 1 1 12 6.2c.9 0 1.6.3 2.2.8L16.3 5A6 6 0 0 0 12 3Zm2 7v3.3h2.6V10H14Z"/>',
+  openrouter:'<path d="M3 8h6l3 4 3-4h6M3 16h6l3-4M21 8l-3 8h-3" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/>',
+  mistral:'<g><rect x="3" y="4" width="3.4" height="3.4"/><rect x="17.6" y="4" width="3.4" height="3.4"/><rect x="7.3" y="8.3" width="3.4" height="3.4"/><rect x="13.3" y="8.3" width="3.4" height="3.4"/><rect x="3" y="12.6" width="3.4" height="3.4"/><rect x="17.6" y="12.6" width="3.4" height="3.4"/><rect x="3" y="16.9" width="18" height="3.1"/></g>',
+  deepseek:'<path d="M4 9c3 0 4 2 7 2s4-3 8-2c-1 4-5 7-9 7-3 0-6-2-6-5 0-1 0-2 0-2Zm12 1.5a1 1 0 1 0 0 2 1 1 0 0 0 0-2Z"/>',
+  xai:'<path d="M4 4h3.2l4 5.6L15.8 4H19l-6 8 6.2 8h-3.2l-4.4-6L7 20H4l6.4-8.4L4 4Z"/>',
+  together:'<path d="M8 5a3.5 3.5 0 1 1 0 7 3.5 3.5 0 0 1 0-7Zm8 7a3.5 3.5 0 1 1 0 7 3.5 3.5 0 0 1 0-7ZM10.5 12.5l3-1.5" fill="none" stroke="currentColor" stroke-width="2"/>',
+};
+function logo(name,color){const m=MARK[name]||`<text x="12" y="16" text-anchor="middle" font-size="13" font-weight="800" fill="currentColor">${(name[0]||"?").toUpperCase()}</text>`;
+  return `<div class="tile" style="background:${hexa(color,.16)};color:${color}"><svg viewBox="0 0 24 24" width="22" height="22" fill="currentColor">${m}</svg></div>`}
+function hexa(h,a){const n=h.replace("#","");const x=parseInt(n.length===3?n.split("").map(c=>c+c).join(""):n,16);return `rgba(${(x>>16)&255},${(x>>8)&255},${x&255},${a})`}
+
+async function boot(){
+  try{
+    const u=await(await api("/admin/usage")).json();
+    document.getElementById("gate").classList.add("hide");document.getElementById("app").classList.remove("hide");
+    document.getElementById("s_req").textContent=u.usage.requests;
+    document.getElementById("s_tok").textContent=`${u.usage.prompt_tokens}/${u.usage.completion_tokens}`;
+    document.getElementById("s_cost").textContent="$"+(u.usage.cost_usd||0).toFixed(4);
+    document.getElementById("badge_backend").textContent=u.backend;
+    document.getElementById("enc").textContent=u.encryption?"🔒 encrypted at rest":"⚠ encryption off";
+    renderHarnesses();refreshProviders();refreshTokens();refreshAliases();refreshLogs();
+  }catch(e){document.getElementById("gateerr").textContent="Invalid admin token."}
+}
+async function renderHarnesses(){
+  const d=await(await api("/admin/harnesses")).json();
+  document.getElementById("harngrid").innerHTML=d.harnesses.map(h=>{
+    const chips=h.auth.map(a=>{
+      const cls=a.connected?"badge on":(a.ready?"badge":"badge");
+      const tag=a.connected?"✓ connected":(a.ready?"connect":"soon");
+      return `<span class="${cls}" title="${a.ready?'available now':'coming soon'}">${a.label} · ${tag}</span>`}).join("");
+    return `<div class="prov"><div class="top">${logo(h.provider,h.color)}<div style="flex:1"><h3>${h.label}</h3><div class="ep">runs on ${h.provider}</div></div>
+      ${h.configured?'<span class="pill ok">ready</span>':'<span class="pill no">connect a key</span>'}</div>
+      <div class="badges">${chips}</div>
+      <div class="models mono" style="font-size:11px">${h.install}</div>
+      <div class="row"><button class="sm" onclick="openConnect('h_${h.name}')">Connect API key</button></div>
+      <div class="connect" id="c_h_${h.name}">
+        <input id="k_h_${h.name}" type="password" placeholder="${h.provider} API key"/>
+        <div class="row"><button class="sm" onclick="connectHarness('${h.name}','${h.provider}')">Save</button><button class="ghost sm" onclick="openConnect('h_${h.name}')">Cancel</button></div>
+      </div></div>`}).join("");
+}
+async function connectHarness(name,provider){const key=document.getElementById("k_h_"+name).value.trim();if(!key)return;
+  await api("/admin/providers",{method:"POST",body:JSON.stringify({provider,secret:key,kind:"api_key"})});renderHarnesses();refreshProviders()}
+async function refreshProviders(){
+  const d=await(await api("/admin/catalog")).json();const g=document.getElementById("provgrid");
+  let connected=0;
+  g.innerHTML=d.providers.map(p=>{const on=p.via_env||p.via_store;if(on)connected++;
+    const how=p.via_store?`stored ${p.cred_kind}`:(p.via_env?"env":"");
+    return `<div class="prov"><div class="top">${logo(p.name,p.color)}<div style="flex:1"><h3>${p.label}</h3><div class="ep">${p.shape} · ${p.name}</div></div>
+      ${on?'<span class="pill ok">on</span>':'<span class="pill no">off</span>'}</div>
+      <div class="badges">${p.kinds.map(k=>`<span class="badge">${k}</span>`).join("")}${on?`<span class="badge on">${how}</span>`:""}</div>
+      <div class="models">${(p.models||[]).slice(0,2).join(" · ")}</div>
+      <div class="row">${p.via_store?`<button class="danger sm" onclick="disconnect('${p.cred_id}')">Disconnect</button>`:`<button class="sm" onclick="openConnect('${p.name}')">${p.via_env?"Override key":"Connect"}</button>`}</div>
+      <div class="connect" id="c_${p.name}">
+        <input id="k_${p.name}" type="password" placeholder="${p.name} API key${p.kinds.includes('oauth')?' / OAuth token':''}"/>
+        <div class="row">${p.kinds.length>1?`<select id="kind_${p.name}">${p.kinds.map(k=>`<option value="${k}">${k}</option>`).join("")}</select>`:`<input id="kind_${p.name}" type="hidden" value="api_key"/>`}
+          <button class="sm" onclick="connect('${p.name}')">Save</button><button class="ghost sm" onclick="openConnect('${p.name}')">Cancel</button></div>
+      </div></div>`}).join("");
+  document.getElementById("s_prov").textContent=connected;
+  document.getElementById("enc2")&&0;
+}
+function openConnect(n){document.getElementById("c_"+n).classList.toggle("open")}
+async function connect(n){const key=document.getElementById("k_"+n).value.trim();if(!key)return;
+  const kindEl=document.getElementById("kind_"+n);const kind=kindEl?kindEl.value:"api_key";
+  await api("/admin/providers",{method:"POST",body:JSON.stringify({provider:n,secret:key,kind})});refreshProviders()}
+async function disconnect(id){await api("/admin/providers/"+id,{method:"DELETE"});refreshProviders()}
+
+async function refreshTokens(){const d=await(await api("/admin/tokens")).json();
+  document.getElementById("toks").innerHTML=d.tokens.map(t=>`<tr><td class="mono">${t.id}</td><td>${t.label||""}</td><td class="mono">${t.masked||""}</td><td class="mono">${(t.scope||[]).join(", ")}</td><td class="mono">${t.budget_usd?('$'+(t.spent_usd||0).toFixed(4)+' / $'+(+t.budget_usd).toFixed(2)):'—'}</td><td>${t.revoked?'<span class="pill no">revoked</span>':'<span class="pill ok">active</span>'}</td><td>${t.revoked?"":`<button class="danger sm" onclick="revokeTok('${t.id}')">revoke</button>`}</td></tr>`).join("")}
+async function mintToken(){const body={label:val("tk_label")||"machine",scope:(val("tk_scope")||"*").split(",").map(s=>s.trim()),ttl_seconds:parseInt(val("tk_ttl"))||null,budget_usd:parseFloat(val("tk_budget"))||null};
+  const d=await(await api("/admin/tokens",{method:"POST",body:JSON.stringify(body)})).json();
+  const el=document.getElementById("tk_out");el.classList.remove("hide");el.innerHTML=`<b>Token (shown once):</b><br/><span class="mono">${d.token}</span>`;refreshTokens()}
+async function revokeTok(id){await api("/admin/tokens/"+id,{method:"DELETE"});refreshTokens()}
+
+async function refreshAliases(){const m=(await(await api("/admin/aliases")).json()).map;
+  document.getElementById("aliases").innerHTML=Object.entries(m).map(([k,v])=>`<tr><td class="mono">${k}</td><td class="mono">${v}</td><td><button class="danger sm" onclick="rmAlias('${k}')">remove</button></td></tr>`).join("")||'<tr><td class="muted" colspan="3">No model routes.</td></tr>'}
+async function setAlias(){const m=(await(await api("/admin/aliases")).json()).map;m[val("al_match")||"*"]=val("al_target")||"mock";await api("/admin/aliases",{method:"PUT",body:JSON.stringify({map:m})});document.getElementById("al_match").value="";document.getElementById("al_target").value="";refreshAliases()}
+async function rmAlias(k){const m=(await(await api("/admin/aliases")).json()).map;delete m[k];await api("/admin/aliases",{method:"PUT",body:JSON.stringify({map:m})});refreshAliases()}
+
+async function refreshLogs(){const d=await(await api("/admin/logs?limit=80")).json();
+  document.getElementById("logs").innerHTML=d.logs.map(g=>`<tr><td class="mono">${new Date(g.ts_ms).toLocaleTimeString()}</td><td>${g.token_label||""}</td><td>${g.provider||""}</td><td class="mono">${(g.model||"").slice(0,24)}</td><td>${g.status||""}</td><td>${g.prompt_tokens??"-"}</td><td>${g.completion_tokens??"-"}</td><td>${g.cost_usd?"$"+g.cost_usd.toFixed(4):"-"}</td><td>${g.latency_ms||""}</td></tr>`).join("")}
+
+if(A())boot();
+setInterval(()=>{if(A()&&!document.getElementById("app").classList.contains("hide")){refreshLogs()}},4000);
+</script>
+</body>
+</html>

{proxyagent-0.3.1 → proxyagent-0.5.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "proxyagent"
-version = "0.3.1"
+version = "0.5.0"
 description = "Run any agent (Claude, Codex, custom) on any machine — with no API key on the machine. A secure, self-hosted proxy for models and tools."
 readme = "README.md"
 requires-python = ">=3.10"

{proxyagent-0.3.1 → proxyagent-0.5.0}/tests/test_proxy.py

@@ -165,3 +165,26 @@ def test_model_remap_reroutes_provider():
     _aliases.set_map({"gpt-4o": "anthropic:mock"})
     assert remap("openai", "gpt-4o") == ("anthropic", "mock")
     assert remap("openai", "gpt-4o-mini") == ("openai", "gpt-4o-mini")  # no match
+
+
+def test_budget_exhaustion_returns_402():
+    c = _client()
+    r = c.post("/admin/tokens", headers=ADMIN, json={"scope": ["*"], "budget_usd": 0.001})
+    tok, tid = r.json()["token"], r.json()["id"]
+    # under budget (mock costs $0) → ok
+    assert c.post("/anthropic/v1/messages", headers={"x-api-key": tok},
+                  json={"model": "mock", "messages": [{"role": "user", "content": "hi"}]}).status_code == 200
+    # record spend over the cap, then the next call is blocked
+    c.app.state.store.log_request(token_id=tid, provider="anthropic", model="x", status=200, cost_usd=0.05)
+    assert c.post("/anthropic/v1/messages", headers={"x-api-key": tok},
+                  json={"model": "mock", "messages": []}).status_code == 402
+
+
+def test_harness_catalog():
+    c = _client()
+    h = c.get("/admin/harnesses", headers=ADMIN).json()["harnesses"]
+    names = {x["name"] for x in h}
+    assert {"claude-code", "codex", "gemini-cli"} <= names
+    cc = next(x for x in h if x["name"] == "claude-code")
+    assert {a["mode"] for a in cc["auth"]} == {"api_key", "oauth", "bedrock", "vertex"}
+    assert any(a["mode"] == "api_key" and a["ready"] for a in cc["auth"])

proxyagent-0.3.1/proxyagent/ui/index.html

@@ -1,125 +0,0 @@
-<!doctype html>
-<html lang="en">
-<head>
-<meta charset="utf-8" />
-<meta name="viewport" content="width=device-width, initial-scale=1" />
-<title>proxyagent</title>
-<style>
-  :root { --bg:#0b0c0e; --panel:#15171a; --line:#23262b; --txt:#e7e9ec; --dim:#8a9099; --grn:#34d39e; --red:#f87171; --yel:#fbbf24; }
-  * { box-sizing:border-box; } body { margin:0; background:var(--bg); color:var(--txt); font:14px/1.5 ui-sans-serif,system-ui,-apple-system,Segoe UI,Roboto; }
-  a { color:var(--grn); } code,.mono { font-family:ui-monospace,SFMono-Regular,Menlo,monospace; }
-  header { display:flex; align-items:center; justify-content:space-between; padding:18px 28px; border-bottom:1px solid var(--line); }
-  .brand { display:flex; align-items:center; gap:10px; font-weight:600; font-size:16px; }
-  .dot { width:9px; height:9px; border-radius:50%; background:var(--grn); box-shadow:0 0 10px 1px rgba(52,211,158,.5); }
-  main { max-width:1100px; margin:0 auto; padding:28px; }
-  .grid { display:grid; grid-template-columns:repeat(auto-fit,minmax(180px,1fr)); gap:14px; margin-bottom:26px; }
-  .card { background:var(--panel); border:1px solid var(--line); border-radius:14px; padding:18px; }
-  .stat .n { font-size:30px; font-weight:600; } .stat .l { color:var(--dim); font-size:11px; text-transform:uppercase; letter-spacing:.08em; margin-top:4px; }
-  h2 { font-size:13px; text-transform:uppercase; letter-spacing:.08em; color:var(--dim); margin:26px 0 12px; }
-  table { width:100%; border-collapse:collapse; } th,td { text-align:left; padding:9px 10px; border-bottom:1px solid var(--line); font-size:13px; }
-  th { color:var(--dim); font-weight:500; font-size:11px; text-transform:uppercase; letter-spacing:.06em; }
-  input,button,select { font:inherit; border-radius:9px; border:1px solid var(--line); background:#0e1013; color:var(--txt); padding:8px 11px; }
-  button { background:var(--grn); color:#04130d; border:none; font-weight:600; cursor:pointer; } button.ghost { background:transparent; color:var(--dim); border:1px solid var(--line); }
-  button:hover { filter:brightness(1.08); } .row { display:flex; gap:9px; flex-wrap:wrap; align-items:center; }
-  .pill { padding:2px 9px; border-radius:99px; font-size:11px; } .pill.ok { background:rgba(52,211,158,.12); color:var(--grn); } .pill.no { background:rgba(248,113,113,.12); color:var(--red); }
-  .gate { max-width:420px; margin:90px auto; text-align:center; } .gate input { width:100%; margin:14px 0; }
-  .tok { background:#0e1013; border:1px dashed var(--grn); padding:12px; border-radius:10px; word-break:break-all; margin-top:12px; }
-  .hide { display:none; }
-</style>
-</head>
-<body>
-<div id="gate" class="gate">
-  <div class="brand" style="justify-content:center"><span class="dot"></span> proxyagent</div>
-  <p style="color:var(--dim)">Paste your admin token (printed by <code>proxyagent serve</code>).</p>
-  <input id="admintok" type="password" placeholder="pa_admin_…" />
-  <button onclick="saveAdmin()">Open dashboard</button>
-  <p id="gateerr" style="color:var(--red)"></p>
-</div>
-
-<div id="app" class="hide">
-  <header>
-    <div class="brand"><span class="dot"></span> proxyagent</div>
-    <div class="row"><span id="provs" style="color:var(--dim)"></span><button class="ghost" onclick="logout()">Sign out</button></div>
-  </header>
-  <main>
-    <div class="grid">
-      <div class="card stat"><div class="n" id="s_req">0</div><div class="l">Requests</div></div>
-      <div class="card stat"><div class="n" id="s_in">0</div><div class="l">Input tokens</div></div>
-      <div class="card stat"><div class="n" id="s_out">0</div><div class="l">Output tokens</div></div>
-      <div class="card stat"><div class="n" id="s_cost" style="color:var(--grn)">$0</div><div class="l">Cost</div></div>
-      <div class="card stat"><div class="n" id="s_tools">0</div><div class="l">Proxied tools</div></div>
-    </div>
-
-    <h2>Mint a machine token</h2>
-    <div class="card">
-      <div class="row">
-        <input id="t_label" placeholder="label (e.g. macbook-01)" />
-        <input id="t_scope" placeholder="scope: * or anthropic:claude-*" style="flex:1" />
-        <input id="t_ttl" type="number" placeholder="ttl (s)" style="width:110px" />
-        <button onclick="mint()">Mint token</button>
-      </div>
-      <div id="minted" class="tok hide"></div>
-      <p style="color:var(--dim);margin:10px 0 0">The machine holds only this token — never a real key. Revoke anytime.</p>
-    </div>
-
-    <h2>Machine tokens</h2>
-    <div class="card"><table><thead><tr><th>ID</th><th>Label</th><th>Token</th><th>Scope</th><th>Status</th><th></th></tr></thead><tbody id="toks"></tbody></table></div>
-
-    <h2>Recent requests <span style="color:var(--dim);font-weight:400;text-transform:none;letter-spacing:0">· live</span></h2>
-    <div class="card"><table><thead><tr><th>Time</th><th>Token</th><th>Provider</th><th>Model</th><th>Status</th><th>In</th><th>Out</th><th>ms</th></tr></thead><tbody id="logs"></tbody></table></div>
-  </main>
-</div>
-
-<script>
-const A = () => localStorage.getItem("pa_admin");
-const H = () => ({ "x-admin-token": A(), "content-type": "application/json" });
-async function api(path, opts={}) { const r = await fetch(path, { ...opts, headers: { ...H(), ...(opts.headers||{}) } }); if (r.status===401) { logout(); throw new Error("unauthorized"); } return r; }
-
-function saveAdmin() { const v = document.getElementById("admintok").value.trim(); if (!v) return; localStorage.setItem("pa_admin", v); boot(); }
-function logout() { localStorage.removeItem("pa_admin"); document.getElementById("app").classList.add("hide"); document.getElementById("gate").classList.remove("hide"); }
-
-async function boot() {
-  try {
-    const u = await (await api("/admin/usage")).json();
-    document.getElementById("gate").classList.add("hide");
-    document.getElementById("app").classList.remove("hide");
-    document.getElementById("s_req").textContent = u.usage.requests;
-    document.getElementById("s_in").textContent = u.usage.prompt_tokens;
-    document.getElementById("s_out").textContent = u.usage.completion_tokens;
-    document.getElementById("s_cost").textContent = "$" + (u.usage.cost_usd || 0).toFixed(4);
-    document.getElementById("s_tools").textContent = (u.tools||[]).length;
-    document.getElementById("provs").textContent = `${u.backend||"sqlite"} · providers: ` + ((u.providers||[]).join(", ") || "none");
-    refreshTokens(); refreshLogs();
-  } catch (e) { document.getElementById("gateerr").textContent = "Invalid admin token."; }
-}
-
-async function refreshTokens() {
-  const d = await (await api("/admin/tokens")).json();
-  document.getElementById("toks").innerHTML = d.tokens.map(t => `
-    <tr><td class="mono">${t.id}</td><td>${t.label||""}</td><td class="mono">${t.masked||""}</td>
-    <td class="mono">${(t.scope||[]).join(", ")}</td>
-    <td>${t.revoked?'<span class="pill no">revoked</span>':'<span class="pill ok">active</span>'}</td>
-    <td>${t.revoked?"":`<button class="ghost" onclick="revoke('${t.id}')">revoke</button>`}</td></tr>`).join("");
-}
-async function refreshLogs() {
-  const d = await (await api("/admin/logs?limit=60")).json();
-  document.getElementById("logs").innerHTML = d.logs.map(g => `
-    <tr><td class="mono">${new Date(g.ts_ms).toLocaleTimeString()}</td><td>${g.token_label||""}</td>
-    <td>${g.provider||""}</td><td class="mono">${(g.model||"").slice(0,26)}</td>
-    <td>${g.status||""}</td><td>${g.prompt_tokens??"-"}</td><td>${g.completion_tokens??"-"}</td><td>${g.latency_ms||""}</td></tr>`).join("");
-}
-async function mint() {
-  const body = { label: val("t_label")||"machine", scope: (val("t_scope")||"*").split(",").map(s=>s.trim()), ttl_seconds: parseInt(val("t_ttl"))||null };
-  const d = await (await api("/admin/tokens", { method:"POST", body: JSON.stringify(body) })).json();
-  const el = document.getElementById("minted"); el.classList.remove("hide");
-  el.innerHTML = `<b>Token (shown once):</b><br/><span class="mono">${d.token}</span>`;
-  refreshTokens(); boot();
-}
-async function revoke(id) { await api("/admin/tokens/"+id, { method:"DELETE" }); refreshTokens(); }
-function val(id){ return document.getElementById(id).value.trim(); }
-
-if (A()) boot();
-setInterval(() => { if (A() && !document.getElementById("app").classList.contains("hide")) { refreshLogs(); } }, 4000);
-</script>
-</body>
-</html>