github
diff --git a/‎containers/api-proxy/management.js‎
Lines changed: 3 additions & 0 deletions b/‎containers/api-proxy/management.js‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎containers/api-proxy/proxy-request.js‎
Lines changed: 228 additions & 3 deletions b/‎containers/api-proxy/proxy-request.js‎
Lines changed: 228 additions & 3 deletions
diff --git a/‎containers/api-proxy/server.js‎
Lines changed: 2 additions & 0 deletions b/‎containers/api-proxy/server.js‎
Lines changed: 2 additions & 0 deletions
@@ -25,6 +25,7 @@ const metrics = require('./metrics');
  * @property {() => import('./rate-limiter').RateLimiter} getLimiter
  * @property {string|undefined}     httpsProxy            - Value of HTTPS_PROXY env var at startup
  * @property {() => object|null}    getModelAliases       - Returns parsed MODEL_ALIASES (or null)
+ * @property {() => object}         getEffectiveTokenUsage - Returns effective token usage summary
  */
 
 /**
@@ -44,6 +45,7 @@ function createManagementHandlers(deps) {
     getLimiter,
     httpsProxy,
     getModelAliases,
+    getEffectiveTokenUsage,
   } = deps;
 
   /**
@@ -91,6 +93,7 @@ function createManagementHandlers(deps) {
       }),
       models_fetch_complete: isModelFetchComplete(),
       model_aliases: modelAliases ? modelAliases.models : null,
+      effective_tokens: getEffectiveTokenUsage(),
     };
   }
 
 
@@ -99,6 +99,178 @@ function extractBillingHeaders(headers) {
  */
 const limiter = rateLimiter.create();
 
+const ET_WARNING_THRESHOLDS = [50, 75, 90, 95];
+const ET_DEFAULT_WEIGHTS = Object.freeze({
+  input: 1.0,
+  cacheRead: 0.1,
+  output: 4.0,
+  reasoning: 4.0,
+});
+let etGuardState = {
+  configKey: null,
+  totalEffectiveTokens: 0,
+  emittedThresholds: new Set(),
+};
+const effectiveTokenConfigCache = {
+  rawMax: undefined,
+  rawMultipliers: undefined,
+  parsed: { max: null, multipliers: {} },
+};
+
+function createEffectiveTokenState(configKey = null) {
+  return {
+    configKey,
+    totalEffectiveTokens: 0,
+    emittedThresholds: new Set(),
+  };
+}
+
+function parseMaxEffectiveTokens(raw) {
+  if (raw === undefined || raw === null || String(raw).trim() === '') return null;
+  const parsed = Number(raw);
+  if (!Number.isInteger(parsed) || parsed <= 0) return null;
+  return parsed;
+}
+
+function parseModelMultipliers(raw) {
+  if (!raw || String(raw).trim() === '') return {};
+  try {
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) return {};
+    const result = {};
+    for (const [model, value] of Object.entries(parsed)) {
+      const num = Number(value);
+      if (Number.isFinite(num) && num > 0) {
+        result[model] = num;
+      }
+    }
+    return result;
+  } catch {
+    return {};
+  }
+}
+
+function getEffectiveTokenConfig() {
+  const rawMax = process.env.AWF_MAX_EFFECTIVE_TOKENS;
+  const rawMultipliers = process.env.AWF_EFFECTIVE_TOKEN_MODEL_MULTIPLIERS;
+  if (effectiveTokenConfigCache.rawMax === rawMax && effectiveTokenConfigCache.rawMultipliers === rawMultipliers) {
+    return effectiveTokenConfigCache.parsed;
+  }
+
+  effectiveTokenConfigCache.rawMax = rawMax;
+  effectiveTokenConfigCache.rawMultipliers = rawMultipliers;
+  const parsedMultipliers = Object.freeze(parseModelMultipliers(rawMultipliers));
+  effectiveTokenConfigCache.parsed = {
+    max: parseMaxEffectiveTokens(rawMax),
+    multipliers: parsedMultipliers,
+  };
+  return effectiveTokenConfigCache.parsed;
+}
+
+function getEffectiveTokenState(config) {
+  if (!config.max) return null;
+  const configKey = `${config.max}|${JSON.stringify(config.multipliers)}`;
+  if (etGuardState.configKey !== configKey) {
+    etGuardState = createEffectiveTokenState(configKey);
+  }
+  return etGuardState;
+}
+
+function calculateEffectiveTokens(normalizedUsage, model, config) {
+  const multiplier = config.multipliers[model] ?? 1;
+  const baseWeightedTokens =
+    (ET_DEFAULT_WEIGHTS.input * (normalizedUsage.input_tokens || 0)) +
+    (ET_DEFAULT_WEIGHTS.cacheRead * (normalizedUsage.cache_read_tokens || 0)) +
+    (ET_DEFAULT_WEIGHTS.output * (normalizedUsage.output_tokens || 0)) +
+    (ET_DEFAULT_WEIGHTS.reasoning * (normalizedUsage.reasoning_tokens || 0));
+  return {
+    multiplier,
+    baseWeightedTokens,
+    effectiveTokens: multiplier * baseWeightedTokens,
+  };
+}
+
+function applyEffectiveTokenUsage(normalizedUsage, model) {
+  const config = getEffectiveTokenConfig();
+  const state = getEffectiveTokenState(config);
+  if (!state || !normalizedUsage) return null;
+
+  const previousTotal = state.totalEffectiveTokens;
+  const calc = calculateEffectiveTokens(normalizedUsage, model || 'unknown', config);
+  state.totalEffectiveTokens += calc.effectiveTokens;
+  const percentUsed = (state.totalEffectiveTokens / config.max) * 100;
+
+  const crossedThresholds = [];
+  for (const threshold of ET_WARNING_THRESHOLDS) {
+    if (percentUsed >= threshold && !state.emittedThresholds.has(threshold)) {
+      state.emittedThresholds.add(threshold);
+      crossedThresholds.push(threshold);
+    }
+  }
+
+  return {
+    maxEffectiveTokens: config.max,
+    previousTotalEffectiveTokens: previousTotal,
+    totalEffectiveTokens: state.totalEffectiveTokens,
+    effectiveTokensThisResponse: calc.effectiveTokens,
+    modelMultiplier: calc.multiplier,
+    crossedThresholds,
+    maxExceeded: state.totalEffectiveTokens >= config.max,
+  };
+}
+
+function getEffectiveTokenBlockState() {
+  const config = getEffectiveTokenConfig();
+  const state = getEffectiveTokenState(config);
+  if (!state) return null;
+  return {
+    maxEffectiveTokens: config.max,
+    totalEffectiveTokens: state.totalEffectiveTokens,
+    maxExceeded: state.totalEffectiveTokens >= config.max,
+  };
+}
+
+function getEffectiveTokenReflectState() {
+  const config = getEffectiveTokenConfig();
+  const state = getEffectiveTokenState(config);
+  if (!state) {
+    return {
+      enabled: false,
+      max_effective_tokens: null,
+      total_effective_tokens: 0,
+      remaining_effective_tokens: null,
+      percent_used: 0,
+      thresholds_crossed: [],
+    };
+  }
+  return {
+    enabled: true,
+    max_effective_tokens: config.max,
+    total_effective_tokens: state.totalEffectiveTokens,
+    remaining_effective_tokens: Math.max(0, config.max - state.totalEffectiveTokens),
+    percent_used: Math.round((state.totalEffectiveTokens / config.max) * 10000) / 100,
+    thresholds_crossed: [...state.emittedThresholds].sort((a, b) => a - b),
+  };
+}
+
+function resetEffectiveTokenGuardForTests() {
+  etGuardState = createEffectiveTokenState();
+  effectiveTokenConfigCache.rawMax = undefined;
+  effectiveTokenConfigCache.rawMultipliers = undefined;
+  effectiveTokenConfigCache.parsed = { max: null, multipliers: {} };
+}
+
+function buildEffectiveTokenLimitError(etState) {
+  return {
+    error: {
+      type: 'effective_tokens_limit_reached',
+      message: `Maximum effective tokens reached (${etState.totalEffectiveTokens.toFixed(2)} / ${etState.maxEffectiveTokens}).`,
+      total_effective_tokens: etState.totalEffectiveTokens,
+      max_effective_tokens: etState.maxEffectiveTokens,
+    },
+  };
+}
+
 // ── Utility ───────────────────────────────────────────────────────────────────
 
 /**
@@ -305,6 +477,23 @@ function proxyRequest(req, res, targetHost, injectHeaders, provider, basePath =
       });
     }
 
+    const etBlock = getEffectiveTokenBlockState();
+    if (etBlock && etBlock.maxExceeded) {
+      const duration = Date.now() - startTime;
+      metrics.gaugeDec('active_requests', { provider });
+      metrics.increment('requests_total', { provider, method: req.method, status_class: '4xx' });
+      metrics.observe('request_duration_ms', duration, { provider });
+      logRequest('warn', 'effective_tokens_limit_reached', {
+        request_id: requestId,
+        provider,
+        total_effective_tokens: etBlock.totalEffectiveTokens,
+        max_effective_tokens: etBlock.maxEffectiveTokens,
+      });
+      res.writeHead(429, { 'Content-Type': 'application/json', 'X-Request-ID': requestId });
+      res.end(JSON.stringify(buildEffectiveTokenLimitError(etBlock)));
+      return;
+    }
+
     const options = {
       hostname: targetHost, port: 443, path: upstreamPath,
       method: req.method, headers,
@@ -362,8 +551,18 @@ function proxyRequest(req, res, targetHost, injectHeaders, provider, basePath =
 
       res.writeHead(proxyRes.statusCode, resHeaders);
       proxyRes.pipe(res);
-
-      trackTokenUsage(proxyRes, { requestId, provider, path: sanitizeForLog(req.url), startTime, metrics, billingInfo, initiatorSent });
+      trackTokenUsage(proxyRes, {
+        requestId,
+        provider,
+        path: sanitizeForLog(req.url),
+        startTime,
+        metrics,
+        billingInfo,
+        initiatorSent,
+        onUsage: (normalizedUsage, model) => {
+          applyEffectiveTokenUsage(normalizedUsage, model);
+        },
+      });
     });
 
     proxyReq.on('error', (err) => {
@@ -427,6 +626,20 @@ function proxyWebSocket(req, socket, head, targetHost, injectHeaders, provider,
 
   const upstreamPath = buildUpstreamPath(req.url, targetHost, basePath);
 
+  const etBlock = getEffectiveTokenBlockState();
+  if (etBlock && etBlock.maxExceeded) {
+    logRequest('warn', 'effective_tokens_limit_reached', {
+      request_id: requestId,
+      provider,
+      total_effective_tokens: etBlock.totalEffectiveTokens,
+      max_effective_tokens: etBlock.maxEffectiveTokens,
+    });
+    socket.write('HTTP/1.1 429 Too Many Requests\r\nContent-Type: application/json\r\nConnection: close\r\n\r\n');
+    socket.write(JSON.stringify(buildEffectiveTokenLimitError(etBlock)));
+    socket.destroy();
+    return;
+  }
+
   const rateCheck = limiter.check(provider, 0);
   if (!rateCheck.allowed) {
     metrics.increment('rate_limit_rejected_total', { provider, limit_type: rateCheck.limitType });
@@ -530,7 +743,16 @@ function proxyWebSocket(req, socket, head, targetHost, injectHeaders, provider,
       tlsSocket.pipe(socket);
       socket.pipe(tlsSocket);
 
-      trackWebSocketTokenUsage(tlsSocket, { requestId, provider, path: sanitizeForLog(req.url), startTime, metrics });
+      trackWebSocketTokenUsage(tlsSocket, {
+        requestId,
+        provider,
+        path: sanitizeForLog(req.url),
+        startTime,
+        metrics,
+        onUsage: (normalizedUsage, model) => {
+          applyEffectiveTokenUsage(normalizedUsage, model);
+        },
+      });
 
       socket.once('close', () => { finalize(false); tlsSocket.destroy(); });
       tlsSocket.once('close', () => { finalize(false); socket.destroy(); });
@@ -552,4 +774,7 @@ module.exports = {
   limiter,
   proxyAgent,
   HTTPS_PROXY,
+  getEffectiveTokenReflectState,
+  // Exported for tests
+  resetEffectiveTokenGuardForTests,
 };
@@ -34,6 +34,7 @@ const {
   limiter,
   HTTPS_PROXY,
   extractBillingHeaders,
+  getEffectiveTokenReflectState,
 } = require('./proxy-request');
 
 const {
@@ -173,6 +174,7 @@ const { healthResponse, reflectEndpoints, handleManagementEndpoint } = createMan
   getLimiter:            () => limiter,
   httpsProxy:            HTTPS_PROXY,
   getModelAliases:       () => MODEL_ALIASES,
+  getEffectiveTokenUsage: () => getEffectiveTokenReflectState(),
 });
 
 // ── models.json snapshot wrappers ─────────────────────────────────────────────