feat(llm-gateway): complete Cloudflare Worker implementation (Phases 1–7)

cloudflare-ai-attribution/src/ai-attribution.worker.ts

@@ -30,7 +30,6 @@ export type HonoContext = {
 
 const app = new Hono<HonoContext>();
 
-// @ts-expect-error workers-tagged-logger returns Handler typed against an older hono; incompatible with hono 4.12+
 app.use('*', useWorkersLogger('ai-attribution'));
 
 // Health check endpoint (no auth required)

cloudflare-o11y/src/api-metrics-routes.ts

@@ -1,36 +1,8 @@
 import type { Hono } from 'hono';
-import { z } from 'zod';
-import { zodJsonValidator } from '@kilocode/worker-utils';
+import { zodJsonValidator, ApiMetricsParamsSchema } from '@kilocode/worker-utils';
 import { writeApiMetricsDataPoint } from './o11y-analytics';
 import { requireAdmin } from './admin-middleware';
 
-export const ApiMetricsParamsSchema = z.object({
-	kiloUserId: z.string().min(1),
-	organizationId: z.string().min(1).optional(),
-	isAnonymous: z.boolean(),
-	isStreaming: z.boolean(),
-	userByok: z.boolean(),
-	mode: z.string().min(1).optional(),
-	provider: z.string().min(1),
-	inferenceProvider: z.string().optional().default(''),
-	requestedModel: z.string().min(1),
-	resolvedModel: z.string().min(1),
-	toolsAvailable: z.array(z.string().min(1)),
-	toolsUsed: z.array(z.string().min(1)),
-	ttfbMs: z.number().int().nonnegative(),
-	completeRequestMs: z.number().int().nonnegative(),
-	statusCode: z.number().int().min(100).max(599),
-	tokens: z
-		.object({
-			inputTokens: z.number().int().nonnegative().optional(),
-			outputTokens: z.number().int().nonnegative().optional(),
-			cacheWriteTokens: z.number().int().nonnegative().optional(),
-			cacheHitTokens: z.number().int().nonnegative().optional(),
-			totalTokens: z.number().int().nonnegative().optional(),
-		})
-		.optional(),
-});
-
 export function registerApiMetricsRoutes(app: Hono<{ Bindings: Env }>): void {
 	app.post('/ingest/api-metrics', requireAdmin, zodJsonValidator(ApiMetricsParamsSchema), async (c) => {
 		const params = c.req.valid('json');

cloudflare-o11y/src/index.ts

@@ -1,11 +1,12 @@
 import { WorkerEntrypoint } from 'cloudflare:workers';
 import { Hono } from 'hono';
+import { ApiMetricsParamsSchema, SessionMetricsParamsSchema } from '@kilocode/worker-utils';
+import type { ApiMetricsParams, SessionMetricsParams } from '@kilocode/worker-utils';
 import { registerApiMetricsRoutes } from './api-metrics-routes';
 import { evaluateAlerts } from './alerting/evaluate';
 import { registerAlertingConfigRoutes } from './alerting/config-routes';
-import { SessionMetricsParamsSchema } from './session-metrics-schema';
-import type { SessionMetricsParams } from './session-metrics-schema';
 import { writeSessionMetricsDataPoint } from './session-metrics-analytics';
+import { writeApiMetricsDataPoint } from './o11y-analytics';
 
 export { AlertConfigDO } from './alerting/AlertConfigDO';
 
@@ -28,4 +29,10 @@ export default class extends WorkerEntrypoint<Env> {
 		const parsed = SessionMetricsParamsSchema.parse(params);
 		await writeSessionMetricsDataPoint(parsed, this.env);
 	}
+
+	/** RPC method called by llm-gateway via service binding. */
+	async ingestApiMetrics(params: ApiMetricsParams): Promise<void> {
+		const parsed = ApiMetricsParamsSchema.parse(params);
+		writeApiMetricsDataPoint(parsed, 'kilo-gateway', this.env, (p) => this.ctx.waitUntil(p));
+	}
 }

cloudflare-o11y/src/o11y-analytics.ts

@@ -1,7 +1,4 @@
-import type { z } from 'zod';
-import type { ApiMetricsParamsSchema } from './api-metrics-routes';
-
-type ApiMetricsParams = z.infer<typeof ApiMetricsParamsSchema>;
+import type { ApiMetricsParamsParsed as ApiMetricsParams } from '@kilocode/worker-utils';
 
 /**
  * Write an API metrics data point to Analytics Engine for alerting queries,

cloudflare-o11y/src/session-metrics-analytics.ts

@@ -1,4 +1,4 @@
-import type { SessionMetricsParams } from './session-metrics-schema';
+import type { SessionMetricsParamsParsed as SessionMetricsParams } from '@kilocode/worker-utils';
 
 /**
  * Write a session metrics data point to Analytics Engine,

cloudflare-session-ingest/src/env.ts

@@ -1 +1,3 @@
+import type { O11YBinding } from './o11y-binding';
+
 export type Env = Omit<Cloudflare.Env, 'O11Y'> & { O11Y: O11YBinding };

cloudflare-session-ingest/src/middleware/kilo-jwt-auth.ts

@@ -1,46 +1,12 @@
 import { createMiddleware } from 'hono/factory';
-import { verifyKiloToken, extractBearerToken } from '@kilocode/worker-utils';
-import { eq } from 'drizzle-orm';
+import { verifyKiloToken, extractBearerToken, userExistsWithCache } from '@kilocode/worker-utils';
 import { getWorkerDb } from '@kilocode/db/client';
-import { kilocode_users } from '@kilocode/db/schema';
 
 import type { Env } from '../env';
 
-const USER_EXISTS_TTL_SECONDS = 24 * 60 * 60; // 24h
-const USER_NOT_FOUND_TTL_SECONDS = 5 * 60; // 5m
-
-/**
- * Check whether a user exists, using KV as a cache in front of Postgres.
- * Positive results are cached for 24h. Negative results are cached for 5m
- * to rate-limit DB hits from deleted/nonexistent users with valid tokens.
- */
-async function userExists(env: Env, userId: string): Promise<boolean> {
-  const cacheKey = `user-exists:${userId}`;
-
-  const cached = await env.USER_EXISTS_CACHE.get(cacheKey);
-  if (cached === '1') {
-    return true;
-  }
-  if (cached === '0') {
-    return false;
-  }
-
+function userExists(env: Env, userId: string): Promise<boolean> {
   const db = getWorkerDb(env.HYPERDRIVE.connectionString);
-  const rows = await db
-    .select({ id: kilocode_users.id })
-    .from(kilocode_users)
-    .where(eq(kilocode_users.id, userId))
-    .limit(1);
-
-  const row = rows[0];
-
-  if (!row) {
-    void env.USER_EXISTS_CACHE.put(cacheKey, '0', { expirationTtl: USER_NOT_FOUND_TTL_SECONDS });
-    return false;
-  }
-
-  void env.USER_EXISTS_CACHE.put(cacheKey, '1', { expirationTtl: USER_EXISTS_TTL_SECONDS });
-  return true;
+  return userExistsWithCache(env.USER_EXISTS_CACHE, db, userId);
 }
 
 export const kiloJwtAuthMiddleware = createMiddleware<{

cloudflare-session-ingest/src/o11y-binding.d.ts

@@ -1,41 +1,5 @@
-/**
- * Augment the wrangler-generated Env to give the O11Y service binding its RPC
- * method types.  `wrangler types` only sees `Fetcher` for service bindings;
- * the actual RPC shape comes from the o11y worker's WorkerEntrypoint and is
- * declared here so the generated file can be freely regenerated.
- *
- * Keep in sync with: cloudflare-o11y/src/session-metrics-schema.ts
- */
+import type { SessionMetricsParams } from '@kilocode/worker-utils';
 
-type O11YSessionMetricsParams = {
-  kiloUserId: string;
-  organizationId?: string;
-  sessionId: string;
-  platform: string;
-  sessionDurationMs: number;
-  timeToFirstResponseMs?: number;
-  totalTurns: number;
-  totalSteps: number;
-  toolCallsByType: Record<string, number>;
-  toolErrorsByType: Record<string, number>;
-  totalErrors: number;
-  errorsByType: Record<string, number>;
-  stuckToolCallCount: number;
-  totalTokens: {
-    input: number;
-    output: number;
-    reasoning: number;
-    cacheRead: number;
-    cacheWrite: number;
-  };
-  totalCost: number;
-  compactionCount: number;
-  autoCompactionCount: number;
-  terminationReason: 'completed' | 'error' | 'interrupted' | 'abandoned' | 'unknown';
-  model?: string;
-  ingestVersion: number;
-};
-
-type O11YBinding = Fetcher & {
-  ingestSessionMetrics(params: O11YSessionMetricsParams): Promise<void>;
+export type O11YBinding = Fetcher & {
+  ingestSessionMetrics(params: SessionMetricsParams): Promise<void>;
 };

cloudflare-webhook-agent-ingest/src/index.ts

@@ -18,7 +18,6 @@ export type HonoContext = {
 
 const app = new Hono<HonoContext>();
 
-// @ts-expect-error workers-tagged-logger returns Handler typed against an older hono; incompatible with hono 4.12+
 app.use('*', useWorkersLogger('webhook-agent'));
 
 app.get('/health', c => {

llm-gateway/eslint.config.mjs

@@ -0,0 +1,16 @@
+import { dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { defineConfig } from 'eslint/config';
+import baseConfig from '@kilocode/eslint-config';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+export default defineConfig([
+  ...baseConfig(__dirname),
+  {
+    files: ['**/*.ts'],
+    rules: {
+      '@typescript-eslint/restrict-template-expressions': 'off',
+    },
+  },
+]);

llm-gateway/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "llm-gateway",
+  "version": "1.0.0",
+  "type": "module",
+  "private": true,
+  "description": "LLM Gateway Cloudflare Worker — transparent drop-in replacement for /api/openrouter",
+  "scripts": {
+    "preinstall": "npx only-allow pnpm",
+    "deploy": "wrangler deploy",
+    "dev": "wrangler dev",
+    "start": "wrangler dev",
+    "types": "wrangler types",
+    "lint": "eslint --config eslint.config.mjs --cache 'src/**/*.ts'",
+    "lint:fix": "eslint --config eslint.config.mjs --cache --fix 'src/**/*.ts'",
+    "format": "prettier --write 'src/**/*.ts'",
+    "format:check": "prettier --check 'src/**/*.ts'",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:integration": "vitest run --config vitest.workers.config.ts",
+    "test:integration:watch": "vitest --config vitest.workers.config.ts",
+    "typecheck": "tsgo --noEmit --incremental false"
+  },
+  "dependencies": {
+    "@sentry/cloudflare": "^10.25.0",
+    "@ai-sdk/anthropic": "^3.0.41",
+    "@ai-sdk/openai": "^3.0.27",
+    "@kilocode/db": "workspace:*",
+    "@kilocode/encryption": "workspace:*",
+    "@kilocode/worker-utils": "workspace:*",
+    "ai": "^6.0.78",
+    "drizzle-orm": "catalog:",
+    "eventsource-parser": "^3.0.6",
+    "hono": "catalog:",
+    "workers-tagged-logger": "catalog:",
+    "zod": "catalog:"
+  },
+  "devDependencies": {
+    "@cloudflare/vitest-pool-workers": "^0.12.8",
+    "jose": "catalog:",
+    "@kilocode/eslint-config": "workspace:*",
+    "@types/node": "^22",
+    "@typescript/native-preview": "7.0.0-dev.20251019.1",
+    "@vitest/ui": "^3.2.4",
+    "drizzle-kit": "catalog:",
+    "eslint": "catalog:",
+    "prettier": "catalog:",
+    "typescript": "catalog:",
+    "vitest": "^3.2.4",
+    "wrangler": "catalog:"
+  }
+}