feat: add token usage tracking to api-proxy sidecar (#1539)

* feat: add token usage tracking to api-proxy sidecar

Intercept LLM API responses in the api-proxy to extract and log token
usage data. Supports both streaming (SSE) and non-streaming JSON
responses from OpenAI, Anthropic, and Copilot providers.

- Add token-tracker.js module with SSE and JSON usage extraction
- Integrate trackTokenUsage into server.js proxy response pipeline
- Write JSONL logs to /var/log/api-proxy/token-usage.jsonl
- Update input_tokens_total and output_tokens_total metrics
- Add 32 unit tests covering all extraction and normalization paths

Closes #1536

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address PR review feedback for token tracker

- Add token-tracker.js to Dockerfile COPY step
- Add try/catch require guard for graceful fallback
- Fix header comment to match actual architecture
- Guard empty usage objects from producing 0-token log entries
- Handle write backpressure in JSONL log writer
- Make closeLogStream() async to flush before process.exit
- Remove unused method/targetHost opts; drop hardcoded request_bytes
- Redirect test log output to temp dir to avoid /var/log noise

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lpcox

containers/api-proxy/Dockerfile

@@ -15,7 +15,7 @@ COPY package*.json ./
 RUN npm ci --omit=dev
 
 # Copy application files
-COPY server.js logging.js metrics.js rate-limiter.js ./
+COPY server.js logging.js metrics.js rate-limiter.js token-tracker.js ./
 
 # Create non-root user
 RUN addgroup -S apiproxy && adduser -S apiproxy -G apiproxy

containers/api-proxy/server.js

@@ -18,6 +18,18 @@ const { HttpsProxyAgent } = require('https-proxy-agent');
 const { generateRequestId, sanitizeForLog, logRequest } = require('./logging');
 const metrics = require('./metrics');
 const rateLimiter = require('./rate-limiter');
+let trackTokenUsage;
+let closeLogStream;
+try {
+  ({ trackTokenUsage, closeLogStream } = require('./token-tracker'));
+} catch (err) {
+  if (err && err.code === 'MODULE_NOT_FOUND') {
+    trackTokenUsage = () => {};
+    closeLogStream = () => {};
+  } else {
+    throw err;
+  }
+}
 
 // Create rate limiter from environment variables
 const limiter = rateLimiter.create();
@@ -423,6 +435,15 @@ function proxyRequest(req, res, targetHost, injectHeaders, provider, basePath =
 
       res.writeHead(proxyRes.statusCode, resHeaders);
       proxyRes.pipe(res);
+
+      // Attach token usage tracking (non-blocking, listens on same data/end events)
+      trackTokenUsage(proxyRes, {
+        requestId,
+        provider,
+        path: sanitizeForLog(req.url),
+        startTime,
+        metrics,
+      });
     });
 
     proxyReq.on('error', (err) => {
@@ -851,13 +872,15 @@ if (require.main === module) {
   }
 
   // Graceful shutdown
-  process.on('SIGTERM', () => {
+  process.on('SIGTERM', async () => {
     logRequest('info', 'shutdown', { message: 'Received SIGTERM, shutting down gracefully' });
+    await closeLogStream();
     process.exit(0);
   });
 
-  process.on('SIGINT', () => {
+  process.on('SIGINT', async () => {
     logRequest('info', 'shutdown', { message: 'Received SIGINT, shutting down gracefully' });
+    await closeLogStream();
     process.exit(0);
   });
 }