feat(scheduler,apikey): bounded session affinity + per-key limits

Two related backend enhancements addressing #150 and #146.

Scheduler (#150 — "round_robin still hammering one account"):
- Add bounded session affinity. sessionAffinity now tracks boundAt /
  requestCount, and NextForSessionWithFilter escapes the binding when
  any of:
    • requestCount >= 50
    • bound for >= 5 minutes
    • bound account is no longer in the healthy tier
  This preserves prompt-cache reuse on hot sessions while preventing
  any single account from absorbing all traffic.
- Add Store.GetAffinityMode/SetAffinityMode (bounded/off/strict). Off
  means every request re-picks via the scheduler; strict is the legacy
  behavior. system_settings.affinity_mode persists the choice.
- FastScheduler in round_robin mode now sorts the healthy bucket by
  7d usage ASC before round-robining, so the under-used accounts win
  the next slot naturally.

API Keys (#146 — "support per-key 5h/7d quota and model restrictions"):
- Add api_keys.limits JSONB column carrying APIKeyLimits:
    model_allow / model_deny (whitelist takes priority)
    rpm, rpd
    cost_limit_5h, cost_limit_7d
    token_limit_5h, token_limit_7d
- New proxy/apikey_limits.go performs the checks before upstream
  dispatch: O(1) model set check, plus sliding-window aggregation over
  usage_logs (cached 60s in Redis, falls back to DB). Limited keys
  bypass the runtime cache so PATCH takes effect immediately.
- 403 (permission_error) for model-denied, 429 (rate_limit_reached)
  for quota windows. Wired into ChatCompletions, Responses, anthropic,
  and images handlers.

Tested end-to-end against 2004 instance: model whitelist returns 403
for disallowed model, rpm=2 returns 429 after 10 injected usage rows
in the last minute, settings persistence verified.

Author: james-6-23

admin/bootstrap.go

@@ -237,5 +237,6 @@ func defaultBootstrapSettings() *database.SystemSettings {
 		UsageLogFlushIntervalSeconds:     5,
 		StreamFlushPolicy:                proxy.StreamFlushPolicyImmediate,
 		StreamFlushIntervalMS:            20,
+		AffinityMode:                     "bounded",
 	}
 }

admin/handler.go

@@ -3388,13 +3388,14 @@ func (h *Handler) ListAPIKeys(c *gin.Context) {
 }
 
 type createKeyReq struct {
-	Name            string          `json:"name"`
-	Key             string          `json:"key"`
-	QuotaLimit      *float64        `json:"quota_limit"`
-	Quota           *float64        `json:"quota"`
-	ExpiresAt       string          `json:"expires_at"`
-	ExpiresInDays   *int            `json:"expires_in_days"`
-	AllowedGroupIDs json.RawMessage `json:"allowed_group_ids"`
+	Name            string                 `json:"name"`
+	Key             string                 `json:"key"`
+	QuotaLimit      *float64               `json:"quota_limit"`
+	Quota           *float64               `json:"quota"`
+	ExpiresAt       string                 `json:"expires_at"`
+	ExpiresInDays   *int                   `json:"expires_in_days"`
+	AllowedGroupIDs json.RawMessage        `json:"allowed_group_ids"`
+	Limits          *database.APIKeyLimits `json:"limits"`
 }
 
 // generateKey 生成随机 API Key
@@ -3486,12 +3487,18 @@ func (h *Handler) CreateAPIKey(c *gin.Context) {
 		}
 	}
 
+	var limits database.APIKeyLimits
+	if req.Limits != nil {
+		limits = sanitizeAPIKeyLimits(*req.Limits)
+	}
+
 	id, err := h.db.InsertAPIKeyWithOptions(ctx, database.APIKeyInput{
 		Name:            req.Name,
 		Key:             key,
 		QuotaLimit:      quotaLimit,
 		ExpiresAt:       expiresAt,
 		AllowedGroupIDs: allowedGroupIDs.Values,
+		Limits:          limits,
 	})
 	if err != nil {
 		writeError(c, http.StatusInternalServerError, "创建失败: "+err.Error())
@@ -3525,12 +3532,13 @@ func (h *Handler) CreateAPIKey(c *gin.Context) {
 }
 
 type updateAPIKeyReq struct {
-	Name            *string         `json:"name"`
-	QuotaLimit      json.RawMessage `json:"quota_limit"`
-	Quota           json.RawMessage `json:"quota"`
-	ExpiresAt       json.RawMessage `json:"expires_at"`
-	ExpiresInDays   *int            `json:"expires_in_days"`
-	AllowedGroupIDs json.RawMessage `json:"allowed_group_ids"`
+	Name            *string                `json:"name"`
+	QuotaLimit      json.RawMessage        `json:"quota_limit"`
+	Quota           json.RawMessage        `json:"quota"`
+	ExpiresAt       json.RawMessage        `json:"expires_at"`
+	ExpiresInDays   *int                   `json:"expires_in_days"`
+	AllowedGroupIDs json.RawMessage        `json:"allowed_group_ids"`
+	Limits          *database.APIKeyLimits `json:"limits"`
 }
 
 func (h *Handler) UpdateAPIKey(c *gin.Context) {
@@ -3623,6 +3631,10 @@ func (h *Handler) UpdateAPIKey(c *gin.Context) {
 		update.Name = *req.Name
 		update.NameSet = true
 	}
+	if req.Limits != nil {
+		update.Limits = sanitizeAPIKeyLimits(*req.Limits)
+		update.LimitsSet = true
+	}
 	if err := h.db.UpdateAPIKey(ctx, id, update); err != nil {
 		writeInternalError(c, err)
 		return
@@ -3634,6 +3646,63 @@ func (h *Handler) UpdateAPIKey(c *gin.Context) {
 	writeMessage(c, http.StatusOK, "API Key 已更新")
 }
 
+// sanitizeAPIKeyLimits 把请求体里来的 limits 归一:负值置 0,空白模型名过滤,字符串小写。
+// 同时配置 ModelAllow + ModelDeny 时白名单优先(在 enforce 时已生效),这里不强制清空黑名单。
+func sanitizeAPIKeyLimits(in database.APIKeyLimits) database.APIKeyLimits {
+	clean := func(items []string) []string {
+		if len(items) == 0 {
+			return nil
+		}
+		seen := make(map[string]struct{}, len(items))
+		out := make([]string, 0, len(items))
+		for _, item := range items {
+			item = strings.TrimSpace(item)
+			if item == "" {
+				continue
+			}
+			lower := strings.ToLower(item)
+			if _, ok := seen[lower]; ok {
+				continue
+			}
+			seen[lower] = struct{}{}
+			out = append(out, item)
+		}
+		return out
+	}
+	out := database.APIKeyLimits{
+		ModelAllow:   clean(in.ModelAllow),
+		ModelDeny:    clean(in.ModelDeny),
+		RPM:          maxInt(in.RPM, 0),
+		RPD:          maxInt(in.RPD, 0),
+		CostLimit5h:  maxFloat(in.CostLimit5h, 0),
+		CostLimit7d:  maxFloat(in.CostLimit7d, 0),
+		TokenLimit5h: maxInt64(in.TokenLimit5h, 0),
+		TokenLimit7d: maxInt64(in.TokenLimit7d, 0),
+	}
+	return out
+}
+
+func maxInt(v, lo int) int {
+	if v < lo {
+		return lo
+	}
+	return v
+}
+
+func maxInt64(v, lo int64) int64 {
+	if v < lo {
+		return lo
+	}
+	return v
+}
+
+func maxFloat(v, lo float64) float64 {
+	if v < lo {
+		return lo
+	}
+	return v
+}
+
 func parseOptionalAPIKeyQuota(quotaLimitRaw, quotaRaw json.RawMessage) (float64, bool, error) {
 	raw := quotaLimitRaw
 	if len(raw) == 0 {
@@ -3764,6 +3833,7 @@ type settingsResponse struct {
 	ProxyPoolEnabled                 bool   `json:"proxy_pool_enabled"`
 	FastSchedulerEnabled             bool   `json:"fast_scheduler_enabled"`
 	SchedulerMode                    string `json:"scheduler_mode"`
+	AffinityMode                     string `json:"affinity_mode"`
 	MaxRetries                       int    `json:"max_retries"`
 	MaxRateLimitRetries              int    `json:"max_rate_limit_retries"`
 	AllowRemoteMigration             bool   `json:"allow_remote_migration"`
@@ -3824,6 +3894,7 @@ type updateSettingsReq struct {
 	ProxyPoolEnabled                 *bool   `json:"proxy_pool_enabled"`
 	FastSchedulerEnabled             *bool   `json:"fast_scheduler_enabled"`
 	SchedulerMode                    *string `json:"scheduler_mode"`
+	AffinityMode                     *string `json:"affinity_mode"`
 	MaxRetries                       *int    `json:"max_retries"`
 	MaxRateLimitRetries              *int    `json:"max_rate_limit_retries"`
 	AllowRemoteMigration             *bool   `json:"allow_remote_migration"`
@@ -3966,6 +4037,7 @@ func (h *Handler) GetSettings(c *gin.Context) {
 		ProxyPoolEnabled:                 h.store.GetProxyPoolEnabled(),
 		FastSchedulerEnabled:             h.store.FastSchedulerEnabled(),
 		SchedulerMode:                    h.store.GetSchedulerMode(),
+		AffinityMode:                     h.store.GetAffinityMode(),
 		MaxRetries:                       h.store.GetMaxRetries(),
 		MaxRateLimitRetries:              h.store.GetMaxRateLimitRetries(),
 		AllowRemoteMigration:             h.store.GetAllowRemoteMigration() && adminAuthSource != "disabled",
@@ -4208,6 +4280,11 @@ func (h *Handler) UpdateSettings(c *gin.Context) {
 		log.Printf("设置已更新: scheduler_mode = %s", *req.SchedulerMode)
 	}
 
+	if req.AffinityMode != nil {
+		h.store.SetAffinityMode(*req.AffinityMode)
+		log.Printf("设置已更新: affinity_mode = %s", *req.AffinityMode)
+	}
+
 	if req.MaxRetries != nil {
 		v := *req.MaxRetries
 		if v < 0 {
@@ -4451,6 +4528,7 @@ func (h *Handler) UpdateSettings(c *gin.Context) {
 		ProxyPoolEnabled:                 h.store.GetProxyPoolEnabled(),
 		FastSchedulerEnabled:             h.store.FastSchedulerEnabled(),
 		SchedulerMode:                    h.store.GetSchedulerMode(),
+		AffinityMode:                     h.store.GetAffinityMode(),
 		MaxRetries:                       h.store.GetMaxRetries(),
 		MaxRateLimitRetries:              h.store.GetMaxRateLimitRetries(),
 		AllowRemoteMigration:             h.store.GetAllowRemoteMigration() && hasAdminSecret,
@@ -4516,6 +4594,7 @@ func (h *Handler) UpdateSettings(c *gin.Context) {
 		ProxyPoolEnabled:                 h.store.GetProxyPoolEnabled(),
 		FastSchedulerEnabled:             h.store.FastSchedulerEnabled(),
 		SchedulerMode:                    h.store.GetSchedulerMode(),
+		AffinityMode:                     h.store.GetAffinityMode(),
 		MaxRetries:                       h.store.GetMaxRetries(),
 		MaxRateLimitRetries:              h.store.GetMaxRateLimitRetries(),
 		AllowRemoteMigration:             h.store.GetAllowRemoteMigration() && adminAuthSource != "disabled",

admin/responses.go

@@ -49,16 +49,17 @@ type apiKeysResponse struct {
 
 // MaskedAPIKeyRow API Key 响应（含脱敏和完整 key）
 type MaskedAPIKeyRow struct {
-	ID              int64   `json:"id"`
-	Name            string  `json:"name"`
-	Key             string  `json:"key"`
-	RawKey          string  `json:"raw_key"`
-	QuotaLimit      float64 `json:"quota_limit"`
-	QuotaUsed       float64 `json:"quota_used"`
-	ExpiresAt       *string `json:"expires_at"`
-	AllowedGroupIDs []int64 `json:"allowed_group_ids"`
-	Status          string  `json:"status"`
-	CreatedAt       string  `json:"created_at"`
+	ID              int64                 `json:"id"`
+	Name            string                `json:"name"`
+	Key             string                `json:"key"`
+	RawKey          string                `json:"raw_key"`
+	QuotaLimit      float64               `json:"quota_limit"`
+	QuotaUsed       float64               `json:"quota_used"`
+	ExpiresAt       *string               `json:"expires_at"`
+	AllowedGroupIDs []int64               `json:"allowed_group_ids"`
+	Limits          database.APIKeyLimits `json:"limits"`
+	Status          string                `json:"status"`
+	CreatedAt       string                `json:"created_at"`
 }
 
 // NewMaskedAPIKeyRow 创建 API Key 响应
@@ -83,6 +84,7 @@ func NewMaskedAPIKeyRow(row *database.APIKeyRow) *MaskedAPIKeyRow {
 		QuotaUsed:       row.QuotaUsed,
 		ExpiresAt:       expiresAt,
 		AllowedGroupIDs: append([]int64(nil), row.AllowedGroupIDs...),
+		Limits:          row.Limits,
 		Status:          status,
 		CreatedAt:       row.CreatedAt.Format(time.RFC3339),
 	}

auth/fast_scheduler.go

@@ -392,6 +392,24 @@ func (s *FastScheduler) insertLocked(acc *Account, now time.Time) {
 			}
 			return usageI < usageJ
 		})
+	} else if s.schedulerMode == "round_robin" && tier == HealthTierHealthy {
+		// round_robin 模式下,healthy 桶按 7d 用量 ASC 排序后再走轮询。
+		// 这样同一个 round 里,用得少的账号被先轮到,自然把负载摊平到所有可用账号上,
+		// 避免出现"轮询模式仍然一直薅同一个号"的现象 (issue #150)。
+		sort.SliceStable(entries, func(i, j int) bool {
+			usageI := entries[i].acc.usagePercentForScheduling()
+			usageJ := entries[j].acc.usagePercentForScheduling()
+			if usageI == usageJ {
+				if entries[i].dispatchScore != entries[j].dispatchScore {
+					return entries[i].dispatchScore > entries[j].dispatchScore
+				}
+				if entries[i].proven != entries[j].proven {
+					return entries[i].proven
+				}
+				return entries[i].dbID < entries[j].dbID
+			}
+			return usageI < usageJ
+		})
 	} else {
 		sort.SliceStable(entries, func(i, j int) bool {
 			if entries[i].dispatchScore == entries[j].dispatchScore {