Skip to content

Add AI usage controls with quota reservation, rate limiting, and call logs#3

Open
yuanmomoya wants to merge 1 commit into
floatboatai:mainfrom
yuanmomoya:feat/ai-usage-controls
Open

Add AI usage controls with quota reservation, rate limiting, and call logs#3
yuanmomoya wants to merge 1 commit into
floatboatai:mainfrom
yuanmomoya:feat/ai-usage-controls

Conversation

@yuanmomoya

Copy link
Copy Markdown

Summary

  • Added a shared AI abuse-control layer (idempotency, sliding-window rate limits, credit pre-reservation/refund, and AiUsageLog auditing) for the Day Scheduler, Prompt Optimizer, and HTML animation features.
  • Extended the existing /demo-app flow to reserve credits before OpenAI calls, refund on failure, and prevent duplicate/concurrent abuse.
  • Added admin AI usage dashboard, env-configurable rate limits, stuck pending-log cleanup job, Prompt Optimizer, and HTML animation generation with sandbox preview.

Problem

The existing AI schedule generation decremented credits after the OpenAI call and had no idempotency, rate limit, or usage logging. Concurrent requests could overspend AI budget and bypass user quotas.

Solution

  • Added AiUsageLog model with unique (userId, operation, idempotencyKey) constraint.
  • Introduced src/ai/usageControl.ts for idempotency checks, DB-backed rate limiting, credit pre-reservation, and failure refunds.
  • Updated generateGptResponse to use the control layer; added Prompt Optimizer and HTML animation actions reusing the same infrastructure.
  • Added /admin/ai-usage dashboard for call volume, tokens, and estimated cost.
  • Added env-configurable rate limits and a PgBoss job to clean up stuck pending logs.

Design Trade-offs

  • Credits are reserved before the OpenAI call to close the concurrency loophole.
  • Failed calls refund reserved credits so users are not charged for failed generations.
  • Logs store requestHash instead of raw prompt to reduce privacy risk.
  • Rate limits are env-configurable with sensible defaults (free: 5/min, subscribed: 20/min).
  • OPENAI_API_KEY is optional at startup; placeholder keys return 503 for AI actions to allow local dev without real keys.

Testing

  • npm run lint
  • npm run prettier:check
  • AI unit tests (cost / env / usagePolicy): 8/8 passed
  • prisma validate
  • ./opensaas-sh/tools/patch.sh
  • Full Wasp app / OpenAI e2e — not run locally due to Wasp CLI version mismatch (0.24 vs project ES2025 config) and no real OpenAI key in CI-less local env

Migration

After pulling, run:

wasp db migrate-dev

This creates the new AiUsageLog, PromptOptimization, HtmlAnimation, and AnimationRenderJob tables.

Follow-ups

  • Per-plan (hobby/pro) rate limit tiers
  • Admin AI usage time-range filter and CSV export
  • HTML animation MP4 transcoding and S3 upload

… logs

Introduce a shared AI abuse-control layer (idempotency, sliding-window rate limits,
credit pre-reservation/refund, and AiUsageLog auditing) for the Day Scheduler,
Prompt Optimizer, and HTML animation features, plus admin usage dashboard and
pending-log cleanup job.

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant