feat(proxy): add admin kill switch and expose it in routes page

cmd/maxx/main.go

@@ -463,7 +463,7 @@ func main() {
 	requestTracker := core.NewRequestTracker()
 
 	// Create handlers
-	proxyHandler := handler.NewProxyHandler(clientAdapter, requestExecutor, cachedSessionRepo, tokenAuthMiddleware)
+	proxyHandler := handler.NewProxyHandler(clientAdapter, requestExecutor, cachedSessionRepo, settingRepo, tokenAuthMiddleware)
 	proxyHandler.SetRequestTracker(requestTracker)
 	adminHandler := handler.NewAdminHandler(adminService, backupService, logPath)
 	selfServiceHandler := handler.NewSelfServiceHandler(adminService)

internal/core/database.go

@@ -452,7 +452,7 @@ func InitializeServerComponents(
 
 	log.Printf("[Core] Creating handlers")
 	tokenAuthMiddleware := handler.NewTokenAuthMiddleware(repos.CachedAPITokenRepo, repos.SettingRepo)
-	proxyHandler := handler.NewProxyHandler(clientAdapter, exec, repos.CachedSessionRepo, tokenAuthMiddleware)
+	proxyHandler := handler.NewProxyHandler(clientAdapter, exec, repos.CachedSessionRepo, repos.SettingRepo, tokenAuthMiddleware)
 	modelsHandler := handler.NewModelsHandler(
 		repos.ResponseModelRepo,
 		repos.CachedProviderRepo,

internal/domain/model.go

@@ -688,6 +688,7 @@ const (
 	SettingKeyAutoSortCodex                 = "auto_sort_codex"                  // 是否自动排序 Codex 路由，"true" 或 "false"
 	SettingKeyCodexInstructionsEnabled      = "codex_instructions_enabled"       // 是否启用 Codex 官方 instructions，"true" 或 "false"
 	SettingKeyPayloadOverrideRules          = "payload_override_rules"           // 请求 payload 覆盖规则（JSON 数组）
+	SettingKeyProxyRequestsDisabled         = "proxy_requests_disabled"          // 是否全局禁用代理请求，"true" 或 "false"，默认 "false"
 	SettingKeyEnablePprof                   = "enable_pprof"                     // 是否启用 pprof 性能分析，"true" 或 "false"，默认 "false"
 	SettingKeyPprofPort                     = "pprof_port"                       // pprof 服务端口，默认 6060
 	SettingKeyPprofPassword                 = "pprof_password"                   // pprof 访问密码，为空表示不需要密码

internal/handler/proxy.go

@@ -17,9 +17,13 @@ import (
 	"github.com/awsl-project/maxx/internal/domain"
 	"github.com/awsl-project/maxx/internal/executor"
 	"github.com/awsl-project/maxx/internal/flow"
+	"github.com/awsl-project/maxx/internal/repository"
 	"github.com/awsl-project/maxx/internal/repository/cached"
+	"github.com/awsl-project/maxx/internal/systemsettingcache"
 )
 
+const proxyRequestsDisabledMessage = "proxy requests are temporarily disabled by admin"
+
 // RequestTracker interface for tracking active requests
 type RequestTracker interface {
 	Add() bool
@@ -32,6 +36,7 @@ type ProxyHandler struct {
 	clientAdapter *client.Adapter
 	executor      *executor.Executor
 	sessionRepo   *cached.SessionRepository
+	settingRepo   repository.SystemSettingRepository
 	tokenAuth     *TokenAuthMiddleware
 	tracker       RequestTracker
 	trackerMu     sync.RWMutex
@@ -44,12 +49,14 @@ func NewProxyHandler(
 	clientAdapter *client.Adapter,
 	exec *executor.Executor,
 	sessionRepo *cached.SessionRepository,
+	settingRepo repository.SystemSettingRepository,
 	tokenAuth *TokenAuthMiddleware,
 ) *ProxyHandler {
 	h := &ProxyHandler{
 		clientAdapter: clientAdapter,
 		executor:      exec,
 		sessionRepo:   sessionRepo,
+		settingRepo:   settingRepo,
 		tokenAuth:     tokenAuth,
 		engine:        flow.NewEngine(),
 	}
@@ -103,6 +110,13 @@ func (h *ProxyHandler) ingress(c *flow.Ctx) {
 		return
 	}
 
+	if h.isProxyRequestsDisabled() {
+		log.Printf("[Proxy] Rejecting request because proxy kill switch is enabled: %s %s", r.Method, r.URL.Path)
+		writeError(w, http.StatusServiceUnavailable, proxyRequestsDisabledMessage)
+		c.Abort()
+		return
+	}
+
 	if strings.HasPrefix(r.URL.Path, "/v1/responses") {
 		r.URL.Path = strings.TrimPrefix(r.URL.Path, "/v1")
 	}
@@ -303,6 +317,14 @@ func normalizeOpenAIChatCompletionsPayload(body []byte) ([]byte, bool) {
 	return converted, true
 }
 
+func (h *ProxyHandler) isProxyRequestsDisabled() bool {
+	return isBooleanSystemSettingEnabled(h.settingRepo, domain.SettingKeyProxyRequestsDisabled)
+}
+
+func isBooleanSystemSettingEnabled(repo repository.SystemSettingRepository, key string) bool {
+	return systemsettingcache.GetBoolean(repo, key)
+}
+
 // Helper functions
 
 func writeError(w http.ResponseWriter, status int, message string) {

internal/handler/proxy_test.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"encoding/json"
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"strconv"
@@ -10,8 +11,34 @@ import (
 	"time"
 
 	"github.com/awsl-project/maxx/internal/domain"
+	"github.com/awsl-project/maxx/internal/systemsettingcache"
 )
 
+type proxyBooleanSettingRepo struct {
+	values []string
+	errs   []error
+	reads  int
+}
+
+func (r *proxyBooleanSettingRepo) Get(key string) (string, error) {
+	r.reads++
+	idx := r.reads - 1
+	if idx < len(r.errs) && r.errs[idx] != nil {
+		return "", r.errs[idx]
+	}
+	if idx < len(r.values) {
+		return r.values[idx], nil
+	}
+	if len(r.values) > 0 {
+		return r.values[len(r.values)-1], nil
+	}
+	return "", nil
+}
+
+func (r *proxyBooleanSettingRepo) Set(key, value string) error              { return nil }
+func (r *proxyBooleanSettingRepo) GetAll() ([]*domain.SystemSetting, error) { return nil, nil }
+func (r *proxyBooleanSettingRepo) Delete(key string) error                  { return nil }
+
 func TestWriteError(t *testing.T) {
 	rec := httptest.NewRecorder()
 	writeError(rec, http.StatusBadRequest, "bad request")
@@ -123,3 +150,72 @@ func TestWriteStreamErrorPreservesStatusAndRetryAfter(t *testing.T) {
 		t.Fatalf("stream body = %q, want error event", rec.Body.String())
 	}
 }
+
+func TestProxyHandlerRejectsRequestsWhenKillSwitchEnabled(t *testing.T) {
+	repo := &settingsTestRepo{values: map[string]string{domain.SettingKeyProxyRequestsDisabled: "true"}}
+	h := NewProxyHandler(nil, nil, nil, repo, nil)
+
+	req := httptest.NewRequest(http.MethodPost, "http://example.test/v1/chat/completions", strings.NewReader(`{"model":"gpt-5.4","messages":[]}`))
+	rec := httptest.NewRecorder()
+
+	h.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusServiceUnavailable {
+		t.Fatalf("status = %d, want %d, body=%s", rec.Code, http.StatusServiceUnavailable, rec.Body.String())
+	}
+	if !strings.Contains(rec.Body.String(), proxyRequestsDisabledMessage) {
+		t.Fatalf("body = %q, want disabled message", rec.Body.String())
+	}
+}
+
+func TestIsBooleanSystemSettingEnabledDefaultsFalse(t *testing.T) {
+	systemsettingcache.Invalidate(domain.SettingKeyProxyRequestsDisabled)
+	repo := &settingsTestRepo{}
+	if isBooleanSystemSettingEnabled(repo, domain.SettingKeyProxyRequestsDisabled) {
+		t.Fatal("expected missing setting to default to false")
+	}
+}
+
+func TestIsBooleanSystemSettingEnabledCachesFreshValue(t *testing.T) {
+	oldTTL := systemsettingcache.BooleanTTL
+	systemsettingcache.BooleanTTL = time.Hour
+	defer func() { systemsettingcache.BooleanTTL = oldTTL }()
+
+	key := domain.SettingKeyProxyRequestsDisabled
+	systemsettingcache.Invalidate(key)
+	repo := &proxyBooleanSettingRepo{values: []string{"true"}}
+
+	if !isBooleanSystemSettingEnabled(repo, key) {
+		t.Fatal("expected first read to return true")
+	}
+	if !isBooleanSystemSettingEnabled(repo, key) {
+		t.Fatal("expected cached read to return true")
+	}
+	if repo.reads != 1 {
+		t.Fatalf("reads = %d, want 1", repo.reads)
+	}
+}
+
+func TestIsBooleanSystemSettingEnabledFallsBackToLastKnownValueOnReadError(t *testing.T) {
+	oldTTL := systemsettingcache.BooleanTTL
+	systemsettingcache.BooleanTTL = time.Nanosecond
+	defer func() { systemsettingcache.BooleanTTL = oldTTL }()
+
+	key := domain.SettingKeyProxyRequestsDisabled
+	systemsettingcache.Invalidate(key)
+	repo := &proxyBooleanSettingRepo{
+		values: []string{"true"},
+		errs:   []error{nil, errors.New("db temporarily unavailable")},
+	}
+
+	if !isBooleanSystemSettingEnabled(repo, key) {
+		t.Fatal("expected first read to return true")
+	}
+	time.Sleep(time.Millisecond)
+	if !isBooleanSystemSettingEnabled(repo, key) {
+		t.Fatal("expected cached true value on refresh error")
+	}
+	if repo.reads != 2 {
+		t.Fatalf("reads = %d, want 2", repo.reads)
+	}
+}

internal/service/admin.go

@@ -19,6 +19,7 @@ import (
 	"github.com/awsl-project/maxx/internal/payloadoverride"
 	"github.com/awsl-project/maxx/internal/pricing"
 	"github.com/awsl-project/maxx/internal/repository"
+	"github.com/awsl-project/maxx/internal/systemsettingcache"
 	"github.com/awsl-project/maxx/internal/version"
 )
 
@@ -486,6 +487,7 @@ func (s *AdminService) UpdateSetting(key, value string) error {
 	if err := s.settingRepo.Set(key, value); err != nil {
 		return err
 	}
+	systemsettingcache.Invalidate(key)
 	if key == domain.SettingKeyPayloadOverrideRules {
 		payloadoverride.InvalidateGlobalSettingsCache()
 	}
@@ -507,6 +509,7 @@ func (s *AdminService) DeleteSetting(key string) error {
 	if err := s.settingRepo.Delete(key); err != nil {
 		return err
 	}
+	systemsettingcache.Invalidate(key)
 	if key == domain.SettingKeyPayloadOverrideRules {
 		payloadoverride.InvalidateGlobalSettingsCache()
 	}

internal/service/system_setting_validation.go

@@ -1,6 +1,9 @@
 package service
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/awsl-project/maxx/internal/domain"
 	"github.com/awsl-project/maxx/internal/payloadoverride"
 )
@@ -9,7 +12,22 @@ func validateSystemSettingValue(key, value string) error {
 	switch key {
 	case domain.SettingKeyPayloadOverrideRules:
 		return payloadoverride.ValidateRulesJSON(value)
+	case domain.SettingKeyProxyRequestsDisabled:
+		return validateBooleanSystemSetting(value)
 	default:
 		return nil
 	}
 }
+
+func validateBooleanSystemSetting(value string) error {
+	if strings.TrimSpace(value) != value {
+		return fmt.Errorf("%w: boolean setting must not contain surrounding whitespace", domain.ErrInvalidInput)
+	}
+
+	switch value {
+	case "true", "false":
+		return nil
+	default:
+		return fmt.Errorf("%w: boolean setting must be \"true\" or \"false\"", domain.ErrInvalidInput)
+	}
+}

internal/service/system_setting_validation_test.go

@@ -3,8 +3,10 @@ package service
 import (
 	"errors"
 	"testing"
+	"time"
 
 	"github.com/awsl-project/maxx/internal/domain"
+	"github.com/awsl-project/maxx/internal/systemsettingcache"
 )
 
 type stubSystemSettingRepo struct {
@@ -48,6 +50,87 @@ func TestAdminServiceUpdateSettingRejectsInvalidPayloadOverrideRules(t *testing.
 	}
 }
 
+func TestAdminServiceUpdateSettingRejectsInvalidProxyRequestsDisabledValue(t *testing.T) {
+	repo := &stubSystemSettingRepo{}
+	svc := &AdminService{settingRepo: repo}
+
+	err := svc.UpdateSetting(domain.SettingKeyProxyRequestsDisabled, "maybe")
+	if !errors.Is(err, domain.ErrInvalidInput) {
+		t.Fatalf("expected invalid input error, got %v", err)
+	}
+	if len(repo.values) != 0 {
+		t.Fatalf("expected invalid setting not to be persisted")
+	}
+}
+
+func TestAdminServiceUpdateSettingAcceptsValidProxyRequestsDisabledValue(t *testing.T) {
+	repo := &stubSystemSettingRepo{}
+	svc := &AdminService{settingRepo: repo}
+
+	err := svc.UpdateSetting(domain.SettingKeyProxyRequestsDisabled, "true")
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+	if got := repo.values[domain.SettingKeyProxyRequestsDisabled]; got != "true" {
+		t.Fatalf("stored value = %q, want true", got)
+	}
+}
+
+func TestAdminServiceUpdateSettingRejectsProxyRequestsDisabledValueWithWhitespace(t *testing.T) {
+	repo := &stubSystemSettingRepo{}
+	svc := &AdminService{settingRepo: repo}
+
+	err := svc.UpdateSetting(domain.SettingKeyProxyRequestsDisabled, " true ")
+	if !errors.Is(err, domain.ErrInvalidInput) {
+		t.Fatalf("expected invalid input error, got %v", err)
+	}
+	if len(repo.values) != 0 {
+		t.Fatalf("expected invalid setting not to be persisted")
+	}
+}
+
+func TestAdminServiceUpdateSettingInvalidatesProxyBooleanCache(t *testing.T) {
+	oldTTL := systemsettingcache.BooleanTTL
+	systemsettingcache.BooleanTTL = time.Hour
+	defer func() { systemsettingcache.BooleanTTL = oldTTL }()
+
+	repo := &stubSystemSettingRepo{values: map[string]string{domain.SettingKeyProxyRequestsDisabled: "false"}}
+	svc := &AdminService{settingRepo: repo}
+
+	systemsettingcache.Invalidate(domain.SettingKeyProxyRequestsDisabled)
+	if systemsettingcache.GetBoolean(repo, domain.SettingKeyProxyRequestsDisabled) {
+		t.Fatal("expected initial cached value to be false")
+	}
+
+	if err := svc.UpdateSetting(domain.SettingKeyProxyRequestsDisabled, "true"); err != nil {
+		t.Fatalf("expected update to succeed, got %v", err)
+	}
+	if !systemsettingcache.GetBoolean(repo, domain.SettingKeyProxyRequestsDisabled) {
+		t.Fatal("expected cache invalidation to expose updated true value")
+	}
+}
+
+func TestAdminServiceDeleteSettingInvalidatesProxyBooleanCache(t *testing.T) {
+	oldTTL := systemsettingcache.BooleanTTL
+	systemsettingcache.BooleanTTL = time.Hour
+	defer func() { systemsettingcache.BooleanTTL = oldTTL }()
+
+	repo := &stubSystemSettingRepo{values: map[string]string{domain.SettingKeyProxyRequestsDisabled: "true"}}
+	svc := &AdminService{settingRepo: repo}
+
+	systemsettingcache.Invalidate(domain.SettingKeyProxyRequestsDisabled)
+	if !systemsettingcache.GetBoolean(repo, domain.SettingKeyProxyRequestsDisabled) {
+		t.Fatal("expected initial cached value to be true")
+	}
+
+	if err := svc.DeleteSetting(domain.SettingKeyProxyRequestsDisabled); err != nil {
+		t.Fatalf("expected delete to succeed, got %v", err)
+	}
+	if systemsettingcache.GetBoolean(repo, domain.SettingKeyProxyRequestsDisabled) {
+		t.Fatal("expected cache invalidation to expose deleted false value")
+	}
+}
+
 func TestBackupServiceImportSystemSettingsSkipsPayloadOverrideRules(t *testing.T) {
 	repo := &stubSystemSettingRepo{
 		values: map[string]string{},