feat(hosted key): Add exa hosted key

[TheodoreSpeaks]

Summary

Added hosted api key integration for exa search.
For hosted sim, api sub block no longer appears for exa search. Users can use the BYOK modal to pass an api key if needed. Non-hosted sim behaves unchanged.

Added throttling per billing actor. Requests are throttled proactively, failing fast if they exceed limits (users can switch to BYOK if they need higher limits). Can be either a limit based on requests per minute or a custom limit using the api response. If custom, rate limiting is optimistic and only applies after execution completes.

Moved cost modification behavior to knowledge block directly instead of transforming each block separately.

Hosted key calls retry 3 times with exponential backoff to handle throttles from increased load, with alarms.

Important: API keys need to be stored in prod and staging before merging:

• EXA_API_KEY_COUNT number
• EXA_API_KEY_{number} api keys (traffic spread evenly via round robin)

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation
• Other: ___________

Testing

• Tested non-host still has required api subblock.
• Tested hosted sim does not have api subblock
• Tested hosted key updates user stats and usage log tables correctly
• Unit tested throttling handles correctly
• Tested rate limiting works successfully for exa search with hosted key and does not apply when BYOK is applied.

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Screenshots/Videos

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Mar 7, 2026 3:56am

[greptile-apps]

Greptile Summary

This PR adds hosted Exa API key support to the Sim platform, allowing users on hosted Sim to run Exa search/content/answer operations without providing their own API key. It introduces a HostedKeyRateLimiter with per-billing-actor token-bucket limiting and round-robin key selection across a pool of hosted keys, a two-phase pricing system (per_request or custom based on Exa's cost response), and exponential backoff retry for upstream rate limits. Knowledge block cost restructuring is also moved from the generic handler to each tool's transformResponse, which is a cleaner approach.

Key changes:

• tools/index.ts: Adds injectHostedKeyIfNeeded, executeWithRetry, and applyHostedKeyCostToResult — the core hosted key pipeline
• lib/core/rate-limiter/hosted-key/: New HostedKeyRateLimiter class with per-actor token buckets backed by the existing RateLimitStorageAdapter
• blocks/blocks/exa.ts & lib/workflows/subblocks/visibility.ts: Declarative hideWhenHosted flag hides the apiKey subblock in the UI and serializer on hosted deployments
• tools/exa/*.ts: Each Exa tool gains a hosting config with pricing and rate limit settings; __costDollars internal field carries Exa's cost data through the pipeline before being stripped
• tools/knowledge/search.ts & upload_chunk.ts: Cost restructuring moved from the generic handler into transformResponse
• Notable open issue: The costDollars? fields declared in the four Exa response interfaces (ExaSearchResponse, etc.) are never populated — the data lives under the untyped __costDollars key — creating a false type contract
• Notable risk: HostedKeyRateLimiter fails open on DB storage errors, meaning all per-actor rate limits and custom dimension budgets are silently bypassed if the storage layer is unavailable

Confidence Score: 3/5

• This PR is functional but has a few unresolved concerns that warrant caution before merging to production.
• The core hosted-key pipeline (injection, retry, billing) is well-structured and unit tested. However, three issues reduce confidence: (1) The HostedKeyRateLimiter fails open on storage errors, completely bypassing rate limiting during any DB outage — a risk in a billing-sensitive path. (2) stripInternalFields is applied unconditionally to all tool outputs rather than being scoped to hosted-key executions, which is a latent regression risk for other tools. (3) The in-memory roundRobinCounters won't distribute load across serverless instances, so the key-pool distribution guarantee is only per-instance. These are known trade-offs (some discussed in prior threads), but the fail-open behaviour in particular should be acknowledged before going to production.
• Pay close attention to apps/sim/lib/core/rate-limiter/hosted-key/hosted-key-rate-limiter.ts (fail-open on storage errors) and apps/sim/tools/index.ts (unconditional stripInternalFields).

Important Files Changed

Filename	Overview
apps/sim/tools/index.ts	Core change: adds injectHostedKeyIfNeeded, executeWithRetry, processHostedKeyCost, and stripInternalFields for hosted Exa key support. The unconditional application of stripInternalFields to all tool outputs (not just hosted-key executions) remains a concern previously flagged. Cost/usage tracking is cleanly deduplicated into applyHostedKeyCostToResult, which is an improvement over an earlier duplicate-code design.
apps/sim/lib/core/rate-limiter/hosted-key/hosted-key-rate-limiter.ts	New rate limiter with per-billing-actor token-bucket limiting and round-robin key selection. The in-memory roundRobinCounters singleton won't distribute load evenly across serverless instances. Both checkActorRateLimit and preCheckDimensions fail-open on storage errors, fully bypassing rate limits if the DB is unavailable.
apps/sim/lib/core/rate-limiter/hosted-key/types.ts	Well-structured type definitions for rate limit config and results. The requestsPerMinute JSDoc says "maximum" but the actual token-bucket allows a 2× burst due to DEFAULT_BURST_MULTIPLIER = 2, which is misleading to callers configuring tools.
apps/sim/tools/exa/types.ts	Adds ExaCostDollars and costDollars? fields to four response interfaces, but the transformResponse implementations store cost under __costDollars. The public type declares a field that is always undefined at runtime, creating a misleading contract for consumers.
apps/sim/blocks/blocks/exa.ts	Splits the single apiKey subblock into two conditionally exclusive subblocks: one hidden when hosted (for all operations except exa_research) and one always visible (for exa_research). Follows the existing canonical-pair pattern correctly; both share the same id so they resolve to one underlying value.
apps/sim/lib/core/rate-limiter/hosted-key/hosted-key-rate-limiter.test.ts	Comprehensive test coverage for acquireKey (per-request and custom modes) and reportUsage, including error paths like storage failures, missing keys, and depleted dimensions. Tests correctly verify round-robin cycling and optimistic concurrency handling.
apps/sim/tools/index.test.ts	Adds substantial new test suites for hosted key injection, rate limiting/retry logic, and cost field handling. Tests properly mock isHosted, getBYOKKey, logFixedUsage, and the rate limiter. Some tests include soft assertions (if (result.output.cost)) that reduce coverage confidence on the billing path.
apps/sim/lib/core/rate-limiter/storage/db-token-bucket.ts	Fixes the token bucket SQL: the old ELSE ${rateLimitBucket.tokens} kept the bucket at its pre-consumption value when overdrawn (causing allowed = true incorrectly). New ELSE -1 correctly marks the bucket as overdrawn. This is a correctness fix; the intentional precision loss for overdraft tracking was accepted by the team.

Sequence Diagram

sequenceDiagram
    participant UI as Browser UI
    participant Serializer
    participant Executor as executeTool()
    participant BYOK as getBYOKKey()
    participant RateLimiter as HostedKeyRateLimiter
    participant DB as Token Bucket DB
    participant Exa as Exa API

    UI->>Serializer: Serialize workflow (key field hidden when hosted)
    Note over Serializer: isSubBlockHiddenByHostedKey skips field
    Serializer-->>Executor: params without key

    Executor->>Executor: injectHostedKeyIfNeeded()
    Executor->>BYOK: getBYOKKey(workspaceId, exa)
    alt BYOK key found
        BYOK-->>Executor: key result (no billing)
    else No BYOK key
        BYOK-->>Executor: null
        Executor->>RateLimiter: acquireKey(provider, prefix, config, actorId)
        RateLimiter->>DB: consumeTokens(actor bucket, 1)
        alt Actor rate limited
            DB-->>RateLimiter: allowed false
            RateLimiter-->>Executor: billingActorRateLimited true
            Executor-->>UI: Error 429
        else Within limit
            DB-->>RateLimiter: allowed true
            RateLimiter-->>Executor: success with hosted key
        end
    end

    loop executeWithRetry up to 3 retries on 429
        Executor->>Exa: executeToolRequest(params)
        alt 429 from Exa
            Exa-->>Executor: HTTP 429
            Note over Executor: Wait 1s then 2s then 4s
        else Success
            Exa-->>Executor: Response with cost data
        end
    end

    Executor->>Executor: applyHostedKeyCostToResult()
    Executor->>DB: logFixedUsage(userId, cost)
    Executor->>Executor: stripInternalFields removes internal fields
    Executor-->>UI: output with cost total and timing

Loading

Comments Outside Diff (3)

1. apps/sim/lib/core/rate-limiter/hosted-key/hosted-key-rate-limiter.ts, line 1118-1124 (link)

   Fail-open on storage errors bypasses rate limiting entirely

   Both checkActorRateLimit and preCheckDimensions catch storage errors and return null / silently skip the failing dimension, which causes the rate limiting to be fully bypassed when the database is unavailable:

   // checkActorRateLimit
   } catch (error) {
     logger.error(`Error checking billing actor rate limit for ${provider}`, { error, billingActorId })
     return null  // ← request is allowed through
   }
   
   // preCheckDimensions – same pattern
   } catch (error) {
     logger.error(`Error pre-checking dimension ${dimension.name} for ${provider}`, { error, billingActorId })
     // ← silently skips this dimension, request proceeds
   }

   If the DB becomes unavailable (even briefly), every workspace's actor-level rate limit and every custom dimension budget are silently bypassed. All requests are served using hosted Exa keys until the storage recovers, with no enforcement. This could cause a large uncontrolled spike in upstream Exa API usage during a storage outage.

   Consider failing closed (blocking requests) when storage fails, or at minimum adding a metric/alarm that fires on repeated storage errors so the ops team is notified promptly. If fail-open is the intentional policy, a comment explaining the decision would help future maintainers understand the tradeoff.

2. apps/sim/lib/core/rate-limiter/hosted-key/types.ts, line 1383-1384 (link)

   requestsPerMinute JSDoc misleads — actual effective limit is 2× due to burst

   The JSDoc says "Maximum requests per minute per billing actor (enforced - blocks if exceeded)", but toTokenBucketConfig sets maxTokens = requestsPerMinute * burstMultiplier (default 2). Token buckets start full, so a workspace can immediately issue 2× the stated limit as a burst before being throttled.

   For example, exa_answer with requestsPerMinute: 5 will allow 10 rapid requests before blocking, then refill at 5/minute.

   This is a standard token-bucket tradeoff (allowing short bursts while averaging to the target rate), but it is surprising to anyone reading the config value as a hard cap. Consider updating the JSDoc to clarify burst semantics:

   /**
    * Target sustained rate per minute per billing actor.
    * Due to burst buffering (maxTokens = requestsPerMinute * burstMultiplier),
    * the short-term effective limit may be up to `requestsPerMinute * burstMultiplier`.
    * @see DEFAULT_BURST_MULTIPLIER
    */
   requestsPerMinute: number

3. apps/sim/tools/exa/types.ts, line 1853-1855 (link)

   costDollars in output types will always be undefined at runtime

   The four response interfaces (ExaSearchResponse, ExaGetContentsResponse, ExaFindSimilarLinksResponse, ExaAnswerResponse) each add costDollars?: ExaCostDollars to their output type. However, all four transformResponse implementations store the Exa cost data under the key __costDollars (double-underscore prefix):

   // search.ts
   output: {
     results: ...,
     __costDollars: data.costDollars,  // stored as __costDollars
   }

   TypeScript consumers that read response.output.costDollars (relying on the declared type) will always get undefined. The real data lives at the untyped __costDollars key.

   Since __costDollars is intentionally an internal field (stripped before returning to users), it should not appear in the public output type at all. These costDollars? fields should either be removed from the four response interfaces, or the type should declare __costDollars as an internal field if it needs to be accessible within the pipeline.

_{Last reviewed commit: a0fc749}

[greptile-apps]

_{22 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[TheodoreSpeaks]

@cursor review @greptile review

[TheodoreSpeaks]

@greptile-apps review

[icecrasher321]

we're trying to avoid any annoations in the codebase -- can the function signature be updated with right shared type? if not use unknown

[icecrasher321]

we tend to avoid fallbacks like this -- is there a reason they might not give us costDollars? We want to fail loudly and fix the root cause if things don't work since hard to know when it flips to the fallback

[icecrasher321]

underscore to hide it from display as an internal field?

[icecrasher321]

nvm mentioned in the comment below, thanks

[TheodoreSpeaks]

Correct - basically wanted to account for being able to pass costDollars internally without needing it displayed to the customer, which is useful if we want to add a hosted key fee without the user getting confused.

[icecrasher321]

same here

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Unhandled pricing error crashes successful tool execution

High Severity

applyHostedKeyCostToResult and processHostedKeyCost have no error handling around calculateToolCost. If getCost throws (e.g., Exa API response missing __costDollars), the error propagates unhandled up to executeTool's outer catch block, turning a successful tool execution into a failed result. Since the API call already succeeded and the user already consumed the Exa resource, this silently discards the valid result over a billing calculation failure.

Additional Locations (1)

• apps/sim/tools/index.ts#L257-L269

 

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}