@askalf/dario 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 AskAlf
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,317 @@
+<p align="center">
+  <h1 align="center">dario</h1>
+  <p align="center"><strong>Use your Claude subscription as an API.</strong></p>
+  <p align="center">
+    Two commands. No API key. Your Claude Max/Pro subscription becomes a local API endpoint<br/>that any tool, SDK, or framework can use.
+  </p>
+</p>
+
+<p align="center">
+  <a href="#quick-start">Quick Start</a> &bull;
+  <a href="#how-it-works">How It Works</a> &bull;
+  <a href="#usage-examples">Examples</a> &bull;
+  <a href="#faq">FAQ</a>
+</p>
+
+---
+
+```bash
+npx dario login   # authenticate with Claude
+npx dario proxy   # start local API on :3456
+
+# now use it from anywhere
+export ANTHROPIC_BASE_URL=http://localhost:3456
+export ANTHROPIC_API_KEY=dario
+```
+
+That's it. Any tool that speaks the Anthropic API now uses your subscription.
+
+---
+
+## The Problem
+
+You pay $100-200/mo for Claude Max or Pro. But that subscription only works on claude.ai and Claude Code. If you want to use Claude with **any other tool** — OpenClaw, Cursor, Continue, Aider, your own scripts — you need a separate API key with separate billing.
+
+**dario fixes this.** It creates a local proxy that translates API key auth into your subscription's OAuth tokens. Your tools don't know the difference.
+
+## Quick Start
+
+### Install
+
+```bash
+npm install -g dario
+```
+
+Or use npx (no install needed):
+
+```bash
+npx dario login
+npx dario proxy
+```
+
+### Login
+
+```bash
+dario login
+```
+
+Opens your browser to Claude's OAuth page. Log in, authorize, paste the redirect URL back. Takes 10 seconds.
+
+### Start the proxy
+
+```bash
+dario proxy
+```
+
+```
+dario v1.0.0 — http://localhost:3456
+
+Your Claude subscription is now an API.
+
+Usage:
+  ANTHROPIC_BASE_URL=http://localhost:3456
+  ANTHROPIC_API_KEY=dario
+
+OAuth: healthy (expires in 11h 42m)
+```
+
+### Use it
+
+```bash
+# Set these two env vars — every Anthropic SDK respects them
+export ANTHROPIC_BASE_URL=http://localhost:3456
+export ANTHROPIC_API_KEY=dario
+
+# Now any tool just works
+openclaw start
+aider --model claude-opus-4-6
+continue  # in VS Code, set base URL in config
+python my_script.py
+```
+
+## Usage Examples
+
+### curl
+
+```bash
+curl http://localhost:3456/v1/messages \
+  -H "Content-Type: application/json" \
+  -H "anthropic-version: 2023-06-01" \
+  -d '{
+    "model": "claude-opus-4-6",
+    "max_tokens": 1024,
+    "messages": [{"role": "user", "content": "Hello!"}]
+  }'
+```
+
+### Python
+
+```python
+import anthropic
+
+client = anthropic.Anthropic(
+    base_url="http://localhost:3456",
+    api_key="dario"
+)
+
+message = client.messages.create(
+    model="claude-opus-4-6",
+    max_tokens=1024,
+    messages=[{"role": "user", "content": "Hello!"}]
+)
+print(message.content[0].text)
+```
+
+### TypeScript / Node.js
+
+```typescript
+import Anthropic from "@anthropic-ai/sdk";
+
+const client = new Anthropic({
+  baseURL: "http://localhost:3456",
+  apiKey: "dario",
+});
+
+const message = await client.messages.create({
+  model: "claude-opus-4-6",
+  max_tokens: 1024,
+  messages: [{ role: "user", content: "Hello!" }],
+});
+```
+
+### Streaming
+
+```bash
+curl http://localhost:3456/v1/messages \
+  -H "Content-Type: application/json" \
+  -H "anthropic-version: 2023-06-01" \
+  -d '{
+    "model": "claude-sonnet-4-6",
+    "max_tokens": 1024,
+    "stream": true,
+    "messages": [{"role": "user", "content": "Write a haiku about APIs"}]
+  }'
+```
+
+### With Other Tools
+
+```bash
+# OpenClaw
+ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario openclaw start
+
+# Aider
+ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario aider --model claude-opus-4-6
+
+# Any tool that uses ANTHROPIC_BASE_URL
+ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario your-tool-here
+```
+
+## How It Works
+
+```
+┌──────────┐     ┌─────────────────┐     ┌──────────────────┐
+│ Your App │ ──> │  dario (proxy)  │ ──> │ api.anthropic.com│
+│          │     │  localhost:3456  │     │                  │
+│ sends    │     │  swaps API key  │     │  sees valid      │
+│ API key  │     │  for OAuth      │     │  OAuth bearer    │
+│ "dario"  │     │  bearer token   │     │  token           │
+└──────────┘     └─────────────────┘     └──────────────────┘
+```
+
+1. **`dario login`** — Standard PKCE OAuth flow. Opens Claude's auth page in your browser. You authorize, dario stores the tokens locally in `~/.dario/credentials.json`. No server involved, no secrets leave your machine.
+
+2. **`dario proxy`** — Starts an HTTP server on localhost that implements the full [Anthropic Messages API](https://docs.anthropic.com/en/api/messages). When a request arrives, dario:
+   - Strips the incoming API key (you can use any string)
+   - Injects your OAuth access token as a Bearer header
+   - Forwards the request to `api.anthropic.com`
+   - Streams the response back to your app
+
+3. **Auto-refresh** — OAuth tokens expire. Dario refreshes them automatically in the background every 15 minutes. Refresh tokens rotate on each use. You never have to re-login unless you explicitly log out.
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `dario login` | Authenticate with your Claude account |
+| `dario proxy` | Start the local API proxy |
+| `dario status` | Check if your token is healthy |
+| `dario refresh` | Force an immediate token refresh |
+| `dario logout` | Delete stored credentials |
+| `dario help` | Show usage information |
+
+### Proxy Options
+
+| Flag | Description | Default |
+|------|-------------|---------|
+| `--port=PORT` | Port to listen on | `3456` |
+| `--verbose` / `-v` | Log every request with token counts | off |
+
+## Supported Features
+
+Everything the Anthropic Messages API supports:
+
+- All Claude models (`opus-4-6`, `sonnet-4-6`, `haiku-4-5`)
+- Streaming and non-streaming
+- Tool use / function calling
+- System prompts and multi-turn conversations
+- Prompt caching
+- Extended thinking
+- All `anthropic-beta` features (headers pass through)
+- CORS enabled (works from browser apps on localhost)
+
+## Endpoints
+
+| Path | Description |
+|------|-------------|
+| `POST /v1/messages` | Anthropic Messages API (main endpoint) |
+| `GET /health` | Proxy health + OAuth status + request count |
+| `GET /status` | Detailed OAuth token status |
+
+## Health Check
+
+```bash
+curl http://localhost:3456/health
+```
+
+```json
+{
+  "status": "ok",
+  "oauth": "healthy",
+  "expiresIn": "11h 42m",
+  "requests": 47
+}
+```
+
+## Security
+
+| Concern | How dario handles it |
+|---------|---------------------|
+| Credential storage | `~/.dario/credentials.json` with `0600` permissions (owner-only) |
+| OAuth flow | PKCE (Proof Key for Code Exchange) — no client secret needed |
+| Token transmission | OAuth tokens never leave localhost. Only forwarded to `api.anthropic.com` over HTTPS |
+| Network exposure | Proxy binds to `localhost` only — not accessible from other machines |
+| Token rotation | Refresh tokens rotate on every use (single-use) |
+| Data collection | Zero. No telemetry, no analytics, no phoning home |
+
+## FAQ
+
+**Does this violate Anthropic's terms of service?**
+Dario uses the same public OAuth client ID and PKCE flow that Claude Code uses. It authenticates you as you, with your subscription, through Anthropic's official OAuth endpoints. It doesn't bypass any access controls — it just bridges the auth method.
+
+**What subscription plans work?**
+Claude Max and Claude Pro. Any plan that lets you use Claude Code.
+
+**Does it work with Claude Team / Enterprise?**
+Should work if your plan includes Claude Code access. Not tested yet — please open an issue with results.
+
+**What happens when my token expires?**
+Dario auto-refreshes tokens 30 minutes before expiry. You should never see an auth error in normal use. If something goes wrong, `dario refresh` forces an immediate refresh, or `dario login` to re-authenticate.
+
+**Can I run this on a server?**
+Dario binds to localhost by default. For server use, you'd need to handle the initial browser-based login on a machine with a browser, then copy `~/.dario/credentials.json` to your server. Auto-refresh will keep it alive from there.
+
+**What's the rate limit?**
+Whatever your subscription plan provides. Dario doesn't add any limits — it's a transparent proxy.
+
+**Why "dario"?**
+Named after [Dario Amodei](https://en.wikipedia.org/wiki/Dario_Amodei), CEO of Anthropic.
+
+## Programmatic API
+
+Use dario as a library in your own Node.js app:
+
+```typescript
+import { startProxy, getAccessToken, getStatus } from "dario";
+
+// Start the proxy programmatically
+await startProxy({ port: 3456, verbose: true });
+
+// Or just get a raw access token
+const token = await getAccessToken();
+
+// Check token health
+const status = await getStatus();
+console.log(status.expiresIn); // "11h 42m"
+```
+
+## Contributing
+
+PRs welcome. The codebase is ~500 lines of TypeScript across 4 files:
+
+| File | Purpose |
+|------|---------|
+| `src/oauth.ts` | PKCE flow, token storage, refresh logic |
+| `src/proxy.ts` | HTTP proxy server |
+| `src/cli.ts` | CLI entry point |
+| `src/index.ts` | Library exports |
+
+```bash
+git clone https://github.com/askalf/dario
+cd dario
+npm install
+npm run dev   # runs with tsx (no build needed)
+```
+
+## License
+
+MIT

package/dist/cli.d.ts

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+/**
+ * dario — Use your Claude subscription as an API.
+ *
+ * Usage:
+ *   dario login     — Authenticate with your Claude account
+ *   dario status    — Check token health
+ *   dario proxy     — Start the API proxy (default: port 3456)
+ *   dario refresh   — Force token refresh
+ *   dario logout    — Remove saved credentials
+ */
+export {};

package/dist/cli.js

@@ -0,0 +1,181 @@
+#!/usr/bin/env node
+/**
+ * dario — Use your Claude subscription as an API.
+ *
+ * Usage:
+ *   dario login     — Authenticate with your Claude account
+ *   dario status    — Check token health
+ *   dario proxy     — Start the API proxy (default: port 3456)
+ *   dario refresh   — Force token refresh
+ *   dario logout    — Remove saved credentials
+ */
+import { createInterface } from 'node:readline';
+import { unlink } from 'node:fs/promises';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { startOAuthFlow, exchangeCode, getStatus, refreshTokens } from './oauth.js';
+import { startProxy } from './proxy.js';
+const args = process.argv.slice(2);
+const command = args[0] ?? 'proxy';
+function ask(question) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    return new Promise(resolve => {
+        rl.question(question, answer => {
+            rl.close();
+            resolve(answer.trim());
+        });
+    });
+}
+async function login() {
+    console.log('');
+    console.log('  dario — Claude OAuth Login');
+    console.log('  ─────────────────────────');
+    console.log('');
+    const { authUrl, codeVerifier } = startOAuthFlow();
+    console.log('  Step 1: Open this URL in your browser:');
+    console.log('');
+    console.log(`  ${authUrl}`);
+    console.log('');
+    console.log('  Step 2: Log in to your Claude account and authorize.');
+    console.log('');
+    console.log('  Step 3: After authorization, you\'ll be redirected to a page');
+    console.log('  that shows a code. Copy the FULL URL from your browser\'s');
+    console.log('  address bar (it contains the authorization code).');
+    console.log('');
+    const input = await ask('  Paste the redirect URL or authorization code: ');
+    // Extract code from URL or use raw input
+    let code = input;
+    try {
+        const url = new URL(input);
+        // Only extract from trusted Anthropic redirect URLs
+        if (url.hostname === 'platform.claude.com' || url.hostname === 'claude.ai') {
+            code = url.searchParams.get('code') ?? input;
+        }
+    }
+    catch {
+        // Not a URL, use as-is (raw code)
+    }
+    if (!code || code.length < 10 || code.length > 2048) {
+        console.error('  Invalid authorization code.');
+        process.exit(1);
+    }
+    try {
+        const tokens = await exchangeCode(code, codeVerifier);
+        const expiresIn = Math.round((tokens.expiresAt - Date.now()) / 60000);
+        console.log('');
+        console.log('  Login successful!');
+        console.log(`  Token expires in ${expiresIn} minutes (auto-refreshes).`);
+        console.log('');
+        console.log('  Run `dario proxy` to start the API proxy.');
+        console.log('');
+    }
+    catch (err) {
+        console.error('');
+        console.error(`  Login failed: ${err instanceof Error ? err.message : err}`);
+        console.error('  Try again with `dario login`.');
+        process.exit(1);
+    }
+}
+async function status() {
+    const s = await getStatus();
+    console.log('');
+    console.log('  dario — Status');
+    console.log('  ─────────────');
+    console.log('');
+    if (!s.authenticated) {
+        console.log(`  Status: ${s.status === 'expired' ? 'Expired (will auto-refresh)' : 'Not authenticated'}`);
+        if (s.status === 'none') {
+            console.log('  Run `dario login` to authenticate.');
+        }
+    }
+    else {
+        console.log(`  Status: ${s.status}`);
+        console.log(`  Expires in: ${s.expiresIn}`);
+    }
+    console.log('');
+}
+async function refresh() {
+    console.log('[dario] Refreshing token...');
+    try {
+        const tokens = await refreshTokens();
+        const expiresIn = Math.round((tokens.expiresAt - Date.now()) / 60000);
+        console.log(`[dario] Token refreshed. Expires in ${expiresIn} minutes.`);
+    }
+    catch (err) {
+        console.error(`[dario] Refresh failed: ${err instanceof Error ? err.message : err}`);
+        process.exit(1);
+    }
+}
+async function logout() {
+    const path = join(homedir(), '.dario', 'credentials.json');
+    try {
+        await unlink(path);
+        console.log('[dario] Credentials removed.');
+    }
+    catch {
+        console.log('[dario] No credentials found.');
+    }
+}
+async function proxy() {
+    const portArg = args.find(a => a.startsWith('--port='));
+    const port = portArg ? parseInt(portArg.split('=')[1]) : 3456;
+    const verbose = args.includes('--verbose') || args.includes('-v');
+    await startProxy({ port, verbose });
+}
+async function help() {
+    console.log(`
+  dario — Use your Claude subscription as an API.
+
+  Usage:
+    dario login              Authenticate with your Claude account
+    dario proxy [options]    Start the API proxy server
+    dario status             Check authentication status
+    dario refresh            Force token refresh
+    dario logout             Remove saved credentials
+
+  Proxy options:
+    --port=PORT              Port to listen on (default: 3456)
+    --verbose, -v            Log all requests
+
+  How it works:
+    1. Run \`dario login\` to authenticate with your Claude Max/Pro subscription
+    2. Run \`dario proxy\` to start a local API server
+    3. Point any Anthropic SDK at http://localhost:3456
+
+    Example with OpenClaw, or any tool that uses the Anthropic API:
+      ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario openclaw start
+
+    Example with the Anthropic Python SDK:
+      import anthropic
+      client = anthropic.Anthropic(base_url="http://localhost:3456", api_key="dario")
+
+    Example with curl:
+      curl http://localhost:3456/v1/messages \\
+        -H "Content-Type: application/json" \\
+        -d '{"model":"claude-sonnet-4-6","max_tokens":1024,"messages":[{"role":"user","content":"Hello"}]}'
+
+  Your subscription handles the billing. No API key needed.
+  Tokens auto-refresh in the background — set it and forget it.
+`);
+}
+// Main
+const commands = {
+    login,
+    status,
+    proxy,
+    refresh,
+    logout,
+    help,
+    '--help': help,
+    '-h': help,
+};
+const handler = commands[command];
+if (!handler) {
+    console.error(`Unknown command: ${command}`);
+    console.error('Run `dario help` for usage.');
+    process.exit(1);
+}
+handler().catch(err => {
+    console.error('Fatal error:', err);
+    process.exit(1);
+});

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * dario — programmatic API
+ *
+ * Use this if you want to embed dario in your own app
+ * instead of running the CLI.
+ */
+export { startOAuthFlow, exchangeCode, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
+export type { OAuthTokens, CredentialsFile } from './oauth.js';
+export { startProxy } from './proxy.js';

package/dist/index.js

@@ -0,0 +1,8 @@
+/**
+ * dario — programmatic API
+ *
+ * Use this if you want to embed dario in your own app
+ * instead of running the CLI.
+ */
+export { startOAuthFlow, exchangeCode, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
+export { startProxy } from './proxy.js';

package/dist/oauth.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Dario — Claude OAuth Engine
+ *
+ * Full PKCE OAuth flow for Claude subscriptions.
+ * Handles authorization, token exchange, storage, and auto-refresh.
+ */
+export interface OAuthTokens {
+    accessToken: string;
+    refreshToken: string;
+    expiresAt: number;
+    scopes: string[];
+}
+export interface CredentialsFile {
+    claudeAiOauth: OAuthTokens;
+}
+export declare function loadCredentials(): Promise<CredentialsFile | null>;
+/**
+ * Start the OAuth flow. Returns the authorization URL and PKCE state
+ * needed for the exchange step.
+ */
+export declare function startOAuthFlow(): {
+    authUrl: string;
+    state: string;
+    codeVerifier: string;
+};
+/**
+ * Exchange authorization code for tokens and save them.
+ */
+export declare function exchangeCode(code: string, codeVerifier: string): Promise<OAuthTokens>;
+/**
+ * Refresh the access token using the refresh token.
+ * Retries with exponential backoff on transient failures.
+ */
+export declare function refreshTokens(): Promise<OAuthTokens>;
+/**
+ * Get a valid access token, refreshing if needed.
+ */
+export declare function getAccessToken(): Promise<string>;
+/**
+ * Get token status info.
+ */
+export declare function getStatus(): Promise<{
+    authenticated: boolean;
+    status: 'healthy' | 'expiring' | 'expired' | 'none';
+    expiresAt?: number;
+    expiresIn?: string;
+}>;

package/dist/oauth.js

@@ -0,0 +1,185 @@
+/**
+ * Dario — Claude OAuth Engine
+ *
+ * Full PKCE OAuth flow for Claude subscriptions.
+ * Handles authorization, token exchange, storage, and auto-refresh.
+ */
+import { randomBytes, createHash } from 'node:crypto';
+import { readFile, writeFile, mkdir, chmod } from 'node:fs/promises';
+import { dirname, join } from 'node:path';
+import { homedir } from 'node:os';
+// Claude CLI's public OAuth client (PKCE, no secret needed)
+const OAUTH_CLIENT_ID = '9d1c250a-e61b-44d9-88ed-5944d1962f5e';
+const OAUTH_AUTHORIZE_URL = 'https://claude.ai/oauth/authorize';
+const OAUTH_TOKEN_URL = 'https://platform.claude.com/v1/oauth/token';
+const OAUTH_REDIRECT_URI = 'https://platform.claude.com/oauth/code/callback';
+// Refresh 30 min before expiry
+const REFRESH_BUFFER_MS = 30 * 60 * 1000;
+function base64url(buf) {
+    return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function generatePKCE() {
+    const codeVerifier = base64url(randomBytes(32));
+    const codeChallenge = base64url(createHash('sha256').update(codeVerifier).digest());
+    return { codeVerifier, codeChallenge };
+}
+function getCredentialsPath() {
+    return join(homedir(), '.dario', 'credentials.json');
+}
+export async function loadCredentials() {
+    try {
+        const raw = await readFile(getCredentialsPath(), 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+async function saveCredentials(creds) {
+    const path = getCredentialsPath();
+    await mkdir(dirname(path), { recursive: true });
+    // Write atomically: write to temp file, then rename
+    const tmpPath = `${path}.tmp.${Date.now()}`;
+    await writeFile(tmpPath, JSON.stringify(creds, null, 2), { mode: 0o600 });
+    const { rename } = await import('node:fs/promises');
+    await rename(tmpPath, path);
+    // Set permissions (best-effort — no-op on Windows where mode is ignored)
+    try {
+        await chmod(path, 0o600);
+    }
+    catch { /* Windows ignores file modes */ }
+}
+/**
+ * Start the OAuth flow. Returns the authorization URL and PKCE state
+ * needed for the exchange step.
+ */
+export function startOAuthFlow() {
+    const { codeVerifier, codeChallenge } = generatePKCE();
+    const state = base64url(randomBytes(16));
+    const params = new URLSearchParams({
+        response_type: 'code',
+        client_id: OAUTH_CLIENT_ID,
+        redirect_uri: OAUTH_REDIRECT_URI,
+        scope: 'user:inference user:profile',
+        state,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+    });
+    return {
+        authUrl: `${OAUTH_AUTHORIZE_URL}?${params.toString()}`,
+        state,
+        codeVerifier,
+    };
+}
+/**
+ * Exchange authorization code for tokens and save them.
+ */
+export async function exchangeCode(code, codeVerifier) {
+    const res = await fetch(OAUTH_TOKEN_URL, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+            grant_type: 'authorization_code',
+            client_id: OAUTH_CLIENT_ID,
+            code,
+            redirect_uri: OAUTH_REDIRECT_URI,
+            code_verifier: codeVerifier,
+        }),
+    });
+    if (!res.ok) {
+        const err = await res.text().catch(() => 'Unknown error');
+        throw new Error(`Token exchange failed (${res.status}): ${err}`);
+    }
+    const data = await res.json();
+    const tokens = {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        expiresAt: Date.now() + data.expires_in * 1000,
+        scopes: data.scope?.split(' ') || ['user:inference'],
+    };
+    await saveCredentials({ claudeAiOauth: tokens });
+    return tokens;
+}
+/**
+ * Refresh the access token using the refresh token.
+ * Retries with exponential backoff on transient failures.
+ */
+export async function refreshTokens() {
+    const creds = await loadCredentials();
+    if (!creds?.claudeAiOauth?.refreshToken) {
+        throw new Error('No refresh token available. Run `dario login` first.');
+    }
+    const oauth = creds.claudeAiOauth;
+    for (let attempt = 0; attempt < 3; attempt++) {
+        if (attempt > 0)
+            await new Promise(r => setTimeout(r, 1000 * Math.pow(2, attempt)));
+        const res = await fetch(OAUTH_TOKEN_URL, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: new URLSearchParams({
+                grant_type: 'refresh_token',
+                refresh_token: oauth.refreshToken,
+                client_id: OAUTH_CLIENT_ID,
+            }),
+            signal: AbortSignal.timeout(15000),
+        });
+        if (!res.ok) {
+            if (res.status === 401 || res.status === 403) {
+                throw new Error(`Refresh token rejected (${res.status}). Run \`dario login\` to re-authenticate.`);
+            }
+            continue;
+        }
+        const data = await res.json();
+        const tokens = {
+            ...oauth,
+            accessToken: data.access_token,
+            refreshToken: data.refresh_token,
+            expiresAt: Date.now() + data.expires_in * 1000,
+        };
+        await saveCredentials({ claudeAiOauth: tokens });
+        return tokens;
+    }
+    throw new Error('Token refresh failed after 3 attempts');
+}
+/**
+ * Get a valid access token, refreshing if needed.
+ */
+export async function getAccessToken() {
+    const creds = await loadCredentials();
+    if (!creds?.claudeAiOauth) {
+        throw new Error('Not authenticated. Run `dario login` first.');
+    }
+    const oauth = creds.claudeAiOauth;
+    // Still valid
+    if (oauth.expiresAt > Date.now() + REFRESH_BUFFER_MS) {
+        return oauth.accessToken;
+    }
+    // Need refresh
+    console.log('[dario] Token expiring soon, refreshing...');
+    const refreshed = await refreshTokens();
+    return refreshed.accessToken;
+}
+/**
+ * Get token status info.
+ */
+export async function getStatus() {
+    const creds = await loadCredentials();
+    if (!creds?.claudeAiOauth?.accessToken) {
+        return { authenticated: false, status: 'none' };
+    }
+    const { expiresAt } = creds.claudeAiOauth;
+    const now = Date.now();
+    if (expiresAt < now) {
+        return { authenticated: false, status: 'expired', expiresAt };
+    }
+    const ms = expiresAt - now;
+    const hours = Math.floor(ms / 3600000);
+    const mins = Math.floor((ms % 3600000) / 60000);
+    const expiresIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
+    return {
+        authenticated: true,
+        status: ms < REFRESH_BUFFER_MS ? 'expiring' : 'healthy',
+        expiresAt,
+        expiresIn,
+    };
+}

package/dist/proxy.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Dario — API Proxy Server
+ *
+ * Sits between your app and the Anthropic API.
+ * Transparently swaps API key auth for OAuth bearer tokens.
+ *
+ * Point any Anthropic SDK client at http://localhost:3456 and it just works.
+ * No API key needed — your Claude subscription pays for it.
+ */
+interface ProxyOptions {
+    port?: number;
+    verbose?: boolean;
+}
+export declare function startProxy(opts?: ProxyOptions): Promise<void>;
+export {};

package/dist/proxy.js

@@ -0,0 +1,208 @@
+/**
+ * Dario — API Proxy Server
+ *
+ * Sits between your app and the Anthropic API.
+ * Transparently swaps API key auth for OAuth bearer tokens.
+ *
+ * Point any Anthropic SDK client at http://localhost:3456 and it just works.
+ * No API key needed — your Claude subscription pays for it.
+ */
+import { createServer } from 'node:http';
+import { getAccessToken, getStatus } from './oauth.js';
+const ANTHROPIC_API = 'https://api.anthropic.com';
+const DEFAULT_PORT = 3456;
+const MAX_BODY_BYTES = 10 * 1024 * 1024; // 10 MB — generous for large prompts, prevents abuse
+const ALLOWED_PATH_PREFIX = '/v1/'; // Only proxy Anthropic API paths
+const LOCALHOST = '127.0.0.1';
+const CORS_ORIGIN = 'http://localhost';
+function sanitizeError(err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    // Never leak tokens in error messages
+    return msg.replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]');
+}
+export async function startProxy(opts = {}) {
+    const port = opts.port ?? DEFAULT_PORT;
+    const verbose = opts.verbose ?? false;
+    // Verify auth before starting
+    const status = await getStatus();
+    if (!status.authenticated) {
+        console.error('[dario] Not authenticated. Run `dario login` first.');
+        process.exit(1);
+    }
+    let requestCount = 0;
+    let tokenCostEstimate = 0;
+    const server = createServer(async (req, res) => {
+        // CORS preflight
+        if (req.method === 'OPTIONS') {
+            res.writeHead(204, {
+                'Access-Control-Allow-Origin': CORS_ORIGIN,
+                'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+                'Access-Control-Allow-Headers': 'Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta',
+                'Access-Control-Max-Age': '86400',
+            });
+            res.end();
+            return;
+        }
+        // Health check
+        if (req.url === '/health' || req.url === '/') {
+            const s = await getStatus();
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({
+                status: 'ok',
+                oauth: s.status,
+                expiresIn: s.expiresIn,
+                requests: requestCount,
+            }));
+            return;
+        }
+        // Status endpoint
+        if (req.url === '/status') {
+            const s = await getStatus();
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify(s));
+            return;
+        }
+        // Only allow proxying to /v1/* paths — block path traversal
+        const urlPath = req.url?.split('?')[0] ?? '';
+        if (!urlPath.startsWith(ALLOWED_PATH_PREFIX)) {
+            res.writeHead(403, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'Forbidden', message: `Only ${ALLOWED_PATH_PREFIX}* paths are proxied` }));
+            return;
+        }
+        // Only allow POST (Messages API) and GET (models, etc)
+        if (req.method !== 'POST' && req.method !== 'GET') {
+            res.writeHead(405, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'Method not allowed' }));
+            return;
+        }
+        // Proxy to Anthropic
+        try {
+            const accessToken = await getAccessToken();
+            requestCount++;
+            // Read request body with size limit
+            const chunks = [];
+            let totalBytes = 0;
+            for await (const chunk of req) {
+                const buf = typeof chunk === 'string' ? Buffer.from(chunk) : chunk;
+                totalBytes += buf.length;
+                if (totalBytes > MAX_BODY_BYTES) {
+                    res.writeHead(413, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ error: 'Request body too large', max: `${MAX_BODY_BYTES / 1024 / 1024}MB` }));
+                    return;
+                }
+                chunks.push(buf);
+            }
+            const body = Buffer.concat(chunks);
+            if (verbose) {
+                console.log(`[dario] #${requestCount} ${req.method} ${req.url}`);
+            }
+            // Forward to Anthropic with OAuth token + required beta flag
+            const targetUrl = `${ANTHROPIC_API}${req.url}`;
+            // Merge any client-provided beta flags with the required oauth flag
+            const clientBeta = req.headers['anthropic-beta'];
+            const betaFlags = new Set(['oauth-2025-04-20']);
+            if (clientBeta) {
+                for (const flag of clientBeta.split(',')) {
+                    const trimmed = flag.trim();
+                    if (trimmed.length > 0 && trimmed.length < 100)
+                        betaFlags.add(trimmed);
+                }
+            }
+            const headers = {
+                'Authorization': `Bearer ${accessToken}`,
+                'Content-Type': 'application/json',
+                'anthropic-version': req.headers['anthropic-version'] || '2023-06-01',
+                'anthropic-beta': [...betaFlags].join(','),
+                'x-app': 'cli',
+            };
+            const upstream = await fetch(targetUrl, {
+                method: req.method ?? 'POST',
+                headers,
+                body: body.length > 0 ? body : undefined,
+                // @ts-expect-error — duplex needed for streaming
+                duplex: 'half',
+            });
+            // Detect streaming from content-type (reliable) or body (fallback)
+            const contentType = upstream.headers.get('content-type') ?? '';
+            const isStream = contentType.includes('text/event-stream');
+            // Forward response headers
+            const responseHeaders = {
+                'Content-Type': contentType || 'application/json',
+                'Access-Control-Allow-Origin': CORS_ORIGIN,
+            };
+            // Forward rate limit headers
+            for (const h of ['x-ratelimit-limit-requests', 'x-ratelimit-limit-tokens', 'x-ratelimit-remaining-requests', 'x-ratelimit-remaining-tokens', 'request-id']) {
+                const v = upstream.headers.get(h);
+                if (v)
+                    responseHeaders[h] = v;
+            }
+            res.writeHead(upstream.status, responseHeaders);
+            if (isStream && upstream.body) {
+                // Stream SSE chunks through
+                const reader = upstream.body.getReader();
+                try {
+                    while (true) {
+                        const { done, value } = await reader.read();
+                        if (done)
+                            break;
+                        res.write(value);
+                    }
+                }
+                catch (err) {
+                    if (verbose)
+                        console.error('[dario] Stream error:', sanitizeError(err));
+                }
+                res.end();
+            }
+            else {
+                // Buffer and forward
+                const responseBody = await upstream.text();
+                res.end(responseBody);
+                // Quick token estimate for logging
+                if (verbose && responseBody) {
+                    try {
+                        const parsed = JSON.parse(responseBody);
+                        if (parsed.usage) {
+                            const tokens = (parsed.usage.input_tokens ?? 0) + (parsed.usage.output_tokens ?? 0);
+                            tokenCostEstimate += tokens;
+                            console.log(`[dario] #${requestCount} ${upstream.status} — ${tokens} tokens (session total: ${tokenCostEstimate})`);
+                        }
+                    }
+                    catch { /* not JSON, skip */ }
+                }
+            }
+        }
+        catch (err) {
+            console.error('[dario] Proxy error:', sanitizeError(err));
+            res.writeHead(502, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'Proxy error', message: sanitizeError(err) }));
+        }
+    });
+    server.listen(port, LOCALHOST, () => {
+        const oauthLine = `OAuth: ${status.status} (expires in ${status.expiresIn})`;
+        console.log('');
+        console.log(`  dario v1.0.0 — http://localhost:${port}`);
+        console.log('');
+        console.log('  Your Claude subscription is now an API.');
+        console.log('');
+        console.log('  Usage:');
+        console.log(`    ANTHROPIC_BASE_URL=http://localhost:${port}`);
+        console.log('    ANTHROPIC_API_KEY=dario');
+        console.log('');
+        console.log(`  ${oauthLine}`);
+        console.log('');
+    });
+    // Periodic token refresh (every 15 minutes)
+    setInterval(async () => {
+        try {
+            const s = await getStatus();
+            if (s.status === 'expiring') {
+                console.log('[dario] Token expiring, refreshing...');
+                await getAccessToken(); // triggers refresh
+            }
+        }
+        catch (err) {
+            console.error('[dario] Background refresh error:', err instanceof Error ? err.message : err);
+        }
+    }, 15 * 60 * 1000);
+}

package/package.json

@@ -0,0 +1,64 @@
+{
+  "name": "@askalf/dario",
+  "version": "1.0.0",
+  "description": "Use your Claude subscription as an API. Two commands, no API key. OAuth bridge for Claude Max/Pro.",
+  "type": "module",
+  "bin": {
+    "dario": "./dist/cli.js"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build",
+    "start": "node dist/cli.js",
+    "dev": "tsx src/cli.ts"
+  },
+  "keywords": [
+    "claude",
+    "anthropic",
+    "oauth",
+    "proxy",
+    "api",
+    "bridge",
+    "subscription",
+    "claude-max",
+    "claude-pro",
+    "llm",
+    "ai",
+    "cli",
+    "developer-tools"
+  ],
+  "author": "askalf",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/askalf/dario.git"
+  },
+  "homepage": "https://github.com/askalf/dario",
+  "bugs": {
+    "url": "https://github.com/askalf/dario/issues"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@anthropic-ai/sdk": "^0.39.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.7.0",
+    "tsx": "^4.19.0",
+    "@types/node": "^22.0.0"
+  }
+}