@askalf/dario 1.1.3 → 1.2.1

package/README.md

@@ -2,10 +2,18 @@
   <h1 align="center">dario</h1>
   <p align="center"><strong>Use your Claude subscription as an API.</strong></p>
   <p align="center">
-    Two commands. No API key. Your Claude Max/Pro subscription becomes a local API endpoint<br/>that any tool, SDK, or framework can use.
+    No API key needed. Your Claude Max/Pro subscription becomes a local API endpoint<br/>that any tool, SDK, or framework can use.
   </p>
 </p>
 
+<p align="center">
+  <a href="https://www.npmjs.com/package/@askalf/dario"><img src="https://img.shields.io/npm/v/@askalf/dario?color=blue" alt="npm version"></a>
+  <a href="https://github.com/askalf/dario/actions/workflows/ci.yml"><img src="https://github.com/askalf/dario/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
+  <a href="https://github.com/askalf/dario/actions/workflows/codeql.yml"><img src="https://github.com/askalf/dario/actions/workflows/codeql.yml/badge.svg" alt="CodeQL"></a>
+  <a href="https://github.com/askalf/dario/blob/master/LICENSE"><img src="https://img.shields.io/npm/l/@askalf/dario" alt="License"></a>
+  <a href="https://www.npmjs.com/package/@askalf/dario"><img src="https://img.shields.io/npm/dm/@askalf/dario" alt="Downloads"></a>
+</p>
+
 <p align="center">
   <a href="#quick-start">Quick Start</a> &bull;
   <a href="#how-it-works">How It Works</a> &bull;
@@ -17,8 +25,7 @@
 ---
 
 ```bash
-npx @askalf/dario login   # authenticate with Claude
-npx @askalf/dario proxy   # start local API on :3456
+npx @askalf/dario login   # detects Claude Code credentials, starts proxy
 
 # now use it from anywhere
 export ANTHROPIC_BASE_URL=http://localhost:3456
@@ -33,12 +40,18 @@ That's it. Any tool that speaks the Anthropic API now uses your subscription.
 
 You pay $100-200/mo for Claude Max or Pro. But that subscription only works on claude.ai and Claude Code. If you want to use Claude with **any other tool** — OpenClaw, Cursor, Continue, Aider, your own scripts — you need a separate API key with separate billing.
 
-**Note:** Claude subscriptions have [usage limits](https://support.claude.com/en/articles/11647753-how-do-usage-and-length-limits-work) that reset on rolling 5-hour and 7-day windows. When exceeded, Opus and Sonnet may return 429 errors while Haiku continues working. Use `--cli` mode to route through Claude Code's binary, which is not affected by these limits.
+**Note:** Claude subscriptions have [usage limits](https://support.claude.com/en/articles/11647753-how-do-usage-and-length-limits-work) that reset on rolling 5-hour and 7-day windows. When exceeded, Opus and Sonnet may return 429 errors while Haiku continues working. You can check your utilization via Claude Code's `/usage` command or [statusline](https://code.claude.com/docs/en/statusline). Use `--cli` mode to route through Claude Code's binary, which is not affected by these limits.
 
 **dario fixes this.** It creates a local proxy that translates API key auth into your subscription's OAuth tokens — and with `--cli` mode, routes through the Claude Code binary for uninterrupted access.
 
 ## Quick Start
 
+### Prerequisites
+
+[Claude Code](https://docs.anthropic.com/en/docs/claude-code/overview) installed and logged in (recommended). Dario detects your existing Claude Code credentials automatically.
+
+If Claude Code isn't installed, dario runs its own OAuth flow — opens your browser, you authorize, done.
+
 ### Install
 
 ```bash
@@ -49,7 +62,6 @@ Or use npx (no install needed):
 
 ```bash
 npx @askalf/dario login
-npx @askalf/dario proxy
 ```
 
 ### Login
@@ -58,7 +70,8 @@ npx @askalf/dario proxy
 dario login
 ```
 
-Opens your browser to Claude's OAuth page. Log in, authorize, paste the redirect URL back. Takes 10 seconds.
+- **With Claude Code installed:** Detects your credentials automatically and starts the proxy. No browser needed.
+- **Without Claude Code:** Opens your browser to Claude's OAuth page. Authorize, and dario captures the token automatically via a local callback server. Then run `dario proxy` to start the server.
 
 ### Start the proxy
 
@@ -115,8 +128,6 @@ Backend: Claude CLI (bypasses rate limits)
 Model: claude-opus-4-6 (all requests)
 ```
 
-**Requirements:** Claude Code must be installed (`npm install -g @anthropic-ai/claude-code` or already installed via the desktop app).
-
 **Trade-offs vs direct API mode:**
 
 | | Direct API (default) | CLI Backend (`--cli`) |
@@ -249,7 +260,7 @@ ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario your-tool-here
 └──────────┘     └─────────────────┘     └──────────────────┘
 ```
 
-1. **`dario login`** — Standard PKCE OAuth flow. Opens Claude's auth page in your browser. You authorize, dario stores the tokens locally in `~/.dario/credentials.json`. No server involved, no secrets leave your machine.
+1. **`dario login`** — Detects your existing Claude Code credentials (`~/.claude/.credentials.json`) and starts the proxy automatically. If Claude Code isn't installed, runs a PKCE OAuth flow with a local callback server to capture the token automatically.
 
 2. **`dario proxy`** — Starts an HTTP server on localhost that implements the Anthropic Messages API. In direct mode, it swaps your API key for an OAuth bearer token. In CLI mode, it routes through the Claude Code binary.
 
@@ -259,7 +270,7 @@ ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario your-tool-here
 
 | Command | Description |
 |---------|-------------|
-| `dario login` | Authenticate with your Claude account |
+| `dario login` | Detect credentials and start proxy |
 | `dario proxy` | Start the local API proxy |
 | `dario status` | Check if your token is healthy |
 | `dario refresh` | Force an immediate token refresh |
@@ -319,11 +330,11 @@ curl http://localhost:3456/health
 
 | Concern | How dario handles it |
 |---------|---------------------|
-| Credential storage | `~/.dario/credentials.json` with `0600` permissions (owner-only) |
+| Credential storage | Reads from Claude Code (`~/.claude/.credentials.json`) or its own store (`~/.dario/credentials.json`) with `0600` permissions |
 | OAuth flow | PKCE (Proof Key for Code Exchange) — no client secret needed |
 | Token transmission | OAuth tokens never leave localhost. Only forwarded to `api.anthropic.com` over HTTPS |
 | Network exposure | Proxy binds to `127.0.0.1` only — not accessible from other machines |
-| SSRF protection | Allowlisted API paths only. Internal networks and cloud metadata blocked |
+| SSRF protection | Hardcoded allowlist of API paths — only `/v1/messages`, `/v1/models`, `/v1/complete` are proxied |
 | Token rotation | Refresh tokens rotate on every use (single-use) |
 | Error sanitization | Token patterns redacted from all error messages |
 | Data collection | Zero. No telemetry, no analytics, no phoning home |
@@ -331,7 +342,7 @@ curl http://localhost:3456/health
 ## FAQ
 
 **Does this violate Anthropic's terms of service?**
-Dario uses the same public OAuth client ID and PKCE flow that Claude Code uses. It authenticates you as you, with your subscription, through Anthropic's official OAuth endpoints. The `--cli` mode literally uses Claude Code itself as the backend.
+Dario uses your existing Claude Code credentials with the same OAuth tokens. It authenticates you as you, with your subscription, through Anthropic's official API. The `--cli` mode literally uses Claude Code itself as the backend.
 
 **What subscription plans work?**
 Claude Max and Claude Pro. Any plan that lets you use Claude Code.
@@ -339,17 +350,20 @@ Claude Max and Claude Pro. Any plan that lets you use Claude Code.
 **Does it work with Claude Team / Enterprise?**
 Should work if your plan includes Claude Code access. Not tested yet — please open an issue with results.
 
+**Do I need Claude Code installed?**
+Recommended but not required. If Claude Code is installed and logged in, `dario login` picks up your credentials automatically. Without Claude Code, dario runs its own OAuth flow to authenticate directly. Note: `--cli` mode requires Claude Code (`npm install -g @anthropic-ai/claude-code`).
+
 **What happens when my token expires?**
-Dario auto-refreshes tokens 30 minutes before expiry. You should never see an auth error in normal use. If something goes wrong, `dario refresh` forces an immediate refresh, or `dario login` to re-authenticate.
+Dario auto-refreshes tokens 30 minutes before expiry. You should never see an auth error in normal use. If something goes wrong, `dario refresh` forces an immediate refresh.
 
 **I'm getting rate limited on Opus. What do I do?**
 Use `--cli` mode: `dario proxy --cli`. This routes through the Claude Code binary, which continues working when direct API calls are rate limited. You can also enable [extra usage](https://support.claude.com/en/articles/12429409-manage-extra-usage-for-paid-claude-plans) in your Anthropic account settings to extend your limits at API rates.
 
 **What are the usage limits?**
-Claude subscriptions have rolling 5-hour and 7-day usage windows shared across claude.ai and Claude Code. See [Anthropic's docs](https://support.claude.com/en/articles/11647753-how-do-usage-and-length-limits-work) for details. Check your current status with `echo "hi" | ANTHROPIC_LOG=debug claude --print --model claude-haiku-4-5 2>&1 | grep ratelimit`.
+Claude subscriptions have rolling 5-hour and 7-day usage windows shared across claude.ai and Claude Code. See [Anthropic's docs](https://support.claude.com/en/articles/11647753-how-do-usage-and-length-limits-work) for details. In Claude Code, use `/usage` to check your current limits, or configure the [statusline](https://code.claude.com/docs/en/statusline) to show real-time 5h and 7d utilization percentages.
 
 **Can I run this on a server?**
-Dario binds to localhost by default. For server use, you'd need to handle the initial browser-based login on a machine with a browser, then copy `~/.dario/credentials.json` to your server. Auto-refresh will keep it alive from there.
+Dario binds to localhost by default. For server use, you'd need to handle the initial login on a machine with a browser, then copy `~/.claude/.credentials.json` (or `~/.dario/credentials.json`) to your server. Auto-refresh will keep it alive from there.
 
 **Why "dario"?**
 Named after [Dario Amodei](https://en.wikipedia.org/wiki/Dario_Amodei), CEO of Anthropic.
@@ -375,13 +389,39 @@ const status = await getStatus();
 console.log(status.expiresIn); // "11h 42m"
 ```
 
+## Trust & Transparency
+
+Dario handles your OAuth tokens. Here's why you can trust it:
+
+| Signal | Status |
+|--------|--------|
+| **Source code** | ~1000 lines of TypeScript — small enough to read in one sitting |
+| **Dependencies** | 1 production dep (`@anthropic-ai/sdk`). Verify: `npm ls --production` |
+| **npm provenance** | Every release is [SLSA attested](https://www.npmjs.com/package/@askalf/dario) via GitHub Actions |
+| **Security scanning** | [CodeQL](https://github.com/askalf/dario/actions/workflows/codeql.yml) runs on every push and weekly |
+| **Credential handling** | Tokens never logged, redacted from errors, stored with 0600 permissions |
+| **Network scope** | Binds to 127.0.0.1 only. Upstream traffic goes exclusively to `api.anthropic.com` over HTTPS |
+| **No telemetry** | Zero analytics, tracking, or data collection of any kind |
+| **Audit trail** | [CHANGELOG.md](CHANGELOG.md) documents every release |
+| **Branch protection** | CI must pass before merge. CODEOWNERS enforces review |
+
+Verify the npm package matches this repo:
+
+```bash
+# Check provenance attestation
+npm audit signatures 2>/dev/null; npm view @askalf/dario dist.integrity
+
+# Check dependency tree (should be minimal)
+cd $(npm root -g)/@askalf/dario && npm ls --production
+```
+
 ## Contributing
 
-PRs welcome. The codebase is ~700 lines of TypeScript across 4 files:
+PRs welcome. The codebase is ~1000 lines of TypeScript across 4 files:
 
 | File | Purpose |
 |------|---------|
-| `src/oauth.ts` | PKCE flow, token storage, refresh logic |
+| `src/oauth.ts` | Token storage, refresh logic, Claude Code credential detection, auto OAuth flow |
 | `src/proxy.ts` | HTTP proxy server + CLI backend |
 | `src/cli.ts` | CLI entry point |
 | `src/index.ts` | Library exports |

package/dist/cli.js

@@ -9,60 +9,39 @@
  *   dario refresh   — Force token refresh
  *   dario logout    — Remove saved credentials
  */
-import { createInterface } from 'node:readline';
-import { unlink } from 'node:fs/promises';
+import { readFile, unlink } from 'node:fs/promises';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
-import { startOAuthFlow, exchangeCode, getStatus, refreshTokens } from './oauth.js';
+import { startAutoOAuthFlow, getStatus, refreshTokens } from './oauth.js';
 import { startProxy } from './proxy.js';
 const args = process.argv.slice(2);
 const command = args[0] ?? (process.stdin.isTTY ? 'proxy' : 'proxy');
-function ask(question) {
-    const rl = createInterface({ input: process.stdin, output: process.stdout });
-    return new Promise(resolve => {
-        rl.question(question, answer => {
-            rl.close();
-            resolve(answer.trim());
-        });
-    });
-}
 async function login() {
     console.log('');
-    console.log('  dario — Claude OAuth Login');
-    console.log('  ─────────────────────────');
-    console.log('');
-    const { authUrl, codeVerifier } = startOAuthFlow();
-    console.log('  Step 1: Open this URL in your browser:');
-    console.log('');
-    console.log(`  ${authUrl}`);
+    console.log('  dario — Claude Login');
+    console.log('  ───────────────────');
     console.log('');
-    console.log('  Step 2: Log in to your Claude account and authorize.');
-    console.log('');
-    console.log('  Step 3: After authorization, you\'ll be redirected to a page');
-    console.log('  that shows a code. Copy the FULL URL from your browser\'s');
-    console.log('  address bar (it contains the authorization code).');
-    console.log('');
-    const input = await ask('  Paste the redirect URL or authorization code: ');
-    // Extract code from URL or use raw input
-    let code = input;
+    // Check if Claude Code credentials exist
+    const ccPath = join(homedir(), '.claude', '.credentials.json');
     try {
-        const url = new URL(input);
-        // Only extract from trusted Anthropic redirect URLs
-        if (url.hostname === 'platform.claude.com' || url.hostname === 'claude.ai') {
-            code = url.searchParams.get('code') ?? input;
+        const raw = await readFile(ccPath, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed?.claudeAiOauth?.accessToken && parsed?.claudeAiOauth?.refreshToken) {
+            const expiresAt = parsed.claudeAiOauth.expiresAt;
+            if (expiresAt > Date.now()) {
+                console.log('  Found Claude Code credentials. Starting proxy...');
+                console.log('');
+                await proxy();
+                return;
+            }
         }
     }
-    catch {
-        // Not a URL, use as-is (raw code)
-    }
-    if (!code || code.length < 10 || code.length > 2048) {
-        console.error('  Invalid authorization code.');
-        process.exit(1);
-    }
+    catch { /* no Claude Code credentials, fall through to OAuth */ }
+    console.log('  No Claude Code credentials found. Starting OAuth flow...');
+    console.log('');
     try {
-        const tokens = await exchangeCode(code, codeVerifier);
+        const tokens = await startAutoOAuthFlow();
         const expiresIn = Math.round((tokens.expiresAt - Date.now()) / 60000);
-        console.log('');
         console.log('  Login successful!');
         console.log(`  Token expires in ${expiresIn} minutes (auto-refreshes).`);
         console.log('');
@@ -142,7 +121,7 @@ async function help() {
   dario — Use your Claude subscription as an API.
 
   Usage:
-    dario login              Authenticate with your Claude account
+    dario login              Detect credentials + start proxy (or run OAuth)
     dario proxy [options]    Start the API proxy server
     dario status             Check authentication status
     dario refresh            Force token refresh
@@ -151,27 +130,25 @@ async function help() {
   Proxy options:
     --model=MODEL            Force a model for all requests
                              Shortcuts: opus, sonnet, haiku
+                             Full IDs: claude-opus-4-6, claude-sonnet-4-6
                              Default: passthrough (client decides)
     --cli                    Use Claude CLI as backend (bypasses rate limits)
     --port=PORT              Port to listen on (default: 3456)
     --verbose, -v            Log all requests
 
-  How it works:
-    1. Run \`dario login\` to authenticate with your Claude Max/Pro subscription
-    2. Run \`dario proxy\` to start a local API server
-    3. Point any Anthropic SDK at http://localhost:3456
-
-    Example with OpenClaw, or any tool that uses the Anthropic API:
-      ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario openclaw start
+  Quick start:
+    dario login              # auto-detects Claude Code credentials
+    dario proxy              # or: dario proxy --cli --model=opus
 
-    Example with the Anthropic Python SDK:
-      import anthropic
-      client = anthropic.Anthropic(base_url="http://localhost:3456", api_key="dario")
+  Then point any Anthropic SDK at http://localhost:3456:
+    export ANTHROPIC_BASE_URL=http://localhost:3456
+    export ANTHROPIC_API_KEY=dario
 
-    Example with curl:
-      curl http://localhost:3456/v1/messages \\
-        -H "Content-Type: application/json" \\
-        -d '{"model":"claude-opus-4-6","max_tokens":1024,"messages":[{"role":"user","content":"Hello"}]}'
+  Examples:
+    curl http://localhost:3456/v1/messages \\
+      -H "Content-Type: application/json" \\
+      -H "anthropic-version: 2023-06-01" \\
+      -d '{"model":"claude-opus-4-6","max_tokens":1024,"messages":[{"role":"user","content":"Hello"}]}'
 
   Your subscription handles the billing. No API key needed.
   Tokens auto-refresh in the background — set it and forget it.

package/dist/index.d.ts

@@ -4,6 +4,6 @@
  * Use this if you want to embed dario in your own app
  * instead of running the CLI.
  */
-export { startOAuthFlow, exchangeCode, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
+export { startAutoOAuthFlow, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
 export type { OAuthTokens, CredentialsFile } from './oauth.js';
 export { startProxy } from './proxy.js';

package/dist/index.js

@@ -4,5 +4,5 @@
  * Use this if you want to embed dario in your own app
  * instead of running the CLI.
  */
-export { startOAuthFlow, exchangeCode, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
+export { startAutoOAuthFlow, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
 export { startProxy } from './proxy.js';

package/dist/oauth.d.ts

@@ -15,18 +15,10 @@ export interface CredentialsFile {
 }
 export declare function loadCredentials(): Promise<CredentialsFile | null>;
 /**
- * Start the OAuth flow. Returns the authorization URL and PKCE state
- * needed for the exchange step.
+ * Automatic OAuth flow using a local callback server (same as Claude Code).
+ * Opens browser, captures the authorization code automatically.
  */
-export declare function startOAuthFlow(): {
-    authUrl: string;
-    state: string;
-    codeVerifier: string;
-};
-/**
- * Exchange authorization code for tokens and save them.
- */
-export declare function exchangeCode(code: string, codeVerifier: string): Promise<OAuthTokens>;
+export declare function startAutoOAuthFlow(): Promise<OAuthTokens>;
 /**
  * Refresh the access token using the refresh token.
  * Retries with exponential backoff on transient failures.

package/dist/oauth.js

@@ -8,11 +8,11 @@ import { randomBytes, createHash } from 'node:crypto';
 import { readFile, writeFile, mkdir, chmod, rename } from 'node:fs/promises';
 import { dirname, join } from 'node:path';
 import { homedir } from 'node:os';
-// Claude CLI's public OAuth client (PKCE, no secret needed)
+// Claude Code's public OAuth client (PKCE, no secret needed)
 const OAUTH_CLIENT_ID = '9d1c250a-e61b-44d9-88ed-5944d1962f5e';
-const OAUTH_AUTHORIZE_URL = 'https://claude.ai/oauth/authorize';
+const OAUTH_AUTHORIZE_URL = 'https://platform.claude.com/oauth/authorize';
 const OAUTH_TOKEN_URL = 'https://platform.claude.com/v1/oauth/token';
-const OAUTH_REDIRECT_URI = 'https://platform.claude.com/oauth/code/callback';
+const OAUTH_SCOPES = 'org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload';
 // Refresh 30 min before expiry
 const REFRESH_BUFFER_MS = 30 * 60 * 1000;
 // In-memory credential cache — avoids disk reads on every request
@@ -29,31 +29,34 @@ function generatePKCE() {
     const codeChallenge = base64url(createHash('sha256').update(codeVerifier).digest());
     return { codeVerifier, codeChallenge };
 }
-function getCredentialsPath() {
+function getDarioCredentialsPath() {
     return join(homedir(), '.dario', 'credentials.json');
 }
+function getClaudeCodeCredentialsPath() {
+    return join(homedir(), '.claude', '.credentials.json');
+}
 export async function loadCredentials() {
     // Return cached if fresh
     if (credentialsCache && Date.now() - credentialsCacheTime < CACHE_TTL_MS) {
         return credentialsCache;
     }
-    try {
-        const raw = await readFile(getCredentialsPath(), 'utf-8');
-        const parsed = JSON.parse(raw);
-        // Validate structure
-        if (!parsed?.claudeAiOauth?.accessToken || !parsed?.claudeAiOauth?.refreshToken) {
-            return null;
+    // Try dario's own credentials first, then fall back to Claude Code's
+    for (const path of [getDarioCredentialsPath(), getClaudeCodeCredentialsPath()]) {
+        try {
+            const raw = await readFile(path, 'utf-8');
+            const parsed = JSON.parse(raw);
+            if (parsed?.claudeAiOauth?.accessToken && parsed?.claudeAiOauth?.refreshToken) {
+                credentialsCache = parsed;
+                credentialsCacheTime = Date.now();
+                return credentialsCache;
+            }
         }
-        credentialsCache = parsed;
-        credentialsCacheTime = Date.now();
-        return credentialsCache;
-    }
-    catch {
-        return null;
+        catch { /* try next */ }
     }
+    return null;
 }
 async function saveCredentials(creds) {
-    const path = getCredentialsPath();
+    const path = getDarioCredentialsPath();
     await mkdir(dirname(path), { recursive: true });
     // Write atomically: write to temp file, then rename
     const tmpPath = `${path}.tmp.${Date.now()}`;
@@ -69,45 +72,101 @@ async function saveCredentials(creds) {
     credentialsCacheTime = Date.now();
 }
 /**
- * Start the OAuth flow. Returns the authorization URL and PKCE state
- * needed for the exchange step.
+ * Automatic OAuth flow using a local callback server (same as Claude Code).
+ * Opens browser, captures the authorization code automatically.
  */
-export function startOAuthFlow() {
+export async function startAutoOAuthFlow() {
+    const { createServer } = await import('node:http');
     const { codeVerifier, codeChallenge } = generatePKCE();
     const state = base64url(randomBytes(16));
-    const params = new URLSearchParams({
-        response_type: 'code',
-        client_id: OAUTH_CLIENT_ID,
-        redirect_uri: OAUTH_REDIRECT_URI,
-        scope: 'user:inference user:profile',
-        state,
-        code_challenge: codeChallenge,
-        code_challenge_method: 'S256',
+    return new Promise((resolve, reject) => {
+        const server = createServer((req, res) => {
+            const url = new URL(req.url || '', `http://${req.headers.host || 'localhost'}`);
+            if (url.pathname !== '/callback') {
+                res.writeHead(404);
+                res.end();
+                return;
+            }
+            const code = url.searchParams.get('code');
+            const returnedState = url.searchParams.get('state');
+            if (!code) {
+                res.writeHead(400);
+                res.end('No authorization code received');
+                server.close();
+                reject(new Error('No authorization code received'));
+                return;
+            }
+            if (returnedState !== state) {
+                res.writeHead(400);
+                res.end('Invalid state parameter');
+                server.close();
+                reject(new Error('Invalid state parameter'));
+                return;
+            }
+            // Redirect browser to success page
+            res.writeHead(302, { Location: 'https://platform.claude.com/oauth/code/success?app=claude-code' });
+            res.end();
+            // Exchange the code for tokens
+            server.close();
+            exchangeCodeWithRedirect(code, codeVerifier, state, port)
+                .then(resolve)
+                .catch(reject);
+        });
+        let port = 0;
+        server.listen(0, 'localhost', () => {
+            const addr = server.address();
+            port = typeof addr === 'object' && addr ? addr.port : 0;
+            const params = new URLSearchParams({
+                code: 'true',
+                client_id: OAUTH_CLIENT_ID,
+                response_type: 'code',
+                redirect_uri: `http://localhost:${port}/callback`,
+                scope: OAUTH_SCOPES,
+                code_challenge: codeChallenge,
+                code_challenge_method: 'S256',
+                state,
+            });
+            const authUrl = `${OAUTH_AUTHORIZE_URL}?${params.toString()}`;
+            // Open browser
+            console.log('  Opening browser to sign in...');
+            console.log(`  If the browser didn't open, visit: ${authUrl}`);
+            console.log('');
+            // Open browser using platform-specific commands (no external deps)
+            const { exec } = require('node:child_process');
+            const cmd = process.platform === 'win32' ? `start "" "${authUrl}"`
+                : process.platform === 'darwin' ? `open "${authUrl}"`
+                    : `xdg-open "${authUrl}"`;
+            exec(cmd, () => { });
+        });
+        server.on('error', (err) => {
+            reject(new Error(`Failed to start OAuth callback server: ${err.message}`));
+        });
+        // Timeout after 5 minutes
+        setTimeout(() => {
+            server.close();
+            reject(new Error('OAuth flow timed out. Try again with `dario login`.'));
+        }, 300_000);
     });
-    return {
-        authUrl: `${OAUTH_AUTHORIZE_URL}?${params.toString()}`,
-        state,
-        codeVerifier,
-    };
 }
 /**
- * Exchange authorization code for tokens and save them.
+ * Exchange code using the localhost redirect URI.
  */
-export async function exchangeCode(code, codeVerifier) {
+async function exchangeCodeWithRedirect(code, codeVerifier, state, port) {
     const res = await fetch(OAUTH_TOKEN_URL, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-        body: new URLSearchParams({
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
             grant_type: 'authorization_code',
             client_id: OAUTH_CLIENT_ID,
             code,
-            redirect_uri: OAUTH_REDIRECT_URI,
+            redirect_uri: `http://localhost:${port}/callback`,
             code_verifier: codeVerifier,
+            state,
         }),
         signal: AbortSignal.timeout(30000),
     });
     if (!res.ok) {
-        throw new Error(`Token exchange failed (${res.status}). Check your authorization code and try again.`);
+        throw new Error(`Token exchange failed (${res.status}). Try again with \`dario login\`.`);
     }
     const data = await res.json();
     const tokens = {

package/dist/proxy.js

@@ -176,8 +176,10 @@ export async function startProxy(opts = {}) {
             res.end();
             return;
         }
+        // Strip query parameters for endpoint matching
+        const urlPath = req.url?.split('?')[0] ?? '';
         // Health check
-        if (req.url === '/health' || req.url === '/') {
+        if (urlPath === '/health' || urlPath === '/') {
             const s = await getStatus();
             res.writeHead(200, { 'Content-Type': 'application/json' });
             res.end(JSON.stringify({
@@ -189,20 +191,19 @@ export async function startProxy(opts = {}) {
             return;
         }
         // Status endpoint
-        if (req.url === '/status') {
+        if (urlPath === '/status') {
             const s = await getStatus();
             res.writeHead(200, { 'Content-Type': 'application/json' });
             res.end(JSON.stringify(s));
             return;
         }
         // Allowlisted API paths — only these are proxied (prevents SSRF)
-        const rawPath = req.url?.split('?')[0] ?? '';
         const allowedPaths = {
             '/v1/messages': `${ANTHROPIC_API}/v1/messages`,
             '/v1/models': `${ANTHROPIC_API}/v1/models`,
             '/v1/complete': `${ANTHROPIC_API}/v1/complete`,
         };
-        const targetBase = allowedPaths[rawPath];
+        const targetBase = allowedPaths[urlPath];
         if (!targetBase) {
             res.writeHead(403, { 'Content-Type': 'application/json' });
             res.end(JSON.stringify({ error: 'Forbidden', message: 'Path not allowed' }));
@@ -232,7 +233,7 @@ export async function startProxy(opts = {}) {
             }
             const body = Buffer.concat(chunks);
             // CLI backend mode: route through claude --print
-            if (useCli && rawPath === '/v1/messages' && req.method === 'POST' && body.length > 0) {
+            if (useCli && urlPath === '/v1/messages' && req.method === 'POST' && body.length > 0) {
                 const cliResult = await handleViaCli(body, modelOverride, verbose);
                 requestCount++;
                 res.writeHead(cliResult.status, {
@@ -265,6 +266,7 @@ export async function startProxy(opts = {}) {
                 'interleaved-thinking-2025-05-14',
                 'prompt-caching-scope-2026-01-05',
                 'claude-code-20250219',
+                'context-management-2025-06-27',
             ]);
             if (clientBeta) {
                 for (const flag of clientBeta.split(',')) {
@@ -280,6 +282,7 @@ export async function startProxy(opts = {}) {
                 'anthropic-version': req.headers['anthropic-version'] || '2023-06-01',
                 'anthropic-beta': [...betaFlags].join(','),
                 'anthropic-dangerous-direct-browser-access': 'true',
+                'anthropic-client-platform': 'cli',
                 'user-agent': `claude-cli/${cliVersion} (external, cli)`,
                 'x-app': 'cli',
                 'x-claude-code-session-id': SESSION_ID,
@@ -307,11 +310,11 @@ export async function startProxy(opts = {}) {
                 'Content-Type': contentType || 'application/json',
                 'Access-Control-Allow-Origin': CORS_ORIGIN,
             };
-            // Forward rate limit headers
-            for (const h of ['x-ratelimit-limit-requests', 'x-ratelimit-limit-tokens', 'x-ratelimit-remaining-requests', 'x-ratelimit-remaining-tokens', 'request-id']) {
-                const v = upstream.headers.get(h);
-                if (v)
-                    responseHeaders[h] = v;
+            // Forward rate limit headers (including unified subscription headers)
+            for (const [key, value] of upstream.headers.entries()) {
+                if (key.startsWith('x-ratelimit') || key.startsWith('anthropic-ratelimit') || key === 'request-id') {
+                    responseHeaders[key] = value;
+                }
             }
             requestCount++;
             res.writeHead(upstream.status, responseHeaders);
@@ -382,6 +385,33 @@ export async function startProxy(opts = {}) {
         console.log(`  ${modelLine}`);
         console.log('');
     });
+    // Session presence heartbeat — registers this proxy as an active Claude Code session
+    // Claude Code sends this every 5 seconds; the server uses it for priority routing
+    const clientId = randomUUID();
+    const connectedAt = new Date().toISOString();
+    let lastPresencePulse = 0;
+    const presenceInterval = setInterval(async () => {
+        const now = Date.now();
+        if (now - lastPresencePulse < 5000)
+            return;
+        lastPresencePulse = now;
+        try {
+            const token = await getAccessToken();
+            const presenceUrl = `${ANTHROPIC_API}/v1/code/sessions/${SESSION_ID}/client/presence`;
+            await fetch(presenceUrl, {
+                method: 'POST',
+                headers: {
+                    'Authorization': `Bearer ${token}`,
+                    'Content-Type': 'application/json',
+                    'anthropic-version': '2023-06-01',
+                    'anthropic-client-platform': 'cli',
+                },
+                body: JSON.stringify({ client_id: clientId, connected_at: connectedAt }),
+                signal: AbortSignal.timeout(5000),
+            }).catch(() => { });
+        }
+        catch { /* presence is best-effort */ }
+    }, 5000);
     // Periodic token refresh (every 15 minutes)
     const refreshInterval = setInterval(async () => {
         try {
@@ -398,6 +428,7 @@ export async function startProxy(opts = {}) {
     // Graceful shutdown
     const shutdown = () => {
         console.log('\n[dario] Shutting down...');
+        clearInterval(presenceInterval);
         clearInterval(refreshInterval);
         server.close(() => process.exit(0));
         // Force exit after 5s if connections don't close

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@askalf/dario",
-  "version": "1.1.3",
-  "description": "Use your Claude subscription as an API. Two commands, no API key. OAuth bridge for Claude Max/Pro.",
+  "version": "1.2.1",
+  "description": "Use your Claude subscription as an API. No API key needed. Local proxy for Claude Max/Pro subscriptions.",
   "type": "module",
   "bin": {
     "dario": "./dist/cli.js"
@@ -21,6 +21,7 @@
   ],
   "scripts": {
     "build": "tsc",
+    "audit": "npm audit --production --audit-level=high",
     "prepublishOnly": "npm run build",
     "start": "node dist/cli.js",
     "dev": "tsx src/cli.ts"
@@ -40,7 +41,7 @@
     "cli",
     "developer-tools"
   ],
-  "author": "askalf",
+  "author": "askalf (https://github.com/askalf)",
   "license": "MIT",
   "repository": {
     "type": "git",