@askalf/dario 1.2.0 → 1.2.1

package/README.md

@@ -2,10 +2,18 @@
   <h1 align="center">dario</h1>
   <p align="center"><strong>Use your Claude subscription as an API.</strong></p>
   <p align="center">
-    One command. No API key. Your Claude Max/Pro subscription becomes a local API endpoint<br/>that any tool, SDK, or framework can use.
+    No API key needed. Your Claude Max/Pro subscription becomes a local API endpoint<br/>that any tool, SDK, or framework can use.
   </p>
 </p>
 
+<p align="center">
+  <a href="https://www.npmjs.com/package/@askalf/dario"><img src="https://img.shields.io/npm/v/@askalf/dario?color=blue" alt="npm version"></a>
+  <a href="https://github.com/askalf/dario/actions/workflows/ci.yml"><img src="https://github.com/askalf/dario/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
+  <a href="https://github.com/askalf/dario/actions/workflows/codeql.yml"><img src="https://github.com/askalf/dario/actions/workflows/codeql.yml/badge.svg" alt="CodeQL"></a>
+  <a href="https://github.com/askalf/dario/blob/master/LICENSE"><img src="https://img.shields.io/npm/l/@askalf/dario" alt="License"></a>
+  <a href="https://www.npmjs.com/package/@askalf/dario"><img src="https://img.shields.io/npm/dm/@askalf/dario" alt="Downloads"></a>
+</p>
+
 <p align="center">
   <a href="#quick-start">Quick Start</a> &bull;
   <a href="#how-it-works">How It Works</a> &bull;
@@ -40,7 +48,9 @@ You pay $100-200/mo for Claude Max or Pro. But that subscription only works on c
 
 ### Prerequisites
 
-[Claude Code](https://docs.anthropic.com/en/docs/claude-code/overview) must be installed and logged in. Dario uses your existing Claude Code credentials — no separate authentication needed.
+[Claude Code](https://docs.anthropic.com/en/docs/claude-code/overview) installed and logged in (recommended). Dario detects your existing Claude Code credentials automatically.
+
+If Claude Code isn't installed, dario runs its own OAuth flow — opens your browser, you authorize, done.
 
 ### Install
 
@@ -60,9 +70,8 @@ npx @askalf/dario login
 dario login
 ```
 
-If Claude Code is installed and authenticated, dario detects your credentials automatically and starts the proxy. No browser, no OAuth flow, no pasting URLs.
-
-If Claude Code credentials aren't found, dario falls back to a manual OAuth flow.
+- **With Claude Code installed:** Detects your credentials automatically and starts the proxy. No browser needed.
+- **Without Claude Code:** Opens your browser to Claude's OAuth page. Authorize, and dario captures the token automatically via a local callback server. Then run `dario proxy` to start the server.
 
 ### Start the proxy
 
@@ -251,7 +260,7 @@ ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario your-tool-here
 └──────────┘     └─────────────────┘     └──────────────────┘
 ```
 
-1. **`dario login`** — Detects your existing Claude Code credentials (`~/.claude/.credentials.json`) and starts the proxy automatically. If Claude Code isn't installed, falls back to a manual PKCE OAuth flow.
+1. **`dario login`** — Detects your existing Claude Code credentials (`~/.claude/.credentials.json`) and starts the proxy automatically. If Claude Code isn't installed, runs a PKCE OAuth flow with a local callback server to capture the token automatically.
 
 2. **`dario proxy`** — Starts an HTTP server on localhost that implements the Anthropic Messages API. In direct mode, it swaps your API key for an OAuth bearer token. In CLI mode, it routes through the Claude Code binary.
 
@@ -321,11 +330,11 @@ curl http://localhost:3456/health
 
 | Concern | How dario handles it |
 |---------|---------------------|
-| Credential storage | Uses Claude Code's credentials or `~/.dario/credentials.json` with `0600` permissions |
+| Credential storage | Reads from Claude Code (`~/.claude/.credentials.json`) or its own store (`~/.dario/credentials.json`) with `0600` permissions |
 | OAuth flow | PKCE (Proof Key for Code Exchange) — no client secret needed |
 | Token transmission | OAuth tokens never leave localhost. Only forwarded to `api.anthropic.com` over HTTPS |
 | Network exposure | Proxy binds to `127.0.0.1` only — not accessible from other machines |
-| SSRF protection | Allowlisted API paths only. Internal networks and cloud metadata blocked |
+| SSRF protection | Hardcoded allowlist of API paths — only `/v1/messages`, `/v1/models`, `/v1/complete` are proxied |
 | Token rotation | Refresh tokens rotate on every use (single-use) |
 | Error sanitization | Token patterns redacted from all error messages |
 | Data collection | Zero. No telemetry, no analytics, no phoning home |
@@ -342,7 +351,7 @@ Claude Max and Claude Pro. Any plan that lets you use Claude Code.
 Should work if your plan includes Claude Code access. Not tested yet — please open an issue with results.
 
 **Do I need Claude Code installed?**
-Yes. Dario reads your Claude Code credentials for authentication. Run `claude` to install and log in, then `dario login` picks up your credentials automatically.
+Recommended but not required. If Claude Code is installed and logged in, `dario login` picks up your credentials automatically. Without Claude Code, dario runs its own OAuth flow to authenticate directly. Note: `--cli` mode requires Claude Code (`npm install -g @anthropic-ai/claude-code`).
 
 **What happens when my token expires?**
 Dario auto-refreshes tokens 30 minutes before expiry. You should never see an auth error in normal use. If something goes wrong, `dario refresh` forces an immediate refresh.
@@ -354,7 +363,7 @@ Use `--cli` mode: `dario proxy --cli`. This routes through the Claude Code binar
 Claude subscriptions have rolling 5-hour and 7-day usage windows shared across claude.ai and Claude Code. See [Anthropic's docs](https://support.claude.com/en/articles/11647753-how-do-usage-and-length-limits-work) for details. In Claude Code, use `/usage` to check your current limits, or configure the [statusline](https://code.claude.com/docs/en/statusline) to show real-time 5h and 7d utilization percentages.
 
 **Can I run this on a server?**
-Dario binds to localhost by default. For server use, you'd need to handle the initial Claude Code login on a machine with a browser, then copy `~/.claude/.credentials.json` to your server. Auto-refresh will keep it alive from there.
+Dario binds to localhost by default. For server use, you'd need to handle the initial login on a machine with a browser, then copy `~/.claude/.credentials.json` (or `~/.dario/credentials.json`) to your server. Auto-refresh will keep it alive from there.
 
 **Why "dario"?**
 Named after [Dario Amodei](https://en.wikipedia.org/wiki/Dario_Amodei), CEO of Anthropic.
@@ -380,13 +389,39 @@ const status = await getStatus();
 console.log(status.expiresIn); // "11h 42m"
 ```
 
+## Trust & Transparency
+
+Dario handles your OAuth tokens. Here's why you can trust it:
+
+| Signal | Status |
+|--------|--------|
+| **Source code** | ~1000 lines of TypeScript — small enough to read in one sitting |
+| **Dependencies** | 1 production dep (`@anthropic-ai/sdk`). Verify: `npm ls --production` |
+| **npm provenance** | Every release is [SLSA attested](https://www.npmjs.com/package/@askalf/dario) via GitHub Actions |
+| **Security scanning** | [CodeQL](https://github.com/askalf/dario/actions/workflows/codeql.yml) runs on every push and weekly |
+| **Credential handling** | Tokens never logged, redacted from errors, stored with 0600 permissions |
+| **Network scope** | Binds to 127.0.0.1 only. Upstream traffic goes exclusively to `api.anthropic.com` over HTTPS |
+| **No telemetry** | Zero analytics, tracking, or data collection of any kind |
+| **Audit trail** | [CHANGELOG.md](CHANGELOG.md) documents every release |
+| **Branch protection** | CI must pass before merge. CODEOWNERS enforces review |
+
+Verify the npm package matches this repo:
+
+```bash
+# Check provenance attestation
+npm audit signatures 2>/dev/null; npm view @askalf/dario dist.integrity
+
+# Check dependency tree (should be minimal)
+cd $(npm root -g)/@askalf/dario && npm ls --production
+```
+
 ## Contributing
 
-PRs welcome. The codebase is ~700 lines of TypeScript across 4 files:
+PRs welcome. The codebase is ~1000 lines of TypeScript across 4 files:
 
 | File | Purpose |
 |------|---------|
-| `src/oauth.ts` | Token storage, refresh logic, Claude Code credential detection |
+| `src/oauth.ts` | Token storage, refresh logic, Claude Code credential detection, auto OAuth flow |
 | `src/proxy.ts` | HTTP proxy server + CLI backend |
 | `src/cli.ts` | CLI entry point |
 | `src/index.ts` | Library exports |

package/dist/cli.js

@@ -9,23 +9,13 @@
  *   dario refresh   — Force token refresh
  *   dario logout    — Remove saved credentials
  */
-import { createInterface } from 'node:readline';
 import { readFile, unlink } from 'node:fs/promises';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
-import { startOAuthFlow, exchangeCode, getStatus, refreshTokens } from './oauth.js';
+import { startAutoOAuthFlow, getStatus, refreshTokens } from './oauth.js';
 import { startProxy } from './proxy.js';
 const args = process.argv.slice(2);
 const command = args[0] ?? (process.stdin.isTTY ? 'proxy' : 'proxy');
-function ask(question) {
-    const rl = createInterface({ input: process.stdin, output: process.stdout });
-    return new Promise(resolve => {
-        rl.question(question, answer => {
-            rl.close();
-            resolve(answer.trim());
-        });
-    });
-}
 async function login() {
     console.log('');
     console.log('  dario — Claude Login');
@@ -49,38 +39,9 @@ async function login() {
     catch { /* no Claude Code credentials, fall through to OAuth */ }
     console.log('  No Claude Code credentials found. Starting OAuth flow...');
     console.log('');
-    const { authUrl, codeVerifier } = startOAuthFlow();
-    console.log('  Step 1: Open this URL in your browser:');
-    console.log('');
-    console.log(`  ${authUrl}`);
-    console.log('');
-    console.log('  Step 2: Log in to your Claude account and authorize.');
-    console.log('');
-    console.log('  Step 3: After authorization, you\'ll be redirected to a page');
-    console.log('  that shows a code. Copy the FULL URL from your browser\'s');
-    console.log('  address bar (it contains the authorization code).');
-    console.log('');
-    const input = await ask('  Paste the redirect URL or authorization code: ');
-    // Extract code from URL or use raw input
-    let code = input;
-    try {
-        const url = new URL(input);
-        // Only extract from trusted Anthropic redirect URLs
-        if (url.hostname === 'platform.claude.com' || url.hostname === 'claude.ai') {
-            code = url.searchParams.get('code') ?? input;
-        }
-    }
-    catch {
-        // Not a URL, use as-is (raw code)
-    }
-    if (!code || code.length < 10 || code.length > 2048) {
-        console.error('  Invalid authorization code.');
-        process.exit(1);
-    }
     try {
-        const tokens = await exchangeCode(code, codeVerifier);
+        const tokens = await startAutoOAuthFlow();
         const expiresIn = Math.round((tokens.expiresAt - Date.now()) / 60000);
-        console.log('');
         console.log('  Login successful!');
         console.log(`  Token expires in ${expiresIn} minutes (auto-refreshes).`);
         console.log('');
@@ -160,7 +121,7 @@ async function help() {
   dario — Use your Claude subscription as an API.
 
   Usage:
-    dario login              Authenticate with your Claude account
+    dario login              Detect credentials + start proxy (or run OAuth)
     dario proxy [options]    Start the API proxy server
     dario status             Check authentication status
     dario refresh            Force token refresh
@@ -169,27 +130,25 @@ async function help() {
   Proxy options:
     --model=MODEL            Force a model for all requests
                              Shortcuts: opus, sonnet, haiku
+                             Full IDs: claude-opus-4-6, claude-sonnet-4-6
                              Default: passthrough (client decides)
     --cli                    Use Claude CLI as backend (bypasses rate limits)
     --port=PORT              Port to listen on (default: 3456)
     --verbose, -v            Log all requests
 
-  How it works:
-    1. Run \`dario login\` to authenticate with your Claude Max/Pro subscription
-    2. Run \`dario proxy\` to start a local API server
-    3. Point any Anthropic SDK at http://localhost:3456
-
-    Example with OpenClaw, or any tool that uses the Anthropic API:
-      ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario openclaw start
+  Quick start:
+    dario login              # auto-detects Claude Code credentials
+    dario proxy              # or: dario proxy --cli --model=opus
 
-    Example with the Anthropic Python SDK:
-      import anthropic
-      client = anthropic.Anthropic(base_url="http://localhost:3456", api_key="dario")
+  Then point any Anthropic SDK at http://localhost:3456:
+    export ANTHROPIC_BASE_URL=http://localhost:3456
+    export ANTHROPIC_API_KEY=dario
 
-    Example with curl:
-      curl http://localhost:3456/v1/messages \\
-        -H "Content-Type: application/json" \\
-        -d '{"model":"claude-opus-4-6","max_tokens":1024,"messages":[{"role":"user","content":"Hello"}]}'
+  Examples:
+    curl http://localhost:3456/v1/messages \\
+      -H "Content-Type: application/json" \\
+      -H "anthropic-version: 2023-06-01" \\
+      -d '{"model":"claude-opus-4-6","max_tokens":1024,"messages":[{"role":"user","content":"Hello"}]}'
 
   Your subscription handles the billing. No API key needed.
   Tokens auto-refresh in the background — set it and forget it.

package/dist/index.d.ts

@@ -4,6 +4,6 @@
  * Use this if you want to embed dario in your own app
  * instead of running the CLI.
  */
-export { startOAuthFlow, exchangeCode, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
+export { startAutoOAuthFlow, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
 export type { OAuthTokens, CredentialsFile } from './oauth.js';
 export { startProxy } from './proxy.js';

package/dist/index.js

@@ -4,5 +4,5 @@
  * Use this if you want to embed dario in your own app
  * instead of running the CLI.
  */
-export { startOAuthFlow, exchangeCode, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
+export { startAutoOAuthFlow, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
 export { startProxy } from './proxy.js';

package/dist/oauth.d.ts

@@ -15,18 +15,10 @@ export interface CredentialsFile {
 }
 export declare function loadCredentials(): Promise<CredentialsFile | null>;
 /**
- * Start the OAuth flow. Returns the authorization URL and PKCE state
- * needed for the exchange step.
+ * Automatic OAuth flow using a local callback server (same as Claude Code).
+ * Opens browser, captures the authorization code automatically.
  */
-export declare function startOAuthFlow(): {
-    authUrl: string;
-    state: string;
-    codeVerifier: string;
-};
-/**
- * Exchange authorization code for tokens and save them.
- */
-export declare function exchangeCode(code: string, codeVerifier: string): Promise<OAuthTokens>;
+export declare function startAutoOAuthFlow(): Promise<OAuthTokens>;
 /**
  * Refresh the access token using the refresh token.
  * Retries with exponential backoff on transient failures.

package/dist/oauth.js

@@ -12,7 +12,7 @@ import { homedir } from 'node:os';
 const OAUTH_CLIENT_ID = '9d1c250a-e61b-44d9-88ed-5944d1962f5e';
 const OAUTH_AUTHORIZE_URL = 'https://platform.claude.com/oauth/authorize';
 const OAUTH_TOKEN_URL = 'https://platform.claude.com/v1/oauth/token';
-const OAUTH_REDIRECT_URI = 'https://platform.claude.com/oauth/code/callback';
+const OAUTH_SCOPES = 'org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload';
 // Refresh 30 min before expiry
 const REFRESH_BUFFER_MS = 30 * 60 * 1000;
 // In-memory credential cache — avoids disk reads on every request
@@ -72,46 +72,101 @@ async function saveCredentials(creds) {
     credentialsCacheTime = Date.now();
 }
 /**
- * Start the OAuth flow. Returns the authorization URL and PKCE state
- * needed for the exchange step.
+ * Automatic OAuth flow using a local callback server (same as Claude Code).
+ * Opens browser, captures the authorization code automatically.
  */
-export function startOAuthFlow() {
+export async function startAutoOAuthFlow() {
+    const { createServer } = await import('node:http');
     const { codeVerifier, codeChallenge } = generatePKCE();
     const state = base64url(randomBytes(16));
-    const params = new URLSearchParams({
-        code: 'true',
-        client_id: OAUTH_CLIENT_ID,
-        response_type: 'code',
-        redirect_uri: OAUTH_REDIRECT_URI,
-        scope: 'org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload',
-        code_challenge: codeChallenge,
-        code_challenge_method: 'S256',
-        state,
+    return new Promise((resolve, reject) => {
+        const server = createServer((req, res) => {
+            const url = new URL(req.url || '', `http://${req.headers.host || 'localhost'}`);
+            if (url.pathname !== '/callback') {
+                res.writeHead(404);
+                res.end();
+                return;
+            }
+            const code = url.searchParams.get('code');
+            const returnedState = url.searchParams.get('state');
+            if (!code) {
+                res.writeHead(400);
+                res.end('No authorization code received');
+                server.close();
+                reject(new Error('No authorization code received'));
+                return;
+            }
+            if (returnedState !== state) {
+                res.writeHead(400);
+                res.end('Invalid state parameter');
+                server.close();
+                reject(new Error('Invalid state parameter'));
+                return;
+            }
+            // Redirect browser to success page
+            res.writeHead(302, { Location: 'https://platform.claude.com/oauth/code/success?app=claude-code' });
+            res.end();
+            // Exchange the code for tokens
+            server.close();
+            exchangeCodeWithRedirect(code, codeVerifier, state, port)
+                .then(resolve)
+                .catch(reject);
+        });
+        let port = 0;
+        server.listen(0, 'localhost', () => {
+            const addr = server.address();
+            port = typeof addr === 'object' && addr ? addr.port : 0;
+            const params = new URLSearchParams({
+                code: 'true',
+                client_id: OAUTH_CLIENT_ID,
+                response_type: 'code',
+                redirect_uri: `http://localhost:${port}/callback`,
+                scope: OAUTH_SCOPES,
+                code_challenge: codeChallenge,
+                code_challenge_method: 'S256',
+                state,
+            });
+            const authUrl = `${OAUTH_AUTHORIZE_URL}?${params.toString()}`;
+            // Open browser
+            console.log('  Opening browser to sign in...');
+            console.log(`  If the browser didn't open, visit: ${authUrl}`);
+            console.log('');
+            // Open browser using platform-specific commands (no external deps)
+            const { exec } = require('node:child_process');
+            const cmd = process.platform === 'win32' ? `start "" "${authUrl}"`
+                : process.platform === 'darwin' ? `open "${authUrl}"`
+                    : `xdg-open "${authUrl}"`;
+            exec(cmd, () => { });
+        });
+        server.on('error', (err) => {
+            reject(new Error(`Failed to start OAuth callback server: ${err.message}`));
+        });
+        // Timeout after 5 minutes
+        setTimeout(() => {
+            server.close();
+            reject(new Error('OAuth flow timed out. Try again with `dario login`.'));
+        }, 300_000);
     });
-    return {
-        authUrl: `${OAUTH_AUTHORIZE_URL}?${params.toString()}`,
-        state,
-        codeVerifier,
-    };
 }
 /**
- * Exchange authorization code for tokens and save them.
+ * Exchange code using the localhost redirect URI.
  */
-export async function exchangeCode(code, codeVerifier) {
+async function exchangeCodeWithRedirect(code, codeVerifier, state, port) {
     const res = await fetch(OAUTH_TOKEN_URL, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-        body: new URLSearchParams({
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
             grant_type: 'authorization_code',
             client_id: OAUTH_CLIENT_ID,
             code,
-            redirect_uri: OAUTH_REDIRECT_URI,
+            redirect_uri: `http://localhost:${port}/callback`,
             code_verifier: codeVerifier,
+            state,
         }),
         signal: AbortSignal.timeout(30000),
     });
     if (!res.ok) {
-        throw new Error(`Token exchange failed (${res.status}). Check your authorization code and try again.`);
+        throw new Error(`Token exchange failed (${res.status}). Try again with \`dario login\`.`);
     }
     const data = await res.json();
     const tokens = {

package/dist/proxy.js

@@ -176,8 +176,10 @@ export async function startProxy(opts = {}) {
             res.end();
             return;
         }
+        // Strip query parameters for endpoint matching
+        const urlPath = req.url?.split('?')[0] ?? '';
         // Health check
-        if (req.url === '/health' || req.url === '/') {
+        if (urlPath === '/health' || urlPath === '/') {
             const s = await getStatus();
             res.writeHead(200, { 'Content-Type': 'application/json' });
             res.end(JSON.stringify({
@@ -189,20 +191,19 @@ export async function startProxy(opts = {}) {
             return;
         }
         // Status endpoint
-        if (req.url === '/status') {
+        if (urlPath === '/status') {
             const s = await getStatus();
             res.writeHead(200, { 'Content-Type': 'application/json' });
             res.end(JSON.stringify(s));
             return;
         }
         // Allowlisted API paths — only these are proxied (prevents SSRF)
-        const rawPath = req.url?.split('?')[0] ?? '';
         const allowedPaths = {
             '/v1/messages': `${ANTHROPIC_API}/v1/messages`,
             '/v1/models': `${ANTHROPIC_API}/v1/models`,
             '/v1/complete': `${ANTHROPIC_API}/v1/complete`,
         };
-        const targetBase = allowedPaths[rawPath];
+        const targetBase = allowedPaths[urlPath];
         if (!targetBase) {
             res.writeHead(403, { 'Content-Type': 'application/json' });
             res.end(JSON.stringify({ error: 'Forbidden', message: 'Path not allowed' }));
@@ -232,7 +233,7 @@ export async function startProxy(opts = {}) {
             }
             const body = Buffer.concat(chunks);
             // CLI backend mode: route through claude --print
-            if (useCli && rawPath === '/v1/messages' && req.method === 'POST' && body.length > 0) {
+            if (useCli && urlPath === '/v1/messages' && req.method === 'POST' && body.length > 0) {
                 const cliResult = await handleViaCli(body, modelOverride, verbose);
                 requestCount++;
                 res.writeHead(cliResult.status, {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@askalf/dario",
-  "version": "1.2.0",
-  "description": "Use your Claude subscription as an API. Two commands, no API key. OAuth bridge for Claude Max/Pro.",
+  "version": "1.2.1",
+  "description": "Use your Claude subscription as an API. No API key needed. Local proxy for Claude Max/Pro subscriptions.",
   "type": "module",
   "bin": {
     "dario": "./dist/cli.js"
@@ -21,6 +21,7 @@
   ],
   "scripts": {
     "build": "tsc",
+    "audit": "npm audit --production --audit-level=high",
     "prepublishOnly": "npm run build",
     "start": "node dist/cli.js",
     "dev": "tsx src/cli.ts"
@@ -40,7 +41,7 @@
     "cli",
     "developer-tools"
   ],
-  "author": "askalf",
+  "author": "askalf (https://github.com/askalf)",
   "license": "MIT",
   "repository": {
     "type": "git",