@askalf/dario 2.0.0 → 2.1.0

package/README.md

@@ -159,34 +159,18 @@ dario proxy --cli --model=opus
 
 ## OpenAI Compatibility
 
-Dario speaks both Anthropic and OpenAI API formats. Any tool built for OpenAI works with your Claude subscription — Cursor, Continue, LiteLLM, anything.
+Dario implements `/v1/chat/completions` — any tool built for the OpenAI API works with your Claude subscription. No code changes needed.
 
 ```bash
-# Use with any OpenAI SDK or tool
+dario proxy --model=opus
+
 export OPENAI_BASE_URL=http://localhost:3456/v1
 export OPENAI_API_KEY=dario
-```
-
-```python
-from openai import OpenAI
 
-client = OpenAI(base_url="http://localhost:3456/v1", api_key="dario")
-response = client.chat.completions.create(
-    model="claude-opus-4-6",  # or use "gpt-4" — auto-maps to Opus
-    messages=[{"role": "user", "content": "Hello!"}]
-)
+# Cursor, Continue, LiteLLM, any OpenAI SDK — all work
 ```
 
-Model mapping (automatic):
-
-| OpenAI model | Maps to |
-|---|---|
-| `gpt-4`, `gpt-4o`, `o1`, `o3` | `claude-opus-4-6` |
-| `o1-mini`, `o3-mini` | `claude-sonnet-4-6` |
-| `gpt-3.5-turbo`, `gpt-4o-mini` | `claude-haiku-4-5` |
-| Any `claude-*` model | Passed through directly |
-
-Streaming, system prompts, temperature, and stop sequences all translate automatically.
+Use `--model=opus` to force the model regardless of what the client sends. Or pass `claude-opus-4-6` as the model name directly — Claude model names work as-is.
 
 ## Usage Examples
 

package/dist/cli.js

@@ -13,9 +13,9 @@ import { readFile, unlink } from 'node:fs/promises';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
 import { startAutoOAuthFlow, getStatus, refreshTokens } from './oauth.js';
-import { startProxy } from './proxy.js';
+import { startProxy, sanitizeError } from './proxy.js';
 const args = process.argv.slice(2);
-const command = args[0] ?? (process.stdin.isTTY ? 'proxy' : 'proxy');
+const command = args[0] ?? 'proxy';
 async function login() {
     console.log('');
     console.log('  dario — Claude Login');
@@ -50,7 +50,7 @@ async function login() {
     }
     catch (err) {
         console.error('');
-        console.error(`  Login failed: ${err instanceof Error ? err.message : err}`);
+        console.error(`  Login failed: ${sanitizeError(err)}`);
         console.error('  Try again with `dario login`.');
         process.exit(1);
     }
@@ -89,7 +89,7 @@ async function refresh() {
         console.log(`[dario] Token refreshed. Expires in ${expiresIn} minutes.`);
     }
     catch (err) {
-        console.error(`[dario] Refresh failed: ${err instanceof Error ? err.message : err}`);
+        console.error(`[dario] Refresh failed: ${sanitizeError(err)}`);
         process.exit(1);
     }
 }
@@ -172,7 +172,6 @@ if (!handler) {
     process.exit(1);
 }
 handler().catch(err => {
-    const msg = err instanceof Error ? err.message : String(err);
-    console.error('Fatal error:', msg.replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]'));
+    console.error('Fatal error:', sanitizeError(err));
     process.exit(1);
 });

package/dist/index.d.ts

@@ -6,4 +6,4 @@
  */
 export { startAutoOAuthFlow, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
 export type { OAuthTokens, CredentialsFile } from './oauth.js';
-export { startProxy } from './proxy.js';
+export { startProxy, sanitizeError } from './proxy.js';

package/dist/index.js

@@ -5,4 +5,4 @@
  * instead of running the CLI.
  */
 export { startAutoOAuthFlow, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
-export { startProxy } from './proxy.js';
+export { startProxy, sanitizeError } from './proxy.js';

package/dist/proxy.d.ts

@@ -13,5 +13,6 @@ interface ProxyOptions {
     model?: string;
     cliBackend?: boolean;
 }
+export declare function sanitizeError(err: unknown): string;
 export declare function startProxy(opts?: ProxyOptions): Promise<void>;
 export {};

package/dist/proxy.js

@@ -8,7 +8,7 @@
  * No API key needed — your Claude subscription pays for it.
  */
 import { createServer } from 'node:http';
-import { randomUUID } from 'node:crypto';
+import { randomUUID, timingSafeEqual } from 'node:crypto';
 import { execSync, spawn } from 'node:child_process';
 import { arch, platform, version as nodeVersion } from 'node:process';
 import { getAccessToken, getStatus } from './oauth.js';
@@ -17,7 +17,6 @@ const DEFAULT_PORT = 3456;
 const MAX_BODY_BYTES = 10 * 1024 * 1024; // 10 MB — generous for large prompts, prevents abuse
 const UPSTREAM_TIMEOUT_MS = 300_000; // 5 min — matches Anthropic SDK default
 const LOCALHOST = '127.0.0.1';
-const CORS_ORIGIN = 'http://localhost';
 // Detect installed Claude Code version at startup
 function detectClaudeVersion() {
     try {
@@ -57,16 +56,20 @@ const MODEL_ALIASES = {
 };
 // OpenAI model name → Anthropic model name
 const OPENAI_MODEL_MAP = {
-    'gpt-4': 'claude-opus-4-6',
+    'gpt-4.1': 'claude-opus-4-6',
+    'gpt-4.1-mini': 'claude-sonnet-4-6',
+    'gpt-4.1-nano': 'claude-haiku-4-5',
     'gpt-4o': 'claude-opus-4-6',
-    'gpt-4-turbo': 'claude-opus-4-6',
     'gpt-4o-mini': 'claude-haiku-4-5',
+    'gpt-4-turbo': 'claude-opus-4-6',
+    'gpt-4': 'claude-opus-4-6',
     'gpt-3.5-turbo': 'claude-haiku-4-5',
-    'o1': 'claude-opus-4-6',
-    'o1-mini': 'claude-sonnet-4-6',
-    'o1-preview': 'claude-opus-4-6',
     'o3': 'claude-opus-4-6',
     'o3-mini': 'claude-sonnet-4-6',
+    'o4-mini': 'claude-sonnet-4-6',
+    'o1': 'claude-opus-4-6',
+    'o1-mini': 'claude-sonnet-4-6',
+    'o1-pro': 'claude-opus-4-6',
 };
 /**
  * Translate OpenAI chat completion request → Anthropic Messages request.
@@ -177,10 +180,13 @@ function openaiModelsList() {
         })),
     };
 }
-function sanitizeError(err) {
+export function sanitizeError(err) {
     const msg = err instanceof Error ? err.message : String(err);
-    // Never leak tokens in error messages
-    return msg.replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]');
+    // Never leak tokens, JWTs, or bearer values in error messages
+    return msg
+        .replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]')
+        .replace(/eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g, '[REDACTED_JWT]')
+        .replace(/Bearer\s+[a-zA-Z0-9_-]+/gi, 'Bearer [REDACTED]');
 }
 /**
  * CLI Backend: route requests through `claude --print` instead of direct API.
@@ -286,11 +292,28 @@ export async function startProxy(opts = {}) {
     const useCli = opts.cliBackend ?? false;
     let requestCount = 0;
     let tokenCostEstimate = 0;
+    // Optional proxy authentication
+    const apiKey = process.env.DARIO_API_KEY;
+    const corsOrigin = `http://localhost:${port}`;
+    function checkAuth(req) {
+        if (!apiKey)
+            return true; // no key set = open access
+        const provided = req.headers['x-api-key']
+            || req.headers.authorization?.replace(/^Bearer\s+/i, '');
+        if (!provided)
+            return false;
+        try {
+            return timingSafeEqual(Buffer.from(provided), Buffer.from(apiKey));
+        }
+        catch {
+            return false;
+        }
+    }
     const server = createServer(async (req, res) => {
         // CORS preflight
         if (req.method === 'OPTIONS') {
             res.writeHead(204, {
-                'Access-Control-Allow-Origin': CORS_ORIGIN,
+                'Access-Control-Allow-Origin': corsOrigin,
                 'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
                 'Access-Control-Allow-Headers': 'Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta',
                 'Access-Control-Max-Age': '86400',
@@ -312,6 +335,12 @@ export async function startProxy(opts = {}) {
             }));
             return;
         }
+        // Auth gate — everything below health requires auth when DARIO_API_KEY is set
+        if (!checkAuth(req)) {
+            res.writeHead(401, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' }));
+            return;
+        }
         // Status endpoint
         if (urlPath === '/status') {
             const s = await getStatus();
@@ -322,7 +351,7 @@ export async function startProxy(opts = {}) {
         // OpenAI-compatible models list
         if (urlPath === '/v1/models' && req.method === 'GET') {
             requestCount++;
-            res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': CORS_ORIGIN });
+            res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': corsOrigin });
             res.end(JSON.stringify(openaiModelsList()));
             return;
         }
@@ -368,7 +397,7 @@ export async function startProxy(opts = {}) {
                 requestCount++;
                 res.writeHead(cliResult.status, {
                     'Content-Type': cliResult.contentType,
-                    'Access-Control-Allow-Origin': CORS_ORIGIN,
+                    'Access-Control-Allow-Origin': corsOrigin,
                 });
                 res.end(cliResult.body);
                 return;
@@ -447,7 +476,7 @@ export async function startProxy(opts = {}) {
             // Forward response headers
             const responseHeaders = {
                 'Content-Type': contentType || 'application/json',
-                'Access-Control-Allow-Origin': CORS_ORIGIN,
+                'Access-Control-Allow-Origin': corsOrigin,
             };
             // Forward rate limit headers (including unified subscription headers)
             for (const [key, value] of upstream.headers.entries()) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "Use your Claude subscription as an API. No API key needed. Local proxy for Claude Max/Pro subscriptions.",
   "type": "module",
   "bin": {