@askalf/dario 2.0.0 → 2.1.1

package/README.md

@@ -27,12 +27,12 @@
 ```bash
 npx @askalf/dario login   # detects Claude Code credentials, starts proxy
 
-# now use it from anywhere
-export ANTHROPIC_BASE_URL=http://localhost:3456
-export ANTHROPIC_API_KEY=dario
+# now use it from anywhere — Anthropic or OpenAI SDK
+export ANTHROPIC_BASE_URL=http://localhost:3456   # or OPENAI_BASE_URL=http://localhost:3456/v1
+export ANTHROPIC_API_KEY=dario                    # or OPENAI_API_KEY=dario
 ```
 
-That's it. Any tool that speaks the Anthropic API now uses your subscription.
+Opus, Sonnet, Haiku — all models, streaming, tool use. Works with OpenClaw, Cursor, Continue, Aider, Hermes, or any tool that speaks the Anthropic or OpenAI API. When rate limited, `--cli` routes through Claude Code for uninterrupted Opus access.
 
 ---
 
@@ -88,6 +88,7 @@ Usage:
   ANTHROPIC_BASE_URL=http://localhost:3456
   ANTHROPIC_API_KEY=dario
 
+Auth: open (no DARIO_API_KEY set)
 OAuth: healthy (expires in 11h 42m)
 Model: passthrough (client decides)
 ```
@@ -159,34 +160,18 @@ dario proxy --cli --model=opus
 
 ## OpenAI Compatibility
 
-Dario speaks both Anthropic and OpenAI API formats. Any tool built for OpenAI works with your Claude subscription — Cursor, Continue, LiteLLM, anything.
+Dario implements `/v1/chat/completions` — any tool built for the OpenAI API works with your Claude subscription. No code changes needed.
 
 ```bash
-# Use with any OpenAI SDK or tool
+dario proxy --model=opus
+
 export OPENAI_BASE_URL=http://localhost:3456/v1
 export OPENAI_API_KEY=dario
-```
-
-```python
-from openai import OpenAI
 
-client = OpenAI(base_url="http://localhost:3456/v1", api_key="dario")
-response = client.chat.completions.create(
-    model="claude-opus-4-6",  # or use "gpt-4" — auto-maps to Opus
-    messages=[{"role": "user", "content": "Hello!"}]
-)
+# Cursor, Continue, LiteLLM, any OpenAI SDK — all work
 ```
 
-Model mapping (automatic):
-
-| OpenAI model | Maps to |
-|---|---|
-| `gpt-4`, `gpt-4o`, `o1`, `o3` | `claude-opus-4-6` |
-| `o1-mini`, `o3-mini` | `claude-sonnet-4-6` |
-| `gpt-3.5-turbo`, `gpt-4o-mini` | `claude-haiku-4-5` |
-| Any `claude-*` model | Passed through directly |
-
-Streaming, system prompts, temperature, and stop sequences all translate automatically.
+Use `--model=opus` to force the model regardless of what the client sends. Or pass `claude-opus-4-6` as the model name directly — Claude model names work as-is.
 
 ## Usage Examples
 
@@ -310,12 +295,13 @@ ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario your-tool-here
 
 ### Proxy Options
 
-| Flag | Description | Default |
-|------|-------------|---------|
+| Flag/Env | Description | Default |
+|----------|-------------|---------|
 | `--cli` | Use Claude CLI as backend (bypasses rate limits) | off |
 | `--model=MODEL` | Force a model (`opus`, `sonnet`, `haiku`, or full ID) | passthrough |
 | `--port=PORT` | Port to listen on | `3456` |
 | `--verbose` / `-v` | Log every request | off |
+| `DARIO_API_KEY` | If set, all endpoints (except `/health`) require matching `x-api-key` header or `Authorization: Bearer` header | unset (open) |
 
 ## Supported Features
 

package/dist/cli.js

@@ -13,9 +13,9 @@ import { readFile, unlink } from 'node:fs/promises';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
 import { startAutoOAuthFlow, getStatus, refreshTokens } from './oauth.js';
-import { startProxy } from './proxy.js';
+import { startProxy, sanitizeError } from './proxy.js';
 const args = process.argv.slice(2);
-const command = args[0] ?? (process.stdin.isTTY ? 'proxy' : 'proxy');
+const command = args[0] ?? 'proxy';
 async function login() {
     console.log('');
     console.log('  dario — Claude Login');
@@ -50,7 +50,7 @@ async function login() {
     }
     catch (err) {
         console.error('');
-        console.error(`  Login failed: ${err instanceof Error ? err.message : err}`);
+        console.error(`  Login failed: ${sanitizeError(err)}`);
         console.error('  Try again with `dario login`.');
         process.exit(1);
     }
@@ -89,7 +89,7 @@ async function refresh() {
         console.log(`[dario] Token refreshed. Expires in ${expiresIn} minutes.`);
     }
     catch (err) {
-        console.error(`[dario] Refresh failed: ${err instanceof Error ? err.message : err}`);
+        console.error(`[dario] Refresh failed: ${sanitizeError(err)}`);
         process.exit(1);
     }
 }
@@ -172,7 +172,6 @@ if (!handler) {
     process.exit(1);
 }
 handler().catch(err => {
-    const msg = err instanceof Error ? err.message : String(err);
-    console.error('Fatal error:', msg.replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]'));
+    console.error('Fatal error:', sanitizeError(err));
     process.exit(1);
 });

package/dist/index.d.ts

@@ -6,4 +6,4 @@
  */
 export { startAutoOAuthFlow, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
 export type { OAuthTokens, CredentialsFile } from './oauth.js';
-export { startProxy } from './proxy.js';
+export { startProxy, sanitizeError } from './proxy.js';

package/dist/index.js

@@ -5,4 +5,4 @@
  * instead of running the CLI.
  */
 export { startAutoOAuthFlow, refreshTokens, getAccessToken, getStatus, loadCredentials } from './oauth.js';
-export { startProxy } from './proxy.js';
+export { startProxy, sanitizeError } from './proxy.js';

package/dist/proxy.d.ts

@@ -13,5 +13,6 @@ interface ProxyOptions {
     model?: string;
     cliBackend?: boolean;
 }
+export declare function sanitizeError(err: unknown): string;
 export declare function startProxy(opts?: ProxyOptions): Promise<void>;
 export {};

package/dist/proxy.js

@@ -8,7 +8,7 @@
  * No API key needed — your Claude subscription pays for it.
  */
 import { createServer } from 'node:http';
-import { randomUUID } from 'node:crypto';
+import { randomUUID, timingSafeEqual } from 'node:crypto';
 import { execSync, spawn } from 'node:child_process';
 import { arch, platform, version as nodeVersion } from 'node:process';
 import { getAccessToken, getStatus } from './oauth.js';
@@ -17,7 +17,6 @@ const DEFAULT_PORT = 3456;
 const MAX_BODY_BYTES = 10 * 1024 * 1024; // 10 MB — generous for large prompts, prevents abuse
 const UPSTREAM_TIMEOUT_MS = 300_000; // 5 min — matches Anthropic SDK default
 const LOCALHOST = '127.0.0.1';
-const CORS_ORIGIN = 'http://localhost';
 // Detect installed Claude Code version at startup
 function detectClaudeVersion() {
     try {
@@ -57,16 +56,20 @@ const MODEL_ALIASES = {
 };
 // OpenAI model name → Anthropic model name
 const OPENAI_MODEL_MAP = {
-    'gpt-4': 'claude-opus-4-6',
+    'gpt-4.1': 'claude-opus-4-6',
+    'gpt-4.1-mini': 'claude-sonnet-4-6',
+    'gpt-4.1-nano': 'claude-haiku-4-5',
     'gpt-4o': 'claude-opus-4-6',
-    'gpt-4-turbo': 'claude-opus-4-6',
     'gpt-4o-mini': 'claude-haiku-4-5',
+    'gpt-4-turbo': 'claude-opus-4-6',
+    'gpt-4': 'claude-opus-4-6',
     'gpt-3.5-turbo': 'claude-haiku-4-5',
-    'o1': 'claude-opus-4-6',
-    'o1-mini': 'claude-sonnet-4-6',
-    'o1-preview': 'claude-opus-4-6',
     'o3': 'claude-opus-4-6',
     'o3-mini': 'claude-sonnet-4-6',
+    'o4-mini': 'claude-sonnet-4-6',
+    'o1': 'claude-opus-4-6',
+    'o1-mini': 'claude-sonnet-4-6',
+    'o1-pro': 'claude-opus-4-6',
 };
 /**
  * Translate OpenAI chat completion request → Anthropic Messages request.
@@ -177,10 +180,13 @@ function openaiModelsList() {
         })),
     };
 }
-function sanitizeError(err) {
+export function sanitizeError(err) {
     const msg = err instanceof Error ? err.message : String(err);
-    // Never leak tokens in error messages
-    return msg.replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]');
+    // Never leak tokens, JWTs, or bearer values in error messages
+    return msg
+        .replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]')
+        .replace(/eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g, '[REDACTED_JWT]')
+        .replace(/Bearer\s+[a-zA-Z0-9_-]+/gi, 'Bearer [REDACTED]');
 }
 /**
  * CLI Backend: route requests through `claude --print` instead of direct API.
@@ -195,7 +201,9 @@ async function handleViaCli(body, model, verbose) {
         if (!lastUser) {
             return { status: 400, body: JSON.stringify({ error: 'No user message' }), contentType: 'application/json' };
         }
-        const effectiveModel = model ?? parsed.model ?? 'claude-opus-4-6';
+        const rawModel = model ?? parsed.model ?? 'claude-opus-4-6';
+        // Validate model name — only allow alphanumeric, hyphens, dots, underscores
+        const effectiveModel = /^[a-zA-Z0-9._-]+$/.test(rawModel) ? rawModel : 'claude-opus-4-6';
         const prompt = typeof lastUser.content === 'string'
             ? lastUser.content
             : JSON.stringify(lastUser.content);
@@ -231,7 +239,7 @@ async function handleViaCli(body, model, verbose) {
                 if (code !== 0 || !stdout.trim()) {
                     resolve({
                         status: 502,
-                        body: JSON.stringify({ type: 'error', error: { type: 'api_error', message: stderr.substring(0, 200) || 'CLI backend failed' } }),
+                        body: JSON.stringify({ type: 'error', error: { type: 'api_error', message: sanitizeError(stderr.substring(0, 200)) || 'CLI backend failed' } }),
                         contentType: 'application/json',
                     });
                     return;
@@ -286,11 +294,28 @@ export async function startProxy(opts = {}) {
     const useCli = opts.cliBackend ?? false;
     let requestCount = 0;
     let tokenCostEstimate = 0;
+    // Optional proxy authentication
+    const apiKey = process.env.DARIO_API_KEY;
+    const corsOrigin = `http://localhost:${port}`;
+    function checkAuth(req) {
+        if (!apiKey)
+            return true; // no key set = open access
+        const provided = req.headers['x-api-key']
+            || req.headers.authorization?.replace(/^Bearer\s+/i, '');
+        if (!provided)
+            return false;
+        try {
+            return timingSafeEqual(Buffer.from(provided), Buffer.from(apiKey));
+        }
+        catch {
+            return false;
+        }
+    }
     const server = createServer(async (req, res) => {
         // CORS preflight
         if (req.method === 'OPTIONS') {
             res.writeHead(204, {
-                'Access-Control-Allow-Origin': CORS_ORIGIN,
+                'Access-Control-Allow-Origin': corsOrigin,
                 'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
                 'Access-Control-Allow-Headers': 'Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta',
                 'Access-Control-Max-Age': '86400',
@@ -312,6 +337,12 @@ export async function startProxy(opts = {}) {
             }));
             return;
         }
+        // Auth gate — everything below health requires auth when DARIO_API_KEY is set
+        if (!checkAuth(req)) {
+            res.writeHead(401, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' }));
+            return;
+        }
         // Status endpoint
         if (urlPath === '/status') {
             const s = await getStatus();
@@ -322,7 +353,7 @@ export async function startProxy(opts = {}) {
         // OpenAI-compatible models list
         if (urlPath === '/v1/models' && req.method === 'GET') {
             requestCount++;
-            res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': CORS_ORIGIN });
+            res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': corsOrigin });
             res.end(JSON.stringify(openaiModelsList()));
             return;
         }
@@ -368,7 +399,7 @@ export async function startProxy(opts = {}) {
                 requestCount++;
                 res.writeHead(cliResult.status, {
                     'Content-Type': cliResult.contentType,
-                    'Access-Control-Allow-Origin': CORS_ORIGIN,
+                    'Access-Control-Allow-Origin': corsOrigin,
                 });
                 res.end(cliResult.body);
                 return;
@@ -447,7 +478,7 @@ export async function startProxy(opts = {}) {
             // Forward response headers
             const responseHeaders = {
                 'Content-Type': contentType || 'application/json',
-                'Access-Control-Allow-Origin': CORS_ORIGIN,
+                'Access-Control-Allow-Origin': corsOrigin,
             };
             // Forward rate limit headers (including unified subscription headers)
             for (const [key, value] of upstream.headers.entries()) {
@@ -463,6 +494,7 @@ export async function startProxy(opts = {}) {
                 const decoder = new TextDecoder();
                 try {
                     let buffer = '';
+                    const MAX_LINE_LENGTH = 1_000_000; // 1MB max per SSE line
                     while (true) {
                         const { done, value } = await reader.read();
                         if (done)
@@ -470,6 +502,10 @@ export async function startProxy(opts = {}) {
                         if (isOpenAI) {
                             // Translate Anthropic SSE → OpenAI SSE
                             buffer += decoder.decode(value, { stream: true });
+                            // Guard against unbounded buffer growth
+                            if (buffer.length > MAX_LINE_LENGTH) {
+                                buffer = buffer.slice(-MAX_LINE_LENGTH);
+                            }
                             const lines = buffer.split('\n');
                             buffer = lines.pop() ?? '';
                             for (const line of lines) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "2.0.0",
+  "version": "2.1.1",
   "description": "Use your Claude subscription as an API. No API key needed. Local proxy for Claude Max/Pro subscriptions.",
   "type": "module",
   "bin": {