@askalf/dario 2.1.0 → 2.1.2

package/README.md

@@ -27,18 +27,18 @@
 ```bash
 npx @askalf/dario login   # detects Claude Code credentials, starts proxy
 
-# now use it from anywhere
-export ANTHROPIC_BASE_URL=http://localhost:3456
-export ANTHROPIC_API_KEY=dario
+# now use it from anywhere — Anthropic or OpenAI SDK
+export ANTHROPIC_BASE_URL=http://localhost:3456   # or OPENAI_BASE_URL=http://localhost:3456/v1
+export ANTHROPIC_API_KEY=dario                    # or OPENAI_API_KEY=dario
 ```
 
-That's it. Any tool that speaks the Anthropic API now uses your subscription.
+Opus, Sonnet, Haiku — all models, streaming, tool use. Works with Cursor, Continue, Aider, LiteLLM, Hermes, OpenClaw, or any tool that speaks the Anthropic or OpenAI API. When rate limited, `--cli` routes through Claude Code for uninterrupted Opus access.
 
 ---
 
 ## The Problem
 
-You pay $100-200/mo for Claude Max or Pro. But that subscription only works on claude.ai and Claude Code. If you want to use Claude with **any other tool** — OpenClaw, Cursor, Continue, Aider, your own scripts — you need a separate API key with separate billing.
+You pay $100-200/mo for Claude Max or Pro. But that subscription only works on claude.ai and Claude Code. If you want to use Claude with **any other tool** — Cursor, Continue, Aider, your own scripts — you need a separate API key with separate billing.
 
 **Note:** Claude subscriptions have [usage limits](https://support.claude.com/en/articles/11647753-how-do-usage-and-length-limits-work) that reset on rolling 5-hour and 7-day windows. When exceeded, Opus and Sonnet may return 429 errors while Haiku continues working. You can check your utilization via Claude Code's `/usage` command or [statusline](https://code.claude.com/docs/en/statusline). Use `--cli` mode to route through Claude Code's binary, which is not affected by these limits.
 
@@ -88,6 +88,7 @@ Usage:
   ANTHROPIC_BASE_URL=http://localhost:3456
   ANTHROPIC_API_KEY=dario
 
+Auth: open (no DARIO_API_KEY set)
 OAuth: healthy (expires in 11h 42m)
 Model: passthrough (client decides)
 ```
@@ -239,8 +240,8 @@ curl http://localhost:3456/v1/messages \
 ### With Other Tools
 
 ```bash
-# OpenClaw
-ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario openclaw
+# Cursor / Continue / any OpenAI-compatible tool
+OPENAI_BASE_URL=http://localhost:3456/v1 OPENAI_API_KEY=dario cursor
 
 # Aider
 ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario aider --model claude-opus-4-6
@@ -249,6 +250,19 @@ ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario aider --model c
 ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario your-tool-here
 ```
 
+### Hermes
+
+Add to `~/.hermes/config.yaml`:
+
+```yaml
+model:
+  base_url: "http://localhost:3456/v1"
+  api_key: "dario"
+  default: claude-opus-4-6
+```
+
+Then run `hermes` normally — it routes through dario using your Claude subscription.
+
 ## How It Works
 
 ### Direct API Mode (default)
@@ -294,12 +308,13 @@ ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario your-tool-here
 
 ### Proxy Options
 
-| Flag | Description | Default |
-|------|-------------|---------|
+| Flag/Env | Description | Default |
+|----------|-------------|---------|
 | `--cli` | Use Claude CLI as backend (bypasses rate limits) | off |
 | `--model=MODEL` | Force a model (`opus`, `sonnet`, `haiku`, or full ID) | passthrough |
 | `--port=PORT` | Port to listen on | `3456` |
 | `--verbose` / `-v` | Log every request | off |
+| `DARIO_API_KEY` | If set, all endpoints (except `/health`) require matching `x-api-key` header or `Authorization: Bearer` header | unset (open) |
 
 ## Supported Features
 
@@ -413,7 +428,7 @@ Dario handles your OAuth tokens. Here's why you can trust it:
 
 | Signal | Status |
 |--------|--------|
-| **Source code** | ~1000 lines of TypeScript — small enough to read in one sitting |
+| **Source code** | ~1100 lines of TypeScript — small enough to read in one sitting |
 | **Dependencies** | 1 production dep (`@anthropic-ai/sdk`). Verify: `npm ls --production` |
 | **npm provenance** | Every release is [SLSA attested](https://www.npmjs.com/package/@askalf/dario) via GitHub Actions |
 | **Security scanning** | [CodeQL](https://github.com/askalf/dario/actions/workflows/codeql.yml) runs on every push and weekly |
@@ -435,7 +450,7 @@ cd $(npm root -g)/@askalf/dario && npm ls --production
 
 ## Contributing
 
-PRs welcome. The codebase is ~1000 lines of TypeScript across 4 files:
+PRs welcome. The codebase is ~1100 lines of TypeScript across 4 files:
 
 | File | Purpose |
 |------|---------|
@@ -451,6 +466,15 @@ npm install
 npm run dev   # runs with tsx (no build needed)
 ```
 
+## Also by AskAlf
+
+| Project | What it does |
+|---------|-------------|
+| [platform](https://github.com/askalf/platform) | AI workforce with autonomous agents, teams, memory, and self-healing |
+| [agent](https://github.com/askalf/agent) | Connect any device to the workforce over WebSocket |
+| [claude-re](https://github.com/askalf/claude-re) | Claude Code reimplemented in Python |
+| [amnesia](https://github.com/askalf/amnesia) | Privacy search engine — 155 engines, zero tracking |
+
 ## License
 
 MIT

package/dist/proxy.d.ts

@@ -1,12 +1,3 @@
-/**
- * Dario — API Proxy Server
- *
- * Sits between your app and the Anthropic API.
- * Transparently swaps API key auth for OAuth bearer tokens.
- *
- * Point any Anthropic SDK client at http://localhost:3456 and it just works.
- * No API key needed — your Claude subscription pays for it.
- */
 interface ProxyOptions {
     port?: number;
     verbose?: boolean;

package/dist/proxy.js

@@ -1,12 +1,3 @@
-/**
- * Dario — API Proxy Server
- *
- * Sits between your app and the Anthropic API.
- * Transparently swaps API key auth for OAuth bearer tokens.
- *
- * Point any Anthropic SDK client at http://localhost:3456 and it just works.
- * No API key needed — your Claude subscription pays for it.
- */
 import { createServer } from 'node:http';
 import { randomUUID, timingSafeEqual } from 'node:crypto';
 import { execSync, spawn } from 'node:child_process';
@@ -28,73 +19,38 @@ function detectClaudeVersion() {
         return '2.1.96';
     }
 }
-function getOsName() {
-    const p = platform;
-    if (p === 'win32')
-        return 'Windows';
-    if (p === 'darwin')
-        return 'MacOS';
-    return 'Linux';
-}
-// Persistent session ID per proxy lifetime (like Claude Code does per session)
 const SESSION_ID = randomUUID();
-// Detect @anthropic-ai/sdk version from installed package
-function detectSdkVersion() {
-    try {
-        const pkg = require('@anthropic-ai/sdk/package.json');
-        return pkg.version ?? '0.81.0';
-    }
-    catch {
-        return '0.81.0';
-    }
-}
+const OS_NAME = platform === 'win32' ? 'Windows' : platform === 'darwin' ? 'MacOS' : 'Linux';
 // Model shortcuts — users can pass short names
 const MODEL_ALIASES = {
     'opus': 'claude-opus-4-6',
     'sonnet': 'claude-sonnet-4-6',
     'haiku': 'claude-haiku-4-5',
 };
-// OpenAI model name → Anthropic model name
+// OpenAI model names → Anthropic (fallback if client sends GPT names)
 const OPENAI_MODEL_MAP = {
-    'gpt-4.1': 'claude-opus-4-6',
-    'gpt-4.1-mini': 'claude-sonnet-4-6',
-    'gpt-4.1-nano': 'claude-haiku-4-5',
-    'gpt-4o': 'claude-opus-4-6',
-    'gpt-4o-mini': 'claude-haiku-4-5',
-    'gpt-4-turbo': 'claude-opus-4-6',
+    'gpt-5.4': 'claude-opus-4-6',
+    'gpt-5.4-mini': 'claude-sonnet-4-6',
+    'gpt-5.4-nano': 'claude-haiku-4-5',
+    'gpt-5.3': 'claude-opus-4-6',
     'gpt-4': 'claude-opus-4-6',
     'gpt-3.5-turbo': 'claude-haiku-4-5',
-    'o3': 'claude-opus-4-6',
-    'o3-mini': 'claude-sonnet-4-6',
-    'o4-mini': 'claude-sonnet-4-6',
-    'o1': 'claude-opus-4-6',
-    'o1-mini': 'claude-sonnet-4-6',
-    'o1-pro': 'claude-opus-4-6',
 };
-/**
- * Translate OpenAI chat completion request → Anthropic Messages request.
- */
+/** Translate OpenAI chat completion request → Anthropic Messages request. */
 function openaiToAnthropic(body, modelOverride) {
     const messages = body.messages;
     if (!messages)
         return body;
-    // Extract system messages
     const systemMessages = messages.filter(m => m.role === 'system');
     const nonSystemMessages = messages.filter(m => m.role !== 'system');
-    // Map model name
-    const requestModel = String(body.model || '');
-    const model = modelOverride || OPENAI_MODEL_MAP[requestModel] || requestModel;
+    const model = modelOverride || OPENAI_MODEL_MAP[String(body.model || '')] || String(body.model || 'claude-opus-4-6');
     const result = {
         model,
-        messages: nonSystemMessages.map(m => ({
-            role: m.role === 'assistant' ? 'assistant' : 'user',
-            content: m.content,
-        })),
+        messages: nonSystemMessages.map(m => ({ role: m.role === 'assistant' ? 'assistant' : 'user', content: m.content })),
         max_tokens: body.max_tokens ?? body.max_completion_tokens ?? 8192,
     };
-    if (systemMessages.length > 0) {
+    if (systemMessages.length > 0)
         result.system = systemMessages.map(m => typeof m.content === 'string' ? m.content : JSON.stringify(m.content)).join('\n');
-    }
     if (body.stream)
         result.stream = true;
     if (body.temperature != null)
@@ -105,33 +61,20 @@ function openaiToAnthropic(body, modelOverride) {
         result.stop_sequences = Array.isArray(body.stop) ? body.stop : [body.stop];
     return result;
 }
-/**
- * Translate Anthropic Messages response → OpenAI chat completion response.
- */
+/** Translate Anthropic Messages response → OpenAI chat completion response. */
 function anthropicToOpenai(body) {
-    const content = body.content;
-    const text = content?.find(c => c.type === 'text')?.text ?? '';
-    const usage = body.usage;
+    const text = body.content?.find(c => c.type === 'text')?.text ?? '';
+    const u = body.usage;
     return {
         id: `chatcmpl-${(body.id || '').replace('msg_', '')}`,
         object: 'chat.completion',
         created: Math.floor(Date.now() / 1000),
         model: body.model,
-        choices: [{
-                index: 0,
-                message: { role: 'assistant', content: text },
-                finish_reason: body.stop_reason === 'end_turn' ? 'stop' : body.stop_reason === 'max_tokens' ? 'length' : 'stop',
-            }],
-        usage: {
-            prompt_tokens: usage?.input_tokens ?? 0,
-            completion_tokens: usage?.output_tokens ?? 0,
-            total_tokens: (usage?.input_tokens ?? 0) + (usage?.output_tokens ?? 0),
-        },
+        choices: [{ index: 0, message: { role: 'assistant', content: text }, finish_reason: body.stop_reason === 'end_turn' ? 'stop' : 'length' }],
+        usage: { prompt_tokens: u?.input_tokens ?? 0, completion_tokens: u?.output_tokens ?? 0, total_tokens: (u?.input_tokens ?? 0) + (u?.output_tokens ?? 0) },
     };
 }
-/**
- * Translate Anthropic SSE stream → OpenAI SSE stream.
- */
+/** Translate Anthropic SSE → OpenAI SSE. */
 function translateStreamChunk(line) {
     if (!line.startsWith('data: '))
         return null;
@@ -139,47 +82,19 @@ function translateStreamChunk(line) {
     if (json === '[DONE]')
         return 'data: [DONE]\n\n';
     try {
-        const event = JSON.parse(json);
-        if (event.type === 'content_block_delta') {
-            const delta = event.delta;
-            if (delta?.type === 'text_delta' && delta.text) {
-                return `data: ${JSON.stringify({
-                    id: 'chatcmpl-dario',
-                    object: 'chat.completion.chunk',
-                    created: Math.floor(Date.now() / 1000),
-                    model: 'claude',
-                    choices: [{ index: 0, delta: { content: delta.text }, finish_reason: null }],
-                })}\n\n`;
-            }
-        }
-        if (event.type === 'message_stop') {
-            return `data: ${JSON.stringify({
-                id: 'chatcmpl-dario',
-                object: 'chat.completion.chunk',
-                created: Math.floor(Date.now() / 1000),
-                model: 'claude',
-                choices: [{ index: 0, delta: {}, finish_reason: 'stop' }],
-            })}\n\ndata: [DONE]\n\n`;
+        const e = JSON.parse(json);
+        if (e.type === 'content_block_delta') {
+            const d = e.delta;
+            if (d?.type === 'text_delta' && d.text)
+                return `data: ${JSON.stringify({ id: 'chatcmpl-dario', object: 'chat.completion.chunk', created: Math.floor(Date.now() / 1000), model: 'claude', choices: [{ index: 0, delta: { content: d.text }, finish_reason: null }] })}\n\n`;
         }
+        if (e.type === 'message_stop')
+            return `data: ${JSON.stringify({ id: 'chatcmpl-dario', object: 'chat.completion.chunk', created: Math.floor(Date.now() / 1000), model: 'claude', choices: [{ index: 0, delta: {}, finish_reason: 'stop' }] })}\n\ndata: [DONE]\n\n`;
     }
-    catch { /* skip unparseable */ }
+    catch { }
     return null;
 }
-/**
- * OpenAI-compatible models list.
- */
-function openaiModelsList() {
-    const models = ['claude-opus-4-6', 'claude-sonnet-4-6', 'claude-haiku-4-5'];
-    return {
-        object: 'list',
-        data: models.map(id => ({
-            id,
-            object: 'model',
-            created: 1700000000,
-            owned_by: 'anthropic',
-        })),
-    };
-}
+const OPENAI_MODELS_LIST = { object: 'list', data: ['claude-opus-4-6', 'claude-sonnet-4-6', 'claude-haiku-4-5'].map(id => ({ id, object: 'model', created: 1700000000, owned_by: 'anthropic' })) };
 export function sanitizeError(err) {
     const msg = err instanceof Error ? err.message : String(err);
     // Never leak tokens, JWTs, or bearer values in error messages
@@ -201,7 +116,9 @@ async function handleViaCli(body, model, verbose) {
         if (!lastUser) {
             return { status: 400, body: JSON.stringify({ error: 'No user message' }), contentType: 'application/json' };
         }
-        const effectiveModel = model ?? parsed.model ?? 'claude-opus-4-6';
+        const rawModel = model ?? parsed.model ?? 'claude-opus-4-6';
+        // Validate model name — only allow alphanumeric, hyphens, dots, underscores
+        const effectiveModel = /^[a-zA-Z0-9._-]+$/.test(rawModel) ? rawModel : 'claude-opus-4-6';
         const prompt = typeof lastUser.content === 'string'
             ? lastUser.content
             : JSON.stringify(lastUser.content);
@@ -237,7 +154,7 @@ async function handleViaCli(body, model, verbose) {
                 if (code !== 0 || !stdout.trim()) {
                     resolve({
                         status: 502,
-                        body: JSON.stringify({ type: 'error', error: { type: 'api_error', message: stderr.substring(0, 200) || 'CLI backend failed' } }),
+                        body: JSON.stringify({ type: 'error', error: { type: 'api_error', message: sanitizeError(stderr.substring(0, 200)) || 'CLI backend failed' } }),
                         contentType: 'application/json',
                     });
                     return;
@@ -287,37 +204,57 @@ export async function startProxy(opts = {}) {
         process.exit(1);
     }
     const cliVersion = detectClaudeVersion();
-    const sdkVersion = detectSdkVersion();
     const modelOverride = opts.model ? (MODEL_ALIASES[opts.model] ?? opts.model) : null;
+    // Pre-build static headers (only auth, version, beta, request-id change per request)
+    const staticHeaders = {
+        'accept': 'application/json',
+        'Content-Type': 'application/json',
+        'anthropic-dangerous-direct-browser-access': 'true',
+        'anthropic-client-platform': 'cli',
+        'user-agent': `claude-cli/${cliVersion} (external, cli)`,
+        'x-app': 'cli',
+        'x-claude-code-session-id': SESSION_ID,
+        'x-stainless-arch': arch,
+        'x-stainless-lang': 'js',
+        'x-stainless-os': OS_NAME,
+        'x-stainless-package-version': '0.81.0',
+        'x-stainless-retry-count': '0',
+        'x-stainless-runtime': 'node',
+        'x-stainless-runtime-version': nodeVersion,
+        'x-stainless-timeout': '600',
+    };
     const useCli = opts.cliBackend ?? false;
     let requestCount = 0;
-    let tokenCostEstimate = 0;
-    // Optional proxy authentication
+    // Optional proxy authentication — pre-encode key buffer for performance
     const apiKey = process.env.DARIO_API_KEY;
+    const apiKeyBuf = apiKey ? Buffer.from(apiKey) : null;
     const corsOrigin = `http://localhost:${port}`;
+    // Pre-serialize static responses
+    const CORS_HEADERS = {
+        'Access-Control-Allow-Origin': corsOrigin,
+        'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+        'Access-Control-Allow-Headers': 'Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta',
+        'Access-Control-Max-Age': '86400',
+    };
+    const MODELS_JSON = JSON.stringify(OPENAI_MODELS_LIST);
+    const ERR_UNAUTH = JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' });
+    const ERR_FORBIDDEN = JSON.stringify({ error: 'Forbidden', message: 'Path not allowed' });
+    const ERR_METHOD = JSON.stringify({ error: 'Method not allowed' });
     function checkAuth(req) {
-        if (!apiKey)
-            return true; // no key set = open access
+        if (!apiKeyBuf)
+            return true;
         const provided = req.headers['x-api-key']
             || req.headers.authorization?.replace(/^Bearer\s+/i, '');
         if (!provided)
             return false;
-        try {
-            return timingSafeEqual(Buffer.from(provided), Buffer.from(apiKey));
-        }
-        catch {
+        const providedBuf = Buffer.from(provided);
+        if (providedBuf.length !== apiKeyBuf.length)
             return false;
-        }
+        return timingSafeEqual(providedBuf, apiKeyBuf);
     }
     const server = createServer(async (req, res) => {
-        // CORS preflight
         if (req.method === 'OPTIONS') {
-            res.writeHead(204, {
-                'Access-Control-Allow-Origin': corsOrigin,
-                'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-                'Access-Control-Allow-Headers': 'Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta',
-                'Access-Control-Max-Age': '86400',
-            });
+            res.writeHead(204, CORS_HEADERS);
             res.end();
             return;
         }
@@ -335,10 +272,9 @@ export async function startProxy(opts = {}) {
             }));
             return;
         }
-        // Auth gate — everything below health requires auth when DARIO_API_KEY is set
         if (!checkAuth(req)) {
             res.writeHead(401, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' }));
+            res.end(ERR_UNAUTH);
             return;
         }
         // Status endpoint
@@ -348,11 +284,10 @@ export async function startProxy(opts = {}) {
             res.end(JSON.stringify(s));
             return;
         }
-        // OpenAI-compatible models list
         if (urlPath === '/v1/models' && req.method === 'GET') {
             requestCount++;
             res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': corsOrigin });
-            res.end(JSON.stringify(openaiModelsList()));
+            res.end(MODELS_JSON);
             return;
         }
         // Detect OpenAI-format requests
@@ -365,13 +300,12 @@ export async function startProxy(opts = {}) {
         const targetBase = isOpenAI ? `${ANTHROPIC_API}/v1/messages` : allowedPaths[urlPath];
         if (!targetBase) {
             res.writeHead(403, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ error: 'Forbidden', message: 'Path not allowed' }));
+            res.end(ERR_FORBIDDEN);
             return;
         }
-        // Only allow POST (Messages/Chat API) and GET (models)
         if (req.method !== 'POST') {
             res.writeHead(405, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ error: 'Method not allowed' }));
+            res.end(ERR_METHOD);
             return;
         }
         // Proxy to Anthropic
@@ -402,22 +336,13 @@ export async function startProxy(opts = {}) {
                 res.end(cliResult.body);
                 return;
             }
-            // Translate OpenAI → Anthropic format if needed
+            // Parse body once, apply OpenAI translation or model override
             let finalBody = body.length > 0 ? body : undefined;
-            if (isOpenAI && body.length > 0) {
+            if (body.length > 0 && (isOpenAI || modelOverride)) {
                 try {
                     const parsed = JSON.parse(body.toString());
-                    const translated = openaiToAnthropic(parsed, modelOverride);
-                    finalBody = Buffer.from(JSON.stringify(translated));
-                }
-                catch { /* not JSON, send as-is */ }
-            }
-            else if (modelOverride && body.length > 0) {
-                // Override model in request body if --model flag was set
-                try {
-                    const parsed = JSON.parse(body.toString());
-                    parsed.model = modelOverride;
-                    finalBody = Buffer.from(JSON.stringify(parsed));
+                    const result = isOpenAI ? openaiToAnthropic(parsed, modelOverride) : (modelOverride ? { ...parsed, model: modelOverride } : parsed);
+                    finalBody = Buffer.from(JSON.stringify(result));
                 }
                 catch { /* not JSON, send as-is */ }
             }
@@ -425,46 +350,19 @@ export async function startProxy(opts = {}) {
                 const modelInfo = modelOverride ? ` (model: ${modelOverride})` : '';
                 console.log(`[dario] #${requestCount} ${req.method} ${req.url}${modelInfo}`);
             }
-            // Build target URL from allowlist (no user input in URL construction)
-            const targetUrl = targetBase;
-            // Merge any client-provided beta flags with the required oauth flag
+            // Merge client beta flags with defaults
             const clientBeta = req.headers['anthropic-beta'];
-            const betaFlags = new Set([
-                'oauth-2025-04-20',
-                'interleaved-thinking-2025-05-14',
-                'prompt-caching-scope-2026-01-05',
-                'claude-code-20250219',
-                'context-management-2025-06-27',
-            ]);
-            if (clientBeta) {
-                for (const flag of clientBeta.split(',')) {
-                    const trimmed = flag.trim();
-                    if (trimmed.length > 0 && trimmed.length < 100)
-                        betaFlags.add(trimmed);
-                }
-            }
+            let beta = 'oauth-2025-04-20,interleaved-thinking-2025-05-14,prompt-caching-scope-2026-01-05,claude-code-20250219,context-management-2025-06-27';
+            if (clientBeta)
+                beta += ',' + clientBeta.split(',').map(f => f.trim()).filter(f => f.length > 0 && f.length < 100).join(',');
             const headers = {
-                'accept': 'application/json',
+                ...staticHeaders,
                 'Authorization': `Bearer ${accessToken}`,
-                'Content-Type': 'application/json',
                 'anthropic-version': req.headers['anthropic-version'] || '2023-06-01',
-                'anthropic-beta': [...betaFlags].join(','),
-                'anthropic-dangerous-direct-browser-access': 'true',
-                'anthropic-client-platform': 'cli',
-                'user-agent': `claude-cli/${cliVersion} (external, cli)`,
-                'x-app': 'cli',
-                'x-claude-code-session-id': SESSION_ID,
+                'anthropic-beta': beta,
                 'x-client-request-id': randomUUID(),
-                'x-stainless-arch': arch,
-                'x-stainless-lang': 'js',
-                'x-stainless-os': getOsName(),
-                'x-stainless-package-version': sdkVersion,
-                'x-stainless-retry-count': '0',
-                'x-stainless-runtime': 'node',
-                'x-stainless-runtime-version': nodeVersion,
-                'x-stainless-timeout': '600',
             };
-            const upstream = await fetch(targetUrl, {
+            const upstream = await fetch(targetBase, {
                 method: req.method ?? 'POST',
                 headers,
                 body: finalBody ? new Uint8Array(finalBody) : undefined,
@@ -492,6 +390,7 @@ export async function startProxy(opts = {}) {
                 const decoder = new TextDecoder();
                 try {
                     let buffer = '';
+                    const MAX_LINE_LENGTH = 1_000_000; // 1MB max per SSE line
                     while (true) {
                         const { done, value } = await reader.read();
                         if (done)
@@ -499,6 +398,10 @@ export async function startProxy(opts = {}) {
                         if (isOpenAI) {
                             // Translate Anthropic SSE → OpenAI SSE
                             buffer += decoder.decode(value, { stream: true });
+                            // Guard against unbounded buffer growth
+                            if (buffer.length > MAX_LINE_LENGTH) {
+                                buffer = buffer.slice(-MAX_LINE_LENGTH);
+                            }
                             const lines = buffer.split('\n');
                             buffer = lines.pop() ?? '';
                             for (const line of lines) {
@@ -540,18 +443,8 @@ export async function startProxy(opts = {}) {
                 else {
                     res.end(responseBody);
                 }
-                // Quick token estimate for logging
-                if (verbose && responseBody) {
-                    try {
-                        const parsed = JSON.parse(responseBody);
-                        if (parsed.usage) {
-                            const tokens = (parsed.usage.input_tokens ?? 0) + (parsed.usage.output_tokens ?? 0);
-                            tokenCostEstimate += tokens;
-                            console.log(`[dario] #${requestCount} ${upstream.status} — ${tokens} tokens (session total: ${tokenCostEstimate})`);
-                        }
-                    }
-                    catch { /* not JSON, skip */ }
-                }
+                if (verbose)
+                    console.log(`[dario] #${requestCount} ${upstream.status}`);
             }
         }
         catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "2.1.0",
+  "version": "2.1.2",
   "description": "Use your Claude subscription as an API. No API key needed. Local proxy for Claude Max/Pro subscriptions.",
   "type": "module",
   "bin": {