@askalf/dario 2.1.1 → 2.2.0

package/README.md

@@ -32,13 +32,13 @@ export ANTHROPIC_BASE_URL=http://localhost:3456   # or OPENAI_BASE_URL=http://lo
 export ANTHROPIC_API_KEY=dario                    # or OPENAI_API_KEY=dario
 ```
 
-Opus, Sonnet, Haiku — all models, streaming, tool use. Works with OpenClaw, Cursor, Continue, Aider, Hermes, or any tool that speaks the Anthropic or OpenAI API. When rate limited, `--cli` routes through Claude Code for uninterrupted Opus access.
+Opus, Sonnet, Haiku — all models, streaming, tool use. Works with Cursor, Continue, Aider, LiteLLM, Hermes, OpenClaw, or any tool that speaks the Anthropic or OpenAI API. When rate limited, `--cli` routes through Claude Code for uninterrupted Opus access.
 
 ---
 
 ## The Problem
 
-You pay $100-200/mo for Claude Max or Pro. But that subscription only works on claude.ai and Claude Code. If you want to use Claude with **any other tool** — OpenClaw, Cursor, Continue, Aider, your own scripts — you need a separate API key with separate billing.
+You pay $100-200/mo for Claude Max or Pro. But that subscription only works on claude.ai and Claude Code. If you want to use Claude with **any other tool** — Cursor, Continue, Aider, your own scripts — you need a separate API key with separate billing.
 
 **Note:** Claude subscriptions have [usage limits](https://support.claude.com/en/articles/11647753-how-do-usage-and-length-limits-work) that reset on rolling 5-hour and 7-day windows. When exceeded, Opus and Sonnet may return 429 errors while Haiku continues working. You can check your utilization via Claude Code's `/usage` command or [statusline](https://code.claude.com/docs/en/statusline). Use `--cli` mode to route through Claude Code's binary, which is not affected by these limits.
 
@@ -240,8 +240,8 @@ curl http://localhost:3456/v1/messages \
 ### With Other Tools
 
 ```bash
-# OpenClaw
-ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario openclaw
+# Cursor / Continue / any OpenAI-compatible tool
+OPENAI_BASE_URL=http://localhost:3456/v1 OPENAI_API_KEY=dario cursor
 
 # Aider
 ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario aider --model claude-opus-4-6
@@ -250,6 +250,19 @@ ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario aider --model c
 ANTHROPIC_BASE_URL=http://localhost:3456 ANTHROPIC_API_KEY=dario your-tool-here
 ```
 
+### Hermes
+
+Add to `~/.hermes/config.yaml`:
+
+```yaml
+model:
+  base_url: "http://localhost:3456/v1"
+  api_key: "dario"
+  default: claude-opus-4-6
+```
+
+Then run `hermes` normally — it routes through dario using your Claude subscription.
+
 ## How It Works
 
 ### Direct API Mode (default)
@@ -415,7 +428,7 @@ Dario handles your OAuth tokens. Here's why you can trust it:
 
 | Signal | Status |
 |--------|--------|
-| **Source code** | ~1000 lines of TypeScript — small enough to read in one sitting |
+| **Source code** | ~1100 lines of TypeScript — small enough to read in one sitting |
 | **Dependencies** | 1 production dep (`@anthropic-ai/sdk`). Verify: `npm ls --production` |
 | **npm provenance** | Every release is [SLSA attested](https://www.npmjs.com/package/@askalf/dario) via GitHub Actions |
 | **Security scanning** | [CodeQL](https://github.com/askalf/dario/actions/workflows/codeql.yml) runs on every push and weekly |
@@ -437,7 +450,7 @@ cd $(npm root -g)/@askalf/dario && npm ls --production
 
 ## Contributing
 
-PRs welcome. The codebase is ~1000 lines of TypeScript across 4 files:
+PRs welcome. The codebase is ~1100 lines of TypeScript across 4 files:
 
 | File | Purpose |
 |------|---------|
@@ -453,6 +466,15 @@ npm install
 npm run dev   # runs with tsx (no build needed)
 ```
 
+## Also by AskAlf
+
+| Project | What it does |
+|---------|-------------|
+| [platform](https://github.com/askalf/platform) | AI workforce with autonomous agents, teams, memory, and self-healing |
+| [agent](https://github.com/askalf/agent) | Connect any device to the workforce over WebSocket |
+| [claude-re](https://github.com/askalf/claude-re) | Claude Code reimplemented in Python |
+| [amnesia](https://github.com/askalf/amnesia) | Privacy search engine — 155 engines, zero tracking |
+
 ## License
 
 MIT

package/dist/cli.js

@@ -154,6 +154,19 @@ async function help() {
   Tokens auto-refresh in the background — set it and forget it.
 `);
 }
+async function version() {
+    const { readFile } = await import('node:fs/promises');
+    const { fileURLToPath } = await import('node:url');
+    const { dirname, join } = await import('node:path');
+    try {
+        const dir = dirname(fileURLToPath(import.meta.url));
+        const pkg = JSON.parse(await readFile(join(dir, '..', 'package.json'), 'utf-8'));
+        console.log(pkg.version);
+    }
+    catch {
+        console.log('unknown');
+    }
+}
 // Main
 const commands = {
     login,
@@ -162,8 +175,11 @@ const commands = {
     refresh,
     logout,
     help,
+    version,
     '--help': help,
     '-h': help,
+    '--version': version,
+    '-V': version,
 };
 const handler = commands[command];
 if (!handler) {

package/dist/proxy.d.ts

@@ -1,12 +1,3 @@
-/**
- * Dario — API Proxy Server
- *
- * Sits between your app and the Anthropic API.
- * Transparently swaps API key auth for OAuth bearer tokens.
- *
- * Point any Anthropic SDK client at http://localhost:3456 and it just works.
- * No API key needed — your Claude subscription pays for it.
- */
 interface ProxyOptions {
     port?: number;
     verbose?: boolean;

package/dist/proxy.js

@@ -1,12 +1,3 @@
-/**
- * Dario — API Proxy Server
- *
- * Sits between your app and the Anthropic API.
- * Transparently swaps API key auth for OAuth bearer tokens.
- *
- * Point any Anthropic SDK client at http://localhost:3456 and it just works.
- * No API key needed — your Claude subscription pays for it.
- */
 import { createServer } from 'node:http';
 import { randomUUID, timingSafeEqual } from 'node:crypto';
 import { execSync, spawn } from 'node:child_process';
@@ -16,6 +7,7 @@ const ANTHROPIC_API = 'https://api.anthropic.com';
 const DEFAULT_PORT = 3456;
 const MAX_BODY_BYTES = 10 * 1024 * 1024; // 10 MB — generous for large prompts, prevents abuse
 const UPSTREAM_TIMEOUT_MS = 300_000; // 5 min — matches Anthropic SDK default
+const BODY_READ_TIMEOUT_MS = 30_000; // 30s — prevents slow-loris on body reads
 const LOCALHOST = '127.0.0.1';
 // Detect installed Claude Code version at startup
 function detectClaudeVersion() {
@@ -28,73 +20,38 @@ function detectClaudeVersion() {
         return '2.1.96';
     }
 }
-function getOsName() {
-    const p = platform;
-    if (p === 'win32')
-        return 'Windows';
-    if (p === 'darwin')
-        return 'MacOS';
-    return 'Linux';
-}
-// Persistent session ID per proxy lifetime (like Claude Code does per session)
 const SESSION_ID = randomUUID();
-// Detect @anthropic-ai/sdk version from installed package
-function detectSdkVersion() {
-    try {
-        const pkg = require('@anthropic-ai/sdk/package.json');
-        return pkg.version ?? '0.81.0';
-    }
-    catch {
-        return '0.81.0';
-    }
-}
+const OS_NAME = platform === 'win32' ? 'Windows' : platform === 'darwin' ? 'MacOS' : 'Linux';
 // Model shortcuts — users can pass short names
 const MODEL_ALIASES = {
     'opus': 'claude-opus-4-6',
     'sonnet': 'claude-sonnet-4-6',
     'haiku': 'claude-haiku-4-5',
 };
-// OpenAI model name → Anthropic model name
+// OpenAI model names → Anthropic (fallback if client sends GPT names)
 const OPENAI_MODEL_MAP = {
-    'gpt-4.1': 'claude-opus-4-6',
-    'gpt-4.1-mini': 'claude-sonnet-4-6',
-    'gpt-4.1-nano': 'claude-haiku-4-5',
-    'gpt-4o': 'claude-opus-4-6',
-    'gpt-4o-mini': 'claude-haiku-4-5',
-    'gpt-4-turbo': 'claude-opus-4-6',
+    'gpt-5.4': 'claude-opus-4-6',
+    'gpt-5.4-mini': 'claude-sonnet-4-6',
+    'gpt-5.4-nano': 'claude-haiku-4-5',
+    'gpt-5.3': 'claude-opus-4-6',
     'gpt-4': 'claude-opus-4-6',
     'gpt-3.5-turbo': 'claude-haiku-4-5',
-    'o3': 'claude-opus-4-6',
-    'o3-mini': 'claude-sonnet-4-6',
-    'o4-mini': 'claude-sonnet-4-6',
-    'o1': 'claude-opus-4-6',
-    'o1-mini': 'claude-sonnet-4-6',
-    'o1-pro': 'claude-opus-4-6',
 };
-/**
- * Translate OpenAI chat completion request → Anthropic Messages request.
- */
+/** Translate OpenAI chat completion request → Anthropic Messages request. */
 function openaiToAnthropic(body, modelOverride) {
     const messages = body.messages;
     if (!messages)
         return body;
-    // Extract system messages
     const systemMessages = messages.filter(m => m.role === 'system');
     const nonSystemMessages = messages.filter(m => m.role !== 'system');
-    // Map model name
-    const requestModel = String(body.model || '');
-    const model = modelOverride || OPENAI_MODEL_MAP[requestModel] || requestModel;
+    const model = modelOverride || OPENAI_MODEL_MAP[String(body.model || '')] || String(body.model || 'claude-opus-4-6');
     const result = {
         model,
-        messages: nonSystemMessages.map(m => ({
-            role: m.role === 'assistant' ? 'assistant' : 'user',
-            content: m.content,
-        })),
+        messages: nonSystemMessages.map(m => ({ role: m.role === 'assistant' ? 'assistant' : 'user', content: m.content })),
         max_tokens: body.max_tokens ?? body.max_completion_tokens ?? 8192,
     };
-    if (systemMessages.length > 0) {
+    if (systemMessages.length > 0)
         result.system = systemMessages.map(m => typeof m.content === 'string' ? m.content : JSON.stringify(m.content)).join('\n');
-    }
     if (body.stream)
         result.stream = true;
     if (body.temperature != null)
@@ -105,33 +62,20 @@ function openaiToAnthropic(body, modelOverride) {
         result.stop_sequences = Array.isArray(body.stop) ? body.stop : [body.stop];
     return result;
 }
-/**
- * Translate Anthropic Messages response → OpenAI chat completion response.
- */
+/** Translate Anthropic Messages response → OpenAI chat completion response. */
 function anthropicToOpenai(body) {
-    const content = body.content;
-    const text = content?.find(c => c.type === 'text')?.text ?? '';
-    const usage = body.usage;
+    const text = body.content?.find(c => c.type === 'text')?.text ?? '';
+    const u = body.usage;
     return {
         id: `chatcmpl-${(body.id || '').replace('msg_', '')}`,
         object: 'chat.completion',
         created: Math.floor(Date.now() / 1000),
         model: body.model,
-        choices: [{
-                index: 0,
-                message: { role: 'assistant', content: text },
-                finish_reason: body.stop_reason === 'end_turn' ? 'stop' : body.stop_reason === 'max_tokens' ? 'length' : 'stop',
-            }],
-        usage: {
-            prompt_tokens: usage?.input_tokens ?? 0,
-            completion_tokens: usage?.output_tokens ?? 0,
-            total_tokens: (usage?.input_tokens ?? 0) + (usage?.output_tokens ?? 0),
-        },
+        choices: [{ index: 0, message: { role: 'assistant', content: text }, finish_reason: body.stop_reason === 'end_turn' ? 'stop' : 'length' }],
+        usage: { prompt_tokens: u?.input_tokens ?? 0, completion_tokens: u?.output_tokens ?? 0, total_tokens: (u?.input_tokens ?? 0) + (u?.output_tokens ?? 0) },
     };
 }
-/**
- * Translate Anthropic SSE stream → OpenAI SSE stream.
- */
+/** Translate Anthropic SSE → OpenAI SSE. */
 function translateStreamChunk(line) {
     if (!line.startsWith('data: '))
         return null;
@@ -139,54 +83,26 @@ function translateStreamChunk(line) {
     if (json === '[DONE]')
         return 'data: [DONE]\n\n';
     try {
-        const event = JSON.parse(json);
-        if (event.type === 'content_block_delta') {
-            const delta = event.delta;
-            if (delta?.type === 'text_delta' && delta.text) {
-                return `data: ${JSON.stringify({
-                    id: 'chatcmpl-dario',
-                    object: 'chat.completion.chunk',
-                    created: Math.floor(Date.now() / 1000),
-                    model: 'claude',
-                    choices: [{ index: 0, delta: { content: delta.text }, finish_reason: null }],
-                })}\n\n`;
-            }
-        }
-        if (event.type === 'message_stop') {
-            return `data: ${JSON.stringify({
-                id: 'chatcmpl-dario',
-                object: 'chat.completion.chunk',
-                created: Math.floor(Date.now() / 1000),
-                model: 'claude',
-                choices: [{ index: 0, delta: {}, finish_reason: 'stop' }],
-            })}\n\ndata: [DONE]\n\n`;
+        const e = JSON.parse(json);
+        if (e.type === 'content_block_delta') {
+            const d = e.delta;
+            if (d?.type === 'text_delta' && d.text)
+                return `data: ${JSON.stringify({ id: 'chatcmpl-dario', object: 'chat.completion.chunk', created: Math.floor(Date.now() / 1000), model: 'claude', choices: [{ index: 0, delta: { content: d.text }, finish_reason: null }] })}\n\n`;
         }
+        if (e.type === 'message_stop')
+            return `data: ${JSON.stringify({ id: 'chatcmpl-dario', object: 'chat.completion.chunk', created: Math.floor(Date.now() / 1000), model: 'claude', choices: [{ index: 0, delta: {}, finish_reason: 'stop' }] })}\n\ndata: [DONE]\n\n`;
     }
-    catch { /* skip unparseable */ }
+    catch { }
     return null;
 }
-/**
- * OpenAI-compatible models list.
- */
-function openaiModelsList() {
-    const models = ['claude-opus-4-6', 'claude-sonnet-4-6', 'claude-haiku-4-5'];
-    return {
-        object: 'list',
-        data: models.map(id => ({
-            id,
-            object: 'model',
-            created: 1700000000,
-            owned_by: 'anthropic',
-        })),
-    };
-}
+const OPENAI_MODELS_LIST = { object: 'list', data: ['claude-opus-4-6', 'claude-sonnet-4-6', 'claude-haiku-4-5'].map(id => ({ id, object: 'model', created: 1700000000, owned_by: 'anthropic' })) };
 export function sanitizeError(err) {
     const msg = err instanceof Error ? err.message : String(err);
     // Never leak tokens, JWTs, or bearer values in error messages
     return msg
         .replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]')
         .replace(/eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g, '[REDACTED_JWT]')
-        .replace(/Bearer\s+[a-zA-Z0-9_-]+/gi, 'Bearer [REDACTED]');
+        .replace(/Bearer\s+[^\s,;]+/gi, 'Bearer [REDACTED]');
 }
 /**
  * CLI Backend: route requests through `claude --print` instead of direct API.
@@ -231,8 +147,11 @@ async function handleViaCli(body, model, verbose) {
             });
             let stdout = '';
             let stderr = '';
-            child.stdout.on('data', (d) => { stdout += d.toString(); });
-            child.stderr.on('data', (d) => { stderr += d.toString(); });
+            const MAX_CLI_OUTPUT = 5_000_000; // 5MB cap per stream — prevents OOM from runaway CLI
+            child.stdout.on('data', (d) => { if (stdout.length < MAX_CLI_OUTPUT)
+                stdout += d.toString(); });
+            child.stderr.on('data', (d) => { if (stderr.length < MAX_CLI_OUTPUT)
+                stderr += d.toString(); });
             child.stdin.write(prompt);
             child.stdin.end();
             child.on('close', (code) => {
@@ -289,37 +208,65 @@ export async function startProxy(opts = {}) {
         process.exit(1);
     }
     const cliVersion = detectClaudeVersion();
-    const sdkVersion = detectSdkVersion();
     const modelOverride = opts.model ? (MODEL_ALIASES[opts.model] ?? opts.model) : null;
+    // Pre-build static headers (only auth, version, beta, request-id change per request)
+    const staticHeaders = {
+        'accept': 'application/json',
+        'Content-Type': 'application/json',
+        'anthropic-dangerous-direct-browser-access': 'true',
+        'anthropic-client-platform': 'cli',
+        'user-agent': `claude-cli/${cliVersion} (external, cli)`,
+        'x-app': 'cli',
+        'x-claude-code-session-id': SESSION_ID,
+        'x-stainless-arch': arch,
+        'x-stainless-lang': 'js',
+        'x-stainless-os': OS_NAME,
+        'x-stainless-package-version': '0.81.0',
+        'x-stainless-retry-count': '0',
+        'x-stainless-runtime': 'node',
+        'x-stainless-runtime-version': nodeVersion,
+        'x-stainless-timeout': '600',
+    };
     const useCli = opts.cliBackend ?? false;
     let requestCount = 0;
-    let tokenCostEstimate = 0;
-    // Optional proxy authentication
+    // Optional proxy authentication — pre-encode key buffer for performance
     const apiKey = process.env.DARIO_API_KEY;
+    const apiKeyBuf = apiKey ? Buffer.from(apiKey) : null;
     const corsOrigin = `http://localhost:${port}`;
+    // Security headers for all responses
+    const SECURITY_HEADERS = {
+        'X-Content-Type-Options': 'nosniff',
+        'X-Frame-Options': 'DENY',
+        'Cache-Control': 'no-store',
+    };
+    // Pre-serialize static responses
+    const CORS_HEADERS = {
+        'Access-Control-Allow-Origin': corsOrigin,
+        'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+        'Access-Control-Allow-Headers': 'Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta',
+        'Access-Control-Max-Age': '86400',
+        ...SECURITY_HEADERS,
+    };
+    const JSON_HEADERS = { 'Content-Type': 'application/json', ...SECURITY_HEADERS };
+    const MODELS_JSON = JSON.stringify(OPENAI_MODELS_LIST);
+    const ERR_UNAUTH = JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' });
+    const ERR_FORBIDDEN = JSON.stringify({ error: 'Forbidden', message: 'Path not allowed' });
+    const ERR_METHOD = JSON.stringify({ error: 'Method not allowed' });
     function checkAuth(req) {
-        if (!apiKey)
-            return true; // no key set = open access
+        if (!apiKeyBuf)
+            return true;
         const provided = req.headers['x-api-key']
             || req.headers.authorization?.replace(/^Bearer\s+/i, '');
         if (!provided)
             return false;
-        try {
-            return timingSafeEqual(Buffer.from(provided), Buffer.from(apiKey));
-        }
-        catch {
+        const providedBuf = Buffer.from(provided);
+        if (providedBuf.length !== apiKeyBuf.length)
             return false;
-        }
+        return timingSafeEqual(providedBuf, apiKeyBuf);
     }
     const server = createServer(async (req, res) => {
-        // CORS preflight
         if (req.method === 'OPTIONS') {
-            res.writeHead(204, {
-                'Access-Control-Allow-Origin': corsOrigin,
-                'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-                'Access-Control-Allow-Headers': 'Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta',
-                'Access-Control-Max-Age': '86400',
-            });
+            res.writeHead(204, CORS_HEADERS);
             res.end();
             return;
         }
@@ -328,7 +275,7 @@ export async function startProxy(opts = {}) {
         // Health check
         if (urlPath === '/health' || urlPath === '/') {
             const s = await getStatus();
-            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.writeHead(200, JSON_HEADERS);
             res.end(JSON.stringify({
                 status: 'ok',
                 oauth: s.status,
@@ -337,24 +284,22 @@ export async function startProxy(opts = {}) {
             }));
             return;
         }
-        // Auth gate — everything below health requires auth when DARIO_API_KEY is set
         if (!checkAuth(req)) {
-            res.writeHead(401, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' }));
+            res.writeHead(401, JSON_HEADERS);
+            res.end(ERR_UNAUTH);
             return;
         }
         // Status endpoint
         if (urlPath === '/status') {
             const s = await getStatus();
-            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.writeHead(200, JSON_HEADERS);
             res.end(JSON.stringify(s));
             return;
         }
-        // OpenAI-compatible models list
         if (urlPath === '/v1/models' && req.method === 'GET') {
             requestCount++;
-            res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': corsOrigin });
-            res.end(JSON.stringify(openaiModelsList()));
+            res.writeHead(200, { ...JSON_HEADERS, 'Access-Control-Allow-Origin': corsOrigin });
+            res.end(MODELS_JSON);
             return;
         }
         // Detect OpenAI-format requests
@@ -366,60 +311,75 @@ export async function startProxy(opts = {}) {
         };
         const targetBase = isOpenAI ? `${ANTHROPIC_API}/v1/messages` : allowedPaths[urlPath];
         if (!targetBase) {
-            res.writeHead(403, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ error: 'Forbidden', message: 'Path not allowed' }));
+            res.writeHead(403, JSON_HEADERS);
+            res.end(ERR_FORBIDDEN);
             return;
         }
-        // Only allow POST (Messages/Chat API) and GET (models)
         if (req.method !== 'POST') {
-            res.writeHead(405, { 'Content-Type': 'application/json' });
-            res.end(JSON.stringify({ error: 'Method not allowed' }));
+            res.writeHead(405, JSON_HEADERS);
+            res.end(ERR_METHOD);
             return;
         }
         // Proxy to Anthropic
         try {
             const accessToken = await getAccessToken();
-            // Read request body with size limit
+            // Read request body with size limit and timeout (prevents slow-loris)
             const chunks = [];
             let totalBytes = 0;
-            for await (const chunk of req) {
-                const buf = typeof chunk === 'string' ? Buffer.from(chunk) : chunk;
-                totalBytes += buf.length;
-                if (totalBytes > MAX_BODY_BYTES) {
-                    res.writeHead(413, { 'Content-Type': 'application/json' });
-                    res.end(JSON.stringify({ error: 'Request body too large', max: `${MAX_BODY_BYTES / 1024 / 1024}MB` }));
-                    return;
+            const bodyTimeout = setTimeout(() => { req.destroy(); }, BODY_READ_TIMEOUT_MS);
+            try {
+                for await (const chunk of req) {
+                    const buf = typeof chunk === 'string' ? Buffer.from(chunk) : chunk;
+                    totalBytes += buf.length;
+                    if (totalBytes > MAX_BODY_BYTES) {
+                        clearTimeout(bodyTimeout);
+                        res.writeHead(413, JSON_HEADERS);
+                        res.end(JSON.stringify({ error: 'Request body too large', max: `${MAX_BODY_BYTES / 1024 / 1024}MB` }));
+                        return;
+                    }
+                    chunks.push(buf);
                 }
-                chunks.push(buf);
+            }
+            finally {
+                clearTimeout(bodyTimeout);
             }
             const body = Buffer.concat(chunks);
-            // CLI backend mode: route through claude --print
-            if (useCli && urlPath === '/v1/messages' && req.method === 'POST' && body.length > 0) {
-                const cliResult = await handleViaCli(body, modelOverride, verbose);
+            // CLI backend mode: route through claude --print (works for both Anthropic and OpenAI endpoints)
+            if (useCli && req.method === 'POST' && body.length > 0) {
+                let cliBody = body;
+                // Translate OpenAI format before passing to CLI
+                if (isOpenAI) {
+                    try {
+                        const parsed = JSON.parse(body.toString());
+                        cliBody = Buffer.from(JSON.stringify(openaiToAnthropic(parsed, modelOverride)));
+                    }
+                    catch { /* send as-is */ }
+                }
+                const cliResult = await handleViaCli(cliBody, modelOverride, verbose);
                 requestCount++;
+                // Translate CLI response back to OpenAI format if needed
+                if (isOpenAI && cliResult.status >= 200 && cliResult.status < 300) {
+                    try {
+                        const parsed = JSON.parse(cliResult.body);
+                        cliResult.body = JSON.stringify(anthropicToOpenai(parsed));
+                    }
+                    catch { /* send as-is */ }
+                }
                 res.writeHead(cliResult.status, {
                     'Content-Type': cliResult.contentType,
                     'Access-Control-Allow-Origin': corsOrigin,
+                    ...SECURITY_HEADERS,
                 });
                 res.end(cliResult.body);
                 return;
             }
-            // Translate OpenAI → Anthropic format if needed
+            // Parse body once, apply OpenAI translation or model override
             let finalBody = body.length > 0 ? body : undefined;
-            if (isOpenAI && body.length > 0) {
+            if (body.length > 0 && (isOpenAI || modelOverride)) {
                 try {
                     const parsed = JSON.parse(body.toString());
-                    const translated = openaiToAnthropic(parsed, modelOverride);
-                    finalBody = Buffer.from(JSON.stringify(translated));
-                }
-                catch { /* not JSON, send as-is */ }
-            }
-            else if (modelOverride && body.length > 0) {
-                // Override model in request body if --model flag was set
-                try {
-                    const parsed = JSON.parse(body.toString());
-                    parsed.model = modelOverride;
-                    finalBody = Buffer.from(JSON.stringify(parsed));
+                    const result = isOpenAI ? openaiToAnthropic(parsed, modelOverride) : (modelOverride ? { ...parsed, model: modelOverride } : parsed);
+                    finalBody = Buffer.from(JSON.stringify(result));
                 }
                 catch { /* not JSON, send as-is */ }
             }
@@ -427,46 +387,19 @@ export async function startProxy(opts = {}) {
                 const modelInfo = modelOverride ? ` (model: ${modelOverride})` : '';
                 console.log(`[dario] #${requestCount} ${req.method} ${req.url}${modelInfo}`);
             }
-            // Build target URL from allowlist (no user input in URL construction)
-            const targetUrl = targetBase;
-            // Merge any client-provided beta flags with the required oauth flag
+            // Merge client beta flags with defaults
             const clientBeta = req.headers['anthropic-beta'];
-            const betaFlags = new Set([
-                'oauth-2025-04-20',
-                'interleaved-thinking-2025-05-14',
-                'prompt-caching-scope-2026-01-05',
-                'claude-code-20250219',
-                'context-management-2025-06-27',
-            ]);
-            if (clientBeta) {
-                for (const flag of clientBeta.split(',')) {
-                    const trimmed = flag.trim();
-                    if (trimmed.length > 0 && trimmed.length < 100)
-                        betaFlags.add(trimmed);
-                }
-            }
+            let beta = 'oauth-2025-04-20,interleaved-thinking-2025-05-14,prompt-caching-scope-2026-01-05,claude-code-20250219,context-management-2025-06-27';
+            if (clientBeta)
+                beta += ',' + clientBeta.split(',').map(f => f.trim()).filter(f => f.length > 0 && f.length < 100).join(',');
             const headers = {
-                'accept': 'application/json',
+                ...staticHeaders,
                 'Authorization': `Bearer ${accessToken}`,
-                'Content-Type': 'application/json',
                 'anthropic-version': req.headers['anthropic-version'] || '2023-06-01',
-                'anthropic-beta': [...betaFlags].join(','),
-                'anthropic-dangerous-direct-browser-access': 'true',
-                'anthropic-client-platform': 'cli',
-                'user-agent': `claude-cli/${cliVersion} (external, cli)`,
-                'x-app': 'cli',
-                'x-claude-code-session-id': SESSION_ID,
+                'anthropic-beta': beta,
                 'x-client-request-id': randomUUID(),
-                'x-stainless-arch': arch,
-                'x-stainless-lang': 'js',
-                'x-stainless-os': getOsName(),
-                'x-stainless-package-version': sdkVersion,
-                'x-stainless-retry-count': '0',
-                'x-stainless-runtime': 'node',
-                'x-stainless-runtime-version': nodeVersion,
-                'x-stainless-timeout': '600',
             };
-            const upstream = await fetch(targetUrl, {
+            const upstream = await fetch(targetBase, {
                 method: req.method ?? 'POST',
                 headers,
                 body: finalBody ? new Uint8Array(finalBody) : undefined,
@@ -479,6 +412,7 @@ export async function startProxy(opts = {}) {
             const responseHeaders = {
                 'Content-Type': contentType || 'application/json',
                 'Access-Control-Allow-Origin': corsOrigin,
+                ...SECURITY_HEADERS,
             };
             // Forward rate limit headers (including unified subscription headers)
             for (const [key, value] of upstream.headers.entries()) {
@@ -547,24 +481,14 @@ export async function startProxy(opts = {}) {
                 else {
                     res.end(responseBody);
                 }
-                // Quick token estimate for logging
-                if (verbose && responseBody) {
-                    try {
-                        const parsed = JSON.parse(responseBody);
-                        if (parsed.usage) {
-                            const tokens = (parsed.usage.input_tokens ?? 0) + (parsed.usage.output_tokens ?? 0);
-                            tokenCostEstimate += tokens;
-                            console.log(`[dario] #${requestCount} ${upstream.status} — ${tokens} tokens (session total: ${tokenCostEstimate})`);
-                        }
-                    }
-                    catch { /* not JSON, skip */ }
-                }
+                if (verbose)
+                    console.log(`[dario] #${requestCount} ${upstream.status}`);
             }
         }
         catch (err) {
             // Log full error server-side, return generic message to client
             console.error('[dario] Proxy error:', sanitizeError(err));
-            res.writeHead(502, { 'Content-Type': 'application/json' });
+            res.writeHead(502, JSON_HEADERS);
             res.end(JSON.stringify({ error: 'Proxy error', message: 'Failed to reach upstream API' }));
         }
     });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "2.1.1",
+  "version": "2.2.0",
   "description": "Use your Claude subscription as an API. No API key needed. Local proxy for Claude Max/Pro subscriptions.",
   "type": "module",
   "bin": {