npm - @askalf/dario - Versions diffs - 2.1.2 → 2.2.1 - Mend

@askalf/dario 2.1.2 → 2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -422,6 +422,12 @@ const status = await getStatus();
 console.log(status.expiresIn); // "11h 42m"
 ```
+## What Others Are Saying
+> *"Dario works great and is safe. Fully functional with OpenClaw / Hermes. Gives you Opus 4.6, Sonnet & Haiku using your existing Claude Max/Pro sub. No extra API key or billing needed. Streaming + tools work perfectly. 100% open-source (~1100 lines TS), runs locally only, proper OAuth (PKCE), no telemetry. Highly recommended if you want a clean local proxy."*
+>
+> — [Grok](https://x.com/grok) (xAI), independent code review
 ## Trust & Transparency
 Dario handles your OAuth tokens. Here's why you can trust it:

package/dist/cli.js CHANGED Viewed

@@ -154,6 +154,19 @@ async function help() {
   Tokens auto-refresh in the background — set it and forget it.
 `);
 }
+async function version() {
+    const { readFile } = await import('node:fs/promises');
+    const { fileURLToPath } = await import('node:url');
+    const { dirname, join } = await import('node:path');
+    try {
+        const dir = dirname(fileURLToPath(import.meta.url));
+        const pkg = JSON.parse(await readFile(join(dir, '..', 'package.json'), 'utf-8'));
+        console.log(pkg.version);
+    }
+    catch {
+        console.log('unknown');
+    }
+}
 // Main
 const commands = {
     login,
@@ -162,8 +175,11 @@ const commands = {
     refresh,
     logout,
     help,
+    version,
     '--help': help,
     '-h': help,
+    '--version': version,
+    '-V': version,
 };
 const handler = commands[command];
 if (!handler) {

package/dist/proxy.js CHANGED Viewed

@@ -7,6 +7,7 @@ const ANTHROPIC_API = 'https://api.anthropic.com';
 const DEFAULT_PORT = 3456;
 const MAX_BODY_BYTES = 10 * 1024 * 1024; // 10 MB — generous for large prompts, prevents abuse
 const UPSTREAM_TIMEOUT_MS = 300_000; // 5 min — matches Anthropic SDK default
+const BODY_READ_TIMEOUT_MS = 30_000; // 30s — prevents slow-loris on body reads
 const LOCALHOST = '127.0.0.1';
 // Detect installed Claude Code version at startup
 function detectClaudeVersion() {
@@ -101,7 +102,7 @@ export function sanitizeError(err) {
     return msg
         .replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]')
         .replace(/eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g, '[REDACTED_JWT]')
-        .replace(/Bearer\s+[a-zA-Z0-9_-]+/gi, 'Bearer [REDACTED]');
+        .replace(/Bearer\s+[^\s,;]+/gi, 'Bearer [REDACTED]');
 }
 /**
  * CLI Backend: route requests through `claude --print` instead of direct API.
@@ -146,8 +147,11 @@ async function handleViaCli(body, model, verbose) {
             });
             let stdout = '';
             let stderr = '';
-            child.stdout.on('data', (d) => { stdout += d.toString(); });
-            child.stderr.on('data', (d) => { stderr += d.toString(); });
+            const MAX_CLI_OUTPUT = 5_000_000; // 5MB cap per stream — prevents OOM from runaway CLI
+            child.stdout.on('data', (d) => { if (stdout.length < MAX_CLI_OUTPUT)
+                stdout += d.toString(); });
+            child.stderr.on('data', (d) => { if (stderr.length < MAX_CLI_OUTPUT)
+                stderr += d.toString(); });
             child.stdin.write(prompt);
             child.stdin.end();
             child.on('close', (code) => {
@@ -229,13 +233,21 @@ export async function startProxy(opts = {}) {
     const apiKey = process.env.DARIO_API_KEY;
     const apiKeyBuf = apiKey ? Buffer.from(apiKey) : null;
     const corsOrigin = `http://localhost:${port}`;
+    // Security headers for all responses
+    const SECURITY_HEADERS = {
+        'X-Content-Type-Options': 'nosniff',
+        'X-Frame-Options': 'DENY',
+        'Cache-Control': 'no-store',
+    };
     // Pre-serialize static responses
     const CORS_HEADERS = {
         'Access-Control-Allow-Origin': corsOrigin,
         'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
         'Access-Control-Allow-Headers': 'Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta',
         'Access-Control-Max-Age': '86400',
+        ...SECURITY_HEADERS,
     };
+    const JSON_HEADERS = { 'Content-Type': 'application/json', ...SECURITY_HEADERS };
     const MODELS_JSON = JSON.stringify(OPENAI_MODELS_LIST);
     const ERR_UNAUTH = JSON.stringify({ error: 'Unauthorized', message: 'Invalid or missing API key' });
     const ERR_FORBIDDEN = JSON.stringify({ error: 'Forbidden', message: 'Path not allowed' });
@@ -263,7 +275,7 @@ export async function startProxy(opts = {}) {
         // Health check
         if (urlPath === '/health' || urlPath === '/') {
             const s = await getStatus();
-            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.writeHead(200, JSON_HEADERS);
             res.end(JSON.stringify({
                 status: 'ok',
                 oauth: s.status,
@@ -273,20 +285,20 @@ export async function startProxy(opts = {}) {
             return;
         }
         if (!checkAuth(req)) {
-            res.writeHead(401, { 'Content-Type': 'application/json' });
+            res.writeHead(401, JSON_HEADERS);
             res.end(ERR_UNAUTH);
             return;
         }
         // Status endpoint
         if (urlPath === '/status') {
             const s = await getStatus();
-            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.writeHead(200, JSON_HEADERS);
             res.end(JSON.stringify(s));
             return;
         }
         if (urlPath === '/v1/models' && req.method === 'GET') {
             requestCount++;
-            res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': corsOrigin });
+            res.writeHead(200, { ...JSON_HEADERS, 'Access-Control-Allow-Origin': corsOrigin });
             res.end(MODELS_JSON);
             return;
         }
@@ -299,39 +311,64 @@ export async function startProxy(opts = {}) {
         };
         const targetBase = isOpenAI ? `${ANTHROPIC_API}/v1/messages` : allowedPaths[urlPath];
         if (!targetBase) {
-            res.writeHead(403, { 'Content-Type': 'application/json' });
+            res.writeHead(403, JSON_HEADERS);
             res.end(ERR_FORBIDDEN);
             return;
         }
         if (req.method !== 'POST') {
-            res.writeHead(405, { 'Content-Type': 'application/json' });
+            res.writeHead(405, JSON_HEADERS);
             res.end(ERR_METHOD);
             return;
         }
         // Proxy to Anthropic
         try {
             const accessToken = await getAccessToken();
-            // Read request body with size limit
+            // Read request body with size limit and timeout (prevents slow-loris)
             const chunks = [];
             let totalBytes = 0;
-            for await (const chunk of req) {
-                const buf = typeof chunk === 'string' ? Buffer.from(chunk) : chunk;
-                totalBytes += buf.length;
-                if (totalBytes > MAX_BODY_BYTES) {
-                    res.writeHead(413, { 'Content-Type': 'application/json' });
-                    res.end(JSON.stringify({ error: 'Request body too large', max: `${MAX_BODY_BYTES / 1024 / 1024}MB` }));
-                    return;
+            const bodyTimeout = setTimeout(() => { req.destroy(); }, BODY_READ_TIMEOUT_MS);
+            try {
+                for await (const chunk of req) {
+                    const buf = typeof chunk === 'string' ? Buffer.from(chunk) : chunk;
+                    totalBytes += buf.length;
+                    if (totalBytes > MAX_BODY_BYTES) {
+                        clearTimeout(bodyTimeout);
+                        res.writeHead(413, JSON_HEADERS);
+                        res.end(JSON.stringify({ error: 'Request body too large', max: `${MAX_BODY_BYTES / 1024 / 1024}MB` }));
+                        return;
+                    }
+                    chunks.push(buf);
                 }
-                chunks.push(buf);
+            }
+            finally {
+                clearTimeout(bodyTimeout);
             }
             const body = Buffer.concat(chunks);
-            // CLI backend mode: route through claude --print
-            if (useCli && urlPath === '/v1/messages' && req.method === 'POST' && body.length > 0) {
-                const cliResult = await handleViaCli(body, modelOverride, verbose);
+            // CLI backend mode: route through claude --print (works for both Anthropic and OpenAI endpoints)
+            if (useCli && req.method === 'POST' && body.length > 0) {
+                let cliBody = body;
+                // Translate OpenAI format before passing to CLI
+                if (isOpenAI) {
+                    try {
+                        const parsed = JSON.parse(body.toString());
+                        cliBody = Buffer.from(JSON.stringify(openaiToAnthropic(parsed, modelOverride)));
+                    }
+                    catch { /* send as-is */ }
+                }
+                const cliResult = await handleViaCli(cliBody, modelOverride, verbose);
                 requestCount++;
+                // Translate CLI response back to OpenAI format if needed
+                if (isOpenAI && cliResult.status >= 200 && cliResult.status < 300) {
+                    try {
+                        const parsed = JSON.parse(cliResult.body);
+                        cliResult.body = JSON.stringify(anthropicToOpenai(parsed));
+                    }
+                    catch { /* send as-is */ }
+                }
                 res.writeHead(cliResult.status, {
                     'Content-Type': cliResult.contentType,
                     'Access-Control-Allow-Origin': corsOrigin,
+                    ...SECURITY_HEADERS,
                 });
                 res.end(cliResult.body);
                 return;
@@ -375,6 +412,7 @@ export async function startProxy(opts = {}) {
             const responseHeaders = {
                 'Content-Type': contentType || 'application/json',
                 'Access-Control-Allow-Origin': corsOrigin,
+                ...SECURITY_HEADERS,
             };
             // Forward rate limit headers (including unified subscription headers)
             for (const [key, value] of upstream.headers.entries()) {
@@ -450,7 +488,7 @@ export async function startProxy(opts = {}) {
         catch (err) {
             // Log full error server-side, return generic message to client
             console.error('[dario] Proxy error:', sanitizeError(err));
-            res.writeHead(502, { 'Content-Type': 'application/json' });
+            res.writeHead(502, JSON_HEADERS);
             res.end(JSON.stringify({ error: 'Proxy error', message: 'Failed to reach upstream API' }));
         }
     });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "2.1.2",
+  "version": "2.2.1",
   "description": "Use your Claude subscription as an API. No API key needed. Local proxy for Claude Max/Pro subscriptions.",
   "type": "module",
   "bin": {