@askalf/dario 2.3.1 → 2.4.1

package/README.md

@@ -1,8 +1,8 @@
 <p align="center">
   <h1 align="center">dario</h1>
-  <p align="center"><strong>Use your Claude subscription as an API.</strong></p>
+  <p align="center"><strong>Use your Claude subscription as an API. The only proxy that bills correctly.</strong></p>
   <p align="center">
-    No API key needed. Your Claude Max/Pro subscription becomes a local API endpoint<br/>that any tool, SDK, or framework can use.
+    No API key needed. Your Claude Max/Pro subscription becomes a local API endpoint<br/>that any tool, SDK, or framework can use — with native billing classification,<br/>so your Max plan limits actually work.
   </p>
 </p>
 
@@ -66,6 +66,37 @@ Opus, Sonnet, Haiku — all models, streaming, tool use. Works with Cursor, Cont
 
 ---
 
+## Why dario
+
+Most Claude subscription proxies have a critical billing problem: **Anthropic classifies their requests as third-party and routes all usage to Extra Usage billing** — even when you have Max plan limits available. You're paying for your subscription twice.
+
+dario is the only proxy that solves this. It injects native Claude Code device identity (`metadata.user_id`) into every request, so Anthropic's billing system treats your requests exactly like Claude Code itself. Your Max plan limits work correctly.
+
+| | dario | Other proxies |
+|---|---|---|
+| **Billing classification** | Native Claude Code session | Third-party (Extra Usage) |
+| **Max plan limits** | Used correctly | Bypassed — billed separately |
+| **Device identity** | Injected automatically | Missing |
+| **Beta flags** | Match Claude Code v2.1.98 | Outdated or missing |
+| **Billable beta filtering** | Strips surprise charges | Passes everything through |
+
+<details>
+<summary><strong>vs competitors</strong></summary>
+
+| Feature | dario | Meridian (710 stars) | CLIProxyAPI (24K stars) | claude-code-mux |
+|---------|-------|---------|------------|-----------------|
+| Native billing classification | **Yes** | No | Inherited (CLI-only) | No |
+| Direct OAuth (streaming, tools) | **Yes** | Yes (SDK-based) | No | No |
+| CLI fallback (rate limit bypass) | **Yes** | No | Yes (only mode) | No |
+| OpenAI API compat | **Yes** | Yes | Yes | Yes |
+| Orchestration sanitization | **Yes** | Yes | No | No |
+| Token anomaly detection | **Yes** | Yes | No | No |
+| Codebase size | ~1,200 lines | ~9,000 lines | Platform | Rust binary |
+| Dependencies | 1 | Many | Many | Compiled |
+| Setup | 2 commands | Config + build | Config + dashboard | Config |
+
+</details>
+
 ## The Problem
 
 You pay $100-200/mo for Claude Max or Pro. But that subscription only works on claude.ai and Claude Code. If you want to use Claude with **any other tool** — Cursor, Continue, Aider, your own scripts — you need a separate API key with separate billing.
@@ -349,13 +380,17 @@ Then run `hermes` normally — it routes through dario using your Claude subscri
 ## Supported Features
 
 ### Direct API Mode
-- All Claude models (Opus 4.6, Sonnet 4.6, Haiku 4.5)
+- All Claude models (Opus 4.6, Sonnet 4.6, Haiku 4.5) + 1M extended context aliases (`opus1m`, `sonnet1m`)
+- **Native billing classification** — device identity metadata ensures Max plan limits work correctly
 - **OpenAI-compatible** (`/v1/chat/completions`) — works with any OpenAI SDK or tool
-- Streaming and non-streaming (both Anthropic and OpenAI SSE formats)
+- Streaming and non-streaming (both Anthropic and OpenAI SSE formats, including tool_use streaming)
 - Tool use / function calling
 - System prompts and multi-turn conversations
 - Prompt caching and extended thinking
-- All `anthropic-beta` features (headers pass through)
+- **Billable beta filtering** — strips `extended-cache-ttl`, `context-management`, `prompt-caching-scope` from client betas to prevent surprise Extra Usage charges
+- **Orchestration tag sanitization** — strips agent-injected XML (`<system-reminder>`, `<env>`, `<task_metadata>`, etc.) before forwarding
+- **Token anomaly detection** — warns on context spike (>60% input growth) or output explosion (>2x previous)
+- Concurrency control (max 10 concurrent upstream requests)
 - CORS enabled (works from browser apps on localhost)
 
 ### CLI Backend Mode
@@ -458,7 +493,7 @@ Dario handles your OAuth tokens. Here's why you can trust it:
 
 | Signal | Status |
 |--------|--------|
-| **Source code** | ~1100 lines of TypeScript — small enough to read in one sitting |
+| **Source code** | ~1,300 lines of TypeScript — small enough to audit in one sitting |
 | **Dependencies** | 1 production dep (`@anthropic-ai/sdk`). Verify: `npm ls --production` |
 | **npm provenance** | Every release is [SLSA attested](https://www.npmjs.com/package/@askalf/dario) via GitHub Actions |
 | **Security scanning** | [CodeQL](https://github.com/askalf/dario/actions/workflows/codeql.yml) runs on every push and weekly |
@@ -480,7 +515,7 @@ cd $(npm root -g)/@askalf/dario && npm ls --production
 
 ## Contributing
 
-PRs welcome. The codebase is ~1100 lines of TypeScript across 4 files:
+PRs welcome. The codebase is ~1,300 lines of TypeScript across 4 files:
 
 | File | Purpose |
 |------|---------|

package/dist/proxy.js

@@ -1,6 +1,9 @@
 import { createServer } from 'node:http';
 import { randomUUID, timingSafeEqual } from 'node:crypto';
 import { execSync, spawn } from 'node:child_process';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
 import { arch, platform, version as nodeVersion } from 'node:process';
 import { getAccessToken, getStatus } from './oauth.js';
 const ANTHROPIC_API = 'https://api.anthropic.com';
@@ -45,12 +48,120 @@ function detectClaudeVersion() {
 }
 const SESSION_ID = randomUUID();
 const OS_NAME = platform === 'win32' ? 'Windows' : platform === 'darwin' ? 'MacOS' : 'Linux';
+// Claude Code device identity — required for Max plan billing classification.
+// Without metadata.user_id, Anthropic classifies requests as third-party and
+// routes them to Extra Usage billing instead of the Max plan allocation.
+function loadClaudeIdentity() {
+    const paths = [
+        join(homedir(), '.claude.json'), // Windows / Linux / macOS (live config)
+        join(homedir(), '.claude', '.claude.json'), // Alternative location
+        join(homedir(), '.claude', 'claude.json'),
+    ];
+    // Also check backup files as fallback
+    try {
+        const backupDir = join(homedir(), '.claude', 'backups');
+        const files = require('fs').readdirSync(backupDir);
+        const backups = files
+            .filter((f) => f.startsWith('.claude.json.backup.'))
+            .sort()
+            .reverse();
+        for (const b of backups)
+            paths.push(join(backupDir, b));
+    }
+    catch { /* no backups dir */ }
+    for (const p of paths) {
+        try {
+            const data = JSON.parse(readFileSync(p, 'utf-8'));
+            if (data.userID) {
+                // accountUuid lives inside oauthAccount, not at root
+                const accountUuid = data.oauthAccount?.accountUuid ?? data.accountUuid ?? '';
+                return { deviceId: data.userID, accountUuid };
+            }
+        }
+        catch { /* try next */ }
+    }
+    return { deviceId: '', accountUuid: '' };
+}
 // Model shortcuts — users can pass short names
 const MODEL_ALIASES = {
     'opus': 'claude-opus-4-6',
+    'opus1m': 'claude-opus-4-6[1m]',
     'sonnet': 'claude-sonnet-4-6',
+    'sonnet1m': 'claude-sonnet-4-6[1m]',
     'haiku': 'claude-haiku-4-5',
 };
+// Beta prefixes that trigger Extra Usage billing on Max subscriptions.
+// Stripping these prevents surprise charges while keeping caching/thinking/1M active.
+const BILLABLE_BETA_PREFIXES = [
+    'extended-cache-ttl-', // Extended cache TTLs beyond default
+    'context-management-', // Auto-compaction / context management
+    'prompt-caching-scope-', // Extended prompt caching scope
+];
+/** Filter out billable betas from client-provided beta header. */
+function filterBillableBetas(betas) {
+    return betas.split(',').map(b => b.trim()).filter(b => b.length > 0 && !BILLABLE_BETA_PREFIXES.some(p => b.startsWith(p))).join(',');
+}
+// Orchestration tags injected by agents (Aider, Cursor, OpenCode, etc.)
+// that confuse Claude when passed through. Strip before forwarding.
+const ORCHESTRATION_TAG_NAMES = [
+    'system-reminder', 'env', 'system_information', 'current_working_directory',
+    'operating_system', 'default_shell', 'home_directory', 'task_metadata',
+    'tool_exec', 'tool_output', 'skill_content', 'skill_files',
+    'directories', 'available_skills', 'thinking',
+];
+const ORCHESTRATION_PATTERNS = ORCHESTRATION_TAG_NAMES.flatMap(tag => [
+    new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}>`, 'gi'),
+    new RegExp(`<${tag}\\b[^>]*\\/>`, 'gi'),
+]);
+/** Strip orchestration wrapper tags from message content. */
+function sanitizeContent(text) {
+    let result = text;
+    for (const pattern of ORCHESTRATION_PATTERNS) {
+        pattern.lastIndex = 0;
+        result = result.replace(pattern, '');
+    }
+    return result.replace(/\n{3,}/g, '\n\n').trim();
+}
+/** Strip orchestration tags from all messages in a request body. */
+function sanitizeMessages(body) {
+    const messages = body.messages;
+    if (!messages)
+        return;
+    for (const msg of messages) {
+        if (typeof msg.content === 'string') {
+            msg.content = sanitizeContent(msg.content);
+        }
+        else if (Array.isArray(msg.content)) {
+            for (const block of msg.content) {
+                if (typeof block === 'object' && block && 'text' in block && typeof block.text === 'string') {
+                    block.text = sanitizeContent(block.text);
+                }
+            }
+        }
+    }
+}
+let lastTokenSnapshot = null;
+function checkTokenAnomalies(usage, requestId) {
+    const current = {
+        inputTokens: usage.input_tokens ?? 0,
+        outputTokens: usage.output_tokens ?? 0,
+        cacheRead: usage.cache_read_input_tokens ?? 0,
+    };
+    if (lastTokenSnapshot && lastTokenSnapshot.inputTokens > 0) {
+        const growth = (current.inputTokens - lastTokenSnapshot.inputTokens) / lastTokenSnapshot.inputTokens;
+        if (growth > 0.6) {
+            const pct = Math.round(growth * 100);
+            console.warn(`[dario] TOKEN WARN ${requestId}: Input grew ${pct}% (${lastTokenSnapshot.inputTokens} → ${current.inputTokens}). Possible full replay.`);
+        }
+        if (current.outputTokens > lastTokenSnapshot.outputTokens * 2 && current.outputTokens > 2000) {
+            console.warn(`[dario] TOKEN WARN ${requestId}: Output explosion ${current.outputTokens} tokens (${Math.round(current.outputTokens / lastTokenSnapshot.outputTokens)}x previous).`);
+        }
+    }
+    lastTokenSnapshot = current;
+}
+// Extended context fallback — cooldown after 1M context failure
+let extendedContextUnavailableAt = 0;
+const EXTENDED_CONTEXT_COOLDOWN_MS = 60 * 60 * 1000; // 1 hour
 // OpenAI model names → Anthropic (fallback if client sends GPT names)
 const OPENAI_MODEL_MAP = {
     'gpt-5.4': 'claude-opus-4-6',
@@ -255,6 +366,14 @@ export async function startProxy(opts = {}) {
     }
     const cliVersion = detectClaudeVersion();
     const modelOverride = opts.model ? (MODEL_ALIASES[opts.model] ?? opts.model) : null;
+    const identity = loadClaudeIdentity();
+    if (identity.deviceId) {
+        console.log('  Device identity: detected');
+    }
+    else {
+        console.warn('[dario] WARNING: No Claude Code device identity found. Requests may be billed as Extra Usage.');
+        console.warn('[dario] Run Claude Code at least once to generate ~/.claude/.claude.json');
+    }
     // Pre-build static headers (only auth, version, beta, request-id change per request)
     const staticHeaders = {
         'accept': 'application/json',
@@ -352,11 +471,12 @@ export async function startProxy(opts = {}) {
         // Detect OpenAI-format requests
         const isOpenAI = urlPath === '/v1/chat/completions';
         // Allowlisted API paths — only these are proxied (prevents SSRF)
+        // ?beta=true matches native Claude Code behavior for billing classification
         const allowedPaths = {
-            '/v1/messages': `${ANTHROPIC_API}/v1/messages`,
+            '/v1/messages': `${ANTHROPIC_API}/v1/messages?beta=true`,
             '/v1/complete': `${ANTHROPIC_API}/v1/complete`,
         };
-        const targetBase = isOpenAI ? `${ANTHROPIC_API}/v1/messages` : allowedPaths[urlPath];
+        const targetBase = isOpenAI ? `${ANTHROPIC_API}/v1/messages?beta=true` : allowedPaths[urlPath];
         if (!targetBase) {
             res.writeHead(403, JSON_HEADERS);
             res.end(ERR_FORBIDDEN);
@@ -421,12 +541,28 @@ export async function startProxy(opts = {}) {
                 res.end(cliResult.body);
                 return;
             }
-            // Parse body once, apply OpenAI translation or model override
+            // Parse body once, apply OpenAI translation, model override, and sanitization
             let finalBody = body.length > 0 ? body : undefined;
-            if (body.length > 0 && (isOpenAI || modelOverride)) {
+            if (body.length > 0) {
                 try {
                     const parsed = JSON.parse(body.toString());
+                    // Strip orchestration tags from messages (Aider, Cursor, etc.)
+                    sanitizeMessages(parsed);
+                    // Handle 1M context: strip [1m] suffix if in cooldown
+                    if (modelOverride?.includes('[1m]') && extendedContextUnavailableAt > 0 && Date.now() - extendedContextUnavailableAt < EXTENDED_CONTEXT_COOLDOWN_MS) {
+                        parsed.model = modelOverride.replace('[1m]', '');
+                    }
                     const result = isOpenAI ? openaiToAnthropic(parsed, modelOverride) : (modelOverride ? { ...parsed, model: modelOverride } : parsed);
+                    // Inject device identity metadata — required for Max plan billing classification
+                    if (identity.deviceId && typeof result === 'object' && result !== null) {
+                        result.metadata = {
+                            user_id: JSON.stringify({
+                                device_id: identity.deviceId,
+                                account_uuid: identity.accountUuid,
+                                session_id: SESSION_ID,
+                            }),
+                        };
+                    }
                     finalBody = Buffer.from(JSON.stringify(result));
                 }
                 catch { /* not JSON, send as-is */ }
@@ -435,14 +571,16 @@ export async function startProxy(opts = {}) {
                 const modelInfo = modelOverride ? ` (model: ${modelOverride})` : '';
                 console.log(`[dario] #${requestCount} ${req.method} ${urlPath}${modelInfo}`);
             }
-            // Merge client beta flags with required defaults.
-            // Only include betas that are essential for OAuth + standard features.
-            // Avoid betas that may require Extra Usage (context-management, prompt-caching-scope).
-            // Client-provided betas pass through — the client controls its own feature set.
+            // Beta flags matching native Claude Code v2.1.98.
+            // context-management and prompt-caching-scope are safe when metadata.user_id
+            // is present — billing classification depends on device identity, not betas.
             const clientBeta = req.headers['anthropic-beta'];
-            let beta = 'oauth-2025-04-20,interleaved-thinking-2025-05-14,claude-code-20250219';
-            if (clientBeta)
-                beta += ',' + clientBeta.split(',').map(f => f.trim()).filter(f => f.length > 0 && f.length < 100).join(',');
+            let beta = 'oauth-2025-04-20,interleaved-thinking-2025-05-14,context-management-2025-06-27,prompt-caching-scope-2026-01-05,claude-code-20250219,advisor-tool-2026-03-01';
+            if (clientBeta) {
+                const filtered = filterBillableBetas(clientBeta);
+                if (filtered)
+                    beta += ',' + filtered;
+            }
             const headers = {
                 ...staticHeaders,
                 'Authorization': `Bearer ${accessToken}`,
@@ -519,6 +657,21 @@ export async function startProxy(opts = {}) {
             else {
                 // Buffer and forward
                 const responseBody = await upstream.text();
+                // Check for extended context failure — cooldown to avoid repeated failures
+                if (upstream.status === 400 && responseBody.includes('extra_usage') && modelOverride?.includes('[1m]')) {
+                    extendedContextUnavailableAt = Date.now();
+                    console.warn('[dario] 1M context requires Extra Usage — falling back to standard context for 1 hour');
+                }
+                // Token anomaly detection on non-streaming responses
+                if (upstream.status >= 200 && upstream.status < 300) {
+                    try {
+                        const parsed = JSON.parse(responseBody);
+                        const usage = parsed.usage;
+                        if (usage)
+                            checkTokenAnomalies(usage, responseHeaders['request-id'] ?? '');
+                    }
+                    catch { /* ignore parse errors */ }
+                }
                 if (isOpenAI && upstream.status >= 200 && upstream.status < 300) {
                     // Translate Anthropic response → OpenAI format
                     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "2.3.1",
+  "version": "2.4.1",
   "description": "Use your Claude subscription as an API. No API key needed. Local proxy for Claude Max/Pro subscriptions.",
   "type": "module",
   "bin": {