@askalf/dario 3.12.0 → 3.13.0

package/dist/proxy.js

@@ -7,9 +7,10 @@ import { homedir } from 'node:os';
 import { arch, platform } from 'node:process';
 import { getAccessToken, getStatus } from './oauth.js';
 import { buildCCRequest, reverseMapResponse, createStreamingReverseMapper } from './cc-template.js';
-import { AccountPool, parseRateLimits } from './pool.js';
+import { AccountPool, computeStickyKey, parseRateLimits } from './pool.js';
 import { Analytics, billingBucketFromClaim } from './analytics.js';
 import { loadAllAccounts, loadAccount, refreshAccountToken } from './accounts.js';
+import { GroupLender, importGroupPublicKey, decodeBorrowEnvelope, parseBorrowToken, } from './sealed-pool.js';
 import { getOpenAIBackend, isOpenAIModel, forwardToOpenAI } from './openai-backend.js';
 const ANTHROPIC_API = 'https://api.anthropic.com';
 const DEFAULT_PORT = 3456;
@@ -367,6 +368,30 @@ export async function startProxy(opts = {}) {
     const accountsList = await loadAllAccounts();
     const pool = accountsList.length >= 2 ? new AccountPool() : null;
     const analytics = pool ? new Analytics() : null;
+    // Sealed-sender overflow pool — activated when ~/.dario/group.json exists.
+    // Config format: { "groupId": "<name>", "publicKey": { n, e, modulusBytes } }
+    // where publicKey is the GroupAdmin's exported RSA public key. Lender runs
+    // in addition to normal pool mode — borrow requests go through a separate
+    // /v1/pool/borrow endpoint and are verified via the admin-signed token.
+    let groupLender = null;
+    try {
+        const groupConfigPath = join(homedir(), '.dario', 'group.json');
+        const rawGroup = readFileSync(groupConfigPath, 'utf-8');
+        const parsed = JSON.parse(rawGroup);
+        if (parsed?.groupId && parsed.publicKey?.n && parsed.publicKey?.e && parsed.publicKey?.modulusBytes) {
+            const pub = importGroupPublicKey(parsed.publicKey);
+            groupLender = new GroupLender(parsed.groupId, pub);
+            console.log(`  Sealed-sender pool: group "${parsed.groupId}" loaded (${pub.modulusBytes * 8}-bit key)`);
+        }
+    }
+    catch (err) {
+        // Group config is optional — silent fallthrough if missing. Log parse
+        // errors explicitly so a broken config doesn't fail silently.
+        const e = err;
+        if (e.code && e.code !== 'ENOENT') {
+            console.warn(`[dario] group.json present but unusable: ${e.message}`);
+        }
+    }
     let status;
     if (pool) {
         for (const acc of accountsList) {
@@ -524,6 +549,108 @@ export async function startProxy(opts = {}) {
             }));
             return;
         }
+        // Sealed-sender borrow endpoint — runs BEFORE the API-key auth check
+        // because the admin-signed group token IS the authentication. Anyone
+        // who presents a valid unused token can borrow capacity from this
+        // instance's pool without also holding the local dario API key.
+        // See src/sealed-pool.ts for the protocol.
+        if (urlPath === '/v1/pool/borrow' && req.method === 'POST') {
+            if (!groupLender) {
+                res.writeHead(503, JSON_HEADERS);
+                res.end(JSON.stringify({ error: 'sealed-sender pool not configured on this instance' }));
+                return;
+            }
+            if (!pool) {
+                res.writeHead(503, JSON_HEADERS);
+                res.end(JSON.stringify({ error: 'pool mode required for sealed-sender borrows' }));
+                return;
+            }
+            // Read body with the same limits as normal /v1/messages.
+            const bChunks = [];
+            let bBytes = 0;
+            const bTimeout = setTimeout(() => { req.destroy(); }, BODY_READ_TIMEOUT_MS);
+            try {
+                for await (const chunk of req) {
+                    const buf = typeof chunk === 'string' ? Buffer.from(chunk) : chunk;
+                    bBytes += buf.length;
+                    if (bBytes > MAX_BODY_BYTES) {
+                        clearTimeout(bTimeout);
+                        res.writeHead(413, JSON_HEADERS);
+                        res.end(JSON.stringify({ error: 'Request body too large' }));
+                        return;
+                    }
+                    bChunks.push(buf);
+                }
+            }
+            finally {
+                clearTimeout(bTimeout);
+            }
+            const envelope = decodeBorrowEnvelope(Buffer.concat(bChunks).toString('utf-8'));
+            if (!envelope) {
+                res.writeHead(400, JSON_HEADERS);
+                res.end(JSON.stringify({ error: 'malformed borrow envelope' }));
+                return;
+            }
+            if (envelope.groupId !== groupLender.groupId) {
+                res.writeHead(403, JSON_HEADERS);
+                res.end(JSON.stringify({ error: 'unknown_group', expected: groupLender.groupId }));
+                return;
+            }
+            const borrowTok = parseBorrowToken(envelope);
+            if (!borrowTok) {
+                res.writeHead(400, JSON_HEADERS);
+                res.end(JSON.stringify({ error: 'malformed token' }));
+                return;
+            }
+            const accept = groupLender.acceptBorrow(borrowTok.token, borrowTok.signature);
+            if (!accept.ok) {
+                res.writeHead(403, JSON_HEADERS);
+                res.end(JSON.stringify({ error: 'borrow_rejected', reason: accept.reason }));
+                return;
+            }
+            // Token validated. Forward the embedded /v1/messages request to
+            // Anthropic using the lender's normal pool. This path is minimal:
+            // no streaming parser, no reverse tool mapping, no 429 failover.
+            // It's enough to demonstrate sealed-sender end-to-end; the full
+            // feature-parity wire-up with the main /v1/messages path is a
+            // separate change (requires threading a pre-read body through
+            // the existing handler).
+            const lenderAccount = pool.select();
+            if (!lenderAccount) {
+                res.writeHead(503, JSON_HEADERS);
+                res.end(JSON.stringify({ error: 'lender pool exhausted' }));
+                return;
+            }
+            try {
+                const upstream = await fetch(`${ANTHROPIC_API}/v1/messages?beta=true`, {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'authorization': `Bearer ${lenderAccount.accessToken}`,
+                        'anthropic-version': '2023-06-01',
+                        'anthropic-beta': 'claude-code-20250219',
+                    },
+                    body: JSON.stringify(envelope.request),
+                });
+                const snapshot = parseRateLimits(upstream.headers);
+                pool.updateRateLimits(lenderAccount.alias, snapshot);
+                const body = Buffer.from(await upstream.arrayBuffer());
+                res.writeHead(upstream.status, {
+                    'content-type': upstream.headers.get('content-type') ?? 'application/json',
+                    'Access-Control-Allow-Origin': corsOrigin,
+                    ...SECURITY_HEADERS,
+                });
+                res.end(body);
+                if (verbose) {
+                    console.log(`[dario] borrow: group=${envelope.groupId} → ${lenderAccount.alias} (${upstream.status}, ${body.length}B)`);
+                }
+            }
+            catch (err) {
+                res.writeHead(502, JSON_HEADERS);
+                res.end(JSON.stringify({ error: 'upstream_error', message: err.message }));
+            }
+            return;
+        }
         if (!checkAuth(req)) {
             res.writeHead(401, JSON_HEADERS);
             res.end(ERR_UNAUTH);
@@ -555,7 +682,16 @@ export async function startProxy(opts = {}) {
                 expiresInMs: Math.max(0, a.expiresAt - Date.now()),
             }));
             res.writeHead(200, JSON_HEADERS);
-            res.end(JSON.stringify({ mode: 'pool', ...pool.status(), accounts }));
+            res.end(JSON.stringify({
+                mode: 'pool',
+                ...pool.status(),
+                stickyBindings: pool.stickyCount(),
+                sealedSender: groupLender ? {
+                    groupId: groupLender.groupId,
+                    seenTokens: groupLender.seenCount(),
+                } : null,
+                accounts,
+            }));
             return;
         }
         // Analytics endpoint — request history + burn-rate summary (pool mode only).
@@ -696,6 +832,16 @@ export async function startProxy(opts = {}) {
             let finalBody = body.length > 0 ? body : undefined;
             let ccToolMap = null;
             let requestModel = '';
+            // Session stickiness key — hash of the first user message in this
+            // conversation. Populated inside the template-replay block below
+            // after the first user message is extracted for the build tag, then
+            // used to rebind the sticky slot on in-request 429 failover and on
+            // the eventual request bookkeeping. Null when body isn't JSON, when
+            // there's no user message, or when we're in passthrough mode (the
+            // fingerprint work doesn't run, so there's no point biasing account
+            // selection toward one we already paid cache cost on — passthrough
+            // users aren't doing template replay anyway).
+            let stickyKey = null;
             // Request context for hybrid-mode field injection (#33). Built once
             // per request from incoming headers so the reverse mapper can fill
             // client-declared fields like `sessionId` that CC's schema doesn't
@@ -730,6 +876,24 @@ export async function startProxy(opts = {}) {
                         const fullVersion = `${cliVersion}.${buildTag}`;
                         const billingTag = `x-anthropic-billing-header: cc_version=${fullVersion}; cc_entrypoint=cli; cch=${cch};`;
                         const CACHE_1H = { type: 'ephemeral', ttl: '1h' };
+                        // Session stickiness: rebind the pre-selected pool account to
+                        // whatever the sticky-key resolver picks. If this is a new
+                        // conversation the key binds to the current best account
+                        // (no-op swap in most cases). If this is a follow-up turn of
+                        // an existing conversation the key resolves to the account
+                        // that already has the Anthropic prompt cache warmed for it.
+                        // Rotating off mid-session costs cache-create on every turn.
+                        stickyKey = computeStickyKey(userMsg);
+                        if (pool && stickyKey) {
+                            const preferred = pool.selectSticky(stickyKey);
+                            if (preferred && preferred.alias !== poolAccount?.alias) {
+                                poolAccount = preferred;
+                                accessToken = preferred.accessToken;
+                                if (verbose) {
+                                    console.log(`[dario] #${requestCount} sticky: bind ${stickyKey} → ${preferred.alias}`);
+                                }
+                            }
+                        }
                         const bodyIdentity = poolAccount
                             ? poolAccount.identity
                             : { deviceId: identity.deviceId, accountUuid: identity.accountUuid, sessionId: SESSION_ID };
@@ -907,6 +1071,7 @@ export async function startProxy(opts = {}) {
                                 accessToken = nextAccount.accessToken;
                                 headers['Authorization'] = `Bearer ${accessToken}`;
                                 headers['x-claude-code-session-id'] = nextAccount.identity.sessionId;
+                                pool.rebindSticky(stickyKey, nextAccount.alias);
                                 peekedBody = null;
                                 continue dispatchLoop;
                             }
@@ -965,6 +1130,7 @@ export async function startProxy(opts = {}) {
                             accessToken = nextAccount.accessToken;
                             headers['Authorization'] = `Bearer ${accessToken}`;
                             headers['x-claude-code-session-id'] = nextAccount.identity.sessionId;
+                            pool.rebindSticky(stickyKey, nextAccount.alias);
                             continue dispatchLoop;
                         }
                     }

package/dist/sealed-pool.d.ts

@@ -0,0 +1,202 @@
+/**
+ * Sealed-sender overflow pool — RSA blind signatures for unlinkable capacity
+ * sharing inside a trust group.
+ *
+ * The problem this solves: in a federated pool where several friends lend
+ * each other account capacity, a naive design leaks who is borrowing what.
+ * If member A sends "I'm borrowing from your pool" to member B's dario
+ * instance, B learns exactly which of their friends is running which
+ * workload — and over time B can build a pretty detailed surveillance log
+ * of everyone else's agent sessions. That's the opposite of what a private
+ * friend pool should provide.
+ *
+ * The solution is Chaum's 1983 blind signature construction. A trusted
+ * admin (one member of the group, selected by social consensus) issues
+ * signed borrow tokens to each member. The admin never sees the token
+ * values — they sign blinded values, and the blinding is unlinkable at
+ * the cryptographic level. When a member sends a token to a lender, the
+ * lender can verify "this was signed by the group admin" without learning
+ * WHICH member holds that token. The lender sees a valid group credential
+ * and nothing more.
+ *
+ * From Anthropic's perspective nothing changes: the request still hits
+ * their API under the lender's identity, fully attributable to a real
+ * paying Max subscriber. The privacy property is entirely INSIDE the
+ * trust group — no member can surveil another member's usage through
+ * the pool layer.
+ *
+ * What this is NOT: this is not anonymity from Anthropic, not onion
+ * routing, not credential laundering. It is a privacy layer on top of
+ * a legitimate friends-pool arrangement. Members opt in, the admin is
+ * known, membership is revocable by rotating the group key. It's the
+ * same trust model as a family Netflix account, with unlinkability as
+ * a feature for the pool's internal telemetry.
+ *
+ * Implementation notes:
+ *   - RSA-2048 with FDH (full-domain hash) padding via MGF1-SHA256.
+ *   - Node's crypto.publicEncrypt / privateDecrypt with RSA_NO_PADDING
+ *     for raw RSA operations. All modular arithmetic happens in BigInt.
+ *   - Tokens are 32 random bytes each, single-use (lender tracks SHA-256
+ *     hashes of seen tokens to prevent double-spend).
+ *   - Admin does not need to be online for members to use tokens. Admin
+ *     only runs when issuing a new batch (typically once per day/week).
+ */
+import { type KeyObject } from 'node:crypto';
+export interface RSAPublicKey {
+    n: bigint;
+    e: bigint;
+    modulusBytes: number;
+    keyObj: KeyObject;
+}
+export interface RSAPrivateKey extends RSAPublicKey {
+    keyObjPriv: KeyObject;
+}
+/**
+ * Blind a token: pick r ∈ [2, n), compute blinded = FDH(token) · r^e mod n.
+ * The admin sees only the blinded value (uniform over Z_n*) and learns
+ * nothing about the token.
+ */
+export declare function blindToken(tokenBytes: Buffer, pubKey: RSAPublicKey): {
+    blinded: bigint;
+    r: bigint;
+};
+/** Admin-side: sign a blinded value. No knowledge of the original token. */
+export declare function signBlinded(blinded: bigint, privKey: RSAPrivateKey): bigint;
+/**
+ * Member-side: given the admin's signature on the blinded value, remove
+ * the blinding factor to obtain a raw RSA-FDH signature over the original
+ * token that the admin never saw.
+ *
+ * Math: signed_blinded = (FDH(t) · r^e)^d = FDH(t)^d · r mod n.
+ * Multiplying by r^(-1) mod n yields FDH(t)^d = the raw signature.
+ */
+export declare function unblindSignature(blindedSignature: bigint, r: bigint, pubKey: RSAPublicKey): bigint;
+/**
+ * Verify a (token, signature) pair against the admin's public key.
+ * True iff signature^e ≡ FDH(token) (mod n).
+ */
+export declare function verifyTokenSignature(tokenBytes: Buffer, signature: bigint, pubKey: RSAPublicKey): boolean;
+export declare function generateGroupKey(bits?: number): RSAPrivateKey;
+export interface ExportedGroupKey {
+    n: string;
+    e: string;
+    modulusBytes: number;
+}
+export declare function exportGroupPublicKey(key: RSAPublicKey): ExportedGroupKey;
+export declare function importGroupPublicKey(exported: ExportedGroupKey): RSAPublicKey;
+export interface MemberRecord {
+    pubkey: string;
+    expiresAt: number;
+    quotaPerBatch: number;
+}
+/**
+ * Admin holds the group private key and a roster of authorized members.
+ * Admin does NOT hold any of the tokens, by design — blind signing means
+ * the admin never sees what they signed. This is the key privacy property.
+ *
+ * The admin's responsibilities are purely social: decide who's in the
+ * group, set per-member quotas, rotate the group key when someone leaves.
+ */
+export declare class GroupAdmin {
+    readonly groupId: string;
+    readonly key: RSAPrivateKey;
+    readonly members: Map<string, MemberRecord>;
+    constructor(groupId: string, key: RSAPrivateKey, members: Map<string, MemberRecord>);
+    static create(groupId: string, bits?: number): GroupAdmin;
+    addMember(pubkey: string, quotaPerBatch?: number, validForDays?: number): void;
+    removeMember(pubkey: string): boolean;
+    /**
+     * Sign a batch of blinded tokens submitted by a member. The admin
+     * authenticates the request out-of-band (member identity auth happens
+     * at the HTTP layer via a member signing key — not modelled here).
+     *
+     * Throws on: unknown member, expired membership, batch-too-large.
+     */
+    signBatch(memberPubkey: string, blinded: bigint[]): bigint[];
+    publicKey(): ExportedGroupKey;
+}
+export interface PreparedBatch {
+    blinded: bigint[];
+    state: Array<{
+        token: Buffer;
+        r: bigint;
+    }>;
+}
+export interface BorrowToken {
+    token: Buffer;
+    signature: bigint;
+}
+/**
+ * Member holds an identity pubkey (used by the admin for roster lookup)
+ * and a local stash of unused (token, signature) pairs. Tokens are single-
+ * use — consume one per borrow. Admin never saw any of these tokens.
+ */
+export declare class GroupMember {
+    readonly memberPubkey: string;
+    readonly groupPublicKey: RSAPublicKey;
+    private tokens;
+    constructor(memberPubkey: string, groupPublicKey: RSAPublicKey);
+    /**
+     * Step 1 of a token batch: generate random tokens, blind each, return
+     * the blinded values (to send to admin) plus the per-token state
+     * (kept locally for unblinding after admin responds).
+     */
+    prepareBatch(count: number): PreparedBatch;
+    /**
+     * Step 2 of a token batch: unblind each admin-signed value, verify the
+     * resulting raw signature, and add the (token, signature) pair to the
+     * local stash. Any verification failure throws — we never store a token
+     * whose signature doesn't check out.
+     */
+    finalizeBatch(signedBlinded: bigint[], state: Array<{
+        token: Buffer;
+        r: bigint;
+    }>): void;
+    consumeToken(): BorrowToken | null;
+    tokenCount(): number;
+}
+export type AcceptResult = {
+    ok: true;
+} | {
+    ok: false;
+    reason: 'invalid_signature' | 'double_spend' | 'malformed';
+};
+/**
+ * Lender holds the group public key and a set of token hashes that have
+ * already been redeemed. Memory-only in v1; a persisted set would be a
+ * sqlite table keyed on token hash, or just a file of sha256 hex lines.
+ *
+ * The lender LEARNS NOTHING about which member borrowed. That's the
+ * whole point — blind signatures decouple "who signed this request"
+ * (the admin, uniformly) from "who holds the token" (one specific
+ * member who is anonymous to the lender).
+ */
+export declare class GroupLender {
+    readonly groupId: string;
+    readonly groupPublicKey: RSAPublicKey;
+    private seenTokens;
+    private maxSeenTokens;
+    constructor(groupId: string, groupPublicKey: RSAPublicKey, opts?: {
+        maxSeenTokens?: number;
+    });
+    acceptBorrow(token: Buffer, signature: bigint): AcceptResult;
+    seenCount(): number;
+}
+/**
+ * Envelope the member sends to a lender's /v1/pool/borrow endpoint. The
+ * `request` field carries an embedded Anthropic /v1/messages body that
+ * the lender will proxy to api.anthropic.com under its own identity.
+ *
+ * Version field lets us rotate crypto or protocol details without
+ * breaking older members in the same group.
+ */
+export interface BorrowEnvelope {
+    v: 1;
+    groupId: string;
+    token: string;
+    sig: string;
+    request: unknown;
+}
+export declare function encodeBorrowEnvelope(groupId: string, bt: BorrowToken, request: unknown): string;
+export declare function decodeBorrowEnvelope(s: string): BorrowEnvelope | null;
+export declare function parseBorrowToken(env: BorrowEnvelope): BorrowToken | null;