@askalf/dario 3.12.0 → 3.13.0

package/dist/sealed-pool.js

@@ -0,0 +1,416 @@
+/**
+ * Sealed-sender overflow pool — RSA blind signatures for unlinkable capacity
+ * sharing inside a trust group.
+ *
+ * The problem this solves: in a federated pool where several friends lend
+ * each other account capacity, a naive design leaks who is borrowing what.
+ * If member A sends "I'm borrowing from your pool" to member B's dario
+ * instance, B learns exactly which of their friends is running which
+ * workload — and over time B can build a pretty detailed surveillance log
+ * of everyone else's agent sessions. That's the opposite of what a private
+ * friend pool should provide.
+ *
+ * The solution is Chaum's 1983 blind signature construction. A trusted
+ * admin (one member of the group, selected by social consensus) issues
+ * signed borrow tokens to each member. The admin never sees the token
+ * values — they sign blinded values, and the blinding is unlinkable at
+ * the cryptographic level. When a member sends a token to a lender, the
+ * lender can verify "this was signed by the group admin" without learning
+ * WHICH member holds that token. The lender sees a valid group credential
+ * and nothing more.
+ *
+ * From Anthropic's perspective nothing changes: the request still hits
+ * their API under the lender's identity, fully attributable to a real
+ * paying Max subscriber. The privacy property is entirely INSIDE the
+ * trust group — no member can surveil another member's usage through
+ * the pool layer.
+ *
+ * What this is NOT: this is not anonymity from Anthropic, not onion
+ * routing, not credential laundering. It is a privacy layer on top of
+ * a legitimate friends-pool arrangement. Members opt in, the admin is
+ * known, membership is revocable by rotating the group key. It's the
+ * same trust model as a family Netflix account, with unlinkability as
+ * a feature for the pool's internal telemetry.
+ *
+ * Implementation notes:
+ *   - RSA-2048 with FDH (full-domain hash) padding via MGF1-SHA256.
+ *   - Node's crypto.publicEncrypt / privateDecrypt with RSA_NO_PADDING
+ *     for raw RSA operations. All modular arithmetic happens in BigInt.
+ *   - Tokens are 32 random bytes each, single-use (lender tracks SHA-256
+ *     hashes of seen tokens to prevent double-spend).
+ *   - Admin does not need to be online for members to use tokens. Admin
+ *     only runs when issuing a new batch (typically once per day/week).
+ */
+import { generateKeyPairSync, publicEncrypt, privateDecrypt, constants, createPublicKey, randomBytes, createHash, } from 'node:crypto';
+// ======================================================================
+//  BigInt / buffer helpers
+// ======================================================================
+function bigintToBytes(n, len) {
+    let hex = n.toString(16);
+    if (hex.length % 2)
+        hex = '0' + hex;
+    const buf = Buffer.from(hex, 'hex');
+    if (buf.length > len)
+        throw new Error('value too large for buffer');
+    if (buf.length === len)
+        return buf;
+    const padded = Buffer.alloc(len);
+    buf.copy(padded, len - buf.length);
+    return padded;
+}
+function bytesToBigint(buf) {
+    if (buf.length === 0)
+        return 0n;
+    return BigInt('0x' + buf.toString('hex'));
+}
+function egcd(a, b) {
+    let [oldR, r] = [a, b];
+    let [oldS, s] = [1n, 0n];
+    let [oldT, t] = [0n, 1n];
+    while (r !== 0n) {
+        const q = oldR / r;
+        [oldR, r] = [r, oldR - q * r];
+        [oldS, s] = [s, oldS - q * s];
+        [oldT, t] = [t, oldT - q * t];
+    }
+    return [oldR, oldS, oldT];
+}
+function modInverse(a, n) {
+    const norm = ((a % n) + n) % n;
+    const [g, x] = egcd(norm, n);
+    if (g !== 1n)
+        throw new Error('no modular inverse');
+    return ((x % n) + n) % n;
+}
+// ======================================================================
+//  Full-domain hash (FDH) for RSA blind signatures
+// ======================================================================
+/**
+ * Map a message to a uniformly-distributed integer in [1, n). Standard
+ * FDH construction via MGF1-SHA256 with a counter-based retry loop to
+ * handle the edge case where the candidate is ≥ n.
+ *
+ * Why FDH matters: without it, RSA signatures are vulnerable to
+ * multiplicative forgery attacks (signatures can be combined to forge
+ * signatures on products of messages). FDH destroys the algebraic
+ * structure of the message so no such combination exists.
+ */
+function fdh(message, modulus, modulusBytes) {
+    for (let counter = 0; counter < 1000; counter++) {
+        const out = Buffer.alloc(modulusBytes);
+        let written = 0;
+        let i = 0;
+        while (written < modulusBytes) {
+            const hash = createHash('sha256');
+            hash.update(message);
+            const counterBuf = Buffer.alloc(4);
+            counterBuf.writeUInt32BE(counter, 0);
+            hash.update(counterBuf);
+            const iBuf = Buffer.alloc(4);
+            iBuf.writeUInt32BE(i, 0);
+            hash.update(iBuf);
+            const digest = hash.digest();
+            const take = Math.min(digest.length, modulusBytes - written);
+            digest.copy(out, written, 0, take);
+            written += take;
+            i++;
+        }
+        // Clear the top bit to reduce the chance of value ≥ n on the first try.
+        out[0] &= 0x7f;
+        const candidate = bytesToBigint(out);
+        if (candidate > 0n && candidate < modulus)
+            return candidate;
+    }
+    throw new Error('FDH: exhausted counter without finding candidate');
+}
+function rawPublicOp(key, value) {
+    const input = bigintToBytes(value, key.modulusBytes);
+    const output = publicEncrypt({ key: key.keyObj, padding: constants.RSA_NO_PADDING }, input);
+    return bytesToBigint(output);
+}
+function rawPrivateOp(key, value) {
+    const input = bigintToBytes(value, key.modulusBytes);
+    const output = privateDecrypt({ key: key.keyObjPriv, padding: constants.RSA_NO_PADDING }, input);
+    return bytesToBigint(output);
+}
+// ======================================================================
+//  Blind signature protocol
+// ======================================================================
+/**
+ * Blind a token: pick r ∈ [2, n), compute blinded = FDH(token) · r^e mod n.
+ * The admin sees only the blinded value (uniform over Z_n*) and learns
+ * nothing about the token.
+ */
+export function blindToken(tokenBytes, pubKey) {
+    const m = fdh(tokenBytes, pubKey.n, pubKey.modulusBytes);
+    let r = 0n;
+    for (let attempts = 0; attempts < 32; attempts++) {
+        const rBytes = randomBytes(pubKey.modulusBytes);
+        rBytes[0] &= 0x7f;
+        const candidate = bytesToBigint(rBytes);
+        if (candidate > 1n && candidate < pubKey.n) {
+            r = candidate;
+            break;
+        }
+    }
+    if (r === 0n)
+        throw new Error('blindToken: failed to sample r');
+    const rE = rawPublicOp(pubKey, r);
+    const blinded = (m * rE) % pubKey.n;
+    return { blinded, r };
+}
+/** Admin-side: sign a blinded value. No knowledge of the original token. */
+export function signBlinded(blinded, privKey) {
+    return rawPrivateOp(privKey, blinded);
+}
+/**
+ * Member-side: given the admin's signature on the blinded value, remove
+ * the blinding factor to obtain a raw RSA-FDH signature over the original
+ * token that the admin never saw.
+ *
+ * Math: signed_blinded = (FDH(t) · r^e)^d = FDH(t)^d · r mod n.
+ * Multiplying by r^(-1) mod n yields FDH(t)^d = the raw signature.
+ */
+export function unblindSignature(blindedSignature, r, pubKey) {
+    const rInv = modInverse(r, pubKey.n);
+    return (blindedSignature * rInv) % pubKey.n;
+}
+/**
+ * Verify a (token, signature) pair against the admin's public key.
+ * True iff signature^e ≡ FDH(token) (mod n).
+ */
+export function verifyTokenSignature(tokenBytes, signature, pubKey) {
+    if (signature <= 0n || signature >= pubKey.n)
+        return false;
+    const expected = fdh(tokenBytes, pubKey.n, pubKey.modulusBytes);
+    const actual = rawPublicOp(pubKey, signature);
+    return expected === actual;
+}
+// ======================================================================
+//  Key generation and export/import
+// ======================================================================
+export function generateGroupKey(bits = 2048) {
+    const { publicKey, privateKey } = generateKeyPairSync('rsa', {
+        modulusLength: bits,
+        publicExponent: 65537,
+    });
+    const jwk = publicKey.export({ format: 'jwk' });
+    const n = bytesToBigint(Buffer.from(jwk.n, 'base64url'));
+    const e = bytesToBigint(Buffer.from(jwk.e, 'base64url'));
+    const modulusBytes = Math.ceil(bits / 8);
+    return {
+        n, e, modulusBytes,
+        keyObj: publicKey,
+        keyObjPriv: privateKey,
+    };
+}
+export function exportGroupPublicKey(key) {
+    return {
+        n: key.n.toString(16),
+        e: key.e.toString(16),
+        modulusBytes: key.modulusBytes,
+    };
+}
+export function importGroupPublicKey(exported) {
+    const n = BigInt('0x' + exported.n);
+    const e = BigInt('0x' + exported.e);
+    const nBytes = bigintToBytes(n, exported.modulusBytes);
+    let eHex = e.toString(16);
+    if (eHex.length % 2)
+        eHex = '0' + eHex;
+    const eBytes = Buffer.from(eHex, 'hex');
+    const keyObj = createPublicKey({
+        key: {
+            kty: 'RSA',
+            n: nBytes.toString('base64url'),
+            e: eBytes.toString('base64url'),
+        },
+        format: 'jwk',
+    });
+    return { n, e, modulusBytes: exported.modulusBytes, keyObj };
+}
+/**
+ * Admin holds the group private key and a roster of authorized members.
+ * Admin does NOT hold any of the tokens, by design — blind signing means
+ * the admin never sees what they signed. This is the key privacy property.
+ *
+ * The admin's responsibilities are purely social: decide who's in the
+ * group, set per-member quotas, rotate the group key when someone leaves.
+ */
+export class GroupAdmin {
+    groupId;
+    key;
+    members;
+    constructor(groupId, key, members) {
+        this.groupId = groupId;
+        this.key = key;
+        this.members = members;
+    }
+    static create(groupId, bits = 2048) {
+        return new GroupAdmin(groupId, generateGroupKey(bits), new Map());
+    }
+    addMember(pubkey, quotaPerBatch = 100, validForDays = 365) {
+        this.members.set(pubkey, {
+            pubkey,
+            expiresAt: Date.now() + validForDays * 86400_000,
+            quotaPerBatch,
+        });
+    }
+    removeMember(pubkey) {
+        return this.members.delete(pubkey);
+    }
+    /**
+     * Sign a batch of blinded tokens submitted by a member. The admin
+     * authenticates the request out-of-band (member identity auth happens
+     * at the HTTP layer via a member signing key — not modelled here).
+     *
+     * Throws on: unknown member, expired membership, batch-too-large.
+     */
+    signBatch(memberPubkey, blinded) {
+        const member = this.members.get(memberPubkey);
+        if (!member)
+            throw new Error(`unknown member: ${memberPubkey.slice(0, 16)}...`);
+        if (member.expiresAt < Date.now())
+            throw new Error('member membership expired');
+        if (blinded.length > member.quotaPerBatch) {
+            throw new Error(`batch size ${blinded.length} exceeds quota ${member.quotaPerBatch}`);
+        }
+        return blinded.map((b) => signBlinded(b, this.key));
+    }
+    publicKey() {
+        return exportGroupPublicKey(this.key);
+    }
+}
+/**
+ * Member holds an identity pubkey (used by the admin for roster lookup)
+ * and a local stash of unused (token, signature) pairs. Tokens are single-
+ * use — consume one per borrow. Admin never saw any of these tokens.
+ */
+export class GroupMember {
+    memberPubkey;
+    groupPublicKey;
+    tokens = [];
+    constructor(memberPubkey, groupPublicKey) {
+        this.memberPubkey = memberPubkey;
+        this.groupPublicKey = groupPublicKey;
+    }
+    /**
+     * Step 1 of a token batch: generate random tokens, blind each, return
+     * the blinded values (to send to admin) plus the per-token state
+     * (kept locally for unblinding after admin responds).
+     */
+    prepareBatch(count) {
+        const blinded = [];
+        const state = [];
+        for (let i = 0; i < count; i++) {
+            const token = randomBytes(32);
+            const { blinded: b, r } = blindToken(token, this.groupPublicKey);
+            blinded.push(b);
+            state.push({ token, r });
+        }
+        return { blinded, state };
+    }
+    /**
+     * Step 2 of a token batch: unblind each admin-signed value, verify the
+     * resulting raw signature, and add the (token, signature) pair to the
+     * local stash. Any verification failure throws — we never store a token
+     * whose signature doesn't check out.
+     */
+    finalizeBatch(signedBlinded, state) {
+        if (signedBlinded.length !== state.length) {
+            throw new Error('finalizeBatch: length mismatch');
+        }
+        const toStore = [];
+        for (let i = 0; i < signedBlinded.length; i++) {
+            const signature = unblindSignature(signedBlinded[i], state[i].r, this.groupPublicKey);
+            if (!verifyTokenSignature(state[i].token, signature, this.groupPublicKey)) {
+                throw new Error(`finalizeBatch: signature ${i} failed verification`);
+            }
+            toStore.push({ token: state[i].token, signature });
+        }
+        this.tokens.push(...toStore);
+    }
+    consumeToken() {
+        return this.tokens.shift() ?? null;
+    }
+    tokenCount() {
+        return this.tokens.length;
+    }
+}
+/**
+ * Lender holds the group public key and a set of token hashes that have
+ * already been redeemed. Memory-only in v1; a persisted set would be a
+ * sqlite table keyed on token hash, or just a file of sha256 hex lines.
+ *
+ * The lender LEARNS NOTHING about which member borrowed. That's the
+ * whole point — blind signatures decouple "who signed this request"
+ * (the admin, uniformly) from "who holds the token" (one specific
+ * member who is anonymous to the lender).
+ */
+export class GroupLender {
+    groupId;
+    groupPublicKey;
+    seenTokens = new Set();
+    maxSeenTokens;
+    constructor(groupId, groupPublicKey, opts = {}) {
+        this.groupId = groupId;
+        this.groupPublicKey = groupPublicKey;
+        this.maxSeenTokens = opts.maxSeenTokens ?? 100_000;
+    }
+    acceptBorrow(token, signature) {
+        if (!verifyTokenSignature(token, signature, this.groupPublicKey)) {
+            return { ok: false, reason: 'invalid_signature' };
+        }
+        const hash = createHash('sha256').update(token).digest('hex');
+        if (this.seenTokens.has(hash)) {
+            return { ok: false, reason: 'double_spend' };
+        }
+        this.seenTokens.add(hash);
+        if (this.seenTokens.size > this.maxSeenTokens) {
+            const oldest = this.seenTokens.values().next().value;
+            if (oldest)
+                this.seenTokens.delete(oldest);
+        }
+        return { ok: true };
+    }
+    seenCount() {
+        return this.seenTokens.size;
+    }
+}
+export function encodeBorrowEnvelope(groupId, bt, request) {
+    const env = {
+        v: 1,
+        groupId,
+        token: bt.token.toString('base64url'),
+        sig: bt.signature.toString(16),
+        request,
+    };
+    return JSON.stringify(env);
+}
+export function decodeBorrowEnvelope(s) {
+    try {
+        const obj = JSON.parse(s);
+        if (obj?.v !== 1 ||
+            typeof obj.groupId !== 'string' ||
+            typeof obj.token !== 'string' ||
+            typeof obj.sig !== 'string' ||
+            obj.request === undefined) {
+            return null;
+        }
+        return obj;
+    }
+    catch {
+        return null;
+    }
+}
+export function parseBorrowToken(env) {
+    try {
+        return {
+            token: Buffer.from(env.token, 'base64url'),
+            signature: BigInt('0x' + env.sig),
+        };
+    }
+    catch {
+        return null;
+    }
+}

package/dist/shim/runtime.cjs

@@ -31,20 +31,64 @@ function log(msg) {
   }
 }
 
+/**
+ * Detect the JS runtime we've been loaded into. Shim was designed for
+ * Node — Bun ships its own fetch + undici with slightly different
+ * internals, and Deno's fetch is a completely different implementation.
+ * Patching globalThis.fetch works in all three, but body/header semantics
+ * may drift. We log a warning for non-Node runtimes so surprising
+ * behavior is traceable to the root cause.
+ *
+ * When Anthropic eventually ships a Bun-compiled / single-binary CC,
+ * this detector is the canary — a user running `dario shim -- claude ...`
+ * against a Bun CC will see the warning and know to expect quirks.
+ */
+function detectRuntime() {
+  if (typeof globalThis.Bun !== 'undefined') return 'bun';
+  if (typeof globalThis.Deno !== 'undefined') return 'deno';
+  if (typeof process !== 'undefined' && process.versions && process.versions.node) return 'node';
+  return 'unknown';
+}
+
+const RUNTIME = detectRuntime();
+if (RUNTIME !== 'node') {
+  log(`running under ${RUNTIME} — shim was validated against Node. Body/header semantics may differ.`);
+}
+
 let template = null;
+let templateMtime = 0;
+
+/**
+ * Load the template, re-reading from disk if the file's mtime has changed.
+ * Auto-refresh matters for long-running shim sessions: dario's live
+ * fingerprint capture may update the template file mid-session (daily
+ * refresh), and we'd like the shim to pick up the new version without
+ * requiring a child restart.
+ *
+ * Cached in memory between calls so we don't stat on every intercept.
+ */
 function loadTemplate() {
-  if (template) return template;
   try {
+    const stat = fs.statSync(TEMPLATE_PATH);
+    if (template && stat.mtimeMs === templateMtime) return template;
     const raw = fs.readFileSync(TEMPLATE_PATH, 'utf-8');
     const parsed = JSON.parse(raw);
     if (parsed && parsed.agent_identity && parsed.system_prompt && Array.isArray(parsed.tools)) {
+      const prevVersion = template && template.cc_version;
       template = parsed;
-      log(`template loaded from ${TEMPLATE_PATH} (cc_version=${parsed.cc_version || 'unknown'})`);
+      templateMtime = stat.mtimeMs;
+      if (prevVersion && prevVersion !== parsed.cc_version) {
+        log(`template reloaded: cc_version ${prevVersion} → ${parsed.cc_version}`);
+      } else {
+        log(`template loaded from ${TEMPLATE_PATH} (cc_version=${parsed.cc_version || 'unknown'}${
+          Array.isArray(parsed.header_order) ? `, header_order=${parsed.header_order.length}` : ''
+        })`);
+      }
       return template;
     }
     log(`template at ${TEMPLATE_PATH} missing required fields — passthrough`);
   } catch (e) {
-    log(`template load failed: ${e.message} — passthrough`);
+    if (e.code !== 'ENOENT') log(`template load failed: ${e.message} — passthrough`);
   }
   return null;
 }
@@ -75,31 +119,108 @@ function rewriteBody(bodyText, tmpl) {
   try { body = JSON.parse(bodyText); } catch (_) { return null; }
   if (!body || typeof body !== 'object') return null;
 
-  // CC system shape: array of 3 blocks — billing tag, agent identity, system prompt.
-  // We replace blocks [1] and [2] with template values; block [0] (the billing tag)
-  // is left alone since the host process owns its OAuth context.
-  if (Array.isArray(body.system) && body.system.length >= 1) {
-    const billingTag = body.system[0];
-    body.system = [
-      billingTag,
-      { type: 'text', text: tmpl.agent_identity, cache_control: { type: 'ephemeral', ttl: '1h' } },
-      { type: 'text', text: tmpl.system_prompt,  cache_control: { type: 'ephemeral', ttl: '1h' } },
-    ];
+  // Defensive shape check. Real CC sends:
+  //   system: [billing_tag, agent_identity, system_prompt]  (length 3, all text blocks)
+  // If we see anything else — a one-element system, a four-element system,
+  // an image block in system[0], CC shipping a restructured system array
+  // in a future release — passthrough instead of rewriting. Blindly
+  // replacing blocks we don't understand can corrupt the request in ways
+  // that break the child silently (think: 400 with "unexpected block type").
+  //
+  // The old logic accepted `length >= 1`, creating [1] and [2] out of thin
+  // air when they didn't exist. That's a recipe for template drift incidents
+  // when CC's shape changes. Strict check, log, passthrough on mismatch.
+  if (!Array.isArray(body.system) || body.system.length !== 3) {
+    log(`body rewrite skipped: system has ${Array.isArray(body.system) ? body.system.length : 'no'} blocks, expected 3`);
+    return null;
   }
+  const allText = body.system.every((b) =>
+    b && typeof b === 'object' && b.type === 'text' && typeof b.text === 'string',
+  );
+  if (!allText) {
+    log('body rewrite skipped: system contains non-text blocks');
+    return null;
+  }
+
+  const billingTag = body.system[0];
+  body.system = [
+    billingTag,
+    { type: 'text', text: tmpl.agent_identity, cache_control: { type: 'ephemeral', ttl: '1h' } },
+    { type: 'text', text: tmpl.system_prompt,  cache_control: { type: 'ephemeral', ttl: '1h' } },
+  ];
   body.tools = tmpl.tools;
   return JSON.stringify(body);
 }
 
 function rewriteHeaders(headers, tmpl) {
   // Headers in fetch() init can be Headers, plain object, or array of pairs.
-  // Normalize into a plain object so we can mutate, then return Headers.
-  const out = new Headers(headers || {});
+  // We normalize into a Map (lowercased keys, insertion-order iteration),
+  // then return an array of [name, value] pairs — a valid HeadersInit —
+  // which fetch() will serialize on the wire in our exact order.
+  //
+  // A plain Headers object won't do: per the fetch spec, Headers iteration
+  // is sorted alphabetically, so building a Headers with sets in order
+  // would succeed internally but iteration (and any downstream code that
+  // reads via for...of) would see sorted order. Using an array bypasses
+  // that entirely — the HTTP layer writes pairs in array order.
+  //
+  // This is the v3.13 "hide in the population" hook: when the live capture
+  // has recorded CC's header sequence, we replay it on every outbound
+  // request so Anthropic sees the same shape we observed.
+  const src = new Headers(headers || {});
+  const snapshot = new Map();
+  for (const [name, value] of src) {
+    snapshot.set(name.toLowerCase(), value);
+  }
   if (tmpl.cc_version) {
-    out.set('user-agent', `claude-cli/${tmpl.cc_version} (external, cli)`);
-    out.set('x-anthropic-billing-header', `cc_version=${tmpl.cc_version}`);
+    snapshot.set('user-agent', `claude-cli/${tmpl.cc_version} (external, cli)`);
+    snapshot.set('x-anthropic-billing-header', `cc_version=${tmpl.cc_version}`);
+  }
+  snapshot.set('anthropic-beta', tmpl.anthropic_beta || 'claude-code-20250219');
+
+  if (!Array.isArray(tmpl.header_order) || tmpl.header_order.length === 0) {
+    return [...snapshot.entries()];
   }
-  out.set('anthropic-beta', tmpl.anthropic_beta || 'claude-code-20250219');
-  return out;
+
+  // Rebuild in the captured order. Any header the caller supplied that
+  // wasn't in the captured order gets appended at the end so we don't
+  // silently drop host-added headers (content-type, content-length).
+  const ordered = [];
+  const seen = new Set();
+  for (const name of tmpl.header_order) {
+    const key = name.toLowerCase();
+    if (snapshot.has(key)) {
+      ordered.push([key, snapshot.get(key)]);
+      seen.add(key);
+    }
+  }
+  for (const [key, value] of snapshot) {
+    if (!seen.has(key)) {
+      ordered.push([key, value]);
+    }
+  }
+  return ordered;
+}
+
+/**
+ * Warn when the child's user-agent cc_version differs from the template's.
+ * Useful signal during a CC upgrade: the user installed a new CC but the
+ * live template cache is stale, so we're about to fingerprint as an older
+ * version than the actual CC binary. The shim still works — we overwrite
+ * the user-agent regardless — but logging the drift makes debugging
+ * easier when a user reports "Anthropic started seeing me as 2.1.200 even
+ * though I'm running 2.1.250".
+ */
+function checkVersionDrift(headers, tmpl) {
+  if (!tmpl || !tmpl.cc_version) return;
+  try {
+    const h = new Headers(headers || {});
+    const ua = h.get('user-agent') || '';
+    const match = ua.match(/claude-cli\/(\d+\.\d+\.\d+)/);
+    if (match && match[1] && match[1] !== tmpl.cc_version) {
+      log(`version drift: child cc_version=${match[1]}, template cc_version=${tmpl.cc_version} — shim will impersonate template version`);
+    }
+  } catch (_) { /* noop */ }
 }
 
 function shouldIntercept(input, init) {
@@ -144,10 +265,12 @@ async function darioShimFetch(input, init) {
       return originalFetch.call(this, input, init);
     }
 
+    const srcHeaders = (init && init.headers) || (input && input.headers);
+    checkVersionDrift(srcHeaders, tmpl);
     const newInit = Object.assign({}, init || {}, {
       method: 'POST',
       body: rewritten,
-      headers: rewriteHeaders((init && init.headers) || (input && input.headers), tmpl),
+      headers: rewriteHeaders(srcHeaders, tmpl),
     });
     const url = typeof input === 'string' ? input : input.url;
 
@@ -179,6 +302,9 @@ if (process.env.DARIO_SHIM === '1') {
 module.exports = {
   _rewriteBody: rewriteBody,
   _rewriteHeaders: rewriteHeaders,
+  _checkVersionDrift: checkVersionDrift,
+  _detectRuntime: detectRuntime,
+  _loadTemplate: loadTemplate,
   _shouldIntercept: shouldIntercept,
   _isAnthropicMessages: isAnthropicMessages,
   _darioShimFetch: darioShimFetch,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.12.0",
+  "version": "3.13.0",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {
@@ -21,7 +21,7 @@
   ],
   "scripts": {
     "build": "tsc && cp src/cc-template-data.json dist/ && node -e \"require('fs').mkdirSync('dist/shim',{recursive:true})\" && cp src/shim/runtime.cjs dist/shim/",
-    "test": "node test/issue-29-tool-translation.mjs && node test/hybrid-tools.mjs && node test/scrub-paths.mjs && node test/provider-prefix.mjs && node test/analytics-recording.mjs && node test/analytics-billing-bucket.mjs && node test/failover-429.mjs && node test/live-fingerprint.mjs && node test/shim-runtime.mjs && node test/shim-e2e.mjs",
+    "test": "node test/issue-29-tool-translation.mjs && node test/hybrid-tools.mjs && node test/scrub-paths.mjs && node test/provider-prefix.mjs && node test/analytics-recording.mjs && node test/analytics-billing-bucket.mjs && node test/failover-429.mjs && node test/pool-sticky.mjs && node test/sealed-pool.mjs && node test/live-fingerprint.mjs && node test/shim-runtime.mjs && node test/shim-e2e.mjs",
     "audit": "npm audit --production --audit-level=high",
     "prepublishOnly": "npm run build",
     "start": "node dist/cli.js",