@askalf/dario 3.16.0 → 3.19.1

package/dist/live-fingerprint.js

@@ -84,13 +84,20 @@
  * contributor — or dario maintainer six months from now — can pick up
  * the right piece without re-deriving the threat model.
  */
-import { spawn } from 'node:child_process';
+import { spawn, execFileSync } from 'node:child_process';
 import { createServer } from 'node:http';
-import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'node:fs';
+import { readFileSync, writeFileSync, mkdirSync, existsSync, renameSync, unlinkSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 const __dirname = dirname(fileURLToPath(import.meta.url));
+/**
+ * Cache-file schema version. Bump when `TemplateData` gains a required
+ * field or changes shape in a way that would make older caches produce
+ * wrong behavior if loaded verbatim. Mismatched caches are rejected at
+ * load time so the fallback + next background refresh write a fresh one.
+ */
+export const CURRENT_SCHEMA_VERSION = 2;
 const LIVE_CACHE = join(homedir(), '.dario', 'cc-template.live.json');
 const LIVE_TTL_MS = 24 * 60 * 60 * 1000; // re-extract once a day
 /**
@@ -162,20 +169,87 @@ function loadBundledTemplate() {
 function readLiveCache() {
     if (!existsSync(LIVE_CACHE))
         return null;
+    let raw;
     try {
-        const data = JSON.parse(readFileSync(LIVE_CACHE, 'utf-8'));
-        if (!data.system_prompt || !Array.isArray(data.tools) || data.tools.length === 0)
-            return null;
-        data._source = 'live';
-        return data;
+        raw = readFileSync(LIVE_CACHE, 'utf-8');
     }
     catch {
         return null;
     }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (err) {
+        // Unparseable JSON — typically a crash or power-loss mid-write on a
+        // pre-v3.17 dario that still used a non-atomic writer. Quarantine
+        // the bad file so the next refresh can write a clean one, and log
+        // loudly so the user doesn't silently sit on a broken cache forever.
+        quarantineCorruptCache(`unparseable JSON (${err.message})`);
+        return null;
+    }
+    if (!parsed || !parsed.system_prompt || !Array.isArray(parsed.tools) || parsed.tools.length === 0) {
+        quarantineCorruptCache('missing required fields (system_prompt / tools)');
+        return null;
+    }
+    // Schema version mismatch is NOT corruption — it's an expected event on
+    // dario upgrade or downgrade. Skip the cache silently; the background
+    // refresh will rewrite it in the new shape.
+    if (parsed._schemaVersion !== CURRENT_SCHEMA_VERSION)
+        return null;
+    parsed._source = 'live';
+    return parsed;
+}
+/**
+ * Rename a corrupt cache file aside to `.corrupt-<ISO>` so the next
+ * refresh writes a fresh cache without first having to overwrite a bad
+ * file. Keeping the original as-is would also work, but quarantining
+ * makes it clearer in `ls ~/.dario` that the file was rejected, and
+ * preserves the contents for post-mortem in case a user files an issue.
+ */
+function quarantineCorruptCache(reason) {
+    try {
+        const stamp = new Date().toISOString().replace(/[:.]/g, '-');
+        const aside = `${LIVE_CACHE}.corrupt-${stamp}`;
+        renameSync(LIVE_CACHE, aside);
+        console.error(`[dario] ⚠  live template cache rejected: ${reason}. Quarantined to ${aside}. Next background refresh will re-capture.`);
+    }
+    catch (err) {
+        // If the rename itself fails, leave the file in place — a subsequent
+        // refresh will overwrite it atomically. Log so the state is visible.
+        console.error(`[dario] ⚠  live template cache rejected: ${reason}. (quarantine rename failed: ${err.message})`);
+    }
+}
+/**
+ * Atomic JSON write: dump to a sibling `.tmp` file, then rename over the
+ * target path. A crash or Ctrl+C between writes never leaves a half-
+ * written file where `JSON.parse` would throw on next read. Uses a pid-
+ * qualified tmp name so concurrent dario processes don't stomp on each
+ * other's partial writes. Exposed for tests via `_atomicWriteJsonForTest`.
+ */
+function atomicWriteJson(targetPath, data) {
+    mkdirSync(dirname(targetPath), { recursive: true });
+    const tmp = `${targetPath}.${process.pid}.tmp`;
+    try {
+        writeFileSync(tmp, JSON.stringify(data, null, 2));
+        renameSync(tmp, targetPath);
+    }
+    catch (err) {
+        // Clean up the stray tmp if the rename failed; swallow its own
+        // unlink error — nothing useful to do with it.
+        try {
+            unlinkSync(tmp);
+        }
+        catch { /* noop */ }
+        throw err;
+    }
+}
+/** Test-only surface for `atomicWriteJson`. Production code uses `writeLiveCache`. */
+export function _atomicWriteJsonForTest(targetPath, data) {
+    atomicWriteJson(targetPath, data);
 }
 function writeLiveCache(data) {
-    mkdirSync(dirname(LIVE_CACHE), { recursive: true });
-    writeFileSync(LIVE_CACHE, JSON.stringify(data, null, 2));
+    atomicWriteJson(LIVE_CACHE, data);
 }
 /**
  * Run a loopback MITM server on a random port, spawn CC with
@@ -302,6 +376,14 @@ async function runCapture(timeoutMs) {
                 settle(null);
                 return;
             }
+            // Node 20+ won't spawn `.cmd`/`.bat` without `shell: true` (CVE-2024-27980).
+            // `useShell` triggers cmd.exe on Windows — reject overrides that carry
+            // shell metacharacters before the spawn, same guard as probeInstalledCCVersion.
+            const useShell = process.platform === 'win32' && /\.(cmd|bat)$/i.test(claudeBin);
+            if (useShell && /[&|><^"'%\r\n`$;(){}[\]]/.test(claudeBin)) {
+                settle(null);
+                return;
+            }
             try {
                 child = spawn(claudeBin, ['--print', '-p', 'hi'], {
                     env: {
@@ -313,6 +395,7 @@ async function runCapture(timeoutMs) {
                     },
                     stdio: ['ignore', 'ignore', 'ignore'],
                     windowsHide: true,
+                    shell: useShell,
                 });
                 child.on('error', () => settle(null));
                 child.on('exit', () => {
@@ -331,6 +414,17 @@ async function runCapture(timeoutMs) {
         setTimeout(() => settle(captured), timeoutMs);
     });
 }
+/**
+ * Locate the installed `claude` binary and its version. Thin public
+ * wrapper over `findClaudeBinary` + `probeInstalledCCVersion` — the
+ * doctor CLI and external callers use this to report install state
+ * without reaching into module-private helpers.
+ */
+export function findInstalledCC() {
+    const path = findClaudeBinary();
+    const version = path ? probeInstalledCCVersion() : null;
+    return { path, version };
+}
 function findClaudeBinary() {
     // Honor an explicit override first — useful for tests and for users on
     // non-standard installs.
@@ -394,15 +488,287 @@ export function extractTemplate(captured) {
         return null;
     const version = extractCCVersion(captured.headers) ?? 'unknown';
     const headerOrder = extractHeaderOrder(captured.rawHeaders);
+    const anthropicBeta = captured.headers['anthropic-beta'];
+    const headerValues = extractStaticHeaderValues(captured.headers);
     return {
         _version: version,
         _captured: new Date().toISOString(),
         _source: 'live',
+        _schemaVersion: CURRENT_SCHEMA_VERSION,
         agent_identity: agentIdentity,
         system_prompt: systemPrompt,
         tools,
         tool_names: tools.map((t) => t.name),
         header_order: headerOrder,
+        anthropic_beta: typeof anthropicBeta === 'string' ? anthropicBeta : undefined,
+        header_values: Object.keys(headerValues).length > 0 ? headerValues : undefined,
+    };
+}
+/**
+ * Pick header values from the captured request that CC would set identically
+ * on every outbound call. The replayer overlays these on top of whatever the
+ * caller supplied, so anything session-scoped, auth-bearing, or computed by
+ * the HTTP stack itself must be excluded.
+ */
+const STATIC_HEADER_EXCLUDE = new Set([
+    // Auth — never replay across identities
+    'authorization',
+    // Body-framing — computed per request
+    'content-type', 'content-length', 'transfer-encoding',
+    // Host / connection — managed by the HTTP stack
+    'host', 'connection', 'keep-alive', 'accept-encoding',
+    // Session / request identifiers — rotate per call
+    'x-claude-code-session-id', 'x-client-request-id', 'x-request-id',
+    // Beta flag is captured separately
+    'anthropic-beta',
+    // Billing tag — rebuilt per request from cc_version
+    'x-anthropic-billing-header',
+]);
+function extractStaticHeaderValues(headers) {
+    const out = {};
+    for (const [k, v] of Object.entries(headers)) {
+        const lk = k.toLowerCase();
+        if (STATIC_HEADER_EXCLUDE.has(lk))
+            continue;
+        if (typeof v !== 'string')
+            continue;
+        out[lk] = v;
+    }
+    return out;
+}
+// ============================================================
+//  Drift detection + startup diagnostics (v3.17)
+// ============================================================
+let _installedVersionProbe = { value: null, cached: false };
+/**
+ * Sync-probe `claude --version` and return the parsed version string, e.g.
+ * `"2.1.104"`. Memoized per-process — the binary is invoked at most once,
+ * subsequent calls return the cached result. Returns `null` if the binary
+ * isn't on PATH, or the probe failed / timed out, or the output didn't
+ * match the expected format.
+ *
+ * Used by `detectDrift` to compare the installed CC against the version
+ * recorded in the cache at capture time.
+ */
+export function probeInstalledCCVersion() {
+    if (_installedVersionProbe.cached)
+        return _installedVersionProbe.value;
+    const value = probeInstalledCCVersionUncached();
+    _installedVersionProbe = { value, cached: true };
+    return value;
+}
+function probeInstalledCCVersionUncached() {
+    const bin = findClaudeBinary();
+    if (!bin)
+        return null;
+    try {
+        // Node 20+ refuses to spawn `.cmd`/`.bat` via execFile without
+        // explicit `shell: true` (CVE-2024-27980 hardening). On Windows,
+        // npm-installed CLIs commonly live behind a `.cmd` shim — detect
+        // that and opt into the shell path.
+        //
+        // `bin` is normally from findClaudeBinary's fixed allow-list, but
+        // DARIO_CLAUDE_BIN lets users override it. If that override reaches
+        // the shell path, cmd.exe interprets its contents — so reject any
+        // override that carries shell metacharacters before we spawn.
+        const useShell = process.platform === 'win32' && /\.(cmd|bat)$/i.test(bin);
+        if (useShell && /[&|><^"'%\r\n`$;(){}[\]]/.test(bin)) {
+            return null;
+        }
+        const out = execFileSync(bin, ['--version'], {
+            encoding: 'utf-8',
+            timeout: 2_000,
+            stdio: ['ignore', 'pipe', 'ignore'],
+            windowsHide: true,
+            shell: useShell,
+        });
+        // `claude --version` currently prints e.g. `1.0.79 (Claude Code)` or
+        // `claude-cli 2.1.104`. Accept anything that contains a dotted numeric
+        // version — the first match wins.
+        const m = /(\d+\.\d+\.\d+(?:[.\-][\w.\-]+)?)/.exec(out);
+        return m ? m[1] : null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Format how old a captured timestamp is, human-readable. `_captured` is
+ * an ISO string written by `extractTemplate` or the bundled snapshot.
+ * Falls back to `"unknown age"` if the timestamp doesn't parse.
+ */
+export function formatCaptureAge(capturedIso, now = Date.now()) {
+    const t = Date.parse(capturedIso);
+    if (!Number.isFinite(t))
+        return 'unknown age';
+    const ageMs = Math.max(0, now - t);
+    const s = Math.floor(ageMs / 1000);
+    if (s < 60)
+        return `${s}s`;
+    const m = Math.floor(s / 60);
+    if (m < 60)
+        return `${m}m`;
+    const h = Math.floor(m / 60);
+    if (h < 48)
+        return `${h}h`;
+    const d = Math.floor(h / 24);
+    return `${d}d`;
+}
+/**
+ * One-line human summary of the active template — what source, which CC
+ * version captured it, and how old that capture is. Proxy and shim
+ * startup log this so users can tell at a glance whether they're on a
+ * fresh live capture or a stale bundled fallback.
+ */
+export function describeTemplate(t) {
+    const source = t._source ?? 'bundled';
+    const age = formatCaptureAge(t._captured);
+    return `${source} capture, CC v${t._version} (${age} old)`;
+}
+/**
+ * Compare the loaded template's captured CC version against the version
+ * reported by `claude --version` on the current machine. Drifted caches
+ * are still usable — the shape is probably compatible — but the proxy
+ * should force-refresh ASAP so the next startup is back in sync.
+ *
+ * @param installedOverride test-only injection for unit tests; production
+ *   callers pass nothing and the real binary probe runs.
+ */
+export function detectDrift(t, installedOverride) {
+    const installed = installedOverride !== undefined ? installedOverride : probeInstalledCCVersion();
+    const cachedVersion = t._version;
+    if (installed === null) {
+        return {
+            drifted: false,
+            cachedVersion,
+            installedVersion: null,
+            message: 'installed CC version not probed (binary not on PATH or probe failed)',
+        };
+    }
+    if (installed === cachedVersion) {
+        return {
+            drifted: false,
+            cachedVersion,
+            installedVersion: installed,
+            message: `cache matches installed CC (v${installed})`,
+        };
+    }
+    return {
+        drifted: true,
+        cachedVersion,
+        installedVersion: installed,
+        message: `cache is from CC v${cachedVersion} but installed CC is v${installed} — background refresh will re-capture`,
+    };
+}
+/**
+ * Reset the memoized `claude --version` probe. Test-only — production
+ * code should never need to clear the cache since the installed binary
+ * doesn't change mid-process.
+ */
+export function _resetInstalledVersionProbeForTest() {
+    _installedVersionProbe = { value: null, cached: false };
+}
+// ============================================================
+//  CC version compat matrix (v3.17)
+// ============================================================
+/**
+ * The CC version range the current dario release has been exercised
+ * against. Update `maxTested` every time we validate against a new CC
+ * (ideally as part of the release checklist — the e2e test against the
+ * user's own CC is the ground-truth signal).
+ *
+ * - `min`: below this, dario's extractor hasn't been validated; proxy
+ *   will still run but may mis-parse CC's request body.
+ * - `maxTested`: the newest CC version the current dario release has
+ *   been exercised against. Above this, dario is *likely* fine (CC's
+ *   request shape evolves slowly) but it's explicitly untested, so
+ *   users get a soft warn and we get a signal to refresh the bundled
+ *   snapshot + rerun e2e.
+ */
+export const SUPPORTED_CC_RANGE = {
+    min: '1.0.0',
+    maxTested: '2.1.104',
+};
+/**
+ * Compare two dotted-numeric version strings. Returns negative if `a<b`,
+ * zero if equal, positive if `a>b`. Handles suffixes like `-beta.1` or
+ * `.dev` by comparing the numeric prefix first and treating anything
+ * after as a tiebreaker (strings compared lexicographically; absence of
+ * suffix beats presence, matching semver's "release > prerelease").
+ *
+ * Intentionally minimal — dario's "zero runtime deps" policy rules out
+ * pulling `semver`. CC versions are well-formed `M.m.p[-suffix]` so we
+ * don't need the full spec.
+ */
+export function compareVersions(a, b) {
+    const splitPrefixSuffix = (v) => {
+        const m = /^(\d+(?:\.\d+)*)(.*)$/.exec(v);
+        if (!m)
+            return { parts: [0], suffix: v };
+        const parts = m[1].split('.').map((s) => parseInt(s, 10));
+        return { parts, suffix: m[2] ?? '' };
+    };
+    const A = splitPrefixSuffix(a);
+    const B = splitPrefixSuffix(b);
+    const len = Math.max(A.parts.length, B.parts.length);
+    for (let i = 0; i < len; i++) {
+        const ai = A.parts[i] ?? 0;
+        const bi = B.parts[i] ?? 0;
+        if (ai !== bi)
+            return ai - bi;
+    }
+    // Numeric prefix equal — compare suffix. Empty suffix beats non-empty
+    // (release > prerelease). Otherwise lexicographic.
+    if (A.suffix === B.suffix)
+        return 0;
+    if (A.suffix === '')
+        return 1;
+    if (B.suffix === '')
+        return -1;
+    return A.suffix < B.suffix ? -1 : 1;
+}
+/**
+ * Check whether the installed CC version sits inside the supported range.
+ * Called at startup by the proxy; the result drives whether we emit a
+ * compatibility warning to the user.
+ *
+ * `unknown` is not a failure — it just means we couldn't probe (no CC on
+ * PATH, timeout, parse miss). Dario still runs on bundled template.
+ *
+ * @param installedOverride test-only injection; production callers pass nothing.
+ */
+export function checkCCCompat(installedOverride) {
+    const installed = installedOverride !== undefined ? installedOverride : probeInstalledCCVersion();
+    const range = { min: SUPPORTED_CC_RANGE.min, maxTested: SUPPORTED_CC_RANGE.maxTested };
+    if (installed === null) {
+        return {
+            status: 'unknown',
+            installedVersion: null,
+            range,
+            message: 'installed CC version not probed — compatibility unchecked',
+        };
+    }
+    if (compareVersions(installed, range.min) < 0) {
+        return {
+            status: 'below-min',
+            installedVersion: installed,
+            range,
+            message: `installed CC v${installed} is older than the minimum dario supports (v${range.min}); extractor may mis-parse requests — upgrade CC`,
+        };
+    }
+    if (compareVersions(installed, range.maxTested) > 0) {
+        return {
+            status: 'untested-above',
+            installedVersion: installed,
+            range,
+            message: `installed CC v${installed} is newer than dario's last tested version (v${range.maxTested}); usually fine, but untested`,
+        };
+    }
+    return {
+        status: 'ok',
+        installedVersion: installed,
+        range,
+        message: `installed CC v${installed} is within the tested range (v${range.min} – v${range.maxTested})`,
     };
 }
 /**

package/dist/openai-backend.js

@@ -13,10 +13,27 @@
  * in a follow-up release.
  */
 import { readFile, writeFile, mkdir, unlink, readdir } from 'node:fs/promises';
-import { join } from 'node:path';
+import { join, basename } from 'node:path';
 import { homedir } from 'node:os';
 const DARIO_DIR = join(homedir(), '.dario');
 const BACKENDS_DIR = join(DARIO_DIR, 'backends');
+/**
+ * Normalize a caller-supplied backend name into a filesystem-safe leaf.
+ * Strips any directory component and rejects names outside the allowed
+ * charset. Defense in depth — CLI input is already constrained.
+ */
+function safeBackendPath(name) {
+    if (typeof name !== 'string' || name.length === 0)
+        return null;
+    const leaf = basename(name);
+    if (leaf !== name)
+        return null;
+    if (leaf === '.' || leaf === '..')
+        return null;
+    if (!/^[A-Za-z0-9][A-Za-z0-9_\-.]{0,63}$/.test(leaf))
+        return null;
+    return join(BACKENDS_DIR, `${leaf}.json`);
+}
 async function ensureDir() {
     await mkdir(BACKENDS_DIR, { recursive: true, mode: 0o700 });
 }
@@ -40,12 +57,16 @@ export async function listBackends() {
     }
 }
 export async function saveBackend(creds) {
+    const path = safeBackendPath(creds.name);
+    if (!path)
+        throw new Error(`invalid backend name: ${creds.name}`);
     await ensureDir();
-    const path = join(BACKENDS_DIR, `${creds.name}.json`);
     await writeFile(path, JSON.stringify(creds, null, 2), { mode: 0o600 });
 }
 export async function removeBackend(name) {
-    const path = join(BACKENDS_DIR, `${name}.json`);
+    const path = safeBackendPath(name);
+    if (!path)
+        return false;
     try {
         await unlink(path);
         return true;