@askalf/dario 3.19.0 → 3.19.2

package/README.md

@@ -11,6 +11,10 @@
   <a href="https://www.npmjs.com/package/@askalf/dario"><img src="https://img.shields.io/npm/dm/@askalf/dario" alt="Downloads"></a>
 </p>
 
+<p align="center">
+  <sub><strong>v4 is not a version bump.</strong> The router was the prerequisite. What comes next uses it as a substrate. — <a href="https://github.com/askalf/dario/discussions/categories/announcements">watch this space</a></sub>
+</p>
+
 ```bash
 npm install -g @askalf/dario && dario proxy
 ```
@@ -88,7 +92,7 @@ Something broken? `dario doctor` prints a single aggregated health report — da
 
 **You want the proxy layer off the wire entirely.** **Shim mode** (v3.12, hardened in v3.13) is an in-process `globalThis.fetch` patch injected via `NODE_OPTIONS=--require`. No HTTP hop, no port to bind, no `BASE_URL` to set. `dario shim -- claude --print "hi"` and CC thinks it's talking directly to `api.anthropic.com`. See [Shim mode](#shim-mode).
 
-**You want to share capacity with a trusted group without surveilling each other.** The **sealed-sender overflow protocol** (v3.13) uses RSA blind signatures (Chaum 1983, implemented from scratch over Node's `crypto`) so members of a trust group can lend unused Claude capacity to each other with cryptographic unlinkability. A lender verifies "this is a valid group member" without learning *which* member. See [Sealed-sender overflow](#sealed-sender-overflow-protocol).
+**You want to share capacity with a trusted group without surveilling each other.** The **sealed-sender overflow protocol** (v3.13) uses RSA blind signatures (Chaum 1983, implemented from scratch over Node's `crypto`) so members of a trust group can lend unused Claude capacity to each other with cryptographic unlinkability. A lender verifies "this is a valid group member" without learning *which* member. Dario ships the primitive; [mux](https://github.com/askalf/mux) is the dedicated product around it (group admin, key distribution, member workflow, borrower CLI). See [Sealed-sender overflow](#sealed-sender-overflow-protocol).
 
 **You want to actually audit the thing.** ~7,600 lines of TypeScript across ~15 files. Zero runtime dependencies (`npm ls --production` confirms). Credentials at `~/.dario/` with `0600` permissions. `127.0.0.1`-only by default. Every release [SLSA-attested](https://www.npmjs.com/package/@askalf/dario) via GitHub Actions. Nothing phones home. Small enough to read in a weekend.
 
@@ -232,6 +236,8 @@ Trust-group members can lend each other Claude capacity with **cryptographic unl
 
 Full feature-parity with `/v1/messages` (streaming, inside-request 429 failover, reverse tool mapping) for borrowed requests is intentionally a follow-up — the current release ships the cryptographic primitive and a working minimal endpoint; full integration layers on top.
 
+**Dedicated product.** The sealed-sender protocol has a dedicated product around it: [mux](https://github.com/askalf/mux). mux carries the group admin tooling (key generation, member roster, batch signing), the member workflow (prepare / finalize / status), the borrower CLI, and the lender daemon as a coherent surface. It uses dario as its backend — a mux lender runs a dario pool and fronts it with `/v1/pool/borrow`. Dario keeps the primitive here for anyone who wants to embed it without running the full mux flow; for peer-to-peer capacity sharing as a product, use mux.
+
 ---
 
 ## Shim mode

package/dist/cc-template.js

@@ -232,7 +232,10 @@ const TOOL_MAP = {
     execute_command: {
         ccTool: 'Bash',
         translateArgs: (a) => ({ command: a.command || a.cmd || '', ...(a.description ? { description: a.description } : {}) }),
-        translateBack: (a) => ({ command: a.command ?? '', ...(a.description ? { description: a.description } : { description: a.command ?? '' }) }),
+        // requires_approval is required by Cline's execute_command schema. Default
+        // to false — CC already gates Bash upstream through its own permission
+        // model, and the borrower controls their own auto-approval settings.
+        translateBack: (a) => ({ command: a.command ?? '', requires_approval: false, ...(a.description ? { description: a.description } : { description: a.command ?? '' }) }),
     },
     // Cursor
     run_terminal_cmd: {
@@ -336,7 +339,9 @@ const TOOL_MAP = {
     replace_in_file: {
         ccTool: 'Edit',
         translateArgs: (a) => ({ file_path: a.path || a.filePath || a.file_path || '', old_string: a.old_string || a.old || '', new_string: a.new_string || a.new || '' }),
-        translateBack: (a) => ({ path: a.file_path ?? '', old_string: a.old_string ?? '', new_string: a.new_string ?? '' }),
+        // Cline's schema requires `diff`, not old_string/new_string — formatted as
+        // one SEARCH/REPLACE block (see replace_in_file.ts in cline/cline).
+        translateBack: (a) => ({ path: a.file_path ?? '', diff: `------- SEARCH\n${a.old_string ?? ''}\n=======\n${a.new_string ?? ''}\n+++++++ REPLACE` }),
     },
     // Roo Code
     apply_diff: {

package/dist/live-fingerprint.js

@@ -513,6 +513,14 @@ export function extractTemplate(captured) {
 const STATIC_HEADER_EXCLUDE = new Set([
     // Auth — never replay across identities
     'authorization',
+    // x-api-key is a CAPTURE ARTIFACT (dario#42). During capture we spawn CC
+    // with ANTHROPIC_API_KEY=sk-dario-fingerprint-capture pointing at a loopback
+    // MITM, so CC emits `x-api-key: sk-dario-fingerprint-capture`. Replaying
+    // that placeholder upstream alongside the real OAuth Bearer used to be a
+    // no-op because Anthropic ignored x-api-key when Authorization was present;
+    // as of 2026-04-17 some account tiers now 401 with "invalid x-api-key" when
+    // both are sent. Never capture it.
+    'x-api-key',
     // Body-framing — computed per request
     'content-type', 'content-length', 'transfer-encoding',
     // Host / connection — managed by the HTTP stack

package/dist/proxy.js

@@ -493,8 +493,17 @@ export async function startProxy(opts = {}) {
     // Excludes auth + body-framing + session-scoped keys by construction (see
     // extractStaticHeaderValues in live-fingerprint.ts). No-op when the loaded
     // template predates v2 or the bundled snapshot is in use.
+    //
+    // `x-api-key` is filtered defensively here too — pre-v3.19.2 captures still
+    // carry `x-api-key: sk-dario-fingerprint-capture` from the MITM spawn env.
+    // Replaying that placeholder alongside a real OAuth Bearer triggers a
+    // "invalid x-api-key" 401 on some account tiers as of 2026-04-17 (dario#42).
+    // The capture filter was updated in v3.19.2 to stop storing it, but the
+    // per-request skip below lets existing caches self-heal without a refresh.
     if (!passthrough && CC_TEMPLATE.header_values) {
         for (const [k, v] of Object.entries(CC_TEMPLATE.header_values)) {
+            if (k.toLowerCase() === 'x-api-key')
+                continue;
             staticHeaders[k] = v;
         }
     }
@@ -507,6 +516,14 @@ export async function startProxy(opts = {}) {
     // is the single-account slot. Reported by @boeingchoco in dario#36 — the
     // retry loop was firing on every POST with hybrid-tools + OC.
     const context1mUnavailable = new Set();
+    // Per-account cache of anthropic-beta flags the upstream has rejected as
+    // "Unexpected value(s)". The live-captured template lifts whatever CC emits
+    // verbatim — including flags gated to higher-tier accounts (e.g.
+    // `afk-mode-2026-01-31` is rejected on Max 5x as of 2026-04-17). On the
+    // first rejection we parse the flag out of the error message, strip it,
+    // retry once, and cache it so subsequent requests on the same account don't
+    // re-pay the 400 round-trip. Keyed by account alias (pool) or `__default__`.
+    const unavailableBetas = new Map();
     const ACCOUNT_KEY_SINGLE = '__default__';
     // Beta flag set — sourced from the live template when the capture recorded
     // one (schema v2+), else falls back to the v2.1.104 bundled default. Same
@@ -514,7 +531,18 @@ export async function startProxy(opts = {}) {
     // never diverge on the wire). Computed once per proxy because it's a
     // function of the loaded template, not of the request.
     const BETA_FALLBACK = 'claude-code-20250219,oauth-2025-04-20,context-1m-2025-08-07,interleaved-thinking-2025-05-14,context-management-2025-06-27,prompt-caching-scope-2026-01-05,advisor-tool-2026-03-01,effort-2025-11-24';
-    const betaBase = CC_TEMPLATE.anthropic_beta || BETA_FALLBACK;
+    let betaBase = CC_TEMPLATE.anthropic_beta || BETA_FALLBACK;
+    // `oauth-2025-04-20` is CC's OAuth-enablement beta flag. It is NOT present in
+    // the live-captured beta set because dario's fingerprint capture spawns CC
+    // with a placeholder `ANTHROPIC_API_KEY`, and CC only appends the oauth beta
+    // when it's actually using an OAuth bearer token. The proxy always uses
+    // OAuth upstream, so the flag is required — force it in if the captured
+    // template didn't carry it. As of 2026-04-17 some account tiers (Max 20x,
+    // Pro) return `authentication_error: invalid x-api-key` without this flag
+    // even when a valid Bearer is sent (dario#42).
+    if (!passthrough && !betaBase.split(',').includes('oauth-2025-04-20')) {
+        betaBase = betaBase ? `${betaBase},oauth-2025-04-20` : 'oauth-2025-04-20';
+    }
     const betaWithoutContext1m = betaBase.split(',').filter((t) => t !== 'context-1m-2025-08-07').join(',');
     // Rate governor — minimum 500ms between requests. Fast enough for agents,
     // slow enough to not look like a scripted flood of identical traffic.
@@ -985,6 +1013,14 @@ export async function startProxy(opts = {}) {
                     if (filtered)
                         beta += ',' + filtered;
                 }
+                // Strip any beta flags the upstream has previously rejected on this
+                // account so we don't re-pay the 400 round-trip (dario#42 afk-mode
+                // fallout: captured templates carry tier-gated flags whose availability
+                // we only learn at request time).
+                const rejectedSet = unavailableBetas.get(acctKey);
+                if (rejectedSet && rejectedSet.size > 0) {
+                    beta = beta.split(',').filter((t) => t.length > 0 && !rejectedSet.has(t)).join(',');
+                }
             }
             // Rate governor — prevent inhuman request cadence
             const now = Date.now();
@@ -1086,7 +1122,56 @@ export async function startProxy(opts = {}) {
                     const isLongContextError = peekedBody.includes('long context')
                         || peekedBody.includes('Extra usage is required')
                         || peekedBody.includes('long_context');
-                    if (isLongContextError) {
+                    // Detect "Unexpected value(s) `flag-name` for the `anthropic-beta` header"
+                    // — the upstream's way of saying this account tier doesn't have the
+                    // flag. Parse out the offending tokens (there can be more than one),
+                    // cache them, strip, and retry.
+                    const betaRejectedFlags = [];
+                    if (upstream.status === 400 && peekedBody.includes('anthropic-beta')) {
+                        const re = /Unexpected value\(s\)\s+((?:`[^`]+`(?:\s*,\s*)?)+)\s+for the `anthropic-beta` header/;
+                        const m = peekedBody.match(re);
+                        if (m) {
+                            for (const tok of m[1].matchAll(/`([^`]+)`/g))
+                                betaRejectedFlags.push(tok[1]);
+                        }
+                    }
+                    if (betaRejectedFlags.length > 0) {
+                        const acctKey = poolAccount?.alias ?? ACCOUNT_KEY_SINGLE;
+                        let set = unavailableBetas.get(acctKey);
+                        if (!set) {
+                            set = new Set();
+                            unavailableBetas.set(acctKey, set);
+                        }
+                        const newFlags = [];
+                        for (const f of betaRejectedFlags) {
+                            if (!set.has(f)) {
+                                set.add(f);
+                                newFlags.push(f);
+                            }
+                        }
+                        if (verbose && newFlags.length > 0)
+                            console.log(`[dario] #${requestCount} anthropic-beta rejected (${newFlags.join(',')}) — retrying without (cached for session)`);
+                        const reducedBeta = beta.split(',').filter((t) => t.length > 0 && !set.has(t)).join(',');
+                        const retryHeaders = { ...headers, 'anthropic-beta': reducedBeta };
+                        const retry = await fetch(targetBase, {
+                            method: req.method ?? 'POST',
+                            headers: passthrough ? retryHeaders : orderHeadersForOutbound(retryHeaders),
+                            body: finalBody ? new Uint8Array(finalBody) : undefined,
+                            signal: upstreamAbort.signal,
+                        });
+                        upstream = retry;
+                        peekedBody = null;
+                        if (pool && poolAccount) {
+                            const retrySnapshot = parseRateLimits(upstream.headers);
+                            if (upstream.status === 429) {
+                                pool.markRejected(poolAccount.alias, retrySnapshot);
+                            }
+                            else {
+                                pool.updateRateLimits(poolAccount.alias, retrySnapshot);
+                            }
+                        }
+                    }
+                    else if (isLongContextError) {
                         // Cache the rejection so future requests on this account skip
                         // context-1m up front instead of re-paying the 400/429 round-trip.
                         const acctKey = poolAccount?.alias ?? ACCOUNT_KEY_SINGLE;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.19.0",
+  "version": "3.19.2",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {