@askalf/dario 3.19.3 → 3.19.4

package/README.md

@@ -565,7 +565,7 @@ Yes — anything that speaks the OpenAI Chat Completions API. Groq, OpenRouter,
 `dario doctor`. One command, one aggregated report — dario version, Node, platform, CC binary compat, template source + age + drift, OAuth status, pool state, backends, home dir. Exit code 1 if any check fails. Paste the output when you file an issue.
 
 **What happens when Anthropic rotates the OAuth config?**
-Dario auto-detects OAuth config from the installed Claude Code binary. When CC ships a new version with rotated values, dario picks them up on the next run. Cache at `~/.dario/cc-oauth-cache-v3.json`, keyed by the CC binary fingerprint.
+Dario auto-detects OAuth config from the installed Claude Code binary. When CC ships a new version with rotated values, dario picks them up on the next run. Cache at `~/.dario/cc-oauth-cache-v4.json`, keyed by the CC binary fingerprint.
 
 **What happens when Anthropic changes the CC request template?**
 Dario extracts the live request template from your installed Claude Code binary on startup — the system prompt, tool schemas, user-agent, beta flags, and header insertion order — and uses those to replay requests instead of a version pinned into dario itself. When CC ships a new version with a tweaked template, the next `dario proxy` run picks it up automatically. Drift detection (v3.17) forces a refresh when the installed CC version changes under dario.

package/dist/cc-oauth-detect.d.ts

@@ -28,9 +28,10 @@
  * "MANUAL_REDIRECT_URL" on platform.claude.com is only used when dario's
  * local HTTP server can't bind a port; dario never hits that path.)
  *
- * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache-v2.json so
- * startup only re-scans when the user upgrades Claude Code. The -v2 suffix
- * invalidates the v3.4.0-v3.4.2 caches that held the wrong (dev) client_id.
+ * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache-v4.json so
+ * startup only re-scans when the user upgrades Claude Code. The cache suffix
+ * is bumped each time scope handling or the fallback config changes, so
+ * upgrading dario picks up the new values without a manual cache clear.
  */
 export interface DetectedOAuthConfig {
     clientId: string;

package/dist/cc-oauth-detect.js

@@ -28,9 +28,10 @@
  * "MANUAL_REDIRECT_URL" on platform.claude.com is only used when dario's
  * local HTTP server can't bind a port; dario never hits that path.)
  *
- * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache-v2.json so
- * startup only re-scans when the user upgrades Claude Code. The -v2 suffix
- * invalidates the v3.4.0-v3.4.2 caches that held the wrong (dev) client_id.
+ * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache-v4.json so
+ * startup only re-scans when the user upgrades Claude Code. The cache suffix
+ * is bumped each time scope handling or the fallback config changes, so
+ * upgrading dario picks up the new values without a manual cache clear.
  */
 import { readFile, writeFile, mkdir, stat, open as openFile } from 'node:fs/promises';
 import { existsSync } from 'node:fs';
@@ -44,23 +45,25 @@ const FALLBACK = {
     clientId: '9d1c250a-e61b-44d9-88ed-5944d1962f5e',
     authorizeUrl: 'https://claude.com/cai/oauth/authorize',
     tokenUrl: 'https://platform.claude.com/v1/oauth/token',
-    // Scopes are the full `n36` union from the CC binary, which is the value
-    // sent during a normal `claude login` (non-setup-token) flow. In CC's
-    // source: `let D = f ? [TI] : n36` where `f = inferenceOnly` (true only
-    // for `claude setup-token`). Normal interactive login uses the 6-scope
-    // union including `org:create_api_key` — even though that scope is named
-    // "Console-only" by convention, CC's own login flow requests it up front.
-    // Earlier dario versions (3.2.7 through 3.4.3) dropped `org:create_api_key`
-    // from the list based on a misread of the name; the dev-only client_id
-    // was lenient enough to accept the shorter list, the prod client_id is not.
-    scopes: 'org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload',
+    // Scopes match CC v2.1.107+ interactive login: the 5-scope user-only set.
+    // Between CC v2.1.104 and v2.1.107, Anthropic's authorize endpoint flipped
+    // its policy on `org:create_api_key` for this client_id — the shorter list
+    // is now the only accepted one, and the 6-scope form returns "Invalid
+    // request format". CC's own binary dropped `org:create_api_key` from the
+    // `n36` union to match. Dario #42 (tetsuco, 2026-04-17) surfaced this as
+    // a fresh-login failure on macOS against CC v2.1.107.
+    //
+    // History: dario 3.2.7–3.4.3 once dropped this scope by mistake (misread
+    // of the "Console-only" name); 3.4.4 added it back after users hit auth
+    // failures with the dev client_id accepting it but prod rejecting. That
+    // situation has now inverted — prod rejects the longer list.
+    scopes: 'user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload',
     source: 'fallback',
 };
-// -v3 suffix invalidates v3.4.3 caches that were populated with the wrong
-// 4-scope list (the scanner's regex matched a help-message string literal
-// in the CC binary instead of the real scope array). See the scanner's
-// scope handling below for why scope detection is no longer attempted.
-const CACHE_PATH = join(homedir(), '.dario', 'cc-oauth-cache-v3.json');
+// -v4 suffix invalidates v3.x caches populated with the 6-scope list that
+// Anthropic now rejects (dario #42). On upgrade, users regenerate the cache
+// with the new FALLBACK scopes automatically — no manual clear required.
+const CACHE_PATH = join(homedir(), '.dario', 'cc-oauth-cache-v4.json');
 function candidatePaths() {
     const home = homedir();
     if (platform() === 'win32') {

package/dist/cli.js

@@ -54,8 +54,31 @@ async function login() {
         await proxy();
         return;
     }
-    console.log('  No Claude Code credentials found. Starting OAuth flow...');
-    console.log('');
+    // Credentials exist but are expired — try refresh before falling through
+    // to a fresh OAuth flow. Without this, dario silently burned every
+    // fresh-login attempt (surfaced by dario #42 when Anthropic's authorize
+    // endpoint started rejecting the 6-scope list and `dario login` kept
+    // reporting "No credentials found" even though refresh would have worked).
+    if (creds?.claudeAiOauth?.refreshToken) {
+        console.log('  Existing credentials expired — attempting token refresh...');
+        try {
+            const tokens = await refreshTokens();
+            const expiresIn = Math.round((tokens.expiresAt - Date.now()) / 60000);
+            console.log(`  Refresh successful! Token expires in ${expiresIn} minutes.`);
+            console.log('');
+            console.log('  Run `dario proxy` to start the API proxy.');
+            console.log('');
+            return;
+        }
+        catch (err) {
+            console.log(`  Refresh failed (${sanitizeError(err)}). Starting fresh OAuth flow...`);
+            console.log('');
+        }
+    }
+    else {
+        console.log('  No Claude Code credentials found. Starting OAuth flow...');
+        console.log('');
+    }
     try {
         const tokens = await startAutoOAuthFlow();
         const expiresIn = Math.round((tokens.expiresAt - Date.now()) / 60000);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.19.3",
+  "version": "3.19.4",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {