@askalf/dario 3.29.1 → 3.30.0

package/README.md

@@ -11,10 +11,6 @@
   <a href="https://www.npmjs.com/package/@askalf/dario"><img src="https://img.shields.io/npm/dm/@askalf/dario" alt="Downloads"></a>
 </p>
 
-<p align="center">
-  <sub><strong>v4 is not a version bump.</strong> The router was the prerequisite. What comes next uses it as a substrate. — <a href="https://github.com/askalf/dario/discussions/categories/announcements">watch this space</a></sub>
-</p>
-
 ```bash
 npm install -g @askalf/dario && dario proxy
 ```
@@ -26,7 +22,7 @@ One command, one local URL, every provider behind it. Point `ANTHROPIC_BASE_URL`
 - `llama-3.3-70b`, `deepseek-v3`, anything else → **Groq**, **OpenRouter**, **local LiteLLM**, **vLLM**, **Ollama**, whichever OpenAI-compat backend you wired up
 - Force a backend explicitly with a prefix: `openai:gpt-4o`, `groq:llama-3.3-70b`, `local:qwen-coder`, `claude:opus`
 
-Switching providers is a **model-name change** in your tool. Not a reconfigure. Not new base URLs. Not new API keys. Not a new SDK import. **Zero runtime dependencies. ~11,300 lines of TypeScript across ~25 files. ~1,250 assertions across 32 test suites. [SLSA-attested](https://www.npmjs.com/package/@askalf/dario) on every release. Nothing phones home, ever.**
+Switching providers is a **model-name change** in your tool. Not a reconfigure. Not new base URLs. Not new API keys. Not a new SDK import. **Zero runtime dependencies. ~10,750 lines of TypeScript across ~24 files. ~1,185 assertions across 32 test suites. [SLSA-attested](https://www.npmjs.com/package/@askalf/dario) on every release. Nothing phones home, ever.**
 
 ---
 
@@ -98,11 +94,9 @@ Something broken? `dario doctor` prints a single aggregated health report — da
 
 **You want dario itself addressable from inside Claude Code or any MCP client.** `dario subagent install` registers a first-party sub-agent under `~/.claude/agents/dario.md` so CC can delegate diagnostics and template-refresh in-session ([Claude Code sub-agent hook](#claude-code-sub-agent-hook-v326)). `dario mcp` turns dario itself into a read-only MCP server — Claude Desktop, Cursor, Zed, any MCP-aware editor can introspect dario's state (auth, pool, backends, template, fingerprint, runtime) without leaving the editor ([dario as MCP server](#dario-as-mcp-server-v327)).
 
-**You want to share capacity with a trusted group without surveilling each other.** The **sealed-sender overflow protocol** uses RSA blind signatures (Chaum 1983, implemented from scratch over Node's `crypto`) so members of a trust group can lend unused Claude capacity to each other with cryptographic unlinkability. Dario ships the primitive; [mux](https://github.com/askalf/mux) is the dedicated product around it. See [Sealed-sender overflow](#sealed-sender-overflow-protocol).
-
 **You want certainty that the proxy isn't trivially fingerprintable.** The "get ahead of Anthropic" release track (v3.22 – v3.28) closed six observable divergence axes between dario and real Claude Code: body field order (v3.22), TLS ClientHello (v3.23), inter-request timing (v3.24), stream-consumption shape (v3.25), sub-agent/MCP reach (v3.26/v3.27), and session-id lifecycle (v3.28). See [Fingerprint axes](#fingerprint-axes).
 
-**You want to actually audit the thing.** ~11,300 lines of TypeScript across ~25 files. Zero runtime dependencies (`npm ls --production` confirms). Credentials at `~/.dario/` with `0600` permissions. `127.0.0.1`-only by default. Every release [SLSA-attested](https://www.npmjs.com/package/@askalf/dario) via GitHub Actions. Nothing phones home. Small enough to read in a weekend.
+**You want to actually audit the thing.** ~10,750 lines of TypeScript across ~24 files. Zero runtime dependencies (`npm ls --production` confirms). Credentials at `~/.dario/` with `0600` permissions. `127.0.0.1`-only by default. Every release [SLSA-attested](https://www.npmjs.com/package/@askalf/dario) via GitHub Actions. Nothing phones home. Small enough to read in a weekend.
 
 ---
 
@@ -246,26 +240,6 @@ Every request carries a `billingBucket` field (`subscription` / `subscription_fa
 
 ---
 
-## Sealed-sender overflow protocol
-
-Trust-group members can lend each other Claude capacity with **cryptographic unlinkability**: a lender can verify the borrower is a valid group member without learning *which* member, so no one in the pool can surveil another through borrow telemetry.
-
-**The primitive.** RSA blind signatures (Chaum 1983), implemented from scratch on top of Node's `crypto` module using `RSA_NO_PADDING` for raw `m^e mod n` / `c^d mod n` primitives. Full-Domain Hash via MGF1-SHA256 (with counter retry) prevents multiplicative forgery. The flow: the group admin signs *blinded* tokens in a batch without seeing their real values; the member unblinds locally to obtain valid RSA-FDH signatures on random tokens the admin has never seen. When a member spends a token with a lender, the lender verifies the signature with the group public key — it proves "some member got this signed" without identifying who.
-
-**What this is, and what it isn't.** This is **privacy between group members**, not anonymity from Anthropic. When a lender accepts a borrow, the actual upstream request still lands under the lender's attributable Claude account identity — Anthropic sees the lender as the originator, exactly as they would for any other request on that account. The cryptographic unlinkability protects group members from each other.
-
-**What's in the release:**
-
-- `src/sealed-pool.ts` — ~550 lines. `GroupAdmin` / `GroupMember` / `GroupLender` classes with quota/expiry enforcement, SHA-256-hashed double-spend set, JSON wire envelope (`{v:1, groupId, token, sig, request}`), and key export/import for distributing group credentials.
-- `POST /v1/pool/borrow` endpoint on the proxy, gated on `~/.dario/group.json`. Positioned before `checkAuth` — the group signature *is* the authentication, so doubling it with a local API key would add nothing. Verified borrows delegate to `pool.select()` and forward upstream under the lender's account.
-- 85 test assertions in `test/sealed-pool.mjs` covering raw RSA roundtrip, unlinkability, wrong-key / tampered-sig / wrong-group / double-spend rejection, key export/import, admin membership / quota / expiry enforcement, concurrent-borrow double-spend prevention, and end-to-end two-member unlinkability.
-
-Full feature-parity with `/v1/messages` (streaming, inside-request 429 failover, reverse tool mapping) for borrowed requests is intentionally a follow-up — the current release ships the cryptographic primitive and a working minimal endpoint; full integration layers on top.
-
-**Dedicated product.** The sealed-sender protocol has a dedicated product around it: [mux](https://github.com/askalf/mux). mux carries the group admin tooling (key generation, member roster, batch signing), the member workflow (prepare / finalize / status), the borrower CLI, and the lender daemon as a coherent surface. It uses dario as its backend — a mux lender runs a dario pool and fronts it with `/v1/pool/borrow`. Dario keeps the primitive here for anyone who wants to embed it without running the full mux flow; for peer-to-peer capacity sharing as a product, use mux.
-
----
-
 ## Shim mode
 
 *Experimental, opt-in. The proxy is still the default — shim mode is a second transport, not a replacement.*
@@ -582,7 +556,6 @@ curl http://localhost:3456/health
 |---|---|
 | `POST /v1/messages` | Anthropic Messages API (Claude backend) |
 | `POST /v1/chat/completions` | OpenAI-compatible Chat API (routes by model name) |
-| `POST /v1/pool/borrow` | Sealed-sender borrow endpoint. Accepts group-signed tokens and forwards the request through the lender's pool. |
 | `GET /v1/models` | Model list (Claude models — OpenAI models come from the OpenAI backend directly) |
 | `GET /health` | Proxy health + OAuth status + request count |
 | `GET /status` | Detailed Claude OAuth token status |
@@ -597,11 +570,11 @@ Dario handles your OAuth tokens and API keys locally. Here's why you can trust i
 
 | Signal | Status |
 |---|---|
-| **Source code** | ~11,300 lines of TypeScript across ~25 files — small enough to audit in a weekend |
+| **Source code** | ~10,750 lines of TypeScript across ~24 files — small enough to audit in a weekend |
 | **Dependencies** | 0 runtime dependencies. Verify: `npm ls --production` |
 | **npm provenance** | Every release is [SLSA-attested](https://www.npmjs.com/package/@askalf/dario) via GitHub Actions with sigstore provenance attached to the transparency log |
 | **Security scanning** | [CodeQL](https://github.com/askalf/dario/actions/workflows/codeql.yml) runs on every push and weekly |
-| **Test footprint** | ~1,250 assertions across 32 test suites. Full `npm test` green on every release |
+| **Test footprint** | ~1,185 assertions across 32 test suites. Full `npm test` green on every release |
 | **Credential handling** | Tokens and API keys never logged, redacted from errors, stored with `0600` permissions. MCP server (v3.27) redacts keys at the tool boundary too — not even a `sk-…` prefix leaks. |
 | **OAuth flow** | PKCE (Proof Key for Code Exchange), no client secret. `--manual` flow for headless setups (v3.20). |
 | **Network scope** | Binds to `127.0.0.1` by default. `--host` allows LAN/mesh with `DARIO_API_KEY` gating. Upstream traffic goes only to the configured backend target URLs over HTTPS |
@@ -718,7 +691,7 @@ The CHANGELOG documents every v3.22 – v3.28 "get ahead of Anthropic" release w
 
 ## Contributing
 
-PRs welcome. The codebase is small TypeScript — ~11,300 lines across ~25 files:
+PRs welcome. The codebase is small TypeScript — ~10,750 lines across ~24 files:
 
 | File | Purpose |
 |---|---|
@@ -740,7 +713,6 @@ PRs welcome. The codebase is small TypeScript — ~11,300 lines across ~25 files
 | `src/oauth.ts` | Single-account token storage, PKCE flow, auto-refresh, manual/headless flow (v3.20) |
 | `src/accounts.ts` | Multi-account credential storage, independent OAuth lifecycle, refresh single-flight |
 | `src/pool.ts` | Account pool, headroom-aware routing, session stickiness, failover target selection |
-| `src/sealed-pool.ts` | Sealed-sender overflow protocol — RSA blind signatures for unlinkable group pooling |
 | `src/analytics.ts` | Rolling request history, per-account / per-model stats, burn-rate, billing bucket classification |
 | `src/openai-backend.ts` | OpenAI-compat backend credential storage and request forwarder |
 | `src/shim/runtime.cjs` | Hand-written CJS payload loaded into child processes via `NODE_OPTIONS=--require`; patches `globalThis.fetch` for Anthropic messages requests only |
@@ -753,7 +725,7 @@ git clone https://github.com/askalf/dario
 cd dario
 npm install
 npm run dev   # runs with tsx, no build step
-npm test      # ~1,250 assertions across 32 suites
+npm test      # ~1,185 assertions across 32 suites
 npm run e2e   # live proxy + OAuth (requires a working Claude backend)
 ```
 

package/dist/proxy.d.ts

@@ -24,11 +24,9 @@ interface ProxyOptions {
 }
 export declare function sanitizeError(err: unknown): string;
 /**
- * Two-lane auth: DARIO_API_KEY (x-api-key / Authorization: Bearer) for
- * normal clients, and MUX_COORD_SECRET (X-Mux-Coord-Secret) for the mux
- * gateway forwarding a verified sealed borrow. If neither is configured
- * the request is allowed (loopback-only default). Exported for tests.
+ * API-key auth via DARIO_API_KEY (x-api-key or Authorization: Bearer).
+ * If unset, requests are allowed (loopback-only default). Exported for tests.
  */
-export declare function authenticateRequest(headers: IncomingMessage['headers'], apiKeyBuf: Buffer | null, mcsBuf: Buffer | null): boolean;
+export declare function authenticateRequest(headers: IncomingMessage['headers'], apiKeyBuf: Buffer | null): boolean;
 export declare function startProxy(opts?: ProxyOptions): Promise<void>;
 export {};

package/dist/proxy.js

@@ -11,7 +11,6 @@ import { describeTemplate, detectDrift, checkCCCompat } from './live-fingerprint
 import { AccountPool, computeStickyKey, parseRateLimits } from './pool.js';
 import { Analytics, billingBucketFromClaim } from './analytics.js';
 import { loadAllAccounts, loadAccount, refreshAccountToken } from './accounts.js';
-import { GroupLender, importGroupPublicKey, decodeBorrowEnvelope, parseBorrowToken, } from './sealed-pool.js';
 import { getOpenAIBackend, isOpenAIModel, forwardToOpenAI } from './openai-backend.js';
 const ANTHROPIC_API = 'https://api.anthropic.com';
 const DEFAULT_PORT = 3456;
@@ -334,31 +333,18 @@ export function sanitizeError(err) {
         .replace(/Bearer\s+[^\s,;]+/gi, 'Bearer [REDACTED]');
 }
 /**
- * Two-lane auth: DARIO_API_KEY (x-api-key / Authorization: Bearer) for
- * normal clients, and MUX_COORD_SECRET (X-Mux-Coord-Secret) for the mux
- * gateway forwarding a verified sealed borrow. If neither is configured
- * the request is allowed (loopback-only default). Exported for tests.
+ * API-key auth via DARIO_API_KEY (x-api-key or Authorization: Bearer).
+ * If unset, requests are allowed (loopback-only default). Exported for tests.
  */
-export function authenticateRequest(headers, apiKeyBuf, mcsBuf) {
-    if (!apiKeyBuf && !mcsBuf)
+export function authenticateRequest(headers, apiKeyBuf) {
+    if (!apiKeyBuf)
         return true;
-    if (mcsBuf) {
-        const raw = headers['x-mux-coord-secret'];
-        const provided = typeof raw === 'string' ? raw : Array.isArray(raw) ? raw[0] : undefined;
-        if (provided) {
-            const providedBuf = Buffer.from(provided);
-            if (providedBuf.length === mcsBuf.length && timingSafeEqual(providedBuf, mcsBuf))
-                return true;
-        }
-    }
-    if (apiKeyBuf) {
-        const provided = headers['x-api-key']
-            || headers.authorization?.replace(/^Bearer\s+/i, '');
-        if (provided) {
-            const providedBuf = Buffer.from(provided);
-            if (providedBuf.length === apiKeyBuf.length && timingSafeEqual(providedBuf, apiKeyBuf))
-                return true;
-        }
+    const provided = headers['x-api-key']
+        || headers.authorization?.replace(/^Bearer\s+/i, '');
+    if (provided) {
+        const providedBuf = Buffer.from(provided);
+        if (providedBuf.length === apiKeyBuf.length && timingSafeEqual(providedBuf, apiKeyBuf))
+            return true;
     }
     return false;
 }
@@ -440,30 +426,6 @@ export async function startProxy(opts = {}) {
     const accountsList = await loadAllAccounts();
     const pool = accountsList.length >= 2 ? new AccountPool() : null;
     const analytics = pool ? new Analytics() : null;
-    // Sealed-sender overflow pool — activated when ~/.dario/group.json exists.
-    // Config format: { "groupId": "<name>", "publicKey": { n, e, modulusBytes } }
-    // where publicKey is the GroupAdmin's exported RSA public key. Lender runs
-    // in addition to normal pool mode — borrow requests go through a separate
-    // /v1/pool/borrow endpoint and are verified via the admin-signed token.
-    let groupLender = null;
-    try {
-        const groupConfigPath = join(homedir(), '.dario', 'group.json');
-        const rawGroup = readFileSync(groupConfigPath, 'utf-8');
-        const parsed = JSON.parse(rawGroup);
-        if (parsed?.groupId && parsed.publicKey?.n && parsed.publicKey?.e && parsed.publicKey?.modulusBytes) {
-            const pub = importGroupPublicKey(parsed.publicKey);
-            groupLender = new GroupLender(parsed.groupId, pub);
-            console.log(`  Sealed-sender pool: group "${parsed.groupId}" loaded (${pub.modulusBytes * 8}-bit key)`);
-        }
-    }
-    catch (err) {
-        // Group config is optional — silent fallthrough if missing. Log parse
-        // errors explicitly so a broken config doesn't fail silently.
-        const e = err;
-        if (e.code && e.code !== 'ENOENT') {
-            console.warn(`[dario] group.json present but unusable: ${e.message}`);
-        }
-    }
     let status;
     if (pool) {
         for (const acc of accountsList) {
@@ -647,14 +609,6 @@ export async function startProxy(opts = {}) {
     // Optional proxy authentication — pre-encode key buffer for performance
     const apiKey = process.env.DARIO_API_KEY;
     const apiKeyBuf = apiKey ? Buffer.from(apiKey) : null;
-    // Mux coord-secret — the shared secret mux uses when forwarding sealed
-    // borrow requests to this dario acting as a lender endpoint. A request
-    // carrying a matching X-Mux-Coord-Secret header is authenticated without
-    // needing DARIO_API_KEY. The sealed-sender envelope has already been
-    // verified upstream, so the coord secret is the one-hop auth between
-    // the mux gateway and this instance.
-    const mcs = process.env.MUX_COORD_SECRET;
-    const mcsBuf = mcs ? Buffer.from(mcs) : null;
     // CORS origin defaults to the localhost URL the proxy is served at. Users
     // binding to a non-loopback address (e.g. a Tailscale interface) can
     // override via DARIO_CORS_ORIGIN — otherwise browser-based clients hitting
@@ -670,7 +624,7 @@ export async function startProxy(opts = {}) {
     const CORS_HEADERS = {
         'Access-Control-Allow-Origin': corsOrigin,
         'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-        'Access-Control-Allow-Headers': 'Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta, x-mux-coord-secret',
+        'Access-Control-Allow-Headers': 'Content-Type, Authorization, x-api-key, anthropic-version, anthropic-beta',
         'Access-Control-Max-Age': '86400',
         ...SECURITY_HEADERS,
     };
@@ -680,7 +634,7 @@ export async function startProxy(opts = {}) {
     const ERR_FORBIDDEN = JSON.stringify({ error: 'Forbidden', message: 'Path not allowed. Supported paths: POST /v1/messages, POST /v1/chat/completions, GET /v1/models' });
     const ERR_METHOD = JSON.stringify({ error: 'Method not allowed' });
     function checkAuth(req) {
-        return authenticateRequest(req.headers, apiKeyBuf, mcsBuf);
+        return authenticateRequest(req.headers, apiKeyBuf);
     }
     const server = createServer(async (req, res) => {
         if (req.method === 'OPTIONS') {
@@ -702,121 +656,6 @@ export async function startProxy(opts = {}) {
             }));
             return;
         }
-        // Sealed-sender borrow endpoint — runs BEFORE the API-key auth check
-        // because the admin-signed group token IS the authentication. Anyone
-        // who presents a valid unused token can borrow capacity from this
-        // instance's pool without also holding the local dario API key.
-        // See src/sealed-pool.ts for the protocol.
-        if (urlPath === '/v1/pool/borrow' && req.method === 'POST') {
-            if (!groupLender) {
-                res.writeHead(503, JSON_HEADERS);
-                res.end(JSON.stringify({ error: 'sealed-sender pool not configured on this instance' }));
-                return;
-            }
-            if (!pool) {
-                res.writeHead(503, JSON_HEADERS);
-                res.end(JSON.stringify({ error: 'pool mode required for sealed-sender borrows' }));
-                return;
-            }
-            // Read body with the same limits as normal /v1/messages.
-            const bChunks = [];
-            let bBytes = 0;
-            const bTimeout = setTimeout(() => { req.destroy(); }, BODY_READ_TIMEOUT_MS);
-            try {
-                for await (const chunk of req) {
-                    const buf = typeof chunk === 'string' ? Buffer.from(chunk) : chunk;
-                    bBytes += buf.length;
-                    if (bBytes > MAX_BODY_BYTES) {
-                        clearTimeout(bTimeout);
-                        res.writeHead(413, JSON_HEADERS);
-                        res.end(JSON.stringify({ error: 'Request body too large' }));
-                        return;
-                    }
-                    bChunks.push(buf);
-                }
-            }
-            finally {
-                clearTimeout(bTimeout);
-            }
-            const envelope = decodeBorrowEnvelope(Buffer.concat(bChunks).toString('utf-8'));
-            if (!envelope) {
-                res.writeHead(400, JSON_HEADERS);
-                res.end(JSON.stringify({ error: 'malformed borrow envelope' }));
-                return;
-            }
-            // Envelope shape guard — envelope.request is `unknown` on the wire.
-            // We stringify it and forward to Anthropic under the lender's identity,
-            // so a borrower could otherwise waste the lender's rate-limit slot with
-            // a body Anthropic will reject. Minimum: must be a plain object with
-            // `model` (string) and `messages` (array). Anthropic validates the rest.
-            const br = envelope.request;
-            if (!br || typeof br !== 'object' || Array.isArray(br) ||
-                typeof br.model !== 'string' ||
-                !Array.isArray(br.messages)) {
-                res.writeHead(400, JSON_HEADERS);
-                res.end(JSON.stringify({ error: 'envelope.request must be an Anthropic /v1/messages body' }));
-                return;
-            }
-            if (envelope.groupId !== groupLender.groupId) {
-                res.writeHead(403, JSON_HEADERS);
-                res.end(JSON.stringify({ error: 'unknown_group', expected: groupLender.groupId }));
-                return;
-            }
-            const borrowTok = parseBorrowToken(envelope);
-            if (!borrowTok) {
-                res.writeHead(400, JSON_HEADERS);
-                res.end(JSON.stringify({ error: 'malformed token' }));
-                return;
-            }
-            const accept = groupLender.acceptBorrow(borrowTok.token, borrowTok.signature);
-            if (!accept.ok) {
-                res.writeHead(403, JSON_HEADERS);
-                res.end(JSON.stringify({ error: 'borrow_rejected', reason: accept.reason }));
-                return;
-            }
-            // Token validated. Forward the embedded /v1/messages request to
-            // Anthropic using the lender's normal pool. This path is minimal:
-            // no streaming parser, no reverse tool mapping, no 429 failover.
-            // It's enough to demonstrate sealed-sender end-to-end; the full
-            // feature-parity wire-up with the main /v1/messages path is a
-            // separate change (requires threading a pre-read body through
-            // the existing handler).
-            const lenderAccount = pool.select();
-            if (!lenderAccount) {
-                res.writeHead(503, JSON_HEADERS);
-                res.end(JSON.stringify({ error: 'lender pool exhausted' }));
-                return;
-            }
-            try {
-                const upstream = await fetch(`${ANTHROPIC_API}/v1/messages?beta=true`, {
-                    method: 'POST',
-                    headers: {
-                        'Content-Type': 'application/json',
-                        'authorization': `Bearer ${lenderAccount.accessToken}`,
-                        'anthropic-version': '2023-06-01',
-                        'anthropic-beta': 'claude-code-20250219',
-                    },
-                    body: JSON.stringify(envelope.request),
-                });
-                const snapshot = parseRateLimits(upstream.headers);
-                pool.updateRateLimits(lenderAccount.alias, snapshot);
-                const body = Buffer.from(await upstream.arrayBuffer());
-                res.writeHead(upstream.status, {
-                    'content-type': upstream.headers.get('content-type') ?? 'application/json',
-                    'Access-Control-Allow-Origin': corsOrigin,
-                    ...SECURITY_HEADERS,
-                });
-                res.end(body);
-                if (verbose) {
-                    console.log(`[dario] borrow: group=${envelope.groupId} → ${lenderAccount.alias} (${upstream.status}, ${body.length}B)`);
-                }
-            }
-            catch (err) {
-                res.writeHead(502, JSON_HEADERS);
-                res.end(JSON.stringify({ error: 'upstream_error', message: err.message }));
-            }
-            return;
-        }
         if (!checkAuth(req)) {
             res.writeHead(401, JSON_HEADERS);
             res.end(ERR_UNAUTH);
@@ -852,10 +691,6 @@ export async function startProxy(opts = {}) {
                 mode: 'pool',
                 ...pool.status(),
                 stickyBindings: pool.stickyCount(),
-                sealedSender: groupLender ? {
-                    groupId: groupLender.groupId,
-                    seenTokens: groupLender.seenCount(),
-                } : null,
                 accounts,
             }));
             return;
@@ -1807,19 +1642,13 @@ export async function startProxy(opts = {}) {
         if (!isLoopbackHost(host)) {
             console.log('');
             console.log(`  ⚠  Bound to ${host} — reachable from other machines on the network.`);
-            if (!apiKey && !mcs) {
+            if (!apiKey) {
                 console.log('     No auth configured. Any host that can reach this port can proxy');
-                console.log('     requests through your OAuth subscription. Set DARIO_API_KEY (for');
-                console.log('     normal clients) or MUX_COORD_SECRET (for mux lender mode) before');
-                console.log('     exposing dario beyond loopback.');
+                console.log('     requests through your OAuth subscription. Set DARIO_API_KEY');
+                console.log('     before exposing dario beyond loopback.');
             }
             else {
-                const lanes = [];
-                if (apiKey)
-                    lanes.push('x-api-key / Authorization (DARIO_API_KEY)');
-                if (mcs)
-                    lanes.push('X-Mux-Coord-Secret (MUX_COORD_SECRET — mux lender mode)');
-                console.log(`     Auth required — accepted credentials: ${lanes.join(' or ')}.`);
+                console.log('     Auth required — accepted credentials: x-api-key / Authorization (DARIO_API_KEY).');
             }
         }
         console.log('');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.29.1",
+  "version": "3.30.0",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {
@@ -21,7 +21,7 @@
   ],
   "scripts": {
     "build": "tsc && cp src/cc-template-data.json dist/ && node -e \"require('fs').mkdirSync('dist/shim',{recursive:true})\" && cp src/shim/runtime.cjs dist/shim/",
-    "test": "node test/issue-29-tool-translation.mjs && node test/hybrid-tools.mjs && node test/tool-schema-contract.mjs && node test/scrub-paths.mjs && node test/provider-prefix.mjs && node test/analytics-recording.mjs && node test/analytics-billing-bucket.mjs && node test/failover-429.mjs && node test/pool-sticky.mjs && node test/sealed-pool.mjs && node test/mux-coord-secret.mjs && node test/live-fingerprint.mjs && node test/shim-runtime.mjs && node test/shim-e2e.mjs && node test/proxy-header-order.mjs && node test/proxy-body-order.mjs && node test/runtime-fingerprint.mjs && node test/pacing.mjs && node test/stream-drain.mjs && node test/subagent.mjs && node test/mcp-protocol.mjs && node test/mcp-tools.mjs && node test/mcp-e2e.mjs && node test/session-rotation.mjs && node test/drift-detection.mjs && node test/cc-authorize-probe-classifier.mjs && node test/compat-range.mjs && node test/doctor-formatter.mjs && node test/atomic-write.mjs && node test/account-refresh-singleflight.mjs && node test/streaming-edge-cases.mjs && node test/client-detection.mjs && node test/manual-oauth-flow.mjs && node test/scrub-template.mjs",
+    "test": "node test/issue-29-tool-translation.mjs && node test/hybrid-tools.mjs && node test/tool-schema-contract.mjs && node test/scrub-paths.mjs && node test/provider-prefix.mjs && node test/analytics-recording.mjs && node test/analytics-billing-bucket.mjs && node test/failover-429.mjs && node test/pool-sticky.mjs && node test/live-fingerprint.mjs && node test/shim-runtime.mjs && node test/shim-e2e.mjs && node test/proxy-header-order.mjs && node test/proxy-body-order.mjs && node test/runtime-fingerprint.mjs && node test/pacing.mjs && node test/stream-drain.mjs && node test/subagent.mjs && node test/mcp-protocol.mjs && node test/mcp-tools.mjs && node test/mcp-e2e.mjs && node test/session-rotation.mjs && node test/drift-detection.mjs && node test/cc-authorize-probe-classifier.mjs && node test/compat-range.mjs && node test/doctor-formatter.mjs && node test/atomic-write.mjs && node test/account-refresh-singleflight.mjs && node test/streaming-edge-cases.mjs && node test/client-detection.mjs && node test/manual-oauth-flow.mjs && node test/scrub-template.mjs",
     "audit": "npm audit --production --audit-level=high",
     "prepublishOnly": "npm run build",
     "start": "node dist/cli.js",

package/dist/sealed-pool.d.ts

@@ -1,202 +0,0 @@
-/**
- * Sealed-sender overflow pool — RSA blind signatures for unlinkable capacity
- * sharing inside a trust group.
- *
- * The problem this solves: in a federated pool where several friends lend
- * each other account capacity, a naive design leaks who is borrowing what.
- * If member A sends "I'm borrowing from your pool" to member B's dario
- * instance, B learns exactly which of their friends is running which
- * workload — and over time B can build a pretty detailed surveillance log
- * of everyone else's agent sessions. That's the opposite of what a private
- * friend pool should provide.
- *
- * The solution is Chaum's 1983 blind signature construction. A trusted
- * admin (one member of the group, selected by social consensus) issues
- * signed borrow tokens to each member. The admin never sees the token
- * values — they sign blinded values, and the blinding is unlinkable at
- * the cryptographic level. When a member sends a token to a lender, the
- * lender can verify "this was signed by the group admin" without learning
- * WHICH member holds that token. The lender sees a valid group credential
- * and nothing more.
- *
- * From Anthropic's perspective nothing changes: the request still hits
- * their API under the lender's identity, fully attributable to a real
- * paying Max subscriber. The privacy property is entirely INSIDE the
- * trust group — no member can surveil another member's usage through
- * the pool layer.
- *
- * What this is NOT: this is not anonymity from Anthropic, not onion
- * routing, not credential laundering. It is a privacy layer on top of
- * a legitimate friends-pool arrangement. Members opt in, the admin is
- * known, membership is revocable by rotating the group key. It's the
- * same trust model as a family Netflix account, with unlinkability as
- * a feature for the pool's internal telemetry.
- *
- * Implementation notes:
- *   - RSA-2048 with FDH (full-domain hash) padding via MGF1-SHA256.
- *   - Node's crypto.publicEncrypt / privateDecrypt with RSA_NO_PADDING
- *     for raw RSA operations. All modular arithmetic happens in BigInt.
- *   - Tokens are 32 random bytes each, single-use (lender tracks SHA-256
- *     hashes of seen tokens to prevent double-spend).
- *   - Admin does not need to be online for members to use tokens. Admin
- *     only runs when issuing a new batch (typically once per day/week).
- */
-import { type KeyObject } from 'node:crypto';
-export interface RSAPublicKey {
-    n: bigint;
-    e: bigint;
-    modulusBytes: number;
-    keyObj: KeyObject;
-}
-export interface RSAPrivateKey extends RSAPublicKey {
-    keyObjPriv: KeyObject;
-}
-/**
- * Blind a token: pick r ∈ [2, n), compute blinded = FDH(token) · r^e mod n.
- * The admin sees only the blinded value (uniform over Z_n*) and learns
- * nothing about the token.
- */
-export declare function blindToken(tokenBytes: Buffer, pubKey: RSAPublicKey): {
-    blinded: bigint;
-    r: bigint;
-};
-/** Admin-side: sign a blinded value. No knowledge of the original token. */
-export declare function signBlinded(blinded: bigint, privKey: RSAPrivateKey): bigint;
-/**
- * Member-side: given the admin's signature on the blinded value, remove
- * the blinding factor to obtain a raw RSA-FDH signature over the original
- * token that the admin never saw.
- *
- * Math: signed_blinded = (FDH(t) · r^e)^d = FDH(t)^d · r mod n.
- * Multiplying by r^(-1) mod n yields FDH(t)^d = the raw signature.
- */
-export declare function unblindSignature(blindedSignature: bigint, r: bigint, pubKey: RSAPublicKey): bigint;
-/**
- * Verify a (token, signature) pair against the admin's public key.
- * True iff signature^e ≡ FDH(token) (mod n).
- */
-export declare function verifyTokenSignature(tokenBytes: Buffer, signature: bigint, pubKey: RSAPublicKey): boolean;
-export declare function generateGroupKey(bits?: number): RSAPrivateKey;
-export interface ExportedGroupKey {
-    n: string;
-    e: string;
-    modulusBytes: number;
-}
-export declare function exportGroupPublicKey(key: RSAPublicKey): ExportedGroupKey;
-export declare function importGroupPublicKey(exported: ExportedGroupKey): RSAPublicKey;
-export interface MemberRecord {
-    pubkey: string;
-    expiresAt: number;
-    quotaPerBatch: number;
-}
-/**
- * Admin holds the group private key and a roster of authorized members.
- * Admin does NOT hold any of the tokens, by design — blind signing means
- * the admin never sees what they signed. This is the key privacy property.
- *
- * The admin's responsibilities are purely social: decide who's in the
- * group, set per-member quotas, rotate the group key when someone leaves.
- */
-export declare class GroupAdmin {
-    readonly groupId: string;
-    readonly key: RSAPrivateKey;
-    readonly members: Map<string, MemberRecord>;
-    constructor(groupId: string, key: RSAPrivateKey, members: Map<string, MemberRecord>);
-    static create(groupId: string, bits?: number): GroupAdmin;
-    addMember(pubkey: string, quotaPerBatch?: number, validForDays?: number): void;
-    removeMember(pubkey: string): boolean;
-    /**
-     * Sign a batch of blinded tokens submitted by a member. The admin
-     * authenticates the request out-of-band (member identity auth happens
-     * at the HTTP layer via a member signing key — not modelled here).
-     *
-     * Throws on: unknown member, expired membership, batch-too-large.
-     */
-    signBatch(memberPubkey: string, blinded: bigint[]): bigint[];
-    publicKey(): ExportedGroupKey;
-}
-export interface PreparedBatch {
-    blinded: bigint[];
-    state: Array<{
-        token: Buffer;
-        r: bigint;
-    }>;
-}
-export interface BorrowToken {
-    token: Buffer;
-    signature: bigint;
-}
-/**
- * Member holds an identity pubkey (used by the admin for roster lookup)
- * and a local stash of unused (token, signature) pairs. Tokens are single-
- * use — consume one per borrow. Admin never saw any of these tokens.
- */
-export declare class GroupMember {
-    readonly memberPubkey: string;
-    readonly groupPublicKey: RSAPublicKey;
-    private tokens;
-    constructor(memberPubkey: string, groupPublicKey: RSAPublicKey);
-    /**
-     * Step 1 of a token batch: generate random tokens, blind each, return
-     * the blinded values (to send to admin) plus the per-token state
-     * (kept locally for unblinding after admin responds).
-     */
-    prepareBatch(count: number): PreparedBatch;
-    /**
-     * Step 2 of a token batch: unblind each admin-signed value, verify the
-     * resulting raw signature, and add the (token, signature) pair to the
-     * local stash. Any verification failure throws — we never store a token
-     * whose signature doesn't check out.
-     */
-    finalizeBatch(signedBlinded: bigint[], state: Array<{
-        token: Buffer;
-        r: bigint;
-    }>): void;
-    consumeToken(): BorrowToken | null;
-    tokenCount(): number;
-}
-export type AcceptResult = {
-    ok: true;
-} | {
-    ok: false;
-    reason: 'invalid_signature' | 'double_spend' | 'malformed';
-};
-/**
- * Lender holds the group public key and a set of token hashes that have
- * already been redeemed. Memory-only in v1; a persisted set would be a
- * sqlite table keyed on token hash, or just a file of sha256 hex lines.
- *
- * The lender LEARNS NOTHING about which member borrowed. That's the
- * whole point — blind signatures decouple "who signed this request"
- * (the admin, uniformly) from "who holds the token" (one specific
- * member who is anonymous to the lender).
- */
-export declare class GroupLender {
-    readonly groupId: string;
-    readonly groupPublicKey: RSAPublicKey;
-    private seenTokens;
-    private maxSeenTokens;
-    constructor(groupId: string, groupPublicKey: RSAPublicKey, opts?: {
-        maxSeenTokens?: number;
-    });
-    acceptBorrow(token: Buffer, signature: bigint): AcceptResult;
-    seenCount(): number;
-}
-/**
- * Envelope the member sends to a lender's /v1/pool/borrow endpoint. The
- * `request` field carries an embedded Anthropic /v1/messages body that
- * the lender will proxy to api.anthropic.com under its own identity.
- *
- * Version field lets us rotate crypto or protocol details without
- * breaking older members in the same group.
- */
-export interface BorrowEnvelope {
-    v: 1;
-    groupId: string;
-    token: string;
-    sig: string;
-    request: unknown;
-}
-export declare function encodeBorrowEnvelope(groupId: string, bt: BorrowToken, request: unknown): string;
-export declare function decodeBorrowEnvelope(s: string): BorrowEnvelope | null;
-export declare function parseBorrowToken(env: BorrowEnvelope): BorrowToken | null;

package/dist/sealed-pool.js

@@ -1,416 +0,0 @@
-/**
- * Sealed-sender overflow pool — RSA blind signatures for unlinkable capacity
- * sharing inside a trust group.
- *
- * The problem this solves: in a federated pool where several friends lend
- * each other account capacity, a naive design leaks who is borrowing what.
- * If member A sends "I'm borrowing from your pool" to member B's dario
- * instance, B learns exactly which of their friends is running which
- * workload — and over time B can build a pretty detailed surveillance log
- * of everyone else's agent sessions. That's the opposite of what a private
- * friend pool should provide.
- *
- * The solution is Chaum's 1983 blind signature construction. A trusted
- * admin (one member of the group, selected by social consensus) issues
- * signed borrow tokens to each member. The admin never sees the token
- * values — they sign blinded values, and the blinding is unlinkable at
- * the cryptographic level. When a member sends a token to a lender, the
- * lender can verify "this was signed by the group admin" without learning
- * WHICH member holds that token. The lender sees a valid group credential
- * and nothing more.
- *
- * From Anthropic's perspective nothing changes: the request still hits
- * their API under the lender's identity, fully attributable to a real
- * paying Max subscriber. The privacy property is entirely INSIDE the
- * trust group — no member can surveil another member's usage through
- * the pool layer.
- *
- * What this is NOT: this is not anonymity from Anthropic, not onion
- * routing, not credential laundering. It is a privacy layer on top of
- * a legitimate friends-pool arrangement. Members opt in, the admin is
- * known, membership is revocable by rotating the group key. It's the
- * same trust model as a family Netflix account, with unlinkability as
- * a feature for the pool's internal telemetry.
- *
- * Implementation notes:
- *   - RSA-2048 with FDH (full-domain hash) padding via MGF1-SHA256.
- *   - Node's crypto.publicEncrypt / privateDecrypt with RSA_NO_PADDING
- *     for raw RSA operations. All modular arithmetic happens in BigInt.
- *   - Tokens are 32 random bytes each, single-use (lender tracks SHA-256
- *     hashes of seen tokens to prevent double-spend).
- *   - Admin does not need to be online for members to use tokens. Admin
- *     only runs when issuing a new batch (typically once per day/week).
- */
-import { generateKeyPairSync, publicEncrypt, privateDecrypt, constants, createPublicKey, randomBytes, createHash, } from 'node:crypto';
-// ======================================================================
-//  BigInt / buffer helpers
-// ======================================================================
-function bigintToBytes(n, len) {
-    let hex = n.toString(16);
-    if (hex.length % 2)
-        hex = '0' + hex;
-    const buf = Buffer.from(hex, 'hex');
-    if (buf.length > len)
-        throw new Error('value too large for buffer');
-    if (buf.length === len)
-        return buf;
-    const padded = Buffer.alloc(len);
-    buf.copy(padded, len - buf.length);
-    return padded;
-}
-function bytesToBigint(buf) {
-    if (buf.length === 0)
-        return 0n;
-    return BigInt('0x' + buf.toString('hex'));
-}
-function egcd(a, b) {
-    let [oldR, r] = [a, b];
-    let [oldS, s] = [1n, 0n];
-    let [oldT, t] = [0n, 1n];
-    while (r !== 0n) {
-        const q = oldR / r;
-        [oldR, r] = [r, oldR - q * r];
-        [oldS, s] = [s, oldS - q * s];
-        [oldT, t] = [t, oldT - q * t];
-    }
-    return [oldR, oldS, oldT];
-}
-function modInverse(a, n) {
-    const norm = ((a % n) + n) % n;
-    const [g, x] = egcd(norm, n);
-    if (g !== 1n)
-        throw new Error('no modular inverse');
-    return ((x % n) + n) % n;
-}
-// ======================================================================
-//  Full-domain hash (FDH) for RSA blind signatures
-// ======================================================================
-/**
- * Map a message to a uniformly-distributed integer in [1, n). Standard
- * FDH construction via MGF1-SHA256 with a counter-based retry loop to
- * handle the edge case where the candidate is ≥ n.
- *
- * Why FDH matters: without it, RSA signatures are vulnerable to
- * multiplicative forgery attacks (signatures can be combined to forge
- * signatures on products of messages). FDH destroys the algebraic
- * structure of the message so no such combination exists.
- */
-function fdh(message, modulus, modulusBytes) {
-    for (let counter = 0; counter < 1000; counter++) {
-        const out = Buffer.alloc(modulusBytes);
-        let written = 0;
-        let i = 0;
-        while (written < modulusBytes) {
-            const hash = createHash('sha256');
-            hash.update(message);
-            const counterBuf = Buffer.alloc(4);
-            counterBuf.writeUInt32BE(counter, 0);
-            hash.update(counterBuf);
-            const iBuf = Buffer.alloc(4);
-            iBuf.writeUInt32BE(i, 0);
-            hash.update(iBuf);
-            const digest = hash.digest();
-            const take = Math.min(digest.length, modulusBytes - written);
-            digest.copy(out, written, 0, take);
-            written += take;
-            i++;
-        }
-        // Clear the top bit to reduce the chance of value ≥ n on the first try.
-        out[0] &= 0x7f;
-        const candidate = bytesToBigint(out);
-        if (candidate > 0n && candidate < modulus)
-            return candidate;
-    }
-    throw new Error('FDH: exhausted counter without finding candidate');
-}
-function rawPublicOp(key, value) {
-    const input = bigintToBytes(value, key.modulusBytes);
-    const output = publicEncrypt({ key: key.keyObj, padding: constants.RSA_NO_PADDING }, input);
-    return bytesToBigint(output);
-}
-function rawPrivateOp(key, value) {
-    const input = bigintToBytes(value, key.modulusBytes);
-    const output = privateDecrypt({ key: key.keyObjPriv, padding: constants.RSA_NO_PADDING }, input);
-    return bytesToBigint(output);
-}
-// ======================================================================
-//  Blind signature protocol
-// ======================================================================
-/**
- * Blind a token: pick r ∈ [2, n), compute blinded = FDH(token) · r^e mod n.
- * The admin sees only the blinded value (uniform over Z_n*) and learns
- * nothing about the token.
- */
-export function blindToken(tokenBytes, pubKey) {
-    const m = fdh(tokenBytes, pubKey.n, pubKey.modulusBytes);
-    let r = 0n;
-    for (let attempts = 0; attempts < 32; attempts++) {
-        const rBytes = randomBytes(pubKey.modulusBytes);
-        rBytes[0] &= 0x7f;
-        const candidate = bytesToBigint(rBytes);
-        if (candidate > 1n && candidate < pubKey.n) {
-            r = candidate;
-            break;
-        }
-    }
-    if (r === 0n)
-        throw new Error('blindToken: failed to sample r');
-    const rE = rawPublicOp(pubKey, r);
-    const blinded = (m * rE) % pubKey.n;
-    return { blinded, r };
-}
-/** Admin-side: sign a blinded value. No knowledge of the original token. */
-export function signBlinded(blinded, privKey) {
-    return rawPrivateOp(privKey, blinded);
-}
-/**
- * Member-side: given the admin's signature on the blinded value, remove
- * the blinding factor to obtain a raw RSA-FDH signature over the original
- * token that the admin never saw.
- *
- * Math: signed_blinded = (FDH(t) · r^e)^d = FDH(t)^d · r mod n.
- * Multiplying by r^(-1) mod n yields FDH(t)^d = the raw signature.
- */
-export function unblindSignature(blindedSignature, r, pubKey) {
-    const rInv = modInverse(r, pubKey.n);
-    return (blindedSignature * rInv) % pubKey.n;
-}
-/**
- * Verify a (token, signature) pair against the admin's public key.
- * True iff signature^e ≡ FDH(token) (mod n).
- */
-export function verifyTokenSignature(tokenBytes, signature, pubKey) {
-    if (signature <= 0n || signature >= pubKey.n)
-        return false;
-    const expected = fdh(tokenBytes, pubKey.n, pubKey.modulusBytes);
-    const actual = rawPublicOp(pubKey, signature);
-    return expected === actual;
-}
-// ======================================================================
-//  Key generation and export/import
-// ======================================================================
-export function generateGroupKey(bits = 2048) {
-    const { publicKey, privateKey } = generateKeyPairSync('rsa', {
-        modulusLength: bits,
-        publicExponent: 65537,
-    });
-    const jwk = publicKey.export({ format: 'jwk' });
-    const n = bytesToBigint(Buffer.from(jwk.n, 'base64url'));
-    const e = bytesToBigint(Buffer.from(jwk.e, 'base64url'));
-    const modulusBytes = Math.ceil(bits / 8);
-    return {
-        n, e, modulusBytes,
-        keyObj: publicKey,
-        keyObjPriv: privateKey,
-    };
-}
-export function exportGroupPublicKey(key) {
-    return {
-        n: key.n.toString(16),
-        e: key.e.toString(16),
-        modulusBytes: key.modulusBytes,
-    };
-}
-export function importGroupPublicKey(exported) {
-    const n = BigInt('0x' + exported.n);
-    const e = BigInt('0x' + exported.e);
-    const nBytes = bigintToBytes(n, exported.modulusBytes);
-    let eHex = e.toString(16);
-    if (eHex.length % 2)
-        eHex = '0' + eHex;
-    const eBytes = Buffer.from(eHex, 'hex');
-    const keyObj = createPublicKey({
-        key: {
-            kty: 'RSA',
-            n: nBytes.toString('base64url'),
-            e: eBytes.toString('base64url'),
-        },
-        format: 'jwk',
-    });
-    return { n, e, modulusBytes: exported.modulusBytes, keyObj };
-}
-/**
- * Admin holds the group private key and a roster of authorized members.
- * Admin does NOT hold any of the tokens, by design — blind signing means
- * the admin never sees what they signed. This is the key privacy property.
- *
- * The admin's responsibilities are purely social: decide who's in the
- * group, set per-member quotas, rotate the group key when someone leaves.
- */
-export class GroupAdmin {
-    groupId;
-    key;
-    members;
-    constructor(groupId, key, members) {
-        this.groupId = groupId;
-        this.key = key;
-        this.members = members;
-    }
-    static create(groupId, bits = 2048) {
-        return new GroupAdmin(groupId, generateGroupKey(bits), new Map());
-    }
-    addMember(pubkey, quotaPerBatch = 100, validForDays = 365) {
-        this.members.set(pubkey, {
-            pubkey,
-            expiresAt: Date.now() + validForDays * 86400_000,
-            quotaPerBatch,
-        });
-    }
-    removeMember(pubkey) {
-        return this.members.delete(pubkey);
-    }
-    /**
-     * Sign a batch of blinded tokens submitted by a member. The admin
-     * authenticates the request out-of-band (member identity auth happens
-     * at the HTTP layer via a member signing key — not modelled here).
-     *
-     * Throws on: unknown member, expired membership, batch-too-large.
-     */
-    signBatch(memberPubkey, blinded) {
-        const member = this.members.get(memberPubkey);
-        if (!member)
-            throw new Error(`unknown member: ${memberPubkey.slice(0, 16)}...`);
-        if (member.expiresAt < Date.now())
-            throw new Error('member membership expired');
-        if (blinded.length > member.quotaPerBatch) {
-            throw new Error(`batch size ${blinded.length} exceeds quota ${member.quotaPerBatch}`);
-        }
-        return blinded.map((b) => signBlinded(b, this.key));
-    }
-    publicKey() {
-        return exportGroupPublicKey(this.key);
-    }
-}
-/**
- * Member holds an identity pubkey (used by the admin for roster lookup)
- * and a local stash of unused (token, signature) pairs. Tokens are single-
- * use — consume one per borrow. Admin never saw any of these tokens.
- */
-export class GroupMember {
-    memberPubkey;
-    groupPublicKey;
-    tokens = [];
-    constructor(memberPubkey, groupPublicKey) {
-        this.memberPubkey = memberPubkey;
-        this.groupPublicKey = groupPublicKey;
-    }
-    /**
-     * Step 1 of a token batch: generate random tokens, blind each, return
-     * the blinded values (to send to admin) plus the per-token state
-     * (kept locally for unblinding after admin responds).
-     */
-    prepareBatch(count) {
-        const blinded = [];
-        const state = [];
-        for (let i = 0; i < count; i++) {
-            const token = randomBytes(32);
-            const { blinded: b, r } = blindToken(token, this.groupPublicKey);
-            blinded.push(b);
-            state.push({ token, r });
-        }
-        return { blinded, state };
-    }
-    /**
-     * Step 2 of a token batch: unblind each admin-signed value, verify the
-     * resulting raw signature, and add the (token, signature) pair to the
-     * local stash. Any verification failure throws — we never store a token
-     * whose signature doesn't check out.
-     */
-    finalizeBatch(signedBlinded, state) {
-        if (signedBlinded.length !== state.length) {
-            throw new Error('finalizeBatch: length mismatch');
-        }
-        const toStore = [];
-        for (let i = 0; i < signedBlinded.length; i++) {
-            const signature = unblindSignature(signedBlinded[i], state[i].r, this.groupPublicKey);
-            if (!verifyTokenSignature(state[i].token, signature, this.groupPublicKey)) {
-                throw new Error(`finalizeBatch: signature ${i} failed verification`);
-            }
-            toStore.push({ token: state[i].token, signature });
-        }
-        this.tokens.push(...toStore);
-    }
-    consumeToken() {
-        return this.tokens.shift() ?? null;
-    }
-    tokenCount() {
-        return this.tokens.length;
-    }
-}
-/**
- * Lender holds the group public key and a set of token hashes that have
- * already been redeemed. Memory-only in v1; a persisted set would be a
- * sqlite table keyed on token hash, or just a file of sha256 hex lines.
- *
- * The lender LEARNS NOTHING about which member borrowed. That's the
- * whole point — blind signatures decouple "who signed this request"
- * (the admin, uniformly) from "who holds the token" (one specific
- * member who is anonymous to the lender).
- */
-export class GroupLender {
-    groupId;
-    groupPublicKey;
-    seenTokens = new Set();
-    maxSeenTokens;
-    constructor(groupId, groupPublicKey, opts = {}) {
-        this.groupId = groupId;
-        this.groupPublicKey = groupPublicKey;
-        this.maxSeenTokens = opts.maxSeenTokens ?? 100_000;
-    }
-    acceptBorrow(token, signature) {
-        if (!verifyTokenSignature(token, signature, this.groupPublicKey)) {
-            return { ok: false, reason: 'invalid_signature' };
-        }
-        const hash = createHash('sha256').update(token).digest('hex');
-        if (this.seenTokens.has(hash)) {
-            return { ok: false, reason: 'double_spend' };
-        }
-        this.seenTokens.add(hash);
-        if (this.seenTokens.size > this.maxSeenTokens) {
-            const oldest = this.seenTokens.values().next().value;
-            if (oldest)
-                this.seenTokens.delete(oldest);
-        }
-        return { ok: true };
-    }
-    seenCount() {
-        return this.seenTokens.size;
-    }
-}
-export function encodeBorrowEnvelope(groupId, bt, request) {
-    const env = {
-        v: 1,
-        groupId,
-        token: bt.token.toString('base64url'),
-        sig: bt.signature.toString(16),
-        request,
-    };
-    return JSON.stringify(env);
-}
-export function decodeBorrowEnvelope(s) {
-    try {
-        const obj = JSON.parse(s);
-        if (obj?.v !== 1 ||
-            typeof obj.groupId !== 'string' ||
-            typeof obj.token !== 'string' ||
-            typeof obj.sig !== 'string' ||
-            obj.request === undefined) {
-            return null;
-        }
-        return obj;
-    }
-    catch {
-        return null;
-    }
-}
-export function parseBorrowToken(env) {
-    try {
-        return {
-            token: Buffer.from(env.token, 'base64url'),
-            signature: BigInt('0x' + env.sig),
-        };
-    }
-    catch {
-        return null;
-    }
-}