@askalf/dario 3.3.0 → 3.4.0

package/README.md

@@ -74,6 +74,8 @@ Opus, Sonnet, Haiku — all models, streaming, tool use. **Zero dependencies.**
 </tr>
 </table>
 
+> **Need more than a proxy?** Dario solves the API access problem. If you need a full agent fleet — desktop control, browser automation, scheduling, custom tools, persistent memory — check out the [askalf platform](https://askalf.org). Same team, different execution model that solves the proxy ceiling entirely.
+
 ---
 
 ## Why dario

package/dist/cc-oauth-detect.d.ts

@@ -0,0 +1,47 @@
+/**
+ * CC OAuth Auto-Detection
+ *
+ * Scans the installed Claude Code binary to extract its OAuth configuration
+ * (client_id, authorize URL, token URL, scopes). Eliminates the need to
+ * hardcode values that Anthropic rotates between CC releases.
+ *
+ * CC ships two OAuth client configurations in one binary:
+ *
+ *   1. LOCAL flow — used when the OAuth client owns the callback
+ *      (i.e. runs an HTTP server on localhost). This is what dario does.
+ *      Identified by OAUTH_FILE_SUFFIX:"-local-oauth" next to the CLIENT_ID.
+ *
+ *   2. PLATFORM flow — used when the callback is hosted at
+ *      platform.claude.com/oauth/code/callback. Different CLIENT_ID.
+ *      Not applicable to dario.
+ *
+ * We scan for the LOCAL block and extract its config.
+ *
+ * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache.json so
+ * startup only re-scans when the user upgrades Claude Code.
+ */
+export interface DetectedOAuthConfig {
+    clientId: string;
+    authorizeUrl: string;
+    tokenUrl: string;
+    scopes: string;
+    source: 'detected' | 'cached' | 'fallback';
+    ccPath?: string;
+    ccHash?: string;
+}
+/**
+ * Scan binary bytes for the LOCAL-oauth OAuth block.
+ * Uses Buffer.indexOf to locate anchor strings, then slices a small
+ * window of context to run regexes on. This avoids converting the
+ * whole binary to a JS string.
+ */
+export declare function scanBinaryForOAuthConfig(buf: Buffer): Omit<DetectedOAuthConfig, 'source' | 'ccPath' | 'ccHash'> | null;
+/**
+ * Get the OAuth config for dario to use. Scans the installed CC binary
+ * on first call, caches to disk, and memoizes in-process for subsequent
+ * calls. If no binary is found or scanning fails, falls back to the
+ * known-good v2.1.104 values.
+ */
+export declare function detectCCOAuthConfig(): Promise<DetectedOAuthConfig>;
+/** Test-only: reset in-process memoization. */
+export declare function _resetDetectorCache(): void;

package/dist/cc-oauth-detect.js

@@ -0,0 +1,232 @@
+/**
+ * CC OAuth Auto-Detection
+ *
+ * Scans the installed Claude Code binary to extract its OAuth configuration
+ * (client_id, authorize URL, token URL, scopes). Eliminates the need to
+ * hardcode values that Anthropic rotates between CC releases.
+ *
+ * CC ships two OAuth client configurations in one binary:
+ *
+ *   1. LOCAL flow — used when the OAuth client owns the callback
+ *      (i.e. runs an HTTP server on localhost). This is what dario does.
+ *      Identified by OAUTH_FILE_SUFFIX:"-local-oauth" next to the CLIENT_ID.
+ *
+ *   2. PLATFORM flow — used when the callback is hosted at
+ *      platform.claude.com/oauth/code/callback. Different CLIENT_ID.
+ *      Not applicable to dario.
+ *
+ * We scan for the LOCAL block and extract its config.
+ *
+ * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache.json so
+ * startup only re-scans when the user upgrades Claude Code.
+ */
+import { readFile, writeFile, mkdir, stat, open as openFile } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { homedir, platform } from 'node:os';
+import { join, dirname } from 'node:path';
+import { createHash } from 'node:crypto';
+// Last-resort fallback if CC binary can't be found or scanned.
+// These values are the known-good v2.1.104 local-oauth flow.
+const FALLBACK = {
+    clientId: '22422756-60c9-4084-8eb7-27705fd5cf9a',
+    authorizeUrl: 'https://claude.com/cai/oauth/authorize',
+    tokenUrl: 'https://platform.claude.com/v1/oauth/token',
+    scopes: 'user:profile user:inference user:sessions:claude_code user:mcp_servers',
+    source: 'fallback',
+};
+const CACHE_PATH = join(homedir(), '.dario', 'cc-oauth-cache.json');
+function candidatePaths() {
+    const home = homedir();
+    if (platform() === 'win32') {
+        return [
+            join(home, '.local', 'bin', 'claude.exe'),
+            join(home, 'AppData', 'Roaming', 'npm', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.js'),
+            join(home, 'AppData', 'Roaming', 'npm', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.mjs'),
+            join(home, '.claude', 'local', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.js'),
+            join(home, '.claude', 'local', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.mjs'),
+        ];
+    }
+    return [
+        join(home, '.local', 'bin', 'claude'),
+        '/usr/local/bin/claude',
+        '/opt/homebrew/bin/claude',
+        '/usr/local/lib/node_modules/@anthropic-ai/claude-code/cli.js',
+        '/usr/local/lib/node_modules/@anthropic-ai/claude-code/cli.mjs',
+        '/opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/cli.js',
+        join(home, '.claude', 'local', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.js'),
+        join(home, '.claude', 'local', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.mjs'),
+    ];
+}
+function findCCBinary() {
+    const override = process.env['DARIO_CC_PATH'];
+    if (override && existsSync(override))
+        return override;
+    for (const p of candidatePaths()) {
+        if (existsSync(p))
+            return p;
+    }
+    return null;
+}
+/**
+ * Fast fingerprint of a binary for caching. We hash the first 64KB plus
+ * size+mtime — this discriminates CC versions without reading GBs off disk.
+ */
+async function fingerprintBinary(path) {
+    const st = await stat(path);
+    const fh = await openFile(path, 'r');
+    try {
+        const buf = Buffer.alloc(Math.min(65536, st.size));
+        await fh.read(buf, 0, buf.length, 0);
+        const h = createHash('sha256');
+        h.update(buf);
+        h.update(String(st.size));
+        h.update(String(st.mtimeMs));
+        return h.digest('hex').slice(0, 16);
+    }
+    finally {
+        await fh.close();
+    }
+}
+/**
+ * Scan binary bytes for the LOCAL-oauth OAuth block.
+ * Uses Buffer.indexOf to locate anchor strings, then slices a small
+ * window of context to run regexes on. This avoids converting the
+ * whole binary to a JS string.
+ */
+export function scanBinaryForOAuthConfig(buf) {
+    // Anchor: `OAUTH_FILE_SUFFIX:"-local-oauth"` — this is the config-block
+    // occurrence, not the switch-case string literal. The switch-case produces
+    // just `-local-oauth` bytes, but the config object serializes as
+    // `OAUTH_FILE_SUFFIX:"-local-oauth"` with the key+quote prefix, which is
+    // stable across minified CC builds.
+    const anchor = Buffer.from('OAUTH_FILE_SUFFIX:"-local-oauth"');
+    let anchorIdx = buf.indexOf(anchor);
+    // Fallback anchor — some builds may tokenize differently.
+    if (anchorIdx === -1) {
+        const looseAnchor = Buffer.from('"-local-oauth"');
+        anchorIdx = buf.indexOf(looseAnchor);
+    }
+    if (anchorIdx === -1)
+        return null;
+    // The CLIENT_ID sits within a few hundred bytes BEFORE the anchor
+    // (in the same config object). Extract a window around it.
+    const windowStart = Math.max(0, anchorIdx - 1024);
+    const windowEnd = Math.min(buf.length, anchorIdx + 64);
+    const localBlock = buf.slice(windowStart, windowEnd).toString('latin1');
+    // Pick the CLIENT_ID that's CLOSEST to the anchor (last occurrence in window).
+    const cidRegex = /CLIENT_ID\s*:\s*"([0-9a-f-]{36})"/gi;
+    let lastCid = null;
+    let m;
+    while ((m = cidRegex.exec(localBlock)) !== null) {
+        if (m[1])
+            lastCid = m[1];
+    }
+    if (!lastCid)
+        return null;
+    const clientId = lastCid;
+    // Authorize URL: CLAUDE_AI_AUTHORIZE_URL appears once in the binary.
+    const authAnchor = Buffer.from('CLAUDE_AI_AUTHORIZE_URL');
+    const authIdx = buf.indexOf(authAnchor);
+    let authorizeUrl = FALLBACK.authorizeUrl;
+    if (authIdx !== -1) {
+        const w = buf.slice(authIdx, Math.min(buf.length, authIdx + 256)).toString('latin1');
+        const m = /CLAUDE_AI_AUTHORIZE_URL\s*:\s*"([^"]+)"/.exec(w);
+        if (m && m[1])
+            authorizeUrl = m[1];
+    }
+    // Token URL: TOKEN_URL — look for the one under platform.claude.com/.../oauth/token
+    const tokenAnchor = Buffer.from('TOKEN_URL');
+    let searchFrom = 0;
+    let tokenUrl = FALLBACK.tokenUrl;
+    while (searchFrom < buf.length) {
+        const idx = buf.indexOf(tokenAnchor, searchFrom);
+        if (idx === -1)
+            break;
+        const w = buf.slice(idx, Math.min(buf.length, idx + 128)).toString('latin1');
+        const m = /TOKEN_URL\s*:\s*"(https:\/\/[^"]*\/oauth\/token[^"]*)"/.exec(w);
+        if (m && m[1]) {
+            tokenUrl = m[1];
+            break;
+        }
+        searchFrom = idx + tokenAnchor.length;
+    }
+    // Scopes: contiguous quoted string of "user:X user:Y user:Z ..."
+    // Search for an anchor like "user:profile " which is the first scope.
+    const scopeAnchor = Buffer.from('"user:profile ');
+    let scopes = FALLBACK.scopes;
+    const scopeIdx = buf.indexOf(scopeAnchor);
+    if (scopeIdx !== -1) {
+        const w = buf.slice(scopeIdx, Math.min(buf.length, scopeIdx + 512)).toString('latin1');
+        const m = /"(user:profile(?:\s+user:[a-z_:]+)+)"/.exec(w);
+        if (m && m[1])
+            scopes = m[1];
+    }
+    return { clientId, authorizeUrl, tokenUrl, scopes };
+}
+async function loadCache() {
+    try {
+        const raw = await readFile(CACHE_PATH, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed?.hash && parsed?.config?.clientId) {
+            return { hash: parsed.hash, config: parsed.config };
+        }
+    }
+    catch { /* no cache */ }
+    return null;
+}
+async function saveCache(hash, config) {
+    try {
+        await mkdir(dirname(CACHE_PATH), { recursive: true });
+        await writeFile(CACHE_PATH, JSON.stringify({ hash, config, savedAt: Date.now() }, null, 2));
+    }
+    catch { /* ignore cache write errors */ }
+}
+let memoized = null;
+/**
+ * Get the OAuth config for dario to use. Scans the installed CC binary
+ * on first call, caches to disk, and memoizes in-process for subsequent
+ * calls. If no binary is found or scanning fails, falls back to the
+ * known-good v2.1.104 values.
+ */
+export async function detectCCOAuthConfig() {
+    if (memoized)
+        return memoized;
+    try {
+        const ccPath = findCCBinary();
+        if (!ccPath) {
+            memoized = FALLBACK;
+            return memoized;
+        }
+        const hash = await fingerprintBinary(ccPath);
+        // Check cache
+        const cached = await loadCache();
+        if (cached && cached.hash === hash) {
+            memoized = { ...cached.config, source: 'cached', ccPath, ccHash: hash };
+            return memoized;
+        }
+        // Read binary and scan
+        const buf = await readFile(ccPath);
+        const scanned = scanBinaryForOAuthConfig(buf);
+        if (!scanned) {
+            memoized = { ...FALLBACK, ccPath, ccHash: hash };
+            return memoized;
+        }
+        const detected = {
+            ...scanned,
+            source: 'detected',
+            ccPath,
+            ccHash: hash,
+        };
+        await saveCache(hash, detected);
+        memoized = detected;
+        return memoized;
+    }
+    catch {
+        memoized = FALLBACK;
+        return memoized;
+    }
+}
+/** Test-only: reset in-process memoization. */
+export function _resetDetectorCache() {
+    memoized = null;
+}

package/dist/oauth.js

@@ -8,13 +8,17 @@ import { randomBytes, createHash } from 'node:crypto';
 import { readFile, writeFile, mkdir, rename } from 'node:fs/promises';
 import { dirname, join } from 'node:path';
 import { homedir } from 'node:os';
-// Claude Code's public OAuth client (PKCE, no secret needed) — extracted from CC v2.1.104 binary
-const OAUTH_CLIENT_ID = '22422756-60c9-4084-8eb7-27705fd5cf9a';
-// Max Plan OAuth (for Claude Pro/Max subscriptions) — claude.com/cai/oauth/authorize
-const OAUTH_AUTHORIZE_URL = 'https://claude.com/cai/oauth/authorize';
-const OAUTH_TOKEN_URL = 'https://platform.claude.com/v1/oauth/token';
-// Max plan scopes (excludes org:create_api_key which requires Console plan)
-const OAUTH_SCOPES = 'user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload';
+import { detectCCOAuthConfig } from './cc-oauth-detect.js';
+// OAuth config is auto-detected at runtime from the installed Claude Code
+// binary. This eliminates the "Anthropic rotated the client_id again" class
+// of bugs — dario stays in sync with whatever CC version the user has
+// installed, forever. See cc-oauth-detect.ts for the scanner.
+//
+// Hardcoded fallbacks live in cc-oauth-detect.ts and are the known-good
+// CC v2.1.104 local-oauth flow values.
+async function getOAuthConfig() {
+    return detectCCOAuthConfig();
+}
 // Refresh 30 min before expiry
 const REFRESH_BUFFER_MS = 30 * 60 * 1000;
 // After a failed refresh, don't retry for 60s to avoid spam
@@ -116,17 +120,18 @@ export async function startAutoOAuthFlow() {
         server.listen(0, 'localhost', async () => {
             const addr = server.address();
             port = typeof addr === 'object' && addr ? addr.port : 0;
+            const cfg = await getOAuthConfig();
             const params = new URLSearchParams({
                 code: 'true',
-                client_id: OAUTH_CLIENT_ID,
+                client_id: cfg.clientId,
                 response_type: 'code',
                 redirect_uri: `http://localhost:${port}/callback`,
-                scope: OAUTH_SCOPES,
+                scope: cfg.scopes,
                 code_challenge: codeChallenge,
                 code_challenge_method: 'S256',
                 state,
             });
-            const authUrl = `${OAUTH_AUTHORIZE_URL}?${params.toString()}`;
+            const authUrl = `${cfg.authorizeUrl}?${params.toString()}`;
             // Open browser
             console.log('  Opening browser to sign in...');
             console.log(`  If the browser didn't open, visit: ${authUrl}`);
@@ -152,12 +157,13 @@ export async function startAutoOAuthFlow() {
  * Exchange code using the localhost redirect URI.
  */
 async function exchangeCodeWithRedirect(code, codeVerifier, state, port) {
-    const res = await fetch(OAUTH_TOKEN_URL, {
+    const cfg = await getOAuthConfig();
+    const res = await fetch(cfg.tokenUrl, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
             grant_type: 'authorization_code',
-            client_id: OAUTH_CLIENT_ID,
+            client_id: cfg.clientId,
             code,
             redirect_uri: `http://localhost:${port}/callback`,
             code_verifier: codeVerifier,
@@ -201,16 +207,17 @@ async function doRefreshTokens() {
         throw new Error('No refresh token available. Run `dario login` first.');
     }
     const oauth = creds.claudeAiOauth;
+    const cfg = await getOAuthConfig();
     for (let attempt = 0; attempt < 3; attempt++) {
         if (attempt > 0)
             await new Promise(r => setTimeout(r, 1000 * Math.pow(2, attempt)));
-        const res = await fetch(OAUTH_TOKEN_URL, {
+        const res = await fetch(cfg.tokenUrl, {
             method: 'POST',
             headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
             body: new URLSearchParams({
                 grant_type: 'refresh_token',
                 refresh_token: oauth.refreshToken,
-                client_id: OAUTH_CLIENT_ID,
+                client_id: cfg.clientId,
             }),
             signal: AbortSignal.timeout(15000),
         });

package/dist/proxy.js

@@ -767,12 +767,22 @@ export async function startProxy(opts = {}) {
                 body: finalBody ? new Uint8Array(finalBody) : undefined,
                 signal: AbortSignal.timeout(UPSTREAM_TIMEOUT_MS),
             });
-            // Auto-retry without context-1m if it triggers a long-context billing error
-            if (upstream.status === 429 && !passthrough) {
-                const peekBody = await upstream.text().catch(() => '');
-                if (peekBody.includes('long context') || peekBody.includes('Extra usage is required')) {
+            // Auto-retry without context-1m if it triggers a long-context billing error.
+            // Anthropic returns this as either 400 ("long context beta is not yet available
+            // for this subscription") or 429 ("Extra usage is required for long context
+            // requests") depending on the endpoint — we handle both.
+            //
+            // Note: `upstream.text()` consumes the body, so once we peek we MUST
+            // handle the response here (can't fall through to the normal forwarder).
+            let peekedBody = null;
+            if ((upstream.status === 400 || upstream.status === 429) && !passthrough) {
+                peekedBody = await upstream.text().catch(() => '');
+                const isLongContextError = peekedBody.includes('long context')
+                    || peekedBody.includes('Extra usage is required')
+                    || peekedBody.includes('long_context');
+                if (isLongContextError) {
                     if (verbose)
-                        console.log(`[dario] #${requestCount} context-1m rejected — retrying without it`);
+                        console.log(`[dario] #${requestCount} context-1m rejected (${upstream.status}) — retrying without it`);
                     const reducedBeta = beta.replace(',context-1m-2025-08-07', '').replace('context-1m-2025-08-07,', '');
                     const retryHeaders = { ...headers, 'anthropic-beta': reducedBeta };
                     const retry = await fetch(targetBase, {
@@ -781,13 +791,13 @@ export async function startProxy(opts = {}) {
                         body: finalBody ? new Uint8Array(finalBody) : undefined,
                         signal: AbortSignal.timeout(UPSTREAM_TIMEOUT_MS),
                     });
-                    // Use the retry response from here on
+                    // Use the retry response from here on — peeked body is now stale
                     upstream = retry;
+                    peekedBody = null;
                 }
-                else {
-                    // Not a context-1m issue — handle as normal 429 below
-                    // Re-wrap the already-consumed body for downstream handling
-                    const enriched = enrich429(peekBody, upstream.headers);
+                else if (upstream.status === 429) {
+                    // Not a context-1m issue — return enriched 429 directly
+                    const enriched = enrich429(peekedBody, upstream.headers);
                     if (!(cliAvailable && !useCli)) {
                         const responseHeaders = {
                             'Content-Type': 'application/json',
@@ -804,7 +814,25 @@ export async function startProxy(opts = {}) {
                         res.end(enriched);
                         return;
                     }
-                    // Fall through to CLI fallback below
+                    // Fall through to CLI fallback below — need to re-handle 429 with
+                    // already-consumed body; stash it for the fallback path.
+                }
+                else if (upstream.status === 400) {
+                    // Non-long-context 400 — forward upstream error directly.
+                    // The body is already consumed, so we write it straight out.
+                    const responseHeaders = {
+                        'Content-Type': upstream.headers.get('content-type') ?? 'application/json',
+                        'Access-Control-Allow-Origin': corsOrigin,
+                        ...SECURITY_HEADERS,
+                    };
+                    for (const [key, value] of upstream.headers.entries()) {
+                        if (key === 'request-id')
+                            responseHeaders[key] = value;
+                    }
+                    requestCount++;
+                    res.writeHead(400, responseHeaders);
+                    res.end(peekedBody);
+                    return;
                 }
             }
             // Enrich 429 errors with rate limit details from headers (Anthropic only returns "Error")

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.3.0",
+  "version": "3.4.0",
   "description": "Use your Claude subscription as an API. No API key needed. Local proxy for Claude Max/Pro subscriptions.",
   "type": "module",
   "bin": {