@askalf/dario 3.3.0 → 3.4.1

package/dist/cc-oauth-detect.js

@@ -0,0 +1,232 @@
+/**
+ * CC OAuth Auto-Detection
+ *
+ * Scans the installed Claude Code binary to extract its OAuth configuration
+ * (client_id, authorize URL, token URL, scopes). Eliminates the need to
+ * hardcode values that Anthropic rotates between CC releases.
+ *
+ * CC ships two OAuth client configurations in one binary:
+ *
+ *   1. LOCAL flow — used when the OAuth client owns the callback
+ *      (i.e. runs an HTTP server on localhost). This is what dario does.
+ *      Identified by OAUTH_FILE_SUFFIX:"-local-oauth" next to the CLIENT_ID.
+ *
+ *   2. PLATFORM flow — used when the callback is hosted at
+ *      platform.claude.com/oauth/code/callback. Different CLIENT_ID.
+ *      Not applicable to dario.
+ *
+ * We scan for the LOCAL block and extract its config.
+ *
+ * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache.json so
+ * startup only re-scans when the user upgrades Claude Code.
+ */
+import { readFile, writeFile, mkdir, stat, open as openFile } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { homedir, platform } from 'node:os';
+import { join, dirname } from 'node:path';
+import { createHash } from 'node:crypto';
+// Last-resort fallback if CC binary can't be found or scanned.
+// These values are the known-good v2.1.104 local-oauth flow.
+const FALLBACK = {
+    clientId: '22422756-60c9-4084-8eb7-27705fd5cf9a',
+    authorizeUrl: 'https://claude.com/cai/oauth/authorize',
+    tokenUrl: 'https://platform.claude.com/v1/oauth/token',
+    scopes: 'user:profile user:inference user:sessions:claude_code user:mcp_servers',
+    source: 'fallback',
+};
+const CACHE_PATH = join(homedir(), '.dario', 'cc-oauth-cache.json');
+function candidatePaths() {
+    const home = homedir();
+    if (platform() === 'win32') {
+        return [
+            join(home, '.local', 'bin', 'claude.exe'),
+            join(home, 'AppData', 'Roaming', 'npm', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.js'),
+            join(home, 'AppData', 'Roaming', 'npm', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.mjs'),
+            join(home, '.claude', 'local', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.js'),
+            join(home, '.claude', 'local', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.mjs'),
+        ];
+    }
+    return [
+        join(home, '.local', 'bin', 'claude'),
+        '/usr/local/bin/claude',
+        '/opt/homebrew/bin/claude',
+        '/usr/local/lib/node_modules/@anthropic-ai/claude-code/cli.js',
+        '/usr/local/lib/node_modules/@anthropic-ai/claude-code/cli.mjs',
+        '/opt/homebrew/lib/node_modules/@anthropic-ai/claude-code/cli.js',
+        join(home, '.claude', 'local', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.js'),
+        join(home, '.claude', 'local', 'node_modules', '@anthropic-ai', 'claude-code', 'cli.mjs'),
+    ];
+}
+function findCCBinary() {
+    const override = process.env['DARIO_CC_PATH'];
+    if (override && existsSync(override))
+        return override;
+    for (const p of candidatePaths()) {
+        if (existsSync(p))
+            return p;
+    }
+    return null;
+}
+/**
+ * Fast fingerprint of a binary for caching. We hash the first 64KB plus
+ * size+mtime — this discriminates CC versions without reading GBs off disk.
+ */
+async function fingerprintBinary(path) {
+    const st = await stat(path);
+    const fh = await openFile(path, 'r');
+    try {
+        const buf = Buffer.alloc(Math.min(65536, st.size));
+        await fh.read(buf, 0, buf.length, 0);
+        const h = createHash('sha256');
+        h.update(buf);
+        h.update(String(st.size));
+        h.update(String(st.mtimeMs));
+        return h.digest('hex').slice(0, 16);
+    }
+    finally {
+        await fh.close();
+    }
+}
+/**
+ * Scan binary bytes for the LOCAL-oauth OAuth block.
+ * Uses Buffer.indexOf to locate anchor strings, then slices a small
+ * window of context to run regexes on. This avoids converting the
+ * whole binary to a JS string.
+ */
+export function scanBinaryForOAuthConfig(buf) {
+    // Anchor: `OAUTH_FILE_SUFFIX:"-local-oauth"` — this is the config-block
+    // occurrence, not the switch-case string literal. The switch-case produces
+    // just `-local-oauth` bytes, but the config object serializes as
+    // `OAUTH_FILE_SUFFIX:"-local-oauth"` with the key+quote prefix, which is
+    // stable across minified CC builds.
+    const anchor = Buffer.from('OAUTH_FILE_SUFFIX:"-local-oauth"');
+    let anchorIdx = buf.indexOf(anchor);
+    // Fallback anchor — some builds may tokenize differently.
+    if (anchorIdx === -1) {
+        const looseAnchor = Buffer.from('"-local-oauth"');
+        anchorIdx = buf.indexOf(looseAnchor);
+    }
+    if (anchorIdx === -1)
+        return null;
+    // The CLIENT_ID sits within a few hundred bytes BEFORE the anchor
+    // (in the same config object). Extract a window around it.
+    const windowStart = Math.max(0, anchorIdx - 1024);
+    const windowEnd = Math.min(buf.length, anchorIdx + 64);
+    const localBlock = buf.slice(windowStart, windowEnd).toString('latin1');
+    // Pick the CLIENT_ID that's CLOSEST to the anchor (last occurrence in window).
+    const cidRegex = /CLIENT_ID\s*:\s*"([0-9a-f-]{36})"/gi;
+    let lastCid = null;
+    let m;
+    while ((m = cidRegex.exec(localBlock)) !== null) {
+        if (m[1])
+            lastCid = m[1];
+    }
+    if (!lastCid)
+        return null;
+    const clientId = lastCid;
+    // Authorize URL: CLAUDE_AI_AUTHORIZE_URL appears once in the binary.
+    const authAnchor = Buffer.from('CLAUDE_AI_AUTHORIZE_URL');
+    const authIdx = buf.indexOf(authAnchor);
+    let authorizeUrl = FALLBACK.authorizeUrl;
+    if (authIdx !== -1) {
+        const w = buf.slice(authIdx, Math.min(buf.length, authIdx + 256)).toString('latin1');
+        const m = /CLAUDE_AI_AUTHORIZE_URL\s*:\s*"([^"]+)"/.exec(w);
+        if (m && m[1])
+            authorizeUrl = m[1];
+    }
+    // Token URL: TOKEN_URL — look for the one under platform.claude.com/.../oauth/token
+    const tokenAnchor = Buffer.from('TOKEN_URL');
+    let searchFrom = 0;
+    let tokenUrl = FALLBACK.tokenUrl;
+    while (searchFrom < buf.length) {
+        const idx = buf.indexOf(tokenAnchor, searchFrom);
+        if (idx === -1)
+            break;
+        const w = buf.slice(idx, Math.min(buf.length, idx + 128)).toString('latin1');
+        const m = /TOKEN_URL\s*:\s*"(https:\/\/[^"]*\/oauth\/token[^"]*)"/.exec(w);
+        if (m && m[1]) {
+            tokenUrl = m[1];
+            break;
+        }
+        searchFrom = idx + tokenAnchor.length;
+    }
+    // Scopes: contiguous quoted string of "user:X user:Y user:Z ..."
+    // Search for an anchor like "user:profile " which is the first scope.
+    const scopeAnchor = Buffer.from('"user:profile ');
+    let scopes = FALLBACK.scopes;
+    const scopeIdx = buf.indexOf(scopeAnchor);
+    if (scopeIdx !== -1) {
+        const w = buf.slice(scopeIdx, Math.min(buf.length, scopeIdx + 512)).toString('latin1');
+        const m = /"(user:profile(?:\s+user:[a-z_:]+)+)"/.exec(w);
+        if (m && m[1])
+            scopes = m[1];
+    }
+    return { clientId, authorizeUrl, tokenUrl, scopes };
+}
+async function loadCache() {
+    try {
+        const raw = await readFile(CACHE_PATH, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed?.hash && parsed?.config?.clientId) {
+            return { hash: parsed.hash, config: parsed.config };
+        }
+    }
+    catch { /* no cache */ }
+    return null;
+}
+async function saveCache(hash, config) {
+    try {
+        await mkdir(dirname(CACHE_PATH), { recursive: true });
+        await writeFile(CACHE_PATH, JSON.stringify({ hash, config, savedAt: Date.now() }, null, 2));
+    }
+    catch { /* ignore cache write errors */ }
+}
+let memoized = null;
+/**
+ * Get the OAuth config for dario to use. Scans the installed CC binary
+ * on first call, caches to disk, and memoizes in-process for subsequent
+ * calls. If no binary is found or scanning fails, falls back to the
+ * known-good v2.1.104 values.
+ */
+export async function detectCCOAuthConfig() {
+    if (memoized)
+        return memoized;
+    try {
+        const ccPath = findCCBinary();
+        if (!ccPath) {
+            memoized = FALLBACK;
+            return memoized;
+        }
+        const hash = await fingerprintBinary(ccPath);
+        // Check cache
+        const cached = await loadCache();
+        if (cached && cached.hash === hash) {
+            memoized = { ...cached.config, source: 'cached', ccPath, ccHash: hash };
+            return memoized;
+        }
+        // Read binary and scan
+        const buf = await readFile(ccPath);
+        const scanned = scanBinaryForOAuthConfig(buf);
+        if (!scanned) {
+            memoized = { ...FALLBACK, ccPath, ccHash: hash };
+            return memoized;
+        }
+        const detected = {
+            ...scanned,
+            source: 'detected',
+            ccPath,
+            ccHash: hash,
+        };
+        await saveCache(hash, detected);
+        memoized = detected;
+        return memoized;
+    }
+    catch {
+        memoized = FALLBACK;
+        return memoized;
+    }
+}
+/** Test-only: reset in-process memoization. */
+export function _resetDetectorCache() {
+    memoized = null;
+}

package/dist/cc-template.d.ts

@@ -1,11 +1,11 @@
 /**
- * Claude Code request template — auto-extracted from CC v2.1.104 MITM capture.
+ * Claude Code request template.
  *
  * Tool definitions, system prompt, and request structure are loaded from
- * cc-template-data.json (extracted via MITM proxy from real CC session).
- * This ensures byte-level fidelity with real CC requests.
+ * cc-template-data.json and sent verbatim — this gives byte-level fidelity
+ * with the shape of a real Claude Code request.
  */
-/** CC's exact tool definitions — loaded from MITM capture. */
+/** CC's exact tool definitions — loaded from the template JSON. */
 export declare const CC_TOOL_DEFINITIONS: {
     name: string;
     description: string;

package/dist/cc-template.js

@@ -1,9 +1,9 @@
 /**
- * Claude Code request template — auto-extracted from CC v2.1.104 MITM capture.
+ * Claude Code request template.
  *
  * Tool definitions, system prompt, and request structure are loaded from
- * cc-template-data.json (extracted via MITM proxy from real CC session).
- * This ensures byte-level fidelity with real CC requests.
+ * cc-template-data.json and sent verbatim — this gives byte-level fidelity
+ * with the shape of a real Claude Code request.
  */
 import { readFileSync } from 'node:fs';
 import { join, dirname } from 'node:path';
@@ -11,7 +11,7 @@ import { fileURLToPath } from 'node:url';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 // Load template data at module init — fail fast if missing
 const TEMPLATE = JSON.parse(readFileSync(join(__dirname, 'cc-template-data.json'), 'utf-8'));
-/** CC's exact tool definitions — loaded from MITM capture. */
+/** CC's exact tool definitions — loaded from the template JSON. */
 export const CC_TOOL_DEFINITIONS = TEMPLATE.tools;
 /** CC's static system prompt (~25KB). */
 export const CC_SYSTEM_PROMPT = TEMPLATE.system_prompt;
@@ -182,7 +182,7 @@ export function buildCCRequest(clientBody, billingTag, cache1h, identity, opts =
         systemText = systemText.replace(pattern, '');
     }
     // ── Build the CC request from template ──
-    // Key order matches CC v2.1.104 MITM capture exactly:
+    // Key order matches CC v2.1.104 exactly:
     // model, messages, system, tools, metadata, max_tokens, thinking, context_management, output_config, stream
     //
     // System prompt structure (3 blocks, matching real CC):

package/dist/cli.js

@@ -126,12 +126,11 @@ async function proxy() {
         process.exit(1);
     }
     const verbose = args.includes('--verbose') || args.includes('-v');
-    const cliBackend = args.includes('--cli');
     const passthrough = args.includes('--passthrough') || args.includes('--thin');
     const preserveTools = args.includes('--preserve-tools') || args.includes('--keep-tools');
     const modelArg = args.find(a => a.startsWith('--model='));
     const model = modelArg ? modelArg.split('=')[1] : undefined;
-    await startProxy({ port, verbose, model, cliBackend, passthrough, preserveTools });
+    await startProxy({ port, verbose, model, passthrough, preserveTools });
 }
 async function help() {
     console.log(`
@@ -149,15 +148,14 @@ async function help() {
                              Shortcuts: opus, sonnet, haiku
                              Full IDs: claude-opus-4-6, claude-sonnet-4-6
                              Default: passthrough (client decides)
-    --cli                    Use Claude CLI as backend (bypasses rate limits)
-    --passthrough            Thin proxy — OAuth swap only, no injection
+    --passthrough, --thin    Thin proxy — OAuth swap only, no injection
     --preserve-tools         Keep client tool schemas (for agents with custom tools)
     --port=PORT              Port to listen on (default: 3456)
     --verbose, -v            Log all requests
 
   Quick start:
     dario login              # auto-detects Claude Code credentials
-    dario proxy              # or: dario proxy --cli --model=opus
+    dario proxy --model=opus # or: dario proxy --passthrough
 
   Then point any Anthropic SDK at http://localhost:3456:
     export ANTHROPIC_BASE_URL=http://localhost:3456

package/dist/oauth.js

@@ -8,13 +8,17 @@ import { randomBytes, createHash } from 'node:crypto';
 import { readFile, writeFile, mkdir, rename } from 'node:fs/promises';
 import { dirname, join } from 'node:path';
 import { homedir } from 'node:os';
-// Claude Code's public OAuth client (PKCE, no secret needed) — extracted from CC v2.1.104 binary
-const OAUTH_CLIENT_ID = '22422756-60c9-4084-8eb7-27705fd5cf9a';
-// Max Plan OAuth (for Claude Pro/Max subscriptions) — claude.com/cai/oauth/authorize
-const OAUTH_AUTHORIZE_URL = 'https://claude.com/cai/oauth/authorize';
-const OAUTH_TOKEN_URL = 'https://platform.claude.com/v1/oauth/token';
-// Max plan scopes (excludes org:create_api_key which requires Console plan)
-const OAUTH_SCOPES = 'user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload';
+import { detectCCOAuthConfig } from './cc-oauth-detect.js';
+// OAuth config is auto-detected at runtime from the installed Claude Code
+// binary. This eliminates the "Anthropic rotated the client_id again" class
+// of bugs — dario stays in sync with whatever CC version the user has
+// installed, forever. See cc-oauth-detect.ts for the scanner.
+//
+// Hardcoded fallbacks live in cc-oauth-detect.ts and are the known-good
+// CC v2.1.104 local-oauth flow values.
+async function getOAuthConfig() {
+    return detectCCOAuthConfig();
+}
 // Refresh 30 min before expiry
 const REFRESH_BUFFER_MS = 30 * 60 * 1000;
 // After a failed refresh, don't retry for 60s to avoid spam
@@ -116,17 +120,18 @@ export async function startAutoOAuthFlow() {
         server.listen(0, 'localhost', async () => {
             const addr = server.address();
             port = typeof addr === 'object' && addr ? addr.port : 0;
+            const cfg = await getOAuthConfig();
             const params = new URLSearchParams({
                 code: 'true',
-                client_id: OAUTH_CLIENT_ID,
+                client_id: cfg.clientId,
                 response_type: 'code',
                 redirect_uri: `http://localhost:${port}/callback`,
-                scope: OAUTH_SCOPES,
+                scope: cfg.scopes,
                 code_challenge: codeChallenge,
                 code_challenge_method: 'S256',
                 state,
             });
-            const authUrl = `${OAUTH_AUTHORIZE_URL}?${params.toString()}`;
+            const authUrl = `${cfg.authorizeUrl}?${params.toString()}`;
             // Open browser
             console.log('  Opening browser to sign in...');
             console.log(`  If the browser didn't open, visit: ${authUrl}`);
@@ -152,12 +157,13 @@ export async function startAutoOAuthFlow() {
  * Exchange code using the localhost redirect URI.
  */
 async function exchangeCodeWithRedirect(code, codeVerifier, state, port) {
-    const res = await fetch(OAUTH_TOKEN_URL, {
+    const cfg = await getOAuthConfig();
+    const res = await fetch(cfg.tokenUrl, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
             grant_type: 'authorization_code',
-            client_id: OAUTH_CLIENT_ID,
+            client_id: cfg.clientId,
             code,
             redirect_uri: `http://localhost:${port}/callback`,
             code_verifier: codeVerifier,
@@ -201,16 +207,17 @@ async function doRefreshTokens() {
         throw new Error('No refresh token available. Run `dario login` first.');
     }
     const oauth = creds.claudeAiOauth;
+    const cfg = await getOAuthConfig();
     for (let attempt = 0; attempt < 3; attempt++) {
         if (attempt > 0)
             await new Promise(r => setTimeout(r, 1000 * Math.pow(2, attempt)));
-        const res = await fetch(OAUTH_TOKEN_URL, {
+        const res = await fetch(cfg.tokenUrl, {
             method: 'POST',
             headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
             body: new URLSearchParams({
                 grant_type: 'refresh_token',
                 refresh_token: oauth.refreshToken,
-                client_id: OAUTH_CLIENT_ID,
+                client_id: cfg.clientId,
             }),
             signal: AbortSignal.timeout(15000),
         });

package/dist/proxy.d.ts

@@ -2,7 +2,6 @@ interface ProxyOptions {
     port?: number;
     verbose?: boolean;
     model?: string;
-    cliBackend?: boolean;
     passthrough?: boolean;
     preserveTools?: boolean;
 }