@askalf/dario 3.31.14 → 3.31.16

package/dist/accounts.js

@@ -23,6 +23,8 @@ import { randomUUID, randomBytes, createHash } from 'node:crypto';
 import { createServer } from 'node:http';
 import { detectCCOAuthConfig } from './cc-oauth-detect.js';
 import { loadCredentials } from './oauth.js';
+import { openBrowser } from './open-browser.js';
+import { redactSecrets } from './redact.js';
 const DARIO_DIR = join(homedir(), '.dario');
 const ACCOUNTS_DIR = join(DARIO_DIR, 'accounts');
 /**
@@ -161,7 +163,10 @@ async function doRefreshAccountToken(creds) {
     });
     if (!res.ok) {
         const errBody = await res.text().catch(() => '');
-        throw new Error(`Refresh failed for ${creds.alias} (${res.status}): ${errBody.slice(0, 200)}`);
+        // Redact tokens / JWTs / Bearer values before they hit the Error
+        // message — defense-in-depth against an upstream that ever echoes a
+        // credential into a 4xx body. See src/redact.ts.
+        throw new Error(`Refresh failed for ${creds.alias} (${res.status}): ${redactSecrets(errBody.slice(0, 200))}`);
     }
     const data = await res.json();
     const updated = {
@@ -186,13 +191,10 @@ function generatePKCE() {
     const codeChallenge = base64url(createHash('sha256').update(codeVerifier).digest());
     return { codeVerifier, codeChallenge };
 }
-function openBrowser(url) {
-    const { exec } = require('node:child_process');
-    const cmd = process.platform === 'win32' ? `start "" "${url}"`
-        : process.platform === 'darwin' ? `open "${url}"`
-            : `xdg-open "${url}"`;
-    exec(cmd, () => { });
-}
+// `openBrowser` lives in src/open-browser.ts — uses execFile + argv array
+// + URL-protocol allowlist instead of shell interpolation. The previous
+// inline `exec(\`start "" "${url}"\`)` pattern would have shelled out
+// any `&` / `|` / `^` / backtick / `$()` in a URL.
 /**
  * Interactive OAuth flow that adds a new account to the pool. Uses dario's
  * auto-detected CC OAuth config (same scanner the single-account path uses).
@@ -256,7 +258,7 @@ export async function addAccountViaOAuth(alias) {
                 });
                 if (!tokenRes.ok) {
                     const body = await tokenRes.text().catch(() => '');
-                    throw new Error(`Token exchange failed (${tokenRes.status}): ${body.slice(0, 200)}`);
+                    throw new Error(`Token exchange failed (${tokenRes.status}): ${redactSecrets(body.slice(0, 200))}`);
                 }
                 const tokens = await tokenRes.json();
                 // Prefer CC identity if installed; otherwise generate fresh IDs.
@@ -299,7 +301,10 @@ export async function addAccountViaOAuth(alias) {
             console.log(`  If the browser didn't open, visit:`);
             console.log(`  ${authUrl}`);
             console.log();
-            openBrowser(authUrl);
+            try {
+                openBrowser(authUrl);
+            }
+            catch { /* non-fatal: user has the URL printed above */ }
         });
         server.on('error', (err) => {
             reject(new Error(`Failed to start OAuth callback server: ${err.message}`));

package/dist/cli.js

@@ -12,34 +12,22 @@
 // ── Bun auto-relaunch ──
 // Bun's TLS fingerprint matches Claude Code's runtime (both use Bun/BoringSSL).
 // If Bun is installed and we're running on Node, relaunch under Bun for
-// network-level fingerprint fidelity.
-if (!('Bun' in globalThis) && !process.env.DARIO_NO_BUN) {
-    try {
-        const { execFileSync } = await import('node:child_process');
-        // Check if bun exists
-        execFileSync('bun', ['--version'], { stdio: 'ignore', timeout: 3000 });
-        // Relaunch under bun
-        const { spawn } = await import('node:child_process');
-        const child = spawn('bun', ['run', ...process.argv.slice(1)], {
-            stdio: 'inherit',
-            env: { ...process.env, DARIO_NO_BUN: '1' },
-        });
-        child.on('exit', (code) => process.exit(code ?? 0));
-        // Prevent this process from continuing
-        await new Promise(() => { });
-    }
-    catch {
-        // Bun not available, continue with Node
-    }
-}
+// network-level fingerprint fidelity. Moved below into the main-entry guard
+// at the bottom of the file so importing this module (e.g. from tests that
+// just want `parsePositiveIntEnv`) doesn't trigger a Bun relaunch or any
+// other startup side effect.
 import { unlink } from 'node:fs/promises';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
+import { pathToFileURL } from 'node:url';
 import { startAutoOAuthFlow, startManualOAuthFlow, detectHeadlessEnvironment, getStatus, refreshTokens, loadCredentials } from './oauth.js';
 import { startProxy, sanitizeError } from './proxy.js';
 import { VALID_EFFORT_VALUES } from './cc-template.js';
 import { listAccountAliases, loadAllAccounts, addAccountViaOAuth, removeAccount, ensureLoginCredentialsInPool, MIGRATED_LOGIN_ALIAS } from './accounts.js';
 import { listBackends, saveBackend, removeBackend } from './openai-backend.js';
+// `args` / `command` at module scope — command handlers below close over
+// `args` to read their own flags. Reading argv is harmless on import; only
+// the handler dispatch at the bottom is gated behind the main-entry check.
 const args = process.argv.slice(2);
 const command = args[0] ?? 'proxy';
 async function login() {
@@ -1159,13 +1147,42 @@ const commands = {
     '--version': version,
     '-V': version,
 };
-const handler = commands[command];
-if (!handler) {
-    console.error(`Unknown command: ${command}`);
-    console.error('Run `dario help` for usage.');
-    process.exit(1);
+// Main-entry guard. Only run the Bun auto-relaunch and handler dispatch when
+// this module is the direct entry point — importing it (from tests or for
+// a library helper like `parsePositiveIntEnv`) must NOT start the proxy.
+// Before this guard, `import { parsePositiveIntEnv } from './cli.js'` would
+// fall through to `command = args[0] ?? 'proxy'` and fire `handler()`, which
+// tried to run `startProxy()` and failed the test with "Not authenticated".
+const isDirectEntry = typeof process.argv[1] === 'string' &&
+    import.meta.url === pathToFileURL(process.argv[1]).href;
+if (isDirectEntry) {
+    // Bun auto-relaunch for TLS fingerprint fidelity. Only meaningful when
+    // dario is the direct entry — if we're imported, whoever imported us
+    // already chose their runtime.
+    if (!('Bun' in globalThis) && !process.env.DARIO_NO_BUN) {
+        try {
+            const { execFileSync, spawn } = await import('node:child_process');
+            execFileSync('bun', ['--version'], { stdio: 'ignore', timeout: 3000 });
+            const child = spawn('bun', ['run', ...process.argv.slice(1)], {
+                stdio: 'inherit',
+                env: { ...process.env, DARIO_NO_BUN: '1' },
+            });
+            child.on('exit', (code) => process.exit(code ?? 0));
+            // Prevent this process from continuing
+            await new Promise(() => { });
+        }
+        catch {
+            // Bun not available, continue with Node
+        }
+    }
+    const handler = commands[command];
+    if (!handler) {
+        console.error(`Unknown command: ${command}`);
+        console.error('Run `dario help` for usage.');
+        process.exit(1);
+    }
+    handler().catch(err => {
+        console.error('Fatal error:', sanitizeError(err));
+        process.exit(1);
+    });
 }
-handler().catch(err => {
-    console.error('Fatal error:', sanitizeError(err));
-    process.exit(1);
-});

package/dist/oauth.js

@@ -11,6 +11,7 @@ import { execFile } from 'node:child_process';
 import { dirname, join } from 'node:path';
 import { homedir, platform } from 'node:os';
 import { detectCCOAuthConfig } from './cc-oauth-detect.js';
+import { redactSecrets } from './redact.js';
 // Manual-flow redirect URI. Anthropic's authorize endpoint special-cases
 // this value (also baked into CC as MANUAL_REDIRECT_URL) to render the
 // authorization code + state on a copy-paste success page instead of
@@ -255,12 +256,15 @@ export async function startAutoOAuthFlow() {
             console.log('  Opening browser to sign in...');
             console.log(`  If the browser didn't open, visit: ${authUrl}`);
             console.log('');
-            // Open browser using platform-specific commands (no external deps)
-            const { exec } = await import('node:child_process');
-            const cmd = process.platform === 'win32' ? `start "" "${authUrl}"`
-                : process.platform === 'darwin' ? `open "${authUrl}"`
-                    : `xdg-open "${authUrl}"`;
-            exec(cmd, () => { });
+            // Hardened: openBrowser uses execFile + argv array + URL protocol
+            // allowlist. Previous inline `exec(\`start "" "${authUrl}"\`)`
+            // would have shelled out any `&` / `|` / `^` / backtick / `$()` in
+            // a URL — see src/open-browser.ts.
+            const { openBrowser } = await import('./open-browser.js');
+            try {
+                openBrowser(authUrl);
+            }
+            catch { /* non-fatal: user has the URL printed above */ }
         });
         server.on('error', (err) => {
             reject(new Error(`Failed to start OAuth callback server: ${err.message}`));
@@ -429,7 +433,9 @@ async function exchangeCodeManual(code, codeVerifier, state) {
     });
     if (!res.ok) {
         const body = await res.text().catch(() => '');
-        throw new Error(`Token exchange failed (HTTP ${res.status}): ${body.slice(0, 200)}`);
+        // See src/redact.ts — strip tokens / JWTs / Bearer values from upstream
+        // body before they surface in the Error message.
+        throw new Error(`Token exchange failed (HTTP ${res.status}): ${redactSecrets(body.slice(0, 200))}`);
     }
     const data = await res.json();
     const tokens = {
@@ -490,7 +496,7 @@ async function doRefreshTokens() {
         });
         if (!res.ok) {
             const errBody = await res.text().catch(() => '');
-            console.error(`[dario] Refresh attempt ${attempt + 1}/3 failed: HTTP ${res.status} — ${errBody.slice(0, 200)}`);
+            console.error(`[dario] Refresh attempt ${attempt + 1}/3 failed: HTTP ${res.status} — ${redactSecrets(errBody.slice(0, 200))}`);
             if (res.status === 401 || res.status === 403) {
                 throw new Error(`Refresh token rejected (${res.status}). Run \`dario login\` to re-authenticate.`);
             }

package/dist/open-browser.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Safe URL → default-browser dispatch.
+ *
+ * Replaces the inline `child_process.exec` template-string patterns that
+ * previously lived in `src/oauth.ts` and `src/accounts.ts`. Those used
+ * shell interpolation of an external URL (`exec(\`start "" "${url}"\`)`,
+ * `exec(\`xdg-open "${url}"\`)`) — defense-in-depth concern: a malicious
+ * `DARIO_OAUTH_AUTHORIZE_URL` override, a backdoored `claude` binary
+ * smuggling a different `CLAUDE_AI_AUTHORIZE_URL` literal through the
+ * cc-oauth-detect scanner, or any future code path that lets a less-
+ * trusted source reach this function would inject shell metacharacters
+ * (`&`, `|`, `>`, `^`, ``$()``, backtick) and execute arbitrary commands.
+ *
+ * Hardened path:
+ *   1. Parse the URL with WHATWG `URL` — throws on malformed input.
+ *   2. Allow only `http:` and `https:` (rejects `file:`, `javascript:`,
+ *      `vbscript:`, `data:`, custom schemes that route through
+ *      registered URL handlers).
+ *   3. Re-serialize via `parsed.toString()` so any pre-parse oddities
+ *      get normalized through the URL spec.
+ *   4. Spawn the platform's URL-handler binary directly with the URL as
+ *      a single argv element — no shell, no template interpolation.
+ *      Windows uses `explorer.exe` (System32 binary, accepts URLs as
+ *      argv, no cmd hop) instead of `cmd /c start`, which would parse
+ *      `&`/`|` as command separators after Node's argv → cmd quoting.
+ *   5. Errors from the spawned process are swallowed: a failed browser
+ *      open is non-fatal because every caller also prints the URL to
+ *      stdout for manual paste.
+ *
+ * Tests use the `exec` option to inject a stub.
+ */
+import { type ExecFileException } from 'node:child_process';
+export interface OpenBrowserOptions {
+    /** Test hook — defaults to node:child_process execFile. */
+    exec?: (file: string, args: readonly string[], callback: (error: ExecFileException | null, stdout: string, stderr: string) => void) => void;
+}
+/**
+ * Build the (binary, argv) pair the current platform uses to dispatch a
+ * URL to its default browser. Exported for tests.
+ */
+export declare function browserDispatchCommand(url: string, platform?: NodeJS.Platform): {
+    bin: string;
+    args: string[];
+};
+/**
+ * Open `url` in the user's default browser. See module docstring.
+ *
+ * @throws if the URL is malformed or has a protocol other than http/https.
+ *         Browser-launch failures (handler missing, etc.) are swallowed —
+ *         every caller already prints the URL for manual paste.
+ */
+export declare function openBrowser(url: string, opts?: OpenBrowserOptions): void;

package/dist/open-browser.js

@@ -0,0 +1,68 @@
+/**
+ * Safe URL → default-browser dispatch.
+ *
+ * Replaces the inline `child_process.exec` template-string patterns that
+ * previously lived in `src/oauth.ts` and `src/accounts.ts`. Those used
+ * shell interpolation of an external URL (`exec(\`start "" "${url}"\`)`,
+ * `exec(\`xdg-open "${url}"\`)`) — defense-in-depth concern: a malicious
+ * `DARIO_OAUTH_AUTHORIZE_URL` override, a backdoored `claude` binary
+ * smuggling a different `CLAUDE_AI_AUTHORIZE_URL` literal through the
+ * cc-oauth-detect scanner, or any future code path that lets a less-
+ * trusted source reach this function would inject shell metacharacters
+ * (`&`, `|`, `>`, `^`, ``$()``, backtick) and execute arbitrary commands.
+ *
+ * Hardened path:
+ *   1. Parse the URL with WHATWG `URL` — throws on malformed input.
+ *   2. Allow only `http:` and `https:` (rejects `file:`, `javascript:`,
+ *      `vbscript:`, `data:`, custom schemes that route through
+ *      registered URL handlers).
+ *   3. Re-serialize via `parsed.toString()` so any pre-parse oddities
+ *      get normalized through the URL spec.
+ *   4. Spawn the platform's URL-handler binary directly with the URL as
+ *      a single argv element — no shell, no template interpolation.
+ *      Windows uses `explorer.exe` (System32 binary, accepts URLs as
+ *      argv, no cmd hop) instead of `cmd /c start`, which would parse
+ *      `&`/`|` as command separators after Node's argv → cmd quoting.
+ *   5. Errors from the spawned process are swallowed: a failed browser
+ *      open is non-fatal because every caller also prints the URL to
+ *      stdout for manual paste.
+ *
+ * Tests use the `exec` option to inject a stub.
+ */
+import { execFile } from 'node:child_process';
+const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
+/**
+ * Build the (binary, argv) pair the current platform uses to dispatch a
+ * URL to its default browser. Exported for tests.
+ */
+export function browserDispatchCommand(url, platform = process.platform) {
+    const parsed = new URL(url);
+    if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
+        throw new Error(`openBrowser: refusing to open URL with protocol "${parsed.protocol}" (only http/https allowed)`);
+    }
+    const safe = parsed.toString();
+    if (platform === 'win32') {
+        // explorer.exe accepts a URL as a single argv element and routes it
+        // through the registered URL handler. Avoids `cmd /c start "" "URL"`,
+        // which re-parses cmd metacharacters even when called via execFile
+        // because the cmd builtin runs *inside* cmd's parser, not Node's.
+        return { bin: 'explorer.exe', args: [safe] };
+    }
+    if (platform === 'darwin') {
+        return { bin: 'open', args: [safe] };
+    }
+    // Linux / BSD / other Unix.
+    return { bin: 'xdg-open', args: [safe] };
+}
+/**
+ * Open `url` in the user's default browser. See module docstring.
+ *
+ * @throws if the URL is malformed or has a protocol other than http/https.
+ *         Browser-launch failures (handler missing, etc.) are swallowed —
+ *         every caller already prints the URL for manual paste.
+ */
+export function openBrowser(url, opts = {}) {
+    const { bin, args } = browserDispatchCommand(url);
+    const exec = opts.exec ?? execFile;
+    exec(bin, args, () => { });
+}

package/dist/proxy.js

@@ -13,6 +13,7 @@ import { Analytics, billingBucketFromClaim } from './analytics.js';
 import { loadAllAccounts, loadAccount, refreshAccountToken } from './accounts.js';
 import { getOpenAIBackend, isOpenAIModel, forwardToOpenAI } from './openai-backend.js';
 import { RequestQueue, QueueFullError, QueueTimeoutError, DEFAULT_MAX_CONCURRENT, DEFAULT_MAX_QUEUED, DEFAULT_QUEUE_TIMEOUT_MS } from './request-queue.js';
+import { redactSecrets } from './redact.js';
 const ANTHROPIC_API = 'https://api.anthropic.com';
 const DEFAULT_PORT = 3456;
 const MAX_BODY_BYTES = 10 * 1024 * 1024; // 10 MB — generous for large prompts, prevents abuse
@@ -345,12 +346,10 @@ function translateStreamChunk(line) {
 }
 const OPENAI_MODELS_LIST = { object: 'list', data: ['claude-opus-4-6', 'claude-sonnet-4-6', 'claude-haiku-4-5'].map(id => ({ id, object: 'model', created: 1700000000, owned_by: 'anthropic' })) };
 export function sanitizeError(err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    // Never leak tokens, JWTs, or bearer values in error messages
-    return msg
-        .replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]')
-        .replace(/eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g, '[REDACTED_JWT]')
-        .replace(/Bearer\s+[^\s,;]+/gi, 'Bearer [REDACTED]');
+    // Pattern set lives in src/redact.ts so OAuth call sites can run the
+    // same redaction directly on response-body strings without importing
+    // proxy (which imports oauth — would circle).
+    return redactSecrets(err instanceof Error ? err.message : String(err));
 }
 /**
  * API-key auth via DARIO_API_KEY (x-api-key or Authorization: Bearer).

package/dist/redact.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Secret redaction for free-form strings emitted by dario.
+ *
+ * Used wherever an externally-sourced string (an upstream HTTP response
+ * body, an exception message, a verbose log line) might transit through
+ * to a place a user can see (stderr, an Error message, a JSON response).
+ * Even though Anthropic's documented API is not known to echo tokens in
+ * error responses, defense-in-depth: a future API change, a CDN error
+ * page that captures the request headers, or an intermediary's debug
+ * dump could surface a token, and we'd rather redact in transit than
+ * audit every call site for novel leak shapes.
+ *
+ * Patterns match formats actually seen in the Anthropic ecosystem:
+ *   - `sk-ant-…`     — long-lived API keys
+ *   - JWT triple     — OAuth access tokens (`eyJhdr.eyJpyld.sig`)
+ *   - `Bearer <…>`   — auth headers, raw or quoted
+ *
+ * Re-exported by `proxy.ts:sanitizeError` so the proxy's existing leak-
+ * shield benefits from any new patterns added here, and consumed
+ * directly by the OAuth code paths in `oauth.ts` / `accounts.ts` for
+ * sanitizing upstream error bodies before they hit `throw new Error`.
+ */
+export declare const SECRET_PATTERNS: ReadonlyArray<readonly [RegExp, string]>;
+/**
+ * Apply every redaction pattern to a string. Idempotent — running a
+ * pre-redacted string through this is a no-op.
+ */
+export declare function redactSecrets(s: string): string;

package/dist/redact.js

@@ -0,0 +1,38 @@
+/**
+ * Secret redaction for free-form strings emitted by dario.
+ *
+ * Used wherever an externally-sourced string (an upstream HTTP response
+ * body, an exception message, a verbose log line) might transit through
+ * to a place a user can see (stderr, an Error message, a JSON response).
+ * Even though Anthropic's documented API is not known to echo tokens in
+ * error responses, defense-in-depth: a future API change, a CDN error
+ * page that captures the request headers, or an intermediary's debug
+ * dump could surface a token, and we'd rather redact in transit than
+ * audit every call site for novel leak shapes.
+ *
+ * Patterns match formats actually seen in the Anthropic ecosystem:
+ *   - `sk-ant-…`     — long-lived API keys
+ *   - JWT triple     — OAuth access tokens (`eyJhdr.eyJpyld.sig`)
+ *   - `Bearer <…>`   — auth headers, raw or quoted
+ *
+ * Re-exported by `proxy.ts:sanitizeError` so the proxy's existing leak-
+ * shield benefits from any new patterns added here, and consumed
+ * directly by the OAuth code paths in `oauth.ts` / `accounts.ts` for
+ * sanitizing upstream error bodies before they hit `throw new Error`.
+ */
+export const SECRET_PATTERNS = [
+    [/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]'],
+    [/eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g, '[REDACTED_JWT]'],
+    [/Bearer\s+[^\s,;]+/gi, 'Bearer [REDACTED]'],
+];
+/**
+ * Apply every redaction pattern to a string. Idempotent — running a
+ * pre-redacted string through this is a no-op.
+ */
+export function redactSecrets(s) {
+    let out = s;
+    for (const [pat, repl] of SECRET_PATTERNS) {
+        out = out.replace(pat, repl);
+    }
+    return out;
+}

package/dist/request-queue.d.ts

@@ -50,6 +50,16 @@ export interface RequestQueueOptions {
     maxConcurrent?: number;
     maxQueued?: number;
     queueTimeoutMs?: number;
+    /**
+     * Whether timeout timers are `unref`'d so they don't by themselves keep
+     * the Node event loop alive. Default `true` — appropriate for the proxy,
+     * where a leaked queue entry should never hang shutdown. Pass `false` in
+     * tests where the queue is the only pending work on the loop: an
+     * `unref`'d timer won't fire in that case (Node exits with "unsettled
+     * top-level await" before the 50ms timeout elapses), so the reject the
+     * test is waiting for never arrives.
+     */
+    unrefTimers?: boolean;
 }
 export declare const DEFAULT_MAX_CONCURRENT = 10;
 export declare const DEFAULT_MAX_QUEUED = 128;
@@ -58,6 +68,7 @@ export declare class RequestQueue {
     readonly maxConcurrent: number;
     readonly maxQueued: number;
     readonly queueTimeoutMs: number;
+    readonly unrefTimers: boolean;
     private active;
     private queue;
     constructor(opts?: RequestQueueOptions);

package/dist/request-queue.js

@@ -47,12 +47,14 @@ export class RequestQueue {
     maxConcurrent;
     maxQueued;
     queueTimeoutMs;
+    unrefTimers;
     active = 0;
     queue = [];
     constructor(opts = {}) {
         this.maxConcurrent = opts.maxConcurrent ?? DEFAULT_MAX_CONCURRENT;
         this.maxQueued = opts.maxQueued ?? DEFAULT_MAX_QUEUED;
         this.queueTimeoutMs = opts.queueTimeoutMs ?? DEFAULT_QUEUE_TIMEOUT_MS;
+        this.unrefTimers = opts.unrefTimers ?? true;
     }
     /**
      * Acquire a concurrency slot. Resolves when admitted; throws
@@ -80,7 +82,9 @@ export class RequestQueue {
             }, this.queueTimeoutMs);
             // Keep the timer from pinning the event loop open on shutdown. A queued
             // request waiting for a slot shouldn't by itself keep the process alive.
-            timeoutHandle.unref?.();
+            // Opt-out for tests — see `unrefTimers` comment in RequestQueueOptions.
+            if (this.unrefTimers)
+                timeoutHandle.unref?.();
             const entry = { resolve, reject, enqueuedAt, timeoutHandle };
             this.queue.push(entry);
         });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.31.14",
+  "version": "3.31.16",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {
@@ -28,6 +28,7 @@
     "start": "node dist/cli.js",
     "dev": "tsx src/cli.ts",
     "e2e": "node test/e2e.mjs",
+    "stress": "node test/stress.mjs",
     "compat": "node test/compat.mjs",
     "lint:pkg": "node scripts/check-package-json.mjs",
     "drift:sdk": "node scripts/check-sdk-drift.mjs",