@askalf/dario 3.31.15 → 3.31.16

package/dist/accounts.js

@@ -23,6 +23,8 @@ import { randomUUID, randomBytes, createHash } from 'node:crypto';
 import { createServer } from 'node:http';
 import { detectCCOAuthConfig } from './cc-oauth-detect.js';
 import { loadCredentials } from './oauth.js';
+import { openBrowser } from './open-browser.js';
+import { redactSecrets } from './redact.js';
 const DARIO_DIR = join(homedir(), '.dario');
 const ACCOUNTS_DIR = join(DARIO_DIR, 'accounts');
 /**
@@ -161,7 +163,10 @@ async function doRefreshAccountToken(creds) {
     });
     if (!res.ok) {
         const errBody = await res.text().catch(() => '');
-        throw new Error(`Refresh failed for ${creds.alias} (${res.status}): ${errBody.slice(0, 200)}`);
+        // Redact tokens / JWTs / Bearer values before they hit the Error
+        // message — defense-in-depth against an upstream that ever echoes a
+        // credential into a 4xx body. See src/redact.ts.
+        throw new Error(`Refresh failed for ${creds.alias} (${res.status}): ${redactSecrets(errBody.slice(0, 200))}`);
     }
     const data = await res.json();
     const updated = {
@@ -186,13 +191,10 @@ function generatePKCE() {
     const codeChallenge = base64url(createHash('sha256').update(codeVerifier).digest());
     return { codeVerifier, codeChallenge };
 }
-function openBrowser(url) {
-    const { exec } = require('node:child_process');
-    const cmd = process.platform === 'win32' ? `start "" "${url}"`
-        : process.platform === 'darwin' ? `open "${url}"`
-            : `xdg-open "${url}"`;
-    exec(cmd, () => { });
-}
+// `openBrowser` lives in src/open-browser.ts — uses execFile + argv array
+// + URL-protocol allowlist instead of shell interpolation. The previous
+// inline `exec(\`start "" "${url}"\`)` pattern would have shelled out
+// any `&` / `|` / `^` / backtick / `$()` in a URL.
 /**
  * Interactive OAuth flow that adds a new account to the pool. Uses dario's
  * auto-detected CC OAuth config (same scanner the single-account path uses).
@@ -256,7 +258,7 @@ export async function addAccountViaOAuth(alias) {
                 });
                 if (!tokenRes.ok) {
                     const body = await tokenRes.text().catch(() => '');
-                    throw new Error(`Token exchange failed (${tokenRes.status}): ${body.slice(0, 200)}`);
+                    throw new Error(`Token exchange failed (${tokenRes.status}): ${redactSecrets(body.slice(0, 200))}`);
                 }
                 const tokens = await tokenRes.json();
                 // Prefer CC identity if installed; otherwise generate fresh IDs.
@@ -299,7 +301,10 @@ export async function addAccountViaOAuth(alias) {
             console.log(`  If the browser didn't open, visit:`);
             console.log(`  ${authUrl}`);
             console.log();
-            openBrowser(authUrl);
+            try {
+                openBrowser(authUrl);
+            }
+            catch { /* non-fatal: user has the URL printed above */ }
         });
         server.on('error', (err) => {
             reject(new Error(`Failed to start OAuth callback server: ${err.message}`));

package/dist/oauth.js

@@ -11,6 +11,7 @@ import { execFile } from 'node:child_process';
 import { dirname, join } from 'node:path';
 import { homedir, platform } from 'node:os';
 import { detectCCOAuthConfig } from './cc-oauth-detect.js';
+import { redactSecrets } from './redact.js';
 // Manual-flow redirect URI. Anthropic's authorize endpoint special-cases
 // this value (also baked into CC as MANUAL_REDIRECT_URL) to render the
 // authorization code + state on a copy-paste success page instead of
@@ -255,12 +256,15 @@ export async function startAutoOAuthFlow() {
             console.log('  Opening browser to sign in...');
             console.log(`  If the browser didn't open, visit: ${authUrl}`);
             console.log('');
-            // Open browser using platform-specific commands (no external deps)
-            const { exec } = await import('node:child_process');
-            const cmd = process.platform === 'win32' ? `start "" "${authUrl}"`
-                : process.platform === 'darwin' ? `open "${authUrl}"`
-                    : `xdg-open "${authUrl}"`;
-            exec(cmd, () => { });
+            // Hardened: openBrowser uses execFile + argv array + URL protocol
+            // allowlist. Previous inline `exec(\`start "" "${authUrl}"\`)`
+            // would have shelled out any `&` / `|` / `^` / backtick / `$()` in
+            // a URL — see src/open-browser.ts.
+            const { openBrowser } = await import('./open-browser.js');
+            try {
+                openBrowser(authUrl);
+            }
+            catch { /* non-fatal: user has the URL printed above */ }
         });
         server.on('error', (err) => {
             reject(new Error(`Failed to start OAuth callback server: ${err.message}`));
@@ -429,7 +433,9 @@ async function exchangeCodeManual(code, codeVerifier, state) {
     });
     if (!res.ok) {
         const body = await res.text().catch(() => '');
-        throw new Error(`Token exchange failed (HTTP ${res.status}): ${body.slice(0, 200)}`);
+        // See src/redact.ts — strip tokens / JWTs / Bearer values from upstream
+        // body before they surface in the Error message.
+        throw new Error(`Token exchange failed (HTTP ${res.status}): ${redactSecrets(body.slice(0, 200))}`);
     }
     const data = await res.json();
     const tokens = {
@@ -490,7 +496,7 @@ async function doRefreshTokens() {
         });
         if (!res.ok) {
             const errBody = await res.text().catch(() => '');
-            console.error(`[dario] Refresh attempt ${attempt + 1}/3 failed: HTTP ${res.status} — ${errBody.slice(0, 200)}`);
+            console.error(`[dario] Refresh attempt ${attempt + 1}/3 failed: HTTP ${res.status} — ${redactSecrets(errBody.slice(0, 200))}`);
             if (res.status === 401 || res.status === 403) {
                 throw new Error(`Refresh token rejected (${res.status}). Run \`dario login\` to re-authenticate.`);
             }

package/dist/open-browser.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Safe URL → default-browser dispatch.
+ *
+ * Replaces the inline `child_process.exec` template-string patterns that
+ * previously lived in `src/oauth.ts` and `src/accounts.ts`. Those used
+ * shell interpolation of an external URL (`exec(\`start "" "${url}"\`)`,
+ * `exec(\`xdg-open "${url}"\`)`) — defense-in-depth concern: a malicious
+ * `DARIO_OAUTH_AUTHORIZE_URL` override, a backdoored `claude` binary
+ * smuggling a different `CLAUDE_AI_AUTHORIZE_URL` literal through the
+ * cc-oauth-detect scanner, or any future code path that lets a less-
+ * trusted source reach this function would inject shell metacharacters
+ * (`&`, `|`, `>`, `^`, ``$()``, backtick) and execute arbitrary commands.
+ *
+ * Hardened path:
+ *   1. Parse the URL with WHATWG `URL` — throws on malformed input.
+ *   2. Allow only `http:` and `https:` (rejects `file:`, `javascript:`,
+ *      `vbscript:`, `data:`, custom schemes that route through
+ *      registered URL handlers).
+ *   3. Re-serialize via `parsed.toString()` so any pre-parse oddities
+ *      get normalized through the URL spec.
+ *   4. Spawn the platform's URL-handler binary directly with the URL as
+ *      a single argv element — no shell, no template interpolation.
+ *      Windows uses `explorer.exe` (System32 binary, accepts URLs as
+ *      argv, no cmd hop) instead of `cmd /c start`, which would parse
+ *      `&`/`|` as command separators after Node's argv → cmd quoting.
+ *   5. Errors from the spawned process are swallowed: a failed browser
+ *      open is non-fatal because every caller also prints the URL to
+ *      stdout for manual paste.
+ *
+ * Tests use the `exec` option to inject a stub.
+ */
+import { type ExecFileException } from 'node:child_process';
+export interface OpenBrowserOptions {
+    /** Test hook — defaults to node:child_process execFile. */
+    exec?: (file: string, args: readonly string[], callback: (error: ExecFileException | null, stdout: string, stderr: string) => void) => void;
+}
+/**
+ * Build the (binary, argv) pair the current platform uses to dispatch a
+ * URL to its default browser. Exported for tests.
+ */
+export declare function browserDispatchCommand(url: string, platform?: NodeJS.Platform): {
+    bin: string;
+    args: string[];
+};
+/**
+ * Open `url` in the user's default browser. See module docstring.
+ *
+ * @throws if the URL is malformed or has a protocol other than http/https.
+ *         Browser-launch failures (handler missing, etc.) are swallowed —
+ *         every caller already prints the URL for manual paste.
+ */
+export declare function openBrowser(url: string, opts?: OpenBrowserOptions): void;

package/dist/open-browser.js

@@ -0,0 +1,68 @@
+/**
+ * Safe URL → default-browser dispatch.
+ *
+ * Replaces the inline `child_process.exec` template-string patterns that
+ * previously lived in `src/oauth.ts` and `src/accounts.ts`. Those used
+ * shell interpolation of an external URL (`exec(\`start "" "${url}"\`)`,
+ * `exec(\`xdg-open "${url}"\`)`) — defense-in-depth concern: a malicious
+ * `DARIO_OAUTH_AUTHORIZE_URL` override, a backdoored `claude` binary
+ * smuggling a different `CLAUDE_AI_AUTHORIZE_URL` literal through the
+ * cc-oauth-detect scanner, or any future code path that lets a less-
+ * trusted source reach this function would inject shell metacharacters
+ * (`&`, `|`, `>`, `^`, ``$()``, backtick) and execute arbitrary commands.
+ *
+ * Hardened path:
+ *   1. Parse the URL with WHATWG `URL` — throws on malformed input.
+ *   2. Allow only `http:` and `https:` (rejects `file:`, `javascript:`,
+ *      `vbscript:`, `data:`, custom schemes that route through
+ *      registered URL handlers).
+ *   3. Re-serialize via `parsed.toString()` so any pre-parse oddities
+ *      get normalized through the URL spec.
+ *   4. Spawn the platform's URL-handler binary directly with the URL as
+ *      a single argv element — no shell, no template interpolation.
+ *      Windows uses `explorer.exe` (System32 binary, accepts URLs as
+ *      argv, no cmd hop) instead of `cmd /c start`, which would parse
+ *      `&`/`|` as command separators after Node's argv → cmd quoting.
+ *   5. Errors from the spawned process are swallowed: a failed browser
+ *      open is non-fatal because every caller also prints the URL to
+ *      stdout for manual paste.
+ *
+ * Tests use the `exec` option to inject a stub.
+ */
+import { execFile } from 'node:child_process';
+const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
+/**
+ * Build the (binary, argv) pair the current platform uses to dispatch a
+ * URL to its default browser. Exported for tests.
+ */
+export function browserDispatchCommand(url, platform = process.platform) {
+    const parsed = new URL(url);
+    if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
+        throw new Error(`openBrowser: refusing to open URL with protocol "${parsed.protocol}" (only http/https allowed)`);
+    }
+    const safe = parsed.toString();
+    if (platform === 'win32') {
+        // explorer.exe accepts a URL as a single argv element and routes it
+        // through the registered URL handler. Avoids `cmd /c start "" "URL"`,
+        // which re-parses cmd metacharacters even when called via execFile
+        // because the cmd builtin runs *inside* cmd's parser, not Node's.
+        return { bin: 'explorer.exe', args: [safe] };
+    }
+    if (platform === 'darwin') {
+        return { bin: 'open', args: [safe] };
+    }
+    // Linux / BSD / other Unix.
+    return { bin: 'xdg-open', args: [safe] };
+}
+/**
+ * Open `url` in the user's default browser. See module docstring.
+ *
+ * @throws if the URL is malformed or has a protocol other than http/https.
+ *         Browser-launch failures (handler missing, etc.) are swallowed —
+ *         every caller already prints the URL for manual paste.
+ */
+export function openBrowser(url, opts = {}) {
+    const { bin, args } = browserDispatchCommand(url);
+    const exec = opts.exec ?? execFile;
+    exec(bin, args, () => { });
+}

package/dist/proxy.js

@@ -13,6 +13,7 @@ import { Analytics, billingBucketFromClaim } from './analytics.js';
 import { loadAllAccounts, loadAccount, refreshAccountToken } from './accounts.js';
 import { getOpenAIBackend, isOpenAIModel, forwardToOpenAI } from './openai-backend.js';
 import { RequestQueue, QueueFullError, QueueTimeoutError, DEFAULT_MAX_CONCURRENT, DEFAULT_MAX_QUEUED, DEFAULT_QUEUE_TIMEOUT_MS } from './request-queue.js';
+import { redactSecrets } from './redact.js';
 const ANTHROPIC_API = 'https://api.anthropic.com';
 const DEFAULT_PORT = 3456;
 const MAX_BODY_BYTES = 10 * 1024 * 1024; // 10 MB — generous for large prompts, prevents abuse
@@ -345,12 +346,10 @@ function translateStreamChunk(line) {
 }
 const OPENAI_MODELS_LIST = { object: 'list', data: ['claude-opus-4-6', 'claude-sonnet-4-6', 'claude-haiku-4-5'].map(id => ({ id, object: 'model', created: 1700000000, owned_by: 'anthropic' })) };
 export function sanitizeError(err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    // Never leak tokens, JWTs, or bearer values in error messages
-    return msg
-        .replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]')
-        .replace(/eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g, '[REDACTED_JWT]')
-        .replace(/Bearer\s+[^\s,;]+/gi, 'Bearer [REDACTED]');
+    // Pattern set lives in src/redact.ts so OAuth call sites can run the
+    // same redaction directly on response-body strings without importing
+    // proxy (which imports oauth — would circle).
+    return redactSecrets(err instanceof Error ? err.message : String(err));
 }
 /**
  * API-key auth via DARIO_API_KEY (x-api-key or Authorization: Bearer).

package/dist/redact.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Secret redaction for free-form strings emitted by dario.
+ *
+ * Used wherever an externally-sourced string (an upstream HTTP response
+ * body, an exception message, a verbose log line) might transit through
+ * to a place a user can see (stderr, an Error message, a JSON response).
+ * Even though Anthropic's documented API is not known to echo tokens in
+ * error responses, defense-in-depth: a future API change, a CDN error
+ * page that captures the request headers, or an intermediary's debug
+ * dump could surface a token, and we'd rather redact in transit than
+ * audit every call site for novel leak shapes.
+ *
+ * Patterns match formats actually seen in the Anthropic ecosystem:
+ *   - `sk-ant-…`     — long-lived API keys
+ *   - JWT triple     — OAuth access tokens (`eyJhdr.eyJpyld.sig`)
+ *   - `Bearer <…>`   — auth headers, raw or quoted
+ *
+ * Re-exported by `proxy.ts:sanitizeError` so the proxy's existing leak-
+ * shield benefits from any new patterns added here, and consumed
+ * directly by the OAuth code paths in `oauth.ts` / `accounts.ts` for
+ * sanitizing upstream error bodies before they hit `throw new Error`.
+ */
+export declare const SECRET_PATTERNS: ReadonlyArray<readonly [RegExp, string]>;
+/**
+ * Apply every redaction pattern to a string. Idempotent — running a
+ * pre-redacted string through this is a no-op.
+ */
+export declare function redactSecrets(s: string): string;

package/dist/redact.js

@@ -0,0 +1,38 @@
+/**
+ * Secret redaction for free-form strings emitted by dario.
+ *
+ * Used wherever an externally-sourced string (an upstream HTTP response
+ * body, an exception message, a verbose log line) might transit through
+ * to a place a user can see (stderr, an Error message, a JSON response).
+ * Even though Anthropic's documented API is not known to echo tokens in
+ * error responses, defense-in-depth: a future API change, a CDN error
+ * page that captures the request headers, or an intermediary's debug
+ * dump could surface a token, and we'd rather redact in transit than
+ * audit every call site for novel leak shapes.
+ *
+ * Patterns match formats actually seen in the Anthropic ecosystem:
+ *   - `sk-ant-…`     — long-lived API keys
+ *   - JWT triple     — OAuth access tokens (`eyJhdr.eyJpyld.sig`)
+ *   - `Bearer <…>`   — auth headers, raw or quoted
+ *
+ * Re-exported by `proxy.ts:sanitizeError` so the proxy's existing leak-
+ * shield benefits from any new patterns added here, and consumed
+ * directly by the OAuth code paths in `oauth.ts` / `accounts.ts` for
+ * sanitizing upstream error bodies before they hit `throw new Error`.
+ */
+export const SECRET_PATTERNS = [
+    [/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]'],
+    [/eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g, '[REDACTED_JWT]'],
+    [/Bearer\s+[^\s,;]+/gi, 'Bearer [REDACTED]'],
+];
+/**
+ * Apply every redaction pattern to a string. Idempotent — running a
+ * pre-redacted string through this is a no-op.
+ */
+export function redactSecrets(s) {
+    let out = s;
+    for (const [pat, repl] of SECRET_PATTERNS) {
+        out = out.replace(pat, repl);
+    }
+    return out;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.31.15",
+  "version": "3.31.16",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {
@@ -28,6 +28,7 @@
     "start": "node dist/cli.js",
     "dev": "tsx src/cli.ts",
     "e2e": "node test/e2e.mjs",
+    "stress": "node test/stress.mjs",
     "compat": "node test/compat.mjs",
     "lint:pkg": "node scripts/check-package-json.mjs",
     "drift:sdk": "node scripts/check-sdk-drift.mjs",