@askalf/dario 3.31.15 → 3.31.17

package/dist/accounts.js

@@ -23,6 +23,8 @@ import { randomUUID, randomBytes, createHash } from 'node:crypto';
 import { createServer } from 'node:http';
 import { detectCCOAuthConfig } from './cc-oauth-detect.js';
 import { loadCredentials } from './oauth.js';
+import { openBrowser } from './open-browser.js';
+import { redactSecrets } from './redact.js';
 const DARIO_DIR = join(homedir(), '.dario');
 const ACCOUNTS_DIR = join(DARIO_DIR, 'accounts');
 /**
@@ -161,7 +163,10 @@ async function doRefreshAccountToken(creds) {
     });
     if (!res.ok) {
         const errBody = await res.text().catch(() => '');
-        throw new Error(`Refresh failed for ${creds.alias} (${res.status}): ${errBody.slice(0, 200)}`);
+        // Redact tokens / JWTs / Bearer values before they hit the Error
+        // message — defense-in-depth against an upstream that ever echoes a
+        // credential into a 4xx body. See src/redact.ts.
+        throw new Error(`Refresh failed for ${creds.alias} (${res.status}): ${redactSecrets(errBody.slice(0, 200))}`);
     }
     const data = await res.json();
     const updated = {
@@ -186,13 +191,10 @@ function generatePKCE() {
     const codeChallenge = base64url(createHash('sha256').update(codeVerifier).digest());
     return { codeVerifier, codeChallenge };
 }
-function openBrowser(url) {
-    const { exec } = require('node:child_process');
-    const cmd = process.platform === 'win32' ? `start "" "${url}"`
-        : process.platform === 'darwin' ? `open "${url}"`
-            : `xdg-open "${url}"`;
-    exec(cmd, () => { });
-}
+// `openBrowser` lives in src/open-browser.ts — uses execFile + argv array
+// + URL-protocol allowlist instead of shell interpolation. The previous
+// inline `exec(\`start "" "${url}"\`)` pattern would have shelled out
+// any `&` / `|` / `^` / backtick / `$()` in a URL.
 /**
  * Interactive OAuth flow that adds a new account to the pool. Uses dario's
  * auto-detected CC OAuth config (same scanner the single-account path uses).
@@ -256,7 +258,7 @@ export async function addAccountViaOAuth(alias) {
                 });
                 if (!tokenRes.ok) {
                     const body = await tokenRes.text().catch(() => '');
-                    throw new Error(`Token exchange failed (${tokenRes.status}): ${body.slice(0, 200)}`);
+                    throw new Error(`Token exchange failed (${tokenRes.status}): ${redactSecrets(body.slice(0, 200))}`);
                 }
                 const tokens = await tokenRes.json();
                 // Prefer CC identity if installed; otherwise generate fresh IDs.
@@ -299,7 +301,10 @@ export async function addAccountViaOAuth(alias) {
             console.log(`  If the browser didn't open, visit:`);
             console.log(`  ${authUrl}`);
             console.log();
-            openBrowser(authUrl);
+            try {
+                openBrowser(authUrl);
+            }
+            catch { /* non-fatal: user has the URL printed above */ }
         });
         server.on('error', (err) => {
             reject(new Error(`Failed to start OAuth callback server: ${err.message}`));

package/dist/oauth.js

@@ -11,6 +11,7 @@ import { execFile } from 'node:child_process';
 import { dirname, join } from 'node:path';
 import { homedir, platform } from 'node:os';
 import { detectCCOAuthConfig } from './cc-oauth-detect.js';
+import { redactSecrets } from './redact.js';
 // Manual-flow redirect URI. Anthropic's authorize endpoint special-cases
 // this value (also baked into CC as MANUAL_REDIRECT_URL) to render the
 // authorization code + state on a copy-paste success page instead of
@@ -255,12 +256,15 @@ export async function startAutoOAuthFlow() {
             console.log('  Opening browser to sign in...');
             console.log(`  If the browser didn't open, visit: ${authUrl}`);
             console.log('');
-            // Open browser using platform-specific commands (no external deps)
-            const { exec } = await import('node:child_process');
-            const cmd = process.platform === 'win32' ? `start "" "${authUrl}"`
-                : process.platform === 'darwin' ? `open "${authUrl}"`
-                    : `xdg-open "${authUrl}"`;
-            exec(cmd, () => { });
+            // Hardened: openBrowser uses execFile + argv array + URL protocol
+            // allowlist. Previous inline `exec(\`start "" "${authUrl}"\`)`
+            // would have shelled out any `&` / `|` / `^` / backtick / `$()` in
+            // a URL — see src/open-browser.ts.
+            const { openBrowser } = await import('./open-browser.js');
+            try {
+                openBrowser(authUrl);
+            }
+            catch { /* non-fatal: user has the URL printed above */ }
         });
         server.on('error', (err) => {
             reject(new Error(`Failed to start OAuth callback server: ${err.message}`));
@@ -429,7 +433,9 @@ async function exchangeCodeManual(code, codeVerifier, state) {
     });
     if (!res.ok) {
         const body = await res.text().catch(() => '');
-        throw new Error(`Token exchange failed (HTTP ${res.status}): ${body.slice(0, 200)}`);
+        // See src/redact.ts — strip tokens / JWTs / Bearer values from upstream
+        // body before they surface in the Error message.
+        throw new Error(`Token exchange failed (HTTP ${res.status}): ${redactSecrets(body.slice(0, 200))}`);
     }
     const data = await res.json();
     const tokens = {
@@ -490,7 +496,7 @@ async function doRefreshTokens() {
         });
         if (!res.ok) {
             const errBody = await res.text().catch(() => '');
-            console.error(`[dario] Refresh attempt ${attempt + 1}/3 failed: HTTP ${res.status} — ${errBody.slice(0, 200)}`);
+            console.error(`[dario] Refresh attempt ${attempt + 1}/3 failed: HTTP ${res.status} — ${redactSecrets(errBody.slice(0, 200))}`);
             if (res.status === 401 || res.status === 403) {
                 throw new Error(`Refresh token rejected (${res.status}). Run \`dario login\` to re-authenticate.`);
             }

package/dist/open-browser.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Safe URL → default-browser dispatch.
+ *
+ * Replaces the inline `child_process.exec` template-string patterns that
+ * previously lived in `src/oauth.ts` and `src/accounts.ts`. Those used
+ * shell interpolation of an external URL (`exec(\`start "" "${url}"\`)`,
+ * `exec(\`xdg-open "${url}"\`)`) — defense-in-depth concern: a malicious
+ * `DARIO_OAUTH_AUTHORIZE_URL` override, a backdoored `claude` binary
+ * smuggling a different `CLAUDE_AI_AUTHORIZE_URL` literal through the
+ * cc-oauth-detect scanner, or any future code path that lets a less-
+ * trusted source reach this function would inject shell metacharacters
+ * (`&`, `|`, `>`, `^`, ``$()``, backtick) and execute arbitrary commands.
+ *
+ * Hardened path:
+ *   1. Parse the URL with WHATWG `URL` — throws on malformed input.
+ *   2. Allow only `http:` and `https:` (rejects `file:`, `javascript:`,
+ *      `vbscript:`, `data:`, custom schemes that route through
+ *      registered URL handlers).
+ *   3. Re-serialize via `parsed.toString()` so any pre-parse oddities
+ *      get normalized through the URL spec.
+ *   4. Spawn the platform's URL-handler binary directly with the URL as
+ *      a single argv element — no shell, no template interpolation.
+ *      Windows uses `explorer.exe` (System32 binary, accepts URLs as
+ *      argv, no cmd hop) instead of `cmd /c start`, which would parse
+ *      `&`/`|` as command separators after Node's argv → cmd quoting.
+ *   5. Errors from the spawned process are swallowed: a failed browser
+ *      open is non-fatal because every caller also prints the URL to
+ *      stdout for manual paste.
+ *
+ * Tests use the `exec` option to inject a stub.
+ */
+import { type ExecFileException } from 'node:child_process';
+export interface OpenBrowserOptions {
+    /** Test hook — defaults to node:child_process execFile. */
+    exec?: (file: string, args: readonly string[], callback: (error: ExecFileException | null, stdout: string, stderr: string) => void) => void;
+}
+/**
+ * Build the (binary, argv) pair the current platform uses to dispatch a
+ * URL to its default browser. Exported for tests.
+ */
+export declare function browserDispatchCommand(url: string, platform?: NodeJS.Platform): {
+    bin: string;
+    args: string[];
+};
+/**
+ * Open `url` in the user's default browser. See module docstring.
+ *
+ * @throws if the URL is malformed or has a protocol other than http/https.
+ *         Browser-launch failures (handler missing, etc.) are swallowed —
+ *         every caller already prints the URL for manual paste.
+ */
+export declare function openBrowser(url: string, opts?: OpenBrowserOptions): void;

package/dist/open-browser.js

@@ -0,0 +1,68 @@
+/**
+ * Safe URL → default-browser dispatch.
+ *
+ * Replaces the inline `child_process.exec` template-string patterns that
+ * previously lived in `src/oauth.ts` and `src/accounts.ts`. Those used
+ * shell interpolation of an external URL (`exec(\`start "" "${url}"\`)`,
+ * `exec(\`xdg-open "${url}"\`)`) — defense-in-depth concern: a malicious
+ * `DARIO_OAUTH_AUTHORIZE_URL` override, a backdoored `claude` binary
+ * smuggling a different `CLAUDE_AI_AUTHORIZE_URL` literal through the
+ * cc-oauth-detect scanner, or any future code path that lets a less-
+ * trusted source reach this function would inject shell metacharacters
+ * (`&`, `|`, `>`, `^`, ``$()``, backtick) and execute arbitrary commands.
+ *
+ * Hardened path:
+ *   1. Parse the URL with WHATWG `URL` — throws on malformed input.
+ *   2. Allow only `http:` and `https:` (rejects `file:`, `javascript:`,
+ *      `vbscript:`, `data:`, custom schemes that route through
+ *      registered URL handlers).
+ *   3. Re-serialize via `parsed.toString()` so any pre-parse oddities
+ *      get normalized through the URL spec.
+ *   4. Spawn the platform's URL-handler binary directly with the URL as
+ *      a single argv element — no shell, no template interpolation.
+ *      Windows uses `explorer.exe` (System32 binary, accepts URLs as
+ *      argv, no cmd hop) instead of `cmd /c start`, which would parse
+ *      `&`/`|` as command separators after Node's argv → cmd quoting.
+ *   5. Errors from the spawned process are swallowed: a failed browser
+ *      open is non-fatal because every caller also prints the URL to
+ *      stdout for manual paste.
+ *
+ * Tests use the `exec` option to inject a stub.
+ */
+import { execFile } from 'node:child_process';
+const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
+/**
+ * Build the (binary, argv) pair the current platform uses to dispatch a
+ * URL to its default browser. Exported for tests.
+ */
+export function browserDispatchCommand(url, platform = process.platform) {
+    const parsed = new URL(url);
+    if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
+        throw new Error(`openBrowser: refusing to open URL with protocol "${parsed.protocol}" (only http/https allowed)`);
+    }
+    const safe = parsed.toString();
+    if (platform === 'win32') {
+        // explorer.exe accepts a URL as a single argv element and routes it
+        // through the registered URL handler. Avoids `cmd /c start "" "URL"`,
+        // which re-parses cmd metacharacters even when called via execFile
+        // because the cmd builtin runs *inside* cmd's parser, not Node's.
+        return { bin: 'explorer.exe', args: [safe] };
+    }
+    if (platform === 'darwin') {
+        return { bin: 'open', args: [safe] };
+    }
+    // Linux / BSD / other Unix.
+    return { bin: 'xdg-open', args: [safe] };
+}
+/**
+ * Open `url` in the user's default browser. See module docstring.
+ *
+ * @throws if the URL is malformed or has a protocol other than http/https.
+ *         Browser-launch failures (handler missing, etc.) are swallowed —
+ *         every caller already prints the URL for manual paste.
+ */
+export function openBrowser(url, opts = {}) {
+    const { bin, args } = browserDispatchCommand(url);
+    const exec = opts.exec ?? execFile;
+    exec(bin, args, () => { });
+}

package/dist/pool.d.ts

@@ -19,6 +19,20 @@ export interface RateLimitSnapshot {
     status: string;
     util5h: number;
     util7d: number;
+    /**
+     * Per-model 7-day utilization buckets — Anthropic carves separate
+     * weekly windows for some model families. As of 2026-04-25 the live
+     * API emits `anthropic-ratelimit-unified-7d_sonnet-utilization` on
+     * Sonnet responses (corresponds to the "Sonnet only" line on the user
+     * dashboard); other families do not yet have dedicated buckets but
+     * the parser scans the header set generically so any future
+     * `7d_<family>` header is captured automatically.
+     *
+     * Keyed by the family suffix as it arrived on the wire (lowercase,
+     * e.g. `sonnet` / `opus` / `haiku`). Empty when no per-model headers
+     * were on the response.
+     */
+    perModel7d: Record<string, number>;
     overageUtil: number;
     claim: string;
     reset: number;
@@ -45,6 +59,30 @@ export interface PoolStatus {
 }
 /** Parse an Anthropic response's rate-limit headers into a snapshot. */
 export declare function parseRateLimits(headers: Headers): RateLimitSnapshot;
+/**
+ * Extract the model family (`opus` / `sonnet` / `haiku`) from a request's
+ * model id. Used to look up the per-model 7d bucket in
+ * `RateLimitSnapshot.perModel7d` during routing decisions. Returns null
+ * for non-Claude models or model ids that don't carry a recognizable
+ * family token (those requests just use the unified buckets).
+ *
+ * Generous on input shape: matches `claude-opus-4-7`, `opus`, `claude-3-7-sonnet-…`,
+ * `claude-haiku-4-5`, anything containing the family token. Lowercase-normalized
+ * so it pairs cleanly with `parseRateLimits`'s lowercase family keys.
+ */
+export declare function modelFamily(modelId: string | null | undefined): string | null;
+/**
+ * Compute headroom for a single account given its rate-limit snapshot.
+ * Headroom is the slack between the most-saturated relevant bucket and
+ * full utilization: `1 - max(util5h, util7d, util_per_model_if_known)`.
+ *
+ * When `family` is supplied AND the snapshot has a corresponding per-
+ * model 7d bucket, that bucket is included in the max. When the family
+ * isn't represented in the snapshot (e.g. account hasn't seen a Sonnet
+ * request yet so `7d_sonnet` is unknown), headroom is computed from the
+ * unified buckets only — best-effort, populated on the next response.
+ */
+export declare function computeHeadroom(snapshot: RateLimitSnapshot, family?: string | null): number;
 export declare class AccountPool {
     private accounts;
     private queue;
@@ -61,8 +99,14 @@ export declare class AccountPool {
     }): void;
     remove(alias: string): boolean;
     get size(): number;
-    /** Select the best account for the next request. */
-    select(): PoolAccount | null;
+    /**
+     * Select the best account for the next request. `family` (when supplied)
+     * is the request's model family (`opus` / `sonnet` / `haiku`); when
+     * present and the account has a matching per-model 7d bucket, that
+     * bucket joins the headroom max. Family-less calls fall back to the
+     * unified-buckets-only headroom — same behavior as before this PR.
+     */
+    select(family?: string | null): PoolAccount | null;
     /**
      * Select with session stickiness. If `stickyKey` is already bound to a
      * healthy account (not rejected, token not near expiry, headroom > 2%),
@@ -79,7 +123,7 @@ export declare class AccountPool {
      *
      * Also performs lazy cleanup of expired bindings (TTL or size cap).
      */
-    selectSticky(stickyKey: string | null): PoolAccount | null;
+    selectSticky(stickyKey: string | null, family?: string | null): PoolAccount | null;
     /**
      * Rebind a sticky key to a different account — called by proxy after an
      * in-request 429 failover moves to the next-best account. Without this
@@ -99,7 +143,7 @@ export declare class AccountPool {
     /** Test/inspection helper — current alias bound to a key, or null. */
     stickyAliasFor(stickyKey: string): string | null;
     /** Select the next-best account, excluding the given set of aliases. */
-    selectExcluding(excluded: Set<string>): PoolAccount | null;
+    selectExcluding(excluded: Set<string>, family?: string | null): PoolAccount | null;
     updateRateLimits(alias: string, snapshot: RateLimitSnapshot): void;
     markRejected(alias: string, snapshot: RateLimitSnapshot): void;
     updateTokens(alias: string, accessToken: string, refreshToken: string, expiresAt: number): void;

package/dist/pool.js

@@ -28,19 +28,44 @@ export const EMPTY_SNAPSHOT = {
     status: 'unknown',
     util5h: 0,
     util7d: 0,
+    perModel7d: {},
     overageUtil: 0,
     claim: 'unknown',
     reset: 0,
     fallbackPct: 0,
     updatedAt: 0,
 };
+/**
+ * Match `anthropic-ratelimit-unified-7d_<family>-utilization`. Generic on
+ * `<family>` so a future `7d_opus` / `7d_haiku` (or anything Anthropic
+ * adds without notice) is captured automatically. The family is
+ * normalized to lowercase to match `modelFamily()` output.
+ */
+const PER_MODEL_7D_HEADER = /^anthropic-ratelimit-unified-7d_([a-z0-9-]+)-utilization$/i;
 /** Parse an Anthropic response's rate-limit headers into a snapshot. */
 export function parseRateLimits(headers) {
     const get = (key) => headers.get(`anthropic-ratelimit-unified-${key}`) ?? '';
+    const perModel7d = {};
+    // Iterate the full header set — `headers.get` only retrieves known
+    // keys, but Anthropic can add new `7d_<family>-utilization` shapes
+    // unannounced. Scanning the iterator means the parser is automatically
+    // forward-compatible. Real `Headers` instances and test-side mocks
+    // (which implement `.entries()` but not direct iteration) both work
+    // through the explicit `.entries()` call.
+    const entries = (typeof headers.entries === 'function')
+        ? headers.entries()
+        : headers;
+    for (const [k, v] of entries) {
+        const m = k.match(PER_MODEL_7D_HEADER);
+        if (m && m[1]) {
+            perModel7d[m[1].toLowerCase()] = parseFloat(v) || 0;
+        }
+    }
     return {
         status: get('status') || 'unknown',
         util5h: parseFloat(get('5h-utilization')) || 0,
         util7d: parseFloat(get('7d-utilization')) || 0,
+        perModel7d,
         overageUtil: parseFloat(get('overage-utilization')) || 0,
         claim: get('representative-claim') || 'unknown',
         reset: parseInt(get('reset')) || 0,
@@ -48,6 +73,49 @@ export function parseRateLimits(headers) {
         updatedAt: Date.now(),
     };
 }
+/**
+ * Extract the model family (`opus` / `sonnet` / `haiku`) from a request's
+ * model id. Used to look up the per-model 7d bucket in
+ * `RateLimitSnapshot.perModel7d` during routing decisions. Returns null
+ * for non-Claude models or model ids that don't carry a recognizable
+ * family token (those requests just use the unified buckets).
+ *
+ * Generous on input shape: matches `claude-opus-4-7`, `opus`, `claude-3-7-sonnet-…`,
+ * `claude-haiku-4-5`, anything containing the family token. Lowercase-normalized
+ * so it pairs cleanly with `parseRateLimits`'s lowercase family keys.
+ */
+export function modelFamily(modelId) {
+    if (!modelId)
+        return null;
+    const m = modelId.toLowerCase();
+    if (m.includes('opus'))
+        return 'opus';
+    if (m.includes('sonnet'))
+        return 'sonnet';
+    if (m.includes('haiku'))
+        return 'haiku';
+    return null;
+}
+/**
+ * Compute headroom for a single account given its rate-limit snapshot.
+ * Headroom is the slack between the most-saturated relevant bucket and
+ * full utilization: `1 - max(util5h, util7d, util_per_model_if_known)`.
+ *
+ * When `family` is supplied AND the snapshot has a corresponding per-
+ * model 7d bucket, that bucket is included in the max. When the family
+ * isn't represented in the snapshot (e.g. account hasn't seen a Sonnet
+ * request yet so `7d_sonnet` is unknown), headroom is computed from the
+ * unified buckets only — best-effort, populated on the next response.
+ */
+export function computeHeadroom(snapshot, family) {
+    const utils = [snapshot.util5h, snapshot.util7d];
+    if (family) {
+        const perModel = snapshot.perModel7d[family];
+        if (perModel !== undefined)
+            utils.push(perModel);
+    }
+    return 1 - Math.max(...utils);
+}
 const STICKY_TTL_MS = 6 * 60 * 60 * 1000; // 6h
 const STICKY_MAX_ENTRIES = 2_000; // lazy cleanup cap
 /**
@@ -87,8 +155,14 @@ export class AccountPool {
     get size() {
         return this.accounts.size;
     }
-    /** Select the best account for the next request. */
-    select() {
+    /**
+     * Select the best account for the next request. `family` (when supplied)
+     * is the request's model family (`opus` / `sonnet` / `haiku`); when
+     * present and the account has a matching per-model 7d bucket, that
+     * bucket joins the headroom max. Family-less calls fall back to the
+     * unified-buckets-only headroom — same behavior as before this PR.
+     */
+    select(family) {
         if (this.accounts.size === 0)
             return null;
         const now = Date.now();
@@ -97,8 +171,8 @@ export class AccountPool {
             a.expiresAt > now + 30_000);
         if (eligible.length > 0) {
             return eligible.reduce((best, curr) => {
-                const bestHeadroom = 1 - Math.max(best.rateLimit.util5h, best.rateLimit.util7d);
-                const currHeadroom = 1 - Math.max(curr.rateLimit.util5h, curr.rateLimit.util7d);
+                const bestHeadroom = computeHeadroom(best.rateLimit, family);
+                const currHeadroom = computeHeadroom(curr.rateLimit, family);
                 return currHeadroom > bestHeadroom ? curr : best;
             });
         }
@@ -126,9 +200,9 @@ export class AccountPool {
      *
      * Also performs lazy cleanup of expired bindings (TTL or size cap).
      */
-    selectSticky(stickyKey) {
+    selectSticky(stickyKey, family) {
         if (!stickyKey)
-            return this.select();
+            return this.select(family);
         this.cleanupSticky();
         const binding = this.sticky.get(stickyKey);
         if (binding) {
@@ -137,11 +211,11 @@ export class AccountPool {
             if (bound
                 && bound.rateLimit.status !== 'rejected'
                 && bound.expiresAt > now + 30_000
-                && (1 - Math.max(bound.rateLimit.util5h, bound.rateLimit.util7d)) > POOL_HEADROOM_FLOOR) {
+                && computeHeadroom(bound.rateLimit, family) > POOL_HEADROOM_FLOOR) {
                 return bound;
             }
         }
-        const picked = this.select();
+        const picked = this.select(family);
         if (picked) {
             this.sticky.set(stickyKey, { alias: picked.alias, boundAt: Date.now() });
         }
@@ -189,7 +263,7 @@ export class AccountPool {
         return this.sticky.get(stickyKey)?.alias ?? null;
     }
     /** Select the next-best account, excluding the given set of aliases. */
-    selectExcluding(excluded) {
+    selectExcluding(excluded, family) {
         if (this.accounts.size <= 1)
             return null;
         const now = Date.now();
@@ -198,8 +272,8 @@ export class AccountPool {
             a.expiresAt > now + 30_000);
         if (eligible.length > 0) {
             return eligible.reduce((best, curr) => {
-                const bestHeadroom = 1 - Math.max(best.rateLimit.util5h, best.rateLimit.util7d);
-                const currHeadroom = 1 - Math.max(curr.rateLimit.util5h, curr.rateLimit.util7d);
+                const bestHeadroom = computeHeadroom(best.rateLimit, family);
+                const currHeadroom = computeHeadroom(curr.rateLimit, family);
                 return currHeadroom > bestHeadroom ? curr : best;
             });
         }
@@ -240,7 +314,10 @@ export class AccountPool {
         const now = Date.now();
         const healthy = all.filter(a => a.rateLimit.status !== 'rejected' &&
             a.expiresAt > now + 30_000);
-        const headrooms = all.map(a => 1 - Math.max(a.rateLimit.util5h, a.rateLimit.util7d));
+        // Status is a pool-wide aggregate; family-agnostic. Per-model
+        // headroom is request-context-specific and only meaningful at
+        // select() time.
+        const headrooms = all.map(a => computeHeadroom(a.rateLimit));
         const avgHeadroom = headrooms.length > 0 ? headrooms.reduce((a, b) => a + b, 0) / headrooms.length : 0;
         const best = this.select();
         return {
@@ -260,7 +337,7 @@ export class AccountPool {
     async waitForAccount() {
         const immediate = this.select();
         if (immediate) {
-            const headroom = 1 - Math.max(immediate.rateLimit.util5h, immediate.rateLimit.util7d);
+            const headroom = computeHeadroom(immediate.rateLimit);
             if (headroom > POOL_HEADROOM_FLOOR)
                 return immediate;
         }
@@ -303,7 +380,7 @@ export class AccountPool {
             const account = this.select();
             if (!account)
                 break;
-            const headroom = 1 - Math.max(account.rateLimit.util5h, account.rateLimit.util7d);
+            const headroom = computeHeadroom(account.rateLimit);
             if (headroom <= POOL_HEADROOM_FLOOR)
                 break;
             const entry = this.queue.shift();

package/dist/proxy.js

@@ -8,11 +8,12 @@ import { arch, platform } from 'node:process';
 import { getAccessToken, getStatus } from './oauth.js';
 import { buildCCRequest, reverseMapResponse, createStreamingReverseMapper, orderHeadersForOutbound, CC_TEMPLATE } from './cc-template.js';
 import { describeTemplate, detectDrift, checkCCCompat } from './live-fingerprint.js';
-import { AccountPool, computeStickyKey, parseRateLimits } from './pool.js';
+import { AccountPool, computeStickyKey, parseRateLimits, modelFamily } from './pool.js';
 import { Analytics, billingBucketFromClaim } from './analytics.js';
 import { loadAllAccounts, loadAccount, refreshAccountToken } from './accounts.js';
 import { getOpenAIBackend, isOpenAIModel, forwardToOpenAI } from './openai-backend.js';
 import { RequestQueue, QueueFullError, QueueTimeoutError, DEFAULT_MAX_CONCURRENT, DEFAULT_MAX_QUEUED, DEFAULT_QUEUE_TIMEOUT_MS } from './request-queue.js';
+import { redactSecrets } from './redact.js';
 const ANTHROPIC_API = 'https://api.anthropic.com';
 const DEFAULT_PORT = 3456;
 const MAX_BODY_BYTES = 10 * 1024 * 1024; // 10 MB — generous for large prompts, prevents abuse
@@ -345,12 +346,10 @@ function translateStreamChunk(line) {
 }
 const OPENAI_MODELS_LIST = { object: 'list', data: ['claude-opus-4-6', 'claude-sonnet-4-6', 'claude-haiku-4-5'].map(id => ({ id, object: 'model', created: 1700000000, owned_by: 'anthropic' })) };
 export function sanitizeError(err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    // Never leak tokens, JWTs, or bearer values in error messages
-    return msg
-        .replace(/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]')
-        .replace(/eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g, '[REDACTED_JWT]')
-        .replace(/Bearer\s+[^\s,;]+/gi, 'Bearer [REDACTED]');
+    // Pattern set lives in src/redact.ts so OAuth call sites can run the
+    // same redaction directly on response-body strings without importing
+    // proxy (which imports oauth — would circle).
+    return redactSecrets(err instanceof Error ? err.message : String(err));
 }
 /**
  * API-key auth via DARIO_API_KEY (x-api-key or Authorization: Bearer).
@@ -461,6 +460,11 @@ export async function startProxy(opts = {}) {
     // Single-account dario keeps its existing code path unchanged.
     const accountsList = await loadAllAccounts();
     const pool = accountsList.length >= 2 ? new AccountPool() : null;
+    // Per-model rate-limit bucket families seen during this proxy run. First-
+    // sight is logged once when verbose so a new Anthropic bucket (e.g. an
+    // eventual `7d_opus`) doesn't slip past unnoticed. Pure observability —
+    // routing already handles unknown families generically.
+    const seenPerModelBuckets = new Set();
     const analytics = pool ? new Analytics() : null;
     let status;
     if (pool) {
@@ -965,7 +969,7 @@ export async function startProxy(opts = {}) {
                         // Rotating off mid-session costs cache-create on every turn.
                         stickyKey = computeStickyKey(userMsg);
                         if (pool && stickyKey) {
-                            const preferred = pool.selectSticky(stickyKey);
+                            const preferred = pool.selectSticky(stickyKey, modelFamily(requestModel));
                             if (preferred && preferred.alias !== poolAccount?.alias) {
                                 poolAccount = preferred;
                                 accessToken = preferred.accessToken;
@@ -1186,6 +1190,20 @@ export async function startProxy(opts = {}) {
                     else {
                         pool.updateRateLimits(poolAccount.alias, snapshot);
                     }
+                    // First-sight detector for per-model rate-limit buckets. Anthropic
+                    // ships these unannounced — e.g. `7d_sonnet-utilization` appeared
+                    // around 2026-04-25 — and verbose-mode users want a heads-up the
+                    // first time a new family shows up so they can decide whether to
+                    // bump dario's expectations. Pure logging; the routing path
+                    // already handles arbitrary family keys (see pool.computeHeadroom).
+                    for (const family of Object.keys(snapshot.perModel7d)) {
+                        if (!seenPerModelBuckets.has(family)) {
+                            seenPerModelBuckets.add(family);
+                            if (verbose) {
+                                console.log(`[dario] new per-model rate-limit bucket observed: 7d_${family} (util=${snapshot.perModel7d[family]?.toFixed(2)})`);
+                            }
+                        }
+                    }
                 }
                 // Auto-retry without context-1m if it triggers a long-context billing error.
                 // Anthropic returns this as either 400 ("long context beta is not yet available
@@ -1288,7 +1306,7 @@ export async function startProxy(opts = {}) {
                     else if (upstream.status === 429) {
                         // Not a context-1m issue — try pool failover before surfacing to client
                         if (pool && poolAccount) {
-                            const nextAccount = pool.selectExcluding(triedAliases);
+                            const nextAccount = pool.selectExcluding(triedAliases, modelFamily(requestModel));
                             if (nextAccount) {
                                 triedAliases.add(nextAccount.alias);
                                 poolAccount = nextAccount;
@@ -1347,7 +1365,7 @@ export async function startProxy(opts = {}) {
                 if (upstream.status === 429) {
                     // Try pool failover before surfacing to client
                     if (pool && poolAccount) {
-                        const nextAccount = pool.selectExcluding(triedAliases);
+                        const nextAccount = pool.selectExcluding(triedAliases, modelFamily(requestModel));
                         if (nextAccount) {
                             triedAliases.add(nextAccount.alias);
                             poolAccount = nextAccount;

package/dist/redact.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Secret redaction for free-form strings emitted by dario.
+ *
+ * Used wherever an externally-sourced string (an upstream HTTP response
+ * body, an exception message, a verbose log line) might transit through
+ * to a place a user can see (stderr, an Error message, a JSON response).
+ * Even though Anthropic's documented API is not known to echo tokens in
+ * error responses, defense-in-depth: a future API change, a CDN error
+ * page that captures the request headers, or an intermediary's debug
+ * dump could surface a token, and we'd rather redact in transit than
+ * audit every call site for novel leak shapes.
+ *
+ * Patterns match formats actually seen in the Anthropic ecosystem:
+ *   - `sk-ant-…`     — long-lived API keys
+ *   - JWT triple     — OAuth access tokens (`eyJhdr.eyJpyld.sig`)
+ *   - `Bearer <…>`   — auth headers, raw or quoted
+ *
+ * Re-exported by `proxy.ts:sanitizeError` so the proxy's existing leak-
+ * shield benefits from any new patterns added here, and consumed
+ * directly by the OAuth code paths in `oauth.ts` / `accounts.ts` for
+ * sanitizing upstream error bodies before they hit `throw new Error`.
+ */
+export declare const SECRET_PATTERNS: ReadonlyArray<readonly [RegExp, string]>;
+/**
+ * Apply every redaction pattern to a string. Idempotent — running a
+ * pre-redacted string through this is a no-op.
+ */
+export declare function redactSecrets(s: string): string;

package/dist/redact.js

@@ -0,0 +1,38 @@
+/**
+ * Secret redaction for free-form strings emitted by dario.
+ *
+ * Used wherever an externally-sourced string (an upstream HTTP response
+ * body, an exception message, a verbose log line) might transit through
+ * to a place a user can see (stderr, an Error message, a JSON response).
+ * Even though Anthropic's documented API is not known to echo tokens in
+ * error responses, defense-in-depth: a future API change, a CDN error
+ * page that captures the request headers, or an intermediary's debug
+ * dump could surface a token, and we'd rather redact in transit than
+ * audit every call site for novel leak shapes.
+ *
+ * Patterns match formats actually seen in the Anthropic ecosystem:
+ *   - `sk-ant-…`     — long-lived API keys
+ *   - JWT triple     — OAuth access tokens (`eyJhdr.eyJpyld.sig`)
+ *   - `Bearer <…>`   — auth headers, raw or quoted
+ *
+ * Re-exported by `proxy.ts:sanitizeError` so the proxy's existing leak-
+ * shield benefits from any new patterns added here, and consumed
+ * directly by the OAuth code paths in `oauth.ts` / `accounts.ts` for
+ * sanitizing upstream error bodies before they hit `throw new Error`.
+ */
+export const SECRET_PATTERNS = [
+    [/sk-ant-[a-zA-Z0-9_-]+/g, '[REDACTED]'],
+    [/eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g, '[REDACTED_JWT]'],
+    [/Bearer\s+[^\s,;]+/gi, 'Bearer [REDACTED]'],
+];
+/**
+ * Apply every redaction pattern to a string. Idempotent — running a
+ * pre-redacted string through this is a no-op.
+ */
+export function redactSecrets(s) {
+    let out = s;
+    for (const [pat, repl] of SECRET_PATTERNS) {
+        out = out.replace(pat, repl);
+    }
+    return out;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.31.15",
+  "version": "3.31.17",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {
@@ -28,6 +28,7 @@
     "start": "node dist/cli.js",
     "dev": "tsx src/cli.ts",
     "e2e": "node test/e2e.mjs",
+    "stress": "node test/stress.mjs",
     "compat": "node test/compat.mjs",
     "lint:pkg": "node scripts/check-package-json.mjs",
     "drift:sdk": "node scripts/check-sdk-drift.mjs",