@askalf/dario 3.31.4 → 3.31.7

package/dist/cc-authorize-probe.d.ts

@@ -0,0 +1,92 @@
+/**
+ * Live probe of Anthropic's /oauth/authorize endpoint.
+ *
+ * Lifted from scripts/_authorize-probe-classifier.mjs and
+ * scripts/check-cc-authorize-probe.mjs so `dario doctor --probe` can
+ * reuse the same logic without re-importing from scripts. The .mjs
+ * files re-export from this module for the CI drift watcher.
+ *
+ * Motivating pattern: Anthropic's policy engine flips scope
+ * acceptability without changing what CC ships in its binary, so the
+ * binary-scan drift watcher can't see the flip. The live probe fills
+ * that gap — but from GitHub Actions IPs it hits Cloudflare's bot
+ * challenge and comes back "inconclusive" most of the time. Running
+ * the same probe from a user's own machine (via `dario doctor
+ * --probe`) is the workaround: CF doesn't challenge residential IPs
+ * the same way. See dario #42 / #71 for the incidents this prevents.
+ */
+/**
+ * The specific string Anthropic's authorize endpoint returns for a
+ * scope set its policy engine rejects. Observed across multiple
+ * incidents (dario #22, #42, #71) — stable across the policy flips.
+ */
+export declare const REJECT_MARKER = "Invalid request format";
+/**
+ * The minimal response shape the classifier needs. `fetch` results can
+ * be mapped to this in one call (see `probeAuthorize` below).
+ */
+export interface AuthorizeResponse {
+    status: number;
+    location: string | null;
+    body: string;
+    error: string | null;
+}
+export type ProbeVerdict = 'accepted' | 'rejected' | 'inconclusive';
+export interface ClassifiedVerdict {
+    verdict: ProbeVerdict;
+    reason: string;
+}
+/**
+ * Classify a single authorize-endpoint response.
+ *
+ *   accepted     — 3xx redirect to login/consent, OR 2xx without the
+ *                  reject marker. The scope set passed validation.
+ *   rejected     — body contains the specific "Invalid request format"
+ *                  marker. The scope set was refused.
+ *   inconclusive — fetch error, Cloudflare challenge, or any other
+ *                  response shape we can't categorize. Not drift; try
+ *                  again.
+ */
+export declare function classifyAuthorizeResponse({ status, location, body, error }: AuthorizeResponse): ClassifiedVerdict;
+export interface DriftItem {
+    probe: 'A' | 'B';
+    severity: 'high' | 'medium' | 'info';
+    message: string;
+}
+export interface CombinedVerdict {
+    outcome: 'clean' | 'drift' | 'inconclusive';
+    drift: boolean;
+    items: DriftItem[];
+}
+/**
+ * Combine the verdicts for probe A (pinned 6-scope) and probe B
+ * (5-scope, org:create_api_key removed) into a single watcher result.
+ * See scripts/check-cc-authorize-probe.mjs for the full rationale.
+ */
+export declare function combineVerdicts(a: ClassifiedVerdict, b: ClassifiedVerdict): CombinedVerdict;
+export interface ProbeConfig {
+    clientId: string;
+    authorizeUrl: string;
+    scopes: string;
+}
+export interface ProbeOptions {
+    timeoutMs?: number;
+    /** Test hook. Default: `globalThis.fetch`. */
+    fetchImpl?: typeof fetch;
+}
+export interface ProbeResult extends ClassifiedVerdict {
+    /** The exact URL sent — useful for the user to paste into a browser if the verdict is rejected. */
+    probedUrl: string;
+    /** Scope count from `scopes`, for quick human read-out. */
+    scopeCount: number;
+}
+export declare function buildProbeAuthorizeUrl(cfg: ProbeConfig): string;
+/**
+ * Probe the authorize endpoint with the given config. Follows exactly
+ * one redirect hop if the Location points at a trusted Anthropic host
+ * (claude.ai / claude.com / *.anthropic.com) — the legacy
+ * `claude.com/cai/oauth/authorize` edge 307s to claude.ai and the
+ * destination is where the validation happens. Stopping at the edge
+ * would silently treat every scope set as accepted.
+ */
+export declare function runAuthorizeProbe(cfg: ProbeConfig, opts?: ProbeOptions): Promise<ProbeResult>;

package/dist/cc-authorize-probe.js

@@ -0,0 +1,186 @@
+/**
+ * Live probe of Anthropic's /oauth/authorize endpoint.
+ *
+ * Lifted from scripts/_authorize-probe-classifier.mjs and
+ * scripts/check-cc-authorize-probe.mjs so `dario doctor --probe` can
+ * reuse the same logic without re-importing from scripts. The .mjs
+ * files re-export from this module for the CI drift watcher.
+ *
+ * Motivating pattern: Anthropic's policy engine flips scope
+ * acceptability without changing what CC ships in its binary, so the
+ * binary-scan drift watcher can't see the flip. The live probe fills
+ * that gap — but from GitHub Actions IPs it hits Cloudflare's bot
+ * challenge and comes back "inconclusive" most of the time. Running
+ * the same probe from a user's own machine (via `dario doctor
+ * --probe`) is the workaround: CF doesn't challenge residential IPs
+ * the same way. See dario #42 / #71 for the incidents this prevents.
+ */
+import { createHash, randomBytes } from 'node:crypto';
+/**
+ * The specific string Anthropic's authorize endpoint returns for a
+ * scope set its policy engine rejects. Observed across multiple
+ * incidents (dario #22, #42, #71) — stable across the policy flips.
+ */
+export const REJECT_MARKER = 'Invalid request format';
+/** Not a real callback — the probe only needs the initial response. */
+const PROBE_REDIRECT_URI = 'http://localhost:12345/callback';
+const PROBE_TIMEOUT_MS = 15_000;
+/** Cloudflare fronts claude.ai and challenges unrecognized clients. */
+function isCloudflareChallenge({ status, body }) {
+    const bodyText = typeof body === 'string' ? body : '';
+    if (bodyText.includes('Just a moment...') || bodyText.includes('/cdn-cgi/challenge-platform/')) {
+        return true;
+    }
+    if (status === 403 && bodyText.includes('cdn-cgi')) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Classify a single authorize-endpoint response.
+ *
+ *   accepted     — 3xx redirect to login/consent, OR 2xx without the
+ *                  reject marker. The scope set passed validation.
+ *   rejected     — body contains the specific "Invalid request format"
+ *                  marker. The scope set was refused.
+ *   inconclusive — fetch error, Cloudflare challenge, or any other
+ *                  response shape we can't categorize. Not drift; try
+ *                  again.
+ */
+export function classifyAuthorizeResponse({ status, location, body, error }) {
+    if (error) {
+        return { verdict: 'inconclusive', reason: `fetch error: ${error}` };
+    }
+    if (isCloudflareChallenge({ status, body })) {
+        return {
+            verdict: 'inconclusive',
+            reason: `blocked by Cloudflare bot challenge (status=${status}). ` +
+                `The live probe is unreliable from CI IPs — rely on the scope-literal ` +
+                `scan in check-cc-drift.mjs, or run this probe from a trusted network.`,
+        };
+    }
+    const bodyText = typeof body === 'string' ? body : '';
+    if (bodyText.includes(REJECT_MARKER)) {
+        return { verdict: 'rejected', reason: `body contains "${REJECT_MARKER}"` };
+    }
+    if (status >= 300 && status < 400 && typeof location === 'string' && location.length > 0) {
+        return { verdict: 'accepted', reason: `${status} redirect to ${location}` };
+    }
+    if (status >= 200 && status < 300) {
+        return { verdict: 'accepted', reason: `${status} body rendered, no reject marker` };
+    }
+    return {
+        verdict: 'inconclusive',
+        reason: `unexpected response: status=${status}, location=${location ?? 'none'}, body_len=${bodyText.length}`,
+    };
+}
+/**
+ * Combine the verdicts for probe A (pinned 6-scope) and probe B
+ * (5-scope, org:create_api_key removed) into a single watcher result.
+ * See scripts/check-cc-authorize-probe.mjs for the full rationale.
+ */
+export function combineVerdicts(a, b) {
+    if (a.verdict === 'inconclusive' || b.verdict === 'inconclusive') {
+        const items = [];
+        if (a.verdict === 'inconclusive')
+            items.push({ probe: 'A', severity: 'info', message: `probe A inconclusive: ${a.reason}` });
+        if (b.verdict === 'inconclusive')
+            items.push({ probe: 'B', severity: 'info', message: `probe B inconclusive: ${b.reason}` });
+        return { outcome: 'inconclusive', drift: false, items };
+    }
+    const items = [];
+    if (a.verdict !== 'accepted') {
+        items.push({
+            probe: 'A',
+            severity: 'high',
+            message: `Pinned FALLBACK.scopes (6-scope) no longer accepted by authorize endpoint (${a.reason}). ` +
+                `This is the dario #42 / #71 failure mode: users will hit "Invalid request format" on fresh login. ` +
+                `Investigate which scope the server now rejects and update FALLBACK.scopes in src/cc-oauth-detect.ts; ` +
+                `bump the cache suffix (CACHE_PATH) so existing users regenerate.`,
+        });
+    }
+    if (b.verdict === 'accepted') {
+        items.push({
+            probe: 'B',
+            severity: 'info',
+            message: `5-scope form (org:create_api_key removed) is ALSO accepted. Anthropic's authorize ` +
+                `endpoint appears permissive for this client_id — both the 6-scope form our users send ` +
+                `and the 5-scope form are accepted. Nothing to fix; recorded so we notice when it flips.`,
+        });
+    }
+    const hasDrift = items.some((i) => i.severity === 'high');
+    return {
+        outcome: hasDrift ? 'drift' : 'clean',
+        drift: hasDrift,
+        items,
+    };
+}
+function base64url(buf) {
+    return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function pkceChallenge() {
+    const verifier = base64url(randomBytes(32));
+    return base64url(createHash('sha256').update(verifier).digest());
+}
+export function buildProbeAuthorizeUrl(cfg) {
+    const params = new URLSearchParams({
+        code: 'true',
+        client_id: cfg.clientId,
+        response_type: 'code',
+        redirect_uri: PROBE_REDIRECT_URI,
+        scope: cfg.scopes,
+        code_challenge: pkceChallenge(),
+        code_challenge_method: 'S256',
+        state: base64url(randomBytes(16)),
+    });
+    return `${cfg.authorizeUrl}?${params.toString()}`;
+}
+const PROBE_HEADERS = {
+    'User-Agent': 'dario-cc-authorize-probe/1 (+https://github.com/askalf/dario)',
+    Accept: 'text/html,application/xhtml+xml;q=0.9,*/*;q=0.8',
+};
+async function fetchOnce(url, opts) {
+    const fetchImpl = opts.fetchImpl ?? fetch;
+    const timeoutMs = opts.timeoutMs ?? PROBE_TIMEOUT_MS;
+    try {
+        const res = await fetchImpl(url, {
+            method: 'GET',
+            redirect: 'manual',
+            signal: AbortSignal.timeout(timeoutMs),
+            headers: PROBE_HEADERS,
+        });
+        const location = res.headers.get('location');
+        let body = '';
+        try {
+            body = await res.text();
+        }
+        catch (err) {
+            return { status: res.status, location, body: '', error: `read body failed: ${err?.message ?? String(err)}` };
+        }
+        return { status: res.status, location, body, error: null };
+    }
+    catch (err) {
+        return { status: 0, location: null, body: '', error: err?.message ?? String(err) };
+    }
+}
+/**
+ * Probe the authorize endpoint with the given config. Follows exactly
+ * one redirect hop if the Location points at a trusted Anthropic host
+ * (claude.ai / claude.com / *.anthropic.com) — the legacy
+ * `claude.com/cai/oauth/authorize` edge 307s to claude.ai and the
+ * destination is where the validation happens. Stopping at the edge
+ * would silently treat every scope set as accepted.
+ */
+export async function runAuthorizeProbe(cfg, opts = {}) {
+    const url = buildProbeAuthorizeUrl(cfg);
+    const first = await fetchOnce(url, opts);
+    const trustedRedirect = first.status >= 300 && first.status < 400 &&
+        typeof first.location === 'string' &&
+        /^https:\/\/(claude\.ai|claude\.com|[\w-]+\.anthropic\.com)\//.test(first.location);
+    const response = trustedRedirect && first.location !== null
+        ? await fetchOnce(first.location, opts)
+        : first;
+    const classified = classifyAuthorizeResponse(response);
+    const scopeCount = cfg.scopes.split(/\s+/).filter(Boolean).length;
+    return { ...classified, probedUrl: url, scopeCount };
+}

package/dist/cc-template-data.json

@@ -1,6 +1,6 @@
 {
-  "_version": "2.1.117",
-  "_captured": "2026-04-22T15:16:42.429Z",
+  "_version": "2.1.118",
+  "_captured": "2026-04-23T15:14:02.377Z",
   "_source": "bundled",
   "_schemaVersion": 3,
   "agent_identity": "You are a Claude agent, built on Anthropic's Claude Agent SDK.",
@@ -622,7 +622,7 @@
     },
     {
       "name": "Read",
-      "description": "Reads a file from the local filesystem. You can access any file directly by using this tool.\nAssume this tool is able to read all files on the machine. If the User provides a path to a file assume that path is valid. It is okay to read a file that does not exist; an error will be returned.\n\nUsage:\n- The file_path parameter must be an absolute path, not a relative path\n- By default, it reads up to 2000 lines starting from the beginning of the file\n- When you already know which part of the file you need, only read that part. This can be important for larger files.\n- Results are returned using cat -n format, with line numbers starting at 1\n- This tool allows Claude Code to read images (eg PNG, JPG, etc). When reading an image file the contents are presented visually as Claude Code is a multimodal LLM.\n- This tool can read PDF files (.pdf). For large PDFs (more than 10 pages), you MUST provide the pages parameter to read specific page ranges (e.g., pages: \"1-5\"). Reading a large PDF without the pages parameter will fail. Maximum 20 pages per request.\n- This tool can read Jupyter notebooks (.ipynb files) and returns all cells with their outputs, combining code, text, and visualizations.\n- This tool can only read files, not directories. To read a directory, use an ls command via the Bash tool.\n- You will regularly be asked to read screenshots. If the user provides a path to a screenshot, ALWAYS use this tool to view the file at the path. This tool will work with all temporary file paths.\n- If you read a file that exists but has empty contents you will receive a system reminder warning in place of file contents.",
+      "description": "Reads a file from the local filesystem. You can access any file directly by using this tool.\nAssume this tool is able to read all files on the machine. If the User provides a path to a file assume that path is valid. It is okay to read a file that does not exist; an error will be returned.\n\nUsage:\n- The file_path parameter must be an absolute path, not a relative path\n- By default, it reads up to 2000 lines starting from the beginning of the file\n- When you already know which part of the file you need, only read that part. This can be important for larger files.\n- Results are returned using cat -n format, with line numbers starting at 1\n- This tool allows Claude Code to read images (eg PNG, JPG, etc). When reading an image file the contents are presented visually as Claude Code is a multimodal LLM.\n- This tool can read PDF files (.pdf). For large PDFs (more than 10 pages), you MUST provide the pages parameter to read specific page ranges (e.g., pages: \"1-5\"). Reading a large PDF without the pages parameter will fail. Maximum 20 pages per request.\n- This tool can read Jupyter notebooks (.ipynb files) and returns all cells with their outputs, combining code, text, and visualizations.\n- This tool can only read files, not directories. To list files in a directory, use the registered shell tool.\n- You will regularly be asked to read screenshots. If the user provides a path to a screenshot, ALWAYS use this tool to view the file at the path. This tool will work with all temporary file paths.\n- If you read a file that exists but has empty contents you will receive a system reminder warning in place of file contents.",
       "input_schema": {
         "$schema": "https://json-schema.org/draft/2020-12/schema",
         "type": "object",
@@ -973,7 +973,7 @@
   "anthropic_beta": "claude-code-20250219,interleaved-thinking-2025-05-14,context-management-2025-06-27,prompt-caching-scope-2026-01-05,advisor-tool-2026-03-01,effort-2025-11-24,afk-mode-2026-01-31",
   "header_values": {
     "accept": "application/json",
-    "user-agent": "claude-cli/2.1.117 (external, sdk-cli)",
+    "user-agent": "claude-cli/2.1.118 (external, sdk-cli)",
     "x-stainless-arch": "x64",
     "x-stainless-lang": "js",
     "x-stainless-os": "Windows",
@@ -998,5 +998,5 @@
     "output_config",
     "stream"
   ],
-  "_supportedMaxTested": "2.1.117"
+  "_supportedMaxTested": "2.1.118"
 }

package/dist/cli.js

@@ -643,6 +643,11 @@ async function help() {
                              CLI. (v3.27)
     dario doctor             Print a health report: dario / Node / CC /
                              template / drift / OAuth / pool / backends
+    dario doctor --probe     Also hit Anthropic's authorize endpoint with
+                             dario's effective OAuth config and surface
+                             the server's verdict — the single reliable
+                             signal for scope-policy drift (dario#42/#71
+                             class). One GET to claude.ai; no PII.
 
   Proxy options:
     --model=MODEL            Force a model for all requests
@@ -943,16 +948,20 @@ async function mcp() {
 }
 async function doctor() {
     const { runChecks, formatChecks, exitCodeFor } = await import('./doctor.js');
+    const probe = args.includes('--probe');
     console.log('');
     console.log('  dario — Doctor');
     console.log('  ─────────────');
     console.log('');
-    const checks = await runChecks();
+    const checks = await runChecks({ probe });
     console.log(formatChecks(checks));
     console.log('');
     const code = exitCodeFor(checks);
     if (code !== 0) {
         console.log('  One or more checks failed. Address the [FAIL] rows and re-run `dario doctor`.');
+        if (!probe) {
+            console.log('  For a live check against Anthropic\'s authorize endpoint, re-run with `--probe`.');
+        }
         console.log('');
     }
     process.exit(code);

package/dist/doctor.d.ts

@@ -31,6 +31,18 @@ export declare function formatChecks(checks: Check[]): string;
  * a user's machine just because they're on an untested CC version.
  */
 export declare function exitCodeFor(checks: Check[]): number;
+export interface RunChecksOptions {
+    /**
+     * Opt-in: hit Anthropic's authorize endpoint with the scope set dario
+     * would use on `accounts add`, and surface the server's verdict as a
+     * check row. Default off — `dario doctor` without `--probe` is a
+     * read-only local scan, no outbound traffic beyond what the other
+     * checks already make (OAuth token refresh, CC binary version probe,
+     * npm drift check). Enable with `dario doctor --probe`; costs one
+     * GET to `claude.ai` and runs in parallel with the other checks.
+     */
+    probe?: boolean;
+}
 /**
  * Run every available health check. Never throws — each check is
  * individually try/caught so a broken subsystem (e.g. unreadable accounts
@@ -40,4 +52,4 @@ export declare function exitCodeFor(checks: Check[]): number;
  * version, platform) so a reader scanning the output top-down sees
  * the environment before the subsystems.
  */
-export declare function runChecks(): Promise<Check[]>;
+export declare function runChecks(opts?: RunChecksOptions): Promise<Check[]>;

package/dist/doctor.js

@@ -16,6 +16,8 @@ import { fileURLToPath } from 'node:url';
 import { homedir, platform, arch, release } from 'node:os';
 import { CC_TEMPLATE, } from './cc-template.js';
 import { describeTemplate, detectDrift, checkCCCompat, findInstalledCC, SUPPORTED_CC_RANGE, CURRENT_SCHEMA_VERSION, } from './live-fingerprint.js';
+import { detectCCOAuthConfig } from './cc-oauth-detect.js';
+import { runAuthorizeProbe } from './cc-authorize-probe.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 /**
  * Pretty-print a list of Check results as aligned ASCII. No color codes —
@@ -50,7 +52,7 @@ export function exitCodeFor(checks) {
  * version, platform) so a reader scanning the output top-down sees
  * the environment before the subsystems.
  */
-export async function runChecks() {
+export async function runChecks(opts = {}) {
     const checks = [];
     // ---- dario version
     try {
@@ -159,6 +161,50 @@ export async function runChecks() {
     catch (err) {
         checks.push({ status: 'warn', label: 'OAuth', detail: `check failed: ${err.message}` });
     }
+    // ---- Authorize-URL probe (opt-in, --probe).
+    // One GET to the authorize endpoint with dario's effective OAuth config.
+    // This is the single reliable signal for the class of bug that broke
+    // #42 / #71 — Anthropic flipping server-side scope policy without
+    // changing the CC binary. The nightly probe in check-cc-authorize-
+    // probe.mjs hits Cloudflare challenges from CI IPs; running from a
+    // user's machine bypasses that. No PII leaves: the probe uses a
+    // fresh PKCE challenge and a dummy redirect_uri, and only reads the
+    // status code / Location header / response body markers.
+    if (opts.probe) {
+        try {
+            const cfg = await detectCCOAuthConfig();
+            const result = await runAuthorizeProbe({
+                clientId: cfg.clientId,
+                authorizeUrl: cfg.authorizeUrl,
+                scopes: cfg.scopes,
+            });
+            const status = result.verdict === 'accepted'
+                ? 'ok'
+                : result.verdict === 'rejected'
+                    ? 'fail'
+                    : 'warn';
+            const label = 'Authorize probe';
+            const summary = `${result.scopeCount}-scope ${result.verdict} — ${result.reason}`;
+            checks.push({ status, label, detail: summary });
+            if (result.verdict !== 'accepted') {
+                // On rejection: the URL is the one `accounts add` would open —
+                // surface it so the user can paste and diff against `claude
+                // /login`'s URL. On inconclusive (often Cloudflare from our
+                // fetch-based probe — CF challenges non-browser clients
+                // regardless of IP): the same URL pasted into the user's
+                // browser bypasses CF since a real browser passes the
+                // challenge. Either way, the URL is the actionable artifact.
+                checks.push({ status: 'info', label: 'Probe URL', detail: result.probedUrl });
+            }
+        }
+        catch (err) {
+            checks.push({
+                status: 'warn',
+                label: 'Authorize probe',
+                detail: `check failed: ${err.message}`,
+            });
+        }
+    }
     // ---- Account pool
     try {
         const { listAccountAliases, loadAllAccounts } = await import('./accounts.js');

package/dist/live-fingerprint.d.ts

@@ -210,6 +210,7 @@ export declare function findInstalledCC(): {
     path: string | null;
     version: string | null;
 };
+export declare function enumerateClaudeCandidates(): string[];
 /**
  * Given a captured /v1/messages request body, pull out the fields that
  * matter for template replay: agent identity, system prompt, tool list,

package/dist/live-fingerprint.js

@@ -449,30 +449,77 @@ function findClaudeBinary() {
     // non-standard installs.
     if (process.env.DARIO_CLAUDE_BIN)
         return process.env.DARIO_CLAUDE_BIN;
-    // Try the obvious name. On Windows spawn resolves `.cmd` shims
-    // automatically when shell:true, but we don't want shell:true for
-    // safety. The `where` / `which` probe handles Windows via PATHEXT.
-    const candidates = process.platform === 'win32'
-        ? ['claude.cmd', 'claude.exe', 'claude']
-        : ['claude'];
-    for (const name of candidates) {
-        if (existsOnPath(name))
-            return name;
+    const candidates = enumerateClaudeCandidates();
+    if (candidates.length === 0)
+        return null;
+    if (candidates.length === 1)
+        return candidates[0];
+    // Multiple installs on PATH — common on Windows where an npm-wrapper
+    // (~/AppData/Roaming/npm/claude.cmd) coexists with a native install
+    // (~/.local/bin/claude.exe). Version-probe each and pick the newest.
+    // Falls back to the first candidate if no probe succeeds (e.g. every
+    // spawn fails on a sandboxed runtime).
+    const probed = [];
+    for (const path of candidates) {
+        const version = probeOneVersion(path);
+        if (version)
+            probed.push({ path, version });
     }
-    return null;
+    if (probed.length === 0)
+        return candidates[0];
+    probed.sort((a, b) => compareVersions(b.version, a.version));
+    return probed[0].path;
 }
-function existsOnPath(name) {
+// Exported for unit tests.
+export function enumerateClaudeCandidates() {
     const pathEnv = process.env.PATH ?? '';
     const sep = process.platform === 'win32' ? ';' : ':';
     const dirs = pathEnv.split(sep).filter(Boolean);
+    // `.exe` first on Windows: the native binary beats a `.cmd` wrapper
+    // when both live in the same dir. Across dirs we version-probe anyway
+    // so order here only matters when probes all fail.
+    const names = process.platform === 'win32'
+        ? ['claude.exe', 'claude.cmd', 'claude']
+        : ['claude'];
+    const found = [];
+    const seen = new Set();
     for (const d of dirs) {
-        try {
-            if (existsSync(join(d, name)))
-                return true;
+        for (const name of names) {
+            const full = join(d, name);
+            if (seen.has(full))
+                continue;
+            try {
+                if (existsSync(full)) {
+                    seen.add(full);
+                    found.push(full);
+                }
+            }
+            catch { /* noop */ }
         }
-        catch { /* noop */ }
     }
-    return false;
+    return found;
+}
+// Version-probe one specific binary path. Same safety logic as
+// probeInstalledCCVersionUncached below (reject shell metacharacters in
+// override paths before spawning with shell:true on Windows).
+function probeOneVersion(bin) {
+    try {
+        const useShell = process.platform === 'win32' && /\.(cmd|bat)$/i.test(bin);
+        if (useShell && /[&|><^"'%\r\n`$;(){}[\]]/.test(bin))
+            return null;
+        const out = execFileSync(bin, ['--version'], {
+            encoding: 'utf-8',
+            timeout: 2_000,
+            stdio: ['ignore', 'pipe', 'ignore'],
+            windowsHide: true,
+            shell: useShell,
+        });
+        const m = /(\d+\.\d+\.\d+(?:[.\-][\w.\-]+)?)/.exec(out);
+        return m ? m[1] : null;
+    }
+    catch {
+        return null;
+    }
 }
 /**
  * Given a captured /v1/messages request body, pull out the fields that

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.31.4",
+  "version": "3.31.7",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {