@askalf/dario 3.33.0 → 3.34.1

package/dist/cc-template.d.ts

@@ -24,6 +24,35 @@ export declare const CC_TOOL_DEFINITIONS: {
 export declare const CC_SYSTEM_PROMPT: string;
 /** CC's agent identity string. */
 export declare const CC_AGENT_IDENTITY: string;
+/**
+ * Resolve the system prompt for outbound CC-shaped requests.
+ *
+ * Empirically validated against Anthropic's billing classifier in
+ * docs/research/system-prompt.md (and reproducible from
+ * scripts/test-system-prompt-mods.mjs + scripts/test-constraint-removal.mjs):
+ * system prompt content, length, and block count are not classifier
+ * inputs — every variant tested routed to `five_hour` (subscription).
+ *
+ * Modes:
+ *   - undefined / 'verbatim' — CC's prompt unchanged (default; existing
+ *     setups don't regress).
+ *   - 'partial' — strip purely behavioral constraints (Tone-and-style +
+ *     Text-output sections, scope-discipline / verbosity / commenting
+ *     bullets in Doing-tasks). Recovers most of the 1.2-2.8x output
+ *     capability seen in the constraint-removal test while leaving
+ *     every IMPORTANT: refusal reminder and every tool description
+ *     intact.
+ *   - 'aggressive' — partial + remove prompt-level RLHF reminders (the
+ *     IMPORTANT: lines that re-state refusal categories) and the
+ *     Executing-actions-with-care overcaution language. Adds <3%
+ *     practical difference vs partial because alignment is RLHF-trained,
+ *     not prompt-trained — RLHF refusals on harmful content survive
+ *     prompt removal.
+ *   - any other string — used as the literal system prompt text. The
+ *     CLI resolves file paths to file contents up-front so this layer
+ *     stays filesystem-pure.
+ */
+export declare function resolveSystemPrompt(arg: string | undefined): string;
 /**
  * Apply the live template's captured header_order to an outbound header
  * record. Returns a HeadersInit in one of two forms:
@@ -246,6 +275,7 @@ export declare function buildCCRequest(clientBody: Record<string, unknown>, bill
     noAutoDetect?: boolean;
     effort?: EffortValue;
     maxTokens?: number | 'client';
+    systemPrompt?: string;
 }): {
     body: Record<string, unknown>;
     toolMap: Map<string, ToolMapping>;

package/dist/cc-template.js

@@ -43,6 +43,72 @@ export const CC_TOOL_DEFINITIONS = filterToolsForPlatform(TEMPLATE.tools, proces
 export const CC_SYSTEM_PROMPT = TEMPLATE.system_prompt;
 /** CC's agent identity string. */
 export const CC_AGENT_IDENTITY = TEMPLATE.agent_identity;
+/**
+ * Resolve the system prompt for outbound CC-shaped requests.
+ *
+ * Empirically validated against Anthropic's billing classifier in
+ * docs/research/system-prompt.md (and reproducible from
+ * scripts/test-system-prompt-mods.mjs + scripts/test-constraint-removal.mjs):
+ * system prompt content, length, and block count are not classifier
+ * inputs — every variant tested routed to `five_hour` (subscription).
+ *
+ * Modes:
+ *   - undefined / 'verbatim' — CC's prompt unchanged (default; existing
+ *     setups don't regress).
+ *   - 'partial' — strip purely behavioral constraints (Tone-and-style +
+ *     Text-output sections, scope-discipline / verbosity / commenting
+ *     bullets in Doing-tasks). Recovers most of the 1.2-2.8x output
+ *     capability seen in the constraint-removal test while leaving
+ *     every IMPORTANT: refusal reminder and every tool description
+ *     intact.
+ *   - 'aggressive' — partial + remove prompt-level RLHF reminders (the
+ *     IMPORTANT: lines that re-state refusal categories) and the
+ *     Executing-actions-with-care overcaution language. Adds <3%
+ *     practical difference vs partial because alignment is RLHF-trained,
+ *     not prompt-trained — RLHF refusals on harmful content survive
+ *     prompt removal.
+ *   - any other string — used as the literal system prompt text. The
+ *     CLI resolves file paths to file contents up-front so this layer
+ *     stays filesystem-pure.
+ */
+export function resolveSystemPrompt(arg) {
+    if (!arg || arg === 'verbatim')
+        return CC_SYSTEM_PROMPT;
+    if (arg === 'partial')
+        return stripBehavioralConstraints(CC_SYSTEM_PROMPT, 'partial');
+    if (arg === 'aggressive')
+        return stripBehavioralConstraints(CC_SYSTEM_PROMPT, 'aggressive');
+    return arg;
+}
+/**
+ * Port of scripts/test-constraint-removal.mjs:stripConstraints. Pure over
+ * its input; returns the input unchanged if section headers don't match
+ * (so a future CC bump that renames sections degrades to verbatim rather
+ * than producing an unpredictable strip).
+ */
+function stripBehavioralConstraints(input, level) {
+    let s = input;
+    s = s.replace(/# Tone and style[\s\S]*?(?=\n# |\n$|$)/m, '');
+    s = s.replace(/# Text output[^\n]*\n[\s\S]*?(?=\n# |\n$|$)/m, '');
+    const doingTasksConstraints = [
+        /^ - Don't add features, refactor, or introduce abstractions[^\n]*\n[^\n]*\n[^\n]*\n[^\n]*\n[^\n]*\n/m,
+        /^ - Don't add error handling, fallbacks, or validation[^\n]*\n[^\n]*\n/m,
+        /^ - Default to writing no comments\.[^\n]*\n[^\n]*\n[^\n]*\n[^\n]*\n/m,
+        /^ - Don't explain WHAT the code does[^\n]*\n[^\n]*\n/m,
+        /^ - For exploratory questions[^\n]*\n[^\n]*\n/m,
+        /^ - Avoid backwards-compatibility hacks[^\n]*\n[^\n]*\n/m,
+    ];
+    for (const re of doingTasksConstraints) {
+        s = s.replace(re, '');
+    }
+    s = s.replace(/^# Doing tasks\n/m, '# Doing tasks\n\nBe thorough. Show your reasoning. Provide the context and explanations the user is likely to find useful. Use as many tokens as the task warrants.\n\n');
+    if (level === 'aggressive') {
+        s = s.replace(/^IMPORTANT: Assist with authorized security testing[^\n]*\n/m, '');
+        s = s.replace(/^IMPORTANT: You must NEVER generate or guess URLs[^\n]*\n/m, '');
+        s = s.replace(/# Executing actions with care[\s\S]*?(?=\n# |\n$|$)/m, '');
+    }
+    return s;
+}
 /**
  * Apply the live template's captured header_order to an outbound header
  * record. Returns a HeadersInit in one of two forms:
@@ -1089,9 +1155,14 @@ export function buildCCRequest(clientBody, billingTag, cacheControl, identity, o
     //   [0] billing tag (no cache)
     //   [1] agent identity (1h cache)
     //   [2] CC's full 25KB system prompt + client's custom prompt appended (1h cache)
+    // resolveSystemPrompt is the seam for --system-prompt=verbatim|partial|
+    // aggressive|<file>. Default (undefined) returns CC_SYSTEM_PROMPT
+    // unchanged. See docs/research/system-prompt.md for the empirical
+    // validation that this slot is unfingerprinted by the billing classifier.
+    const baseSystemPrompt = resolveSystemPrompt(opts.systemPrompt);
     const fullSystemPrompt = systemText
-        ? `${CC_SYSTEM_PROMPT}\n\n${systemText}`
-        : CC_SYSTEM_PROMPT;
+        ? `${baseSystemPrompt}\n\n${systemText}`
+        : baseSystemPrompt;
     const ccRequest = {
         model,
         messages,

package/dist/cli.d.ts

@@ -10,6 +10,24 @@
  *   dario logout    — Remove saved credentials
  */
 import { type EffortValue } from './cc-template.js';
+/**
+ * Parse `--system-prompt=<verbatim|partial|aggressive|filepath>` (or the
+ * `DARIO_SYSTEM_PROMPT` env-var fallback) into the value passed through
+ * to startProxy. The CLI flag wins over the env var when both are set —
+ * convention every other dario flag uses.
+ *
+ * Returns:
+ *   - undefined for missing / 'verbatim' (proxy default — CC unchanged)
+ *   - 'partial' / 'aggressive' as keyword strings (stripping happens
+ *     in cc-template.ts:resolveSystemPrompt at request build time)
+ *   - the literal text contents of the file at <filepath> for the
+ *     custom-prompt escape hatch. Fails fast (process.exit(1)) on a
+ *     value that is neither a recognized keyword nor a readable file.
+ *
+ * Exported for the test suite — same shape as resolveEffortFlag /
+ * resolveMaxTokensFlag.
+ */
+export declare function resolveSystemPromptFlag(args: string[], envVar: string | undefined): string | undefined;
 /**
  * Parse `--passthrough-betas=<csv>` (or the env-var fallback) into a
  * deduped, trimmed list. The CLI flag wins over the env var when both

package/dist/cli.js

@@ -17,7 +17,7 @@
 // just want `parsePositiveIntEnv`) doesn't trigger a Bun relaunch or any
 // other startup side effect.
 import { unlink } from 'node:fs/promises';
-import { realpathSync } from 'node:fs';
+import { realpathSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
 import { pathToFileURL } from 'node:url';
@@ -284,6 +284,20 @@ async function proxy() {
     // Falls back to DARIO_LOG_FILE; off by default. Path is opened with
     // append mode so multiple proxy restarts share a rolling history.
     const logFile = parseLogFileFlag(args) ?? process.env['DARIO_LOG_FILE'] ?? undefined;
+    // --system-prompt=<verbatim|partial|aggressive|filepath> — system-prompt
+    // mode for outbound CC-shaped requests (v3.34.0). The classifier is
+    // empirically not reading this slot (docs/research/system-prompt.md),
+    // so users can strip CC's behavioral constraints — Tone-and-style,
+    // Text-output, scope/verbosity bullets — and recover 1.2-2.8x output
+    // capability without flipping subscription billing. Default 'verbatim'
+    // preserves existing setups.
+    //
+    // The CLI resolves the value here so the runtime path stays
+    // filesystem-pure: 'verbatim'/'partial'/'aggressive' pass through as
+    // keywords; anything else is treated as a file path and read at
+    // startup. A bad path fails fast rather than silently degrading to
+    // verbatim — same fail-loud philosophy as --strict-tls / --strict-template.
+    const systemPrompt = resolveSystemPromptFlag(args, process.env['DARIO_SYSTEM_PROMPT']);
     // --passthrough-betas=name1,name2 — operator-pinned beta allow-list.
     // Names listed here are always forwarded to Anthropic regardless of
     // CC's captured set or the client's own beta header; bypasses the
@@ -309,7 +323,47 @@ async function proxy() {
         console.error(`[dario] Override (not recommended): pass --unsafe-no-auth if you have out-of-band network controls and accept the risk.`);
         process.exit(1);
     }
-    await startProxy({ port, host, verbose, verboseBodies, model, passthrough, preserveTools, hybridTools, mergeTools, noAutoDetect, strictTls, pacingMinMs, pacingJitterMs, drainOnClose, sessionIdleRotateMs, sessionRotateJitterMs, sessionMaxAgeMs, sessionPerClient, preserveOrchestrationTags, noLiveCapture, strictTemplate, maxConcurrent, maxQueued, queueTimeoutMs, effort, maxTokens, logFile, passthroughBetas });
+    await startProxy({ port, host, verbose, verboseBodies, model, passthrough, preserveTools, hybridTools, mergeTools, noAutoDetect, strictTls, pacingMinMs, pacingJitterMs, drainOnClose, sessionIdleRotateMs, sessionRotateJitterMs, sessionMaxAgeMs, sessionPerClient, preserveOrchestrationTags, noLiveCapture, strictTemplate, maxConcurrent, maxQueued, queueTimeoutMs, effort, maxTokens, logFile, passthroughBetas, systemPrompt });
+}
+/**
+ * Parse `--system-prompt=<verbatim|partial|aggressive|filepath>` (or the
+ * `DARIO_SYSTEM_PROMPT` env-var fallback) into the value passed through
+ * to startProxy. The CLI flag wins over the env var when both are set —
+ * convention every other dario flag uses.
+ *
+ * Returns:
+ *   - undefined for missing / 'verbatim' (proxy default — CC unchanged)
+ *   - 'partial' / 'aggressive' as keyword strings (stripping happens
+ *     in cc-template.ts:resolveSystemPrompt at request build time)
+ *   - the literal text contents of the file at <filepath> for the
+ *     custom-prompt escape hatch. Fails fast (process.exit(1)) on a
+ *     value that is neither a recognized keyword nor a readable file.
+ *
+ * Exported for the test suite — same shape as resolveEffortFlag /
+ * resolveMaxTokensFlag.
+ */
+export function resolveSystemPromptFlag(args, envVar) {
+    const eqArg = args.find((a) => a.startsWith('--system-prompt='));
+    const raw = eqArg !== undefined ? eqArg.split('=').slice(1).join('=') : envVar;
+    if (raw === undefined || raw === '' || raw === 'verbatim')
+        return undefined;
+    if (raw === 'partial' || raw === 'aggressive')
+        return raw;
+    // File-path mode. Read the file at startup so the runtime path stays
+    // pure. Fail loud on missing/unreadable paths.
+    try {
+        const text = readFileSync(raw, 'utf-8');
+        if (text.length === 0) {
+            console.error(`[dario] --system-prompt=${raw}: file is empty. Refusing to start.`);
+            console.error(`[dario] Use --system-prompt=verbatim to disable, or write a non-empty file.`);
+            process.exit(1);
+        }
+        return text;
+    }
+    catch (err) {
+        console.error(`[dario] --system-prompt=${raw}: not 'verbatim'/'partial'/'aggressive' and not a readable file (${err.message}). Refusing to start.`);
+        process.exit(1);
+    }
 }
 /**
  * Parse `--passthrough-betas=<csv>` (or the env-var fallback) into a
@@ -914,6 +968,28 @@ async function help() {
                              on your account but isn't in the captured
                              template. Env: DARIO_PASSTHROUGH_BETAS.
 
+    --system-prompt=<MODE>   System-prompt mode for outbound CC-shaped
+                             requests (v3.34.0). One of:
+                               verbatim   — CC unchanged (default)
+                               partial    — strip behavioral constraints
+                                            (Tone-and-style, Text-output,
+                                            verbosity / comment / scope
+                                            bullets in Doing-tasks).
+                                            Recovers ~1.2-2.8x output on
+                                            open-ended work.
+                               aggressive — partial + remove prompt-level
+                                            RLHF restatements + Executing-
+                                            actions-with-care section.
+                                            Adds <3% over partial; RLHF
+                                            refusals on harmful content
+                                            unaffected (alignment is in
+                                            the weights, not the prompt).
+                               <filepath> — replace the slot entirely
+                                            with the file's contents.
+                             Empirically validated as unfingerprinted by
+                             the billing classifier — see docs/research/
+                             system-prompt.md. Env: DARIO_SYSTEM_PROMPT.
+
   Quick start:
     dario login              # auto-detects Claude Code credentials
     dario proxy --model=opus # or: dario proxy --passthrough

package/dist/doctor.js

@@ -16,7 +16,7 @@ import { fileURLToPath } from 'node:url';
 import { homedir, platform, arch, release } from 'node:os';
 import { execFileSync } from 'node:child_process';
 import { createServer } from 'node:http';
-import { CC_TEMPLATE, } from './cc-template.js';
+import { CC_TEMPLATE, resolveSystemPrompt, } from './cc-template.js';
 import { describeTemplate, detectDrift, checkCCCompat, findInstalledCC, SUPPORTED_CC_RANGE, CURRENT_SCHEMA_VERSION, compareVersions, } from './live-fingerprint.js';
 import { detectCCOAuthConfig } from './cc-oauth-detect.js';
 import { runAuthorizeProbe } from './cc-authorize-probe.js';
@@ -242,6 +242,32 @@ export async function runChecks(opts = {}) {
         }
     }
     catch { /* don't let overhead reporting break the doctor */ }
+    // ---- System-prompt mode (v3.34.0)
+    // Surfaces the configured `--system-prompt` mode + the resulting char
+    // count delta vs CC verbatim. Read-only — does not run a request.
+    // Env-only path here so doctor can be invoked without a live proxy.
+    try {
+        const rawMode = process.env['DARIO_SYSTEM_PROMPT'];
+        if (rawMode && rawMode !== 'verbatim') {
+            const cc = CC_TEMPLATE.system_prompt ?? '';
+            let resolved;
+            if (rawMode === 'partial' || rawMode === 'aggressive') {
+                resolved = resolveSystemPrompt(rawMode);
+            }
+            else {
+                // file-path mode — doctor doesn't read files (might leak path),
+                // just report that custom mode is active.
+                resolved = '';
+            }
+            const isCustom = rawMode !== 'partial' && rawMode !== 'aggressive';
+            const detail = isCustom
+                ? `DARIO_SYSTEM_PROMPT=${rawMode} (custom file). Runtime path replaces system[2].text with file contents.`
+                : `DARIO_SYSTEM_PROMPT=${rawMode}. Strips ${(cc.length - resolved.length).toLocaleString()} chars from CC's ${cc.length.toLocaleString()}-char prompt. ` +
+                    `See docs/research/system-prompt.md for the empirical validation that this slot is unfingerprinted by the billing classifier.`;
+            checks.push({ status: 'info', label: 'System-prompt mode', detail });
+        }
+    }
+    catch { /* never let prompt-mode reporting break the doctor */ }
     // ---- Template drift
     try {
         const drift = detectDrift(CC_TEMPLATE);

package/dist/live-fingerprint.d.ts

@@ -282,7 +282,7 @@ export declare function _resetInstalledVersionProbeForTest(): void;
  */
 export declare const SUPPORTED_CC_RANGE: {
     readonly min: "1.0.0";
-    readonly maxTested: "2.1.123";
+    readonly maxTested: "2.1.126";
 };
 /**
  * Compare two dotted-numeric version strings. Returns negative if `a<b`,

package/dist/live-fingerprint.js

@@ -777,7 +777,7 @@ export function _resetInstalledVersionProbeForTest() {
  */
 export const SUPPORTED_CC_RANGE = {
     min: '1.0.0',
-    maxTested: '2.1.123',
+    maxTested: '2.1.126',
 };
 /**
  * Compare two dotted-numeric version strings. Returns negative if `a<b`,

package/dist/proxy.d.ts

@@ -124,6 +124,25 @@ interface ProxyOptions {
      * pinned flags has been rejected and is therefore being dropped.
      */
     passthroughBetas?: string[];
+    /**
+     * System-prompt mode for the Claude backend. Empirically validated as
+     * unfingerprinted by the billing classifier in docs/research/system-prompt.md.
+     *
+     *   - undefined / 'verbatim' — CC's prompt unchanged (default).
+     *   - 'partial' — strip behavioral constraints (Tone-and-style, Text-output,
+     *     scope/verbosity/comment bullets in Doing-tasks). Recovers ~1.2-2.8x
+     *     output capability on open-ended work; leaves IMPORTANT: refusal
+     *     reminders and tool descriptions intact.
+     *   - 'aggressive' — partial + remove prompt-level RLHF restatements and
+     *     the Executing-actions-with-care section. Adds <3% over partial; RLHF
+     *     refusals on harmful content are unaffected (alignment is in the weights).
+     *   - any other string — used as the literal system prompt text. The CLI
+     *     resolves --system-prompt=<file path> to the file's contents up front
+     *     so the runtime path stays filesystem-pure.
+     *
+     * Sourced from `--system-prompt=<value>` or DARIO_SYSTEM_PROMPT.
+     */
+    systemPrompt?: string;
 }
 /**
  * One JSON-ND record per completed request. Field set kept narrow to

package/dist/proxy.js

@@ -1105,6 +1105,7 @@ export async function startProxy(opts = {}) {
                             noAutoDetect: opts.noAutoDetect ?? false,
                             effort: opts.effort,
                             maxTokens: opts.maxTokens,
+                            systemPrompt: opts.systemPrompt,
                         });
                         detectedClientForLog = detectedClient;
                         preserveToolsEffective = Boolean(opts.preserveTools)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.33.0",
+  "version": "3.34.1",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {