@askalf/dario 3.37.10 → 3.37.11

package/README.md

@@ -344,3 +344,20 @@ npm run e2e   # live proxy + OAuth (requires a working Claude backend)
 ## License
 
 MIT — see [LICENSE](LICENSE) and [DISCLAIMER.md](DISCLAIMER.md).
+
+---
+
+## Also by askalf
+
+| Project | What it does |
+|---------|-------------|
+| [arnie](https://github.com/askalf/arnie) | Portable IT troubleshooting companion. Networking, AD, Windows Update, package managers, log triage, hardware checks. |
+| [brio](https://github.com/askalf/brio) | Capability layer for AI workloads — semantic cache, cost tiering, policy. Sits in front of any Anthropic-compat endpoint. |
+| [browser-bridge](https://github.com/askalf/browser-bridge) | Stealth headless Chromium in a container. CDP on 9222 — Playwright/Puppeteer/MCP-compatible. |
+| [claude-bridge](https://github.com/askalf/claude-bridge) | Bridge Claude Code sessions to Discord. |
+| [deepdive](https://github.com/askalf/deepdive) | Local research agent. Plan → search → fetch → extract → synthesize. Cited answers. |
+| [git-providers](https://github.com/askalf/git-providers) | Unified GitHub + GitLab + Bitbucket Cloud REST clients behind one GitProvider interface. Plus a 44-entry api-key-provider taxonomy. |
+| [hands](https://github.com/askalf/hands) | Cross-platform computer-use agent. Mouse, keyboard, screen. |
+| [install-kit](https://github.com/askalf/install-kit) | curl-pipe-bash template for self-hosted Docker apps. |
+| [pgflex](https://github.com/askalf/pgflex) | One Postgres API. Two modes (real PG ↔ PGlite WASM). |
+| [redisflex](https://github.com/askalf/redisflex) | One Redis API. Two modes (ioredis ↔ in-process). |

package/dist/cli.js

@@ -38,9 +38,24 @@ async function login() {
     console.log('  ───────────────────');
     console.log('');
     const manualFlag = args.includes('--manual') || args.includes('--headless');
+    // --force-reauth skips the existing-credentials short-circuit entirely.
+    // Use when the refresh token is dead and you need a clean OAuth re-auth
+    // without manually deleting credentials.json first.
+    const forceReauth = args.includes('--force-reauth') || args.includes('--force');
+    // --no-proxy keeps `dario login` to its name — it just does auth, doesn't
+    // try to start the proxy as a side effect. Useful in containerised deploys
+    // where the proxy is the container's CMD and is already running. Implicitly
+    // set by --manual since manual flow is for headless / scripted contexts
+    // where proxy lifecycle is managed externally.
+    const noProxy = args.includes('--no-proxy') || manualFlag;
     // Check for existing credentials (Claude Code or dario's own)
-    const creds = await loadCredentials();
+    const creds = forceReauth ? null : await loadCredentials();
     if (creds?.claudeAiOauth?.accessToken && creds.claudeAiOauth.expiresAt > Date.now()) {
+        if (noProxy) {
+            console.log('  Found valid credentials. (--no-proxy / --manual: not starting proxy.)');
+            console.log('');
+            return;
+        }
         console.log('  Found credentials. Starting proxy...');
         console.log('');
         await proxy();
@@ -67,6 +82,10 @@ async function login() {
             console.log('');
         }
     }
+    else if (forceReauth) {
+        console.log('  --force-reauth: skipping credential detection, starting fresh OAuth flow...');
+        console.log('');
+    }
     else {
         console.log('  No Claude Code credentials found. Starting OAuth flow...');
         console.log('');
@@ -90,7 +109,12 @@ async function login() {
         console.log('  Login successful!');
         console.log(`  Token expires in ${expiresIn} minutes (auto-refreshes).`);
         console.log('');
-        console.log('  Run `dario proxy` to start the API proxy.');
+        if (noProxy) {
+            console.log('  (--no-proxy / --manual: credentials saved, proxy not started.)');
+        }
+        else {
+            console.log('  Run `dario proxy` to start the API proxy.');
+        }
         console.log('');
     }
     catch (err) {
@@ -150,8 +174,19 @@ async function logout() {
         await unlink(path);
         console.log('[dario] Credentials removed.');
     }
-    catch {
-        console.log('[dario] No credentials found.');
+    catch (err) {
+        const code = err?.code;
+        if (code === 'ENOENT') {
+            console.log('[dario] No credentials found.');
+        }
+        else {
+            // Permission denied, EISDIR, EBUSY, etc — surface the real error so the
+            // operator can fix it. Previous catch-all silently lied with "No
+            // credentials found" even when the file was clearly there but unreadable
+            // (e.g. ownership got mangled by a `docker run --user 0` recovery op).
+            console.error(`[dario] Could not remove ${path}: ${err.message}`);
+            process.exit(1);
+        }
     }
 }
 async function proxy() {
@@ -796,10 +831,19 @@ async function help() {
   dario — Use your Claude subscription as an API.
 
   Usage:
-    dario login [--manual]   Detect credentials + start proxy (or run OAuth)
+    dario login [--manual] [--no-proxy] [--force-reauth]
+                             Detect credentials + start proxy (or run OAuth).
                              --manual (alias: --headless) for container / SSH
                              setups — prints an authorize URL and reads the
-                             code you paste back instead of a local redirect
+                             code you paste back instead of a local redirect.
+                             --no-proxy stops after auth — do not start the
+                             proxy (implied by --manual). Use this when the
+                             proxy is already running in a separate process /
+                             container so login doesn't collide on the port.
+                             --force-reauth (alias: --force) ignores any
+                             existing credentials and runs a fresh OAuth
+                             flow — for when the refresh token is dead and
+                             /health still reports access-token countdown.
     dario proxy [options]    Start the API proxy server
     dario status             Check authentication status
     dario refresh            Force token refresh

package/dist/oauth.d.ts

@@ -103,11 +103,19 @@ export declare function refreshTokens(): Promise<OAuthTokens>;
 export declare function getAccessToken(): Promise<string>;
 /**
  * Get token status info.
+ *
+ * `status` returns 'broken' when refresh has failed REFRESH_BROKEN_THRESHOLD
+ * times in a row — this matters because the access token can still be ticking
+ * down (so naive "expiresIn" looks fine) while every actual upstream call
+ * returns 401. Operators relying on /health for a docker healthcheck or for
+ * `depends_on: service_healthy` need to see this state.
  */
 export declare function getStatus(): Promise<{
     authenticated: boolean;
-    status: 'healthy' | 'expiring' | 'expired' | 'none';
+    status: 'healthy' | 'expiring' | 'expired' | 'broken' | 'none';
     expiresAt?: number;
     expiresIn?: string;
     canRefresh?: boolean;
+    refreshFailures?: number;
+    lastRefreshError?: string;
 }>;

package/dist/oauth.js

@@ -6,7 +6,7 @@
  */
 import { randomBytes, createHash } from 'node:crypto';
 import { existsSync, readFileSync } from 'node:fs';
-import { readFile, writeFile, mkdir, rename } from 'node:fs/promises';
+import { readFile, writeFile, mkdir, rename, unlink } from 'node:fs/promises';
 import { execFile } from 'node:child_process';
 import { dirname, join } from 'node:path';
 import { homedir, platform } from 'node:os';
@@ -33,6 +33,12 @@ const REFRESH_BUFFER_MS = 30 * 60 * 1000;
 // After a failed refresh, don't retry for 60s to avoid spam
 let lastRefreshFailure = 0;
 const REFRESH_COOLDOWN_MS = 60 * 1000;
+// Track consecutive refresh failures so /health can surface a dead refresh
+// token instead of cheerfully reporting `oauth: "expiring"` while every
+// upstream call returns 401.
+let consecutiveRefreshFailures = 0;
+let lastRefreshError;
+const REFRESH_BROKEN_THRESHOLD = 3;
 // In-memory credential cache — avoids disk reads on every request
 let credentialsCache = null;
 let credentialsCacheTime = 0;
@@ -65,6 +71,34 @@ function getDarioCredentialsPath() {
 function getClaudeCodeCredentialsPath() {
     return join(homedir(), '.claude', '.credentials.json');
 }
+/**
+ * Verify the credentials directory is writable BEFORE we open the OAuth URL.
+ *
+ * Why: an unwritable ~/.dario (e.g. EACCES from a `--user 0` docker op that
+ * left the volume owned by root) is a silent killer — the OAuth round-trip
+ * succeeds, the user pastes the code, and saveCredentials() crashes with
+ * EACCES on the .tmp file. The auth code is now consumed and unrecoverable;
+ * the user has to start over and re-paste a fresh code, only to hit the same
+ * EACCES. Probing first surfaces the permission problem cleanly while the
+ * user still holds an un-burned auth code.
+ */
+async function probeWritability() {
+    const dir = dirname(getDarioCredentialsPath());
+    await mkdir(dir, { recursive: true });
+    const probe = join(dir, `.write-probe.${process.pid}`);
+    try {
+        await writeFile(probe, '', { mode: 0o600 });
+        await unlink(probe);
+    }
+    catch (err) {
+        const code = err?.code;
+        throw new Error(`Credentials directory is not writable: ${dir} (${code || 'unknown'}). ` +
+            `Fix permissions before running 'dario login' so the OAuth code isn't ` +
+            `consumed by a flow that can't persist the result. ` +
+            `On Docker volumes left root-owned by a '--user 0' op, run: ` +
+            `chown -R dario:dario ${dir}`);
+    }
+}
 /**
  * Read Claude Code credentials from the OS keychain.
  *
@@ -242,6 +276,8 @@ async function saveCredentials(creds) {
  * Opens browser, captures the authorization code automatically.
  */
 export async function startAutoOAuthFlow() {
+    // Fail fast on unwritable credentials dir BEFORE the auth code is issued.
+    await probeWritability();
     const { createServer } = await import('node:http');
     const { codeVerifier, codeChallenge } = generatePKCE();
     // 32 random bytes → 43-char base64url state. See dario#71 — Anthropic's
@@ -438,6 +474,8 @@ export function detectHeadlessEnvironment() {
  * (it's CSRF protection for a redirect we don't have here).
  */
 export async function startManualOAuthFlow() {
+    // Fail fast on unwritable credentials dir BEFORE the auth code is issued.
+    await probeWritability();
     const { codeVerifier, codeChallenge } = generatePKCE();
     // 32 bytes — same reason as startAutoOAuthFlow. See dario#71.
     const state = base64url(randomBytes(32));
@@ -555,6 +593,8 @@ async function doRefreshTokens() {
             scopes: oauth.scopes,
         };
         await saveCredentials({ claudeAiOauth: tokens });
+        consecutiveRefreshFailures = 0;
+        lastRefreshError = undefined;
         return tokens;
     }
     throw new Error('Token refresh failed after 3 attempts');
@@ -584,13 +624,26 @@ export async function getAccessToken() {
     }
     catch (err) {
         lastRefreshFailure = Date.now();
-        console.error(`[dario] Refresh failed: ${err instanceof Error ? err.message : err}. Will retry in 60s. Run \`dario login\` if this persists.`);
+        consecutiveRefreshFailures++;
+        // Redact tokens/JWTs/Bearer values and truncate before storing — this
+        // string surfaces on /status and /health (CodeQL js/stack-trace-exposure
+        // dario#17). The raw err.message can include URLs, partial response
+        // bodies, and stack-derived paths from fetch/JSON-parse errors.
+        const raw = err instanceof Error ? err.message : String(err);
+        lastRefreshError = redactSecrets(raw.slice(0, 200));
+        console.error(`[dario] Refresh failed (${consecutiveRefreshFailures} consecutive): ${lastRefreshError}. Will retry in 60s. Run \`dario login\` if this persists.`);
         // Return current token — it might still work for a few more minutes
         return oauth.accessToken;
     }
 }
 /**
  * Get token status info.
+ *
+ * `status` returns 'broken' when refresh has failed REFRESH_BROKEN_THRESHOLD
+ * times in a row — this matters because the access token can still be ticking
+ * down (so naive "expiresIn" looks fine) while every actual upstream call
+ * returns 401. Operators relying on /health for a docker healthcheck or for
+ * `depends_on: service_healthy` need to see this state.
  */
 export async function getStatus() {
     const creds = await loadCredentials();
@@ -599,19 +652,29 @@ export async function getStatus() {
     }
     const { expiresAt } = creds.claudeAiOauth;
     const now = Date.now();
+    const broken = consecutiveRefreshFailures >= REFRESH_BROKEN_THRESHOLD;
     if (expiresAt < now) {
-        // Expired but has refresh token — can be refreshed
-        const canRefresh = !!creds.claudeAiOauth.refreshToken;
-        return { authenticated: false, status: 'expired', expiresAt, canRefresh };
+        // Expired but has refresh token — can be refreshed (unless refresh itself is dead)
+        const canRefresh = !!creds.claudeAiOauth.refreshToken && !broken;
+        return {
+            authenticated: false,
+            status: broken ? 'broken' : 'expired',
+            expiresAt,
+            canRefresh,
+            refreshFailures: consecutiveRefreshFailures,
+            lastRefreshError,
+        };
     }
     const ms = expiresAt - now;
     const hours = Math.floor(ms / 3600000);
     const mins = Math.floor((ms % 3600000) / 60000);
     const expiresIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
     return {
-        authenticated: true,
-        status: ms < REFRESH_BUFFER_MS ? 'expiring' : 'healthy',
+        authenticated: !broken,
+        status: broken ? 'broken' : (ms < REFRESH_BUFFER_MS ? 'expiring' : 'healthy'),
         expiresAt,
         expiresIn,
+        refreshFailures: consecutiveRefreshFailures || undefined,
+        lastRefreshError,
     };
 }

package/dist/proxy.js

@@ -792,14 +792,25 @@ export async function startProxy(opts = {}) {
         // Strip query parameters for endpoint matching
         const urlPath = req.url?.split('?')[0] ?? '';
         // Health check
+        //
+        // Returns HTTP 503 when OAuth is in a state that will cause every upstream
+        // call to fail: refresh has failed N consecutive times ('broken'), or the
+        // access token is expired with no usable refresh path. Docker healthchecks
+        // and dependent services (`depends_on: service_healthy`) need this to
+        // react instead of cheerfully passing while every /v1/messages 401s.
         if (urlPath === '/health' || urlPath === '/') {
             const s = await getStatus();
-            res.writeHead(200, JSON_HEADERS);
+            const dead = s.status === 'broken' || s.status === 'none' ||
+                (s.status === 'expired' && s.canRefresh === false);
+            const httpStatus = dead ? 503 : 200;
+            res.writeHead(httpStatus, JSON_HEADERS);
             res.end(JSON.stringify({
-                status: 'ok',
+                status: dead ? 'degraded' : 'ok',
                 oauth: s.status,
                 expiresIn: s.expiresIn,
                 requests: requestCount,
+                ...(s.refreshFailures ? { refreshFailures: s.refreshFailures } : {}),
+                ...(s.lastRefreshError ? { lastRefreshError: s.lastRefreshError } : {}),
             }));
             return;
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.37.10",
+  "version": "3.37.11",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {