@askalf/dario 3.37.10 → 3.37.12

package/README.md

@@ -344,3 +344,20 @@ npm run e2e   # live proxy + OAuth (requires a working Claude backend)
 ## License
 
 MIT — see [LICENSE](LICENSE) and [DISCLAIMER.md](DISCLAIMER.md).
+
+---
+
+## Also by askalf
+
+| Project | What it does |
+|---------|-------------|
+| [arnie](https://github.com/askalf/arnie) | Portable IT troubleshooting companion. Networking, AD, Windows Update, package managers, log triage, hardware checks. |
+| [brio](https://github.com/askalf/brio) | Capability layer for AI workloads — semantic cache, cost tiering, policy. Sits in front of any Anthropic-compat endpoint. |
+| [browser-bridge](https://github.com/askalf/browser-bridge) | Stealth headless Chromium in a container. CDP on 9222 — Playwright/Puppeteer/MCP-compatible. |
+| [claude-bridge](https://github.com/askalf/claude-bridge) | Bridge Claude Code sessions to Discord. |
+| [deepdive](https://github.com/askalf/deepdive) | Local research agent. Plan → search → fetch → extract → synthesize. Cited answers. |
+| [git-providers](https://github.com/askalf/git-providers) | Unified GitHub + GitLab + Bitbucket Cloud REST clients behind one GitProvider interface. Plus a 44-entry api-key-provider taxonomy. |
+| [hands](https://github.com/askalf/hands) | Cross-platform computer-use agent. Mouse, keyboard, screen. |
+| [install-kit](https://github.com/askalf/install-kit) | curl-pipe-bash template for self-hosted Docker apps. |
+| [pgflex](https://github.com/askalf/pgflex) | One Postgres API. Two modes (real PG ↔ PGlite WASM). |
+| [redisflex](https://github.com/askalf/redisflex) | One Redis API. Two modes (ioredis ↔ in-process). |

package/dist/accounts.d.ts

@@ -35,6 +35,33 @@ export declare function addAccountViaOAuth(alias: string): Promise<AccountCreden
  */
 export declare function addAccountViaManualOAuth(alias: string): Promise<AccountCredentials>;
 export declare function getAccountsDir(): string;
+/**
+ * Error subclass for the keychain-import path so the CLI can render
+ * actionable guidance (list of candidates) without parsing message strings.
+ */
+export declare class KeychainImportError extends Error {
+    readonly kind: 'empty' | 'ambiguous' | 'no-match';
+    readonly candidates: string[];
+    constructor(message: string, kind: 'empty' | 'ambiguous' | 'no-match', candidates?: string[]);
+}
+/**
+ * Import a Claude Code keychain entry into the pool under `alias`. Skips
+ * the OAuth flow entirely — reuses tokens the user already authorised
+ * through Claude Code itself. See askalf/dario#237 for design rationale.
+ *
+ * Resolution rules:
+ *  - 0 entries on this host → throws KeychainImportError(kind: 'empty')
+ *  - 1 entry total → imports it; `target` argument ignored if supplied
+ *  - 2+ entries + no target → throws KeychainImportError(kind: 'ambiguous',
+ *    candidates: [<target1>, <target2>, ...]) so the CLI can list them
+ *  - 2+ entries + target → imports the matching one, throws
+ *    KeychainImportError(kind: 'no-match', candidates) if none match
+ *
+ * macOS currently only ever surfaces a single entry (see the comment in
+ * enumerateKeychainCredentials in oauth.ts). Linux + Windows enumerate
+ * all matching entries.
+ */
+export declare function addAccountFromKeychain(alias: string, target?: string): Promise<AccountCredentials>;
 /**
  * Alias reserved for credentials auto-migrated from the single-account
  * `dario login` store. Named `login` so it's semantically obvious where

package/dist/accounts.js

@@ -22,7 +22,7 @@ import { homedir } from 'node:os';
 import { randomUUID, randomBytes, createHash } from 'node:crypto';
 import { createServer } from 'node:http';
 import { detectCCOAuthConfig } from './cc-oauth-detect.js';
-import { loadCredentials, buildManualAuthorizeUrl, parseManualPaste, readLineFromStdin } from './oauth.js';
+import { loadCredentials, buildManualAuthorizeUrl, parseManualPaste, readLineFromStdin, enumerateKeychainCredentials } from './oauth.js';
 import { openBrowser } from './open-browser.js';
 import { redactSecrets } from './redact.js';
 const MANUAL_REDIRECT_URI = 'https://platform.claude.com/oauth/code/callback';
@@ -388,6 +388,77 @@ export async function addAccountViaManualOAuth(alias) {
 export function getAccountsDir() {
     return ACCOUNTS_DIR;
 }
+/**
+ * Error subclass for the keychain-import path so the CLI can render
+ * actionable guidance (list of candidates) without parsing message strings.
+ */
+export class KeychainImportError extends Error {
+    kind;
+    candidates;
+    constructor(message, kind, candidates = []) {
+        super(message);
+        this.kind = kind;
+        this.candidates = candidates;
+        this.name = 'KeychainImportError';
+    }
+}
+/**
+ * Import a Claude Code keychain entry into the pool under `alias`. Skips
+ * the OAuth flow entirely — reuses tokens the user already authorised
+ * through Claude Code itself. See askalf/dario#237 for design rationale.
+ *
+ * Resolution rules:
+ *  - 0 entries on this host → throws KeychainImportError(kind: 'empty')
+ *  - 1 entry total → imports it; `target` argument ignored if supplied
+ *  - 2+ entries + no target → throws KeychainImportError(kind: 'ambiguous',
+ *    candidates: [<target1>, <target2>, ...]) so the CLI can list them
+ *  - 2+ entries + target → imports the matching one, throws
+ *    KeychainImportError(kind: 'no-match', candidates) if none match
+ *
+ * macOS currently only ever surfaces a single entry (see the comment in
+ * enumerateKeychainCredentials in oauth.ts). Linux + Windows enumerate
+ * all matching entries.
+ */
+export async function addAccountFromKeychain(alias, target) {
+    const entries = await enumerateKeychainCredentials();
+    if (entries.length === 0) {
+        throw new KeychainImportError('No Claude Code keychain entries found on this host. Run `claude` (login flow) first, or use `dario accounts add ' + alias + '` to start a fresh OAuth.', 'empty');
+    }
+    let chosen;
+    if (target) {
+        chosen = entries.find(e => e.target === target);
+        if (!chosen) {
+            throw new KeychainImportError(`No keychain entry matches target "${target}".`, 'no-match', entries.map(e => e.target));
+        }
+    }
+    else if (entries.length === 1) {
+        chosen = entries[0];
+    }
+    else {
+        throw new KeychainImportError(`Found ${entries.length} keychain entries — pick one with --from-keychain=<target>.`, 'ambiguous', entries.map(e => e.target));
+    }
+    const oauth = chosen.credentials.claudeAiOauth;
+    if (!oauth?.accessToken || !oauth?.refreshToken) {
+        throw new KeychainImportError(`Keychain entry "${chosen.target}" is missing accessToken/refreshToken — re-authenticate Claude Code.`, 'empty');
+    }
+    // Same identity preference as addAccountViaOAuth — prefer CC identity if
+    // installed; otherwise generate fresh IDs.
+    const identity = (await detectClaudeIdentity()) ?? {
+        deviceId: randomUUID(),
+        accountUuid: randomUUID(),
+    };
+    const creds = {
+        alias,
+        accessToken: oauth.accessToken,
+        refreshToken: oauth.refreshToken,
+        expiresAt: oauth.expiresAt,
+        scopes: oauth.scopes ?? ['user:inference'],
+        deviceId: identity.deviceId,
+        accountUuid: identity.accountUuid,
+    };
+    await saveAccount(creds);
+    return creds;
+}
 /**
  * Alias reserved for credentials auto-migrated from the single-account
  * `dario login` store. Named `login` so it's semantically obvious where

package/dist/cli.js

@@ -24,7 +24,7 @@ import { pathToFileURL } from 'node:url';
 import { startAutoOAuthFlow, startManualOAuthFlow, detectHeadlessEnvironment, getStatus, refreshTokens, loadCredentials } from './oauth.js';
 import { startProxy, sanitizeError } from './proxy.js';
 import { VALID_EFFORT_VALUES } from './cc-template.js';
-import { listAccountAliases, loadAllAccounts, addAccountViaOAuth, addAccountViaManualOAuth, removeAccount, ensureLoginCredentialsInPool, MIGRATED_LOGIN_ALIAS } from './accounts.js';
+import { listAccountAliases, loadAllAccounts, addAccountViaOAuth, addAccountViaManualOAuth, addAccountFromKeychain, KeychainImportError, removeAccount, ensureLoginCredentialsInPool, MIGRATED_LOGIN_ALIAS } from './accounts.js';
 import { listBackends, saveBackend, removeBackend } from './openai-backend.js';
 import { parseOutboundProxy, installOutboundProxyWrapper } from './outbound-proxy.js';
 // `args` / `command` at module scope — command handlers below close over
@@ -38,9 +38,24 @@ async function login() {
     console.log('  ───────────────────');
     console.log('');
     const manualFlag = args.includes('--manual') || args.includes('--headless');
+    // --force-reauth skips the existing-credentials short-circuit entirely.
+    // Use when the refresh token is dead and you need a clean OAuth re-auth
+    // without manually deleting credentials.json first.
+    const forceReauth = args.includes('--force-reauth') || args.includes('--force');
+    // --no-proxy keeps `dario login` to its name — it just does auth, doesn't
+    // try to start the proxy as a side effect. Useful in containerised deploys
+    // where the proxy is the container's CMD and is already running. Implicitly
+    // set by --manual since manual flow is for headless / scripted contexts
+    // where proxy lifecycle is managed externally.
+    const noProxy = args.includes('--no-proxy') || manualFlag;
     // Check for existing credentials (Claude Code or dario's own)
-    const creds = await loadCredentials();
+    const creds = forceReauth ? null : await loadCredentials();
     if (creds?.claudeAiOauth?.accessToken && creds.claudeAiOauth.expiresAt > Date.now()) {
+        if (noProxy) {
+            console.log('  Found valid credentials. (--no-proxy / --manual: not starting proxy.)');
+            console.log('');
+            return;
+        }
         console.log('  Found credentials. Starting proxy...');
         console.log('');
         await proxy();
@@ -67,6 +82,10 @@ async function login() {
             console.log('');
         }
     }
+    else if (forceReauth) {
+        console.log('  --force-reauth: skipping credential detection, starting fresh OAuth flow...');
+        console.log('');
+    }
     else {
         console.log('  No Claude Code credentials found. Starting OAuth flow...');
         console.log('');
@@ -90,7 +109,12 @@ async function login() {
         console.log('  Login successful!');
         console.log(`  Token expires in ${expiresIn} minutes (auto-refreshes).`);
         console.log('');
-        console.log('  Run `dario proxy` to start the API proxy.');
+        if (noProxy) {
+            console.log('  (--no-proxy / --manual: credentials saved, proxy not started.)');
+        }
+        else {
+            console.log('  Run `dario proxy` to start the API proxy.');
+        }
         console.log('');
     }
     catch (err) {
@@ -150,8 +174,19 @@ async function logout() {
         await unlink(path);
         console.log('[dario] Credentials removed.');
     }
-    catch {
-        console.log('[dario] No credentials found.');
+    catch (err) {
+        const code = err?.code;
+        if (code === 'ENOENT') {
+            console.log('[dario] No credentials found.');
+        }
+        else {
+            // Permission denied, EISDIR, EBUSY, etc — surface the real error so the
+            // operator can fix it. Previous catch-all silently lied with "No
+            // credentials found" even when the file was clearly there but unreadable
+            // (e.g. ownership got mangled by a `docker run --user 0` recovery op).
+            console.error(`[dario] Could not remove ${path}: ${err.message}`);
+            process.exit(1);
+        }
     }
 }
 async function proxy() {
@@ -625,15 +660,30 @@ async function accounts() {
             }
         }
         const manualAccountFlag = args.includes('--manual') || args.includes('--headless');
+        // --from-keychain[=<target>] imports an existing Claude Code keychain
+        // entry instead of running OAuth. Bare flag uses the only/first match;
+        // --from-keychain=<target> picks a specific entry by its platform-
+        // specific identifier (Linux account, Windows TargetName). See
+        // askalf/dario#237.
+        const keychainArg = args.find(a => a === '--from-keychain' || a === '--from-cc' || a.startsWith('--from-keychain=') || a.startsWith('--from-cc='));
+        const fromKeychain = keychainArg !== undefined;
+        const keychainTarget = keychainArg && keychainArg.includes('=') ? keychainArg.split('=', 2)[1] : undefined;
+        if (fromKeychain && manualAccountFlag) {
+            console.error('');
+            console.error('  --from-keychain and --manual are mutually exclusive (one skips OAuth, the other does it manually).');
+            console.error('');
+            process.exit(1);
+        }
         console.log('');
-        console.log(`  Adding account "${alias}" to the pool${manualAccountFlag ? ' (manual / headless flow)' : ''}...`);
+        console.log(`  Adding account "${alias}" to the pool${manualAccountFlag ? ' (manual / headless flow)' : fromKeychain ? ' (importing from OS keychain)' : ''}...`);
         console.log('');
         // Mirror the heuristic that `dario login` uses: if the user didn't
         // explicitly pick `--manual` AND we detect SSH / container / no-DISPLAY,
         // print a hint before opening the browser. Doesn't auto-flip — false
         // positives are more annoying than false negatives — but the hint keeps
-        // users from waiting for a browser redirect that can't land.
-        if (!manualAccountFlag) {
+        // users from waiting for a browser redirect that can't land. Skip the
+        // hint entirely when --from-keychain is set since no browser is opened.
+        if (!manualAccountFlag && !fromKeychain) {
             const reason = detectHeadlessEnvironment();
             if (reason) {
                 console.log(`  Note: ${reason}. If the browser redirect doesn't land,`);
@@ -642,9 +692,11 @@ async function accounts() {
             }
         }
         try {
-            const creds = manualAccountFlag
-                ? await addAccountViaManualOAuth(alias)
-                : await addAccountViaOAuth(alias);
+            const creds = fromKeychain
+                ? await addAccountFromKeychain(alias, keychainTarget)
+                : manualAccountFlag
+                    ? await addAccountViaManualOAuth(alias)
+                    : await addAccountViaOAuth(alias);
             const minutes = Math.round((creds.expiresAt - Date.now()) / 60000);
             console.log('');
             console.log(`  Account "${alias}" added.`);
@@ -662,6 +714,26 @@ async function accounts() {
             console.log('');
         }
         catch (err) {
+            // KeychainImportError carries structured kind+candidates so we can
+            // render a targeted next step without parsing the message.
+            if (err instanceof KeychainImportError) {
+                console.error('');
+                console.error(`  Failed to add account: ${err.message}`);
+                if (err.kind === 'ambiguous' && err.candidates.length > 0) {
+                    console.error('');
+                    console.error('  Available keychain entries:');
+                    for (const t of err.candidates)
+                        console.error(`    --from-keychain="${t}"`);
+                }
+                else if (err.kind === 'no-match' && err.candidates.length > 0) {
+                    console.error('');
+                    console.error('  Available keychain entries:');
+                    for (const t of err.candidates)
+                        console.error(`    --from-keychain="${t}"`);
+                }
+                console.error('');
+                process.exit(1);
+            }
             const msg = sanitizeError(err);
             console.error('');
             console.error(`  Failed to add account: ${msg}`);
@@ -669,7 +741,7 @@ async function accounts() {
             // `dario login`. Auto flow can fail on EADDRINUSE (port already
             // bound), SSH-tunnel mismatch, or the browser timing out before
             // the user signs in. `--manual` works in all of those cases.
-            if (!manualAccountFlag && /callback server|EADDRINUSE|bind|timed out|did not receive/i.test(msg)) {
+            if (!manualAccountFlag && !fromKeychain && /callback server|EADDRINUSE|bind|timed out|did not receive/i.test(msg)) {
                 console.error(`  Hint: try \`dario accounts add ${alias} --manual\` for headless / container setups.`);
             }
             console.error('');
@@ -796,22 +868,38 @@ async function help() {
   dario — Use your Claude subscription as an API.
 
   Usage:
-    dario login [--manual]   Detect credentials + start proxy (or run OAuth)
+    dario login [--manual] [--no-proxy] [--force-reauth]
+                             Detect credentials + start proxy (or run OAuth).
                              --manual (alias: --headless) for container / SSH
                              setups — prints an authorize URL and reads the
-                             code you paste back instead of a local redirect
+                             code you paste back instead of a local redirect.
+                             --no-proxy stops after auth — do not start the
+                             proxy (implied by --manual). Use this when the
+                             proxy is already running in a separate process /
+                             container so login doesn't collide on the port.
+                             --force-reauth (alias: --force) ignores any
+                             existing credentials and runs a fresh OAuth
+                             flow — for when the refresh token is dead and
+                             /health still reports access-token countdown.
     dario proxy [options]    Start the API proxy server
     dario status             Check authentication status
     dario refresh            Force token refresh
     dario logout             Remove saved credentials
     dario accounts list      List accounts in the multi-account pool
-    dario accounts add NAME [--manual]
+    dario accounts add NAME [--manual] [--from-keychain[=<target>]]
                              Add a new account to the pool (runs OAuth flow).
                              --manual (alias: --headless) prints an authorize
                              URL and reads the code you paste back — for
                              container / SSH / no-browser-on-this-machine
                              setups, or as the on-Windows escape hatch when
                              the URL dispatch chain truncates query params.
+                             --from-keychain skips OAuth and imports an
+                             existing Claude Code keychain entry on this
+                             host. With no value: uses the only/first match
+                             (errors with the candidate list if multiple
+                             entries exist). With =<target>: picks a specific
+                             entry by its platform identifier (Linux account
+                             attribute, Windows TargetName).
     dario accounts remove N  Remove an account from the pool
     dario backend list       List configured OpenAI-compat backends
     dario backend add NAME --key=sk-... [--base-url=...]

package/dist/oauth.d.ts

@@ -22,6 +22,47 @@ export interface OAuthTokens {
 export interface CredentialsFile {
     claudeAiOauth: OAuthTokens;
 }
+/**
+ * Information about a keychain entry surfaced for operator disambiguation
+ * during `dario accounts add --from-keychain`.
+ */
+export interface KeychainEntry {
+    /**
+     * Implementation-defined identifier the operator uses to pick a specific
+     * entry. Stable per-platform but not equal across platforms:
+     *  - Linux: the libsecret `account` attribute (or value when absent)
+     *  - Windows: the Credential Manager TargetName (e.g.
+     *    "Claude Code-credentials" or "Claude Code-credentials@<account-uuid>")
+     *  - macOS: always "Claude Code-credentials" until macOS-side multi-entry
+     *    enumeration is implemented (see comment in enumerateKeychainCredentials)
+     */
+    target: string;
+    credentials: CredentialsFile;
+}
+/**
+ * Enumerate every Claude Code keychain entry on this host. Pool-mode
+ * counterpart to `loadKeychainCredentials` (which returns the first hit
+ * for the single-account login flow). Used by `dario accounts add
+ * --from-keychain` to import without rerunning OAuth.
+ *
+ * Per-platform coverage:
+ *  - **Linux**: `secret-tool search --all service "Claude Code-credentials"`
+ *    enumerates every matching attribute set. Account name comes from the
+ *    `account` attribute when set, otherwise the secret hash truncated.
+ *  - **Windows**: PowerShell + CredEnumerate already iterates every
+ *    matching credential (existing pattern just wasn't exposing the
+ *    TargetName). New script variant emits target + JSON blob per line.
+ *  - **macOS**: returns at most one entry. The `security` CLI doesn't
+ *    expose a clean enumeration for `find-generic-password` results; full
+ *    macOS multi-account support would need either `dump-keychain` parsing
+ *    or a Swift/native helper. Filed as a follow-up; the common case (one
+ *    CC account in keychain) still works.
+ *
+ * Returns an empty array on any failure (keychain unavailable, no entries
+ * matching, parse errors). Callers are expected to handle empty as
+ * "nothing to import."
+ */
+export declare function enumerateKeychainCredentials(): Promise<KeychainEntry[]>;
 export declare function loadCredentials(): Promise<CredentialsFile | null>;
 /**
  * Pick the freshest of a set of `CredentialsFile` candidates by
@@ -103,11 +144,19 @@ export declare function refreshTokens(): Promise<OAuthTokens>;
 export declare function getAccessToken(): Promise<string>;
 /**
  * Get token status info.
+ *
+ * `status` returns 'broken' when refresh has failed REFRESH_BROKEN_THRESHOLD
+ * times in a row — this matters because the access token can still be ticking
+ * down (so naive "expiresIn" looks fine) while every actual upstream call
+ * returns 401. Operators relying on /health for a docker healthcheck or for
+ * `depends_on: service_healthy` need to see this state.
  */
 export declare function getStatus(): Promise<{
     authenticated: boolean;
-    status: 'healthy' | 'expiring' | 'expired' | 'none';
+    status: 'healthy' | 'expiring' | 'expired' | 'broken' | 'none';
     expiresAt?: number;
     expiresIn?: string;
     canRefresh?: boolean;
+    refreshFailures?: number;
+    lastRefreshError?: string;
 }>;

package/dist/oauth.js

@@ -6,7 +6,7 @@
  */
 import { randomBytes, createHash } from 'node:crypto';
 import { existsSync, readFileSync } from 'node:fs';
-import { readFile, writeFile, mkdir, rename } from 'node:fs/promises';
+import { readFile, writeFile, mkdir, rename, unlink } from 'node:fs/promises';
 import { execFile } from 'node:child_process';
 import { dirname, join } from 'node:path';
 import { homedir, platform } from 'node:os';
@@ -33,6 +33,12 @@ const REFRESH_BUFFER_MS = 30 * 60 * 1000;
 // After a failed refresh, don't retry for 60s to avoid spam
 let lastRefreshFailure = 0;
 const REFRESH_COOLDOWN_MS = 60 * 1000;
+// Track consecutive refresh failures so /health can surface a dead refresh
+// token instead of cheerfully reporting `oauth: "expiring"` while every
+// upstream call returns 401.
+let consecutiveRefreshFailures = 0;
+let lastRefreshError;
+const REFRESH_BROKEN_THRESHOLD = 3;
 // In-memory credential cache — avoids disk reads on every request
 let credentialsCache = null;
 let credentialsCacheTime = 0;
@@ -65,6 +71,34 @@ function getDarioCredentialsPath() {
 function getClaudeCodeCredentialsPath() {
     return join(homedir(), '.claude', '.credentials.json');
 }
+/**
+ * Verify the credentials directory is writable BEFORE we open the OAuth URL.
+ *
+ * Why: an unwritable ~/.dario (e.g. EACCES from a `--user 0` docker op that
+ * left the volume owned by root) is a silent killer — the OAuth round-trip
+ * succeeds, the user pastes the code, and saveCredentials() crashes with
+ * EACCES on the .tmp file. The auth code is now consumed and unrecoverable;
+ * the user has to start over and re-paste a fresh code, only to hit the same
+ * EACCES. Probing first surfaces the permission problem cleanly while the
+ * user still holds an un-burned auth code.
+ */
+async function probeWritability() {
+    const dir = dirname(getDarioCredentialsPath());
+    await mkdir(dir, { recursive: true });
+    const probe = join(dir, `.write-probe.${process.pid}`);
+    try {
+        await writeFile(probe, '', { mode: 0o600 });
+        await unlink(probe);
+    }
+    catch (err) {
+        const code = err?.code;
+        throw new Error(`Credentials directory is not writable: ${dir} (${code || 'unknown'}). ` +
+            `Fix permissions before running 'dario login' so the OAuth code isn't ` +
+            `consumed by a flow that can't persist the result. ` +
+            `On Docker volumes left root-owned by a '--user 0' op, run: ` +
+            `chown -R dario:dario ${dir}`);
+    }
+}
 /**
  * Read Claude Code credentials from the OS keychain.
  *
@@ -113,6 +147,146 @@ if ([CM]::CredEnumerate('Claude Code-credentials*', 0, [ref]$count, [ref]$ptr))
   }
 }
 `;
+// Enumeration variant of WIN_CRED_SCRIPT — emits one line per credential
+// formatted as `<TargetName>\t<JSON>` so the importer can label entries
+// for the operator to disambiguate between accounts.
+const WIN_CRED_ENUMERATE_SCRIPT = `
+$ErrorActionPreference = 'Stop'
+$sig = @"
+using System;
+using System.Runtime.InteropServices;
+public class CM2 {
+  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+  public struct CRED {
+    public uint Flags; public uint Type; public string TargetName;
+    public string Comment; public System.Runtime.InteropServices.ComTypes.FILETIME LW;
+    public uint BlobSize; public IntPtr Blob;
+    public uint Persist; public uint AC; public IntPtr Attrs;
+    public string Alias; public string UN;
+  }
+  [DllImport("advapi32.dll", EntryPoint="CredEnumerateW", CharSet=CharSet.Unicode, SetLastError=true)]
+  public static extern bool CredEnumerate(string filter, uint flag, out uint count, out IntPtr pCredentials);
+  [DllImport("advapi32.dll", EntryPoint="CredFree")]
+  public static extern void CredFree(IntPtr cred);
+}
+"@
+Add-Type -TypeDefinition $sig
+$count = 0
+$ptr = [IntPtr]::Zero
+if ([CM2]::CredEnumerate('Claude Code-credentials*', 0, [ref]$count, [ref]$ptr)) {
+  try {
+    for ($i = 0; $i -lt $count; $i++) {
+      $credPtr = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($ptr, $i * [IntPtr]::Size)
+      $cred = [System.Runtime.InteropServices.Marshal]::PtrToStructure($credPtr, [type][CM2+CRED])
+      if ($cred.BlobSize -gt 0) {
+        $bytes = New-Object byte[] $cred.BlobSize
+        [System.Runtime.InteropServices.Marshal]::Copy($cred.Blob, $bytes, 0, $cred.BlobSize)
+        $blob = [System.Text.Encoding]::Unicode.GetString($bytes)
+        Write-Output ($cred.TargetName + "\`t" + $blob)
+      }
+    }
+  } finally {
+    [CM2]::CredFree($ptr)
+  }
+}
+`;
+/**
+ * Enumerate every Claude Code keychain entry on this host. Pool-mode
+ * counterpart to `loadKeychainCredentials` (which returns the first hit
+ * for the single-account login flow). Used by `dario accounts add
+ * --from-keychain` to import without rerunning OAuth.
+ *
+ * Per-platform coverage:
+ *  - **Linux**: `secret-tool search --all service "Claude Code-credentials"`
+ *    enumerates every matching attribute set. Account name comes from the
+ *    `account` attribute when set, otherwise the secret hash truncated.
+ *  - **Windows**: PowerShell + CredEnumerate already iterates every
+ *    matching credential (existing pattern just wasn't exposing the
+ *    TargetName). New script variant emits target + JSON blob per line.
+ *  - **macOS**: returns at most one entry. The `security` CLI doesn't
+ *    expose a clean enumeration for `find-generic-password` results; full
+ *    macOS multi-account support would need either `dump-keychain` parsing
+ *    or a Swift/native helper. Filed as a follow-up; the common case (one
+ *    CC account in keychain) still works.
+ *
+ * Returns an empty array on any failure (keychain unavailable, no entries
+ * matching, parse errors). Callers are expected to handle empty as
+ * "nothing to import."
+ */
+export async function enumerateKeychainCredentials() {
+    const out = [];
+    try {
+        if (platform() === 'darwin') {
+            // Single-entry path; multi-entry on macOS is a known limitation.
+            const single = await loadKeychainCredentials();
+            if (single)
+                out.push({ target: 'Claude Code-credentials', credentials: single });
+        }
+        else if (platform() === 'linux') {
+            const raw = await new Promise((resolve, reject) => {
+                execFile('secret-tool', ['search', '--all', 'service', 'Claude Code-credentials'], { timeout: 5000 }, (err, stdout) => (err ? reject(err) : resolve(stdout)));
+            });
+            // secret-tool emits blocks separated by blank lines, with lines like:
+            //   [/secret/Claude Code-credentials/0]
+            //   label = ...
+            //   secret = <json blob>
+            //   attribute.account = <account name>
+            //   attribute.service = Claude Code-credentials
+            let currentSecret;
+            let currentAccount;
+            const flush = () => {
+                if (!currentSecret)
+                    return;
+                try {
+                    const parsed = JSON.parse(currentSecret);
+                    if (parsed?.claudeAiOauth?.accessToken && parsed?.claudeAiOauth?.refreshToken) {
+                        out.push({
+                            target: currentAccount || 'Claude Code-credentials',
+                            credentials: parsed,
+                        });
+                    }
+                }
+                catch { /* not a CC creds blob — skip */ }
+                currentSecret = undefined;
+                currentAccount = undefined;
+            };
+            for (const line of raw.split(/\r?\n/)) {
+                if (line.startsWith('[/')) {
+                    flush();
+                    continue;
+                }
+                if (line.startsWith('secret = '))
+                    currentSecret = line.slice('secret = '.length);
+                else if (line.startsWith('attribute.account = '))
+                    currentAccount = line.slice('attribute.account = '.length);
+            }
+            flush();
+        }
+        else if (platform() === 'win32') {
+            const raw = await new Promise((resolve, reject) => {
+                execFile('powershell.exe', ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass', '-Command', WIN_CRED_ENUMERATE_SCRIPT], { timeout: 5000, windowsHide: true }, (err, stdout) => (err ? reject(err) : resolve(stdout)));
+            });
+            for (const line of raw.split(/\r?\n/)) {
+                const tab = line.indexOf('\t');
+                if (tab < 0)
+                    continue;
+                const target = line.slice(0, tab).trim();
+                const blob = line.slice(tab + 1).trim();
+                if (!target || !blob)
+                    continue;
+                try {
+                    const parsed = JSON.parse(blob);
+                    if (parsed?.claudeAiOauth?.accessToken && parsed?.claudeAiOauth?.refreshToken) {
+                        out.push({ target, credentials: parsed });
+                    }
+                }
+                catch { /* skip non-credential entries */ }
+            }
+        }
+    }
+    catch { /* keychain unavailable / empty */ }
+    return out;
+}
 async function loadKeychainCredentials() {
     try {
         if (platform() === 'darwin') {
@@ -242,6 +416,8 @@ async function saveCredentials(creds) {
  * Opens browser, captures the authorization code automatically.
  */
 export async function startAutoOAuthFlow() {
+    // Fail fast on unwritable credentials dir BEFORE the auth code is issued.
+    await probeWritability();
     const { createServer } = await import('node:http');
     const { codeVerifier, codeChallenge } = generatePKCE();
     // 32 random bytes → 43-char base64url state. See dario#71 — Anthropic's
@@ -438,6 +614,8 @@ export function detectHeadlessEnvironment() {
  * (it's CSRF protection for a redirect we don't have here).
  */
 export async function startManualOAuthFlow() {
+    // Fail fast on unwritable credentials dir BEFORE the auth code is issued.
+    await probeWritability();
     const { codeVerifier, codeChallenge } = generatePKCE();
     // 32 bytes — same reason as startAutoOAuthFlow. See dario#71.
     const state = base64url(randomBytes(32));
@@ -555,6 +733,8 @@ async function doRefreshTokens() {
             scopes: oauth.scopes,
         };
         await saveCredentials({ claudeAiOauth: tokens });
+        consecutiveRefreshFailures = 0;
+        lastRefreshError = undefined;
         return tokens;
     }
     throw new Error('Token refresh failed after 3 attempts');
@@ -584,13 +764,26 @@ export async function getAccessToken() {
     }
     catch (err) {
         lastRefreshFailure = Date.now();
-        console.error(`[dario] Refresh failed: ${err instanceof Error ? err.message : err}. Will retry in 60s. Run \`dario login\` if this persists.`);
+        consecutiveRefreshFailures++;
+        // Redact tokens/JWTs/Bearer values and truncate before storing — this
+        // string surfaces on /status and /health (CodeQL js/stack-trace-exposure
+        // dario#17). The raw err.message can include URLs, partial response
+        // bodies, and stack-derived paths from fetch/JSON-parse errors.
+        const raw = err instanceof Error ? err.message : String(err);
+        lastRefreshError = redactSecrets(raw.slice(0, 200));
+        console.error(`[dario] Refresh failed (${consecutiveRefreshFailures} consecutive): ${lastRefreshError}. Will retry in 60s. Run \`dario login\` if this persists.`);
         // Return current token — it might still work for a few more minutes
         return oauth.accessToken;
     }
 }
 /**
  * Get token status info.
+ *
+ * `status` returns 'broken' when refresh has failed REFRESH_BROKEN_THRESHOLD
+ * times in a row — this matters because the access token can still be ticking
+ * down (so naive "expiresIn" looks fine) while every actual upstream call
+ * returns 401. Operators relying on /health for a docker healthcheck or for
+ * `depends_on: service_healthy` need to see this state.
  */
 export async function getStatus() {
     const creds = await loadCredentials();
@@ -599,19 +792,29 @@ export async function getStatus() {
     }
     const { expiresAt } = creds.claudeAiOauth;
     const now = Date.now();
+    const broken = consecutiveRefreshFailures >= REFRESH_BROKEN_THRESHOLD;
     if (expiresAt < now) {
-        // Expired but has refresh token — can be refreshed
-        const canRefresh = !!creds.claudeAiOauth.refreshToken;
-        return { authenticated: false, status: 'expired', expiresAt, canRefresh };
+        // Expired but has refresh token — can be refreshed (unless refresh itself is dead)
+        const canRefresh = !!creds.claudeAiOauth.refreshToken && !broken;
+        return {
+            authenticated: false,
+            status: broken ? 'broken' : 'expired',
+            expiresAt,
+            canRefresh,
+            refreshFailures: consecutiveRefreshFailures,
+            lastRefreshError,
+        };
     }
     const ms = expiresAt - now;
     const hours = Math.floor(ms / 3600000);
     const mins = Math.floor((ms % 3600000) / 60000);
     const expiresIn = hours > 0 ? `${hours}h ${mins}m` : `${mins}m`;
     return {
-        authenticated: true,
-        status: ms < REFRESH_BUFFER_MS ? 'expiring' : 'healthy',
+        authenticated: !broken,
+        status: broken ? 'broken' : (ms < REFRESH_BUFFER_MS ? 'expiring' : 'healthy'),
         expiresAt,
         expiresIn,
+        refreshFailures: consecutiveRefreshFailures || undefined,
+        lastRefreshError,
     };
 }

package/dist/proxy.js

@@ -792,14 +792,25 @@ export async function startProxy(opts = {}) {
         // Strip query parameters for endpoint matching
         const urlPath = req.url?.split('?')[0] ?? '';
         // Health check
+        //
+        // Returns HTTP 503 when OAuth is in a state that will cause every upstream
+        // call to fail: refresh has failed N consecutive times ('broken'), or the
+        // access token is expired with no usable refresh path. Docker healthchecks
+        // and dependent services (`depends_on: service_healthy`) need this to
+        // react instead of cheerfully passing while every /v1/messages 401s.
         if (urlPath === '/health' || urlPath === '/') {
             const s = await getStatus();
-            res.writeHead(200, JSON_HEADERS);
+            const dead = s.status === 'broken' || s.status === 'none' ||
+                (s.status === 'expired' && s.canRefresh === false);
+            const httpStatus = dead ? 503 : 200;
+            res.writeHead(httpStatus, JSON_HEADERS);
             res.end(JSON.stringify({
-                status: 'ok',
+                status: dead ? 'degraded' : 'ok',
                 oauth: s.status,
                 expiresIn: s.expiresIn,
                 requests: requestCount,
+                ...(s.refreshFailures ? { refreshFailures: s.refreshFailures } : {}),
+                ...(s.lastRefreshError ? { lastRefreshError: s.lastRefreshError } : {}),
             }));
             return;
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.37.10",
+  "version": "3.37.12",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {