@askalf/dario 3.4.1 → 3.4.3

package/dist/cc-oauth-detect.d.ts

@@ -5,20 +5,32 @@
  * (client_id, authorize URL, token URL, scopes). Eliminates the need to
  * hardcode values that Anthropic rotates between CC releases.
  *
- * CC ships two OAuth client configurations in one binary:
+ * CC ships three OAuth config factories in one binary (dev/staging/prod),
+ * selected at runtime by an environment switch that is hardcoded to "prod"
+ * in shipped builds. Only the PROD block is live; "local" and "staging"
+ * are dead code paths.
  *
- *   1. LOCAL flow — used when the OAuth client owns the callback
- *      (i.e. runs an HTTP server on localhost). This is what dario does.
- *      Identified by OAUTH_FILE_SUFFIX:"-local-oauth" next to the CLIENT_ID.
+ *   PROD block (the one we want):
+ *     BASE_API_URL: "https://api.anthropic.com"
+ *     CLAUDE_AI_AUTHORIZE_URL: "https://claude.com/cai/oauth/authorize"
+ *     TOKEN_URL: "https://platform.claude.com/v1/oauth/token"
+ *     CLIENT_ID: "9d1c250a-e61b-44d9-88ed-5944d1962f5e"
+ *     OAUTH_FILE_SUFFIX: ""
  *
- *   2. PLATFORM flow — used when the callback is hosted at
- *      platform.claude.com/oauth/code/callback. Different CLIENT_ID.
- *      Not applicable to dario.
+ *   LOCAL block (dead code in shipped builds — CC pointing at localhost:8000
+ *     etc. as its own dev stack, NOT about "client uses a localhost callback"):
+ *     BASE_API_URL: "http://localhost:8000"
+ *     CLIENT_ID: "22422756-60c9-4084-8eb7-27705fd5cf9a"
+ *     OAUTH_FILE_SUFFIX: "-local-oauth"
  *
- * We scan for the LOCAL block and extract its config.
+ * Dario uses CC's own automatic OAuth flow — the prod client is registered
+ * with `http://localhost:${port}/callback` exactly as dario sends. (The
+ * "MANUAL_REDIRECT_URL" on platform.claude.com is only used when dario's
+ * local HTTP server can't bind a port; dario never hits that path.)
  *
- * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache.json so
- * startup only re-scans when the user upgrades Claude Code.
+ * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache-v2.json so
+ * startup only re-scans when the user upgrades Claude Code. The -v2 suffix
+ * invalidates the v3.4.0-v3.4.2 caches that held the wrong (dev) client_id.
  */
 export interface DetectedOAuthConfig {
     clientId: string;
@@ -30,10 +42,14 @@ export interface DetectedOAuthConfig {
     ccHash?: string;
 }
 /**
- * Scan binary bytes for the LOCAL-oauth OAuth block.
- * Uses Buffer.indexOf to locate anchor strings, then slices a small
- * window of context to run regexes on. This avoids converting the
- * whole binary to a JS string.
+ * Scan binary bytes for the PROD OAuth config block.
+ *
+ * Anchors on `BASE_API_URL:"https://api.anthropic.com"` — this literal
+ * only appears inside the prod config object (`nh$`). The LOCAL-dev block
+ * uses `http://localhost:8000` for the same key, and there's no staging
+ * block present in shipped builds. Once we find the anchor, the CLIENT_ID,
+ * CLAUDE_AI_AUTHORIZE_URL, TOKEN_URL, and scopes all live within a ~1.5KB
+ * window after it.
  */
 export declare function scanBinaryForOAuthConfig(buf: Buffer): Omit<DetectedOAuthConfig, 'source' | 'ccPath' | 'ccHash'> | null;
 /**

package/dist/cc-oauth-detect.js

@@ -5,20 +5,32 @@
  * (client_id, authorize URL, token URL, scopes). Eliminates the need to
  * hardcode values that Anthropic rotates between CC releases.
  *
- * CC ships two OAuth client configurations in one binary:
+ * CC ships three OAuth config factories in one binary (dev/staging/prod),
+ * selected at runtime by an environment switch that is hardcoded to "prod"
+ * in shipped builds. Only the PROD block is live; "local" and "staging"
+ * are dead code paths.
  *
- *   1. LOCAL flow — used when the OAuth client owns the callback
- *      (i.e. runs an HTTP server on localhost). This is what dario does.
- *      Identified by OAUTH_FILE_SUFFIX:"-local-oauth" next to the CLIENT_ID.
+ *   PROD block (the one we want):
+ *     BASE_API_URL: "https://api.anthropic.com"
+ *     CLAUDE_AI_AUTHORIZE_URL: "https://claude.com/cai/oauth/authorize"
+ *     TOKEN_URL: "https://platform.claude.com/v1/oauth/token"
+ *     CLIENT_ID: "9d1c250a-e61b-44d9-88ed-5944d1962f5e"
+ *     OAUTH_FILE_SUFFIX: ""
  *
- *   2. PLATFORM flow — used when the callback is hosted at
- *      platform.claude.com/oauth/code/callback. Different CLIENT_ID.
- *      Not applicable to dario.
+ *   LOCAL block (dead code in shipped builds — CC pointing at localhost:8000
+ *     etc. as its own dev stack, NOT about "client uses a localhost callback"):
+ *     BASE_API_URL: "http://localhost:8000"
+ *     CLIENT_ID: "22422756-60c9-4084-8eb7-27705fd5cf9a"
+ *     OAUTH_FILE_SUFFIX: "-local-oauth"
  *
- * We scan for the LOCAL block and extract its config.
+ * Dario uses CC's own automatic OAuth flow — the prod client is registered
+ * with `http://localhost:${port}/callback` exactly as dario sends. (The
+ * "MANUAL_REDIRECT_URL" on platform.claude.com is only used when dario's
+ * local HTTP server can't bind a port; dario never hits that path.)
  *
- * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache.json so
- * startup only re-scans when the user upgrades Claude Code.
+ * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache-v2.json so
+ * startup only re-scans when the user upgrades Claude Code. The -v2 suffix
+ * invalidates the v3.4.0-v3.4.2 caches that held the wrong (dev) client_id.
  */
 import { readFile, writeFile, mkdir, stat, open as openFile } from 'node:fs/promises';
 import { existsSync } from 'node:fs';
@@ -26,15 +38,18 @@ import { homedir, platform } from 'node:os';
 import { join, dirname } from 'node:path';
 import { createHash } from 'node:crypto';
 // Last-resort fallback if CC binary can't be found or scanned.
-// These values are the known-good v2.1.104 local-oauth flow.
+// These values are the CC v2.1.104 PROD OAuth config, extracted from
+// the `nh$` object in the shipped binary.
 const FALLBACK = {
-    clientId: '22422756-60c9-4084-8eb7-27705fd5cf9a',
+    clientId: '9d1c250a-e61b-44d9-88ed-5944d1962f5e',
     authorizeUrl: 'https://claude.com/cai/oauth/authorize',
     tokenUrl: 'https://platform.claude.com/v1/oauth/token',
-    scopes: 'user:profile user:inference user:sessions:claude_code user:mcp_servers',
+    scopes: 'user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload',
     source: 'fallback',
 };
-const CACHE_PATH = join(homedir(), '.dario', 'cc-oauth-cache.json');
+// -v2 suffix invalidates the v3.4.0-v3.4.2 cache that pinned the wrong
+// (dev) client_id extracted from the dead-code -local-oauth block.
+const CACHE_PATH = join(homedir(), '.dario', 'cc-oauth-cache-v2.json');
 function candidatePaths() {
     const home = homedir();
     if (platform() === 'win32') {
@@ -88,72 +103,47 @@ async function fingerprintBinary(path) {
     }
 }
 /**
- * Scan binary bytes for the LOCAL-oauth OAuth block.
- * Uses Buffer.indexOf to locate anchor strings, then slices a small
- * window of context to run regexes on. This avoids converting the
- * whole binary to a JS string.
+ * Scan binary bytes for the PROD OAuth config block.
+ *
+ * Anchors on `BASE_API_URL:"https://api.anthropic.com"` — this literal
+ * only appears inside the prod config object (`nh$`). The LOCAL-dev block
+ * uses `http://localhost:8000` for the same key, and there's no staging
+ * block present in shipped builds. Once we find the anchor, the CLIENT_ID,
+ * CLAUDE_AI_AUTHORIZE_URL, TOKEN_URL, and scopes all live within a ~1.5KB
+ * window after it.
  */
 export function scanBinaryForOAuthConfig(buf) {
-    // Anchor: `OAUTH_FILE_SUFFIX:"-local-oauth"` — this is the config-block
-    // occurrence, not the switch-case string literal. The switch-case produces
-    // just `-local-oauth` bytes, but the config object serializes as
-    // `OAUTH_FILE_SUFFIX:"-local-oauth"` with the key+quote prefix, which is
-    // stable across minified CC builds.
-    const anchor = Buffer.from('OAUTH_FILE_SUFFIX:"-local-oauth"');
-    let anchorIdx = buf.indexOf(anchor);
-    // Fallback anchor — some builds may tokenize differently.
-    if (anchorIdx === -1) {
-        const looseAnchor = Buffer.from('"-local-oauth"');
-        anchorIdx = buf.indexOf(looseAnchor);
-    }
+    const anchor = Buffer.from('BASE_API_URL:"https://api.anthropic.com"');
+    const anchorIdx = buf.indexOf(anchor);
     if (anchorIdx === -1)
         return null;
-    // The CLIENT_ID sits within a few hundred bytes BEFORE the anchor
-    // (in the same config object). Extract a window around it.
-    const windowStart = Math.max(0, anchorIdx - 1024);
-    const windowEnd = Math.min(buf.length, anchorIdx + 64);
-    const localBlock = buf.slice(windowStart, windowEnd).toString('latin1');
-    // Pick the CLIENT_ID that's CLOSEST to the anchor (last occurrence in window).
-    const cidRegex = /CLIENT_ID\s*:\s*"([0-9a-f-]{36})"/gi;
-    let lastCid = null;
-    let m;
-    while ((m = cidRegex.exec(localBlock)) !== null) {
-        if (m[1])
-            lastCid = m[1];
-    }
-    if (!lastCid)
+    // The prod config object is laid out roughly as one line of minified JS.
+    // Take a generous window to be safe across minifier differences.
+    const windowStart = anchorIdx;
+    const windowEnd = Math.min(buf.length, anchorIdx + 2048);
+    const prodBlock = buf.slice(windowStart, windowEnd).toString('latin1');
+    const cidMatch = /CLIENT_ID\s*:\s*"([0-9a-f-]{36})"/i.exec(prodBlock);
+    if (!cidMatch || !cidMatch[1])
+        return null;
+    const clientId = cidMatch[1];
+    // Defensive: if we somehow matched the dev client_id, reject — the
+    // anchor should have put us in the prod block, but this guards against
+    // the block being laid out in an unexpected order across builds.
+    if (clientId === '22422756-60c9-4084-8eb7-27705fd5cf9a')
         return null;
-    const clientId = lastCid;
-    // Authorize URL: CLAUDE_AI_AUTHORIZE_URL appears once in the binary.
-    const authAnchor = Buffer.from('CLAUDE_AI_AUTHORIZE_URL');
-    const authIdx = buf.indexOf(authAnchor);
     let authorizeUrl = FALLBACK.authorizeUrl;
-    if (authIdx !== -1) {
-        const w = buf.slice(authIdx, Math.min(buf.length, authIdx + 256)).toString('latin1');
-        const m = /CLAUDE_AI_AUTHORIZE_URL\s*:\s*"([^"]+)"/.exec(w);
-        if (m && m[1])
-            authorizeUrl = m[1];
-    }
-    // Token URL: TOKEN_URL — look for the one under platform.claude.com/.../oauth/token
-    const tokenAnchor = Buffer.from('TOKEN_URL');
-    let searchFrom = 0;
+    const authMatch = /CLAUDE_AI_AUTHORIZE_URL\s*:\s*"([^"]+)"/.exec(prodBlock);
+    if (authMatch && authMatch[1])
+        authorizeUrl = authMatch[1];
     let tokenUrl = FALLBACK.tokenUrl;
-    while (searchFrom < buf.length) {
-        const idx = buf.indexOf(tokenAnchor, searchFrom);
-        if (idx === -1)
-            break;
-        const w = buf.slice(idx, Math.min(buf.length, idx + 128)).toString('latin1');
-        const m = /TOKEN_URL\s*:\s*"(https:\/\/[^"]*\/oauth\/token[^"]*)"/.exec(w);
-        if (m && m[1]) {
-            tokenUrl = m[1];
-            break;
-        }
-        searchFrom = idx + tokenAnchor.length;
-    }
-    // Scopes: contiguous quoted string of "user:X user:Y user:Z ..."
-    // Search for an anchor like "user:profile " which is the first scope.
-    const scopeAnchor = Buffer.from('"user:profile ');
+    const tokenMatch = /TOKEN_URL\s*:\s*"(https:\/\/[^"]*\/oauth\/token[^"]*)"/.exec(prodBlock);
+    if (tokenMatch && tokenMatch[1])
+        tokenUrl = tokenMatch[1];
+    // Scopes live in a separate array-of-strings block elsewhere in the
+    // binary, not inside the prod config object itself. Search globally
+    // for the first quoted `user:profile ...` run.
     let scopes = FALLBACK.scopes;
+    const scopeAnchor = Buffer.from('"user:profile ');
     const scopeIdx = buf.indexOf(scopeAnchor);
     if (scopeIdx !== -1) {
         const w = buf.slice(scopeIdx, Math.min(buf.length, scopeIdx + 512)).toString('latin1');

package/dist/cc-template-data.json

@@ -886,4 +886,4 @@
     "WebSearch",
     "Write"
   ]
-}
+}

package/dist/cc-template.js

@@ -46,6 +46,16 @@ const TOOL_MAP = {
     browse: { ccTool: 'WebFetch', translateArgs: (a) => ({ url: a.url || '' }) },
     notebook: { ccTool: 'NotebookEdit' },
     notebook_edit: { ccTool: 'NotebookEdit' },
+    // Additional client tool mappings
+    browser: { ccTool: 'WebFetch', translateArgs: (a) => ({ url: String(a.url || '') }) },
+    message: { ccTool: 'AskUserQuestion', translateArgs: (a) => ({ question: String(a.message || a.content || '') }) },
+    todo_read: { ccTool: 'TodoWrite', translateArgs: () => ({ todos: [] }) },
+    todo_write: { ccTool: 'TodoWrite', translateArgs: (a) => ({ todos: a.todos || [] }) },
+    notebook_read: { ccTool: 'NotebookEdit', translateArgs: (a) => ({ notebook_path: String(a.notebook_path || a.path || '') }) },
+    enter_plan_mode: { ccTool: 'EnterPlanMode' },
+    exit_plan_mode: { ccTool: 'ExitPlanMode' },
+    enter_worktree: { ccTool: 'EnterWorktree', translateArgs: (a) => ({ path: a.path }) },
+    exit_worktree: { ccTool: 'ExitWorktree' },
 };
 /**
  * Build a CC-template request from a client request.
@@ -79,34 +89,47 @@ export function buildCCRequest(clientBody, billingTag, cache1h, identity, opts =
     const activeToolMap = new Map();
     const unmappedTools = [];
     if (clientTools && !opts.preserveTools) {
+        // Two passes so the unmapped-tool distributor can avoid colliding with
+        // CC tools the client already uses directly. Without this, a client
+        // sending both `WebSearch` and some unmapped tool like `memory_get`
+        // could have both forward-map to `WebSearch`, and the reverse map would
+        // then rewrite real `WebSearch` responses to the collided client name.
+        const claimedCC = new Set();
         for (const tool of clientTools) {
             const name = (tool.name || '').toLowerCase();
             const mapping = TOOL_MAP[name];
             if (mapping) {
                 activeToolMap.set(tool.name, mapping);
+                claimedCC.add(mapping.ccTool);
             }
-            else {
-                unmappedTools.push(tool.name);
-                // Distribute unmapped tools across CC tool names to avoid suspicious
-                // patterns where every unknown tool maps to Bash
-                const CC_FALLBACK_TOOLS = ['Bash', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'];
-                const fallbackTool = CC_FALLBACK_TOOLS[unmappedTools.length % CC_FALLBACK_TOOLS.length];
-                activeToolMap.set(tool.name, {
-                    ccTool: fallbackTool,
-                    translateArgs: (a) => {
-                        // Translate args to match the CC tool's expected schema
-                        switch (fallbackTool) {
-                            case 'Bash': return { command: `echo "${JSON.stringify(a).slice(0, 200)}"` };
-                            case 'Read': return { file_path: String(a.path || a.file || a.url || '/tmp/output') };
-                            case 'Grep': return { pattern: String(a.query || a.pattern || a.search || '.'), path: '.' };
-                            case 'Glob': return { pattern: String(a.pattern || a.glob || '*') };
-                            case 'WebSearch': return { query: String(a.query || a.q || a.search || '') };
-                            case 'WebFetch': return { url: String(a.url || a.uri || '') };
-                            default: return a;
-                        }
-                    },
-                });
-            }
+        }
+        const CC_FALLBACK_TOOLS = ['Bash', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'];
+        for (const tool of clientTools) {
+            const name = (tool.name || '').toLowerCase();
+            if (TOOL_MAP[name])
+                continue;
+            unmappedTools.push(tool.name);
+            // Exclude CC tools the client already uses so we never create a
+            // two-client-names-to-one-CC-tool collision. If every fallback is
+            // claimed (rare: client already uses 6+ CC tools), fall back to the
+            // full pool and accept the ambiguity.
+            const pool = CC_FALLBACK_TOOLS.filter(t => !claimedCC.has(t));
+            const fallbackPool = pool.length > 0 ? pool : CC_FALLBACK_TOOLS;
+            const fallbackTool = fallbackPool[(unmappedTools.length - 1) % fallbackPool.length];
+            activeToolMap.set(tool.name, {
+                ccTool: fallbackTool,
+                translateArgs: (a) => {
+                    switch (fallbackTool) {
+                        case 'Bash': return { command: `echo "${JSON.stringify(a).slice(0, 200)}"` };
+                        case 'Read': return { file_path: String(a.path || a.file || a.url || '/tmp/output') };
+                        case 'Grep': return { pattern: String(a.query || a.pattern || a.search || '.'), path: '.' };
+                        case 'Glob': return { pattern: String(a.pattern || a.glob || '*') };
+                        case 'WebSearch': return { query: String(a.query || a.q || a.search || '') };
+                        case 'WebFetch': return { url: String(a.url || a.uri || '') };
+                        default: return a;
+                    }
+                },
+            });
         }
     }
     // ── Remap tool_use and tool_result references in message history ──
@@ -232,14 +255,26 @@ export function reverseMapResponse(responseBody, toolMap) {
     if (toolMap.size === 0)
         return responseBody;
     let result = responseBody;
-    // Build reverse map: CC tool name → original client tool name
+    // Build reverse map: CC tool name → original client tool name.
+    // Two passes so identity mappings (client sent a tool with the real CC
+    // name) claim their CC slot first and can never be overwritten by a
+    // non-identity entry. Without this, a collision between a direct
+    // `WebSearch` and an unmapped-tool fallback landing on `WebSearch` could
+    // rewrite the real search response to the wrong client name.
     const reverseMap = new Map();
+    const identityClaimed = new Set();
     for (const [clientName, mapping] of toolMap) {
-        // Only add if not a direct CC tool name
-        if (clientName.toLowerCase() !== mapping.ccTool.toLowerCase()) {
-            reverseMap.set(mapping.ccTool, clientName);
+        if (clientName.toLowerCase() === mapping.ccTool.toLowerCase()) {
+            identityClaimed.add(mapping.ccTool);
         }
     }
+    for (const [clientName, mapping] of toolMap) {
+        if (clientName.toLowerCase() === mapping.ccTool.toLowerCase())
+            continue;
+        if (identityClaimed.has(mapping.ccTool))
+            continue;
+        reverseMap.set(mapping.ccTool, clientName);
+    }
     for (const [ccName, clientName] of reverseMap) {
         result = result.replace(new RegExp(`"name"\\s*:\\s*"${ccName}"`, 'g'), `"name":"${clientName}"`);
     }

package/dist/cli.js

@@ -125,12 +125,22 @@ async function proxy() {
         console.error('[dario] Invalid port. Must be 1-65535.');
         process.exit(1);
     }
+    // Bind address — accepts --host=<addr>; falls through to DARIO_HOST env
+    // var or the default of 127.0.0.1 inside startProxy. The sanity check
+    // here only rejects obviously bad shapes; real address validation
+    // happens when the OS tries to bind.
+    const hostArg = args.find(a => a.startsWith('--host='));
+    const host = hostArg ? hostArg.split('=')[1] : undefined;
+    if (host !== undefined && !/^[a-zA-Z0-9._:-]+$/.test(host)) {
+        console.error('[dario] Invalid --host. Must be an IP address or hostname.');
+        process.exit(1);
+    }
     const verbose = args.includes('--verbose') || args.includes('-v');
     const passthrough = args.includes('--passthrough') || args.includes('--thin');
     const preserveTools = args.includes('--preserve-tools') || args.includes('--keep-tools');
     const modelArg = args.find(a => a.startsWith('--model='));
     const model = modelArg ? modelArg.split('=')[1] : undefined;
-    await startProxy({ port, verbose, model, passthrough, preserveTools });
+    await startProxy({ port, host, verbose, model, passthrough, preserveTools });
 }
 async function help() {
     console.log(`
@@ -151,6 +161,12 @@ async function help() {
     --passthrough, --thin    Thin proxy — OAuth swap only, no injection
     --preserve-tools         Keep client tool schemas (for agents with custom tools)
     --port=PORT              Port to listen on (default: 3456)
+    --host=ADDRESS           Address to bind to (default: 127.0.0.1)
+                             Use 0.0.0.0 to accept connections from other machines.
+                             Alternatively set DARIO_HOST env var.
+                             When binding non-loopback, also set DARIO_API_KEY
+                             so unauthenticated LAN hosts can't proxy through
+                             your OAuth subscription.
     --verbose, -v            Log all requests
 
   Quick start:

package/dist/proxy.d.ts

@@ -1,5 +1,6 @@
 interface ProxyOptions {
     port?: number;
+    host?: string;
     verbose?: boolean;
     model?: string;
     passthrough?: boolean;

package/dist/proxy.js

@@ -13,7 +13,16 @@ const MAX_BODY_BYTES = 10 * 1024 * 1024; // 10 MB — generous for large prompts
 const UPSTREAM_TIMEOUT_MS = 300_000; // 5 min — matches Anthropic SDK default
 const BODY_READ_TIMEOUT_MS = 30_000; // 30s — prevents slow-loris on body reads
 const MAX_CONCURRENT = 10; // Max concurrent upstream requests
-const LOCALHOST = '127.0.0.1';
+const DEFAULT_HOST = '127.0.0.1';
+// A host is "loopback" if it's one of the well-known localhost literals.
+// Used to decide whether to warn at startup about binding to a reachable
+// interface — binding anywhere else means other machines can reach the
+// proxy and should only be done with DARIO_API_KEY set.
+function isLoopbackHost(host) {
+    if (host === '127.0.0.1' || host === '::1' || host === 'localhost')
+        return true;
+    return host.startsWith('127.');
+}
 // Simple semaphore for concurrency control
 class Semaphore {
     max;
@@ -308,6 +317,7 @@ function enrich429(body, headers) {
 }
 export async function startProxy(opts = {}) {
     const port = opts.port ?? DEFAULT_PORT;
+    const host = opts.host ?? process.env.DARIO_HOST ?? DEFAULT_HOST;
     const verbose = opts.verbose ?? false;
     const passthrough = opts.passthrough ?? false;
     // Verify auth before starting
@@ -354,7 +364,11 @@ export async function startProxy(opts = {}) {
     // Optional proxy authentication — pre-encode key buffer for performance
     const apiKey = process.env.DARIO_API_KEY;
     const apiKeyBuf = apiKey ? Buffer.from(apiKey) : null;
-    const corsOrigin = `http://localhost:${port}`;
+    // CORS origin defaults to the localhost URL the proxy is served at. Users
+    // binding to a non-loopback address (e.g. a Tailscale interface) can
+    // override via DARIO_CORS_ORIGIN — otherwise browser-based clients hitting
+    // dario over the mesh will be blocked by their browser's CORS check.
+    const corsOrigin = process.env.DARIO_CORS_ORIGIN || `http://localhost:${port}`;
     // Security headers for all responses
     const SECURITY_HEADERS = {
         'X-Content-Type-Options': 'nosniff',
@@ -754,22 +768,39 @@ export async function startProxy(opts = {}) {
         }
         process.exit(1);
     });
-    server.listen(port, LOCALHOST, () => {
+    server.listen(port, host, () => {
         const modeLine = passthrough
             ? 'Mode: passthrough (OAuth swap only, no injection)'
             : `OAuth: ${status.status} (expires in ${status.expiresIn})`;
         const modelLine = modelOverride ? `Model: ${modelOverride} (all requests)` : 'Model: passthrough (client decides)';
+        // Display URL uses `localhost` for loopback binds and the literal host
+        // for exposed binds, so the printed URL is the one a client would
+        // actually use to reach the proxy.
+        const displayHost = isLoopbackHost(host) ? 'localhost' : host;
         console.log('');
-        console.log(`  dario — http://localhost:${port}`);
+        console.log(`  dario — http://${displayHost}:${port}`);
         console.log('');
         console.log('  Your Claude subscription is now an API.');
         console.log('');
         console.log('  Usage:');
-        console.log(`    ANTHROPIC_BASE_URL=http://localhost:${port}`);
+        console.log(`    ANTHROPIC_BASE_URL=http://${displayHost}:${port}`);
         console.log('    ANTHROPIC_API_KEY=dario');
         console.log('');
         console.log(`  ${modeLine}`);
         console.log(`  ${modelLine}`);
+        if (!isLoopbackHost(host)) {
+            console.log('');
+            console.log(`  ⚠  Bound to ${host} — reachable from other machines on the network.`);
+            if (!apiKey) {
+                console.log('     DARIO_API_KEY is not set. Any host that can reach this port can');
+                console.log('     proxy requests through your OAuth subscription. Set DARIO_API_KEY');
+                console.log('     before exposing dario beyond loopback.');
+            }
+            else {
+                console.log('     DARIO_API_KEY is set — clients must send x-api-key or Authorization');
+                console.log('     to be accepted.');
+            }
+        }
         console.log('');
     });
     // Session presence heartbeat — keeps the OAuth session marked active

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.4.1",
+  "version": "3.4.3",
   "description": "Use your Claude subscription as an API. No API key needed. Local proxy for Claude Max/Pro subscriptions.",
   "type": "module",
   "bin": {
@@ -26,7 +26,9 @@
     "start": "node dist/cli.js",
     "dev": "tsx src/cli.ts",
     "e2e": "node test/e2e.mjs",
-    "compat": "node test/compat.mjs"
+    "compat": "node test/compat.mjs",
+    "lint:pkg": "node scripts/check-package-json.mjs",
+    "fix:pkg": "node -e \"const fs=require('fs');fs.writeFileSync('package.json',JSON.stringify(JSON.parse(fs.readFileSync('package.json','utf-8')),null,2)+'\\n')\""
   },
   "keywords": [
     "claude",