@askalf/dario 3.4.1 → 3.4.4

package/README.md

@@ -408,13 +408,13 @@ Anthropic periodically rotates the OAuth `client_id`, authorize URL, token URL,
 
 Dario scans the installed CC binary at startup and extracts the current config directly:
 
-- **Anchor**: `OAUTH_FILE_SUFFIX:"-local-oauth"` — the config block CC uses for clients that run their own localhost callback.
-- **Extracted**: `CLIENT_ID`, `CLAUDE_AI_AUTHORIZE_URL`, `TOKEN_URL`, and the full `user:*` scope string.
-- **Cached**: Results stored at `~/.dario/cc-oauth-cache.json` keyed by binary fingerprint (first 64KB sha256 + size + mtime). Cold scan ~500ms, cache hit ~5ms. Re-scans only when CC is upgraded.
-- **Fallback**: If CC is not installed or scanning fails, dario uses known-good hardcoded values. No user action needed.
+- **Anchor**: `BASE_API_URL:"https://api.anthropic.com"` — this literal appears only inside CC's live prod OAuth config block, so the scanner reliably lands in the right object even when the minifier reorders fields across CC releases.
+- **Extracted**: `CLIENT_ID`, `CLAUDE_AI_AUTHORIZE_URL`, `TOKEN_URL`, and the full `user:*` scope string. A defensive check rejects any scan result that matches a known-dead internal client_id.
+- **Cached**: Results stored at `~/.dario/cc-oauth-cache-v2.json` keyed by binary fingerprint (first 64KB sha256 + size + mtime). Cold scan ~500ms, cache hit ~5ms. Re-scans only when CC is upgraded.
+- **Fallback**: If CC is not installed or scanning fails, dario uses the CC 2.1.104 prod config values hardcoded in-tree. No user action needed.
 - **Override**: Set `DARIO_CC_PATH=/path/to/claude` to point dario at a non-standard CC binary location.
 
-CC ships **two** OAuth client configurations in one binary — a `-local-oauth` flow (localhost callback) and a platform-hosted flow (`platform.claude.com/oauth/code/callback`). Dario must use the former. The scanner anchors specifically on the local block.
+CC ships three OAuth config factories (`local`, `staging`, `prod`) in one binary, selected at runtime by a function that is hardcoded to `prod` in shipped builds. Only the prod block is live; the other two are dead code paths CC uses when pointing at internal dev/staging infrastructure. The scanner targets the prod block specifically.
 
 End-to-end verification lives at [`test/oauth-detector.mjs`](test/oauth-detector.mjs).
 
@@ -439,8 +439,10 @@ End-to-end verification lives at [`test/oauth-detector.mjs`](test/oauth-detector
 | `--preserve-tools` / `--keep-tools` | Keep client tool schemas instead of remapping to CC tools | off |
 | `--model=MODEL` | Force a model (`opus`, `sonnet`, `haiku`, or full ID) | passthrough |
 | `--port=PORT` | Port to listen on | `3456` |
+| `--host=ADDRESS` / `DARIO_HOST` | Bind address. Use `0.0.0.0` to accept LAN connections, or a specific IP to bind selectively (e.g. a Tailscale interface). When non-loopback, also set `DARIO_API_KEY`. | `127.0.0.1` |
 | `--verbose` / `-v` | Log every request | off |
-| `DARIO_API_KEY` | If set, all endpoints (except `/health`) require matching `x-api-key` or `Authorization: Bearer` | unset (open) |
+| `DARIO_API_KEY` | If set, all endpoints (except `/health`) require matching `x-api-key` or `Authorization: Bearer`. **Required** when `--host` binds to anything other than loopback. | unset (open) |
+| `DARIO_CORS_ORIGIN` | Override the browser CORS `Access-Control-Allow-Origin`. Useful for browser-based clients (open-webui, librechat) connecting over a mesh network. | `http://localhost:${port}` |
 | `DARIO_NO_BUN` | Disable automatic Bun relaunch (stay on Node.js) | unset |
 | `DARIO_MIN_INTERVAL_MS` | Minimum ms between requests (rate governor) | `500` |
 | `DARIO_CC_PATH` | Override path to Claude Code binary for OAuth detection | auto-detect |
@@ -506,9 +508,9 @@ curl http://localhost:3456/health
 |---------|---------------------|
 | Credential storage | Reads from Claude Code (`~/.claude/.credentials.json`) or its own store (`~/.dario/credentials.json`) with `0600` permissions |
 | OAuth flow | PKCE (Proof Key for Code Exchange) — no client secret needed |
-| OAuth config source | Auto-detected from local CC binary at runtime; cached at `~/.dario/cc-oauth-cache.json`. Detector reads binary in read-only mode, never modifies it. |
+| OAuth config source | Auto-detected from local CC binary at runtime; cached at `~/.dario/cc-oauth-cache-v2.json`. Detector reads binary in read-only mode, never modifies it. |
 | Token exposure | Tokens never logged; redacted from all error messages. |
-| Network binding | Binds exclusively to `127.0.0.1`. Upstream traffic goes only to `api.anthropic.com` over HTTPS. |
+| Network binding | Binds to `127.0.0.1` by default. Override with `--host` / `DARIO_HOST` for mesh/LAN use; dario refuses to treat non-loopback binds as safe and requires you to set `DARIO_API_KEY` to avoid an unauthenticated LAN-reachable proxy. Upstream traffic goes only to `api.anthropic.com` over HTTPS. |
 | Auth timing | `timingSafeEqual` used for `DARIO_API_KEY` comparison. |
 | SSRF protection | Only `/v1/messages` and `/v1/complete` are proxied upstream — hardcoded allowlist. |
 | Body size | 10MB hard cap per request. 30s read timeout prevents slow-loris. |
@@ -571,7 +573,7 @@ Optional but recommended. If [Bun](https://bun.sh) is installed, dario auto-rela
 Dario auto-refreshes tokens 30 minutes before expiry. You should never see an auth error in normal use. If something goes wrong, `dario refresh` forces an immediate refresh.
 
 **What happens when Anthropic rotates the OAuth client_id or URL?**
-Dario auto-detects OAuth config from your installed Claude Code binary. When CC ships a new version with rotated values, dario picks them up on the next startup — no dario release needed. The detector is cached at `~/.dario/cc-oauth-cache.json` and only re-scans when the binary fingerprint changes. If CC isn't installed, dario falls back to known-good hardcoded values.
+Dario auto-detects OAuth config from your installed Claude Code binary. When CC ships a new version with rotated values, dario picks them up on the next startup — no dario release needed. The detector is cached at `~/.dario/cc-oauth-cache-v2.json` and only re-scans when the binary fingerprint changes. If CC isn't installed, dario falls back to hardcoded CC 2.1.104 prod values.
 
 **I'm hitting rate limits. What do I do?**
 Claude subscriptions have rolling 5-hour and 7-day usage windows. Check your utilization with Claude Code's `/usage` command or the [statusline](https://code.claude.com/docs/en/statusline). Rate limit errors from dario include utilization percentages and reset times so you can see exactly when capacity returns.
@@ -582,7 +584,7 @@ If you're running a multi-agent workload and consistently hitting limits, [askal
 Claude subscriptions have rolling 5-hour and 7-day usage windows shared across claude.ai and Claude Code. See [Anthropic's docs](https://support.claude.com/en/articles/11647753-how-do-usage-and-length-limits-work) for details.
 
 **Can I run this on a server?**
-Dario binds to localhost by default. For server use, handle the initial login on a machine with a browser, then copy `~/.claude/.credentials.json` (or `~/.dario/credentials.json`) to your server. Auto-refresh will keep it alive from there.
+Dario binds to localhost by default. For server use, handle the initial login on a machine with a browser, then copy `~/.claude/.credentials.json` (or `~/.dario/credentials.json`) to your server. Auto-refresh will keep it alive from there. If you want dario reachable from other machines on the same LAN or a Tailscale mesh, pass `--host=0.0.0.0` (or a specific interface IP) and set `DARIO_API_KEY` to gate access.
 
 **Why "dario"?**
 Named after [Dario Amodei](https://en.wikipedia.org/wiki/Dario_Amodei), CEO of Anthropic.
@@ -622,7 +624,7 @@ Dario handles your OAuth tokens. Here's why you can trust it:
 | **npm provenance** | Every release is [SLSA attested](https://www.npmjs.com/package/@askalf/dario) via GitHub Actions |
 | **Security scanning** | [CodeQL](https://github.com/askalf/dario/actions/workflows/codeql.yml) runs on every push and weekly |
 | **Credential handling** | Tokens never logged, redacted from errors, stored with 0600 permissions |
-| **Network scope** | Binds to 127.0.0.1 only. Upstream traffic goes exclusively to `api.anthropic.com` over HTTPS |
+| **Network scope** | Binds to 127.0.0.1 by default; `--host` / `DARIO_HOST` allows LAN/mesh exposure with `DARIO_API_KEY` gating. Upstream traffic goes exclusively to `api.anthropic.com` over HTTPS |
 | **No telemetry** | Zero analytics, tracking, or data collection of any kind |
 | **Audit trail** | [CHANGELOG.md](CHANGELOG.md) documents every release |
 | **Branch protection** | CI must pass before merge. CODEOWNERS enforces review |

package/dist/cc-oauth-detect.d.ts

@@ -5,20 +5,32 @@
  * (client_id, authorize URL, token URL, scopes). Eliminates the need to
  * hardcode values that Anthropic rotates between CC releases.
  *
- * CC ships two OAuth client configurations in one binary:
+ * CC ships three OAuth config factories in one binary (dev/staging/prod),
+ * selected at runtime by an environment switch that is hardcoded to "prod"
+ * in shipped builds. Only the PROD block is live; "local" and "staging"
+ * are dead code paths.
  *
- *   1. LOCAL flow — used when the OAuth client owns the callback
- *      (i.e. runs an HTTP server on localhost). This is what dario does.
- *      Identified by OAUTH_FILE_SUFFIX:"-local-oauth" next to the CLIENT_ID.
+ *   PROD block (the one we want):
+ *     BASE_API_URL: "https://api.anthropic.com"
+ *     CLAUDE_AI_AUTHORIZE_URL: "https://claude.com/cai/oauth/authorize"
+ *     TOKEN_URL: "https://platform.claude.com/v1/oauth/token"
+ *     CLIENT_ID: "9d1c250a-e61b-44d9-88ed-5944d1962f5e"
+ *     OAUTH_FILE_SUFFIX: ""
  *
- *   2. PLATFORM flow — used when the callback is hosted at
- *      platform.claude.com/oauth/code/callback. Different CLIENT_ID.
- *      Not applicable to dario.
+ *   LOCAL block (dead code in shipped builds — CC pointing at localhost:8000
+ *     etc. as its own dev stack, NOT about "client uses a localhost callback"):
+ *     BASE_API_URL: "http://localhost:8000"
+ *     CLIENT_ID: "22422756-60c9-4084-8eb7-27705fd5cf9a"
+ *     OAUTH_FILE_SUFFIX: "-local-oauth"
  *
- * We scan for the LOCAL block and extract its config.
+ * Dario uses CC's own automatic OAuth flow — the prod client is registered
+ * with `http://localhost:${port}/callback` exactly as dario sends. (The
+ * "MANUAL_REDIRECT_URL" on platform.claude.com is only used when dario's
+ * local HTTP server can't bind a port; dario never hits that path.)
  *
- * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache.json so
- * startup only re-scans when the user upgrades Claude Code.
+ * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache-v2.json so
+ * startup only re-scans when the user upgrades Claude Code. The -v2 suffix
+ * invalidates the v3.4.0-v3.4.2 caches that held the wrong (dev) client_id.
  */
 export interface DetectedOAuthConfig {
     clientId: string;
@@ -30,10 +42,14 @@ export interface DetectedOAuthConfig {
     ccHash?: string;
 }
 /**
- * Scan binary bytes for the LOCAL-oauth OAuth block.
- * Uses Buffer.indexOf to locate anchor strings, then slices a small
- * window of context to run regexes on. This avoids converting the
- * whole binary to a JS string.
+ * Scan binary bytes for the PROD OAuth config block.
+ *
+ * Anchors on `BASE_API_URL:"https://api.anthropic.com"` — this literal
+ * only appears inside the prod config object (`nh$`). The LOCAL-dev block
+ * uses `http://localhost:8000` for the same key, and there's no staging
+ * block present in shipped builds. Once we find the anchor, the CLIENT_ID,
+ * CLAUDE_AI_AUTHORIZE_URL, TOKEN_URL, and scopes all live within a ~1.5KB
+ * window after it.
  */
 export declare function scanBinaryForOAuthConfig(buf: Buffer): Omit<DetectedOAuthConfig, 'source' | 'ccPath' | 'ccHash'> | null;
 /**

package/dist/cc-oauth-detect.js

@@ -5,20 +5,32 @@
  * (client_id, authorize URL, token URL, scopes). Eliminates the need to
  * hardcode values that Anthropic rotates between CC releases.
  *
- * CC ships two OAuth client configurations in one binary:
+ * CC ships three OAuth config factories in one binary (dev/staging/prod),
+ * selected at runtime by an environment switch that is hardcoded to "prod"
+ * in shipped builds. Only the PROD block is live; "local" and "staging"
+ * are dead code paths.
  *
- *   1. LOCAL flow — used when the OAuth client owns the callback
- *      (i.e. runs an HTTP server on localhost). This is what dario does.
- *      Identified by OAUTH_FILE_SUFFIX:"-local-oauth" next to the CLIENT_ID.
+ *   PROD block (the one we want):
+ *     BASE_API_URL: "https://api.anthropic.com"
+ *     CLAUDE_AI_AUTHORIZE_URL: "https://claude.com/cai/oauth/authorize"
+ *     TOKEN_URL: "https://platform.claude.com/v1/oauth/token"
+ *     CLIENT_ID: "9d1c250a-e61b-44d9-88ed-5944d1962f5e"
+ *     OAUTH_FILE_SUFFIX: ""
  *
- *   2. PLATFORM flow — used when the callback is hosted at
- *      platform.claude.com/oauth/code/callback. Different CLIENT_ID.
- *      Not applicable to dario.
+ *   LOCAL block (dead code in shipped builds — CC pointing at localhost:8000
+ *     etc. as its own dev stack, NOT about "client uses a localhost callback"):
+ *     BASE_API_URL: "http://localhost:8000"
+ *     CLIENT_ID: "22422756-60c9-4084-8eb7-27705fd5cf9a"
+ *     OAUTH_FILE_SUFFIX: "-local-oauth"
  *
- * We scan for the LOCAL block and extract its config.
+ * Dario uses CC's own automatic OAuth flow — the prod client is registered
+ * with `http://localhost:${port}/callback` exactly as dario sends. (The
+ * "MANUAL_REDIRECT_URL" on platform.claude.com is only used when dario's
+ * local HTTP server can't bind a port; dario never hits that path.)
  *
- * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache.json so
- * startup only re-scans when the user upgrades Claude Code.
+ * Results are cached per-binary-hash at ~/.dario/cc-oauth-cache-v2.json so
+ * startup only re-scans when the user upgrades Claude Code. The -v2 suffix
+ * invalidates the v3.4.0-v3.4.2 caches that held the wrong (dev) client_id.
  */
 import { readFile, writeFile, mkdir, stat, open as openFile } from 'node:fs/promises';
 import { existsSync } from 'node:fs';
@@ -26,15 +38,29 @@ import { homedir, platform } from 'node:os';
 import { join, dirname } from 'node:path';
 import { createHash } from 'node:crypto';
 // Last-resort fallback if CC binary can't be found or scanned.
-// These values are the known-good v2.1.104 local-oauth flow.
+// These values are the CC v2.1.104 PROD OAuth config, extracted from
+// the `nh$` object in the shipped binary.
 const FALLBACK = {
-    clientId: '22422756-60c9-4084-8eb7-27705fd5cf9a',
+    clientId: '9d1c250a-e61b-44d9-88ed-5944d1962f5e',
     authorizeUrl: 'https://claude.com/cai/oauth/authorize',
     tokenUrl: 'https://platform.claude.com/v1/oauth/token',
-    scopes: 'user:profile user:inference user:sessions:claude_code user:mcp_servers',
+    // Scopes are the full `n36` union from the CC binary, which is the value
+    // sent during a normal `claude login` (non-setup-token) flow. In CC's
+    // source: `let D = f ? [TI] : n36` where `f = inferenceOnly` (true only
+    // for `claude setup-token`). Normal interactive login uses the 6-scope
+    // union including `org:create_api_key` — even though that scope is named
+    // "Console-only" by convention, CC's own login flow requests it up front.
+    // Earlier dario versions (3.2.7 through 3.4.3) dropped `org:create_api_key`
+    // from the list based on a misread of the name; the dev-only client_id
+    // was lenient enough to accept the shorter list, the prod client_id is not.
+    scopes: 'org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload',
     source: 'fallback',
 };
-const CACHE_PATH = join(homedir(), '.dario', 'cc-oauth-cache.json');
+// -v3 suffix invalidates v3.4.3 caches that were populated with the wrong
+// 4-scope list (the scanner's regex matched a help-message string literal
+// in the CC binary instead of the real scope array). See the scanner's
+// scope handling below for why scope detection is no longer attempted.
+const CACHE_PATH = join(homedir(), '.dario', 'cc-oauth-cache-v3.json');
 function candidatePaths() {
     const home = homedir();
     if (platform() === 'win32') {
@@ -88,80 +114,58 @@ async function fingerprintBinary(path) {
     }
 }
 /**
- * Scan binary bytes for the LOCAL-oauth OAuth block.
- * Uses Buffer.indexOf to locate anchor strings, then slices a small
- * window of context to run regexes on. This avoids converting the
- * whole binary to a JS string.
+ * Scan binary bytes for the PROD OAuth config block.
+ *
+ * Anchors on `BASE_API_URL:"https://api.anthropic.com"` — this literal
+ * only appears inside the prod config object (`nh$`). The LOCAL-dev block
+ * uses `http://localhost:8000` for the same key, and there's no staging
+ * block present in shipped builds. Once we find the anchor, the CLIENT_ID,
+ * CLAUDE_AI_AUTHORIZE_URL, TOKEN_URL, and scopes all live within a ~1.5KB
+ * window after it.
  */
 export function scanBinaryForOAuthConfig(buf) {
-    // Anchor: `OAUTH_FILE_SUFFIX:"-local-oauth"` — this is the config-block
-    // occurrence, not the switch-case string literal. The switch-case produces
-    // just `-local-oauth` bytes, but the config object serializes as
-    // `OAUTH_FILE_SUFFIX:"-local-oauth"` with the key+quote prefix, which is
-    // stable across minified CC builds.
-    const anchor = Buffer.from('OAUTH_FILE_SUFFIX:"-local-oauth"');
-    let anchorIdx = buf.indexOf(anchor);
-    // Fallback anchor — some builds may tokenize differently.
-    if (anchorIdx === -1) {
-        const looseAnchor = Buffer.from('"-local-oauth"');
-        anchorIdx = buf.indexOf(looseAnchor);
-    }
+    const anchor = Buffer.from('BASE_API_URL:"https://api.anthropic.com"');
+    const anchorIdx = buf.indexOf(anchor);
     if (anchorIdx === -1)
         return null;
-    // The CLIENT_ID sits within a few hundred bytes BEFORE the anchor
-    // (in the same config object). Extract a window around it.
-    const windowStart = Math.max(0, anchorIdx - 1024);
-    const windowEnd = Math.min(buf.length, anchorIdx + 64);
-    const localBlock = buf.slice(windowStart, windowEnd).toString('latin1');
-    // Pick the CLIENT_ID that's CLOSEST to the anchor (last occurrence in window).
-    const cidRegex = /CLIENT_ID\s*:\s*"([0-9a-f-]{36})"/gi;
-    let lastCid = null;
-    let m;
-    while ((m = cidRegex.exec(localBlock)) !== null) {
-        if (m[1])
-            lastCid = m[1];
-    }
-    if (!lastCid)
+    // The prod config object is laid out roughly as one line of minified JS.
+    // Take a generous window to be safe across minifier differences.
+    const windowStart = anchorIdx;
+    const windowEnd = Math.min(buf.length, anchorIdx + 2048);
+    const prodBlock = buf.slice(windowStart, windowEnd).toString('latin1');
+    const cidMatch = /CLIENT_ID\s*:\s*"([0-9a-f-]{36})"/i.exec(prodBlock);
+    if (!cidMatch || !cidMatch[1])
+        return null;
+    const clientId = cidMatch[1];
+    // Defensive: if we somehow matched the dev client_id, reject — the
+    // anchor should have put us in the prod block, but this guards against
+    // the block being laid out in an unexpected order across builds.
+    if (clientId === '22422756-60c9-4084-8eb7-27705fd5cf9a')
         return null;
-    const clientId = lastCid;
-    // Authorize URL: CLAUDE_AI_AUTHORIZE_URL appears once in the binary.
-    const authAnchor = Buffer.from('CLAUDE_AI_AUTHORIZE_URL');
-    const authIdx = buf.indexOf(authAnchor);
     let authorizeUrl = FALLBACK.authorizeUrl;
-    if (authIdx !== -1) {
-        const w = buf.slice(authIdx, Math.min(buf.length, authIdx + 256)).toString('latin1');
-        const m = /CLAUDE_AI_AUTHORIZE_URL\s*:\s*"([^"]+)"/.exec(w);
-        if (m && m[1])
-            authorizeUrl = m[1];
-    }
-    // Token URL: TOKEN_URL — look for the one under platform.claude.com/.../oauth/token
-    const tokenAnchor = Buffer.from('TOKEN_URL');
-    let searchFrom = 0;
+    const authMatch = /CLAUDE_AI_AUTHORIZE_URL\s*:\s*"([^"]+)"/.exec(prodBlock);
+    if (authMatch && authMatch[1])
+        authorizeUrl = authMatch[1];
     let tokenUrl = FALLBACK.tokenUrl;
-    while (searchFrom < buf.length) {
-        const idx = buf.indexOf(tokenAnchor, searchFrom);
-        if (idx === -1)
-            break;
-        const w = buf.slice(idx, Math.min(buf.length, idx + 128)).toString('latin1');
-        const m = /TOKEN_URL\s*:\s*"(https:\/\/[^"]*\/oauth\/token[^"]*)"/.exec(w);
-        if (m && m[1]) {
-            tokenUrl = m[1];
-            break;
-        }
-        searchFrom = idx + tokenAnchor.length;
-    }
-    // Scopes: contiguous quoted string of "user:X user:Y user:Z ..."
-    // Search for an anchor like "user:profile " which is the first scope.
-    const scopeAnchor = Buffer.from('"user:profile ');
-    let scopes = FALLBACK.scopes;
-    const scopeIdx = buf.indexOf(scopeAnchor);
-    if (scopeIdx !== -1) {
-        const w = buf.slice(scopeIdx, Math.min(buf.length, scopeIdx + 512)).toString('latin1');
-        const m = /"(user:profile(?:\s+user:[a-z_:]+)+)"/.exec(w);
-        if (m && m[1])
-            scopes = m[1];
-    }
-    return { clientId, authorizeUrl, tokenUrl, scopes };
+    const tokenMatch = /TOKEN_URL\s*:\s*"(https:\/\/[^"]*\/oauth\/token[^"]*)"/.exec(prodBlock);
+    if (tokenMatch && tokenMatch[1])
+        tokenUrl = tokenMatch[1];
+    // Scopes are NOT detected from the binary. Previous versions of this
+    // scanner anchored on `"user:profile ` and regex-captured the first
+    // contiguous quoted run of scopes, but that anchor matches an error/help
+    // message string literal (used by `claude setup-token` error output) that
+    // contains only 4 of the 6 actual scopes. The real scope array is stored
+    // as a constant-reference array — `dY8 = [B9H, TI, "user:sessions:...", ...]`
+    // — where the first two elements are minified variable references, not
+    // literal strings, so no regex can reliably extract the full list. And the
+    // runtime-computed union `n36` only exists after `Array.from(new Set(...))`
+    // executes, which we can't evaluate from a static scan.
+    //
+    // Given that scopes rarely change across CC releases (Anthropic adds or
+    // removes maybe one per major version), hardcoding them in FALLBACK is
+    // more reliable than scanning. If Anthropic changes the scope list, the
+    // fix is a one-line FALLBACK update in a dario release.
+    return { clientId, authorizeUrl, tokenUrl, scopes: FALLBACK.scopes };
 }
 async function loadCache() {
     try {

package/dist/cc-template-data.json

@@ -886,4 +886,4 @@
     "WebSearch",
     "Write"
   ]
-}
+}

package/dist/cc-template.js

@@ -46,6 +46,16 @@ const TOOL_MAP = {
     browse: { ccTool: 'WebFetch', translateArgs: (a) => ({ url: a.url || '' }) },
     notebook: { ccTool: 'NotebookEdit' },
     notebook_edit: { ccTool: 'NotebookEdit' },
+    // Additional client tool mappings
+    browser: { ccTool: 'WebFetch', translateArgs: (a) => ({ url: String(a.url || '') }) },
+    message: { ccTool: 'AskUserQuestion', translateArgs: (a) => ({ question: String(a.message || a.content || '') }) },
+    todo_read: { ccTool: 'TodoWrite', translateArgs: () => ({ todos: [] }) },
+    todo_write: { ccTool: 'TodoWrite', translateArgs: (a) => ({ todos: a.todos || [] }) },
+    notebook_read: { ccTool: 'NotebookEdit', translateArgs: (a) => ({ notebook_path: String(a.notebook_path || a.path || '') }) },
+    enter_plan_mode: { ccTool: 'EnterPlanMode' },
+    exit_plan_mode: { ccTool: 'ExitPlanMode' },
+    enter_worktree: { ccTool: 'EnterWorktree', translateArgs: (a) => ({ path: a.path }) },
+    exit_worktree: { ccTool: 'ExitWorktree' },
 };
 /**
  * Build a CC-template request from a client request.
@@ -79,34 +89,47 @@ export function buildCCRequest(clientBody, billingTag, cache1h, identity, opts =
     const activeToolMap = new Map();
     const unmappedTools = [];
     if (clientTools && !opts.preserveTools) {
+        // Two passes so the unmapped-tool distributor can avoid colliding with
+        // CC tools the client already uses directly. Without this, a client
+        // sending both `WebSearch` and some unmapped tool like `memory_get`
+        // could have both forward-map to `WebSearch`, and the reverse map would
+        // then rewrite real `WebSearch` responses to the collided client name.
+        const claimedCC = new Set();
         for (const tool of clientTools) {
             const name = (tool.name || '').toLowerCase();
             const mapping = TOOL_MAP[name];
             if (mapping) {
                 activeToolMap.set(tool.name, mapping);
+                claimedCC.add(mapping.ccTool);
             }
-            else {
-                unmappedTools.push(tool.name);
-                // Distribute unmapped tools across CC tool names to avoid suspicious
-                // patterns where every unknown tool maps to Bash
-                const CC_FALLBACK_TOOLS = ['Bash', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'];
-                const fallbackTool = CC_FALLBACK_TOOLS[unmappedTools.length % CC_FALLBACK_TOOLS.length];
-                activeToolMap.set(tool.name, {
-                    ccTool: fallbackTool,
-                    translateArgs: (a) => {
-                        // Translate args to match the CC tool's expected schema
-                        switch (fallbackTool) {
-                            case 'Bash': return { command: `echo "${JSON.stringify(a).slice(0, 200)}"` };
-                            case 'Read': return { file_path: String(a.path || a.file || a.url || '/tmp/output') };
-                            case 'Grep': return { pattern: String(a.query || a.pattern || a.search || '.'), path: '.' };
-                            case 'Glob': return { pattern: String(a.pattern || a.glob || '*') };
-                            case 'WebSearch': return { query: String(a.query || a.q || a.search || '') };
-                            case 'WebFetch': return { url: String(a.url || a.uri || '') };
-                            default: return a;
-                        }
-                    },
-                });
-            }
+        }
+        const CC_FALLBACK_TOOLS = ['Bash', 'Read', 'Grep', 'Glob', 'WebSearch', 'WebFetch'];
+        for (const tool of clientTools) {
+            const name = (tool.name || '').toLowerCase();
+            if (TOOL_MAP[name])
+                continue;
+            unmappedTools.push(tool.name);
+            // Exclude CC tools the client already uses so we never create a
+            // two-client-names-to-one-CC-tool collision. If every fallback is
+            // claimed (rare: client already uses 6+ CC tools), fall back to the
+            // full pool and accept the ambiguity.
+            const pool = CC_FALLBACK_TOOLS.filter(t => !claimedCC.has(t));
+            const fallbackPool = pool.length > 0 ? pool : CC_FALLBACK_TOOLS;
+            const fallbackTool = fallbackPool[(unmappedTools.length - 1) % fallbackPool.length];
+            activeToolMap.set(tool.name, {
+                ccTool: fallbackTool,
+                translateArgs: (a) => {
+                    switch (fallbackTool) {
+                        case 'Bash': return { command: `echo "${JSON.stringify(a).slice(0, 200)}"` };
+                        case 'Read': return { file_path: String(a.path || a.file || a.url || '/tmp/output') };
+                        case 'Grep': return { pattern: String(a.query || a.pattern || a.search || '.'), path: '.' };
+                        case 'Glob': return { pattern: String(a.pattern || a.glob || '*') };
+                        case 'WebSearch': return { query: String(a.query || a.q || a.search || '') };
+                        case 'WebFetch': return { url: String(a.url || a.uri || '') };
+                        default: return a;
+                    }
+                },
+            });
         }
     }
     // ── Remap tool_use and tool_result references in message history ──
@@ -232,14 +255,26 @@ export function reverseMapResponse(responseBody, toolMap) {
     if (toolMap.size === 0)
         return responseBody;
     let result = responseBody;
-    // Build reverse map: CC tool name → original client tool name
+    // Build reverse map: CC tool name → original client tool name.
+    // Two passes so identity mappings (client sent a tool with the real CC
+    // name) claim their CC slot first and can never be overwritten by a
+    // non-identity entry. Without this, a collision between a direct
+    // `WebSearch` and an unmapped-tool fallback landing on `WebSearch` could
+    // rewrite the real search response to the wrong client name.
     const reverseMap = new Map();
+    const identityClaimed = new Set();
     for (const [clientName, mapping] of toolMap) {
-        // Only add if not a direct CC tool name
-        if (clientName.toLowerCase() !== mapping.ccTool.toLowerCase()) {
-            reverseMap.set(mapping.ccTool, clientName);
+        if (clientName.toLowerCase() === mapping.ccTool.toLowerCase()) {
+            identityClaimed.add(mapping.ccTool);
         }
     }
+    for (const [clientName, mapping] of toolMap) {
+        if (clientName.toLowerCase() === mapping.ccTool.toLowerCase())
+            continue;
+        if (identityClaimed.has(mapping.ccTool))
+            continue;
+        reverseMap.set(mapping.ccTool, clientName);
+    }
     for (const [ccName, clientName] of reverseMap) {
         result = result.replace(new RegExp(`"name"\\s*:\\s*"${ccName}"`, 'g'), `"name":"${clientName}"`);
     }

package/dist/cli.js

@@ -125,12 +125,22 @@ async function proxy() {
         console.error('[dario] Invalid port. Must be 1-65535.');
         process.exit(1);
     }
+    // Bind address — accepts --host=<addr>; falls through to DARIO_HOST env
+    // var or the default of 127.0.0.1 inside startProxy. The sanity check
+    // here only rejects obviously bad shapes; real address validation
+    // happens when the OS tries to bind.
+    const hostArg = args.find(a => a.startsWith('--host='));
+    const host = hostArg ? hostArg.split('=')[1] : undefined;
+    if (host !== undefined && !/^[a-zA-Z0-9._:-]+$/.test(host)) {
+        console.error('[dario] Invalid --host. Must be an IP address or hostname.');
+        process.exit(1);
+    }
     const verbose = args.includes('--verbose') || args.includes('-v');
     const passthrough = args.includes('--passthrough') || args.includes('--thin');
     const preserveTools = args.includes('--preserve-tools') || args.includes('--keep-tools');
     const modelArg = args.find(a => a.startsWith('--model='));
     const model = modelArg ? modelArg.split('=')[1] : undefined;
-    await startProxy({ port, verbose, model, passthrough, preserveTools });
+    await startProxy({ port, host, verbose, model, passthrough, preserveTools });
 }
 async function help() {
     console.log(`
@@ -151,6 +161,12 @@ async function help() {
     --passthrough, --thin    Thin proxy — OAuth swap only, no injection
     --preserve-tools         Keep client tool schemas (for agents with custom tools)
     --port=PORT              Port to listen on (default: 3456)
+    --host=ADDRESS           Address to bind to (default: 127.0.0.1)
+                             Use 0.0.0.0 to accept connections from other machines.
+                             Alternatively set DARIO_HOST env var.
+                             When binding non-loopback, also set DARIO_API_KEY
+                             so unauthenticated LAN hosts can't proxy through
+                             your OAuth subscription.
     --verbose, -v            Log all requests
 
   Quick start:

package/dist/proxy.d.ts

@@ -1,5 +1,6 @@
 interface ProxyOptions {
     port?: number;
+    host?: string;
     verbose?: boolean;
     model?: string;
     passthrough?: boolean;

package/dist/proxy.js

@@ -13,7 +13,16 @@ const MAX_BODY_BYTES = 10 * 1024 * 1024; // 10 MB — generous for large prompts
 const UPSTREAM_TIMEOUT_MS = 300_000; // 5 min — matches Anthropic SDK default
 const BODY_READ_TIMEOUT_MS = 30_000; // 30s — prevents slow-loris on body reads
 const MAX_CONCURRENT = 10; // Max concurrent upstream requests
-const LOCALHOST = '127.0.0.1';
+const DEFAULT_HOST = '127.0.0.1';
+// A host is "loopback" if it's one of the well-known localhost literals.
+// Used to decide whether to warn at startup about binding to a reachable
+// interface — binding anywhere else means other machines can reach the
+// proxy and should only be done with DARIO_API_KEY set.
+function isLoopbackHost(host) {
+    if (host === '127.0.0.1' || host === '::1' || host === 'localhost')
+        return true;
+    return host.startsWith('127.');
+}
 // Simple semaphore for concurrency control
 class Semaphore {
     max;
@@ -308,6 +317,7 @@ function enrich429(body, headers) {
 }
 export async function startProxy(opts = {}) {
     const port = opts.port ?? DEFAULT_PORT;
+    const host = opts.host ?? process.env.DARIO_HOST ?? DEFAULT_HOST;
     const verbose = opts.verbose ?? false;
     const passthrough = opts.passthrough ?? false;
     // Verify auth before starting
@@ -354,7 +364,11 @@ export async function startProxy(opts = {}) {
     // Optional proxy authentication — pre-encode key buffer for performance
     const apiKey = process.env.DARIO_API_KEY;
     const apiKeyBuf = apiKey ? Buffer.from(apiKey) : null;
-    const corsOrigin = `http://localhost:${port}`;
+    // CORS origin defaults to the localhost URL the proxy is served at. Users
+    // binding to a non-loopback address (e.g. a Tailscale interface) can
+    // override via DARIO_CORS_ORIGIN — otherwise browser-based clients hitting
+    // dario over the mesh will be blocked by their browser's CORS check.
+    const corsOrigin = process.env.DARIO_CORS_ORIGIN || `http://localhost:${port}`;
     // Security headers for all responses
     const SECURITY_HEADERS = {
         'X-Content-Type-Options': 'nosniff',
@@ -445,6 +459,10 @@ export async function startProxy(opts = {}) {
         }
         // Proxy to Anthropic (with concurrency control)
         await semaphore.acquire();
+        // Hoisted so the finally block can clean up whatever was set.
+        let upstreamTimeout = null;
+        let onClientClose = null;
+        let upstreamAbortReason = null;
         try {
             const accessToken = await getAccessToken();
             // Read request body with size limit and timeout (prevents slow-loris)
@@ -548,11 +566,33 @@ export async function startProxy(opts = {}) {
                 // CC sends 600 on first request per session. With rotation, every request is "first"
                 'x-stainless-timeout': '600',
             };
+            // Client-disconnect abort: if the client drops the connection before
+            // we've finished sending the response, we abort the upstream fetch so
+            // Anthropic stops generating (and billing) a response nobody will
+            // read. Also carries the 5-minute upstream timeout via the same
+            // controller, so a single signal covers both cancellation reasons.
+            const upstreamAbort = new AbortController();
+            upstreamTimeout = setTimeout(() => {
+                if (!upstreamAbort.signal.aborted) {
+                    upstreamAbortReason = 'timeout';
+                    upstreamAbort.abort();
+                }
+            }, UPSTREAM_TIMEOUT_MS);
+            onClientClose = () => {
+                // 'close' fires on both normal teardown and client disconnect.
+                // We only want to abort if we haven't finished our response yet —
+                // normal teardown happens AFTER res.writableEnded becomes true.
+                if (!res.writableEnded && !upstreamAbort.signal.aborted) {
+                    upstreamAbortReason = 'client_closed';
+                    upstreamAbort.abort();
+                }
+            };
+            req.on('close', onClientClose);
             let upstream = await fetch(targetBase, {
                 method: req.method ?? 'POST',
                 headers,
                 body: finalBody ? new Uint8Array(finalBody) : undefined,
-                signal: AbortSignal.timeout(UPSTREAM_TIMEOUT_MS),
+                signal: upstreamAbort.signal,
             });
             // Auto-retry without context-1m if it triggers a long-context billing error.
             // Anthropic returns this as either 400 ("long context beta is not yet available
@@ -576,7 +616,7 @@ export async function startProxy(opts = {}) {
                         method: req.method ?? 'POST',
                         headers: retryHeaders,
                         body: finalBody ? new Uint8Array(finalBody) : undefined,
-                        signal: AbortSignal.timeout(UPSTREAM_TIMEOUT_MS),
+                        signal: upstreamAbort.signal,
                     });
                     // Use the retry response from here on — peeked body is now stale
                     upstream = retry;
@@ -736,12 +776,42 @@ export async function startProxy(opts = {}) {
             }
         }
         catch (err) {
-            // Log full error server-side, return generic message to client
-            console.error('[dario] Proxy error:', sanitizeError(err));
-            res.writeHead(502, JSON_HEADERS);
-            res.end(JSON.stringify({ error: 'Proxy error', message: 'Failed to reach upstream API' }));
+            // Differentiate the three failure modes so each gets the right
+            // response (and so we don't spam logs when clients simply drop).
+            if (upstreamAbortReason === 'client_closed') {
+                if (verbose)
+                    console.log(`[dario] #${requestCount} aborted (client disconnected)`);
+            }
+            else if (upstreamAbortReason === 'timeout') {
+                console.error(`[dario] #${requestCount} upstream timeout after ${UPSTREAM_TIMEOUT_MS / 1000}s`);
+                if (!res.headersSent) {
+                    res.writeHead(504, JSON_HEADERS);
+                    res.end(JSON.stringify({ error: 'Upstream timeout', message: `Anthropic did not respond within ${UPSTREAM_TIMEOUT_MS / 1000}s` }));
+                }
+                else if (!res.writableEnded) {
+                    res.end();
+                }
+            }
+            else {
+                // Log full error server-side, return generic message to client
+                console.error('[dario] Proxy error:', sanitizeError(err));
+                if (!res.headersSent) {
+                    res.writeHead(502, JSON_HEADERS);
+                    res.end(JSON.stringify({ error: 'Proxy error', message: 'Failed to reach upstream API' }));
+                }
+                else if (!res.writableEnded) {
+                    res.end();
+                }
+            }
         }
         finally {
+            // Always clean up the upstream-abort plumbing if it was set up. The
+            // setup happens after the body-read phase, so on fast-path errors
+            // (413, body read timeout) these may still be null — guard accordingly.
+            if (upstreamTimeout !== null)
+                clearTimeout(upstreamTimeout);
+            if (onClientClose !== null)
+                req.off('close', onClientClose);
             semaphore.release();
         }
     });
@@ -754,22 +824,39 @@ export async function startProxy(opts = {}) {
         }
         process.exit(1);
     });
-    server.listen(port, LOCALHOST, () => {
+    server.listen(port, host, () => {
         const modeLine = passthrough
             ? 'Mode: passthrough (OAuth swap only, no injection)'
             : `OAuth: ${status.status} (expires in ${status.expiresIn})`;
         const modelLine = modelOverride ? `Model: ${modelOverride} (all requests)` : 'Model: passthrough (client decides)';
+        // Display URL uses `localhost` for loopback binds and the literal host
+        // for exposed binds, so the printed URL is the one a client would
+        // actually use to reach the proxy.
+        const displayHost = isLoopbackHost(host) ? 'localhost' : host;
         console.log('');
-        console.log(`  dario — http://localhost:${port}`);
+        console.log(`  dario — http://${displayHost}:${port}`);
         console.log('');
         console.log('  Your Claude subscription is now an API.');
         console.log('');
         console.log('  Usage:');
-        console.log(`    ANTHROPIC_BASE_URL=http://localhost:${port}`);
+        console.log(`    ANTHROPIC_BASE_URL=http://${displayHost}:${port}`);
         console.log('    ANTHROPIC_API_KEY=dario');
         console.log('');
         console.log(`  ${modeLine}`);
         console.log(`  ${modelLine}`);
+        if (!isLoopbackHost(host)) {
+            console.log('');
+            console.log(`  ⚠  Bound to ${host} — reachable from other machines on the network.`);
+            if (!apiKey) {
+                console.log('     DARIO_API_KEY is not set. Any host that can reach this port can');
+                console.log('     proxy requests through your OAuth subscription. Set DARIO_API_KEY');
+                console.log('     before exposing dario beyond loopback.');
+            }
+            else {
+                console.log('     DARIO_API_KEY is set — clients must send x-api-key or Authorization');
+                console.log('     to be accepted.');
+            }
+        }
         console.log('');
     });
     // Session presence heartbeat — keeps the OAuth session marked active

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.4.1",
+  "version": "3.4.4",
   "description": "Use your Claude subscription as an API. No API key needed. Local proxy for Claude Max/Pro subscriptions.",
   "type": "module",
   "bin": {
@@ -26,7 +26,9 @@
     "start": "node dist/cli.js",
     "dev": "tsx src/cli.ts",
     "e2e": "node test/e2e.mjs",
-    "compat": "node test/compat.mjs"
+    "compat": "node test/compat.mjs",
+    "lint:pkg": "node scripts/check-package-json.mjs",
+    "fix:pkg": "node -e \"const fs=require('fs');fs.writeFileSync('package.json',JSON.stringify(JSON.parse(fs.readFileSync('package.json','utf-8')),null,2)+'\\n')\""
   },
   "keywords": [
     "claude",