npm - @askalf/dario - Versions diffs - 3.6.1 → 3.7.1 - Mend

@askalf/dario 3.6.1 → 3.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -438,6 +438,38 @@ Dario auto-detects OAuth config from the installed Claude Code binary. When CC s
 **I'm hitting rate limits on the Claude backend. What do I do?**
 Claude subscriptions have rolling 5-hour and 7-day usage windows. Check utilization with Claude Code's `/usage` command or the [statusline](https://code.claude.com/docs/en/statusline). For multi-agent workloads, add more accounts and let pool mode distribute the load: `dario accounts add <alias>`.
+**I'm seeing `representative-claim: seven_day` in my rate-limit headers instead of `five_hour`. Am I being downgraded to API billing?**
+**No.** You're still on subscription billing. Both `five_hour` and `seven_day` are the same subscription billing mode — they're just two different accounting buckets inside it.
+Here's the full picture. Every Claude Max and Pro subscription has **two rolling usage windows**:
+- **5-hour window** — your short-term usage bucket. Refreshes on a rolling 5-hour schedule. It's the one you'll see most of the time if you use Claude casually.
+- **7-day window** — your longer-term usage bucket. Refreshes on a rolling 7-day schedule. It's intentionally larger than the 5-hour one so you can keep working past brief bursts of heavy usage.
+When Anthropic bills a request, it decides which bucket to charge it against based on your current utilization. That decision comes back to you in the `anthropic-ratelimit-unified-representative-claim` response header:
+| Claim | What it means |
+|---|---|
+| `five_hour` | You're well inside your 5-hour window; billing against the short-term bucket. |
+| `seven_day` | You've exhausted (or come close to exhausting) the 5-hour window for this rolling cycle, so Anthropic is now charging this request against the 7-day bucket. **Still subscription billing. Still your plan.** Not API pricing, not overage. |
+| `overage` | Both subscription windows are effectively exhausted. *This* is where per-token Extra Usage charges kick in — if you've enabled Extra Usage on the account. If you haven't, you get 429'd instead. |
+**Seeing `seven_day` is a healthy state.** It means your Max/Pro plan is doing exactly what it's supposed to do: letting you keep working past short bursts of heavy use by absorbing them into the larger 7-day bucket. Your subscription is not being "downgraded." You're not being charged API rates. Nothing has reclassified you to a worse billing tier. When your 5-hour window rolls forward enough, the claim on new requests will go back to `five_hour` on its own.
+**What about `overage`?** That's the state to watch. It means both windows are saturated and Anthropic is either billing you per-token under Extra Usage (if enabled) or refusing the request (if disabled). If you see this on a Claude Max account under normal use, it usually means (a) you're running a multi-agent workload that's genuinely outgrowing one subscription, or (b) Anthropic's session-level classifier has reclassified your long-running OAuth session as agentic load — see the next FAQ entry for the mechanism.
+**Checking where you stand.** You can inspect your current utilization three ways:
+1. **Claude Code's built-in command** — run `/usage` inside a `claude` session. Shows both windows as percentages with reset times.
+2. **The statusline** — see [Claude Code's statusline docs](https://code.claude.com/docs/en/statusline) for a per-prompt readout.
+3. **Dario's pool endpoint** — `curl http://localhost:3456/accounts` when running pool mode. The returned snapshot includes `util5h`, `util7d`, and `claim` per account.
+**Practical answer if `seven_day` is painful for your workload.** Add more Claude subscriptions to the pool. Each account has its own independent 5-hour and 7-day windows, and dario pool mode will route each request to the account with the most headroom (`1 - max(util5h, util7d)`). With 2-3 accounts, you almost never see the `seven_day` bucket get touched because the router steers traffic to whichever account still has `five_hour` headroom. `dario accounts add <alias>`.
+**Dario's test suite asserts `five_hour` — what if I see failures saying `got: seven_day`?** Some of dario's stealth-test assertions use `representative-claim == "five_hour"` as a shorthand for "is subscription billing classification working?" That assertion is correct for a fresh account but noisy for an account that's been developed against heavily — exactly the situation our own CI hits after an afternoon of test runs. If you're running the stealth suite against an account that's been busy recently and you see failures of the form `Billing claim is five_hour` / `got: seven_day`, that's a test infrastructure limitation, not a dario bug. The request was still billed against your subscription, which is what matters. These assertions will be tightened in a follow-up so they accept both buckets.
+Standalone writeup with more detail: [Discussion #32 — why you see `representative-claim: seven_day` and why it's not a downgrade](https://github.com/askalf/dario/discussions/32).
 **My multi-agent workload is getting reclassified to overage even though dario template-replays per request. Why?**
 Reclassification at high agent volume is not a per-request problem. Anthropic's classifier operates on cumulative per-OAuth-session aggregates — token throughput, conversation depth, streaming duration, inter-arrival timing, thinking-block volume. Dario's Claude backend can make each individual request indistinguishable from Claude Code and still hit this wall on a long-running agent session, because the wall isn't at the request level. Thorough diagnostic work on this was contributed by [@belangertrading](https://github.com/belangertrading) in [#23](https://github.com/askalf/dario/issues/23), including the v3.4.3/v3.4.5 hardening that landed as a result. The practical answer at the dario layer is **pool mode** — distribute load across multiple subscriptions so no single account accumulates enough signal to trip anything. See [Multi-Account Pool Mode](#multi-account-pool-mode).

package/dist/cc-template.d.ts CHANGED Viewed

@@ -16,8 +16,24 @@ export declare const CC_SYSTEM_PROMPT: string;
 /** CC's agent identity string. */
 export declare const CC_AGENT_IDENTITY: string;
 export declare function scrubFrameworkIdentifiers(text: string): string;
-/** Client tool name → CC tool mapping with parameter translation. */
-interface ToolMapping {
+/**
+ * Client tool name → CC tool mapping with parameter translation.
+ *
+ * `translateArgs` runs forward (client → CC) when building the upstream
+ * request. `translateBack` runs reverse (CC → client) when rewriting
+ * the upstream response so the client receives tool_use input in the
+ * shape its own validator expects. The forward direction is lossy
+ * (multiple client field names may collapse to one CC field), so the
+ * reverse picks the *primary* client field name — the first one in
+ * the forward function's `||` chain. That's the field the client's
+ * own schema defines, which is the one its validator will accept.
+ *
+ * Issue #29 (boeingchoco) is the bug this layer fixes: prior to v3.7.0,
+ * dario rewrote the tool name on response (Bash → process) but left
+ * the input shape alone, so the client saw `{command: ...}` against a
+ * schema that wanted `{action: ...}` and rejected the call.
+ */
+export interface ToolMapping {
     ccTool: string;
     translateArgs?: (args: Record<string, unknown>) => Record<string, unknown>;
     translateBack?: (args: Record<string, unknown>) => Record<string, unknown>;
@@ -42,7 +58,57 @@ export declare function buildCCRequest(clientBody: Record<string, unknown>, bill
     unmappedTools: string[];
 };
 /**
- * Reverse-map CC tool calls in a response back to client tool names.
+ * Reverse-map CC tool calls in a non-streaming response back to the
+ * client's original tool names AND parameter shapes. Walks the parsed
+ * JSON `content` array and rewrites every `tool_use` block. If the
+ * body isn't valid JSON (e.g. an error response, a partial chunk),
+ * returns it unchanged.
  */
 export declare function reverseMapResponse(responseBody: string, toolMap: Map<string, ToolMapping>): string;
-export {};
+/**
+ * Streaming reverse-mapper for SSE responses.
+ *
+ * The non-streaming reverse-map can rewrite tool_use input in one pass
+ * because it sees the whole `input` object. SSE streaming arrives in
+ * three phases per tool_use block:
+ *
+ *   content_block_start  → carries `tool_use.name` and `tool_use.input: {}`
+ *   content_block_delta  → carries `input_json_delta.partial_json` chunks
+ *                          that, concatenated, form the full input JSON
+ *   content_block_stop   → end of the block
+ *
+ * To rewrite the parameter shape we need the FULL input, which only
+ * exists at content_block_stop. So for tool_use blocks that need
+ * translation, we:
+ *
+ *   1. Forward content_block_start with the rewritten name (so clients
+ *      see their own tool name immediately and can start tracking it)
+ *   2. Swallow content_block_delta events for that block, accumulating
+ *      partial_json into a per-block buffer
+ *   3. On content_block_stop, parse the accumulated input, apply
+ *      translateBack, and emit ONE synthetic content_block_delta with
+ *      the full translated input as a single partial_json string,
+ *      followed by the original content_block_stop event
+ *
+ * Trade-off: clients that consume tool_use input as it streams (rare
+ * but possible) will see the input arrive as a single chunk at the
+ * end of the block instead of streaming character-by-character. For
+ * tool_use that's acceptable — input is usually small (<1KB) and the
+ * alternative is parameter-shape mismatch causing validation errors.
+ *
+ * For tool_use blocks that DON'T have a translateBack mapping (or
+ * aren't in the reverseMap at all), the streaming mapper passes the
+ * original SSE bytes through unchanged.
+ *
+ * Usage:
+ *
+ *   const mapper = createStreamingReverseMapper(toolMap);
+ *   for await (const chunk of upstream) res.write(mapper.feed(chunk));
+ *   const tail = mapper.end();
+ *   if (tail.length) res.write(tail);
+ */
+export interface StreamingReverseMapper {
+    feed(chunk: Uint8Array): Uint8Array;
+    end(): Uint8Array;
+}
+export declare function createStreamingReverseMapper(toolMap: Map<string, ToolMapping>): StreamingReverseMapper;

package/dist/cc-template.js CHANGED Viewed

@@ -41,42 +41,154 @@ export function scrubFrameworkIdentifiers(text) {
 }
 const TOOL_MAP = {
     // Direct maps
-    bash: { ccTool: 'Bash', translateArgs: (a) => ({ command: a.cmd || a.command || a.c || '' }) },
-    exec: { ccTool: 'Bash', translateArgs: (a) => ({ command: a.cmd || a.command || a.c || '' }) },
-    shell: { ccTool: 'Bash', translateArgs: (a) => ({ command: a.cmd || a.command || a.c || '' }) },
-    run: { ccTool: 'Bash', translateArgs: (a) => ({ command: a.cmd || a.command || '' }) },
-    command: { ccTool: 'Bash', translateArgs: (a) => ({ command: a.cmd || a.command || '' }) },
-    terminal: { ccTool: 'Bash', translateArgs: (a) => ({ command: a.cmd || a.command || '' }) },
-    process: { ccTool: 'Bash', translateArgs: (a) => ({ command: a.action || a.cmd || '' }) },
-    read: { ccTool: 'Read', translateArgs: (a) => ({ file_path: a.path || a.file_path || '' }) },
-    read_file: { ccTool: 'Read', translateArgs: (a) => ({ file_path: a.path || a.file_path || '' }) },
-    write: { ccTool: 'Write', translateArgs: (a) => ({ file_path: a.path || a.file_path || '', content: a.content || '' }) },
-    write_file: { ccTool: 'Write', translateArgs: (a) => ({ file_path: a.path || a.file_path || '', content: a.content || '' }) },
-    edit: { ccTool: 'Edit', translateArgs: (a) => ({ file_path: a.path || a.file_path || '', old_string: a.old || a.old_string || '', new_string: a.new || a.new_string || '' }) },
+    bash: {
+        ccTool: 'Bash',
+        translateArgs: (a) => ({ command: a.cmd || a.command || a.c || '' }),
+        translateBack: (a) => ({ cmd: a.command ?? '' }),
+    },
+    exec: {
+        ccTool: 'Bash',
+        translateArgs: (a) => ({ command: a.cmd || a.command || a.c || '' }),
+        translateBack: (a) => ({ cmd: a.command ?? '' }),
+    },
+    shell: {
+        ccTool: 'Bash',
+        translateArgs: (a) => ({ command: a.cmd || a.command || a.c || '' }),
+        translateBack: (a) => ({ cmd: a.command ?? '' }),
+    },
+    run: {
+        ccTool: 'Bash',
+        translateArgs: (a) => ({ command: a.cmd || a.command || '' }),
+        translateBack: (a) => ({ cmd: a.command ?? '' }),
+    },
+    command: {
+        ccTool: 'Bash',
+        translateArgs: (a) => ({ command: a.cmd || a.command || '' }),
+        translateBack: (a) => ({ cmd: a.command ?? '' }),
+    },
+    terminal: {
+        ccTool: 'Bash',
+        translateArgs: (a) => ({ command: a.cmd || a.command || '' }),
+        translateBack: (a) => ({ cmd: a.command ?? '' }),
+    },
+    process: {
+        ccTool: 'Bash',
+        translateArgs: (a) => ({ command: a.action || a.cmd || '' }),
+        translateBack: (a) => ({ action: a.command ?? '' }),
+    },
+    read: {
+        ccTool: 'Read',
+        translateArgs: (a) => ({ file_path: a.path || a.file_path || '' }),
+        translateBack: (a) => ({ path: a.file_path ?? '' }),
+    },
+    read_file: {
+        ccTool: 'Read',
+        translateArgs: (a) => ({ file_path: a.path || a.file_path || '' }),
+        translateBack: (a) => ({ path: a.file_path ?? '' }),
+    },
+    write: {
+        ccTool: 'Write',
+        translateArgs: (a) => ({ file_path: a.path || a.file_path || '', content: a.content || '' }),
+        translateBack: (a) => ({ path: a.file_path ?? '', content: a.content ?? '' }),
+    },
+    write_file: {
+        ccTool: 'Write',
+        translateArgs: (a) => ({ file_path: a.path || a.file_path || '', content: a.content || '' }),
+        translateBack: (a) => ({ path: a.file_path ?? '', content: a.content ?? '' }),
+    },
+    edit: {
+        ccTool: 'Edit',
+        translateArgs: (a) => ({ file_path: a.path || a.file_path || '', old_string: a.old || a.old_string || '', new_string: a.new || a.new_string || '' }),
+        translateBack: (a) => ({ path: a.file_path ?? '', old: a.old_string ?? '', new: a.new_string ?? '' }),
+    },
     edit_file: { ccTool: 'Edit' },
     glob: { ccTool: 'Glob' },
-    find_files: { ccTool: 'Glob', translateArgs: (a) => ({ pattern: a.pattern || a.query || '' }) },
-    list_files: { ccTool: 'Glob', translateArgs: (a) => ({ pattern: a.pattern || '*' }) },
+    find_files: {
+        ccTool: 'Glob',
+        translateArgs: (a) => ({ pattern: a.pattern || a.query || '' }),
+        translateBack: (a) => ({ pattern: a.pattern ?? '' }),
+    },
+    list_files: {
+        ccTool: 'Glob',
+        translateArgs: (a) => ({ pattern: a.pattern || '*' }),
+        translateBack: (a) => ({ pattern: a.pattern ?? '' }),
+    },
     grep: { ccTool: 'Grep' },
-    search: { ccTool: 'Grep', translateArgs: (a) => ({ pattern: a.query || a.pattern || '' }) },
-    search_files: { ccTool: 'Grep', translateArgs: (a) => ({ pattern: a.query || a.pattern || '' }) },
-    web_search: { ccTool: 'WebSearch', translateArgs: (a) => ({ query: a.query || a.q || '' }) },
-    websearch: { ccTool: 'WebSearch', translateArgs: (a) => ({ query: a.query || a.q || '' }) },
-    web_fetch: { ccTool: 'WebFetch', translateArgs: (a) => ({ url: a.url || a.u || '' }) },
-    webfetch: { ccTool: 'WebFetch', translateArgs: (a) => ({ url: a.url || a.u || '' }) },
-    fetch: { ccTool: 'WebFetch', translateArgs: (a) => ({ url: a.url || '' }) },
-    browse: { ccTool: 'WebFetch', translateArgs: (a) => ({ url: a.url || '' }) },
+    search: {
+        ccTool: 'Grep',
+        translateArgs: (a) => ({ pattern: a.query || a.pattern || '' }),
+        translateBack: (a) => ({ query: a.pattern ?? '' }),
+    },
+    search_files: {
+        ccTool: 'Grep',
+        translateArgs: (a) => ({ pattern: a.query || a.pattern || '' }),
+        translateBack: (a) => ({ query: a.pattern ?? '' }),
+    },
+    web_search: {
+        ccTool: 'WebSearch',
+        translateArgs: (a) => ({ query: a.query || a.q || '' }),
+        translateBack: (a) => ({ query: a.query ?? '' }),
+    },
+    websearch: {
+        ccTool: 'WebSearch',
+        translateArgs: (a) => ({ query: a.query || a.q || '' }),
+        translateBack: (a) => ({ query: a.query ?? '' }),
+    },
+    web_fetch: {
+        ccTool: 'WebFetch',
+        translateArgs: (a) => ({ url: a.url || a.u || '' }),
+        translateBack: (a) => ({ url: a.url ?? '' }),
+    },
+    webfetch: {
+        ccTool: 'WebFetch',
+        translateArgs: (a) => ({ url: a.url || a.u || '' }),
+        translateBack: (a) => ({ url: a.url ?? '' }),
+    },
+    fetch: {
+        ccTool: 'WebFetch',
+        translateArgs: (a) => ({ url: a.url || '' }),
+        translateBack: (a) => ({ url: a.url ?? '' }),
+    },
+    browse: {
+        ccTool: 'WebFetch',
+        translateArgs: (a) => ({ url: a.url || '' }),
+        translateBack: (a) => ({ url: a.url ?? '' }),
+    },
     notebook: { ccTool: 'NotebookEdit' },
     notebook_edit: { ccTool: 'NotebookEdit' },
     // Additional client tool mappings
-    browser: { ccTool: 'WebFetch', translateArgs: (a) => ({ url: String(a.url || '') }) },
-    message: { ccTool: 'AskUserQuestion', translateArgs: (a) => ({ question: String(a.message || a.content || '') }) },
-    todo_read: { ccTool: 'TodoWrite', translateArgs: () => ({ todos: [] }) },
-    todo_write: { ccTool: 'TodoWrite', translateArgs: (a) => ({ todos: a.todos || [] }) },
-    notebook_read: { ccTool: 'NotebookEdit', translateArgs: (a) => ({ notebook_path: String(a.notebook_path || a.path || '') }) },
+    browser: {
+        ccTool: 'WebFetch',
+        translateArgs: (a) => ({ url: String(a.url || '') }),
+        translateBack: (a) => ({ url: a.url ?? '' }),
+    },
+    message: {
+        ccTool: 'AskUserQuestion',
+        translateArgs: (a) => ({ question: String(a.message || a.content || '') }),
+        translateBack: (a) => ({ message: a.question ?? '' }),
+    },
+    todo_read: {
+        ccTool: 'TodoWrite',
+        translateArgs: () => ({ todos: [] }),
+        translateBack: () => ({}),
+    },
+    todo_write: {
+        ccTool: 'TodoWrite',
+        translateArgs: (a) => ({ todos: a.todos || [] }),
+        translateBack: (a) => ({ todos: a.todos ?? [] }),
+    },
+    notebook_read: {
+        ccTool: 'NotebookEdit',
+        translateArgs: (a) => ({ notebook_path: String(a.notebook_path || a.path || '') }),
+        translateBack: (a) => ({ notebook_path: a.notebook_path ?? '' }),
+    },
     enter_plan_mode: { ccTool: 'EnterPlanMode' },
     exit_plan_mode: { ccTool: 'ExitPlanMode' },
-    enter_worktree: { ccTool: 'EnterWorktree', translateArgs: (a) => ({ path: a.path }) },
+    enter_worktree: {
+        ccTool: 'EnterWorktree',
+        translateArgs: (a) => ({ path: a.path }),
+        translateBack: (a) => ({ path: a.path ?? '' }),
+    },
     exit_worktree: { ccTool: 'ExitWorktree' },
 };
 /**
@@ -287,23 +399,20 @@ export function buildCCRequest(clientBody, billingTag, cache1h, identity, opts =
     return { body: ccRequest, toolMap: activeToolMap, unmappedTools };
 }
 /**
- * Reverse-map CC tool calls in a response back to client tool names.
+ * Build the CC-name → {clientName, mapping} reverse lookup used by both
+ * the non-streaming and streaming reverse-mappers. Two-pass construction
+ * preserves the original identity-protection rule: when a client sent a
+ * tool with the literal CC name (e.g. `WebSearch`), that pairing claims
+ * the CC slot first so a later unmapped-tool fallback that also lands
+ * on `WebSearch` can't overwrite it.
  */
-export function reverseMapResponse(responseBody, toolMap) {
-    if (toolMap.size === 0)
-        return responseBody;
-    let result = responseBody;
-    // Build reverse map: CC tool name → original client tool name.
-    // Two passes so identity mappings (client sent a tool with the real CC
-    // name) claim their CC slot first and can never be overwritten by a
-    // non-identity entry. Without this, a collision between a direct
-    // `WebSearch` and an unmapped-tool fallback landing on `WebSearch` could
-    // rewrite the real search response to the wrong client name.
+function buildReverseLookup(toolMap) {
     const reverseMap = new Map();
     const identityClaimed = new Set();
     for (const [clientName, mapping] of toolMap) {
         if (clientName.toLowerCase() === mapping.ccTool.toLowerCase()) {
             identityClaimed.add(mapping.ccTool);
+            reverseMap.set(mapping.ccTool, { clientName, mapping });
         }
     }
     for (const [clientName, mapping] of toolMap) {
@@ -311,10 +420,275 @@ export function reverseMapResponse(responseBody, toolMap) {
             continue;
         if (identityClaimed.has(mapping.ccTool))
             continue;
-        reverseMap.set(mapping.ccTool, clientName);
+        reverseMap.set(mapping.ccTool, { clientName, mapping });
     }
-    for (const [ccName, clientName] of reverseMap) {
-        result = result.replace(new RegExp(`"name"\\s*:\\s*"${ccName}"`, 'g'), `"name":"${clientName}"`);
+    return reverseMap;
+}
+/**
+ * Apply the reverse mapping to a single tool_use block in place.
+ * Mutates `block.name` (CC name → client name) and `block.input`
+ * (CC parameter shape → client parameter shape) when the mapping
+ * has a `translateBack`. Identity mappings and mappings with no
+ * `translateBack` defined leave the input unchanged.
+ *
+ * Issue #29 fix lives here: previously only the name was rewritten,
+ * leaving the input shape in CC's parameter names which the client's
+ * own validator would reject.
+ */
+function rewriteToolUseBlock(block, reverseMap) {
+    const ccName = block.name;
+    if (typeof ccName !== 'string')
+        return;
+    const entry = reverseMap.get(ccName);
+    if (!entry)
+        return;
+    block.name = entry.clientName;
+    if (entry.mapping.translateBack && block.input && typeof block.input === 'object') {
+        try {
+            block.input = entry.mapping.translateBack(block.input);
+        }
+        catch {
+            // If the translateBack throws on unexpected shape, leave input
+            // alone rather than crashing the response. The client will see
+            // the same broken input it would have seen pre-v3.7.0.
+        }
     }
-    return result;
+}
+/**
+ * Reverse-map CC tool calls in a non-streaming response back to the
+ * client's original tool names AND parameter shapes. Walks the parsed
+ * JSON `content` array and rewrites every `tool_use` block. If the
+ * body isn't valid JSON (e.g. an error response, a partial chunk),
+ * returns it unchanged.
+ */
+export function reverseMapResponse(responseBody, toolMap) {
+    if (toolMap.size === 0)
+        return responseBody;
+    const reverseMap = buildReverseLookup(toolMap);
+    let parsed;
+    try {
+        parsed = JSON.parse(responseBody);
+    }
+    catch {
+        return responseBody;
+    }
+    const content = parsed.content;
+    if (!Array.isArray(content))
+        return responseBody;
+    for (const block of content) {
+        if (block && typeof block === 'object' && block.type === 'tool_use') {
+            rewriteToolUseBlock(block, reverseMap);
+        }
+    }
+    return JSON.stringify(parsed);
+}
+export function createStreamingReverseMapper(toolMap) {
+    const noop = {
+        feed: (chunk) => chunk,
+        end: () => new Uint8Array(0),
+    };
+    if (toolMap.size === 0)
+        return noop;
+    const reverseMap = buildReverseLookup(toolMap);
+    // If no mapping needs translation, fall back to identity behavior
+    // so we don't pay the SSE-parsing cost on every chunk.
+    let anyNeedsTranslation = false;
+    for (const { mapping } of reverseMap.values()) {
+        if (mapping.translateBack) {
+            anyNeedsTranslation = true;
+            break;
+        }
+    }
+    if (!anyNeedsTranslation)
+        return noop;
+    const decoder = new TextDecoder();
+    const encoder = new TextEncoder();
+    // We process on SSE event-group boundaries, not line boundaries.
+    // Events are separated by a blank line (two consecutive newlines);
+    // within an event group there may be multiple header lines like
+    // `event: content_block_delta` and `data: {...}`. The old code
+    // processed one line at a time, which meant swallowed deltas left
+    // orphan `event:` lines and synthetic delta+stop emissions joined
+    // two `data:` lines without a blank-line separator — which SSE
+    // parsers concatenate into one malformed multi-line event that
+    // fails JSON.parse downstream. v3.7.1 fixes both by processing
+    // whole event groups.
+    let groupBuffer = '';
+    // index → BufferedToolBlock for tool_use content blocks currently
+    // being held for end-of-block translation.
+    const buffered = new Map();
+    /**
+     * Build a complete SSE event group string with an `event:` header
+     * and a `data:` line. Used when emitting rewritten or synthetic
+     * events so the wire format matches what upstream produces.
+     */
+    function buildEvent(type, payload) {
+        return `event: ${type}\ndata: ${JSON.stringify(payload)}`;
+    }
+    /**
+     * Process one complete SSE event group. Returns:
+     *   - a string with one or more rewritten event groups separated
+     *     by "\n\n" (no trailing blank line — the caller adds that)
+     *   - null to drop the event group entirely (swallow)
+     *   - the original `eventText` to pass through unchanged
+     *
+     * An event group is the text between blank lines. It may contain
+     * lines like `event: <type>`, `data: <payload>`, `id:`, `retry:`
+     * in any order. We only look at the `data:` line (Anthropic never
+     * uses multi-line data payloads).
+     */
+    function processEventGroup(eventText) {
+        if (eventText === '')
+            return eventText;
+        // Find the data: line. Anthropic's SSE uses one data: per event.
+        const lines = eventText.split('\n');
+        let dataLineIdx = -1;
+        let dataText = '';
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (line.startsWith('data:')) {
+                dataLineIdx = i;
+                dataText = line.slice(5).trim();
+                break;
+            }
+        }
+        if (dataLineIdx === -1 || dataText === '' || dataText === '[DONE]') {
+            return eventText;
+        }
+        let event;
+        try {
+            event = JSON.parse(dataText);
+        }
+        catch {
+            return eventText;
+        }
+        const type = event.type;
+        if (type === 'content_block_start') {
+            const idx = typeof event.index === 'number' ? event.index : -1;
+            const block = event.content_block;
+            if (block && block.type === 'tool_use' && typeof block.name === 'string') {
+                const entry = reverseMap.get(block.name);
+                if (entry && entry.mapping.translateBack && idx >= 0) {
+                    // Stash the block so we can flush a translated version at
+                    // content_block_stop. Emit a rewritten start event now so
+                    // the client sees its own tool name immediately.
+                    buffered.set(idx, {
+                        ccName: block.name,
+                        mapping: entry.mapping,
+                        clientName: entry.clientName,
+                        partial: '',
+                    });
+                    block.name = entry.clientName;
+                    // Reset input to empty so the client doesn't see CC's empty
+                    // placeholder before the translated full input arrives.
+                    block.input = {};
+                    return buildEvent('content_block_start', event);
+                }
+                // Tool we don't translate — just rewrite the name in place.
+                if (entry) {
+                    block.name = entry.clientName;
+                    return buildEvent('content_block_start', event);
+                }
+            }
+            return eventText;
+        }
+        if (type === 'content_block_delta') {
+            const idx = typeof event.index === 'number' ? event.index : -1;
+            const buf = idx >= 0 ? buffered.get(idx) : undefined;
+            if (!buf)
+                return eventText;
+            const delta = event.delta;
+            if (delta && delta.type === 'input_json_delta' && typeof delta.partial_json === 'string') {
+                buf.partial += delta.partial_json;
+                // Swallow the whole event group — including any `event:`
+                // header line the upstream emitted for it — because we'll
+                // emit a synthetic combined delta at content_block_stop.
+                return null;
+            }
+            return eventText;
+        }
+        if (type === 'content_block_stop') {
+            const idx = typeof event.index === 'number' ? event.index : -1;
+            const buf = idx >= 0 ? buffered.get(idx) : undefined;
+            if (!buf)
+                return eventText;
+            let translatedInput = {};
+            let parseOk = true;
+            try {
+                const parsedInput = JSON.parse(buf.partial || '{}');
+                translatedInput = buf.mapping.translateBack
+                    ? buf.mapping.translateBack(parsedInput)
+                    : parsedInput;
+            }
+            catch {
+                parseOk = false;
+            }
+            buffered.delete(idx);
+            if (!parseOk) {
+                // Fall back to passing the original partial through unchanged
+                // so the client at least sees whatever upstream actually sent.
+                // Emit as TWO separate SSE events with blank-line separators.
+                const passthroughDelta = {
+                    type: 'content_block_delta',
+                    index: idx,
+                    delta: { type: 'input_json_delta', partial_json: buf.partial },
+                };
+                return (buildEvent('content_block_delta', passthroughDelta) +
+                    '\n\n' +
+                    buildEvent('content_block_stop', event));
+            }
+            const synthDelta = {
+                type: 'content_block_delta',
+                index: idx,
+                delta: { type: 'input_json_delta', partial_json: JSON.stringify(translatedInput) },
+            };
+            // Emit as TWO separate SSE events joined by a blank line so
+            // downstream parsers see them as distinct events. The outer
+            // processBuffer will append one more "\n\n" after the final
+            // event in this group, which is correct SSE framing.
+            return (buildEvent('content_block_delta', synthDelta) +
+                '\n\n' +
+                buildEvent('content_block_stop', event));
+        }
+        return eventText;
+    }
+    function processBuffer(flush) {
+        // Split the accumulated buffer on "\n\n" (SSE event separator).
+        // Every complete part is a full event group; the last part is
+        // either empty (the trailing blank after a completed event) or
+        // a partial event that needs to wait for more bytes.
+        const parts = groupBuffer.split('\n\n');
+        if (!flush) {
+            // Hold the last (potentially incomplete) part back.
+            groupBuffer = parts.pop() ?? '';
+        }
+        else {
+            groupBuffer = '';
+        }
+        const out = [];
+        for (const part of parts) {
+            if (part === '')
+                continue;
+            const processed = processEventGroup(part);
+            if (processed !== null)
+                out.push(processed);
+        }
+        // Each emitted event (or multi-event group) needs a trailing
+        // blank line so the SSE framing is correct. We join with "\n\n"
+        // and append "\n\n" so both the inter-group and final
+        // separators are present.
+        return out.length > 0 ? out.join('\n\n') + '\n\n' : '';
+    }
+    return {
+        feed(chunk) {
+            groupBuffer += decoder.decode(chunk, { stream: true });
+            const out = processBuffer(false);
+            return out.length > 0 ? encoder.encode(out) : new Uint8Array(0);
+        },
+        end() {
+            groupBuffer += decoder.decode();
+            const out = processBuffer(true);
+            return out.length > 0 ? encoder.encode(out) : new Uint8Array(0);
+        },
+    };
 }

package/dist/oauth.js CHANGED Viewed

@@ -6,8 +6,9 @@
  */
 import { randomBytes, createHash } from 'node:crypto';
 import { readFile, writeFile, mkdir, rename } from 'node:fs/promises';
+import { execFile } from 'node:child_process';
 import { dirname, join } from 'node:path';
-import { homedir } from 'node:os';
+import { homedir, platform } from 'node:os';
 import { detectCCOAuthConfig } from './cc-oauth-detect.js';
 // OAuth config is auto-detected at runtime from the installed Claude Code
 // binary. This eliminates the "Anthropic rotated the client_id again" class
@@ -44,12 +45,45 @@ function getDarioCredentialsPath() {
 function getClaudeCodeCredentialsPath() {
     return join(homedir(), '.claude', '.credentials.json');
 }
+/**
+ * Read Claude Code credentials from the OS keychain.
+ *
+ * Modern CC versions (since ~1.0.17) store OAuth tokens in the OS credential
+ * store instead of ~/.claude/.credentials.json:
+ *   - macOS: Keychain, service "Claude Code-credentials"
+ *   - Linux: libsecret / Secret Service D-Bus API via `secret-tool`
+ *   - Windows: Windows Credential Manager via `cmdkey` (not yet implemented)
+ */
+async function loadKeychainCredentials() {
+    try {
+        if (platform() === 'darwin') {
+            const raw = await new Promise((resolve, reject) => {
+                execFile('security', ['find-generic-password', '-s', 'Claude Code-credentials', '-w'], { timeout: 5000 }, (err, stdout) => (err ? reject(err) : resolve(stdout.trim())));
+            });
+            const parsed = JSON.parse(raw);
+            if (parsed?.claudeAiOauth?.accessToken && parsed?.claudeAiOauth?.refreshToken) {
+                return parsed;
+            }
+        }
+        else if (platform() === 'linux') {
+            const raw = await new Promise((resolve, reject) => {
+                execFile('secret-tool', ['lookup', 'service', 'Claude Code-credentials'], { timeout: 5000 }, (err, stdout) => (err ? reject(err) : resolve(stdout.trim())));
+            });
+            const parsed = JSON.parse(raw);
+            if (parsed?.claudeAiOauth?.accessToken && parsed?.claudeAiOauth?.refreshToken) {
+                return parsed;
+            }
+        }
+    }
+    catch { /* keychain not available or no entry */ }
+    return null;
+}
 export async function loadCredentials() {
     // Return cached if fresh
     if (credentialsCache && Date.now() - credentialsCacheTime < CACHE_TTL_MS) {
         return credentialsCache;
     }
-    // Try dario's own credentials first, then fall back to Claude Code's
+    // Try dario's own credentials first, then fall back to Claude Code's file
     for (const path of [getDarioCredentialsPath(), getClaudeCodeCredentialsPath()]) {
         try {
             const raw = await readFile(path, 'utf-8');
@@ -62,6 +96,13 @@ export async function loadCredentials() {
         }
         catch { /* try next */ }
     }
+    // Fall back to OS keychain (modern CC stores credentials here, not on disk)
+    const keychainCreds = await loadKeychainCredentials();
+    if (keychainCreds) {
+        credentialsCache = keychainCreds;
+        credentialsCacheTime = Date.now();
+        return credentialsCache;
+    }
     return null;
 }
 async function saveCredentials(creds) {

package/dist/proxy.js CHANGED Viewed

@@ -6,7 +6,7 @@ import { join } from 'node:path';
 import { homedir } from 'node:os';
 import { arch, platform } from 'node:process';
 import { getAccessToken, getStatus } from './oauth.js';
-import { buildCCRequest, reverseMapResponse } from './cc-template.js';
+import { buildCCRequest, reverseMapResponse, createStreamingReverseMapper } from './cc-template.js';
 import { AccountPool, parseRateLimits } from './pool.js';
 import { Analytics } from './analytics.js';
 import { loadAllAccounts, loadAccount, refreshAccountToken } from './accounts.js';
@@ -872,6 +872,15 @@ export async function startProxy(opts = {}) {
                 // Stream SSE chunks through
                 const reader = upstream.body.getReader();
                 const decoder = new TextDecoder();
+                // Stateful streaming reverse-mapper for tool_use blocks. Buffers
+                // input_json_delta chunks per content block and emits a single
+                // synthetic delta with the translated parameter shape on
+                // content_block_stop. Issue #29 fix lives here for the streaming
+                // path; the non-streaming reverseMapResponse covers buffered
+                // responses below.
+                const streamMapper = ccToolMap && !isOpenAI
+                    ? createStreamingReverseMapper(ccToolMap)
+                    : null;
                 try {
                     let buffer = '';
                     const MAX_LINE_LENGTH = 1_000_000; // 1MB max per SSE line
@@ -894,15 +903,13 @@ export async function startProxy(opts = {}) {
                                     res.write(translated);
                             }
                         }
+                        else if (streamMapper) {
+                            const out = streamMapper.feed(value);
+                            if (out.length > 0)
+                                res.write(out);
+                        }
                         else {
-                            // Reverse tool names in streaming chunks
-                            if (ccToolMap && ccToolMap.size > 0) {
-                                const text = new TextDecoder().decode(value);
-                                res.write(reverseMapResponse(text, ccToolMap));
-                            }
-                            else {
-                                res.write(value);
-                            }
+                            res.write(value);
                         }
                     }
                     // Flush remaining buffer
@@ -911,6 +918,11 @@ export async function startProxy(opts = {}) {
                         if (translated)
                             res.write(translated);
                     }
+                    if (streamMapper) {
+                        const tail = streamMapper.end();
+                        if (tail.length > 0)
+                            res.write(tail);
+                    }
                 }
                 catch (err) {
                     if (verbose)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "3.6.1",
+  "version": "3.7.1",
   "description": "A local LLM router. One endpoint, every provider — Claude subscriptions, OpenAI, OpenRouter, Groq, local LiteLLM, any OpenAI-compat endpoint — your tools don't need to change.",
   "type": "module",
   "bin": {
@@ -21,6 +21,7 @@
   ],
   "scripts": {
     "build": "tsc && cp src/cc-template-data.json dist/",
+    "test": "node test/issue-29-tool-translation.mjs",
     "audit": "npm audit --production --audit-level=high",
     "prepublishOnly": "npm run build",
     "start": "node dist/cli.js",