@askalf/dario 4.8.124 → 4.8.126
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/oauth.js +7 -4
- package/dist/scrub-template.js +14 -3
- package/package.json +1 -1
package/dist/oauth.js
CHANGED
|
@@ -454,8 +454,8 @@ export async function startAutoOAuthFlow() {
|
|
|
454
454
|
// Exchange the code for tokens
|
|
455
455
|
server.close();
|
|
456
456
|
exchangeCodeWithRedirect(code, codeVerifier, state, port)
|
|
457
|
-
.then(resolve)
|
|
458
|
-
.catch(reject);
|
|
457
|
+
.then((tokens) => { clearTimeout(loginTimeout); resolve(tokens); })
|
|
458
|
+
.catch((e) => { clearTimeout(loginTimeout); reject(e); });
|
|
459
459
|
});
|
|
460
460
|
let port = 0;
|
|
461
461
|
server.listen(0, 'localhost', async () => {
|
|
@@ -490,11 +490,14 @@ export async function startAutoOAuthFlow() {
|
|
|
490
490
|
server.on('error', (err) => {
|
|
491
491
|
reject(new Error(`Failed to start OAuth callback server: ${err.message}`));
|
|
492
492
|
});
|
|
493
|
-
// Timeout after 5 minutes
|
|
494
|
-
|
|
493
|
+
// Timeout after 5 minutes. unref so a completed login (server already
|
|
494
|
+
// closed, promise resolved on the success path) does not pin the process
|
|
495
|
+
// for 5 min — the #642-audit CLI hang. Also cleared on success below.
|
|
496
|
+
const loginTimeout = setTimeout(() => {
|
|
495
497
|
server.close();
|
|
496
498
|
reject(new Error('OAuth flow timed out. Try again with `dario login`.'));
|
|
497
499
|
}, 300_000);
|
|
500
|
+
loginTimeout.unref();
|
|
498
501
|
});
|
|
499
502
|
}
|
|
500
503
|
/**
|
package/dist/scrub-template.js
CHANGED
|
@@ -141,7 +141,7 @@ function removeHostContextSections(systemPrompt) {
|
|
|
141
141
|
* drift signals and leaks the bake host's repo state.
|
|
142
142
|
*/
|
|
143
143
|
function removeGitStatusBlock(systemPrompt) {
|
|
144
|
-
return systemPrompt.replace(/\ngitStatus:[\s\S]*?(?=\n# |$)/, '');
|
|
144
|
+
return systemPrompt.replace(/\r?\ngitStatus:[\s\S]*?(?=\r?\n# |$)/, '');
|
|
145
145
|
}
|
|
146
146
|
/**
|
|
147
147
|
* Strip one named top-level section (`\n# <name>\n` through the next
|
|
@@ -150,7 +150,9 @@ function removeGitStatusBlock(systemPrompt) {
|
|
|
150
150
|
*/
|
|
151
151
|
function removeSection(systemPrompt, name) {
|
|
152
152
|
const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
|
|
153
|
-
|
|
153
|
+
// \r?\n tolerates a CRLF capture; [ \t]* tolerates trailing whitespace on the
|
|
154
|
+
// heading line — either would otherwise leave a host-context section unstripped.
|
|
155
|
+
const heading = new RegExp(`\\r?\\n# ${escaped}[ \\t]*\\r?\\n`);
|
|
154
156
|
let out = systemPrompt;
|
|
155
157
|
while (true) {
|
|
156
158
|
const m = heading.exec(out);
|
|
@@ -158,7 +160,7 @@ function removeSection(systemPrompt, name) {
|
|
|
158
160
|
return out;
|
|
159
161
|
const sectionStart = m.index;
|
|
160
162
|
const afterHeading = out.slice(sectionStart + m[0].length);
|
|
161
|
-
const nextHeading = /\n# /.exec(afterHeading);
|
|
163
|
+
const nextHeading = /\r?\n# /.exec(afterHeading);
|
|
162
164
|
const sectionEnd = nextHeading
|
|
163
165
|
? sectionStart + m[0].length + nextHeading.index
|
|
164
166
|
: out.length;
|
|
@@ -203,5 +205,14 @@ export function findUserPathHits(text) {
|
|
|
203
205
|
if (matches)
|
|
204
206
|
hits.push(...matches);
|
|
205
207
|
}
|
|
208
|
+
// A host-context section still present here means removeSection failed to
|
|
209
|
+
// strip it (e.g. a CRLF capture or a renamed heading). Flag it so the drift-
|
|
210
|
+
// gate fails the release rather than shipping the leak (#642-audit).
|
|
211
|
+
for (const name of HOST_CONTEXT_SECTION_HEADINGS) {
|
|
212
|
+
const esc = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
|
|
213
|
+
if (new RegExp(`\\r?\\n# ${esc}[ \\t]*\\r?\\n`).test(text)) {
|
|
214
|
+
hits.push(`# ${name} (host-context section not stripped)`);
|
|
215
|
+
}
|
|
216
|
+
}
|
|
206
217
|
return hits;
|
|
207
218
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@askalf/dario",
|
|
3
|
-
"version": "4.8.
|
|
3
|
+
"version": "4.8.126",
|
|
4
4
|
"description": "Use your Claude Pro/Max subscription in any tool — Cursor, Cline, Aider, the Agent SDK, your scripts — at subscription pricing, not per-token API bills. One local Anthropic + OpenAI-compatible endpoint.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|