@askalf/dario 4.8.124 → 4.8.126

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/oauth.js CHANGED
@@ -454,8 +454,8 @@ export async function startAutoOAuthFlow() {
454
454
  // Exchange the code for tokens
455
455
  server.close();
456
456
  exchangeCodeWithRedirect(code, codeVerifier, state, port)
457
- .then(resolve)
458
- .catch(reject);
457
+ .then((tokens) => { clearTimeout(loginTimeout); resolve(tokens); })
458
+ .catch((e) => { clearTimeout(loginTimeout); reject(e); });
459
459
  });
460
460
  let port = 0;
461
461
  server.listen(0, 'localhost', async () => {
@@ -490,11 +490,14 @@ export async function startAutoOAuthFlow() {
490
490
  server.on('error', (err) => {
491
491
  reject(new Error(`Failed to start OAuth callback server: ${err.message}`));
492
492
  });
493
- // Timeout after 5 minutes
494
- setTimeout(() => {
493
+ // Timeout after 5 minutes. unref so a completed login (server already
494
+ // closed, promise resolved on the success path) does not pin the process
495
+ // for 5 min — the #642-audit CLI hang. Also cleared on success below.
496
+ const loginTimeout = setTimeout(() => {
495
497
  server.close();
496
498
  reject(new Error('OAuth flow timed out. Try again with `dario login`.'));
497
499
  }, 300_000);
500
+ loginTimeout.unref();
498
501
  });
499
502
  }
500
503
  /**
@@ -141,7 +141,7 @@ function removeHostContextSections(systemPrompt) {
141
141
  * drift signals and leaks the bake host's repo state.
142
142
  */
143
143
  function removeGitStatusBlock(systemPrompt) {
144
- return systemPrompt.replace(/\ngitStatus:[\s\S]*?(?=\n# |$)/, '');
144
+ return systemPrompt.replace(/\r?\ngitStatus:[\s\S]*?(?=\r?\n# |$)/, '');
145
145
  }
146
146
  /**
147
147
  * Strip one named top-level section (`\n# <name>\n` through the next
@@ -150,7 +150,9 @@ function removeGitStatusBlock(systemPrompt) {
150
150
  */
151
151
  function removeSection(systemPrompt, name) {
152
152
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
153
- const heading = new RegExp(`\\n# ${escaped}\\n`);
153
+ // \r?\n tolerates a CRLF capture; [ \t]* tolerates trailing whitespace on the
154
+ // heading line — either would otherwise leave a host-context section unstripped.
155
+ const heading = new RegExp(`\\r?\\n# ${escaped}[ \\t]*\\r?\\n`);
154
156
  let out = systemPrompt;
155
157
  while (true) {
156
158
  const m = heading.exec(out);
@@ -158,7 +160,7 @@ function removeSection(systemPrompt, name) {
158
160
  return out;
159
161
  const sectionStart = m.index;
160
162
  const afterHeading = out.slice(sectionStart + m[0].length);
161
- const nextHeading = /\n# /.exec(afterHeading);
163
+ const nextHeading = /\r?\n# /.exec(afterHeading);
162
164
  const sectionEnd = nextHeading
163
165
  ? sectionStart + m[0].length + nextHeading.index
164
166
  : out.length;
@@ -203,5 +205,14 @@ export function findUserPathHits(text) {
203
205
  if (matches)
204
206
  hits.push(...matches);
205
207
  }
208
+ // A host-context section still present here means removeSection failed to
209
+ // strip it (e.g. a CRLF capture or a renamed heading). Flag it so the drift-
210
+ // gate fails the release rather than shipping the leak (#642-audit).
211
+ for (const name of HOST_CONTEXT_SECTION_HEADINGS) {
212
+ const esc = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
213
+ if (new RegExp(`\\r?\\n# ${esc}[ \\t]*\\r?\\n`).test(text)) {
214
+ hits.push(`# ${name} (host-context section not stripped)`);
215
+ }
216
+ }
206
217
  return hits;
207
218
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@askalf/dario",
3
- "version": "4.8.124",
3
+ "version": "4.8.126",
4
4
  "description": "Use your Claude Pro/Max subscription in any tool — Cursor, Cline, Aider, the Agent SDK, your scripts — at subscription pricing, not per-token API bills. One local Anthropic + OpenAI-compatible endpoint.",
5
5
  "type": "module",
6
6
  "bin": {