@askalf/dario 4.8.37 → 4.8.39

package/dist/cc-template.d.ts

@@ -129,6 +129,7 @@ export declare function orderHeadersForOutbound(headers: Record<string, string>,
  */
 export declare function orderBodyForOutbound(body: Record<string, unknown>, overrideOrder?: string[] | undefined): Record<string, unknown>;
 export declare function scrubFrameworkIdentifiers(text: string): string;
+export declare function scrubFrameworkIdentifiersInContent(text: string): string;
 /**
  * Detect text-tool-protocol clients (Cline, Kilo Code, Roo Code and
  * their forks) by fingerprinting the incoming system prompt.

package/dist/cc-template.js

@@ -247,9 +247,31 @@ const FRAMEWORK_PATTERNS = [
     // OC's sessions_* tool-name prefix — flagged as a fingerprint in dario#23.
     /\bsessions_[a-z_]+\b/gi,
 ];
-export function scrubFrameworkIdentifiers(text) {
+// Patterns SAFE to apply to message *content* (user data: source code, docs,
+// tool output). This is the small subset of FRAMEWORK_PATTERNS that consists
+// only of distinctive, multi-word / unambiguous product identifiers which
+// effectively never appear verbatim in real code or prose. It deliberately
+// EXCLUDES every bare single-word pattern (`continue`, `cursor`, `gateway`,
+// `openai`, `hermes`, `zed`, `tabby`, `cody`, `aider`, `cline`, `copilot`,
+// `windsurf`, …) because those collide with ordinary code tokens and English.
+// Stripping those from a user's payload silently CORRUPTS it: the JS keyword
+// `continue;` became `;` (because Continue.dev is on the list), which made a
+// code auditor report a bare-semicolon "no-op" that THIS PROXY had introduced.
+// A proxy must never mutate the user's content — identity-masking of the
+// *client's framing* is the job of the system-prompt scrub, which still uses
+// the full FRAMEWORK_PATTERNS set.
+const CONTENT_FRAMEWORK_PATTERNS = [
+    /\b(roo[- ]?cline|roo[- ]?code|big[- ]?agi|claude[- ]?bridge)\b/gi,
+    /\b(librechat|typingmind)\b/gi,
+    // NOTE: deliberately omits `/powered by [a-z]+/` and `/\bgateway\b/` etc.
+    // from FRAMEWORK_PATTERNS — those would strip legitimate user content like
+    // a "Powered by Stripe" footer or a `gateway` variable. Only distinctive,
+    // multi-token product names that never occur verbatim in real code/data are
+    // safe to mask in the user's payload.
+];
+function scrubWithPatterns(text, patterns) {
     let result = text;
-    for (const pattern of FRAMEWORK_PATTERNS) {
+    for (const pattern of patterns) {
         pattern.lastIndex = 0;
         result = result.replace(pattern, (match, ...args) => {
             const offset = args[args.length - 2];
@@ -271,6 +293,15 @@ export function scrubFrameworkIdentifiers(text) {
     }
     return result;
 }
+// Scrub the CLIENT'S system prompt / identity fields — full pattern set.
+export function scrubFrameworkIdentifiers(text) {
+    return scrubWithPatterns(text, FRAMEWORK_PATTERNS);
+}
+// Scrub message CONTENT (the user's code/data) — content-safe subset only, so
+// a user's payload is never corrupted. See CONTENT_FRAMEWORK_PATTERNS.
+export function scrubFrameworkIdentifiersInContent(text) {
+    return scrubWithPatterns(text, CONTENT_FRAMEWORK_PATTERNS);
+}
 /**
  * Detect text-tool-protocol clients (Cline, Kilo Code, Roo Code and
  * their forks) by fingerprinting the incoming system prompt.
@@ -1237,25 +1268,29 @@ export function buildCCRequest(clientBody, billingTag, cacheControl, identity, o
     // system array a second time per request. Scrub applies at this
     // point so framework identifiers don't leak upstream.
     let systemText = scrubFrameworkIdentifiers(rawSystemForDetection);
-    // Also scrub framework identifiers from message content text blocks.
-    // Clients often inject their product name into user/tool messages as well,
-    // and the system-prompt-only scrub used to miss those.
+    // Also scrub framework identifiers from message content text blocks —
+    // clients can leak their product name in user/tool messages too. This uses
+    // the CONTENT-SAFE subset (scrubFrameworkIdentifiersInContent), NOT the full
+    // pattern set: message content is the user's own code/data and must never be
+    // mutated. The full set ran here previously and corrupted source — the JS
+    // keyword `continue;` became `;` (Continue.dev is a scrubbed name), so a code
+    // auditor "found" a bare-semicolon no-op the proxy itself had introduced.
     for (const msg of messages) {
         if (typeof msg.content === 'string') {
-            msg.content = scrubFrameworkIdentifiers(msg.content);
+            msg.content = scrubFrameworkIdentifiersInContent(msg.content);
         }
         else if (Array.isArray(msg.content)) {
             for (const block of msg.content) {
                 if (block.type === 'text' && typeof block.text === 'string') {
-                    block.text = scrubFrameworkIdentifiers(block.text);
+                    block.text = scrubFrameworkIdentifiersInContent(block.text);
                 }
                 if (block.type === 'tool_result' && typeof block.content === 'string') {
-                    block.content = scrubFrameworkIdentifiers(block.content);
+                    block.content = scrubFrameworkIdentifiersInContent(block.content);
                 }
                 if (block.type === 'tool_result' && Array.isArray(block.content)) {
                     for (const sub of block.content) {
                         if (sub.type === 'text' && typeof sub.text === 'string') {
-                            sub.text = scrubFrameworkIdentifiers(sub.text);
+                            sub.text = scrubFrameworkIdentifiersInContent(sub.text);
                         }
                     }
                 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askalf/dario",
-  "version": "4.8.37",
+  "version": "4.8.39",
   "description": "Use your Claude Pro/Max subscription in any tool — Cursor, Cline, Aider, the Agent SDK, your scripts — at subscription pricing, not per-token API bills. One local Anthropic + OpenAI-compatible endpoint.",
   "type": "module",
   "bin": {