claude-scionos 4.1.7 → 4.1.9

package/README.fr.md

@@ -93,7 +93,7 @@ Backends de stockage sécurisés :
 - macOS : Keychain
 - Linux : Secret Service via `secret-tool`
 
-Sous Windows, si le fichier local du token est vide ou corrompu, `claude-scionos` le traite désormais comme absent au lieu d'essayer de l'utiliser. Il faut relancer `claude-scionos auth login` pour enregistrer un nouveau token.
+Sous Windows, `claude-scionos` laisse maintenant PowerShell gérer uniquement le chiffrement et le déchiffrement DPAPI, tandis que Node.js écrit et lit directement le fichier sécurisé. Cela corrige le cas où le fichier du token était créé mais restait vide. Si un ancien fichier local est vide ou corrompu, `claude-scionos` le traite comme absent au lieu d'essayer de l'utiliser. Il faut relancer `claude-scionos auth login` pour enregistrer un nouveau token.
 
 Gestion du token :
 
@@ -137,6 +137,7 @@ Cas courants :
 - `Claude Code CLI not found` : installer `@anthropic-ai/claude-code`
 - `Git Bash is required on Windows` : installer Git for Windows
 - `ANTHROPIC_AUTH_TOKEN ... is required when using --no-prompt` : définir la variable d'environnement ou stocker le token au préalable
+- `Secure token file was created but no encrypted content was written` : mettre à jour vers `4.1.9` ou plus récent, puis relancer `claude-scionos auth login`
 - `Stored token` est indiqué comme absent sous Windows alors qu'un login a déjà été fait : relancer `claude-scionos auth login`, car le fichier DPAPI local peut être vide ou corrompu
 - `secret-tool not found` : installer un client Secret Service sous Linux ou utiliser la variable d'environnement
 

package/README.md

@@ -93,7 +93,7 @@ Secure storage backends:
 - macOS: Keychain
 - Linux: Secret Service via `secret-tool`
 
-On Windows, if the secure token file is empty or corrupted, `claude-scionos` now treats it as missing instead of trying to use it. Run `claude-scionos auth login` again to store a fresh token.
+On Windows, `claude-scionos` now lets PowerShell handle only DPAPI encryption and decryption, while Node.js writes and reads the secure token file directly. This fixes the case where the secure token file was created but left empty. If an older file is empty or corrupted, `claude-scionos` treats it as missing instead of trying to use it. Run `claude-scionos auth login` again to store a fresh token.
 
 Manage the token with:
 
@@ -137,6 +137,7 @@ Common cases:
 - `Claude Code CLI not found`: install `@anthropic-ai/claude-code`
 - `Git Bash is required on Windows`: install Git for Windows
 - `ANTHROPIC_AUTH_TOKEN ... is required when using --no-prompt`: set the environment variable or store the token first
+- `Secure token file was created but no encrypted content was written`: update to `4.1.9` or later, then re-run `claude-scionos auth login`
 - `Stored token` is missing on Windows even though you already logged in: re-run `claude-scionos auth login` because the local DPAPI token file may be empty or corrupted
 - `secret-tool not found`: install a Secret Service client on Linux or rely on the environment variable
 

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "claude-scionos",
-    "version": "4.1.7",
+    "version": "4.1.9",
     "description": "RouterLab launcher, strategy proxy and secure token wrapper for Claude Code CLI",
     "type": "module",
     "main": "index.js",
@@ -48,7 +48,7 @@
     "devDependencies": {
         "@eslint/js": "^10.0.1",
         "eslint": "^10.2.0",
-        "globals": "^17.4.0",
+        "globals": "^17.5.0",
         "vitest": "^4.1.4"
     }
 }

package/src/routerlab.js

@@ -234,6 +234,23 @@ function hasVerifiedModelIds(modelIds) {
   return Array.isArray(modelIds) && modelIds.length > 0;
 }
 
+function hasExploitableModelIds(modelIds, serviceValue = DEFAULT_SERVICE) {
+  if (!hasVerifiedModelIds(modelIds)) {
+    return false;
+  }
+
+  const serviceStrategies = getServiceStrategies(serviceValue);
+  const knownModelIds = new Set(
+    serviceStrategies.flatMap((strategy) => getRequiredModels(strategy)),
+  );
+
+  if (knownModelIds.size === 0) {
+    return false;
+  }
+
+  return modelIds.some((modelId) => knownModelIds.has(modelId));
+}
+
 function assessStrategy(strategyValue, modelIds = [], serviceValue = DEFAULT_SERVICE) {
   const serviceLabel = getServiceLabel(serviceValue);
   const strategy = findStrategy(strategyValue, serviceValue);
@@ -256,7 +273,7 @@ function assessStrategy(strategyValue, modelIds = [], serviceValue = DEFAULT_SER
     };
   }
 
-  if (!hasVerifiedModelIds(modelIds)) {
+  if (!hasExploitableModelIds(modelIds, serviceValue)) {
     return {
       available: true,
       level: 'unknown',
@@ -316,7 +333,7 @@ function assessStrategyLaunch(strategyValue, modelIds = [], serviceValue = DEFAU
     };
   }
 
-  if (!requiredModels.length || !hasVerifiedModelIds(modelIds)) {
+  if (!requiredModels.length || !hasExploitableModelIds(modelIds, serviceValue)) {
     return {
       ready: availability.level !== 'unavailable',
       note: availability.note,
@@ -351,7 +368,7 @@ function assessStrategyLaunch(strategyValue, modelIds = [], serviceValue = DEFAU
 }
 
 function getFallbackStrategy(strategyValue, modelIds = [], serviceValue = DEFAULT_SERVICE) {
-  if (hasVerifiedModelIds(modelIds)) {
+  if (hasExploitableModelIds(modelIds, serviceValue)) {
     return assessStrategyLaunch(strategyValue, modelIds, serviceValue).ready ? strategyValue : null;
   }
 
@@ -448,14 +465,10 @@ function storeToken(token, serviceValue = DEFAULT_SERVICE) {
     const tokenFile = getWindowsTokenFile(service.value);
     const encodedToken = encodeTokenForPowerShell(token);
     fs.mkdirSync(path.dirname(tokenFile), {recursive: true});
-    runPowerShell(
-      `$token = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('${encodedToken}')); if ([string]::IsNullOrEmpty($token)) { throw "Token input is empty" }; $secure = ConvertTo-SecureString $token -AsPlainText -Force; $encrypted = ConvertFrom-SecureString $secure; Set-Content -Path $env:SCIONOS_TOKEN_FILE -Value $encrypted -NoNewline`,
-      {
-        env: {
-          SCIONOS_TOKEN_FILE: tokenFile,
-        },
-      },
+    const encrypted = runPowerShell(
+      `$token = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('${encodedToken}')); if ([string]::IsNullOrEmpty($token)) { throw "Token input is empty" }; $secure = ConvertTo-SecureString $token -AsPlainText -Force; ConvertFrom-SecureString $secure`,
     );
+    fs.writeFileSync(tokenFile, encrypted, 'utf8');
 
     if (!hasNonEmptyWindowsTokenFile(tokenFile)) {
       throw new Error('Secure token file was created but no encrypted content was written');
@@ -522,16 +535,17 @@ function getStoredToken(serviceValue = DEFAULT_SERVICE) {
       return null;
     }
 
+    const encrypted = fs.readFileSync(tokenFile, 'utf8').trim();
+    if (!encrypted) {
+      return null;
+    }
+
+    const encodedEncrypted = encodeTokenForPowerShell(encrypted);
     const token = runPowerShell(
-      '$secure = Get-Content -Path $env:SCIONOS_TOKEN_FILE -Raw | ConvertTo-SecureString; $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure); try { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) } finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }',
-      {
-        env: {
-          SCIONOS_TOKEN_FILE: tokenFile,
-        },
-      },
+      `$secure = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('${encodedEncrypted}')) | ConvertTo-SecureString; $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure); try { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) } finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }`,
     );
     return token || null;
-  }
+  }
 
   if (process.platform === 'darwin') {
     const result = runCommand('security', [
@@ -628,6 +642,7 @@ export {
   getServiceStrategies,
   getStoredToken,
   getStoredTokenStatus,
+  hasExploitableModelIds,
   getStrategyChoices,
   hasVerifiedModelIds,
   listStrategies,