🚀 Socket Launch Week Day 4:Socket MCP Adds Org Alerts, Threat Feed Review, and Package Inspection.Learn more
Sign In

@askalf/dario

Package Overview
Dependencies
Maintainers
1
Versions
293
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@askalf/dario - npm Package Compare versions

Comparing version
4.8.77
 to
4.8.78
+8
-0
dist/cch.d.ts

@@ -19,1 +19,9 @@ /** Verified per-release seeds, keyed on `major.minor.patch`. */

export declare function cchForBody(bodyText: string, version: string): string | null;
/**
* Return `bodyText` with the billing-tag cch replaced in place by the
* deterministic value for `version`, or unchanged when the version has no
* known seed or the body has no billing token. The replacement is anchored to
* the billing tag (CCH_RE), so conversation content that quotes a cch is never
* touched. Used by the proxy at outbound-serialize time.
*/
export declare function stampCch(bodyText: string, version: string): string;
+24
-2
dist/cch.js

@@ -105,6 +105,15 @@ // Deterministic Claude Code request-integrity hash (`cch`) — dario#528.

}
const CCH_RE = /cch=[0-9a-fA-F]{5}/;
// Match the cch token INSIDE the billing tag specifically — never a stray
// `cch=#####` quoted in conversation content (which sorts before `system` in
// the body, so a naive first-match would grab it, mis-hash, AND silently
// rewrite the user's text at stamp time — dario#528). Anchor on the
// `cc_entrypoint=<value>; cch=` that immediately precedes it in the billing
// header. The entrypoint value is BOUNDED ({1,32}) so the match stays linear
// on a 10 MB body — an unbounded `[^"]*?` span here is O(n^2) when the anchor
// repeats (CodeQL js/polynomial-redos). Anchoring is also what real CC must
// do, so this matches upstream behavior, not just our own correctness.
const CCH_RE = /(cc_entrypoint=[a-z0-9-]{1,32}; cch=)[0-9a-fA-F]{5}(?=;)/;
/** Build the canonical cch pre-image bytes from a serialized request body. */
function cchMaterial(bodyText) {
const zeroed = bodyText.replace(CCH_RE, 'cch=00000'); // first occurrence only
const zeroed = bodyText.replace(CCH_RE, (_m, prefix) => `${prefix}00000`);
const body = JSON.parse(zeroed);

@@ -141,1 +150,14 @@ body.model = '';

}
/**
* Return `bodyText` with the billing-tag cch replaced in place by the
* deterministic value for `version`, or unchanged when the version has no
* known seed or the body has no billing token. The replacement is anchored to
* the billing tag (CCH_RE), so conversation content that quotes a cch is never
* touched. Used by the proxy at outbound-serialize time.
*/
export function stampCch(bodyText, version) {
const cch = cchForBody(bodyText, version);
if (cch === null)
return bodyText;
return bodyText.replace(CCH_RE, (_m, prefix) => `${prefix}${cch}`);
}
+1
-1
package.json
{
"name": "@askalf/dario",
"version": "4.8.77",
"version": "4.8.78",
"description": "Use your Claude Pro/Max subscription in any tool — Cursor, Cline, Aider, the Agent SDK, your scripts — at subscription pricing, not per-token API bills. One local Anthropic + OpenAI-compatible endpoint.",

@@ -5,0 +5,0 @@ "type": "module",

dist/proxy.js

Sorry, the diff of this file is too big to display