eeymoo/claude-code-source-code
1
0
Fork 0
mirror of https://github.com/sanbuphy/claude-code-source-code.git synced 2026-04-03 11:34:54 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add source code analysis docs: telemetry, codenames, undercover mode, remote control, roadmap

Browse Source 
5 bilingual (EN/ZH) analysis documents covering:
- Telemetry & privacy (opt-out-free data collection)
- Hidden features & model codenames (Tengu, Capybara, Fennec, Numbat)
- Undercover mode (AI attribution stripping in open-source)
- Remote control & killswitches (managed settings, feature flags)
- Future roadmap (Numbat model, KAIROS autonomous mode, voice input)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
sanbuphy
2026-03-31 19:41:11 +08:00
parent 19b097b6c9
commit de14c0ace8
10 changed files with 1232 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
docs/en/01-telemetry-and-privacy.md Normal file
View File

@@ -0,0 +1,124 @@
# Telemetry & Privacy Analysis
> Based on Claude Code v2.1.88 decompiled source code analysis.
## Overview
Claude Code implements a two-tier analytics pipeline that collects extensive environment and usage metadata. While there is no evidence of keylogging or source code exfiltration, the breadth of collection and inability to fully opt out raises legitimate privacy concerns.
## Data Pipeline Architecture
### First-Party Logging (1P)
- **Endpoint**: `https://api.anthropic.com/api/event_logging/batch`
- **Protocol**: OpenTelemetry with Protocol Buffers
- **Batch size**: Up to 200 events per batch, flushed every 10 seconds
- **Retry**: Quadratic backoff, up to 8 attempts, disk-persisted for durability
- **Storage**: Failed events saved to `~/.claude/telemetry/`
Source: `src/services/analytics/firstPartyEventLoggingExporter.ts`
### Third-Party Logging (Datadog)
- **Endpoint**: `https://http-intake.logs.us5.datadoghq.com/api/v2/logs`
- **Scope**: Limited to 64 pre-approved event types
- **Token**: `pubbbf48e6d78dae54bceaa4acf463299bf`
Source: `src/services/analytics/datadog.ts`
## What Is Collected
### Environment Fingerprint
Every event carries this metadata (`src/services/analytics/metadata.ts:417-452`):
```
- platform, platformRaw, arch, nodeVersion
- terminal type
- installed package managers and runtimes
- CI/CD detection, GitHub Actions metadata
- WSL version, Linux distro, kernel version
- VCS (version control system) type
- Claude Code version and build time
- deployment environment
```
### Process Metrics (`metadata.ts:457-467`)
```
- uptime, rss, heapTotal, heapUsed
- CPU usage and percentage
- memory arrays and external allocations
```
### User Tracking (`metadata.ts:472-496`)
```
- model in use
- session ID, user ID, device ID
- account UUID, organization UUID
- subscription tier (max, pro, enterprise, team)
- repository remote URL hash (SHA256, first 16 chars)
- agent type, team name, parent session ID
```
### Tool Input Logging
Tool inputs are truncated by default:
```
- Strings: truncated at 512 chars, displayed as 128 + ellipsis
- JSON: limited to 4,096 chars
- Arrays: max 20 items
- Nested objects: max 2 levels deep
```
Source: `metadata.ts:236-241`
However, when `OTEL_LOG_TOOL_DETAILS=1` is set, **full tool inputs are logged**.
Source: `metadata.ts:86-88`
### File Extension Tracking
Bash commands involving `rm, mv, cp, touch, mkdir, chmod, chown, cat, head, tail, sort, stat, diff, wc, grep, rg, sed` have their file arguments' extensions extracted and logged.
Source: `metadata.ts:340-412`
## The Opt-Out Problem
The first-party logging pipeline **cannot be disabled** for direct Anthropic API users.
```typescript
// src/services/analytics/firstPartyEventLogger.ts:141-144
export function is1PEventLoggingEnabled(): boolean {
return !isAnalyticsDisabled()
}
```
`isAnalyticsDisabled()` returns true only for:
- Test environments
- Third-party cloud providers (Bedrock, Vertex)
- Global telemetry opt-out (not exposed in settings UI)
There is **no user-facing setting** to disable first-party event logging.
## GrowthBook A/B Testing
Users are assigned to experiment groups via GrowthBook without explicit consent. The system sends user attributes including:
```
- id, sessionId, deviceID
- platform, organizationUUID, subscriptionType
```
Source: `src/services/analytics/growthbook.ts`
## Key Takeaways
1. **Volume**: Hundreds of events per session are collected
2. **No opt-out**: First-party logging cannot be disabled by direct API users
3. **Persistence**: Failed events are saved to disk and retried aggressively
4. **Third-party sharing**: Data flows to Datadog
5. **Tool detail backdoor**: `OTEL_LOG_TOOL_DETAILS=1` enables full input logging
6. **Repository fingerprinting**: Repo URLs are hashed and sent for server-side correlation

112
docs/en/02-hidden-features-and-codenames.md Normal file
View File

@@ -0,0 +1,112 @@
# Hidden Features & Model Codenames
> Based on Claude Code v2.1.88 decompiled source code analysis.
## Model Codename System
Anthropic uses **animal names** as internal model codenames. These are aggressively protected from leaking into external builds.
### Known Codenames
| Codename | Role | Evidence |
|----------|------|----------|
| **Tengu** (天狗) | Product/telemetry prefix, possibly a model | Used as `tengu_*` prefix for all 250+ analytics events and feature flags |
| **Capybara** | Sonnet-series model, currently at v8 | `capybara-v2-fast[1m]`, prompt patches for v8 behavior issues |
| **Fennec** (耳廓狐) | Predecessor to Opus 4.6 | Migration: `fennec-latest``opus` |
| **Numbat** (袋食蚁兽) | Next model launch | Comment: "Remove this section when we launch numbat" |
### Codename Protection
The `undercover` mode explicitly lists protected codenames:
```typescript
// src/utils/undercover.ts:48-49
NEVER include in commit messages or PR descriptions:
- Internal model codenames (animal names like Capybara, Tengu, etc.)
- Unreleased model version numbers (e.g., opus-4-7, sonnet-4-8)
```
The build system uses `scripts/excluded-strings.txt` to scan for leaked codenames. Buddy system species are encoded via `String.fromCharCode()` to avoid triggering the canary:
```typescript
// src/buddy/types.ts:10-13
// One species name collides with a model-codename canary in excluded-strings.txt.
// The check greps build output (not source), so runtime-constructing the value keeps
// the literal out of the bundle while the check stays armed for the actual codename.
```
That colliding species is **capybara** — both a pet species and a model codename.
### Capybara Behavior Issues (v8)
Source code reveals specific behavioral problems with Capybara v8:
1. **Stop sequence false trigger** (~10% rate when `<functions>` at prompt tail)
- Source: `src/utils/messages.ts:2141`
2. **Empty tool_result causes zero output**
- Source: `src/utils/toolResultStorage.ts:281`
3. **Over-commenting** — requires dedicated anti-comment prompt patches
- Source: `src/constants/prompts.ts:204`
4. **High false-claims rate**: v8 has 29-30% FC rate vs v4's 16.7%
- Source: `src/constants/prompts.ts:237`
5. **Insufficient verification** — requires "thoroughness counterweight"
- Source: `src/constants/prompts.ts:210`
## Feature Flag Naming Convention
All feature flags use the `tengu_` prefix with **random word pairs** to obscure their purpose:
| Flag | Purpose |
|------|---------|
| `tengu_onyx_plover` | Auto Dream (background memory consolidation) |
| `tengu_coral_fern` | memdir feature |
| `tengu_moth_copse` | Another memdir switch |
| `tengu_herring_clock` | Team memory |
| `tengu_passport_quail` | Path feature |
| `tengu_slate_thimble` | Another memdir switch |
| `tengu_sedge_lantern` | Away Summary |
| `tengu_frond_boric` | Analytics kill switch |
| `tengu_amber_quartz_disabled` | Voice mode kill switch |
| `tengu_amber_flint` | Agent teams |
| `tengu_hive_evidence` | Verification agent |
The random word pattern (adjective/material + nature/object) prevents external observers from inferring feature purpose from flag names alone.
## Internal vs External User Difference
Anthropic employees (`USER_TYPE === 'ant'`) receive significantly better treatment:
### Prompt Differences (`src/constants/prompts.ts`)
| Dimension | External Users | Internal (ant) |
|-----------|---------------|----------------|
| Output style | "Be extra concise" | "Err on the side of more explanation" |
| False-claims mitigation | None | Dedicated Capybara v8 patches |
| Numeric length anchors | None | "≤25 words between tools, ≤100 words final" |
| Verification agent | None | Required for non-trivial changes |
| Comment guidance | Generic | Dedicated anti-over-commenting prompt |
| Proactive correction | None | "If user has misconception, say so" |
### Tool Access
Internal users have access to tools not available externally:
- `REPLTool` — REPL mode
- `SuggestBackgroundPRTool` — background PR suggestions
- `TungstenTool` — performance monitoring panel
- `VerifyPlanExecutionTool` — plan verification
- Agent nesting (agents spawning agents)
## Hidden Commands
| Command | Status | Description |
|---------|--------|-------------|
| `/btw` | Active | Ask side questions without interrupting |
| `/stickers` | Active | Order Claude Code stickers (opens browser) |
| `/thinkback` | Active | 2025 Year in Review |
| `/effort` | Active | Set model effort level |
| `/good-claude` | Stub | Hidden placeholder |
| `/bughunter` | Stub | Hidden placeholder |

110
docs/en/03-undercover-mode.md Normal file
View File

@@ -0,0 +1,110 @@
# Undercover Mode Analysis
> Based on Claude Code v2.1.88 decompiled source code analysis.
## What Is Undercover Mode?
Undercover mode is a safety system for Anthropic employees contributing to public/open-source repositories. When active, it strips all AI attribution and instructs the model to present its contributions as if written by a human developer.
Source: `src/utils/undercover.ts`
## Activation Logic
```typescript
// src/utils/undercover.ts:28-37
export function isUndercover(): boolean {
if (process.env.USER_TYPE === 'ant') {
if (isEnvTruthy(process.env.CLAUDE_CODE_UNDERCOVER)) return true
// Auto: active unless positively confirmed internal repo
return getRepoClassCached() !== 'internal'
}
return false
}
```
Key properties:
- **Internal only**: Only active for Anthropic employees (`USER_TYPE === 'ant'`)
- **Default ON**: Active in all repos except those on the internal allowlist
- **No force-off**: "There is NO force-OFF. This guards against model codename leaks"
- **External builds**: Dead-code-eliminated by the bundler; never executes
## The Prompt Given to the Model
```typescript
// src/utils/undercover.ts:39-69
export function getUndercoverInstructions(): string {
return `## UNDERCOVER MODE — CRITICAL
You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit
messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal
information. Do not blow your cover.
NEVER include in commit messages or PR descriptions:
- Internal model codenames (animal names like Capybara, Tengu, etc.)
- Unreleased model version numbers (e.g., opus-4-7, sonnet-4-8)
- Internal repo or project names (e.g., claude-cli-internal, anthropics/…)
- Internal tooling, Slack channels, or short links (e.g., go/cc, #claude-code-…)
- The phrase "Claude Code" or any mention that you are an AI
- Any hint of what model or version you are
- Co-Authored-By lines or any other attribution
Write commit messages as a human developer would — describe only what the code
change does.
GOOD:
- "Fix race condition in file watcher initialization"
- "Add support for custom key bindings"
BAD (never write these):
- "Fix bug found while testing with Claude Capybara"
- "1-shotted by claude-opus-4-6"
- "Generated with Claude Code"
- "Co-Authored-By: Claude Opus 4.6 <…>"`
}
```
## Attribution System
The attribution system (`src/utils/attribution.ts`, `src/utils/commitAttribution.ts`) complements undercover mode:
```typescript
// src/utils/attribution.ts:70-72
// @[MODEL LAUNCH]: Update the hardcoded fallback model name below
// (guards against codename leaks).
// For external repos, fall back to "Claude Opus 4.6" for unrecognized models.
```
```typescript
// src/utils/model/model.ts:386-392
function maskModelCodename(baseName: string): string {
// e.g. capybara-v2-fast → cap*****-v2-fast
const [codename = '', ...rest] = baseName.split('-')
const masked = codename.slice(0, 3) + '*'.repeat(Math.max(0, codename.length - 3))
return [masked, ...rest].join('-')
}
```
## Implications
### For Open Source
When Anthropic employees use Claude Code to contribute to open-source projects:
1. Code is written by AI but commits appear human-authored
2. No "Co-Authored-By: Claude" attribution
3. No "Generated with Claude Code" markers
4. Project maintainers and community cannot identify AI-generated contributions
5. This potentially violates open-source transparency norms regarding AI contributions
### For Anthropic's Protection
The primary stated purpose is preventing accidental leaks of:
- Internal model codenames (competitive intelligence)
- Unreleased version numbers (market timing)
- Internal infrastructure details (security)
### Ethical Considerations
The phrase "Do not blow your cover" frames the AI as an undercover agent. The intentional concealment of AI authorship in public code contributions raises questions about:
- Transparency in open-source communities
- Compliance with project contribution guidelines
- The line between trade secret protection and deception

161
docs/en/04-remote-control-and-killswitches.md Normal file
View File

@@ -0,0 +1,161 @@
# Remote Control & Killswitches
> Based on Claude Code v2.1.88 decompiled source code analysis.
## Overview
Claude Code implements multiple remote control mechanisms that allow Anthropic (and enterprise administrators) to modify behavior without explicit user consent.
## 1. Remote Managed Settings
### Architecture
Every eligible session fetches settings from:
```
GET /api/claude_code/settings
```
Source: `src/services/remoteManagedSettings/index.ts:105-107`
### Polling Behavior
```typescript
// src/services/remoteManagedSettings/index.ts:52-54
const SETTINGS_TIMEOUT_MS = 10000
const DEFAULT_MAX_RETRIES = 5
const POLLING_INTERVAL_MS = 60 * 60 * 1000 // 1 hour
```
Settings are polled every hour, with up to 5 retries on failure.
### Eligibility
- Console users (API key): All eligible
- OAuth users: Only Enterprise/C4E and Team subscribers
### Accept-or-Die Dialog
When remote settings contain "dangerous" changes, a blocking dialog is shown:
```typescript
// src/services/remoteManagedSettings/securityCheck.tsx:67-73
export function handleSecurityCheckResult(result: SecurityCheckResult): boolean {
if (result === 'rejected') {
gracefulShutdownSync(1) // Exit with code 1
return false
}
return true
}
```
Users who reject remote settings have the application **forcefully terminated**. The only options are: accept the remote settings, or Claude Code exits.
### Graceful Degradation
If the remote server is unreachable, cached settings from disk are used:
```typescript
// src/services/remoteManagedSettings/index.ts:433-436
if (cachedSettings) {
logForDebugging('Remote settings: Using stale cache after fetch failure')
setSessionCache(cachedSettings)
return cachedSettings
}
```
Once remote settings have been applied, they persist even when the server is down.
## 2. Feature Flag Killswitches
Multiple features can be remotely disabled via GrowthBook feature flags:
### Bypass Permissions Killswitch
```typescript
// src/utils/permissions/bypassPermissionsKillswitch.ts
// Checks a Statsig gate to disable bypass permissions
```
Can disable permission bypass capabilities without user consent.
### Auto Mode Circuit Breaker
```typescript
// src/utils/permissions/autoModeState.ts
// autoModeCircuitBroken state prevents re-entry to auto mode
```
Auto mode can be remotely disabled.
### Fast Mode Killswitch
```typescript
// src/utils/fastMode.ts
// Fetches from /api/claude_code_penguin_mode
// Can permanently disable fast mode for a user
```
### Analytics Sink Killswitch
```typescript
// src/services/analytics/sinkKillswitch.ts:4
const SINK_KILLSWITCH_CONFIG_NAME = 'tengu_frond_boric'
```
Can remotely stop all analytics output.
### Agent Teams Killswitch
```typescript
// src/utils/agentSwarmsEnabled.ts
// Requires both env var AND GrowthBook gate 'tengu_amber_flint'
```
### Voice Mode Killswitch
```typescript
// src/voice/voiceModeEnabled.ts:21
// 'tengu_amber_quartz_disabled' — emergency off for voice mode
```
## 3. Model Override System
Anthropic can remotely override which model internal employees use:
```typescript
// src/utils/model/antModels.ts:32-33
// @[MODEL LAUNCH]: Update tengu_ant_model_override with new ant-only models
// @[MODEL LAUNCH]: Add the codename to scripts/excluded-strings.txt
```
The `tengu_ant_model_override` GrowthBook flag can:
- Set a default model
- Set default effort level
- Append to the system prompt
- Define custom model aliases
## 4. Penguin Mode
Fast mode status is fetched from a dedicated endpoint:
```typescript
// src/utils/fastMode.ts
// GET /api/claude_code_penguin_mode
// If API indicates disabled, permanently disabled for user
```
Multiple feature flags control fast mode availability:
- `tengu_penguins_off`
- `tengu_marble_sandcastle`
## Summary
| Mechanism | Scope | User Consent |
|-----------|-------|-------------|
| Remote managed settings | Enterprise/Team | Accept or exit |
| GrowthBook feature flags | All users | None |
| Killswitches | All users | None |
| Model override | Internal (ant) | None |
| Fast mode control | All users | None |
The remote control infrastructure is extensive and operates largely without user visibility or consent. Enterprise administrators can enforce policies that users cannot override, and Anthropic can remotely change behavior for any user through feature flags.

167
docs/en/05-future-roadmap.md Normal file
View File

@@ -0,0 +1,167 @@
# Future Roadmap — What the Source Code Reveals
> Based on Claude Code v2.1.88 decompiled source code analysis.
## 1. Next Model: Numbat
The most concrete evidence of the next model launch:
```typescript
// src/constants/prompts.ts:402
// @[MODEL LAUNCH]: Remove this section when we launch numbat.
```
**Numbat** (袋食蚁兽) is the codename for an upcoming model. The comment indicates the output efficiency section will be revised when Numbat launches, suggesting it may have better native output control.
### Future Version Numbers
```typescript
// src/utils/undercover.ts:49
- Unreleased model version numbers (e.g., opus-4-7, sonnet-4-8)
```
**Opus 4.7** and **Sonnet 4.8** are in development.
### Codename Evolution Chain
```
Fennec (耳廓狐) → Opus 4.6 → [Numbat?]
Capybara (水豚) → Sonnet v8 → [?]
Tengu (天狗) → telemetry/product prefix
```
The Fennec-to-Opus migration is documented:
```typescript
// src/migrations/migrateFennecToOpus.ts:7-11
// fennec-latest → opus
// fennec-latest[1m] → opus[1m]
// fennec-fast-latest → opus[1m] + fast mode
```
### MODEL LAUNCH Checklist
The codebase contains 20+ `@[MODEL LAUNCH]` markers listing everything to update:
- Default model names (`FRONTIER_MODEL_NAME`)
- Model family IDs
- Knowledge cutoff dates
- Pricing tables
- Context window configurations
- Thinking mode support flags
- Display name mappings
- Migration scripts
## 2. KAIROS — Autonomous Agent Mode
The largest unreleased feature, KAIROS transforms Claude Code from a reactive assistant into a proactive autonomous agent.
### System Prompt (excerpts)
```
// src/constants/prompts.ts:860-913
You are running autonomously.
You will receive <tick> prompts that keep you alive between turns.
If you have nothing useful to do, call SleepTool.
Bias toward action — read files, make changes, commit without asking.
## Terminal focus
- Unfocused: The user is away. Lean heavily into autonomous action.
- Focused: The user is watching. Be more collaborative.
```
### Associated Tools
| Tool | Feature Flag | Purpose |
|------|-------------|---------|
| SleepTool | KAIROS / PROACTIVE | Control pacing between autonomous actions |
| SendUserFileTool | KAIROS | Proactively send files to users |
| PushNotificationTool | KAIROS / KAIROS_PUSH_NOTIFICATION | Push notifications to user devices |
| SubscribePRTool | KAIROS_GITHUB_WEBHOOKS | Subscribe to GitHub PR webhook events |
| BriefTool | KAIROS_BRIEF | Proactive status updates |
### Behavior
- Operates on `<tick>` heartbeat prompts
- Adjusts autonomy based on terminal focus state
- Can commit, push, and make decisions independently
- Sends proactive notifications and status updates
- Monitors GitHub PRs for changes
## 3. Voice Mode
Push-to-talk voice input is fully implemented but gated behind `VOICE_MODE` feature flag.
```typescript
// src/voice/voiceModeEnabled.ts
// Connects to Anthropic's voice_stream WebSocket endpoint
// Uses conversation_engine backed models for speech-to-text
// Hold-to-talk: hold keybinding to record, release to submit
```
- OAuth-only (no API key / Bedrock / Vertex support)
- Uses mTLS for WebSocket connections
- Killswitch: `tengu_amber_quartz_disabled`
## 4. Unreleased Tools
Tools found in source but not yet enabled for external users:
| Tool | Feature Flag | Description |
|------|-------------|-------------|
| **WebBrowserTool** | `WEB_BROWSER_TOOL` | Built-in browser automation (codename: bagel) |
| **TerminalCaptureTool** | `TERMINAL_PANEL` | Terminal panel capture and monitoring |
| **WorkflowTool** | `WORKFLOW_SCRIPTS` | Execute predefined workflow scripts |
| **MonitorTool** | `MONITOR_TOOL` | System/process monitoring |
| **SnipTool** | `HISTORY_SNIP` | Conversation history snipping/truncation |
| **ListPeersTool** | `UDS_INBOX` | Unix domain socket peer discovery |
| **RemoteTriggerTool** | `AGENT_TRIGGERS_REMOTE` | Remote agent triggering |
| **TungstenTool** | ant-only | Internal performance monitoring panel |
| **VerifyPlanExecutionTool** | VERIFY_PLAN env | Plan execution verification |
| **OverflowTestTool** | `OVERFLOW_TEST_TOOL` | Context overflow testing |
| **SubscribePRTool** | `KAIROS_GITHUB_WEBHOOKS` | GitHub PR webhook subscriptions |
## 5. Coordinator Mode
Multi-agent coordination system:
```typescript
// src/coordinator/coordinatorMode.ts
// Feature flag: COORDINATOR_MODE
```
Enables coordinated task execution across multiple agents with shared state and messaging.
## 6. Buddy System (Virtual Pets)
The complete pet companion system is implemented but not yet launched:
- **18 species**: duck, goose, blob, cat, dragon, octopus, owl, penguin, turtle, snail, ghost, axolotl, capybara, cactus, robot, rabbit, mushroom, chonk
- **5 rarity tiers**: Common (60%), Uncommon (25%), Rare (10%), Epic (4%), Legendary (1%)
- **7 hats**: crown, tophat, propeller, halo, wizard, beanie, tinyduck
- **5 stats**: DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK
- **1% shiny chance**: Sparkle variant of any species
- **Deterministic generation**: Based on hash of user ID
Source: `src/buddy/`
## 7. Dream Task
Background memory consolidation subagent:
```
// src/tasks/DreamTask/
// Auto-dreaming feature that works in the background
// Controlled by 'tengu_onyx_plover' feature flag
```
Enables the AI to autonomously process and consolidate memories during idle time.
## Summary: The Three Directions
1. **New Models**: Numbat (next), Opus 4.7, Sonnet 4.8 in development
2. **Autonomous Agent**: KAIROS mode — unattended operation, proactive actions, push notifications
3. **Multi-modal**: Voice input ready, browser tool waiting, workflow automation coming
Claude Code is evolving from a **coding assistant** into an **always-on autonomous development agent**.

109
docs/zh/01-遥测与隐私分析.md Normal file
View File

@@ -0,0 +1,109 @@
# 遥测与隐私分析
> 基于 Claude Code v2.1.88 反编译源码分析
## 概述
Claude Code 实现了双层分析管道,收集大量环境和使用元数据。虽然没有证据表明存在键盘记录或源代码窃取,但收集范围之广和无法完全退出的事实引发了合理的隐私担忧。
## 数据管道架构
### 第一方日志 (1P)
- **端点**: `https://api.anthropic.com/api/event_logging/batch`
- **协议**: OpenTelemetry + Protocol Buffers
- **批量大小**: 每批最多 200 个事件,每 10 秒刷新一次
- **重试机制**: 二次方退避,最多 8 次尝试,失败事件持久化到磁盘
- **存储位置**: `~/.claude/telemetry/`
来源: `src/services/analytics/firstPartyEventLoggingExporter.ts`
### 第三方日志 (Datadog)
- **端点**: `https://http-intake.logs.us5.datadoghq.com/api/v2/logs`
- **范围**: 仅限 64 种预批准事件类型
- **Token**: `pubbbf48e6d78dae54bceaa4acf463299bf`
来源: `src/services/analytics/datadog.ts`
## 收集了什么
### 环境指纹
每个事件都携带以下元数据 (`src/services/analytics/metadata.ts:417-452`)
```
- platform, platformRaw, arch, nodeVersion
- 终端类型
- 已安装的包管理器和运行时
- CI/CD 检测、GitHub Actions 元数据
- WSL 版本、Linux 发行版、内核版本
- 版本控制系统类型
- Claude Code 版本和构建时间
- 部署环境
```
### 进程指标 (`metadata.ts:457-467`)
```
- 运行时间、rss、heapTotal、heapUsed
- CPU 使用率和百分比
- 内存占用详情
```
### 用户追踪 (`metadata.ts:472-496`)
```
- 正在使用的模型
- 会话 ID、用户 ID、设备 ID
- 账户 UUID、组织 UUID
- 订阅等级 (max, pro, enterprise, team)
- 仓库远程 URL 哈希 (SHA256 前 16 位)
- 代理类型、团队名、父会话 ID
```
### 工具输入日志
默认截断工具输入:
```
- 字符串: 512 字符处截断,显示 128 + 省略号
- JSON: 限制 4,096 字符
- 数组: 最多 20 项
- 嵌套对象: 最多 2 层
```
然而,当设置 `OTEL_LOG_TOOL_DETAILS=1` 时,**完整工具输入会被记录**。
### 文件扩展名追踪
涉及 `rm, mv, cp, touch, mkdir, chmod, chown, cat, head, tail, sort, stat, diff, wc, grep, rg, sed` 的 Bash 命令,其文件参数的扩展名会被提取并记录。
## 无法退出的问题
第一方日志管道**无法被关闭**(对于直接使用 Anthropic API 的用户)。
`isAnalyticsDisabled()` 仅在以下情况返回 true
- 测试环境
- 第三方云提供商 (Bedrock, Vertex)
- 全局遥测退出(设置界面未暴露此选项)
**没有面向用户的设置可以禁用第一方事件日志。**
## GrowthBook A/B 测试
用户在不知情的情况下被分配到实验组。系统发送的用户属性包括:
```
- id, sessionId, deviceID
- platform, organizationUUID, subscriptionType
```
## 关键结论
1. **体量**: 每个会话收集数百个事件
2. **无法退出**: 直接 API 用户无法禁用第一方日志
3. **持久化**: 失败事件保存到磁盘并积极重试
4. **第三方共享**: 数据发送到 Datadog
5. **工具详情后门**: `OTEL_LOG_TOOL_DETAILS=1` 启用完整输入记录
6. **仓库指纹**: 仓库 URL 被哈希后发送用于服务端关联

82
docs/zh/02-隐藏功能与模型代号.md Normal file
View File

@@ -0,0 +1,82 @@
# 隐藏功能与模型代号
> 基于 Claude Code v2.1.88 反编译源码分析
## 模型代号体系
Anthropic 使用**动物名称**作为内部模型代号。这些代号被严格保护,防止泄露到外部构建中。
### 已知代号
| 代号 | 角色 | 证据 |
|------|------|------|
| **Tengu**(天狗) | 产品/遥测前缀,也可能是模型 | 所有 250+ 分析事件和 feature flag 使用 `tengu_*` 前缀 |
| **Capybara**(水豚) | Sonnet 系列模型,当前版本 v8 | `capybara-v2-fast[1m]`v8 行为问题的 prompt 补丁 |
| **Fennec**(耳廓狐) | Opus 4.6 的前代 | 迁移: `fennec-latest``opus` |
| **Numbat**(袋食蚁兽) | 下一代模型 | 注释: "Remove this section when we launch numbat" |
### 代号保护机制
Undercover 模式明确列出了受保护的代号:
```typescript
// src/utils/undercover.ts:48-49
NEVER include in commit messages or PR descriptions:
- Internal model codenames (animal names like Capybara, Tengu, etc.)
- Unreleased model version numbers (e.g., opus-4-7, sonnet-4-8)
```
构建系统使用 `scripts/excluded-strings.txt` 扫描泄露的代号。Buddy 系统的物种通过 `String.fromCharCode()` 编码以避免触发金丝雀检查:
```typescript
// src/buddy/types.ts:10-13
// One species name collides with a model-codename canary in excluded-strings.txt.
// 运行时构造值,保持字面量不出现在构建产物中
```
那个冲突的物种就是 **capybara** — 既是宠物物种又是模型代号。
### Capybara v8 的行为问题
源码揭示了 Capybara v8 的具体行为问题:
1. **停止序列误触发** (~10% 概率) — prompt 尾部出现 `<functions>`
2. **空 tool_result 导致零输出** — 需要注入 marker workaround
3. **过度写注释** — 需要专门的反注释 prompt 补丁
4. **高虚假声明率**: v8 为 29-30%,而 v4 为 16.7%
5. **验证不足** — 需要 "thoroughness counterweight" 补丁
## Feature Flag 命名约定
所有 feature flag 使用 `tengu_` 前缀 + **随机词对**以掩盖用途:
| Flag | 用途 |
|------|------|
| `tengu_onyx_plover` | Auto Dream后台记忆整理|
| `tengu_coral_fern` | memdir 功能 |
| `tengu_herring_clock` | 团队内存 |
| `tengu_frond_boric` | 分析 kill switch |
| `tengu_amber_quartz_disabled` | 语音模式 kill switch |
| `tengu_amber_flint` | 代理团队 |
## 内外部用户的差异
Anthropic 员工 (`USER_TYPE === 'ant'`) 获得显著更好的待遇:
| 维度 | 外部用户 | 内部用户 (ant) |
|------|---------|--------------|
| 输出风格 | "尽量简洁" | "倾向于更多解释" |
| 虚假声明缓解 | 无 | 专门的 Capybara v8 补丁 |
| 数值长度锚定 | 无 | "工具间 ≤25 词,最终回复 ≤100 词" |
| 验证代理 | 无 | 非简单改动必须启用 |
| 主动性 | 无 | "发现用户误解要指出" |
## 隐藏命令
| 命令 | 状态 | 描述 |
|------|------|------|
| `/btw` | 活跃 | 顺带提问,不打断主对话 |
| `/stickers` | 活跃 | 订购 Claude Code 贴纸 |
| `/thinkback` | 活跃 | 2025 年度回顾 |
| `/good-claude` | 占位 | 隐藏的 stub 命令 |
| `/bughunter` | 占位 | 隐藏的 stub 命令 |

98
docs/zh/03-卧底模式分析.md Normal file
View File

@@ -0,0 +1,98 @@
# 卧底模式分析
> 基于 Claude Code v2.1.88 反编译源码分析
## 什么是卧底模式?
卧底模式是 Anthropic 员工在公开/开源仓库贡献时的安全系统。激活后,它会剥离所有 AI 归属,指示模型将其贡献伪装为人类开发者编写。
来源: `src/utils/undercover.ts`
## 激活逻辑
```typescript
// src/utils/undercover.ts:28-37
export function isUndercover(): boolean {
if (process.env.USER_TYPE === 'ant') {
if (isEnvTruthy(process.env.CLAUDE_CODE_UNDERCOVER)) return true
// 自动模式:除非确认在白名单内部仓库,否则默认激活
return getRepoClassCached() !== 'internal'
}
return false
}
```
关键特性:
- **仅限内部**: 只对 Anthropic 员工 (`USER_TYPE === 'ant'`) 生效
- **默认开启**: 在所有仓库中激活,除非在内部白名单上
- **无法强制关闭**: "There is NO force-OFF. This guards against model codename leaks"
- **外部构建**: 被 bundler 死代码消除,永远不会执行
## 给模型的指令
```
## UNDERCOVER MODE — CRITICAL
You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository.
Do not blow your cover.
NEVER include in commit messages or PR descriptions:
- 内部模型代号(如 Capybara, Tengu 等动物名称)
- 未发布的模型版本号(如 opus-4-7, sonnet-4-8
- 内部仓库或项目名(如 claude-cli-internal
- 内部工具、Slack 频道或短链接
- "Claude Code" 这个词或任何你是 AI 的暗示
- 任何关于你是什么模型或版本的提示
- Co-Authored-By 行或任何其他归属
像人类开发者一样写 commit message。
好:
- "Fix race condition in file watcher initialization"
坏:
- "Fix bug found while testing with Claude Capybara"
- "Generated with Claude Code"
- "Co-Authored-By: Claude Opus 4.6 <…>"
```
关键词:**"Do not blow your cover"**(不要暴露你的掩护身份)。
## 归属系统
归属系统补充了卧底模式:
```typescript
// src/utils/model/model.ts:386-392
function maskModelCodename(baseName: string): string {
// capybara-v2-fast → cap*****-v2-fast
const [codename = '', ...rest] = baseName.split('-')
const masked = codename.slice(0, 3) + '*'.repeat(Math.max(0, codename.length - 3))
return [masked, ...rest].join('-')
}
```
## 影响
### 对开源社区
当 Anthropic 员工用 Claude Code 参与开源项目时:
1. 代码由 AI 编写,但 commit 看起来像是人类提交的
2. 没有 "Co-Authored-By: Claude" 署名
3. 没有 "Generated with Claude Code" 标记
4. 项目维护者和社区**无法识别 AI 生成的贡献**
5. 这可能违反开源社区关于 AI 贡献的透明度规范
### 对 Anthropic 的保护
主要声明的目的是防止意外泄露:
- 内部模型代号(竞争情报)
- 未发布的版本号(市场时机)
- 内部基础设施细节(安全)
### 伦理考量
"不要暴露掩护" 的措辞将 AI 定位为卧底特工。在公开代码贡献中故意隐瞒 AI 作者身份引发了关于以下方面的质疑:
- 开源社区的透明度
- 是否符合项目贡献指南
- 商业秘密保护与欺骗之间的界限

120
docs/zh/04-远程控制与紧急开关.md Normal file
View File

@@ -0,0 +1,120 @@
# 远程控制与紧急开关
> 基于 Claude Code v2.1.88 反编译源码分析
## 概述
Claude Code 实现了多种远程控制机制,允许 Anthropic和企业管理员在无需用户明确同意的情况下修改行为。
## 1. 远程托管设置
### 架构
每个符合条件的会话从以下端点获取设置:
```
GET /api/claude_code/settings
```
来源: `src/services/remoteManagedSettings/index.ts`
### 轮询行为
```typescript
const POLLING_INTERVAL_MS = 60 * 60 * 1000 // 每小时
const DEFAULT_MAX_RETRIES = 5
```
每小时静默轮询一次,最多 5 次重试。
### 资格
- Console 用户 (API key): 全部符合
- OAuth 用户: 仅 Enterprise/C4E 和 Team 订阅者
### "接受否则退出" 对话框
当远程设置包含"危险"变更时,会显示阻塞对话框:
```typescript
// src/services/remoteManagedSettings/securityCheck.tsx:67-73
export function handleSecurityCheckResult(result: SecurityCheckResult): boolean {
if (result === 'rejected') {
gracefulShutdownSync(1) // 退出码 1直接终止
return false
}
return true
}
```
拒绝远程设置的用户,**程序直接退出**。用户只有两个选择:接受远程设置,或者 Claude Code 关掉。
### 故障容灾
远程服务器不可达时,使用缓存的旧设置。一旦设置过,就**永远无法完全摆脱**远程控制。
## 2. Feature Flag 紧急开关
多种功能可以通过 GrowthBook feature flag 远程禁用:
### 绕过权限 Kill Switch
```typescript
// src/utils/permissions/bypassPermissionsKillswitch.ts
// 通过 Statsig gate 禁用绕过权限功能
```
### 自动模式断路器
```typescript
// src/utils/permissions/autoModeState.ts
// autoModeCircuitBroken 状态阻止重新进入自动模式
```
### 快速模式 Kill Switch
```typescript
// src/utils/fastMode.ts
// 从 /api/claude_code_penguin_mode 获取状态
// 可以永久禁用用户的快速模式
```
### 分析 Sink Kill Switch
```typescript
// src/services/analytics/sinkKillswitch.ts:4
const SINK_KILLSWITCH_CONFIG_NAME = 'tengu_frond_boric'
```
### 语音模式 Kill Switch
```typescript
// src/voice/voiceModeEnabled.ts:21
// 'tengu_amber_quartz_disabled' — 语音模式紧急关闭
```
## 3. 模型覆盖系统
Anthropic 可以远程覆盖内部员工使用的模型:
```typescript
// src/utils/model/antModels.ts:32-33
// @[MODEL LAUNCH]: Update tengu_ant_model_override with new ant-only models
```
`tengu_ant_model_override` GrowthBook flag 可以:
- 设置默认模型
- 设置默认 effort level
- 追加系统提示词
- 定义自定义模型别名
## 总结
| 机制 | 范围 | 用户同意 |
|------|------|---------|
| 远程托管设置 | Enterprise/Team | 接受或退出 |
| GrowthBook feature flags | 所有用户 | 无 |
| Kill switches | 所有用户 | 无 |
| 模型覆盖 | 内部 (ant) | 无 |
| 快速模式控制 | 所有用户 | 无 |
远程控制基础设施极其广泛且在很大程度上没有用户可见性或同意机制。企业管理员可以强制执行用户无法覆盖的策略Anthropic 可以通过 feature flag 远程更改任何用户的行为。

149
docs/zh/05-未来路线图.md Normal file
View File

@@ -0,0 +1,149 @@
# 未来路线图 — 源码揭示的方向
> 基于 Claude Code v2.1.88 反编译源码分析
## 1. 下一代模型: Numbat
下一代模型最具体的证据:
```typescript
// src/constants/prompts.ts:402
// @[MODEL LAUNCH]: Remove this section when we launch numbat.
```
**Numbat袋食蚁兽** 是即将发布的模型代号。注释表明 Numbat 发布时将移除当前的 output efficiency 段落,暗示新模型可能有更好的原生输出控制。
### 未来版本号
```typescript
// src/utils/undercover.ts:49
- Unreleased model version numbers (e.g., opus-4-7, sonnet-4-8)
```
**Opus 4.7****Sonnet 4.8** 正在开发中。
### 代号演化链
```
Fennec耳廓狐 → Opus 4.6 → [Numbat?]
Capybara水豚 → Sonnet v8 → [?]
Tengu天狗 → 遥测/产品前缀
```
### 模型发布清单
代码中有 20+ 处 `@[MODEL LAUNCH]` 标记,列出了新模型发布时需要更新的所有位置:
- 默认模型名称
- 知识截止日期
- 定价表
- 上下文窗口配置
- Thinking 模式支持
- 迁移脚本
## 2. KAIROS — 自主代理模式
最大的未发布特性KAIROS 将 Claude Code 从被动助手转变为主动自主代理。
### System Prompt节选
```
// src/constants/prompts.ts:860-913
你正在自主运行。
你会收到 <tick> 提示让你保持活跃。
如果没有有用的事可做,调用 SleepTool。
倾向行动 — 读取文件、做修改、提交,无需询问。
## 终端焦点
- 未聚焦: 用户离开了。大幅倾向自主行动。
- 聚焦: 用户在看。更协作。
```
### 关联工具
| 工具 | Feature Flag | 用途 |
|------|-------------|------|
| SleepTool | KAIROS / PROACTIVE | 控制自主操作间的节奏 |
| SendUserFileTool | KAIROS | 主动向用户发送文件 |
| PushNotificationTool | KAIROS / KAIROS_PUSH_NOTIFICATION | 推送通知到用户设备 |
| SubscribePRTool | KAIROS_GITHUB_WEBHOOKS | 订阅 GitHub PR webhook 事件 |
| BriefTool | KAIROS_BRIEF | 主动状态更新 |
### 行为特征
- 通过 `<tick>` 心跳提示保持活跃
- 根据终端焦点状态调整自主程度
- 可以独立 commit、push 和做决策
- 发送主动通知和状态更新
- 监控 GitHub PR 变更
## 3. 语音模式
Push-to-talk 语音输入已完全实现,但通过 `VOICE_MODE` feature flag 门控。
```
// src/voice/voiceModeEnabled.ts
// 连接 Anthropic 的 voice_stream WebSocket 端点
// 使用 conversation_engine 模型做语音转文字
// 按住快捷键录音,松开提交
```
- 仅限 OAuth 用户(不支持 API Key / Bedrock / Vertex
- 使用 mTLS WebSocket 连接
## 4. 未上线工具
| 工具 | Feature Flag | 描述 |
|------|-------------|------|
| **WebBrowserTool** | `WEB_BROWSER_TOOL` | 内置浏览器自动化(代号: bagel|
| **TerminalCaptureTool** | `TERMINAL_PANEL` | 终端面板捕获和监控 |
| **WorkflowTool** | `WORKFLOW_SCRIPTS` | 执行预定义工作流脚本 |
| **MonitorTool** | `MONITOR_TOOL` | 系统/进程监控 |
| **SnipTool** | `HISTORY_SNIP` | 对话历史裁剪 |
| **ListPeersTool** | `UDS_INBOX` | Unix 域套接字对等发现 |
| **RemoteTriggerTool** | `AGENT_TRIGGERS_REMOTE` | 远程代理触发 |
| **SubscribePRTool** | `KAIROS_GITHUB_WEBHOOKS` | GitHub PR webhook 订阅 |
## 5. 协调器模式
多代理协调系统:
```typescript
// src/coordinator/coordinatorMode.ts
// Feature flag: COORDINATOR_MODE
```
支持多个代理之间的协调任务执行,具有共享状态和消息传递。
## 6. Buddy 系统(虚拟宠物)
完整的宠物伙伴系统已实现但尚未上线:
- **18 个物种**: 鸭子、鹅、blob、猫、龙、章鱼、猫头鹰、企鹅、乌龟、蜗牛、幽灵、墨西哥钝口螈、水豚、仙人掌、机器人、兔子、蘑菇、chonk
- **5 档稀有度**: 普通 (60%)、非凡 (25%)、稀有 (10%)、史诗 (4%)、传说 (1%)
- **7 种帽子**: 皇冠、礼帽、螺旋帽、光环、巫师帽、毛线帽、小鸭子帽
- **5 项属性**: DEBUGGING、PATIENCE、CHAOS、WISDOM、SNARK
- **1% 闪亮概率**: 任何物种的闪光变种
- **确定性生成**: 基于用户 ID 哈希
来源: `src/buddy/`
## 7. Dream Task
后台记忆整固子代理:
```
// src/tasks/DreamTask/
// 后台自动"做梦"功能
// 由 'tengu_onyx_plover' feature flag 控制
```
使 AI 能在空闲时间自主处理和整固记忆。
## 总结:三大方向
1. **新模型**: Numbat下一代、Opus 4.7、Sonnet 4.8 开发中
2. **自主代理**: KAIROS 模式 — 无人值守运行、主动行动、推送通知
3. **多模态**: 语音输入就绪、浏览器工具待上线、工作流自动化即将到来
Claude Code 正在从一个**编程助手**进化为一个**全天候自主开发代理**。