🔒 Security Discovery: Un-gated outbound connection bypasses privacy controls
Summary
-------
preconnectAnthropicApi() unconditionally sends a TCP+TLS handshake to
api.anthropic.com on every ccb startup — even when the user has explicitly
disabled all non-essential traffic via CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1
or DISABLE_TELEMETRY=1.
This is the LAST un-gated outbound connection in the entire startup path.
Every other telemetry sink (Sentry, Langfuse, OpenTelemetry, GrowthBook,
1P Event Logger, Datadog, BigQuery, etc.) already respects the
privacyLevel module's isEssentialTrafficOnly() gate. This one did not.
Impact
------
While the preconnect is a HEAD request with no payload, the connection
itself leaks the client's IP address and session timing to Anthropic's
infrastructure. For privacy-conscious users and enterprise deployments
that have disabled telemetry, this constitutes an unexpected data leak.
Fix
---
Add isEssentialTrafficOnly() check at the function entry, consistent
with every other privacy-gated code path in the codebase. The
privacyLevel module is already imported by init.ts and 12+ other
modules — no new dependencies.
Verification
------------
Reproduced and verified via strace on Linux (aarch64):
# Before fix
$ strace -f -e connect ccb -p <<< 'hello'
connect(16, sin_addr=inet_addr("160.79.104.10"), sin_port=htons(443)) = 0
# ↑ connector to api.anthropic.com despite CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1
# After fix
$ strace -f -e connect ccb -p <<< 'hello'
# ↑ zero remote TCP connections — all traffic to localhost only
Changes: 1 file, +5 lines (import + gate)
Verify that when CWD equals the Claude config home directory
(/home/spark), projectSettings and localSettings do not override
userSettings. This prevents settings.local.json from silently
clobbering the user's explicit configuration.
4 tests:
- Guard active: local does NOT override user when CWD=/home/spark
- Guard inactive: local DOES override user when CWD≠/home/spark
- Edge: no settings files → empty result
- Edge: empty settings.local.json → no errors
Uses existing tests/mocks/state.ts mock infrastructure.
When CWD is the home directory, projectSettings and localSettings
resolve to files inside ~/.claude/ (e.g. settings.local.json). These
are not legitimate project-level files — they are user config files
that should not take priority over explicit userSettings.
Added a guard in loadSettingsFromDisk() that skips projectSettings
and localSettings when their resolved path is under the user's
claude config home directory.
Fixes: CCP --settings flag and default settings loading not working
when ~/.claude/settings.local.json contains model overrides.
c82f5994 — fix(openai): stop_reason null, zero usage fields, max_tokens forwarding
- streamAdapter: defer message_delta/message_stop to after stream loop
so trailing usage chunks are captured; fill all 4 usage fields
- index.ts: assemble final AssistantMessage at message_stop (not per-block);
apply stop_reason from message_delta; reset partialMessage; post-loop
safety fallback for partial messages
- buildOpenAIRequestBody: accept and forward maxTokens → max_tokens
901628b4 — fix: OpenAI provider deferred MCP tool visibility
- index.ts: prepend deferred MCP tool text list so OpenAI model can discover
and request them via ToolSearchTool
- claude.ts: pass full tools (not filteredTools) to OpenAI path so deferred
tools are searchable
- index.ts: include already-discovered deferred tools in filteredTools so
their schemas are available after ToolSearchTool loads them
Tests added:
- queryModelOpenAI.isolated.ts (674 lines): stop_reason assembly, partialMessage
reset, max_tokens truncation warning, usage tracking, cost tracking
- queryModelOpenAI.runner.ts + .test.ts: isolated subprocess runner (CCP pattern)
- streamAdapter.test.ts: 665→130 lines expanded — deferred finish, trailing
usage, length→max_tokens mapping, full usage field assertions
- formatBriefTimestamp.test.ts: beforeAll/afterAll env save/restore
3602 pass, 0 fail
loadedGetLanguage 返回类型中 name 字段改为可选,匹配 highlight.js
Language 类型中 name 为 string | undefined 的定义。
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add ImageLimits type and plumb optional limits through the chain:
callMCPTool/callMCPToolWithUrlElicitationRetry -> processMCPResult ->
transformMCPResult -> transformResultContent -> maybeResizeAndDownsampleImageBuffer.
When provided, limits override the module-level defaults
(IMAGE_TARGET_RAW_SIZE, IMAGE_MAX_WIDTH, IMAGE_MAX_HEIGHT,
API_IMAGE_MAX_BASE64_SIZE) inside maybeResizeAndDownsampleImageBuffer.
When undefined, behavior is unchanged for current callers.
Add _meta preservation in the text-block case of transformResultContent
(only when the caller opts in via includeMeta=true). transformMCPResult
passes includeMeta=true on the tool-result path; the prompt-handler call
site keeps the default false, preserving prior behavior.
Add skipLargeOutput early-return in processMCPResult after the IDE check:
when the caller passes skipLargeOutput=true and the content has no images,
the function returns content directly without large-output handling.
Add unwrap-to-text in processMCPResult for the persisted-content path:
when the large-string format gate is enabled
(MCP_TRUNCATION_PROMPT_OVERRIDE env var, or
tengu_mcp_subagent_prompt Statsig gate), and the content is a single
bare text block (no annotations, no _meta), unwrap to raw text and
switch the format description to 'Plain text'. Default-off; gate-off
behavior is unchanged.
Verified structurally against the 2.1.128 binary: function signatures,
the IDE check, gate logic, _meta-unwrap pattern, and imageLimits
plumbing match this implementation.
- Add attributionModel.ts: getRealModelName() resolves model names for
OpenAI/Gemini providers, so Git commit sign-off shows correct model
name (DeepSeek/GPT/Gemini) instead of Anthropic default.
- Wire into attribution.ts: replace multi-branch fallback logic with
simple getRealModelName() call.
- CCP's APIProvider doesn't include 'grok' — skipped that case.