hardening: isolate third-party paths and clean external-build metadata (#311)

* hardening: isolate third-party paths and clean external-build metadata

* fix: restore external feedback flow and make privacy check portable

src/utils/http.ts

@@ -10,6 +10,7 @@ import {
   handleOAuth401Error,
   isClaudeAISubscriber,
 } from './auth.js'
+import { getAPIProvider } from './model/providers.js'
 import { getClaudeCodeUserAgent } from './userAgent.js'
 import { getWorkload } from './workloadContext.js'
 
@@ -54,7 +55,11 @@ export function getMCPUserAgent(): string {
 // operators match in robots.txt); the claude-code suffix lets them distinguish
 // local CLI traffic from claude.ai server-side fetches.
 export function getWebFetchUserAgent(): string {
-  return `Claude-User (${getClaudeCodeUserAgent()}; +https://support.anthropic.com/)`
+  const supportUrl =
+    getAPIProvider() === 'firstParty'
+      ? 'https://support.anthropic.com/'
+      : 'https://github.com/Gitlawb/openclaude'
+  return `Claude-User (${getClaudeCodeUserAgent()}; +${supportUrl})`
 }
 
 export type AuthHeaders = {