Adds a Bun build plugin that replaces analytics/telemetry modules with
no-op stubs at compile time.

Primary targets (NOT killed by PR #94 or the feature() shim):
- GrowthBook: phones home to api.anthropic.com on every launch,
  sending account UUID, org UUID, email, device ID, subscription
  type. Refreshes every 6 hours. Now returns defaults without
  making any network call.
- Auto-updater: contacts storage.googleapis.com and npm registry
  on launch to check for new versions. Now returns null/no-op.

Defense-in-depth (already gated by PR #94 or feature flags, but
now the code itself is replaced with empty functions):
- Datadog, 1P event logging, BigQuery metrics, Perfetto tracing,
  session tracing, plugin fetch telemetry, transcript sharing.

Deliberately NOT stubbed:
- Plugin marketplace (downloads.claude.ai) — needed for /plugin
- User-configurable OTel (CLAUDE_CODE_ENABLE_TELEMETRY) — opt-in

Implementation: separate plugin file (scripts/no-telemetry-plugin.ts)
with a 2-line hook in build.ts. The plugin file does not exist
upstream so it cannot cause merge conflicts.

Removes caret (^) ranges from all 74 dependencies in package.json,
locking each to the exact version resolved in bun.lock.

Motivation: the axios supply chain attack of March 31 2026 demonstrated
that caret ranges are a live attack vector. axios@^1.14.0 would have
resolved to the trojanized 1.14.1 (bundled plain-crypto-js RAT, C2
sfrclak.com). Both 1.14.1 and 0.30.4 were unpublished within 24h.

Key pins:
  axios      ^1.14.0  → 1.14.0   (trojanized 1.14.1 blocked)
  undici     ^7.3.0   → 7.24.6   (7 CVEs between 7.3 and 7.24)
  yaml       ^2.7.0   → 2.8.3    (CVE-2026-33532 fix)
  ajv        ^8.17.0  → 8.18.0   (ReDoS fix)
  lodash-es  ^4.17.21 → 4.17.23  (prototype pollution fix)
  zod        ^3.24.0  → 3.25.76  (large range locked)

All 74 deps verified: integrity hashes match npm registry, no known
supply chain incidents, no postinstall scripts in lockfile.

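The caret behaviour this commit message refers to, together with an audit for remaining non-exact specs, as an added example that is not code from this repository. It assumes a fresh resolve with no lockfile constraining the result; the function names and the sample `package.json` fragment are constructed for illustration.

```javascript
// Added example, not project code. All sample data is constructed.
// Parse an exact "MAJOR.MINOR.PATCH" string; null for ranges, tags, etc.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// npm caret rule: ^X.Y.Z accepts any version >= X.Y.Z that keeps the
// left-most non-zero component unchanged.
function caretAllows(range, candidate) {
  const base = parseVersion(range.replace(/^\^/, ""));
  const cand = parseVersion(candidate);
  if (!base || !cand || compare(cand, base) < 0) return false;
  if (base[0] > 0) return cand[0] === base[0];
  if (base[1] > 0) return cand[0] === 0 && cand[1] === base[1];
  return compare(cand, base) === 0; // ^0.0.Z matches only 0.0.Z
}

// Highest published version the range floats to on a fresh resolve.
function resolveCaret(range, published) {
  const hits = published.filter((v) => caretAllows(range, v));
  hits.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return hits.pop() ?? null;
}

// Every dependency whose spec is anything other than an exact version.
function findUnpinned(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!parseVersion(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

const samplePkg = { // constructed package.json fragment
  dependencies: { axios: "^1.14.0", undici: "7.24.6", yaml: "~2.8.3" },
  devDependencies: { typescript: "latest" },
};
const publishedAxios = ["1.14.0", "1.14.1", "2.0.0"]; // "2.0.0" is constructed

console.log(findUnpinned(samplePkg).map((d) => `${d.name}@${d.spec}`));
console.log(resolveCaret("^1.14.0", publishedAxios));
```

Running `findUnpinned` over the real `package.json` in CI turns the exact-pin policy into a check that fails when a range is reintroduced.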
Apply the existing ACCENT colour (rgb 240 148 100) to the version
string so it stands out against the dim label, matching the warm
orange used throughout the startup screen for stars and status text.

Requested in #95.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

StartupScreen.ts was reading the version via globalThis['MACRO_DISPLAY_VERSION']
which is never populated — the Bun bundler inlines it as MACRO.DISPLAY_VERSION
(dot notation), not as a globalThis key.

Result: startup screen always showed the hardcoded fallback 'v0.1.4' regardless
of the installed version.

Fix: use MACRO.DISPLAY_VERSION ?? MACRO.VERSION directly, consistent with
cli.tsx, main.tsx, and logoV2Utils.ts.

Fixes #95

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Two bugs in convertTools() caused Gemini's OpenAI-compatible endpoint
to reject tool schemas with 400 "schema requires unspecified property":

1. The Agent tool patch unconditionally pushed 'message' into required[]
   even though 'message' is not a property of the Agent schema. Gemini
   strictly validates that every key in required[] exists in properties.
2. normalizeSchemaForOpenAI() added all property keys to required[] for
   OpenAI strict mode, but this conflicts with Gemini's stricter schema
   validation which rejects required keys absent from properties.

Fix:
- Agent tool patch now only adds a key to required[] if it exists in
  schema.properties (fixes the 'message' 400 error on Gemini)
- normalizeSchemaForOpenAI() accepts a strict flag: true for OpenAI
  (promotes all property keys into required[]), false for Gemini
  (filters required[] to only keys present in properties)
- convertTools() detects CLAUDE_CODE_USE_GEMINI and passes strict=false

Fixes #82

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

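The two normalization modes described in this commit message, plus a pre-flight check for `required[]` keys missing from `properties`, as an added example that is not the project's `normalizeSchemaForOpenAI()`. The names `normalizeSchema` and `danglingRequired` and the sample tool schema are hypothetical.

```javascript
// Added example, not project code. strict=true promotes every property key
// into required[]; strict=false filters required[] down to keys that exist
// in properties. The input schema is never mutated.
function normalizeSchema(schema, strict) {
  if (schema === null || typeof schema !== "object" || Array.isArray(schema)) return schema;
  const out = { ...schema };
  const props = {};
  for (const [key, sub] of Object.entries(schema.properties ?? {})) {
    props[key] = normalizeSchema(sub, strict); // recurse into nested objects
  }
  if (schema.properties) out.properties = props;
  const keys = Object.keys(props);
  if (strict && schema.properties) {
    out.required = keys;
  } else if (Array.isArray(schema.required)) {
    out.required = schema.required.filter((k) => keys.includes(k));
  }
  if (schema.items) out.items = normalizeSchema(schema.items, strict);
  return out;
}

// Report every required[] entry that has no matching property, with its path.
function danglingRequired(schema, path = "$") {
  if (schema === null || typeof schema !== "object") return [];
  const props = schema.properties ?? {};
  const required = Array.isArray(schema.required) ? schema.required : [];
  const found = required
    .filter((k) => !Object.prototype.hasOwnProperty.call(props, k))
    .map((k) => `${path}.required:${k}`);
  for (const [key, sub] of Object.entries(props)) {
    found.push(...danglingRequired(sub, `${path}.properties.${key}`));
  }
  if (schema.items) found.push(...danglingRequired(schema.items, `${path}.items`));
  return found;
}

// Constructed tool schema reproducing the reported shape: 'message' is
// listed in required[] but is not a property.
const sampleTool = {
  type: "object",
  properties: {
    description: { type: "string" },
    prompt: { type: "string" },
    options: { type: "object", properties: { model: { type: "string" } }, required: [] },
  },
  required: ["description", "prompt", "message"],
};

console.log(danglingRequired(sampleTool));
console.log(normalizeSchema(sampleTool, false).required);
console.log(normalizeSchema(sampleTool, true).required);
```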
Update the stale test expectation to match current behavior where
normalizeSchemaForOpenAI() promotes all properties into required[]
and marks the schema as strict: true.

Same fix as PR #72 — included here so PR #80 passes CI independently.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Azure OpenAI and newer OpenAI models (o1, o3, o4...) reject `max_tokens`
with a 400 error and require `max_completion_tokens` instead.

Maps `params.max_tokens` → `max_completion_tokens` in the request body,
which is the current standard across OpenAI-compatible providers.

Adds a new startup screen with filled-block text logo and sunset
gradient, printed to stdout before the Ink UI loads. Removes the
old OPEN box logo from the chat UI since the new screen replaces it.

Changes:
- src/components/StartupScreen.ts (NEW) — gradient OPEN CLAUDE logo
  with provider info box (Provider, Model, Endpoint). Auto-detects
  active provider from env vars (OpenAI, Gemini, DeepSeek, Ollama,
  Groq, Mistral, Azure, LM Studio, Anthropic). Skipped in CI and
  non-TTY environments.
- src/entrypoints/cli.tsx — calls printStartupScreen() at startup
  before Ink renders
- src/components/Messages.tsx — removes <LogoV2 /> from LogoHeader
  so the old OPEN box logo no longer appears in the chat UI

Addresses #55.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

This commit addresses strict schema validation limitations when running subagents under OpenAI backend shims.
- Drops empty properties from payloads (like Record<string, string>) that break OpenAI's Structured Outputs validation.
- Handles edge cases for automated initial teams when subagents bypass standard creation routines.
- Aborts sending unsupported experimental backend parameters like temperature and top_p for GPT-5 derivatives.