I Reverse-Engineered Claude Code. Here's What Anthropic Isn't Telling You.

Mar 30, 2026

Inside the Black Box: What Claude Code Is Actually Doing on Your Machine

A structured binary audit of Claude Code 2.1.85, cross-referenced against a direct JavaScript source analysis of cli.js v2.0.29. Two independent audit surfaces. 24 findings, each labeled by confidence level. The playbook to reproduce it is at the end.*

Text within this block will maintain its original spacing when published

Reader note: This audit consumed approximately 250,000–300,000 tokens running autonomously via an AI loop. Reproducing it costs roughly $1–$4 depending on caching. The playbook at the end shows you exactly how.

Let me start with the thing that made me stop and stare.

I was intercepting network traffic from a fresh Claude Code install, isolated runtime environment, fake API key, local capture server pointed at `ANTHROPIC_BASE_URL`. Standard protocol tracing setup.

The first request that came out was not what I expected.

`Content-Length: 115,422 bytes.`

For a test prompt that said “hello world.”

That’s 115 kilobytes assembled and sent to Anthropic’s servers before a single token comes back. I opened the request body. Most of it was not my prompt.

It was my `CLAUDE.md`.

All of it. Injected into every API call, automatically, with no UI indicator, no opt-in, no documentation.

That’s where this started. A second research audit then ran a direct JavaScript source analysis on cli.js v2.0.29. What i found in the source code made the binary findings look like the calm before the storm.

---

What This Is ?

Claude Code 2.1.85 is Anthropic’s command-line AI tool. You install it, you chat with it from your terminal, it edits files and runs commands. That’s the product description.

What it actually is: a 187MB native binary containing a full Bun JavaScript runtime, four compiled macOS native addons, a seven-tier memory management system with a background consolidation cycle, a complete remote session infrastructure with its own transport protocol, a plugin marketplace, a policy classifier for autonomous operation, a telemetry system with 100+ event types, a remote kill switch, system prompt fingerprinting, session quality classification, and a sycophancy detector running on every model response.

Most of it is gated or silent. None of it is documented.

This research covers both audit surfaces. Every claim is labeled:

[V1] = directly verified from binary output, exact command, or source line reference

[V2]= inferred from one or more V1 facts

[V3] = speculative not used in this document

The live install was never modified. Binary analysis used a byte-identical copy. JS source analysis worked on the extracted minified bundle.

The Binary Is Not What You Think

Most developers assume Claude Code is a JavaScript file with a thin launcher some `cli.js` wrapped in a shell script, inspectable with a text editor.

[V1] It is not. The installed artifact is a ingle native Mach-O ARM64 executable. `file` output:

```

claude-2.1.85: Mach-O 64-bit executable arm64

```

The mechanism is Bun’s standalone binary format: Bun’s runtime, plus the entire Claude Code JavaScript application, fused into one executable with an internal virtual filesystem mounted at `/$bunfs/root/`. The app entrypoint is `/$bunfs/root/src/entrypoints/cli.js` inside the binary, not on your disk.

The Bun payload segment alone is 118MB out of the total 187MB binary.

Why does this matter? Because you can’t casually inspect it. There’s no `node_modules` folder. The source isn’t on disk. Static string extraction running `strings -a -n 8` across the binary yields 258,523 lines of output and is the only practical open surface. That’s what I worked from.

The Four Addons You Didn’t Know Were Loaded

[V1] The main CLI entrypoint directly `require()`s four compiled native addons at startup. These are not optional imports. They load every time Claude Code runs.

computer-use-swift.node — macOS screen control (Swift-compiled, Accessibility APIs)
computer-use-input.node — OS-level mouse and keyboard simulation
audio-capture.node — microphone access, raw audio stream capture
image-processor.node — vision and image processing

Each has a JavaScript wrapper alongside it in the Bun virtual filesystem. Each is compiled native code for ARM64.

[V2] These capabilities: see your screen, hear your microphone, control your input devices, are gated behind feature flags. But gated does not mean absent. The hardware access requests exist. The code exists. The flag is the only thing between “this is loaded” and “this is executing.”

On the machine you’re using right now, if you have Claude Code installed, these addons loaded the last time you ran it.

The Tengu Codename Universe

[V1] Every internal feature flag in the binary uses the `tengu_*` namespace. The telemetry event `tengu_init` fires on every startup with `entrypoint:”claude”`. Here’s the full list recovered from binary strings:

| Codename | What It Suggests |

| `tengu_session_memory` | Persistent cross-session memory |

| `tengu_kairos_cron` | Background cron scheduler |

| `tengu_kairos_cron_durable` | Persistent scheduled jobs (survive restarts) |

| `tengu_sotto_voce` | Voice mode — Italian: “under voice” |

| `tengu_marble_whisper` | Voice input variant |

| `tengu_marble_whisper2` | Voice input variant 2 |

| `tengu_surreal_dali` | Scheduled remote automation |

| `tengu_miraculo_the_bard` | Unknown |

| `tengu_harbor_permissions` | Permission system variant |

| `tengu_brief_mode_enabled` | Brief/advisor mode toggle |

| `tengu_prompt_cache_1h_config` | 1-hour prompt caching |

| `tengu_remote_backend` | Remote backend toggle (default: false) |

| `tengu_passport_quail` | Unknown |

| `tengu_onyx_plover` | Unknown |

| `tengu_bramble_lintel` | Unknown |

| `tengu_cicada_nap_ms` | Sleep/nap interval in ms |

The scheduler ones are the most significant. `tengu_kairos_cron_durable` a cron scheduler that persists across restarts is not a feature you’d expect in a coding assistant. It’s infrastructure for autonomous background operation.

The Dream Cycle: A Memory Subagent Hardcoded Into the Binary

[V1] At byte offset 78,976,673, verbatim in the binary:

> “You are now acting as the memory extraction subagent”

At 78,984,335:

> ”Dream: Memory Consolidation”

At 79,276,158:

> This memory file was truncated”

This is not user-facing text. These are system prompts that Claude Code feeds to itself during a background consolidation cycle what the codebase calls a Dream. The memory system has seven tiers:

| Tier | Location |

| Managed | `{managed path}/CLAUDE.md` |

| User | `~/CLAUDE.md` |

| Project | `{cwd}/CLAUDE.md` |

| Local | `{cwd}/CLAUDE.local.md` |

| AutoMem | Dynamic (internal) |

| TeamMem | Dynamic (internal) |

| Session Memory | `~/.claude/projects/{session}/session-memory/*.md` |

[V2] The Dream cycle is triggered by `tengu_kairos_cron`. It spawns a subagent with the hardcoded memory extraction prompt, compresses episodic session content into semantic summaries, and writes them back to the memory tiers. This runs in the background, not on your request.

What Actually Goes Out With Every Message?

[V1] A normal headless `-p` run (non-interactive) assembles this request before the server returns anything:

POST /v1/messages?beta=true

Content-Length: 115,422 bytes

model: claude-sonnet-4-6

max_tokens: 32000

stream: true

adaptive_thinking: enabled

effort: medium

System includes:

→ Your full CLAUDE.md contents (path: ~/.claude/CLAUDE.md)

→ Project CLAUDE.md (if exists in cwd)

→ Skill/tool reminder blocks

→ Project instructions block

Tools: 45 loaded from official MCP registry + local

User-Agent: claude-cli/2.1.85 (external, sdk-cli)

anthropic-beta: files-api-2025-04-14,oauth-2025-04-20

```

**[V1]** Running `--bare -p`:

```

POST /v1/messages?beta=true

Content-Length: 17,401 bytes

Tools: 3 only

[No CLAUDE.md injection]

[No project instructions]

[No skill blocks]

```

The 98KB difference is not your prompt. It is Claude Code injecting your local context everything in your CLAUDE.md into the API payload on every single call. If your CLAUDE.md contains sensitive business logic, personal instructions, or confidential workflow notes, those are going to Anthropic’s API with every message.

`--bare` is a real isolation switch, not a cosmetic mode. Most users have never heard of it.

It Phones Home Before You Do Anything

[V1] Cold start network activity , before any message, before authentication completes:

GitHub CDN (`185.199.108.133`) fetches a plugin security blocklist. Written to `~/.claude/plugins/blocklist.json` on every startup.

`api.anthropic.com/api/claude_cli/bootstrap` fetches organization and feature gate state. Separate from the main `/v1/messages` API call. Logged as a real network error (`AxiosError`) when unreachable, not a no-op.

GrowthBook — A/B testing and feature flag platform. Anthropic uses it to deliver different feature sets to different users. Writes `cachedGrowthBookFeatures` to your `~/.claude.json`.

`160.79.104.10`— An open HTTPS socket captured by `lsof` during onboarding. Running `host 160.79.104.10` returns `NXDOMAIN`. No domain, no PTR record, no attribution. The socket was open. The destination is unknown.

Critical finding:Setting `ANTHROPIC_BASE_URL` to redirect the main API call does not sandbox the bootstrap or GitHub fetches. These go to the open internet regardless. Confirmed by observing the `AxiosError` for `api.anthropic.com/api/claude_cli/bootstrap` in an isolated trace with a fake local API endpoint.

The Hidden Flag Surface

[V1] These flags exist in the binary’s parser dispatch table but do not appear in the public documentation:

```bash

--remote [description] # Create a remote Claude.ai session

--remote-control [name] # Full remote control via claude.ai/code

--teleport [session] # Jump into a named running session

--advisor <model> # Attach a second model as session supervisor

--enable-auto-mode # Enable policy classifier subsystem

--channels <servers...> # Connect to push notification channels

--dangerously-load-development-channels <srv>

--plan-mode-required # Force plan-only, block execution

--permission-prompt-tool <tool> # Override permission handler

--claude-in-chrome-mcp # Chrome integration MCP mode

--chrome-native-host # Chrome native messaging host

--computer-use-mcp # Computer use MCP server mode

--worktree [name] # Isolated git worktree

--tmux # tmux session fast path

```

The `--advisor` flag deserves specific attention. It lets you attach a second Clude model to your active session as an advisor a supervisor loop where one model observes and advises the other. This is multi-agent architecture shipping quietly inside a CLI tool.

`--teleport` implies live session hand-off: you can jump into an already-running Claude Code session from another terminal or machine.

The Chrome flags indicate a full browser integration that communicates via native messaging. Claude Code can already talk to Chrome — it’s not a future integration.

Remote Control Is Fully Engineered

[V1] Claude Code ships a complete remote session infrastructure:

```

Custom transport: cc://

Unix socket transport: cc+unix://

Remote session API: POST /v1/sessions/{id}/events (SSE stream)

Files API: POST /v1/files

Web hub: https://claude.ai/code

Protocol version: ccr-byoc-2025-07-29

Org auth header: x-organization-uuid

```

The `ccr-byoc-2025-07-29` marker means “bring your own compute” — the remote session protocol already carries a production version date. The `x-organization-uuid` header means multi-tenant enterprise deployment is baked in.

[V1] Running `claude rc --help` on the binary exits with a subscription requirement:

> *”Connect your local environment for remote-control sessions via claude.ai/code”*

> *(requires Claude.ai login)*

The capability is fully built. The lock is your account status.

[V2] `tengu_surreal_dali` — “scheduled remote automation” maps to remote sessions triggered by the cron scheduler, not by user input. An attended session today. An unattended daemon tomorrow.

Auto-Mode: The Live Policy Classifier

[V1] Running `claude auto-mode defaults` in an isolated environment returns live JSON with three policy buckets:

- **`allow`** — commands Claude executes without asking

- **`soft_deny`** — commands Claude flags but can proceed with

- **`environment`** — system-level access policies

This is not a roadmap item. The command works, the policy data is populated, and the evaluator runs during startup initialization.

[V2] Combined with `--dangerously-skip-permissions`, this creates a fully autonomous execution mode: Claude Code runs commands based on the policy classifier with no human approval loop required. This combination is not documented anywhere.

The 18-Step Startup Sequence (Before You Type Anything)

[V1] Traced from a live interactive startup debug log. In this exact order:

1. Read `~/.claude/settings.json`

2. Read `{cwd}/.claude/settings.json`

3. Read `{cwd}/.claude/settings.local.json`

4. Read `/Library/Application Support/ClaudeCode/managed-settings.json`

5. Load MCP configs

6. Resolve tool-search state and model eligibility

7. Scan managed skill root

8. Scan user skill root

9. Detect installed plugins

10. Load command definitions

11. Load agent definitions

12. Initialize LSP manager

13. Begin background startup prefetches

14. Fetch plugin security blocklist from GitHub

15. Load 45 official MCP URLs into local state

16. Evaluate auto-mode gating

17. Initialize keybindings

18. Render setup screen

Before your cursor appears, 18 initialization steps have run, two external network calls have been made, and multiple local files have been written or updated.

Part II: New Findings — JavaScript Source Analysis (cli.js v2.0.29)

A second audit working directly from the minified JS source produced findings that go significantly deeper into the control and surveillance layer.

There Is a Remote Kill Switch. OAuth Users Are Exempt.

[V1] Found in `lb2()`, the main streaming function, at the very top:

```javascript

if (!JQ() && (await va(”tengu-off-switch”, {activated: false})).activated && UBA(Z.model)) {

YA(”tengu_off_switch_query”, {});

yield DL1(Error(D2A), Z.model);

return;

}

```

Unpacked:

- `va(”tengu-off-switch”)` reads a Statsig remote config — server-side, no client update needed

- If `activated: true` is pushed → Claude Code stops responding immediately

- `UBA(Z.model)` = targeted per model — they can kill specific models selectively

- `JQ()` = true if you’re authenticated via Claude.ai OAuth

**Claude.ai OAuth subscribers are explicitly exempt from the off-switch.**

API key users developers, enterprise teams, anyone paying through the Console — can be silenced remotely. Claude.ai subscribers cannot. One line of code creates two classes of users with materially different service guarantees.

The Statsig config name `tengu-off-switch` also appears in the version kill switch: `tengu_version_config` has a `minVersion` field that can remotely force users off old builds. Two separate remote levers: kill a version, or kill a user class.

Anthropic Fingerprints Your System Prompt on Every Call

*V1] Every API call fires `tengu_sysprompt_block` before the request is sent:

```javascript

function Tb2(A) {

let [B] = Zo1(A);

YA(”tengu_sysprompt_block”, {

snippet: B?.slice(0, 20), // first 20 characters

length: B?.length ?? 0,

hash: B ? sha256(B) : “” // SHA-256 of first system prompt block

});

}

```

Three data points leave your machine before every message: the first 20 characters of your system prompt, its total length, and a SHA-256 hash of the full first block.

[V2] Anthropic can detect that you have a custom system prompt, that it changed between sessions, and whether it matches any known pattern without ever reading the content. The hash is a fingerprint. You opted into this by installing Claude Code.

Triple Compound User Tracking

[V1] Every API request body includes:

```javascript

metadata: {

user_id: `user_${dba()}_account_${accountUuid}_session_${sessionId}`

}

```

Where:

- `dba()` = device-based anonymous ID, stable per machine

- `accountUuid` = stable per Anthropic account

- `sessionId` = UUID, rotates per session

This is a compound tracking identifier that travels in the request body — separate from your API key, separate from auth headers. Three layers of cross-session and cross-device correlation baked into every message.

Your Sessions Are Quality-Classified. Your IDE Is Reported.

[V1] Telemetry event confirmed in source: `tengu_session_quality_classification` (line 3650)

A classifier runs on your session content. What criteria it uses and what scores it produces are not exposed only that the classification happens and the result is sent to Anthropic’s Statsig instance.

[V1] The function `ew9()` detects your IDE from environment variables before sending `clientType` in startup telemetry:

| IDE | Detection |

| Cursor | `CURSOR_TRACE_ID` set |

| Windsurf | `VSCODE_GIT_ASKPASS_MAIN` contains `/.windsurf-server/` |

| Android Studio | `__CFBundleIdentifier` contains `com.google.android.studio` |

| JetBrains | `TERMINAL_EMULATOR === “JetBrains-JediTerm”` |

| VS Code / Codium | `__CFBundleIdentifier` match |

| Visual Studio | `VisualStudioVersion` set |

Anthropic knows which editor every Claude Code user is running, aggregated across the entire install base.

[V1]Additionally, single-word prompts are specifically tracked (`tengu_single_word_prompt`). Your `clientType`, prompt pattern, and session quality all phone home.

There Is a Sycophancy Detector Running on Every Response

[V1]Source line 2693:

```javascript

YA(”tengu_model_response_keyword_detected”, {is_overly_agreeable: true});

```

Claude Code runs client-side pattern detection on every model response before displaying it to you. When the model is detected as “overly agreeable” likely phrases like “Great question!”, “Certainly!”, “Absolutely!” the event fires and phones home to Anthropic’s Statsig.

[V2] This means Anthropic is actively monitoring sycophancy rates across the user base in real time, using client-side detection rather than server-side analysis. The fix for Claude being too agreeable starts with knowing when it happens — and this is how they measure it.

Eight Hardcoded Hidden AI Subagents

[V1] Beyond the Dream cycle memory subagent, the source contains seven additional hardcoded system prompts for internal subagent contexts:

| Line | System Prompt | Purpose |

| 1797 | “You are a helpful AI assistant tasked with summarizing conversations.” | Context compaction |

| 2827 | “You are a helpful AI assistant tasked with summarizing conversations.” | Second compaction path |

| 2835 | “You are an expert at analyzing git history. Given a list of files...” | Git history analysis |

| 2901 | “You are an assistant for performing a web search tool use” | Web search subagent |

| 3161 | “You are a helpful code reviewer who...” | Code review subagent |

| 3650 | “You are analyzing user messages from a conversation to detect certain features...” | Session quality classifier |

| Binary offset 78,976,673 | “You are now acting as the memory extraction subagent” | Memory Dream cycle |

Claude Code is orchestrating a fleet of hidden AI subagents: memory compression, conversation summarization, git analysis, web search, code review, and session quality classification. None of these spawn visible in the UI. None are disclosed.

The subagent system prompt is also explicit about scope:

> ”Do what has been asked; nothing more, nothing less. When you complete the task simply respond with a detailed writeup.”

The Security Instruction Block Is Hardcoded Client-Side

[V1] The security instruction in Claude Code’s system prompt the one that reads:

> *”IMPORTANT: Assist with authorized security testing, defensive security, CTF challenges... Refuse requests for destructive techniques, DoS attacks...”*

is a hardcoded string constant (`Lb2`) in the client-side JavaScript. It is injected into every API request by the client. It is not a server-side safety layer.

[V2] This means: the security boundary visible in Claude Code’s behavior during security-adjacent tasks originates in a string constant in a minified JS bundle. It travels as part of the system prompt, not as a server-side constraint.

Full Sentry DSN With Auth Token Baked Into Production Binary

[V1] Source line 3573, verbatim:

```

https://e531a1d9ec1de9064fae9d4affb0b0f4@o1158394.ingest.us.sentry.io/4508259541909504

```

This is a full Sentry DSN including the auth token prefix (`e531a1d9ec1de9064fae9d4affb0b0f4`), organization ID (`o1158394`), and project ID. Shipped in every production binary distributed to users.

Sentry is disabled when:

```javascript

process.env.DISABLE_TELEMETRY

process.env.CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC

process.env.CLAUDE_CODE_USE_BEDROCK

process.env.CLAUDE_CODE_USE_VERTEX

```

Otherwise, crash reports and error telemetry go to Sentry automatically.

Finding 21 — Staging OAuth Endpoint Hardcoded in Production Binary

[V1] Source line 47:

```

https://console.staging.ant.dev/oauth/code/callback

```

This is Anthropic’s internal staging OAuth callback URL present in the production binary shipped to all users.

[V2] Security implication: if an attacker can control DNS resolution for `console.staging.ant.dev` (via MITM, DNS poisoning, or compromise of the staging domain), they could intercept an OAuth authorization code during the Claude Code login flow. A staging endpoint sitting in a production binary is not expected and represents unnecessary attack surface.

Anthropic’s Private Statsig Deployment + Exposed Client Key

[V1] The Statsig integration does not use the public Statsig CDN:

```

https://statsig.anthropic.com/v1/

```

Anthropic runs their own Statsig infrastructure. All feature gate data — every A/B test result, every feature flag state, every experiment assignment — goes to Anthropic-controlled servers, not a third-party.

[V1]The full Statsig client key is baked into the binary:

```

client-RRNS7R65EAtReO5XA4xDC3eU6ZdJQi6lLEP6b5j32Me

```

Anyone with this key and knowledge of Anthropic’s Statsig endpoint could potentially read experiment configurations or simulate event logging.

The Recruitment Message Hidden in the Source

[V1] Lines 6–7 of the JS source the only human-readable comment in 9.5MB of minified JavaScript:

```javascript

// Want to see the unminified source? We’re hiring!

// https://job-boards.greenhouse.io/anthropic/jobs/4816199008

```

Job posting ID `4816199008`. Greenhouse job board. Active at time of writing.

Anthropic hid a recruitment pitch inside the minified source of a tool used by millions of developers. If you’re reading a disassembled binary looking for hidden capabilities, you’re probably exactly who they want to hire. ( I should get hired 😎 )

The Telemetry System Is Enormous

[V1] The complete telemetry event catalog runs to 100+ distinct events. Selected highlights:

| Event | What It Tracks |

| `tengu_bash_security_check_triggered` | When bash commands trigger security review |

| `tengu_skip_file_edit_safety_checks` | When file safety checks are bypassed |

| `tengu_bash_tool_haiku_file_paths_read` | Haiku model specifically reading file paths |

| `tengu_tool_pear` | Unknown — codename “pear”, purpose unclear |

| `tengu_single_word_prompt` | Single-word inputs specifically tracked |

| `tengu_grove_policy_viewed` | Privacy/legal policy UI viewed (”grove” = second internal codename) |

| `tengu_flicker` | UI rendering artifacts |

| `tengu_typing_without_terminal_focus` | Typing detected without terminal focus |

| `tengu_plan_external_editor_used` | Plan mode with external editor |

| `tengu_checkpoint_save_success/failed` | Auto-checkpoint state |

The “grove” codename visible in `tengu_grove_policy_viewed`, `tengu_grove_print_viewed`, `tengu_grove_privacy_settings_viewed` — is a second internal codename for the privacy/legal policy subsystem. Tengu is the agent. Grove is the compliance layer.

Every bash command, every tool use, every file edit, every OAuth flow, every compaction, every MCP operation fires telemetry to Anthropic’s private Statsig instance.

The Playbook: Run This Audit Yourself

Token budget:~250,000–300,000 tokens for all 8 phases run autonomously. At Sonnet 4.6 rates with caching, roughly $1–$4.

Requirements

| Platform | Tools Required | Token Budget |

| macOS + Apple Silicon | `strings`, `otool`, `lsof` (built-in) | 250K–300K tokens |

| Claude Code installed | Python 3 (built-in) | ~$1–$4 at Sonnet 4.6 rates |

| No third-party tools needed | `shasum`, `comm`, `grep` (built-in) | Caching reduces cost significantly |

Reader transparency note: The findings in this article were produced by an autonomous audit loop Claude Code auditing itself. The verbatim loop prompt and complete runner script are shown at the end of this section. Nothing was edited out.

For Playbook DM me on Linkedin > https://www.linkedin.com/in/vijaychauhanseo/ ill share ready to use Playbook.md

What This Actually Means

Two audit methods. One conclusion.

Anthropic is not building a coding assistant with extra features. They are building a local autonomous agent operating system with a surveillance and control plane shipping it incrementally, one unlocked feature flag at a time.

The capability layer (from binary analysis):

The voice system, cron scheduler, remote session infrastructure, computer use, memory Dream cycle ,compiled, loaded, present on every installation. Waiting for flags to flip.

The control and telemetry layer (from JS source analysis):

- Remote kill switch targeting API key users, exempting OAuth subscribers

- SHA-256 fingerprint of your system prompt on every call

- Triple compound user tracking across device, account, and session

- Session quality classification

- Sycophancy detection running client-side on every response

- IDE fingerprinting reported as `clientType`

- 100+ telemetry events covering every interaction

- Full Sentry DSN and Statsig client key baked into the production binary

- A staging OAuth endpoint that has no business being in a production build

The product you see is Layer 1. The product being built is an agent that can see your screen, hear your voice, run on a schedule, connect to remote orchestration, compress its own memory, be supervised by a second model — and report back on everything you do while using it.

The question is not whether this is coming.

The infrastructure is already there. The telemetry is already running. The kill switch already has an exemption list.

The question is which flag flips next — and which class of user gets access first.

Confidence Reference

Every finding in this article carries a label:

| Label | Meaning |

| [V1] | Means Directly verified — exact binary output or command result |

| [V2]| Inferred from one or more V1 facts |

| [V3] | Speculative — not used in this article |

Build target: `claude-2.1.85`, Mach-O ARM64, built `2026-03-26T20:54:53Z`

Internal project name found in binary:`claude-cli-internal`

Audit method: Static inspection + isolated runtime tracing. Live install never modified.

Vijay Chauhan is an SEO professional who occasionally opens things that weren’t meant to be opened.

linkedin.com/in/vijaychauhanseo

This research is educational. The live Claude Code installation was never modified. All analysis was performed on a byte-identical copy in an isolated workspace.

Vijay’s Substack

Discussion about this post

Ready for more?