[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-74831":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":9,"rankLanguage":9,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":9,"pushedAt":9,"updatedAt":35,"readmeContent":36,"aiSummary":37,"trendingCount":15,"starSnapshotCount":15,"syncStatus":38,"lastSyncTime":39,"discoverSource":40},74831,"cc-gateway","motiful\u002Fcc-gateway","motiful","AI API identity gateway — reverse proxy that normalizes device fingerprints and telemetry for privacy-preserving API proxying",null,"TypeScript",2856,494,13,19,0,12,38,79,36,106.98,"MIT License",false,"main",true,[26,27,28,29,30,31,32,33,34],"anthropic","api-gateway","claude-code","docker","fingerprint","privacy","reverse-proxy","telemetry","typescript","2026-06-12 04:01:16","\u003Cdiv align=\"center\">\n \u003Cpicture>\n \u003Csource media=\"(prefers-color-scheme: dark)\" srcset=\".github\u002Flogo-dark.svg\">\n \u003Csource media=\"(prefers-color-scheme: light)\" srcset=\".github\u002Flogo-light.svg\">\n \u003Cimg alt=\"CC Gateway\" src=\".github\u002Flogo-light.svg\" width=\"440\">\n \u003C\u002Fpicture>\n\n \u003Cp>Take back control of your AI API telemetry\u003C\u002Fp>\n\u003C\u002Fdiv>\n\n\u003Cdiv align=\"center\">\n\n[![License: MIT][license-shield]][license-url]\n[![Version][version-shield]][version-url]\n[![Tests][tests-shield]][tests-url]\n[![Follow @whiletrue0x][twitter-shield]][twitter-url]\n\n\u003C\u002Fdiv>\n\n\u003Cdiv align=\"center\">\n \u003Ca href=\"#quick-start\">Quick Start\u003C\u002Fa> ·\n \u003Ca href=\"#add-clients\">Add Clients\u003C\u002Fa> ·\n \u003Ca href=\"#what-gets-rewritten\">What Gets Rewritten\u003C\u002Fa> ·\n \u003Ca href=\"#deployment\">Deployment\u003C\u002Fa> ·\n \u003Ca href=\"#changelog\">Changelog\u003C\u002Fa>\n\u003C\u002Fdiv>\n\n---\n\n> **Alpha** — This project is under active development. Test with a non-primary account first.\n\n> **Disclaimer** — See [full disclaimer](#disclaimer) below.\n\n## Why\n\nClaude Code collects **640+ telemetry event types** across 3 parallel channels, fingerprints your machine with **40+ environment dimensions**, and phones home every 5 seconds. Your device ID, email, OS version, installed runtimes, shell type, CPU architecture, and physical RAM are all reported to the vendor — continuously.\n\nIf you run Claude Code on multiple machines, each device gets a unique permanent identifier. There is no built-in way to manage how your identity is presented to the API.\n\nCC Gateway is a reverse proxy that sits between Claude Code and the Anthropic API. It normalizes device identity, environment fingerprints, and process metrics to a single canonical profile — giving you control over what telemetry leaves your network.\n\n## Features\n\n- **Full identity rewrite** — device ID, email, session metadata, and the `user_id` JSON blob in every API request are normalized to one canonical identity\n- **40+ environment dimensions replaced** — platform, architecture, Node.js version, terminal, package managers, runtimes, CI flags, deployment environment — the entire `env` object is swapped, not patched\n- **System prompt sanitization** — the `\u003Cenv>` block injected into every prompt (Platform, Shell, OS Version, working directory) is rewritten to match the canonical profile\n- **Billing header stripped** — the `x-anthropic-billing-header` (which contains a per-session fingerprint hash) is removed entirely, consistent with the official `CLAUDE_CODE_ATTRIBUTION_HEADER=false` toggle. This also enables [cross-session prompt cache sharing](https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-code\u002Fissues\u002F40652), reducing system prompt costs by ~85%\n- **Process metrics normalization** — physical RAM (`constrainedMemory`), heap size, and RSS are masked to canonical values so hardware differences don't leak\n- **Zero-login client setup** — clients receive a single launcher script. No browser OAuth, no `~\u002F.zshrc` changes, no config files\n- **Centralized OAuth** — the gateway manages token refresh internally; client machines never contact `platform.claude.com`\n- **Instant startup** — gateway uses your existing access token on launch. No network call until the token actually expires\n- **Proxy-aware** — supports `HTTPS_PROXY` \u002F `HTTP_PROXY` env vars for outbound connections (Clash, V2Ray, etc.)\n- **Telemetry leak prevention** — strips `baseUrl` and `gateway` fields that would reveal proxy usage in analytics events\n\n## Quick Start\n\nOne command. Requires Node.js 22+ and an existing Claude Code login on this machine.\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fmotiful\u002Fcc-gateway.git\ncd cc-gateway\nnpm install\nbash scripts\u002Fquick-setup.sh\n```\n\nThis will:\n1. Extract your OAuth credentials from macOS Keychain (access token + refresh token)\n2. Generate a canonical device identity and client token\n3. Write `config.yaml`\n4. Generate a client launcher at `.\u002Fclients\u002Fcc-\u003Chostname>`\n5. Start the gateway on `http:\u002F\u002Flocalhost:8443`\n\n### Use it\n\nIn another terminal:\n\n```bash\n.\u002Fclients\u002Fcc-\u003Chostname>\n```\n\nThat's it. Claude Code launches, traffic routes through the gateway. No env vars to set, no files to edit.\n\n### Behind a proxy?\n\n```bash\nHTTPS_PROXY=http:\u002F\u002F127.0.0.1:7890 bash scripts\u002Fquick-setup.sh\n```\n\nThe gateway will route all outbound traffic (API calls + token refresh) through your proxy.\n\n## Add Clients\n\nEach person gets their own launcher script with a unique token. The admin generates it:\n\n```bash\nbash scripts\u002Fadd-client.sh alice\nbash scripts\u002Fadd-client.sh bob\n```\n\nThis creates `.\u002Fclients\u002Fcc-alice` and `.\u002Fclients\u002Fcc-bob`. Send each file to the respective person.\n\n### Client setup (what you tell them)\n\n```bash\nchmod +x cc-alice\n.\u002Fcc-alice install # installs as 'ccg' command\nccg # start Claude Code through gateway\n```\n\nThat's it. All Claude arguments work: `ccg --print \"hello\"`, `ccg --resume`, etc.\n\n### Optional: make `claude` go through gateway too\n\n```bash\nccg hijack # alias claude → ccg (new terminals auto-apply)\nclaude # now goes through gateway\nccg release # undo — restore native claude\n```\n\n### All commands\n\n```\nccg Start Claude Code through gateway\nccg install Install as 'ccg' system command\nccg uninstall Remove 'ccg' and clean up\nccg hijack Make 'claude' also go through gateway\nccg release Restore 'claude' to native\nccg native [args] Run native claude once (bypass gateway)\nccg status Show gateway connection and hijack status\nccg help Show help\n```\n\n`ccg` and `claude` coexist by default. Hijack is opt-in and reversible. Supports zsh, bash, and fish.\n\n## What Gets Rewritten\n\n| Layer | Field | Action |\n|-------|-------|--------|\n| **Identity** | `device_id` in metadata + events | → canonical ID |\n| | `email` | → canonical email |\n| **Environment** | `env` object (40+ fields) | → entire object replaced |\n| **Process** | `constrainedMemory` (physical RAM) | → canonical value |\n| | `rss`, `heapTotal`, `heapUsed` | → randomized in realistic range |\n| **Headers** | `User-Agent` | → canonical CC version |\n| | `x-api-key` | → real OAuth token (injected by gateway) |\n| | `x-anthropic-billing-header` | → stripped |\n| **Prompt text** | `Platform`, `Shell`, `OS Version` | → canonical values |\n| | `Working directory` | → canonical path |\n| | `\u002FUsers\u002Fxxx\u002F`, `\u002Fhome\u002Fxxx\u002F` | → canonical home prefix |\n| **Billing** | `x-anthropic-billing-header` system block | → stripped entirely |\n| **Leak fields** | `baseUrl` (ANTHROPIC_BASE_URL) | → stripped |\n| | `gateway` (provider detection) | → stripped |\n\n## Deployment\n\n### Local (development)\n\n```bash\nnpm run dev # tsx watch, auto-reload\n```\n\n### Docker (production)\n\n```bash\nbash scripts\u002Fadmin-setup.sh\n```\n\nThis interactive script:\n1. Extracts OAuth credentials\n2. Generates config + first client launcher\n3. Builds and starts the Docker container\n4. Asks for the gateway address clients should connect to\n\nAfter setup, add more clients with:\n\n```bash\nbash scripts\u002Fadd-client.sh \u003Cname>\n# Restart to pick up new tokens:\ndocker compose restart\n```\n\n### Multi-machine deployment\n\n```\nMac-A ──┐\nMac-B ──┼──→ gateway-server:8443 ──→ api.anthropic.com\nMac-C ──┘\n```\n\n**Important:** All machines — including the admin — should use the gateway. Direct connections from the admin machine would create a second device fingerprint visible to Anthropic.\n\nFor remote deployment, generate TLS certificates:\n\n```bash\nmkdir certs\nopenssl req -x509 -newkey rsa:2048 \\\n -keyout certs\u002Fkey.pem -out certs\u002Fcert.pem \\\n -days 365 -nodes -subj \"\u002FCN=cc-gateway\"\n```\n\nUncomment the `tls` section in `config.yaml`, then generate client launchers pointing to the server address:\n\n```bash\nbash scripts\u002Fadd-client.sh alice \"\" \u003Cgateway-ip>:8443 https\n```\n\n### Alternative: Tailscale (zero config networking)\n\nIf all devices have Tailscale installed, run the gateway on any machine in the mesh. No TLS needed (Tailscale encrypts the tunnel), no public IP needed, no port forwarding.\n\n## Architecture\n\n```\nClient machines CC Gateway Anthropic\n┌────────────┐ ┌──────────────────┐\n│ .\u002Fcc-alice │── ANTHROPIC_ ────│ Auth: x-api-key │\n│ (launcher) │ BASE_URL │ OAuth: auto- │\n│ + env vars │ │ refresh │──── single ────▶ api.anthropic.com\n│ │ │ Rewrite: all │ identity\n│ │ │ identity │\n└────────────┘ │ Strip: billing │\n │ header │\n │ Stream: SSE │\n │ passthrough │\n └──────────────────┘\n │\n platform.claude.com\n (token refresh only,\n from gateway IP)\n```\n\n**Defense in depth:**\n\n| Layer | Mechanism | What it prevents |\n|-------|-----------|-----------------|\n| Launcher env vars | `ANTHROPIC_BASE_URL` + `DISABLE_NONESSENTIAL` + `ATTRIBUTION_HEADER=false` | CC voluntarily routes to gateway, disables side channels, skips billing hash |\n| Clash (optional) | Domain-based REJECT rules | Any accidental or future direct connections to Anthropic |\n| Gateway | Body + header + prompt rewriting | All 40+ fingerprint dimensions normalized to one device |\n\n## OAuth Lifecycle\n\nThe gateway manages the full OAuth token lifecycle:\n\n1. **Startup** — uses the existing access token from your keychain. Zero network calls.\n2. **Auto-refresh** — 5 minutes before expiry, the gateway silently refreshes via `platform.claude.com`.\n3. **Continuous** — refresh tokens rotate automatically. The gateway runs indefinitely without admin intervention.\n4. **Failure recovery** — if a refresh fails, retries every 30 seconds. Only a refresh token expiry (rare, months) requires re-running `extract-token.sh`.\n\nClients never contact `platform.claude.com`. They send requests to the gateway with their client token; the gateway injects the real OAuth token before forwarding upstream.\n\n## Clash Rules\n\nOptional network-level safety net. Even if Claude Code bypasses env vars or adds new hardcoded endpoints in a future update, Clash blocks direct connections.\n\n```yaml\nrules:\n - DOMAIN,gateway.your-domain.com,DIRECT # Allow gateway\n - DOMAIN-SUFFIX,anthropic.com,REJECT # Block direct API\n - DOMAIN-SUFFIX,claude.com,REJECT # Block OAuth\n - DOMAIN-SUFFIX,claude.ai,REJECT # Block OAuth\n - DOMAIN-SUFFIX,datadoghq.com,REJECT # Block telemetry\n```\n\nSee [`clash-rules.yaml`](clash-rules.yaml) for the full template.\n\n## Caveats\n\n- **MCP servers** — `mcp-proxy.anthropic.com` is hardcoded and does not follow `ANTHROPIC_BASE_URL`. If clients use official MCP servers, those requests bypass the gateway. Use Clash to block this domain if MCP is not needed.\n- **CC updates** — New Claude Code versions may introduce new telemetry fields or endpoints. Monitor Clash REJECT logs for unexpected connection attempts after upgrades.\n- **Token lifecycle** — The gateway auto-refreshes the OAuth access token. If the underlying refresh token expires (rare), re-run `extract-token.sh` on the admin machine.\n\n## Changelog\n\n### v0.2.0 (2026-04-02)\n\n**Billing header strategy overhaul**\n- Stripped the `x-anthropic-billing-header` entirely (system prompt block + HTTP header) instead of rewriting the hash. This is consistent with the official `CLAUDE_CODE_ATTRIBUTION_HEADER=false` env var and enables cross-session prompt cache sharing (~85% cost reduction on system prompt).\n- The CCH hash algorithm (reverse-engineered from `cli.js`) is implemented as a fallback but not active by default.\n\n**Zero-login client setup**\n- New `add-client.sh` generates self-contained launcher scripts (`.\u002Fclients\u002Fcc-\u003Cname>`). Clients run one file — no `~\u002F.zshrc` changes, no config files, no browser login.\n- Launcher uses `ANTHROPIC_API_KEY` for gateway auth instead of the fragile `CLAUDE_CODE_OAUTH_TOKEN` + `ANTHROPIC_CUSTOM_HEADERS` approach.\n\n**Instant gateway startup**\n- OAuth now uses the existing access token from Keychain on launch. No network call until the token actually needs refreshing.\n- `config.yaml` supports `access_token` + `expires_at` fields alongside `refresh_token`.\n\n**Proxy support**\n- Gateway respects `HTTPS_PROXY` \u002F `HTTP_PROXY` \u002F `ALL_PROXY` env vars for all outbound connections (API calls + token refresh).\n\n**Observability**\n- Connection-level request logging: every inbound request is logged with client IP before auth, and client name after auth.\n\n**Admin tooling**\n- `admin-setup.sh` — interactive Docker deployment with credential extraction and client generation.\n- `quick-setup.sh` — one-command local setup that extracts full credentials (access + refresh + expiry).\n\n### v0.1.0 (2026-04-01)\n\nInitial release. Identity rewriting, environment normalization, centralized OAuth, SSE passthrough.\n\n## References\n\nThis project builds on:\n\n- [Claude Code 封号机制深度探查报告](https:\u002F\u002Fbytedance.larkoffice.com\u002Fdocx\u002FE2JudVzf7oCNfhxyxaQcZIW1n0g) — Reverse-engineering analysis of Claude Code's 640+ telemetry events, 40+ fingerprint dimensions, and ban detection mechanisms\n- [cc-cache-audit](https:\u002F\u002Fgithub.com\u002Fmotiful\u002Fcc-cache-audit) — A\u002FB test proving the billing header breaks prompt cache sharing, with the one-line fix\n- [instructkr\u002Fclaude-code](https:\u002F\u002Fgithub.com\u002Finstructkr\u002Fclaude-code) — Deobfuscated Claude Code source used for the telemetry audit\n\n## Star History\n\n\u003Cdiv align=\"center\">\n \u003Ca href=\"https:\u002F\u002Fstar-history.com\u002F#motiful\u002Fcc-gateway&Date\">\n \u003Cpicture>\n \u003Csource media=\"(prefers-color-scheme: dark)\" srcset=\"https:\u002F\u002Fapi.star-history.com\u002Fsvg?repos=motiful\u002Fcc-gateway&type=Date&theme=dark\" \u002F>\n \u003Csource media=\"(prefers-color-scheme: light)\" srcset=\"https:\u002F\u002Fapi.star-history.com\u002Fsvg?repos=motiful\u002Fcc-gateway&type=Date\" \u002F>\n \u003Cimg alt=\"Star History Chart\" src=\"https:\u002F\u002Fapi.star-history.com\u002Fsvg?repos=motiful\u002Fcc-gateway&type=Date\" width=\"600\" \u002F>\n \u003C\u002Fpicture>\n \u003C\u002Fa>\n\u003C\u002Fdiv>\n\n## Why This Exists\n\nI pay Anthropic $200\u002Fmonth. I have for almost a year.\n\nI own a laptop, a desktop, and a tablet. Three devices, one person, one subscription. I logged into a fourth device and my account was banned. No warning. No explanation. No refund. No way to export my conversation history. No customer support to contact.\n\nI'm not in the US. For non-US subscribers, there is no appeals process. The ban is permanent and silent.\n\nThis project is not a hack. It is not a crack. It does not bypass rate limits, share accounts, or steal service. It is a reverse proxy that makes my own devices — devices I already paid for access to — present a consistent identity to an API that I already pay for.\n\nThe technical approach is conservative by design:\n\n- **Billing header**: stripped using the same official env var (`CLAUDE_CODE_ATTRIBUTION_HEADER=false`) that Anthropic built into their own code. Thousands of legitimate users already have this set.\n- **Identity normalization**: all devices report the same device ID, email, and environment. This is indistinguishable from one person using one machine.\n- **Fixed IP**: the gateway routes all traffic through a single static IP. Anthropic sees one device, one location, one user.\n- **No evasion**: we don't fake locations, rotate IPs, or circumvent rate limits. If Anthropic's detection looks at this traffic, it looks normal — because it IS normal. One person using their subscription.\n\nIf Anthropic offered a way to manage multiple devices — a device dashboard, a family plan, a per-seat enterprise option — this tool would not need to exist. They don't. So it does.\n\n## Disclaimer\n\nThis project is for educational and research purposes only.\n\n- Do NOT use this to share accounts or violate Anthropic's Terms of Service\n- Do NOT use this for commercial purposes\n- The author is not responsible for any consequences of using this software\n- Use at your own risk\n\n## License\n\n[MIT](LICENSE)\n\n---\n\n\u003Cdiv align=\"center\">\n \u003Csub>Crafted with \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-code\">Claude Code\u003C\u002Fa>\u003C\u002Fsub>\n\u003C\u002Fdiv>\n\n\u003C!-- Badge references -->\n[license-shield]: https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Flicense\u002Fmotiful\u002Fcc-gateway\n[license-url]: https:\u002F\u002Fgithub.com\u002Fmotiful\u002Fcc-gateway\u002Fblob\u002Fmain\u002FLICENSE\n[version-shield]: https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fversion-0.2.0--alpha-blue\n[version-url]: https:\u002F\u002Fgithub.com\u002Fmotiful\u002Fcc-gateway\u002Freleases\n[tests-shield]: https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Ftests-16%20passed-brightgreen\n[tests-url]: https:\u002F\u002Fgithub.com\u002Fmotiful\u002Fcc-gateway\u002Fblob\u002Fmain\u002Ftests\u002Frewriter.test.ts\n[twitter-shield]: https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Ffollow-%40whiletrue0x-1DA1F2?logo=x&logoColor=white\n[twitter-url]: https:\u002F\u002Fx.com\u002Fwhiletrue0x\n","CC Gateway 是一个AI API身份网关,作为反向代理来标准化设备指纹和遥测数据以保护隐私。它能够重写设备ID、电子邮件、会话元数据及每个API请求中的`user_id` JSON对象至单一规范身份;替换40多个环境维度如平台、架构等;清理系统提示中的环境块;移除包含会话指纹哈希的计费头文件;以及规范化处理内存指标。适用于需要控制AI API遥测信息流出网络并希望保持一致性的场景,比如在多台机器上运行Claude Code时。项目采用TypeScript编写,并支持Docker部署。",2,"2026-06-11 03:51:01","high_star"]