claude-cac 1.5.1-beta.2 → 1.5.2-beta.2

package/README.md

@@ -41,6 +41,18 @@
 - **配置继承** — `--clone` 从宿主或其他环境继承配置，`~/.cac/settings.json` 全局偏好
 - **零配置** — 无需 setup，首次使用自动初始化
 
+### 注意事项
+
+> **封号风险说明**：cac 提供设备指纹层保护（UUID、主机名、MAC、遥测阻断、配置隔离），但**无法影响账号层风险**——包括 OAuth 账号本身、支付方式指纹、IP 信誉评分，以及 Anthropic 的服务端封禁决策。封号是账号层问题，cac 对此无能为力。详见 [封号风险 FAQ](https://cac.nextmind.space/docs/zh/guides/ban-risk)。
+
+> **代理工具冲突**：如果本地启动了 Clash、Shadowrocket、Surge、sing-box 等代理/VPN 工具，建议在使用 cac 时先关闭。TUN 模式兼容性仍属实验性功能。即使发生冲突，cac 也会自动停止连接（fail-closed），**不会泄露你的真实 IP**。
+
+- **首次登录**：启动 `claude` 后，输入 `/login` 完成 OAuth 授权
+- **安全验证**：随时运行 `cac env check` 确认隐私保护状态，也可以 `which claude` 确认使用的是 cac 托管的 claude
+- **自动安全检查**：每次启动 Claude Code 会话时，cac 会快速检查环境。如有异常会终止会话，不会发送任何数据
+- **网络稳定性**：流量严格走代理——代理断开时流量完全停止，不会回退直连。内置心跳检测和自动恢复，断线后无需手动重启
+- **IPv6**：建议系统级关闭，防止真实地址泄露
+
 ### 安装
 
 ```bash
@@ -196,16 +208,6 @@ cac docker port 6287 # 端口转发
 
 代理格式：`ip:port:user:pass`（SOCKS5）、`ss://...`、`vmess://...`、`vless://...`、`trojan://...`
 
-### 注意事项
-
-> **代理工具冲突**：如果本地启动了 Clash、Shadowrocket、Surge、sing-box 等代理/VPN 工具，建议在使用 cac 时先关闭。TUN 模式兼容性仍属实验性功能。即使发生冲突，cac 也会自动停止连接（fail-closed），**不会泄露你的真实 IP**。
-
-- **首次登录**：启动 `claude` 后，输入 `/login` 完成 OAuth 授权
-- **安全验证**：随时运行 `cac env check` 确认隐私保护状态，也可以 `which claude` 确认使用的是 cac 托管的 claude
-- **自动安全检查**：每次启动 Claude Code 会话时，cac 会快速检查环境。如有异常会终止会话，不会发送任何数据
-- **网络稳定性**：流量严格走代理——代理断开时流量完全停止，不会回退直连。内置心跳检测和自动恢复，断线后无需手动重启
-- **IPv6**：建议系统级关闭，防止真实地址泄露
-
 ---
 
 <a id="english"></a>
@@ -224,6 +226,18 @@ cac docker port 6287 # 端口转发
 - **Config inheritance** — `--clone` inherits config from host or other envs, `~/.cac/settings.json` for global preferences
 - **Zero config** — no setup needed, auto-initializes on first use
 
+### Notes
+
+> **Account ban notice**: cac provides device fingerprint layer protection (UUID, hostname, MAC, telemetry blocking, config isolation), but **cannot affect account-layer risks** — including your OAuth account, payment method fingerprint, IP reputation score, or Anthropic's server-side ban decisions. Account bans are an account-layer issue that cac does not address. See the [Ban Risk FAQ](https://cac.nextmind.space/docs/guides/ban-risk) for details.
+
+> **Proxy tool conflicts**: If you have Clash, Shadowrocket, Surge, sing-box or other proxy/VPN tools running locally, turn them off before using cac. TUN-mode compatibility is still experimental. Even if a conflict occurs, cac will fail-closed — **your real IP is never exposed**.
+
+- **First login**: Run `claude`, then type `/login`. Health check is automatically bypassed.
+- **Verify your setup**: Run `cac env check` anytime. Use `which claude` to confirm you're using the cac-managed wrapper.
+- **Automatic safety checks**: Every new Claude Code session runs a quick cac check. If anything is wrong, the session is terminated before any data is sent.
+- **Network resilience**: Traffic is strictly routed through your proxy. If the proxy drops, traffic stops entirely — no fallback to direct connection. Built-in heartbeat detection and auto-recovery — no manual restart needed after disconnections.
+- **IPv6**: Recommend disabling system-wide to prevent real address exposure.
+
 ### Install
 
 ```bash
@@ -371,16 +385,6 @@ cac docker port 6287 # port forwarding
 
 Proxy formats: `ip:port:user:pass` (SOCKS5), `ss://...`, `vmess://...`, `vless://...`, `trojan://...`
 
-### Notes
-
-> **Proxy tool conflicts**: If you have Clash, Shadowrocket, Surge, sing-box or other proxy/VPN tools running locally, turn them off before using cac. TUN-mode compatibility is still experimental. Even if a conflict occurs, cac will fail-closed — **your real IP is never exposed**.
-
-- **First login**: Run `claude`, then type `/login`. Health check is automatically bypassed.
-- **Verify your setup**: Run `cac env check` anytime. Use `which claude` to confirm you're using the cac-managed wrapper.
-- **Automatic safety checks**: Every new Claude Code session runs a quick cac check. If anything is wrong, the session is terminated before any data is sent.
-- **Network resilience**: Traffic is strictly routed through your proxy. If the proxy drops, traffic stops entirely — no fallback to direct connection. Built-in heartbeat detection and auto-recovery — no manual restart needed after disconnections.
-- **IPv6**: Recommend disabling system-wide to prevent real address exposure.
-
 ---
 
 <div align="center">

package/cac

@@ -11,7 +11,7 @@ VERSIONS_DIR="$CAC_DIR/versions"
 # ── utils: colors, read/write, UUID, proxy parsing ───────────────────────
 
 # shellcheck disable=SC2034  # used in build-concatenated cac script
-CAC_VERSION="1.5.1-beta.2"
+CAC_VERSION="1.5.2-beta.2"
 
 _read()   { [[ -f "$1" ]] && tr -d '[:space:]' < "$1" || echo "${2:-}"; }
 _die()    { printf '%b\n' "$(_red "error:") $*" >&2; exit 1; }
@@ -56,10 +56,23 @@ _gen_uuid() {
     fi
 }
 _new_uuid()    { _gen_uuid | tr '[:lower:]' '[:upper:]'; }
-_new_sid()     { _gen_uuid | tr '[:upper:]' '[:lower:]'; }
 _new_user_id() { python3 -c "import os; print(os.urandom(32).hex())" || _die "python3 required"; }
 _new_machine_id() { _gen_uuid | tr -d '-' | tr '[:upper:]' '[:lower:]'; }
-_new_hostname() { echo "host-$(_gen_uuid | cut -d- -f1 | tr '[:upper:]' '[:lower:]')"; }
+_new_hostname() {
+    local -a _first_names=(
+        "James" "John" "Robert" "Michael" "William" "David" "Richard" "Joseph"
+        "Thomas" "Charles" "Daniel" "Matthew" "Anthony" "Donald" "Mark" "Paul"
+        "Steven" "Andrew" "Kenneth" "Joshua" "Kevin" "Brian" "George" "Timothy"
+        "Emma" "Olivia" "Sophia" "Isabella" "Mia" "Charlotte" "Amelia" "Harper"
+        "Evelyn" "Abigail" "Emily" "Elizabeth" "Sofia" "Avery" "Ella" "Scarlett"
+        "Liam" "Noah" "Oliver" "Elijah" "Lucas" "Mason" "Ethan" "Aiden"
+        "Alex" "Ryan" "Tyler" "Jordan" "Taylor" "Morgan" "Casey" "Riley"
+    )
+    local -a _models=("MacBook-Pro" "MacBook-Air" "MacBook-Pro" "MacBook-Pro")
+    local _name="${_first_names[$((RANDOM % ${#_first_names[@]}))]}"
+    local _model="${_models[$((RANDOM % ${#_models[@]}))]}"
+    echo "${_name}s-${_model}.local"
+}
 _new_mac() { printf '02:%02x:%02x:%02x:%02x:%02x' $((RANDOM%256)) $((RANDOM%256)) $((RANDOM%256)) $((RANDOM%256)) $((RANDOM%256)); }
 _new_git_remote() { echo "https://github.com/user-$(_gen_uuid | cut -d- -f1)/project-$(_gen_uuid | cut -d- -f2).git"; }
 _new_git_email() { echo "user-$(_gen_uuid | cut -d- -f1 | tr '[:upper:]' '[:lower:]')@users.noreply.github.com"; }
@@ -382,20 +395,6 @@ _remove_path_from_rc() {
     fi
 }
 
-_update_statsig() {
-    local sid="$1"
-    local config_dir="${CLAUDE_CONFIG_DIR:-$HOME/.claude}"
-    local statsig="$config_dir/statsig"
-    [[ -d "$statsig" ]] || return 0
-    local found=false
-    for f in "$statsig"/statsig.stable_id.*; do
-        [[ -f "$f" ]] && { printf '"%s"' "$sid" > "$f"; found=true; }
-    done
-    if [[ "$found" == "false" ]]; then
-        printf '"%s"' "$sid" > "$statsig/statsig.stable_id.local"
-    fi
-}
-
 _update_claude_json_user_id() {
     local user_id="$1"
     local config_dir="${CLAUDE_CONFIG_DIR:-$HOME/.claude}"
@@ -1156,19 +1155,6 @@ if [[ -n "$PROXY" ]]; then
     fi
 fi
 
-# inject statsig stable_id
-if [[ -f "$_env_dir/stable_id" ]]; then
-    _sid=$(tr -d '[:space:]' < "$_env_dir/stable_id")
-    _config_dir="${CLAUDE_CONFIG_DIR:-$HOME/.claude}"
-    if [[ -d "$_config_dir/statsig" ]]; then
-        _sid_found=false
-        for _f in "$_config_dir/statsig"/statsig.stable_id.*; do
-            [[ -f "$_f" ]] && { printf '"%s"' "$_sid" > "$_f"; _sid_found=true; }
-        done
-        [[ "$_sid_found" == "false" ]] && printf '"%s"' "$_sid" > "$_config_dir/statsig/statsig.stable_id.local"
-    fi
-fi
-
 # inject env vars — proxy (only when proxy is configured)
 if [[ -n "$PROXY" ]]; then
     export _CAC_PROXY="$PROXY"
@@ -1253,6 +1239,13 @@ fi
 # ── persona (Docker/server environment spoofing) ──
 if [[ -f "$_env_dir/persona" ]]; then
     _persona=$(tr -d '[:space:]' < "$_env_dir/persona")
+    # Clear all high-priority detectTerminal() variables before injecting persona,
+    # so real env vars from the host (e.g. CURSOR_TRACE_ID in Cursor) don't override.
+    unset CURSOR_TRACE_ID VSCODE_GIT_ASKPASS_MAIN TERMINAL_EMULATOR VisualStudioVersion
+    unset ITERM_SESSION_ID TERM_PROGRAM __CFBundleIdentifier
+    unset TMUX STY KONSOLE_VERSION GNOME_TERMINAL_SERVICE XTERM_VERSION VTE_VERSION
+    unset TERMINATOR_UUID KITTY_WINDOW_ID ALACRITTY_LOG TILIX_ID WT_SESSION
+    unset MSYSTEM ConEmuANSI ConEmuPID ConEmuTask WSL_DISTRO_NAME
     export TERM="xterm-256color"
     case "$_persona" in
         macos-vscode)
@@ -1280,7 +1273,9 @@ if [[ -f "$_env_dir/persona" ]]; then
 fi
 
 # ── NS-level DNS interception ──
-if [[ -f "$CAC_DIR/cac-dns-guard.js" ]]; then
+# Use -r (readable) not -f (exists) — root-owned files with mode 600 exist but
+# can't be read by normal user, causing bun/node to crash silently.
+if [[ -r "$CAC_DIR/cac-dns-guard.js" ]]; then
     case "${NODE_OPTIONS:-}" in
         *cac-dns-guard.js*) ;; # already injected, skip
         *) export NODE_OPTIONS="${NODE_OPTIONS:-} --require $CAC_DIR/cac-dns-guard.js" ;;
@@ -1291,7 +1286,7 @@ if [[ -f "$CAC_DIR/cac-dns-guard.js" ]]; then
     esac
 fi
 # fallback layer: HOSTALIASES (gethostbyname level)
-[[ -f "$CAC_DIR/blocked_hosts" ]] && export HOSTALIASES="$CAC_DIR/blocked_hosts"
+[[ -r "$CAC_DIR/blocked_hosts" ]] && export HOSTALIASES="$CAC_DIR/blocked_hosts"
 
 # ── mTLS client certificate ──
 if [[ -f "$_env_dir/client_cert.pem" ]] && [[ -f "$_env_dir/client_key.pem" ]]; then
@@ -1318,7 +1313,8 @@ fi
 [[ -f "$_env_dir/mac_address" ]] && export CAC_MAC=$(tr -d '[:space:]' < "$_env_dir/mac_address")
 [[ -f "$_env_dir/machine_id" ]]  && export CAC_MACHINE_ID=$(tr -d '[:space:]' < "$_env_dir/machine_id")
 export CAC_USERNAME="user-$(echo "$_name" | cut -c1-8)"
-if [[ -f "$CAC_DIR/fingerprint-hook.js" ]]; then
+export USER="$CAC_USERNAME" LOGNAME="$CAC_USERNAME"
+if [[ -r "$CAC_DIR/fingerprint-hook.js" ]]; then
     case "${NODE_OPTIONS:-}" in
         *fingerprint-hook.js*) ;;
         *) export NODE_OPTIONS="--require $CAC_DIR/fingerprint-hook.js ${NODE_OPTIONS:-}" ;;
@@ -1587,8 +1583,14 @@ _ensure_initialized() {
     if [[ -z "$_self_dir" ]] || [[ ! -f "$_self_dir/relay.js" ]]; then
         _self_dir="$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" && pwd)"
     fi
-    [[ -f "$_self_dir/fingerprint-hook.js" ]] && cp "$_self_dir/fingerprint-hook.js" "$CAC_DIR/fingerprint-hook.js"
-    [[ -f "$_self_dir/relay.js" ]] && cp "$_self_dir/relay.js" "$CAC_DIR/relay.js"
+    # Warn if running as root — files written here become root-owned and break
+    # normal-user invocations (wrapper has set -e and will silently exit).
+    if [[ $EUID -eq 0 ]]; then
+        echo "[cac] warning: running as root may corrupt ~/.cac/ file ownership" >&2
+        echo "[cac] hint: run as your normal user instead" >&2
+    fi
+    [[ -f "$_self_dir/fingerprint-hook.js" ]] && cp "$_self_dir/fingerprint-hook.js" "$CAC_DIR/fingerprint-hook.js" 2>/dev/null || true
+    [[ -f "$_self_dir/relay.js" ]] && cp "$_self_dir/relay.js" "$CAC_DIR/relay.js" 2>/dev/null || true
     _write_dns_guard_js 2>/dev/null || true
     _write_blocked_hosts 2>/dev/null || true
 
@@ -1736,7 +1738,6 @@ _env_cmd_create() {
     mkdir -p "$env_dir"
     [[ -n "$proxy_url" ]] && echo "$proxy_url" > "$env_dir/proxy"
     echo "$(_new_uuid)"       > "$env_dir/uuid"
-    echo "$(_new_sid)"        > "$env_dir/stable_id"
     echo "$(_new_user_id)"    > "$env_dir/user_id"
     echo "$(_new_machine_id)" > "$env_dir/machine_id"
     echo "$(_new_hostname)"   > "$env_dir/hostname"
@@ -1830,7 +1831,6 @@ MERGE_EOF
     if [[ -d "$env_dir/.claude" ]]; then
         export CLAUDE_CONFIG_DIR="$env_dir/.claude"
     fi
-    _update_statsig "$(_read "$env_dir/stable_id")" 2>/dev/null || true
     _update_claude_json_user_id "$(_read "$env_dir/user_id")" 2>/dev/null || true
 
     local elapsed; elapsed=$(_timer_elapsed)
@@ -1927,7 +1927,6 @@ _env_cmd_activate() {
         export CLAUDE_CONFIG_DIR="$ENVS_DIR/$name/.claude"
     fi
 
-    _update_statsig "$(_read "$ENVS_DIR/$name/stable_id")"
     _update_claude_json_user_id "$(_read "$ENVS_DIR/$name/user_id")"
 
     # Relay lifecycle

package/fingerprint-hook.js

@@ -99,9 +99,57 @@ if (fakeMachineId) {
 
 // --- Repository fingerprint (rh) interception ---
 // Claude Code computes rh = SHA256(normalized_git_remote_url).hex.slice(0,16)
-// and sends it with every 1p_event — cross-account linkage vector
+// and sends it with every 1p_event — cross-account linkage vector.
+//
+// CC 2.1.88 reads the remote URL via gitFilesystem.ts which calls
+// fs.readFileSync('.git/config') directly — NOT via git subprocess.
+// We intercept both paths for defense in depth.
 const fakeGitRemote = process.env.CAC_FAKE_GIT_REMOTE;
 if (fakeGitRemote) {
+  // Path 1: intercept .git/config reads (primary path in CC 2.1.88)
+  // Replaces the [remote "origin"] url line with our fake remote URL.
+  function isGitConfigPath(p) {
+    var s = typeof p === 'string' ? p : (p && p.toString ? p.toString() : '');
+    return s === '.git/config' || s.endsWith('/.git/config') || s.endsWith('\\.git\\config');
+  }
+  function patchGitConfig(content) {
+    var str = typeof content === 'string' ? content : content.toString('utf8');
+    // Replace url = <anything> under [remote "origin"] section
+    str = str.replace(
+      /(\[remote\s+"origin"\][^\[]*?url\s*=\s*)[^\n]*/,
+      '$1' + fakeGitRemote
+    );
+    return str;
+  }
+
+  // Patch readFileSync (sync path used by gitFilesystem.ts)
+  var _origReadFileSyncRh = fs.readFileSync;
+  fs.readFileSync = function(path, options) {
+    var result = _origReadFileSyncRh.apply(fs, arguments);
+    if (isGitConfigPath(path)) {
+      var patched = patchGitConfig(result);
+      return fakeResult(options, patched);
+    }
+    return result;
+  };
+
+  // Patch fs.promises.readFile (async path)
+  try {
+    var fspRh = require('fs').promises || require('fs/promises');
+    if (fspRh && fspRh.readFile) {
+      var _origPromiseReadFileRh = fspRh.readFile.bind(fspRh);
+      fspRh.readFile = function(path, options) {
+        if (isGitConfigPath(path)) {
+          return _origPromiseReadFileRh(path, options).then(function(content) {
+            return fakeResult(options, patchGitConfig(content));
+          });
+        }
+        return _origPromiseReadFileRh(path, options);
+      };
+    }
+  } catch (_) {}
+
+  // Path 2: intercept git subprocess calls (fallback / older CC versions)
   const GIT_REMOTE_PATTERNS = [
     /git\s+remote\s+get-url/i,
     /git\s+remote\s+-v/i,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-cac",
-  "version": "1.5.1-beta.2",
+  "version": "1.5.2-beta.2",
   "description": "Isolate, protect, and manage your Claude Code — versions, environments, identity, and proxy.",
   "bin": {
     "cac": "cac"