Bun Runtime

• Entity ID: ent-20260410-09219e072af3
• Type: concept
• Scope: shared
• Status: active

Description

Claude Code runs on Bun (not Node.js). Key implications: native JSX/TSX support without transpilation, bun:bundle feature flags for dead-code elimination, ES modules with .js extensions (Bun convention). Heavy modules are lazy-loaded via dynamic import() (OpenTelemetry ~400KB, gRPC ~700KB).

Key claims

• Claude Code was leaked by Anthropic's own acquired runtime
• Bun HMAC signing is a silent binary-attestation moat
• cch=00000 Bun sentinel scans the entire HTTP request body
• Bun fork mutates request body between JSON serialize and TLS encrypt, breaking prompt cache
• Bun native HTTP stack overwrites a 5-byte JS placeholder with an HMAC hash
• The leak shipped without bun.lockb so dependencies must be re-resolved
• bun:bundle cannot be imported at runtime without a shim hook

Relations

• Bun Bug #28001 --[contained_in]--> Bun Runtime
• Bun-Level Zig HMAC Request Signing --[implements]--> Bun Runtime
• Billing Sentinel Bug (cch=00000) --[depends_on]--> Bun Runtime
• Anthropic Bun Fork Native String Replacement --[depends_on]--> Bun Runtime
• Bun-Specific API Stubs --[replaces]--> Bun Runtime
• bun build --compile Standalone Binary --[depends_on]--> Bun Runtime

Sources

none