Bun-Level Zig HMAC Request Signing
- Entity ID: ent-20260419-a0b1c2d3e4f6
- Type: concept
- Scope: shared
- Status: active
- Aliases: Bun HMAC DRM, Zig-layer request hash, 5-byte HMAC placeholder, sub-JS request signing, native-attestation-bun-variant
Description
A previously undocumented DRM mechanism embedded in Claude Code's HTTP request path. The JavaScript layer writes a 5-byte zero placeholder into the API request headers. Bun's Zig-based native HTTP stack then overwrites those 5 bytes with a computed HMAC hash after the JS runtime has emitted the request, so the hash is never visible to anything running in JavaScript (including debuggers, man-in-the-middle tools running in-process, or captured replays).
Effect: a tool that intercepts and replays captured Claude Code API requests will fail HMAC validation even with a valid API key, because the hash cryptographically proves the request originated from a genuine Claude Code binary. The mechanism functions as a binary-attestation gate for the Anthropic API and explains why non-Claude-Code clients cannot forge traffic simply by swiping an API key out of a process dump.
Key claims
- Bun HMAC signing is a silent binary-attestation moat
- Bun native HTTP stack overwrites a 5-byte JS placeholder with an HMAC hash
- v2.1.113 spawns a native binary instead of running bundled JS
- The native-binary switch aligns public distribution with Zig attestation
Relations
- Bun-Level Zig HMAC Request Signing --[implements]--> Bun Runtime
- Bun-Level Zig HMAC Request Signing --[related_to]--> Native Attestation
- Bun-Level Zig HMAC Request Signing --[blocks]--> Claw Code
- Native Binary Spawn Architecture --[aligns_with]--> Bun-Level Zig HMAC Request Signing