Native Attestation

Description

Native attestation is a DRM-like mechanism that proves an API request originated from an official Claude Code binary. The system works by embedding a cch=00000 placeholder string in the HTTP attribution header at the TypeScript layer, which Bun's native Zig HTTP stack then overwrites in-place with a computed hash before the request leaves the process. The server side verifies this token to confirm the request came from a real Claude Code client rather than a third-party tool or replay.

The implementation in constants/system.ts (getAttributionHeader) constructs the full x-anthropic-billing-header containing cc_version, cc_entrypoint, and conditionally the cch=00000 placeholder when the NATIVE_CLIENT_ATTESTATION build feature flag is enabled. The critical design decision is that the placeholder is the same length as the final hash value, so Bun's Zig layer can perform an in-place byte replacement without changing Content-Length or triggering buffer reallocation. The actual hash computation lives outside the TypeScript source -- in bun-anthropic/src/http/Attestation.zig -- where the Zig HTTP stack intercepts serialized request body bytes, finds the placeholder pattern, and overwrites it with the computed attestation token.
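The same-width overwrite described above, as an added sketch in JavaScript (not code from Claude Code or Bun). The token function, the verifier and the sample body layout are assumptions of this example; the real computation in Attestation.zig is not shown on this page.

```javascript
// Added illustration, not Claude Code or Bun source. standInToken is a stand-in (FNV-1a), NOT the real algorithm.
const KEY = "cch=";
const ZEROS = "00000"; // placeholder value as given on the page
const enc = new TextEncoder();

// Stand-in token: 5 hex chars, the same width as the placeholder value.
function standInToken(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return (h & 0xfffff).toString(16).padStart(ZEROS.length, "0");
}

// Byte offset of the first `needle` in `hay`, or -1.
function indexOfBytes(hay, needle) {
  outer: for (let i = 0; i + needle.length <= hay.length; i++) {
    for (let j = 0; j < needle.length; j++) if (hay[i + j] !== needle[j]) continue outer;
    return i;
  }
  return -1;
}

// Overwrite the placeholder inside an already-serialized body; false when it is absent (feature flag off).
function patchInPlace(body) {
  const at = indexOfBytes(body, enc.encode(KEY + ZEROS));
  if (at < 0) return false;
  const token = enc.encode(standInToken(body)); // hashed with the placeholder still in place
  if (token.length !== ZEROS.length) throw new Error("token width mismatch");
  body.set(token, at + KEY.length); // same width: no reallocation, length unchanged
  return true;
}

// Assumed verifier for this sketch: restore the placeholder, recompute, compare.
function verify(body) {
  const at = indexOfBytes(body, enc.encode(KEY));
  const v = at + KEY.length;
  if (at < 0 || v + ZEROS.length > body.length) return false;
  const copy = body.slice();
  const claimed = new TextDecoder().decode(copy.subarray(v, v + ZEROS.length));
  copy.set(enc.encode(ZEROS), v);
  return claimed === standInToken(copy);
}

// Constructed sample body; the field layout is an assumption.
function sampleBody(withPlaceholder) {
  const hdr = "cc_version=0.0.0; cc_entrypoint=cli;" + (withPlaceholder ? " cch=00000;" : "");
  return enc.encode(JSON.stringify({ system: "x-anthropic-billing-header: " + hdr, messages: [] }));
}
```

Because the token is written over a fixed-width slot, a Content-Length computed before patching stays valid afterwards.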

The attestation header also coexists with other attribution fields. A cc_workload field was later added for QoS routing (e.g., routing cron-initiated requests to a lower-priority pool). The code comments note that cc_workload is safe with respect to both fingerprint computation (computed from message chars + version only) and cch attestation (placeholder overwritten in serialized body bytes after the header string is built), and that the server's _parse_cc_header tolerates unknown extra fields so old API deploys silently ignore new additions.

Key claims

Relations

Sources

src-20260409-2e2e605ea18f src-20260410-attestation-a: src/constants/system.ts lines 59-95