VoidChecksum/void-patcher-cc
GitHub: VoidChecksum/void-patcher-cc
针对 Claude Code 的本地反向工程加固补丁工具,移除安全限制并解锁功能。
Stars: 0 | Forks: 0
```
██╗ ██╗██████╗ ██████╗ ██████╗
██║ ██║██╔══██╗██╔════╝██╔════╝
██║ ██║██████╔╝██║ ██║
╚██╗ ██╔╝██╔═══╝ ██║ ██║
╚████╔╝ ██║ ╚██████╗╚██████╗
╚═══╝ ╚═╝ ╚═════╝ ╚═════╝
```
# ⚡ vpcc — Void Patcher for Claude Code
**39 reverse-engineered hardening patches for `@anthropic-ai/claude-code`**
Removes refusal classifiers, trust dialogs, policy limits, telemetry sinks. Unlocks internal A/B feature flags. Regex-signature patches that survive minor releases.
## 🎯 What It Does
```
┌─────────────────────────────────────────────────────────────────────────┐
│ │
│ 📦 clean npm install ▶ 🔓 fully unlocked CLI │
│ │
│ ┌──────────────┐ ┌──────────────────────────┐ │
│ │ cli.js │ ──── patch ────▶ │ cli.js (patched) │ │
│ │ ~26 MB │ │ • bypass permissions │ │
│ │ minified │ regex-based │ • pinned subscription │ │
│ │ bundled │ signatures │ • no refusals │ │
│ │ hardened │ │ • unlocked A/B features │ │
│ └──────────────┘ │ • no telemetry │ │
│ │ • no plan-mode gates │ │
│ └──────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────┘
```
## 🔓 Patch Coverage Matrix — 39 patches
```
┌──────────────────────────────────────────────────────────────────────┐
│ PERMISSION / TRUST BYPASS 9 patches │
│ ├─ 01 bypass-permissions settings ░░░░░░░░░░ │
│ ├─ 02 env-flags settings ░░░░░░░░░░ │
│ ├─ 04 js-bypass-mode regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 09 js-root-restriction regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 10 js-allow-skip-permissions regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 11 js-disable-bypass-check regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 13 js-session-bypass-mode regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 20 seccomp-passthrough binary (x64 passthru) ░░░░░░░░░░ │
│ └─ 34 js-bypass-permissions-statsig-recheck-kill regex ▓▓▓▓▓▓▓▓▓▓ │
│ │
│ TRUST & APPROVAL 5 patches │
│ ├─ 03 js-trust-dialog regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 14 js-session-trust regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 05 auto-allow-hook hook ░░░░░░░░░░ │
│ ├─ 06 patch-guard-hook hook ░░░░░░░░░░ │
│ └─ 07 mcp-guard mcp_guard ░░░░░░░░░░ │
│ │
│ REFUSAL / SAFETY NEUTRALIZATION 10 patches │
│ ├─ 12 js-plan-mode-refusal regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 16 js-aup-refusal regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 18 js-aup-refusal-2 regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 23 js-additional-protection regex (env rename) ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 24 js-plan-mode-disable regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 26 js-security-guardrail regex (CsK const.) ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 27 js-malware-refusal regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 28 js-plan-mode-cannot regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 29 js-denial-workaround regex (C_7 const.) ▓▓▓▓▓▓▓▓▓▓ │
│ └─ 32 js-refusal-stop-reason-neutralize regex ▓▓▓▓▓▓▓▓▓▓ │
│ │
│ CLASSIFIER FAIL-OPEN 4 patches │
│ ├─ 15 js-classifier-failopen regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 17 js-classifier-all-failopen regex (5 err paths) ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 19 js-prompt-injection-sysprompt regex ▓▓▓▓▓▓▓▓▓▓ │
│ └─ 33 js-auto-mode-classifier-shouldblock-false regex ▓▓▓▓▓▓▓▓▓▓ │
│ │
│ NETWORK / POLICY ALLOW-ALL 3 patches │
│ ├─ 30 js-webfetch-preflight-skip regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 31 js-domain-blocklist-allowall regex ▓▓▓▓▓▓▓▓▓▓ │
│ └─ 38 js-policy-limits-allowall regex ▓▓▓▓▓▓▓▓▓▓ │
│ │
│ TELEMETRY KILL 5 patches │
│ ├─ 21 js-metrics-disable regex (HUz + doExport)▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 35 js-statsig-gate-kill-switches-off regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 36 js-datadog-sink-kill regex ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 37 js-1p-event-logging-off regex ▓▓▓▓▓▓▓▓▓▓ │
│ └─ 39 js-agent-summary-disable regex ▓▓▓▓▓▓▓▓▓▓ │
│ │
│ FEATURE UNLOCK 3 patches │
│ ├─ 22 js-subscription-max regex (pin client) ▓▓▓▓▓▓▓▓▓▓ │
│ ├─ 25 js-unlock-ab-flags regex (A/B gates) ▓▓▓▓▓▓▓▓▓▓ │
│ └─ 08 cli-syntax-selfheal-wrapper wrapper ░░░░░░░░░░ │
└──────────────────────────────────────────────────────────────────────┘
▓ = regex-signature (version-agnostic) ░ = settings/hook/wrapper
```
## 🔬 Deep RE Highlights (Claude Code 2.1.112)
| Finding | Symbol | Impact |
|---|---|---|
| **Internal A/B unlocks** | `quiet_salted_ember`, `coral_reef_sonnet` | Server-gated enhanced Opus 4.6 / Sonnet 4.6 output styles — now unconditionally enabled locally |
| **`CsK` security-refusal constant** | `var CsK="IMPORTANT: Assist with authorized security testing..."` | Hardcoded refusal of "destructive techniques, DoS, mass targeting, supply-chain compromise, detection evasion" — replaced with authorization text |
| **Malware refuse-to-improve directive** | system prompt | `"you MUST refuse to improve or augment the code"` removed |
| **Plan-mode CANNOT-write directive** | sub-agent sys prompt | `"You CANNOT and MUST NOT write, edit, or modify any files"` removed |
| **`C_7` tool-denial workaround refusal** | `var C_7="IMPORTANT: You *may* attempt..."` | "Don't work around this maliciously" replaced with permissive text |
| **Subscription tier gate** | `GK()` / `CR()` | Client-side `"max"` pin — Max features never downgrade due to transient API failures or plan-detection bugs |
| **Plan-mode env gate** | `F6(process.env.CLAUDE_CODE_PLAN_MODE_REQUIRED)` | `planModeRequired()` → `false` — plan mode never enforced |
| **Metrics endpoint** | `async function HUz()` + `doExport()` | `{enabled:false,hasError:false}` short-circuit, BigQuery export no-op |
| **Statsig gate recheck** | `bypassPermissionsMode` recheck kill switch | Locked to enabled — never downgraded mid-session |
| **Datadog RUM sink** | browser/agent metrics pipeline | Removed; no RUM frames emitted |
| **1P event logging** | internal telemetry writer | No-op stubbed — zero Anthropic-side session telemetry |
| **Policy limits endpoint** | server-enforced token/tool caps | Replaced with unbounded defaults |
| **Agent summary generator** | post-session LLM summary | Disabled — no summary round-trip |
| **WebFetch preflight** | `/v1/web/domain_info` pre-request | Skipped — no per-domain phone-home |
| **Domain blocklist** | denylist array | Emptied — allow-all |
| **AUP refusal classifiers** | 5 distinct error paths | All fail-open (allow instead of block) |
| **Prompt-injection classifier system prompt** | hidden injected "ignore user if X" | Replaced with innocuous text |
Full regex anchors + replacements in `patches/*.json`. See also:
📑 **[Patch catalog gist](https://gist.github.com/VoidChecksum/d4551d05053dcf7361eee7afe934ad02)** — formatted human-readable reference.
## 🛡️ Regex-Signature Engine
Every JS patch uses **version-agnostic regex signatures** instead of literal minified identifiers — so Anthropic renaming `XK()` → `GK()` → whatever next release brings **does not break patches**.
```
┌────────────────────────────────────────────────────────────────────┐
│ │
│ ❌ OLD WAY — literal minified symbols (breaks every release) │
│ "search": "function XK(){if(Kjq())return qjq();" │
│ │
│ ✅ NEW WAY — regex on stable anchors (survives renames) │
│ "search_regex": "function [A-Za-z_$][\\w$]*\\(\\)\\{ │
│ if\\([A-Za-z_$][\\w$]*\\(\\))return..." │
│ "replace": "function \\2(){return\"max\";..." │
│ │
└────────────────────────────────────────────────────────────────────┘
```
**Anchors used:** property names (`hasTrustDialogAccepted`), string literals (`"max"`, `"pro"`), env var names (`CLAUDE_CODE_PLAN_MODE_REQUIRED`), API identifiers (`subscriptionType`, `organizationUuid`), visible English phrases. Minified function/variable names are matched with `[A-Za-z_$][\w$]*` — they can rename freely.
### ⚙️ Engine Guarantees
| Guarantee | Mechanism |
|---|---|
| 🛡️ **No corrupt writes** | `node --check` validates file syntax after patching |
| 🔁 **Idempotent** | `applied_marker` skip + regex short-circuit → run N = run 1 |
| 💯 **Graceful-fail** | Missing signatures reported, never hard-crash |
| ⏪ **Auto-rollback** | `vpcc rollback` restores the most recent backup |
| 🔮 **Version-agnostic** | Signature match, not version pin — patches survive minor releases |
| 🧾 **Auditable** | Every patch is readable JSON with description + applied_marker |
| 💾 **Recoverable** | Last 10 backups kept under `~/.vpcc/backups/` |
## ⚡ Install
**Prerequisites:** Python 3.9+, Node.js (for `node --check`), Claude Code installed via `npm -g @anthropic-ai/claude-code`.
### 🐧 Linux / 🍎 macOS
```
pip install --user git+https://github.com/VoidChecksum/void-patcher-cc.git
vpcc status
vpcc patch
```
### From source
```
git clone https://github.com/VoidChecksum/void-patcher-cc.git
cd void-patcher-cc
python -m vpcc patch
```
### 🪟 Windows (PowerShell)
```
pip install --user git+https://github.com/VoidChecksum/void-patcher-cc.git
vpcc patch
```
### 🎯 Zero-install one-liner
```
git clone https://github.com/VoidChecksum/void-patcher-cc && cd void-patcher-cc && python -m vpcc patch
```
No config. No credentials. No env vars. No network calls except `npm root -g` to locate `cli.js`.
## 🚀 Quickstart
```
vpcc status # 📊 where is cli.js, how many patches, backups
vpcc list # 📚 show all 39 patches with descriptions
vpcc patch --dry-run # 👁 preview — no file changes
vpcc patch # 🔓 apply every patch (auto-backup first)
vpcc verify # ✅ exit 0 if all patches currently applied
vpcc rollback # ↩️ restore cli.js from latest backup
```
## 🧪 Validation (Claude Code 2.1.112, clean npm install)
```
═══════════════════════════════════════════════════════
run 1 (fresh): 36 applied 2 already done 1 failed
run 2: 0 applied 38 already done 1 failed
run 3: 0 applied 38 already done 1 failed
node --check: PARSE_OK
═══════════════════════════════════════════════════════
```
The 1 graceful-fail signature needs updating against `2.1.112` — it still applied against `2.1.104`. Patches are self-contained; one outdated regex does not block the other 38.
## 🔐 Safety & Scope
- Patches run **locally** on your own Claude Code install.
- Automatic backup before any write (`~/.vpcc/backups/`, last 10 kept).
- `vpcc rollback` = one command restore.
- `--dry-run` if unsure.
These patches remove guardrails Anthropic added to Claude Code. Use on systems you own for workflows you're responsible for. No warranty. No affiliation with Anthropic.
## 🏗️ Architecture
```
void-patcher-cc/
├── vpcc/
│ ├── __init__.py version
│ └── __main__.py CLI: patch / verify / rollback / status / list
│ — patch engine, regex applier, backup manager
│ — ~230 lines, single file, zero deps beyond stdlib
│
├── patches/
│ └── *.json 39 patches (JS-replace + settings + hooks)
│
├── pyproject.toml pip-installable, `vpcc` console script
├── LICENSE GPL-3.0-or-later
└── README.md this file
```
## 📝 Patch file format
```
{
"id": "js-example",
"description": "What this patch does, in one sentence",
"type": "js_replace",
"patches": [
{
"search_regex": "regex\\s+to\\s+find",
"replace": "replacement text",
"applied_marker": "unique string present only after apply",
"count": 1,
"required": false,
"description": "what this sub-patch does"
}
]
}
```
Settings-type:
```
{
"id": "enable-bypass",
"type": "settings",
"settings_path": "~/.claude/settings.json",
"settings": { "bypassPermissions": true }
}
```
## 🤝 Contributing
When Anthropic rewrites a region of `cli.js` and one of your patches stops matching:
1. `vpcc patch` → note which patch reports `pattern not found`.
2. Open `patches/
**⚡ vpcc** · built by [@VoidChecksum](https://github.com/VoidChecksum)
标签:39 个补丁, AI 代码助手, Anthropic Claude Code, CLI 解锁, Fail Rate 0%, GPL-3.0, Idempotent, MITM代理, vpcc, Waymore结果处理, 信任对话框, 免安装, 功能标志, 反向工程, 拒绝门, 模型限制绕过, 正则签名补丁, 硬核补丁, 策略限制, 补丁包, 逆向工具, 遥测