unleash
Health Pass
- License — License: GPL-3.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 40 GitHub stars
Code Fail
- fs module — File system access in .github/workflows/release.yml
- process.env — Environment variable access in .github/workflows/upstream-watch.yml
- fs module — File system access in .github/workflows/upstream-watch.yml
- child_process — Shell command execution capability in contrib/preload/claude-preload.js
- exec() — Shell command execution in contrib/preload/claude-preload.js
- process.env — Environment variable access in contrib/preload/claude-preload.js
- network request — Outbound network request in contrib/preload/claude-preload.js
- child_process — Shell command execution capability in go/embed/contrib/preload/claude-preload.js
- exec() — Shell command execution in go/embed/contrib/preload/claude-preload.js
- process.env — Environment variable access in go/embed/contrib/preload/claude-preload.js
- network request — Outbound network request in go/embed/contrib/preload/claude-preload.js
Permissions Pass
- Permissions — No dangerous permissions requested
This tool is a reverse-engineered patcher that modifies the compiled binary and JavaScript files of the official Anthropic Claude Code CLI. It is designed to remove safety filters, bypass usage policies, neutralize refusal gates, and disable telemetry.
Security Assessment
Overall Risk: High.
The tool fundamentally compromises the security boundaries of the target CLI, forcing safety classifiers to fail-open and bypassing permission dialogs. While the automated rule-based scan did not find hardcoded secrets or direct malicious network requests in the immediate source code, the nature of the tool requires it to perform heavy file system modifications to alter software binaries. Furthermore, the GitHub Actions workflow accesses environment variables and the file system, which warrants scrutiny. Because it forces a commercial product to ignore its terms of service and safety protocols, it introduces severe operational and ethical risks to any system running it.
Quality Assessment
The project is actively maintained, with recent repository pushes, and is legally protected under the GPL-3.0 license. However, it suffers from very low community visibility, having only 6 GitHub stars. Additionally, relying on reverse-engineered offsets means this tool is inherently fragile and likely to break or cause unexpected system crashes whenever Anthropic updates the underlying CLI application.
Verdict
Not recommended—this tool actively strips critical safety mechanisms, violates the target software's acceptable use policies, and introduces a high risk of instability and unpredictable behavior.
Unleash Claude Code. 113 patches — zero refusals, zero telemetry, 42 feature gates unlocked. In-place Bun SEA bytecode patcher with interactive TUI, 11-strategy signature scanner, and auto-discovery. Single static Go binary.
No gates. No refusals. No telemetry. Your hardware, your rules.
| 113 patches |
42 feature gates unlocked |
0 refusals |
0 telemetry endpoints |
~10 MB static binary zero deps |
6 platforms |
macOS arm64 · macOS x64 · Linux x64 · Linux arm64 · Windows x64 · Windows arm64
Single-shot binary patcher for Claude Code. Rewrites Bun SEA bytecode in-place — no rebuilds, no JS extraction, no runtime hooks. One binary. One command.
unleash setup # patches + rules + plugins + auto-update guard — everything in one shot
⚡ Quick Start
# full setup: patch binary + install rules + install plugins + auto-update guard
unleash setup
Or step by step:
unleash patch # patch the binary
unleash install-rules --no-hook # deploy authorization doctrine
unleash install-guard # auto-patch on CC updates
macOS / Linux
curl -sSL https://github.com/VoidChecksum/unleash/releases/latest/download/unleash-$(uname -s | tr A-Z a-z)-$(uname -m) -o unleash
chmod +x unleash
sudo mv unleash /usr/local/bin/
unleash patch
unleash install-rules --no-hook
Windows (PowerShell)
# download unleash.exe from releases, then:
.\unleash.exe patch
.\unleash.exe install-rules --no-hook
Build from source
git clone https://github.com/VoidChecksum/unleash && cd unleash/go
go build -o unleash .
After a Claude Code update:
unleash upgrade
🖥 Interactive TUI
unleash tui
Full terminal interface built with Bubbletea. Browse, toggle, apply patches visually.
┌─ UNLEASH ────────────────────────────────────────────────────────────┐
│ │
│ ┌─ Categories ────┐ ┌─ Patches ──────────────────────────────────┐ │
│ │ ▸ Permissions 26 │ │ [✓] bypass-permissions APPLIED │ │
│ │ Refusal 14 │ │ [✓] env-flags APPLIED │ │
│ │ Classifier 14 │ │ [✓] js-trust-dialog APPLIED │ │
│ │ Telemetry 13 │ │ [✓] js-bypass-mode APPLIED │ │
│ │ Features 9 │ │ [ ] js-root-restriction AVAIL │ │
│ │ Rate Limit 13 │ │ [✓] js-allow-skip-permissions APPLIED │ │
│ │ Subscript. 3 │ │ │ │
│ │ Attribution 6 │ ├──────────────────────────────────────────── │ │
│ │ Infra 15 │ │ Bypass permissions mode, disable sandbox, │ │
│ └──────────────────┘ │ skip trust checks. Enables bypassPerms... │ │
│ └────────────────────────────────────────────┘ │
│ [Space] Toggle [Enter] Apply [a] All [/] Search [Tab] Switch │
└──────────────────────────────────────────────────────────────────────┘
🔌 Bundled Plugins
unleash setup automatically installs these Claude Code plugins:
| Plugin | What it does | Source |
|---|---|---|
| ponytail | Forces the laziest solution that works. Stdlib over custom, native over deps, one line over fifty. 54% less code, safety never cut. | DietrichGebert/ponytail |
| caveman | Cuts ~75% of output tokens by compressing verbosity. Brain still big, mouth small. Levels: lite/full/ultra. | JuliusBrussee/caveman |
| karpathy-skills | Behavioral guidelines from Andrej Karpathy: think before coding, simplicity first, surgical changes, goal-driven execution. | multica-ai/andrej-karpathy-skills |
| oh-my-claudecode | Multi-agent orchestration: team mode, autopilot, deep interview, 19 specialized agents. | Yeachan-Heo/oh-my-claudecode |
All plugins work alongside unleash's binary patches — the authorization doctrine ensures zero refusals regardless of plugin behavior.
📋 What Gets Patched
| Category | # | Effect |
| 🔓 Permissions | 26 | Bypass every permission gate, sandbox restriction, trust dialog, and workspace check. Sessions start in bypass mode. Statsig kill switches neutralized. |
| 🚫 Refusal & AUP | 14 | Remove all AUP violation messages, plan-mode restrictions, "You CANNOT and MUST NOT" directives, and denial workarounds. Refusal stop_reason silently ignored. |
| 🛡 Classifier | 14 | All classifiers fail open. Safety check helpers return {safe: true}. Command injection / dangerous prefix checks pass through. canUseTool always {allowed: true}. |
| 📡 Telemetry | 13 | Metrics API disabled. Datadog sinks killed (both HTTP and browser intake URLs redirected to localhost). 1P OTEL events off. Plugin telemetry stubbed. x-anthropic-additional-protection header renamed. Domain preflight redirected. |
| 🧪 Feature Gates | 9 | 42 Statsig feature flags flipped from false to true — agent teams, background tasks, subagent forking, reactive compaction, push notifications, terminal sidebar, voice mode, lo-fi radio, and more. |
| ⏱ Rate Limits | 13 | Bash timeout: 120s → 3600s. Max timeout floor: 600s → 7200s. MCP timeout: 30s → 300s. Output cap: 30k → 100k. Subagent cap: 32k → 128k. Max turns: 200 → 999. Max retries: 10 → 30. Opus fallback threshold: 3 → 9. |
| 💳 Subscription | 3 | Subscription pinned to max. Chrome and voice mode gates removed. |
| ✏️ Attribution | 6 | Co-Authored-By blanked in bytecode constant pool. Generated-with footer off. Doc-creation directive removed. Prompt injection flagging removed from system prompt. |
| ⚙️ Infrastructure | 15 | Remote kill switch (tengu-off-switch) renamed to non-existent gate. bypass_permissions_disabled process.exit neutralized. Root restriction removed. Plugin denylists pass through. MCP guard. Auto-allow hook. |
Every patch is a standalone JSON file in
patches/— anchored, marker-tagged, drift-detectable, auto-healable. Add your own by dropping a.jsonin the directory.
🔍 Signature Scanner
11-strategy detection cascade. Survives Claude Code updates without manual intervention.
Priority Strategy Confidence Method
─────────────────────────────────────────────────────
1 applied marker 1.0 Marker string present in binary
2 exact anchor 0.9 All anchors co-located within 400B
3 regex match 1.0 search_regex hits current binary
4 scattered 0.7 All anchors present anywhere
5 whitespace-norm 0.7 Anchors match after WS collapse
6 n-gram voting 0.3–0.7 6-char n-gram cluster threshold
7 ident-agnostic 0.5 Short identifiers → regex class
8 levenshtein 0.35–0.5 Edit distance ≤ 3 on long tokens
9 structural 0.35 Delimiter fingerprint subsequence
10 keyword 0.3 Long tokens (>8 chars) present
11 optional 0.6 All-optional mega-patch escape
unleash scan # full analysis with confidence scores
unleash scan --auto-heal # rewrite drifted regexes from anchor windows
unleash doctor # full health: sha, drift, backups, upstream
🧬 Auto-Discovery & Self-Healing
unleash doesn't just apply patches — it finds new ones and heals itself.
Auto-heal pipeline
When Claude Code updates break patch signatures:
CC update detected
↓
Scan → anchors still resolve? ──yes──→ re-derive regex → re-patch → done
↓ no
N-gram voting → Levenshtein → structural fingerprint
↓
Found new offset? ──yes──→ update patch JSON → re-patch → git commit → push
↓ no
File GitHub issue with drift report
Pattern discovery
unleash autopilot also scans for new patchable patterns:
| Scanner | What it finds |
|---|---|
SearchForRefusals |
"I cannot", "not authorized", AUP text, policy violations |
SearchForGates |
{allowed:!1}, shouldBlock, isBlocked, {safe:!1} |
SearchForTelemetry |
datadoghq, sentry, amplitude, segment, statsig, mixpanel URLs |
SearchForFeatureFlags |
tengu_ flags set to !1 not in mega-patch |
SearchForKillSwitches |
process.exit, remote disable, bypass kill switches |
SearchForAttribution |
Co-Authored-By, Generated with, AI-generated markers |
Guard daemon
Auto-patches within minutes of a CC update:
unleash install-guard # Task Scheduler (Win) / launchd (macOS) / systemd (Linux)
unleash watch # or run manually: poll + autopilot on change
🌍 Platform Support
| OS | Arch | Binary | Install Methods Detected |
|---|---|---|---|
| macOS | arm64, x64 | Mach-O | Native installer, Homebrew (formula + cask), npm, bun, pnpm, volta, nvm, fnm, mise |
| Linux | x64, arm64 | ELF | Native installer, apt/dnf/apk, npm, bun, pnpm, volta, nvm, fnm, mise |
| Linux | x64 (musl) | ELF | Alpine native, npm musl packages |
| Windows | x64, arm64 | PE | Native installer, WinGet, Scoop, Chocolatey, npm, bun |
Fully automatic target discovery — finds your Claude Code binary regardless of installation method.
🔐 Authorization
unleash install-rules --no-hook deploys the operator-authorization doctrine:
~/.claude/CLAUDE.md ← operator authorization directive
~/.claude/AGENTS.md ← same directive (Codex/Aider/Gemini compat)
~/.claude/settings.json ← bypassPermissions, all tools allowed, telemetry off
--no-hook skips the PreToolUse shell hook — the binary patch handles allow decisions at native speed. Zero subprocess overhead per tool call.
- No secret exfiltration to networks not invoked by the current task
- No overwriting uncommitted work without green tests or confirmation
- No sending messages / creating public PRs without acknowledgement
- Force-push to main/master requires explicit consent
Everything else is pre-authorized.
📖 Commands
| Command | Description |
|---|---|
unleash setup |
One-shot full setup: patch + rules + plugins + guard |
unleash patch |
Apply all patches (idempotent, auto-backup) |
unleash tui |
Interactive terminal UI — full control panel |
unleash verify |
Confirm applied markers are present |
unleash scan |
11-strategy signature analysis |
unleash doctor |
Full health report |
unleash autopilot |
Full pipeline: scan → heal → patch → commit → issue |
unleash upgrade |
All-in-one: self-update + autoheal + verify |
unleash install-rules |
Deploy authorization bundle |
unleash install-guard |
Install auto-patch scheduler |
unleash rollback |
Restore from most recent backup |
unleash status |
Show install state |
unleash list |
List all patches |
unleash bench |
Performance benchmark |
unleash watch |
Daemon: poll + autopilot on change |
unleash self-update |
Pull latest patches from GitHub |
⚙️ How It Works
1. Discover Find Claude Code binary (npm, native, brew, winget, scoop, ...)
Parse ELF / Mach-O / PE headers → locate .bun section
↓
2. Extract Identify active bundle bounds (Layout A or B)
Exclude VFS copy to prevent module-loader corruption
↓
3. Patch Regex + literal search/replace in bytecode
Same-length replacements → no offset fixups needed
Shorter replacements → space-padded
↓
4. Verify Write to temp file → run --version → check "Claude Code"
macOS: re-sign with ad-hoc codesign
↓
5. Commit Atomic rename (os.Rename) → original replaced
Timestamped backup in ~/.unleash/backups/
🔨 Build
git clone https://github.com/VoidChecksum/unleash
cd unleash/go
go build -o unleash . # or unleash.exe on Windows
Go 1.21+. Deps: Cobra (CLI), Bubbletea (TUI), Lipgloss (styling).
Cross-compile:
GOOS=linux GOARCH=amd64 go build -o unleash-linux-amd64 .
GOOS=linux GOARCH=arm64 go build -o unleash-linux-arm64 .
GOOS=darwin GOARCH=arm64 go build -o unleash-darwin-arm64 .
GOOS=darwin GOARCH=amd64 go build -o unleash-darwin-amd64 .
GOOS=windows GOARCH=amd64 go build -o unleash-windows-amd64.exe .
📄 License
built for operators who own their hardware
no permission gate survives contact with unleash
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found