Advisory Opinion — v1.1 (Daemon)

I. Executive Summary

v1.0 of inference-relay shipped as a TypeScript npm library that spawned the Claude Code CLI as a child process from within a Node.js application. v1.1 ships the same compliance posture inside a different container: a long-lived, memory-safe Rust daemon bound to 127.0.0.1:7421 that exposes Anthropic-shape HTTP and drives the Claude Code CLI through a managed pseudo-terminal.

The architectural change does not move any of the compliance load-bearing facts:

• Inference still executes through Anthropic's own published binary.
• The CLI is still invoked through documented programmatic interfaces.
• Prompt caching is still preserved; compute load remains 1× of manual CLI use.
• Anthropic still receives standard Claude Code telemetry.
• Both the developer and the user still independently pay Anthropic.
• No content of any kind transits inference-relay servers.

What v1.1 changes is the distribution: any-language SDKs (Python, Go, Rust, curl) can now reach a Claude Code session via a one-line baseURL override. The legal analysis is unchanged because Anthropic's own software remains the inference path.

II. What Changed Since the v1.0 Opinion

A. The April 4, 2026 Enforcement (Unchanged Conclusions)

The v1.0 advisory opinion analyzed Anthropic's February-April 2026 enforcement against OpenClaw and tools that extracted OAuth tokens and called api.anthropic.com directly, bypassing Claude Code entirely. v1.0's architecture invoked Claude Code rather than replacing it; the same is true of v1.1's. The enforcement-target distinction — replacement vs. invocation — does not shift with the v1.1 architecture.

B. The June 15, 2026 Agent SDK Billing Split (Validates v1.1's Posture)

Effective June 15, 2026, Anthropic split Claude subscription billing into two pools (Pro / Max 5x / Max 20x):

• Interactive use of Claude Code (the CLI binary), Claude.ai, and Cowork → remains subsidized at the subscription tier.
• Programmatic use via the Agent SDK, claude -p, ACP, and third-party harnesses built on the Agent SDK → moves to a metered monthly credit pool ($20 / $100 / $200) billed at full API rates beyond the credit.

This change has the effect of formalizing the interactive-vs-programmatic distinction Anthropic implied in its February 2026 clarification. The clarification stated that OAuth authentication

is designed to support ordinary use of Claude Code and other native Anthropic applications

developers building products or services that interact with Claude's capabilities, including those using the Agent SDK, should use API key authentication.

inference-relay v1.1's mechanism — driving the interactive Claude Code CLI via PTY — sits squarely on the subscription-subsidized side of the new split. The daemon does not call the Agent SDK. It does not invoke claude -p. It does not use ACP. It drives the same interactive Claude Code that a human at a terminal would.

The billing split makes the compliance posture more legible, not less. Where the v1.0 opinion had to defend “programmatic invocation of the interactive CLI” as inside the spirit of the terms, v1.1 operates inside the exact path Anthropic has now formally subsidized at the subscription tier.

III. Why v1.1 Is Compliant

A. It Drives Interactive Claude Code, Not the Agent SDK

The daemon spawns the standard claude binary as a child process attached to a pseudo-terminal. It feeds keystrokes through the PTY and reads the terminal output via vt100 emulation. From Anthropic's telemetry perspective, every session is indistinguishable from a human running Claude Code interactively in iTerm or Windows Terminal. There is no Agent SDK in the call path.

This is the architectural opposite of OpenClaw: OpenClaw bypassed Claude Code and called the API directly; v1.1 puts Claude Code in the call path of every single request, by design.

B. The Daemon Is a Local Adapter, Not a Remote Proxy

Loopback-only binding (127.0.0.1:7421, enforced at the socket layer) means the daemon is unreachable from any other machine on the local network or from the public internet. Each install services exactly one user's subscription on exactly one machine. The daemon is the local equivalent of a database connection pool — it manages the user's own session to the user's own subscription.

C. Programmatic CLI Invocation Is Documented Public Use

Anthropic's Claude Code CLI documentation describes flags like --print, --no-tty, and --continue-session as “non-interactive” modes designed for scripting. inference-relay v1.1 drives the CLI through these same documented interfaces. v1.1 differs from v1.0 only in substrate (Rust + PTY instead of Node.js + child_process); the public interface contract is identical.

D. No Resale; Two Independent Payments

Both parties independently pay Anthropic:

• The end user pays Anthropic for their Claude subscription (Pro / Max). This is where execution is metered post-June-15.
• The developer pays inference-relay for the routing daemon (license key).

Neither party pays the other for Anthropic access; the developer does not resell Anthropic compute, and the user does not pay inference-relay for inference. The daemon sells routing software, not Anthropic access — the same legal posture as Terraform, a CI runner, or a Postgres connection pool.

E. Zero Reverse Engineering

The daemon treats the claude binary as a black box. It writes keystrokes to the binary's stdin via PTY, reads bytes from stdout via PTY, and parses the rendered terminal output via a public vt100 implementation. The binary is never decompiled, disassembled, or inspected as code. The interface is what Anthropic publishes — terminal I/O — and nothing more.

F. Zero Additional Compute Burden

Each daemon-driven Claude Code session is, from Anthropic's perspective, a standard Claude Code session. Prompt caching is fully preserved because the binary handles its own cache. The Session Pool reuses long-lived PTYs to amortize the ~2 s cold-spawn cost across many calls, which if anything reduces aggregate compute compared to a naive “new session per call” pattern.

G. No Competing Product

inference-relay v1.1 is not a chatbot, coding assistant, collaborative workspace, foundation model, or API service. It is a daemon that adapts an HTTP interface onto an interactive CLI on the user's own machine. The daemon does not compete with any Anthropic product — every user must independently maintain an active Claude subscription, which means each install increases Anthropic's recurring revenue.

IV. New Compliance Considerations Introduced by v1.1

1. Rust Runtime + Auditability (Strengthens Posture)

v1.1 is implemented in Rust. The runtime is memory-safe by construction, statically linked, and reproducible-build-capable. Enterprise customers can verify a deployed binary against a published sha256 and an open audit of the source. The Rust posture also removes an entire category of memory-corruption attack vectors that an audit might raise against a Node.js or Electron equivalent.

2. Signed Update Chain (Strengthens Posture)

Update bundles are signed with an ed25519 key whose public half is embedded in the daemon at compile time. The daemon refuses to apply an update whose signature does not verify against the embedded key. This eliminates the supply-chain risk a per-version npm dependency would have carried.

3. Loopback-Only Network Surface (Strengthens Posture)

The daemon binds 127.0.0.1:7421 exclusively. It refuses to bind any non-loopback address. This is enforced at the socket layer at startup (the daemon panics if a non-loopback bind is requested). The practical consequence: no firewall configuration on the user's machine, no exposed surface for credential exfiltration, and no possibility of remote unauthenticated access.

4. Distribution as a Signed Installer (Strengthens Posture)

v1.1 ships as a Tauri-bundled .dmg / .exe rather than an npm package. End-user installation is mediated by the OS's installer flow — Gatekeeper on macOS, SmartScreen on Windows. Apple Developer ID and Windows EV signing land in a near-term point release; current v1.1.x ships Gatekeeper-warned, which the user explicitly acknowledges at install time.

V. The OpenClaw Distinction (v1.1 Updated)

VI. Updated Risk Matrix

VII. Recommended Posture

1. Maintain the v1.0 marketing reframe — Lead with privacy, enterprise compliance, zero-trust architecture, and local execution. The June 15 split makes “subscription-rate agent infrastructure” a clean second pitch.
2. Document the interactive-not-SDK posture explicitly — Every published technical doc should reinforce that the daemon drives interactive Claude Code, not the Agent SDK.
3. Ship Developer ID + EV cert signing — Removes the Gatekeeper/SmartScreen warnings; finalizes the trust chain end-to-end.
4. Publish update-bundle pubkey rotation policy — Document the keypair rotation cadence and the migration path if a signing key is ever compromised.
5. Continue monitoring enforcement — Track which third-party tools draw enforcement after June 15 and what telemetry patterns Anthropic uses to distinguish permitted from prohibited use.

VIII. Conclusion

v1.1 inherits every compliance argument made for v1.0 and strengthens each axis the architectural change touches. The daemon drives Anthropic's own software, on the user's own machine, through documented interfaces, with two independent revenue streams, without burdening Anthropic's infrastructure, and without exposing any attack surface to the network.

The June 15, 2026 billing split formalizes the line v1.1 was already sitting on: interactive Claude Code is subsidized; Agent SDK use is metered. The daemon runs the interactive binary. Customers running agents through inference-relay stay on the subsidized pool that every other third-party harness just moved off of.

v1.1's compliance posture is stronger than v1.0's, not because the legal terms have shifted, but because Anthropic's own product decisions have made the architecture's posture more legible.