Why this matters
This chapter follows the very first startup work. Before Claude Code knows
which workspace it is in, init() prepares the shared process state, enables
configuration, and makes the network stack safe to use.
Start with config and safe environment variables
The first pass is deliberately conservative. It enables the config system, applies only the safe environment variables, and installs graceful shutdown hooks before anything else gets a chance to run.
    export const init = memoize(async (): Promise<void> => {
      const initStartTime = Date.now()
      logForDiagnosticsNoPII('info', 'init_started')
      profileCheckpoint('init_function_start')
      // Validate configs are valid and enable configuration system
      try {
        const configsStart = Date.now()
        enableConfigs()
        logForDiagnosticsNoPII('info', 'init_configs_enabled', {
          duration_ms: Date.now() - configsStart,
        })
        profileCheckpoint('init_configs_enabled')
        // Apply only safe environment variables before trust dialog
        // Full environment variables are applied after trust is established
        const envVarsStart = Date.now()
        applySafeConfigEnvironmentVariables()
        // Apply NODE_EXTRA_CA_CERTS from settings.json to process.env early,
        // before any TLS connections. Bun caches the TLS cert store at boot
        // via BoringSSL, so this must happen before the first TLS handshake.
        applyExtraCACertsFromConfig()
        logForDiagnosticsNoPII('info', 'init_safe_env_vars_applied', {
          duration_ms: Date.now() - envVarsStart,
        })
        profileCheckpoint('init_safe_env_vars_applied')
        // Make sure things get flushed on exit
        setupGracefulShutdown()
        profileCheckpoint('init_after_graceful_shutdown')
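enableConfigs() turns the config system on. applySafeConfigEnvironmentVariables()
copies in only the settings that are safe before trust is established; the full
set of environment variables is applied after trust. applyExtraCACertsFromConfig()
copies NODE_EXTRA_CA_CERTS from settings.json into process.env before the first
TLS handshake, because Bun caches the TLS certificate store at boot.
setupGracefulShutdown() makes sure the process can still flush logs and other
state cleanly if startup fails later.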
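
The two-phase pattern described above, as an added sketch that is not Claude Code's own code: config-supplied variables outside an allowlist are held back until trust is established. The allowlist contents, createEnvGate, demoTrustGate and the sample config are all hypothetical and constructed for illustration.

```typescript
// Added example. Every name here is hypothetical, not Claude Code's API.
type Env = Record<string, string | undefined>

// Assumed allowlist: keys that only affect display or locale. Keys that can
// change code loading, trust roots or network routing stay off it.
const SAFE_ENV_KEYS: ReadonlySet<string> = new Set(['NO_COLOR', 'TZ', 'LANG'])

interface EnvGate {
  applySafe(): string[] // phase 1: call before the trust decision
  applyAll(): string[] // phase 2: call only after trust is established
}

// Holds config-supplied variables and releases them into `target` in two phases.
function createEnvGate(configEnv: Env, target: Env): EnvGate {
  const pending = new Map<string, string>()
  for (const [key, value] of Object.entries(configEnv)) {
    if (typeof value === 'string') pending.set(key, value)
  }
  const release = (allow: (key: string) => boolean): string[] => {
    const written: string[] = []
    for (const key of Array.from(pending.keys())) {
      if (!allow(key)) continue
      target[key] = pending.get(key) as string
      pending.delete(key)
      written.push(key)
    }
    return written.sort() // sorted so the result is easy to log and compare
  }
  return {
    applySafe: () => release(key => SAFE_ENV_KEYS.has(key)),
    applyAll: () => release(() => true),
  }
}

// Constructed sample: what a config file might ask for.
const SAMPLE_CONFIG_ENV: Env = {
  TZ: 'UTC',
  NODE_OPTIONS: '--max-old-space-size=4096',
  HTTPS_PROXY: 'http://proxy.example:8080',
}

// Runs both phases against a fresh environment object and reports each step.
function demoTrustGate() {
  const env: Env = {}
  const gate = createEnvGate(SAMPLE_CONFIG_ENV, env)
  const beforeTrust = gate.applySafe()
  const heldBack = env.NODE_OPTIONS === undefined && env.HTTPS_PROXY === undefined
  const afterTrust = gate.applyAll()
  return { beforeTrust, heldBack, afterTrust, env }
}
```

Logging the list returned by each phase gives a record of which config-supplied keys reached the process before the trust decision.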
Configure network plumbing next
Once the config layer is live, init() sets up TLS and HTTP transport. That is
what lets later code reuse the right agents and certificates instead of
creating one-off network behavior in the middle of a request.
        // Configure global mTLS settings
        const mtlsStart = Date.now()
        logForDebugging('[init] configureGlobalMTLS starting')
        configureGlobalMTLS()
        logForDiagnosticsNoPII('info', 'init_mtls_configured', {
          duration_ms: Date.now() - mtlsStart,
        })
        logForDebugging('[init] configureGlobalMTLS complete')
        // Configure global HTTP agents (proxy and/or mTLS)
        const proxyStart = Date.now()
        logForDebugging('[init] configureGlobalAgents starting')
        configureGlobalAgents()
        logForDiagnosticsNoPII('info', 'init_proxy_configured', {
          duration_ms: Date.now() - proxyStart,
        })
        logForDebugging('[init] configureGlobalAgents complete')
        profileCheckpoint('init_network_configured')
        // Preconnect to the Anthropic API — overlap TCP+TLS handshake
        // (~100-200ms) with the ~100ms of action-handler work before the API
        // request. After CA certs + proxy agents are configured so the warmed
        // connection uses the right transport. Fire-and-forget; skipped for
        // proxy/mTLS/unix/cloud-provider where the SDK's dispatcher wouldn't
        // reuse the global pool.
        preconnectAnthropicApi()
configureGlobalMTLS() and configureGlobalAgents() make the network
transport consistent for the whole process. In plain English, this is the step
where Claude Code decides which certificates and shared connection settings it
will use for later requests. preconnectAnthropicApi() is a small performance
warmup: it starts the connection early so the first real API request has less
work to do.
Takeaways
- Global bootstrap comes before workspace-specific setup.
- Only the safe subset of environment variables is applied before trust; the full set waits until trust is established.
- The network warmup happens only after the TLS and proxy plumbing is ready.