# The Boot Sequence: From Typing `claude` to System Ready From the moment the user types `claude` to when the system is ready to accept input, three phases unfoldβ€”Pre-import preloading, initialization, and UI rendering. This chapter dissects the implementation details of the boot sequence, along with the trade-offs in optimizations like preconnection and deferred loading. > **🌍 Industry Context: The CLI Boot Sequence Is Standard Engineering Practice** > > Nearly every CLI tool must solve the "what to do at startup" problem; the difference lies in complexity and optimization: > > - **Aider** (Python CLI AI coding assistant): Relatively simple startupβ€”parse arguments, load config, establish API connection. Python module loading is itself slow, but Aider's dependency tree is far smaller than Claude Code's, so startup overhead is mainly the Python interpreter. > - **Cursor** (VS Code extension): As an editor extension, its "startup" is extension activation (`activate()`), not launching a standalone process. The VS Code extension host manages the lifecycle, a completely different problem domain from CLI cold start. > - **gh CLI** (GitHub's official CLI): A single statically-linked Go binary; startup is virtually instantaneousβ€”no module loading problem, Go's static linking naturally eliminates this overhead. > - **Vercel CLI**: Also a Node.js CLI, facing the same slow module loading; mitigated via `pkg` bundling and lazy-loading subcommands. > > What makes Claude Code special is that it is a **heavyweight Node.js/Bun CLI** (a dependency tree of 1,884 files) that must simultaneously perform I/O-heavy operations like credential reading and API preconnection during startup. Hence it runs I/O in parallel during the Pre-import phaseβ€”this is not a novel technique, but it is indeed uncommon among JS/TS CLI tools, because most do not have such a heavy module-loading burden. --- ## Prologue: The Three Stages of Booting a Computer After you press the power button, three things happen: 1. **BIOS/UEFI** (firmware) wakes upβ€”performs basic hardware checks and locates the disk containing the OS 2. **Bootloader** loadsβ€”reads the OS kernel from disk into memory 3. **Kernel Init**β€”starts all subsystems, finally displaying the login screen Claude Code's startup also has three stages: 1. **Pre-import stage**β€”launches critical I/O operations *before* the bulk of module loading 2. **Initialization stage**β€”loads config, connects to APIs, starts subsystems 3. **Ready stage**β€”renders the UI and waits for user input; background prefetching continues > πŸ“š **Course Connection:** The three boot stages = the OS BIOS β†’ Bootloader β†’ Kernel startup sequence. Pre-import maps to the BIOS firmware layer (doing basic hardware probing before the main system loads), `init()` maps to the Bootloader (loading all subsystems into place), and `launchRepl()` maps to the Kernel finishing initialization and showing the login screen. > > **πŸ”‘ OS Analogy:** Just like booting a PC: press power to detect hardware (`main.tsx`) β†’ load the OS (`init.ts`) β†’ show the desktop and wait for you to act (`launchRepl()`). > > πŸ’‘ **Plain English:** The boot sequence is like your **morning routine**β€”the alarm ringing = CLI startup β†’ washing up = loading config β†’ getting dressed = initializing modules β†’ leaving the house = ready and waiting for input. While you brush your teeth, you heat breakfast (I/O parallel prefetching); before leaving, you check for keys, phone, and wallet (checking credentials and config); once you arrive at work, you can start immediately. --- ## 1. Pre-import Stage: Getting a Head Start in the Gaps of Module Loading At the **very top** of `main.tsx`, three function calls are **interleaved between import statements**: ```typescript import { profileCheckpoint } from './utils/startupProfiler.js'; profileCheckpoint('main_tsx_entry'); // Record timestamp import { startMdmRawRead } from './utils/settings/mdm/rawRead.js'; startMdmRawRead(); // Start MDM config read import { startKeychainPrefetch } from './utils/secureStorage/keychainPrefetch.js'; startKeychainPrefetch(); // Start keychain prefetch // β€”β€” Below come the remaining dozens of imports β€”β€” import { Command as CommanderCommand } from '@commander-js/extra-typings'; import chalk from 'chalk'; // ... (dependency tree of 1,884 files) ``` **Key detail:** This exploits the **Bun bundler's sequential evaluation semantics**β€”each `import` must finish loading and evaluating that module before the next statement executes. So the actual execution order is: import `profileCheckpoint` β†’ call it β†’ import `startMdmRawRead` β†’ call it β†’ import `startKeychainPrefetch` β†’ call it. Each function depends only on its own import, without waiting for the remaining modules to load. This is more precise than "before all imports"β€”it is "before the *remaining* bulk of imports." **Why interleave them this way?** JavaScript/TypeScript `import` is synchronousβ€”the parser must load and execute all imported modules before continuing. The imports for these three functions are lightweight (a few milliseconds each), but the remaining import chain involves 1,884 files, taking roughly **~135 ms** to load. These three lines trigger two I/O operations *before* the bulk of module loading: - `startMdmRawRead()` (`utils/settings/mdm/rawRead.js`): On macOS, spawns a `plutil` subprocess to read the MDM config file; on Windows, uses `reg query` to read the registry. This is a subprocess operation with non-trivial overhead. - `startKeychainPrefetch()` (`utils/secureStorage/keychainPrefetch.js`): Launches **two** keychain reads in parallel (OAuth token + legacy API key). Without this prefetch, subsequent `applySafeConfigEnvironmentVariables()` would block synchronously for ~65 ms. Both operations are asynchronousβ€”they run in the background, **in parallel** with the remaining module loading. By the time the ~135 ms of module loading finishes, these two I/O operations may already be done. Later, in the `preAction` phase (`main.tsx:914`), `ensureMdmSettingsLoaded()` and `ensureKeychainPrefetchCompleted()` await their resultsβ€”most of the time with zero wait, because the results are already ready. **Analogy:** Checking your phone while waiting for the elevatorβ€”not "finish checking your phone, then wait for the elevator," but "check your phone *while* waiting for the elevator." Stuff useful work (I/O prefetching) into unavoidable wait time (module loading). --- ## 2. The `main()` Function: Mode Router Once module loading completes, the `main()` function executes. Its core responsibility is **deciding which runtime mode to enter**: ``` main() β”œβ”€β”€ Inspect CLI arguments β”‚ β”œβ”€β”€ -p / --print β†’ runHeadless() (single-shot print mode) β”‚ β”œβ”€β”€ mcp serve β†’ Start MCP server mode β”‚ └── No special flags β†’ Continue β”‚ β”œβ”€β”€ Inspect environment variables β”‚ β”œβ”€β”€ CLAUDE_CODE_COORDINATOR_MODE=1 β†’ Coordinator mode β”‚ └── KAIROS β†’ Assistant mode (ant-only) β”‚ β”œβ”€β”€ Inspect feature flags β”‚ β”œβ”€β”€ SSH_REMOTE β†’ SSH remote mode β”‚ β”œβ”€β”€ DIRECT_CONNECT β†’ cc:// URL direct-connect mode β”‚ └── BRIDGE_MODE β†’ Bridge mode β”‚ β”œβ”€β”€ preAction hook (Commander's pre-command hook) β”‚ β”œβ”€β”€ await MDM config + keychain prefetch completion β”‚ β”œβ”€β”€ await init() ← Subsystem initialization β”‚ β”œβ”€β”€ runMigrations() ← Migrations run after init() β”‚ β”œβ”€β”€ loadRemoteManagedSettings() ← Remote settings (non-blocking) β”‚ └── loadPolicyLimits() ← Policy limits (non-blocking) β”‚ └── Default β†’ launchRepl() (interactive REPL) ``` > **Note:** The `preAction` hook is a Commander.js mechanismβ€”it fires **only when executing a command**, so `claude --help` does not call `init()`. This avoids initialization overhead when merely viewing help text. ### Runtime Modes Core modes (available in all builds): | Mode | Trigger | Purpose | |------|---------|---------| | **REPL** | Default | Interactive terminal conversation | | **Headless** | `-p/--print` | Single invocation, output and exit | | **MCP Serve** | `mcp serve` subcommand | Run as an MCP server | Feature-gated extended modes (controlled by `bun:bundle`'s `feature()` compile-time switch; some internal-only builds): | Mode | Trigger | Purpose | Note | |------|---------|---------|------| | **Coordinator** | Env var `CLAUDE_CODE_COORDINATOR_MODE=1` | Multi-worker orchestration | Feature gate: `COORDINATOR_MODE` | | **KAIROS** | Feature gate + `assistant` subcommand | Internal Assistant mode | ant-only experimental feature | | **SSH Remote** | `claude ssh ` | Remote terminal | Feature gate: `SSH_REMOTE` | | **Direct Connect** | `cc://` URL | Connect to a remote Claude Code server | Feature gate: `DIRECT_CONNECT` | | **Bridge / Remote Control** | `--remote-control` / `--rc` | claude.ai/code remotely controls local environment | Feature gate: `BRIDGE_MODE` | > **Note:** SDK mode does not go through the `main()` router; it calls Claude Code's API directly via code import, so it is not listed here. Bridge (Remote Control) and Direct Connect are opposite connection directions: Bridge is remote controlling local, while Direct Connect is local connecting to a remote server. --- ## 3. Migration System: Keeping Config and Code in Sync Inside the `preAction` hook, after `init()` completes, the system calls `runMigrations()` (main.tsx:950) to check `globalConfig.migrationVersion`. If it does not equal the current version (version 11), all migration functions are run in sequence: ``` Version 1 β†’ 2: Model string format migration Version 2 β†’ 3: Config path migration ... Version 10 β†’ 11: Latest migration ``` Each migration function is idempotentβ€”running it many times has the same effect as running it once. This guarantees that even if a crash occurs mid-migration, rerunning will not cause errors. > πŸ“š **Course Connection:** Config loading = the OS `/etc` configuration hierarchy. Just as Linux reads `/etc/fstab` (mount table), `/etc/passwd` (user table), and `/etc/resolv.conf` (DNS config) during startup, Claude Code's migration system ensures config file formats stay consistent with the current code version. > > **πŸ”‘ OS Analogy:** Just like your phone automatically migrating data during a system upgradeβ€”the new version converts old-format contacts, photo libraries, and settings into the new format. --- ## 4. Initialization Stage: Subsystem Boot > πŸ“š **Course Connection:** Permission initialization = establishing userland privileges in an OS. Just as the Linux kernel verifies user identity via PAM modules and reads `/etc/sudoers` to determine scope after boot, Claude Code's `init` stage must complete OAuth verification, keychain reads, and policy limit loadingβ€”determining "what this user is allowed to do." The `init()` function in `entrypoints/init.ts` (line 57) is the system's "kernel initialization," wrapped with `memoize` to ensure it runs only once. It starts all subsystems in a precise order: ``` init() ← memoized, runs only once β”‚ β”œβ”€β”€ 1. enableConfigs() β”‚ └── Validate and enable the config system β”‚ β”œβ”€β”€ 2. applySafeConfigEnvironmentVariables() β”‚ └── Set safe environment variables before the trust dialog β”‚ β”œβ”€β”€ 3. applyExtraCACertsFromConfig() β”‚ └── Add extra CA certificates (must happen before the first TLS connection) β”‚ β”œβ”€β”€ 4. setupGracefulShutdown() β”‚ └── Register exit handlers β”‚ β”œβ”€β”€ 5. Launch async background tasks (do not await completion) β”‚ β”œβ”€β”€ 1P event log initialization (dynamic import, lazy-loads OTel sdk-logs) β”‚ β”œβ”€β”€ OAuth account info fetch β”‚ β”œβ”€β”€ JetBrains IDE detection β”‚ β”œβ”€β”€ Git repository detection (detectCurrentRepository) β”‚ β”œβ”€β”€ Remote settings loading promise initialization (only if isEligibleForRemoteManagedSettings()) β”‚ β”œβ”€β”€ Policy limits loading promise initialization (only if isPolicyLimitsEligible()) β”‚ └── Record first startup time β”‚ Note: Remote settings and policy limits only **initialize loading promises** here; β”‚ the actual loadRemoteManagedSettings() / loadPolicyLimits() calls happen β”‚ in the preAction hook after init(). β”‚ β”œβ”€β”€ 6. configureGlobalMTLS() β”‚ └── Configure global mTLS (mutual TLS) β”‚ β”œβ”€β”€ 7. configureGlobalAgents() β”‚ └── Configure HTTP proxies and mTLS agents β”‚ β”œβ”€β”€ 8. preconnectAnthropicApi() ← Key optimization β”‚ └── Establish TCP + TLS connection early (overlaps with subsequent steps) β”‚ β”œβ”€β”€ 9. initUpstreamProxy() (CCR mode, feature-gated) β”‚ └── Start CONNECT relay for credential injection β”‚ └── 10. ensureScratchpadDir() └── Create the Scratchpad directory (for Agent communication) ``` ### Careful Dependency Ordering The initialization order is not arbitrary: - **Config must be enabled first** (steps 1–2)β€”all subsequent subsystems need to read config - **CA certificates before TLS** (step 3)β€”must configure the certificate chain before any network connection - **Multiple async tasks launched in parallel** (step 5)β€”not awaited, running in the background "while the user is still looking at the UI." Remote settings and policy limit loading promises are triggered conditionally. πŸ“š *Course Connection: Parallel initialization = the `Promise.all` concurrency patternβ€”multiple independent I/O operations are initiated simultaneously, and any completed result can be used without serial waiting.* - **mTLS before API preconnection** (steps 6–7 β†’ 8)β€”configure TLS first, then establish the connection - **`preconnectAnthropicApi()`** establishes the TCP + TLS connection to the Anthropic API during `init`, so the first API call does not need to wait for handshakingβ€”a common HTTP client preconnection technique --- ## 5. Ready Stage: Deferred Prefetching After `launchRepl()` renders the first screen (the user sees the input box), the system launches a batch of **deferred prefetches** in the background: ``` startDeferredPrefetches() β”œβ”€β”€ initUser() ← Fetch user info β”œβ”€β”€ getUserContext() ← User context (includes CLAUDE.md) β”œβ”€β”€ prefetchSystemContextIfSafe() ← System context including getGitStatus() (5 parallel git operations) β”œβ”€β”€ getRelevantTips() ← Tips and hints β”œβ”€β”€ countFilesRoundedRg() ← File count statistics β”œβ”€β”€ refreshModelCapabilities() ← Model capability cache refresh β”œβ”€β”€ settingsChangeDetector ← Settings change listener └── skillChangeDetector ← Skill change listener ``` **Design philosophy:** This information is not required for first-screen rendering, but it is needed for the first AI call. Placing it in the prefetch window "while the user is still looking at the UI / typing" means that by the time the user actually presses Enter, the information is already prepared. ### The 5 Parallel Git Commands for Git Status Obtaining git status is not a single `git status`β€”`getGitStatus()` in `context.ts` runs 5 operations in parallel via `Promise.all`: ``` Executed in parallel (Promise.all): getBranch() ← Current branch (read via gitFilesystem cache layer) getDefaultBranch() ← Default branch (same, via cache layer) git --no-optional-locks status --short ← Changed files list git --no-optional-locks log --oneline -n 5 ← Last 5 commits git config user.name ← Current git username ``` Note that `getBranch()` and `getDefaultBranch()` do not directly spawn git subprocesses; instead, they read `.git` directory files directly through the `gitFilesystem.ts` cache layerβ€”faster than spawning a subprocess. The `--no-optional-locks` flag avoids acquiring `.git/index.lock` on read-only queries, preventing conflicts with other git operations. Why parallel? Because git commands need to read the `.git` directory or spawn subprocessesβ€”in large repositories this can be noticeably slow. Five sequential operations might take 500 ms; in parallel they might take only 150 ms. --- ## 6. Complete Timeline ``` t=0ms User types the `claude` command ↓ Node.js begins parsing main.tsx β”œβ”€β”€ startMdmRawRead() launched ── I/O parallel ──┐ β”œβ”€β”€ startKeychainPrefetch() launched ─────────────── └── Begins loading import modules β”‚ β”‚ t=~135ms Module loading completes β”‚ MDM config read ← ──── may already be done β”€β”€β”€β”€β”€β”€β”˜ Keychain prefetch ← ──── may already be done β”€β”€β”€β”€β”˜ ↓ main() begins execution β”œβ”€β”€ Mode routing (Commander parses CLI args) └── preAction hook fires β”œβ”€β”€ await MDM + keychain prefetch completion β”œβ”€β”€ init() initialization β”‚ β”œβ”€β”€ Load config β”‚ β”œβ”€β”€ CA certs + mTLS + proxy β”‚ β”œβ”€β”€ API preconnection β”‚ └── Async background tasks (event logs, OAuth...) β”œβ”€β”€ runMigrations() (on first run / upgrade) └── loadRemoteManagedSettings() + loadPolicyLimits() (non-blocking) t=~300ms Initialization complete (estimated) ↓ launchRepl() renders first screen ↓ User sees the input box (can start typing) t=~300ms+ Deferred prefetches run in the background (estimated) β”œβ”€β”€ User info + user context β”œβ”€β”€ Git status (5 parallel operations) β”œβ”€β”€ File count └── Model capability cache + change detectors t=~500ms Prefetching mostly complete ↓ System fully ready ``` **From typing the command to seeing the input box: ~300 ms (estimated; no precise benchmark data is publicly availableβ€”`profileCheckpoint` instrumentation exists in the source but benchmark results have not been published).** For reference: Go-compiled `gh CLI` startup is virtually instantaneous (<50 ms), while Python's Aider cold start takes roughly 1–2 s. Claude Code's ~300 ms is reasonable for a heavyweight Node.js CLIβ€”Pre-import I/O parallelism and deferred prefetching do reduce perceived latency, but the ~135 ms module loading overhead is a floor that cannot be avoided, an inherent cost of JS/TS runtime CLI tools. --- ## 7. Design Trade-offs ### Effective Engineering Decisions 1. **Pre-import I/O parallelism**β€”stuffing work into unavoidable wait time (module loading) is a pragmatic optimization; unconventional but clearly effective 2. **Deferred prefetching design** pushes non-urgent I/O into the "user typing" windowβ€”does not block first-screen rendering, a common perceived-performance optimization in CLI tools 3. **5 parallel git operations** instead of serial queriesβ€”standard I/O parallelization practice, and `getBranch()`/`getDefaultBranch()` avoid spawning subprocesses via the filesystem cache layer 4. **Idempotent migration design**β€”crash-safe, rerunning causes no errors, standard practice from the database migration world 5. **preAction hook pattern**β€”via Commander.js's `preAction` hook, pure-info commands like `claude --help` do not trigger `init()`, avoiding unnecessary initialization overhead (keychain reads, network connections, etc.) 6. **OpenTelemetry lazy loading**β€”the ~400 KB OTel + protobuf modules are deferred via dynamic `import()` until telemetry actually initializes; the gRPC exporter (~700 KB `@grpc/grpc-js`) is further lazy-loaded only when the gRPC protocol is selected. In total, ~1.1 MB of telemetry dependencies are off the critical startup path 7. **Multiple modes routed through a single entry**β€”reduces the number of entry files, but centralizes complexity ### Costs and Limitations 1. **Pre-import side effects** violate the JavaScript convention of "imports should have no side effects"β€”may confuse developers unfamiliar with the rationale. The source marks this as intentional with `eslint-disable custom-rules/no-top-level-side-effects` 2. **~135 ms module loading time** indicates a large dependency treeβ€”the import chain of 1,884 files is unavoidable 3. **Branch logic for multiple modes** concentrated in one functionβ€”adding new modes in the future may make `main()` very long 4. **Deferred prefetching time-window assumption**β€”if the user types extremely fast (e.g., pasting text and immediately pressing Enter), prefetching may not finish in time 5. **Migration version number is hardcoded**β€”no auto-discovery mechanism; each migration requires manually incrementing the version number --- ## 8. Code Landing Points Here are the precise source locations for the key concepts in this chapter: | Concept | File | Line | Explanation | |---------|------|------|-------------| | Pre-import side effects | `src/main.tsx` | :9-20 | `profileCheckpoint` + `startMdmRawRead` + `startKeychainPrefetch` interleaved and executed between imports | | preAction hook | `src/main.tsx` | :907-967 | Commander's `preAction` hookβ€”awaits MDM/keychain β†’ `init()` β†’ `runMigrations()` β†’ `loadRemoteManagedSettings()` + `loadPolicyLimits()` | | `init()` main function | `src/entrypoints/init.ts` | :57 | Wrapped with `memoize` to ensure single execution; starts all subsystems in order | | CA certificate config | `src/entrypoints/init.ts` | :77-79 | `applyExtraCACertsFromConfig()`β€”must complete before the first TLS handshake (Bun's BoringSSL caching mechanism) | | 7 async background tasks | `src/entrypoints/init.ts` | :94-132 | 1P event logs, OAuth, JetBrains detection, git repo detection, remote settings, etc. launched in parallel | | API preconnection | `src/entrypoints/init.ts` | :153-155 | `preconnectAnthropicApi()`β€”TCP+TLS handshake overlaps with subsequent steps | --- > **[Chart placeholder 2.2-A]**: Boot timeline β€” time distribution across the three stages (Pre-import / Init / Ready) > **[Chart placeholder 2.2-B]**: Mode routing decision tree β€” mapping from CLI args / env vars / feature flags to runtime modes > **[Chart placeholder 2.2-C]**: I/O parallelism Gantt chart β€” parallel timeline of module loading / MDM read / keychain prefetch / deferred prefetch