Problem
Claude Code makes auxiliary calls that aren't real conversation turns — recap ("the user stepped
away…"), title generation, the security-monitor check, etc. They land in ai_gateway_messages
indistinguishable from real turns, so anyone analyzing a conversation silently picks up calls
the user never made.
Hard part: most of these can't be cleanly fingerprinted. The recap call uses the full Claude
Code system prompt + claude-opus-4-8 + max_tokens 64000 — headers, system prompt, model,
settings all identical to a real turn; only the injected user-message text differs. So there's
no stable signal to key on, and content-substring matching is fragile across CC versions and
risks dropping real messages. The security-monitor call is the exception — it has its own
dedicated system prompt, so it's cleanly identifiable.
Direction
- Tag, don't drop. A wrong tag is harmless; a wrong drop loses real data.
- Security-monitor: safe to identify (and optionally drop) via its dedicated system prompt.
- Recap/title and similar: no stable fingerprint today — leave as benign rows, or tag only if CC
starts emitting a reliable marker (an aux header / request-type field would make this trivial).
Done when
Aux calls carry a label (e.g. aux_kind) so conversation queries can exclude them, and no real
turn is mislabeled.
Problem
Claude Code makes auxiliary calls that aren't real conversation turns — recap ("the user stepped
away…"), title generation, the security-monitor check, etc. They land in
ai_gateway_messagesindistinguishable from real turns, so anyone analyzing a conversation silently picks up calls
the user never made.
Hard part: most of these can't be cleanly fingerprinted. The recap call uses the full Claude
Code system prompt + claude-opus-4-8 + max_tokens 64000 — headers, system prompt, model,
settings all identical to a real turn; only the injected user-message text differs. So there's
no stable signal to key on, and content-substring matching is fragile across CC versions and
risks dropping real messages. The security-monitor call is the exception — it has its own
dedicated system prompt, so it's cleanly identifiable.
Direction
starts emitting a reliable marker (an aux header / request-type field would make this trivial).
Done when
Aux calls carry a label (e.g.
aux_kind) so conversation queries can exclude them, and no realturn is mislabeled.