# Inside the Build: Claude Desktop's Government Deployment Mode > A binary analysis of Claude Desktop 1.1.3363. How Anthropic's FedRAMP High government product is implemented, what changed from prior releases, and how it maps to Palantir's FedStart infrastructure. **URL:** https://aaddrick.com/blog/inside-the-build-claude-desktops-government-deployment-mode --- Claude Desktop 1.1.3363, released February 17, 2026, contains the complete implementation of Anthropic's Claude for Government product. The entire feature set was added in a single release, with no trace in any prior version. This report documents what was found in the binary. --- **Source:** `claude-desktop-1.1.3363-amd64.AppImage` **Extracted:** `/tmp/claude-gov-inspect/app-extracted/` **Date:** 2026-02-17 > **Note on code samples:** All JavaScript in this report has been renamed for readability. > The original source is minified and obfuscated; single-letter variables (`t`, `e`, `r`, > `LC`, `F`, `Pe`, etc.) have been replaced with descriptive names inferred from context, > string literals, log messages, and surrounding logic. Function names like `uWe()`, `en()`, > `ho()`, `Je()`, and `UJe()` have been replaced with best-guess semantic equivalents. > These reconstructions are accurate in structure and behavior but are **not** the literal > source code. Treat them as annotated pseudocode. --- ## Summary Claude Desktop 1.1.3363 contains a fully-implemented "custom government deployment" mode gated behind an enterprise configuration key (`customDeploymentUrl`). When activated, the app connects to Palantir-hosted federal infrastructure (`claude.fedstart.com`) instead of `claude.ai`, uses Keycloak/Palantir SSO for authentication, disables all Sentry telemetry, displays a "public sector" banner, and blocks all renderer network egress to non-approved domains. **This code was not present in any prior release.** Version history analysis confirms the entire gov mode implementation was added in a single release: claude 1.1.3363, published February 17, 2026, nearly a year after the public FedStart partnership announcement. --- ## Key Findings ### 1. Dedicated Government Domains Four hardcoded domains are whitelisted exclusively for government mode: ```js // Production "https://claude.fedstart.com" // Staging "https://claude-staging.fedstart.com" // Palantir SSO (production) "access-claude.palantirfedstart.com" // Palantir SSO (staging) "access-claude-staging.palantirfedstart.com" ``` `fedstart.com` is Palantir's FedStart platform, a FedRAMP-authorized cloud environment used to deploy commercial SaaS products for US federal agencies. --- ### 2. The `isUsingCustomGovDeployment` Global Flag All gov-mode behavior is gated on a single global: ```js // Set during app init from enterprise config function initCustomDeployment() { const config = getEnterpriseConfig(); if (config.customDeploymentUrl) { try { new URL(config.customDeploymentUrl); } catch { logger.error("invalid customDeploymentUrl in enterprise config: %s", config.customDeploymentUrl); return; } customBaseUrl = config.customDeploymentUrl; globalThis.isUsingCustomGovDeployment = true; logger.info("custom deployment enabled, base URL: %s", customBaseUrl); } } ``` `customBaseUrl` becomes the base URL (replacing `https://claude.ai`). Every URL in the app is then derived from `getBaseUrl()`: ```js function getBaseUrl() { const buildConfig = getBuildConfig(); const defaultUrl = "https://claude.ai"; return ( customBaseUrl || (buildConfig.buildType === "dev" && (process.env.CLAUDE_AI_URL || getUserConfig().claudeAiUrl)) || defaultUrl ); } ``` --- ### 3. Origin Allowlist (IPC / WebRequest gates) Three separate origin checks in `index.js` and `mainView.js` use the same pattern. The trusted origin set is: | Origin | When allowed | |--------|-------------| | `https://claude.ai` | Always | | `https://preview.claude.ai` | Always | | `https://claude.com` | Always | | `https://preview.claude.com` | Always | | `https://beacon.claude-ai.staging.ant.dev` | `isUsingCustomGovDeployment` | | `https://claude-staging.fedstart.com` | `isUsingCustomGovDeployment` | | `https://claude.fedstart.com` | `isUsingCustomGovDeployment` | | `localhost` | Dev flag / unpackaged | ```js // Simplified structure (appears 3x in code) globalThis.isUsingCustomGovDeployment && (origin === "https://beacon.claude-ai.staging.ant.dev" || origin === "https://claude-staging.fedstart.com" || origin === "https://claude.fedstart.com") ``` --- ### 4. Authentication: Keycloak + WorkOS SSO The app accepts SSO auth flows from two identity providers: ```js function isTrustedLoginUrl(url) { return !!( // Standard claude.ai login (isDeploymentHost(url.host) && url.pathname.startsWith("/login/")) || // Dev override (url.host === "claude-ai.staging.ant.dev" && url.pathname.startsWith("/login/") && globalThis.isDeveloperApprovedDevUrlOverrideEnabled) || // WorkOS (enterprise SSO for commercial customers) (url.host === "api.workos.com" && url.pathname.startsWith("/sso/")) || // Keycloak realms, used by Palantir FedStart ((isDeploymentHost(url.host) || isPalantirFedStartHost(url.host)) && url.pathname.match(/^\/realms\/[^/]+\/protocol\/openid-connect\//)) ); } // Checks whether a host is one of the Palantir FedStart SSO endpoints: function isPalantirFedStartHost(host) { return ( host === "access-claude.palantirfedstart.com" || host === "access-claude-staging.palantirfedstart.com" ); } ``` The Keycloak `/realms/{realm}/protocol/openid-connect/` path is the standard Palantir FedStart OIDC flow. `access-claude.palantirfedstart.com` is the Keycloak instance Anthropic runs on Palantir's infrastructure. --- ### 5. Network Egress Blocking In gov mode, ALL renderer network requests are blocked unless the destination host matches the configured deployment domain: ```js electron.session.defaultSession.webRequest.onBeforeRequest((request, callback) => { if (globalThis.isUsingCustomGovDeployment) try { const requestUrl = new URL(request.url); if (!isDeploymentHost(requestUrl.host)) { logger.info( "[gov] blocked renderer egress to non-allowed domain: %s (%s)", requestUrl.host, request.resourceType ); callback({ cancel: true }); return; } } catch { callback({ cancel: true }); return; } // ... normal flow }); ``` `isDeploymentHost()` accepts only the configured deployment domain and its `.ai`/`.com` mirror: ```js function isDeploymentHost(host) { const deploymentHost = new URL(getBaseUrl()).host; if (host === deploymentHost) return true; // Also accept the .ai <-> .com mirror of the deployment host if (deploymentHost.endsWith(".ai")) { const mirrorHost = deploymentHost.replace(/\.ai$/, ".com"); return host === mirrorHost; } if (deploymentHost.endsWith(".com")) { const mirrorHost = deploymentHost.replace(/\.com$/, ".ai"); return host === mirrorHost; } return false; } ``` This means: in gov mode, even Sentry, Qualtrics surveys, and any external CDN are blocked. --- ### 6. Sentry Disabled Crash reporting and error telemetry are explicitly shut down: ```js globalThis.isUsingCustomGovDeployment && (await Promise.resolve().then(() => sentryClient)).close(); logger.info("Sentry disabled for custom deployment mode"); ``` This is consistent with FedRAMP data sovereignty requirements: no telemetry leaves the accredited boundary. --- ### 7. Public Sector Banner (`--desktop-pubsec-banner=1`) A visual "public sector" banner is injected into the renderer via a command-line argument: ```js // In main process (index.js) when creating the WebContentsView: const webContentsView = createWebContentsView({ webPreferences: { preload: path.join(electron.app.getAppPath(), ".vite/build/mainView.js"), additionalArguments: [ `--desktop-features=${JSON.stringify(getDesktopFeatures())}`, ...globalThis.isUsingCustomGovDeployment ? ["--desktop-pubsec-banner=1"] : [], ], }, }); ``` ```js // In mainView.js (preload), exposes the flag to the renderer world: const pubsecArg = process.argv.find((arg) => arg.startsWith("--desktop-pubsec-banner=")); if (pubsecArg) { const enabled = pubsecArg.slice(24); contextBridge.exposeInMainWorld("desktopPubsecBannerEnabled", enabled === "1"); } ``` The renderer (web app at `claude.fedstart.com`) reads `window.desktopPubsecBannerEnabled` to display an appropriate "This is a US Government system" style notice. --- ### 8. Enterprise Configuration: How to Enable Gov Mode The `customDeploymentUrl` key can be delivered three ways: **macOS**: CFPreferences plist at: ``` ~/Library/Preferences/com.anthropic..plist ``` **Windows**: Registry: ``` SOFTWARE\Policies\Claude\customDeploymentUrl ``` **All platforms**: `claude_desktop_config.json` (user config file): ```json { "customDeploymentUrl": "https://claude.fedstart.com" } ``` Full enterprise config schema (from Zod validation in source): ```js { isDesktopExtensionEnabled: boolean (optional), isDesktopExtensionDirectoryEnabled: boolean (optional), isDesktopExtensionSignatureRequired: boolean (optional), isLocalDevMcpEnabled: boolean (optional), isClaudeCodeForDesktopEnabled: boolean (optional), secureVmFeaturesEnabled: boolean (optional), autoUpdaterEnforcementHours: integer 1-72 (optional), disableAutoUpdates: boolean (optional), customDeploymentUrl: URL string (optional), // ← gov mode trigger isDxtEnabled: boolean (optional), isDxtDirectoryEnabled: boolean (optional), isDxtSignatureRequired: boolean (optional), } ``` --- ## Architecture Summary ```mermaid flowchart TD A["Enterprise Config\ncustomDeploymentUrl = 'https://claude.fedstart.com'"] A --> B["globalThis.isUsingCustomGovDeployment = true"] B --> C["Base URL → claude.fedstart.com"] B --> D["Sentry → DISABLED"] B --> E["Renderer egress → BLOCKED\nto non-allowed domains"] B --> F["Auth → Keycloak\naccess-claude.palantirfedstart.com"] B --> G["UI → pubsec banner injected\nwindow.desktopPubsecBannerEnabled = true"] C --> H["Palantir FedStart Platform\n(FedRAMP High / IL5 accredited)"] F --> H H --> I["claude.fedstart.com\nAnthropic's gov instance"] ``` --- ## Version History Analysis To determine when the gov mode code first appeared, AppImages were downloaded from the [aaddrick/claude-desktop-debian](https://github.com/aaddrick/claude-desktop-debian) release archive and each was extracted and searched for the presence of `fedstart.com`, `palantirfedstart`, `isUsingCustomGovDeployment`, `customDeploymentUrl`, and `pubsec`. | Claude version | Release date | Gov code present? | |----------------|-------------|-------------------| | 0.14.4 | Oct 22, 2025 | No | | 1.0.2768 | Jan 5, 2026 | No | | 1.1.381 | Jan 19, 2026 | No | | 1.1.799 | Jan 24, 2026 | No | | 1.1.2321 | Feb 8, 2026 | No | | 1.1.2685 | Feb 11, 2026 | No | | 1.1.3189 | Feb 14–17, 2026 | No | | **1.1.3363** | **Feb 17, 2026** | **Yes (first appearance)** | The entire feature set landed in a single release with no prior incremental commits visible in the shipping binary. The version number gap from 3189 to 3363 is the largest in recent history, suggesting a significant internal build cycle before shipping. ### Overall Timeline ```mermaid timeline title Claude Government Deployment Timeline Nov 2024 : Anthropic + Palantir + AWS : announce IL6 classified partnership Apr 2025 : Anthropic joins Palantir FedStart : FedRAMP High / IL5 announced Oct 2025 – Feb 2026 : claude 0.14.4 → 1.1.3189 : no gov code in desktop client Feb 17 2026 : claude 1.1.3363 ships : all gov mode code added simultaneously ``` The ~10 month gap between the FedStart announcement and the desktop implementation is consistent with the compliance and infrastructure work required to achieve FedRAMP High accreditation through FedStart before exposing the product to end users. --- ## Official Announcement (April 17, 2025) Key deployment details from the press release: - Hosted on **Google Cloud** (FedRAMP High + IL5 accredited commercial cloud) - Multi-cloud inference: **Amazon Bedrock** and **Google Cloud Vertex AI** - Product: **Claude for Enterprise** (not a stripped-down gov-only variant) - Anthropic also has a separate, older partnership with Palantir AIP on AWS (SageMaker + Bedrock) for **IL6** (classified) workloads, predating this FedStart announcement The IL6 partnership (classified environments) uses Palantir's AIP platform directly, not the desktop app's `fedstart.com` endpoints. The desktop app's gov mode (`claude.fedstart.com`) corresponds to the FedRAMP High / IL5 deployment announced April 2025. --- ## IL6 Partnership (Classified Environments) **Announced:** November 7, 2024, predating the FedStart/desktop announcement by five months. ### What It Is A three-way partnership between Anthropic, Palantir, and AWS to make Claude available in **Impact Level 6 (IL6)** classified environments, the DoD's highest security tier, covering systems that process Controlled Unclassified Information (CUI) and classified national security data. IL6 requires the strictest security protocols of any commercial cloud accreditation. ### Technical Stack | Layer | Technology | |-------|-----------| | Model | Claude 3 and Claude 3.5 family | | Platform | Palantir AIP (AI Platform) | | Hosting | AWS IL6-accredited infrastructure | | Deployment management | Amazon SageMaker | Claude does **not** run as a standalone desktop app in this context. It is integrated directly into Palantir's AIP platform, accessed through Palantir's tooling rather than the Claude Desktop application. This is why the desktop app's gov mode code points only to `claude.fedstart.com` (IL5); the IL6 pathway is a separate, API/platform-level integration. ### Relationship to the Desktop App The two partnerships are distinct tiers: | | IL6 (Nov 2024) | FedRAMP High / IL5 (Apr 2025) | |-|----------------|-------------------------------| | Partner | Palantir AIP + AWS | Palantir FedStart + Google Cloud | | Access method | Via Palantir AIP platform | Claude Desktop / web app | | Endpoint | No public domain (classified) | `claude.fedstart.com` | | Auth | Palantir AIP identity | Keycloak at `access-claude.palantirfedstart.com` | | Scope | Intelligence / defense agencies | Broad federal civilian + defense workforce | | Users | Cleared personnel | "Millions of federal workers" | | Telemetry | N/A (air-gapped) | Sentry disabled in desktop app | --- ## References ### Official Announcements **IL6 / Classified (Nov 2024)** - [Anthropic and Palantir Partner to Bring Claude AI Models to AWS for U.S. Government Intelligence and Defense Operations (BusinessWire, Nov 7 2024)](https://www.businesswire.com/news/home/20241107699415/en/Anthropic-and-Palantir-Partner-to-Bring-Claude-AI-Models-to-AWS-for-U.S.-Government-Intelligence-and-Defense-Operations) - [Palantir investor page, same announcement](https://investors.palantir.com/news-details/2024/Anthropic-and-Palantir-Partner-to-Bring-Claude-AI-Models-to-AWS-for-U.S.-Government-Intelligence-and-Defense-Operations/) - [Anthropic's Claude AI models now available for US defense agencies (Neowin)](https://www.neowin.net/news/anthropics-claude-ai-models-now-available-for-us-defense-agencies/) - [AWS, Anthropic, Palantir Join Forces to Bring Gen AI to US Defense (Analytics India Mag)](https://analyticsindiamag.com/ai-news-updates/aws-anthropic-and-palantir-join-forces-to-bring-generative-ai-to-us-defense-and-intelligence/) **FedRAMP High / IL5 (Apr 2025)** - [Anthropic Joins Palantir's FedStart Program to Deploy Claude Application (BusinessWire, Apr 17 2025)](https://www.businesswire.com/news/home/20250417172108/en/Anthropic-Joins-Palantirs-FedStart-Program-to-Deploy-Claude-Application) - [Palantir investor page, same announcement](https://investors.palantir.com/news-details/2025/Anthropic-Joins-Palantirs-FedStart-Program-to-Deploy-Claude-Application/) - [Palantir, Anthropic, Google deepen ties on government AI with Claude partnership (FedScoop)](https://fedscoop.com/palantir-anthropic-google-government-ai-claude-partnership/) - [Palantir Teams Up With Google To Supercharge FedStart (Sahm Capital)](https://www.sahmcapital.com/news/content/palantir-google-anthropic-boost-government-sourcing-2025-04-24) - [Palantir, Google and Anthropic Boost Government Sourcing (Procurement Magazine)](https://procurementmag.com/news/palantir-google-anthropic-boost-government-sourcing) ### Palantir FedStart Background - [Introducing Palantir FedStart (Palantir Blog, Jun 2023)](https://blog.palantir.com/introducing-palantir-fedstart-cd5995d0dfaa) - [Palantir FedStart product page](https://www.palantir.com/offerings/fedstart/) - [Palantir FedStart on AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-hl3mrsqacqhzo) - [Palantir FedStart on Microsoft Azure Marketplace](https://marketplace.microsoft.com/en-us/marketplace/apps/palantirtechnologies1585670280063.palantir_fedstart?tab=overview) - [Palantir Granted FedRAMP High Baseline Authorization (2024)](https://investors.palantir.com/news-details/2024/Palantir-Granted-FedRAMP-High-Baseline-Authorization/) - [Palantir FedStart and the Path to CMMC (Palantir Blog)](https://blog.palantir.com/securing-americas-defense-industrial-base-a603ff39dc92) - [Google Cloud Coming Soon to Palantir FedStart (Google Cloud Blog)](https://cloud.google.com/blog/topics/public-sector/google-public-sector-and-palantir-collaborate-to-bring-google-cloud-to-fedstart) ### Other FedStart Partners (for context) - [Unstructured.io Joins Palantir FedStart (BusinessWire, Aug 2025)](https://www.businesswire.com/news/home/20250808482862/en/Unstructured.io-Joins-Palantir-FedStart-Program-to-Accelerate-Federal-Adoption-of-AI-Ready-Data-Solutions-Through-FedRAMP-High-and-IL-5-Authorizations) - [Virtualitics Joins Palantir FedStart](https://virtualitics.com/virtualitics-joins-palantirs-fedstart-program-to-accelerate-mission-ready-ai-for-defense/) - [Hyperscience Partners with Palantir on FedRAMP](https://www.hyperscience.ai/blog/extending-success-in-the-public-sector-securing-fedramp-accreditation-in-partnership-with-palantir/) ### Code Sources - `claude-desktop-1.1.3363-amd64.AppImage` → `app.asar` → `.vite/build/index.js` - `claude-desktop-1.1.3363-amd64.AppImage` → `app.asar` → `.vite/build/mainView.js` - Extracted to `/tmp/claude-gov-inspect/app-extracted/` using `@electron/asar`