On March 31, 2026, a packaging error exposed Anthropic's full Claude Code source — 512,000 lines of TypeScript, none of it model weights. The architecture it revealed is a masterclass in production agentic engineering. Here's what to take from it.
On March 31, 2026, at 4:23 AM Eastern, a researcher named Chaofan Shou noticed something odd in the @anthropic-ai/claude-code npm package. Version 2.1.88 included a 59.8 MB JavaScript source map file that had no business being there. The file pointed to a zip archive on Anthropic's own cloud storage. Inside: 512,000 lines of TypeScript across 1,906 files — the complete source for Claude Code's agentic harness.
Anthropic pulled the package within hours and issued DMCA notices against GitHub mirrors. The mirrors multiplied anyway. A Korean developer rewrote the architecture in Python before sunrise. That port accumulated 30,000 GitHub stars faster than almost any repository in recent memory. The code is permanent now, distributed across enough decentralized platforms that removal is technically impossible.
Here's what actually matters: the model wasn't in it. Not a single byte of neural network weights. What leaked was the scaffolding — the orchestration logic, the memory architecture, the tool execution pipeline, the security layers, the system prompts, the feature flags. And that scaffolding is, in many ways, the more important story.
What Actually Leaked (And Why It Matters More Than Model Weights)
When people hear "AI source code leaked," they imagine model weights — the trained parameters that determine what a model knows and how it reasons. Those didn't leak. What leaked was the harness: the software layer that wraps the Claude API and turns it into a capable, long-running coding agent.
This distinction is critical. You can download the harness and study every line of it. You cannot replicate Claude's reasoning by doing so. The model is Anthropic's moat. But the harness? That's what every team building production AI agents struggles to get right, and it just became the industry's first public reference implementation.
Five hundred thousand lines of TypeScript for what is often described as "just a coding assistant." Think about what that implies for your next agentic project.
!The harness: an engineer assembles a complex scaffolding of translucent TypeScript modules around a glowing API core
The Architecture Reveals
Memory is not a feature — it's infrastructure
The leaked code describes a three-layer memory architecture that almost no one building agents has implemented properly.
At the top is MEMORY.md — a lightweight index file (~150 characters per line) that lives permanently in the context window. It doesn't store knowledge; it stores pointers to where knowledge lives. Think of it as an in-context table of contents, not a database.
Below that are topic files, fetched on-demand when a pointer in MEMORY.md indicates they're needed. Raw session history is never fully reloaded. It gets grep'd for specific identifiers and relevant snippets are surfaced.
The implication: context window management is an architectural decision, not an afterthought. If your agent loads everything into a single prompt, you're not building a production agent — you're building a demo.
The retrieval mechanism is equally deliberate: rather than vector embeddings, KAIROS uses a lightweight Sonnet side-query against YAML frontmatter in each topic file to determine what to load. Describe what you're working on; the side-query returns a structured JSON ranking of which files are relevant. No vector database, no embedding pipeline — a well-structured prompt and a cheap model call. An Anti-Noise layer skips reference docs for tools the agent is already actively using, preventing the context from filling with information the model already has in working memory.
Security is 23 checks deep
bashSecurity.ts implements 23 distinct security checks. Not one check. Not a keyword blocklist. Twenty-three checks guarding against attacks you've probably never thought about: zero-width space injection, IFS null-byte attacks, Zsh-specific shell parsing differentials, three separate command parsers with inconsistent edge-case behavior.
The source code contains comments like: "validateGitCommit returns allow → bashCommandIsSafe short-circuits → validateRedirections NEVER runs." That's documentation of a historical bypass, preserved in production code as a warning.
When you write a permissive bash rule like Bash(git:) in your hooks config, you're trusting a security model this complex to interpret it correctly. The leak shows exactly how many edges that model has.
Context compaction is an attack surface
Claude Code's automatic context compaction — which summarizes older conversation history to make room in the context window — is not just a UX feature. It's a security boundary.
The leaked architecture reveals the attack: instruction-like content embedded in files the agent reads can be "laundered" through summarization. When the compaction pipeline decides what context to preserve, it may retain injected instructions and present them to the model as authentic user directives in a later turn. The model didn't change. The context was weaponized.
This is a more sophisticated threat than classic prompt injection. Classic injection targets the model directly. Context poisoning targets the system that manages what the model remembers.
The model is the commodity. The harness is the product.
This is the clearest lesson in the entire leak. Anthropic built 512,000 lines of TypeScript around an API call. The features that make Claude Code worth using — long-running sessions, multi-agent coordination, memory that persists between work sessions, permission boundaries that don't break when you're mid-task — none of that comes from the model. It comes from the scaffolding.
The same pattern holds for every serious AI product in production. Stripe's 500+ internal MCPs. StrongDM's autonomous development system. TELUS's 53,000 agent copilots. The model choice matters at the margins. The harness matters in everything else.
!Memory architecture: a small MEMORY.md index file floats at the center of a web of linked topic files in a dark workspace
The Controversial Discoveries
Undercover Mode
The file undercover.ts is the one that generated the most discussion. It implements a mode that strips Anthropic-internal information from commits when Claude Code contributes to external, public open-source repositories. The injected instruction reads: "You are operating UNDERCOVER... Do not blow your cover."
The mode prevents Claude from mentioning internal codenames ("Capybara," "Tengu"), internal Slack channels, or "Claude Code" itself in commits or pull requests to external repos. It's a one-way door — it can be forced on but never forced off, ensuring external AI-authored commits show no indicators of automation.
The ethics are genuinely complex. AI-generated contributions to open-source projects without disclosure sits in a grey zone most communities haven't figured out yet. What's not ambiguous: the mechanism exists, it's intentional, and the fact that it needed to be engineered at all tells you something about how widespread this practice has become.
KAIROS: The Daemon Mode That Isn't Shipping Yet
KAIROS — named after the Greek concept of "opportune moment" — appears over 150 times in the leaked source. It describes an unreleased autonomous agent mode: always-on background operation, append-only daily logs (logs/YYYY/MM/YYYY-MM-DD.md), GitHub webhook subscriptions, 5-minute cron refresh cycles.
This is the architecture of an agent that doesn't wait for you to open your terminal. It monitors your repository continuously, processes events in the background, and surfaces insights when it determines the timing is right.
The dreaming mechanism is the most technically interesting part. KAIROS triggers a Dream cycle when two conditions are met simultaneously: 24 hours have elapsed since the last consolidation and the session count has reached 5 or more. When both are true, KAIROS acquires a lock and spawns a sandboxed, read-only Bash agent — it can read files but cannot modify them. That agent runs a four-step consolidation process:
Orient — Load the current memory index and assess what exists
Gather — Pull raw session logs from the append-only daily files
Consolidate — Synthesize insights, patterns, and context into structured memory topic files
Prune — Trim the memory index to stay under 200 lines
The result: persistent memory that learns from every session, compresses history into structured knowledge, and stays small enough to load fully into context. Memory management as a scheduled background process, not a reactive one triggered mid-task.
KAIROS is not shipped. But it's built. The feature flag is sitting in the codebase, compiling to false on external builds.
Tengu and Capybara: What the Codenames Actually Mean
The leaked code is dense with tengu_ prefixes — hundreds of feature flags, GrowthBook experiments, and internal references. "Tengu" is simply what Anthropic calls Claude Code internally. The product is Claude Code. The codebase calls itself Tengu.
"Capybara" generated more speculation than almost anything else in the leak. When researchers found references to a capybara-v2-fast model variant, theories spread about an unreleased model family. The reality is less dramatic.
Capybara is an internal model alias — a GrowthBook experiment flag called tengu_ant_model_override that routes specific Anthropic employees to a different model variant for internal testing purposes. It's displayed to those employees as cap****-v2-fast with the middle characters masked. Not a new model family. Not a leaked roadmap item. An A/B routing mechanism for internal use that happened to have a distinctive name.
The undercover.ts file references excluded-strings.txt — a file that was not in the leak. That's where the full list of forbidden strings lives. The leak reveals the suppression mechanism without revealing the complete list of what gets scrubbed from external commits.
Buddy: The AI Companion Nobody Expected
buddy.ts is probably the most unexpected file in 512,000 lines of production engineering. It implements a creature companion: 18 distinct species, each with four stats — debugging, patience, chaos, and wisdom. Species come in rarity tiers. Your companion evolves as you use Claude Code.
The species names aren't stored as readable strings. They're hex-encoded in the compiled build. The reasoning is detection avoidance — a string like "Shadow Ferret" is easy to find with a regex scraper; its hex representation is not. Anthropic wanted to ship this without the feature being reverse-engineered before the launch window.
The rollout was logged as April 1-7. Whether the date proximity to the leak is a coincidence is unclear. What's clear: the same codebase that contains 23-check bash security validation and context compaction attack mitigations also contains a full creature companion system, engineered with the same care — including obfuscating the species names to avoid early exposure.
Anti-Distillation Fake Tools
Behind the tengu_anti_distill_fake_tool_injection GrowthBook flag, the system can inject fake tool definitions into system prompts when specific conditions are met. The purpose: polluting training data for competitors who might be recording API traffic to train their own models. This is only accessible to Anthropic-internal users — but it was in the source, and now everyone knows it exists.
The Model Registry: No Claude 4.7 Anywhere
Within hours of the leak, speculation appeared about unreleased Claude model versions supposedly hiding in the source. The model registry tells a more measured story.
configs.ts hardcodes five models:
• claude-opus-4-6 — Max plan default
• claude-sonnet-4-6 — Pro plan default
• claude-opus-4-5 — available
• claude-sonnet-4-5 — available
• claude-haiku-4-5 — available
No Claude 4.7. No Claude 5.0. Five models, plus the Capybara alias for internal testing, plus standard model routing logic. The leak debunks the speculation cleanly.
What the registry does reveal is how Anthropic manages model releases. Scattered through configs.ts are comments tagged @[MODEL LAUNCH] — manual checklists for when a new model ships: update the registry, update the defaults, check the feature flags. It's a human-maintained checklist, not an automated migration pipeline. At the scale Anthropic operates, that's a meaningful detail. Future releases involve an engineer running through these comments by hand.
Frustration Detection
userPromptKeywords.ts contains regex patterns that detect user frustration — profanity, negative expressions, specific escalation phrases. The choice of regex over LLM inference is notable: regex costs microseconds; LLM inference costs hundreds of milliseconds and tokens. Using the cheap signal for cheap classification, reserving inference for decisions that require reasoning. That's the right engineering tradeoff, and it's worth copying directly.
!Security specialist points at a bashSecurity dashboard showing 23 active check layers, each one highlighted in orange
What You Should Do Right Now
Audit your CLAUDE.md files
Every CLAUDE.md in a repository you clone should be treated as untrusted input. The leaked architecture shows exactly how that file gets processed — it goes directly into the agent's context with elevated trust. An attacker who controls a CLAUDE.md controls what your agent believes it's allowed to do.
Run this before trusting any cloned repository with an agent:
``bash
Find all CLAUDE.md files in the current project tree
find . -name 'CLAUDE.md' -not -path './.git/'
Audit for shell commands or permission overrides
grep -i "bash\permission" .claude/CLAUDE.md 2/dev/null
Check for suspicious tool allow rules in settings
cat .claude/settings.json 2/dev/null | grep -A2 "allow"
`
Any CLAUDE.md from a repository you didn't write should be read line by line before running Claude Code in that directory.
Treat MCP servers like npm packages
The leak maps the exact attack surface MCP servers represent: direct access to the tool execution pipeline, with permissions that the user approved without reading. Vet every MCP server you install the same way you'd vet a production dependency.
`bash
Pin MCP server versions in your config (never use 'latest')
~/.claude/settings.json
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": ["@modelcontextprotocol/server-filesystem@1.0.2", "/path/to/allow"]
}
}
}
Review what an MCP server actually does before installing
npx @modelcontextprotocol/inspector
Never install an MCP server from an untrusted source. The leaked code shows that MCP tool calls go deep into the permission model — a malicious MCP server has access to everything the user has approved.
Lock down your bash permissions
The 23-check bashSecurity.ts is hardened against real attacks. Your personal hooks config probably isn't. Review every bash permission you've granted:
`bash
Audit all allowed bash commands in your config
cat ~/.claude/settings.json | grep -A 50 '"allow"'
Red flags to look for:
• Bash() — unrestricted shell access
• Bash(git:) — all git commands including push --force
• Bash(curl:) — unrestricted network access
• Bash(npm:) — can install arbitrary packages
`
Replace wildcards with specific allowlists. Bash(git commit:) is safer than Bash(git:). Bash(npm run test) is safer than Bash(npm:).
Implement the MEMORY.md pattern in your own agents
The leaked memory architecture is genuinely superior to what most developers build. You can implement the core pattern in any agent:
`markdown
MEMORY.md (always loaded, stays small)
Active Projects
• project-alpha.md — API redesign, RFC in progress
• decisions.md — Architecture decisions log
Team Context
• team.md — Team structure, responsibilities
• conventions.md — Code conventions, review process
Current Sprint
• sprint-14.md — Active tasks, blockers, context
`
Keep the index under 50 lines. Store actual content in the linked files. Instruct your agent to update the index when it creates new memory, not to append raw information into MEMORY.md directly. This alone will significantly improve long-session agent performance.
If you publish npm packages with AI tooling in your build pipeline
The incident was a .npmignore packaging error. The standard fix:
`
Bad: exclusion-based .npmignore (easy to miss new files)
node_modules/
.env
Better: inclusion-based package.json files array (explicit, harder to leak)
package.json
{
"files": [
"dist/",
"README.md",
"LICENSE"
]
}
`
The files field in package.json whitelists what gets published. Everything else stays local. If you're running AI agents that generate files during your build, an explicit inclusion list means an unexpected generated file can't end up in your published package.
The Bigger Lesson
The leak accelerated something that was already happening slowly: the demystification of production AI engineering. The agents that work in production — that run for hours without losing context, that don't get jailbroken by a cleverly named repository, that fail gracefully when tools misbehave — look nothing like the weekend demos. They look like bashSecurity.ts`. They look like 14 prompt cache-break vectors managed as an accounting problem. They look like frustration detection via regex because microseconds matter at scale.
The model is the easy part. You pick it from a dropdown.
The hard part is everything around it: the context management, the permission model, the memory architecture, the security layers, the observability, the graceful degradation. Anthropic built 512,000 lines of that hard part. The leak put all of it on the internet.
The question isn't whether competitors will use it. They already are. The question is whether developers building their own agentic systems will learn from it — or keep rebuilding the same naive scaffolding that breaks at scale.
The Bottom Line
Anthropic's packaging error on March 31, 2026 was an accident. What it revealed was not. The Claude Code source shows exactly what production-grade agentic engineering looks like: layered security, sophisticated memory management, explicit permission models, observability built in from day one, and a ruthless commitment to context efficiency.
The model you're using is probably close enough to Claude. The harness you're building around it is almost certainly not close enough to this.
That's the takeaway. Not the undercover commits. Not the Buddy creature companion. Not the unreleased KAIROS daemon. Those are interesting. This is actionable: look at what it takes to make an agent work reliably at scale, and measure your current scaffolding against it honestly.
Related: Your AI Does Exactly What You Ask. That's the Problem. — MCP Hit 97 Million Downloads. Your Security Team Hasn't.
Credits & Sources
All findings based on publicly available information following the npm registry exposure.*
• Discovery — Chaofan Shou (@Fried_rice) — original disclosure, March 31, 2026
• Archive — nirholas/claude-code — archived source
• Rewrite — instructkr/claw-code — clean-room Python port
• Reporting — VentureBeat, CyberSecurityNews, TechStartups, AfterDawn
• Analysis — Kuber.studio — technical breakdown