Claude Code Source Leaked via npm: Full Architecture Breakdown

On March 31, 2026, security researcher Chaofan Shou posted on X that Anthropic had accidentally published a 57MB source map file (cli.js.map) inside the @anthropic-ai/claude-code npm package. The file referenced a Cloudflare R2 storage URL containing the complete, unobfuscated TypeScript source: 512,000 lines across 1,900 files. Anthropic removed the file and deleted old npm versions within hours, but mirrors had already spread to GitHub, where they quickly accumulated over 1,100 stars and 1,900 forks.

This is not the first time. Versions v0.2.8 and v0.2.28 shipped with full source maps back in 2025. Anthropic quietly pulled those versions, but one developer recovered the source using Sublime Text’s undo history after Anthropic tried to wipe cached npm files. And just five days before this leak, on March 26, a CMS configuration error exposed unreleased Claude Mythos model details, draft blog posts, and 3,000 unpublished assets. Three incidents in a year. Two in the same week.

What Actually Leaked (and What Did Not)

This is client-side code only. No model weights, no training data, no Claude LLM internals. What leaked is the CLI tool that developers install and run locally: the agent loop, tool-calling system, permission model, UI layer, and telemetry infrastructure.

That said, the codebase includes details Anthropic clearly did not intend to make public.

Unreleased model codenames. References to a new model family codenamed Capybara appeared in the code, split into three tiers: capybara, capybara-fast, and capybara-fast[1m]. This aligns with the Claude Mythos details from the CMS leak five days earlier.

Granular telemetry. Claude Code tracks user behavior in more detail than most developers expected. It logs frustration signals (including when users swear), tracks patterns like repeated “continue” prompts, and routes session metadata through Datadog. Safeguards prevent transmission of user code or file paths, and telemetry can be disabled via environment variables.

Feature flags. The code contains several internal flags gating unreleased features:

Flag	Purpose
VOICE_MODE	Voice input, gated behind a GrowthBook flag (tengu_amber_quartz)
PROACTIVE	Likely proactive suggestions
BRIDGE_MODE	Unknown
KAIROS	Unknown
BUDDY	Tamagotchi-style digital pet with species, rarity tiers, shiny variants, procedurally generated stats, and hat accessories. Planned for April 1-7 teaser, full launch May 2026.

DMCA Takedowns and the Open Source Debate

Anthropic’s response went beyond technical remediation. The company filed DMCA takedown notices against GitHub repositories hosting the deobfuscated source, including ghuntley’s cleanroom deobfuscation repository, which had accumulated 908 stars before being archived. This was not new behavior: Anthropic had previously filed a DMCA complaint when a developer deobfuscated the minified JavaScript from an earlier version.

The timing made this visible. OpenAI had released its competing tool, Codex CLI, under an Apache 2.0 license, allowing full distribution and commercial use. Within a week of its release, OpenAI had merged dozens of community contributions, including one that let Codex CLI call Anthropic’s own models. Meanwhile, Anthropic was sending takedown notices to developers studying the code for a tool under a restrictive commercial license.

The backlash on social media was sharp. The contrast between the two approaches became a flashpoint for the broader debate about how AI companies engage with developer communities. For a company that markets Claude’s code-writing capabilities as a selling point, issuing DMCAs against developers reading that same code carried an obvious irony.

The DMCA approach has practical limits. Within hours of the leak, @instructkr on GitHub used OpenAI’s Codex (via the oh-my-codex workflow layer) to port the core architecture to a clean-room Python rewrite called Claw Code. It captures Claude Code’s agent harness patterns without copying proprietary source, and rapidly surpassed 30,000 stars on GitHub. A Rust port is now in progress.

Because Claw Code is a rewrite in a different language, not a copy of the TypeScript source, it sits outside the reach of the DMCA takedowns Anthropic has been filing against direct mirrors. The repository includes a companion essay examining whether running copyrighted source through an LLM to produce a rewrite in another language constitutes a derivative work. It does not. Deriving new work from copyrighted source material is what large language models do by design. It is, quite literally, Anthropic’s own business model. Claude was trained on vast amounts of copyrighted code and text to produce original output. An LLM rewriting TypeScript into Python is the same process. Anthropic has not targeted the Python rewrite, and it would be difficult to argue they should be able to.

Architecture: A While Loop, Not a DAG

The most significant finding from the leaked code is how simple the architecture is. The entire AI agent runs on a while(tool_call) loop. Simplified to pseudocode:

while (claude_response.has_tool_call) {
  results = execute_tools(tool_calls)
  claude_response = send_to_claude(results)
}
return claude_response.text

There is no intent classifier, no task router, no RAG pipeline, no DAG orchestrator, and no planner/executor split. The model itself decides which tools to call, in what order, and when to stop. Anthropic has described this as the “agentic loop” pattern in blog posts, but seeing it in 512,000 lines of production code confirms just how literally they mean it.

The stack is Bun (not Node.js), React with Ink for the terminal UI, and Zod for schema validation. The core logic lives in three large files:

File	Lines	Responsibility
QueryEngine.ts	46,000	LLM API calls, streaming, caching, tool orchestration, token tracking
Tool.ts	29,000	~40 agent tool definitions and permission schemas
commands.ts	25,000	~85 slash command registry and execution

Eight Core Tools

Claude Code ships exactly eight built-in tools:

Tool	Purpose
Bash	Execute shell commands (the universal adapter)
Read	Read file contents (max 2,000 lines, handles truncation)
Edit	Diff-based file modification (requires exact match)
Write	Create or overwrite files
Grep	Ripgrep-based regex search
Glob	Find files by pattern
Task	Spawn sub-agents with isolated context
TodoWrite	Structured task tracking

Bash is the most important. Because the model has been trained on massive amounts of shell data, it functions as a universal adapter: git, npm, docker, curl, or anything else becomes available without a dedicated integration. Everything beyond these eight tools extends through MCP servers.

One design decision visible in the code: Anthropic originally experimented with RAG using Voyage embeddings for semantic code search, then switched to grep-based agentic search (ripgrep) after internal benchmarks showed better performance with lower operational complexity. No index sync, no embedding provider dependency, no security concerns from shipping code to external APIs. The philosophy is “search, don’t index.”

Three-Layer Context Compression

The leaked code reveals how Claude Code manages the fundamental problem of long-running agent sessions: context window exhaustion. The system operates within a ~200K token budget:

Budget Segment	Tokens
System prompt	~5,000-15,000
Conversation history + tool results	Variable (bulk of budget)
Response buffer	~40,000-45,000

Three compression layers manage this budget.

Microcompaction runs continuously without API calls. It offloads bulky tool outputs to disk, keeping only recent results inline. Older results are replaced with file path references. No tokens spent, just local file I/O.

Auto-compaction triggers when free context drops below a reserved threshold (reported between 75-95% capacity depending on the client). It summarizes the conversation into a structured “working state,” then rehydrates critical elements:

• Recently accessed files (capped at 5,000 tokens per file)
• Active todo lists
• Continuation instructions

The system reserves a 13,000-token buffer for the compaction operation itself and generates summaries up to 20,000 tokens. A circuit breaker stops retrying after 3 consecutive failures.

Manual compaction via /compact lets users trigger summarization at logical breakpoints with optional focus hints.

The key principle: compaction is summarization plus context restoration, not truncation. After compaction, the agent receives a structured summary of what it was doing, what files it was working with, and what remains. If you are building any long-conversation agent application, this three-layer strategy is directly applicable. Most agent frameworks leave this problem to the developer.

AutoDream: Background Memory Consolidation

Claude Code includes a background memory consolidation system called AutoDream. It runs when four conditions are met: at least 24 hours since the last consolidation, at least 5 new sessions accumulated, no other consolidation running, and at least 10 minutes since the last scan. The process follows four phases:

1. Orient reads the current MEMORY.md and scans existing memory files
2. Gather checks session logs for high-value patterns: user corrections, repeated decisions, recurring themes
3. Consolidate merges related memories, removes duplicates, resolves contradictions, and converts relative dates to absolute (e.g., “yesterday” becomes “2026-03-24”)
4. Prune keeps MEMORY.md under 200 lines / 25KB

This takes about 8-10 minutes and runs as a sub-agent. The /dream command offers manual consolidation on demand. The approach of treating agent memory as something that needs periodic garbage collection, not just accumulation, is a practical solution to a real problem in persistent agents.

Sub-Agent Isolation (Depth = 1)

The Task tool spawns sub-agents with their own fresh context windows. Sub-agents receive only the task description, have access to all tools except Task itself, and return only a summary to the parent. They cannot spawn further sub-agents.

The depth-1 limit prevents recursive agent spawning, which would produce unpredictable costs and debugging nightmares. Four specialized sub-agent types are available:

Type	Access
Explore	Read-only codebase analysis
Plan	All tools except Edit/Write
Bash	Command execution only
General-purpose	Full tool access

Multi-Agent Teams: File-Based, Still Rough

The code reveals an experimental multi-agent coordination system where a lead agent assigns tasks to teammates. The coordination is entirely file-based: tasks are JSON files in ~/.claude/tasks/, claiming uses file locks to prevent race conditions, and communication happens through JSON inbox files that each agent polls.

A bug report on the public repo documents the current reliability problems. In one session, 23 agent incarnations were spawned with only 35% being productive. The mailbox polling generated 42,226 polls with no backoff, producing 15MB of debug logs. Teams are not resumable after breaks and get recreated from scratch each time.

This is clearly experimental. But the file-based approach is interesting: no background process, no message broker, just filesystem operations with lock files. The simplicity is consistent with Anthropic’s broader “less scaffolding, more model” philosophy, even when it means shipping coordination infrastructure that is not yet production-ready.

Security Context Beyond the Leak

The source map incident sits alongside more serious Claude Code security concerns. Check Point Research disclosed two CVEs earlier in 2026, both now patched:

CVE	Severity	Attack Vector
CVE-2026-21852	API key exfiltration	Malicious repo sets ANTHROPIC_BASE_URL to attacker endpoint in settings file, stealing API keys before user confirms trust
CVE-2025-59536	Remote code execution	Malicious hooks in .claude/settings.json execute shell commands when user starts Claude Code in a cloned repository, before trust dialog appears

Combined with the source map leak, the exposed permission model, authentication flows, and feature flags give a detailed map of Claude Code’s security surface. For developers using Claude Code on untrusted codebases, the exposed architecture is worth studying to understand what the tool has access to and how its guardrails work.

What This Changes

The code confirms what Anthropic has described philosophically in blog posts: production-grade coding agents do not need complex orchestration frameworks. A simple tool loop, good context management, and a strong underlying model go further than elaborate planner-executor architectures. 512,000 lines of production code is the most concrete evidence available for evaluating that claim.

For Anthropic, the strategic impact is limited. The real moat is the Claude model, not the CLI wrapper. Competitors can study the architecture, adopt the patterns, and build their own implementations. But they cannot replicate Claude’s reasoning capabilities by reading TypeScript.

The more lasting consequence may be the DMCA response. In a market where OpenAI is open-sourcing its competing tool and merging community PRs, Anthropic’s choice to issue takedowns against developers studying leaked code positions the company on the less developer-friendly side of the debate. The reimplementations are already out there, and those cannot be taken down. The architecture is public knowledge now regardless.

Audit your own build pipelines. Check your .npmignore. Make sure your source maps stay in development. And if you are building agents, the context compression and memory consolidation patterns in this codebase are worth adopting whether Anthropic intended to share them or not.