On March 31, 2026, someone at Anthropic forgot to add *.map to .npmignore. That single oversight shipped a 59.8 MB source map inside the @anthropic-ai/claude-code v2.1.88 npm package, exposing 512,000 lines of unobfuscated TypeScript across 1,906 files. The entire internal architecture of their flagship AI coding agent, out in the open.
Anthropic filed DMCA takedowns. GitHub repos started disappearing. Then a developer in South Korea woke up at 4 a.m., rewrote the core architecture from scratch in Python and Rust, and pushed it to GitHub. The repo hit 50K stars in 2 hours and 100K in 24 hours, the fastest-growing repository in GitHub history.
Most coverage focused on the drama: the leak, the takedowns, the legal battle. But the actual code reveals things Anthropic clearly never intended anyone to see.
What actually leaked
Not the model weights. Not customer data. Not the training pipeline.
What leaked is the agent harness: the orchestration layer that turns a language model into a coding assistant. This is the system that decides which tools to call, manages permissions, compresses context when conversations get long, spawns sub-agents for parallel work, and bridges into VS Code and JetBrains.
The numbers:
- 1,906 TypeScript files
- 40+ built-in tools (bash, file read/write, web search, LSP, MCP)
- 50+ slash commands
- 46,000-line query engine handling all LLM calls, streaming, and caching
- 29,000-line base tool definition
- 2,500 lines of bash security validation (23 sequential checks per command)
- Runtime: Bun (not Node.js), UI: React with Ink for terminal rendering
This is the blueprint of a production AI agent. And some of what's inside is wild.
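The 2,500 lines of bash validation boil down to a simple pattern: run a fixed sequence of checks against every command, and short-circuit on the first failure. A minimal sketch of that gate, assuming nothing about the real checks (the check names and rules below are invented for illustration; the leaked code reportedly runs 23 of them):

```python
from typing import Callable, Optional

# Each check inspects a command string and returns a rejection reason, or None to pass.
Check = Callable[[str], Optional[str]]

def no_rm_root(cmd: str) -> Optional[str]:
    return "refuses to delete filesystem root" if "rm -rf /" in cmd else None

def no_curl_pipe_sh(cmd: str) -> Optional[str]:
    return "refuses to pipe downloads into a shell" if "curl" in cmd and "| sh" in cmd else None

# Hypothetical check list; the real harness chains many more of these.
CHECKS: list[Check] = [no_rm_root, no_curl_pipe_sh]

def validate(cmd: str) -> tuple[bool, Optional[str]]:
    """Run checks in order; the first failure short-circuits the whole gate."""
    for check in CHECKS:
        reason = check(cmd)
        if reason is not None:
            return False, reason
    return True, None
```

The sequential design matters: each check stays small and testable on its own, and adding a new rule is appending a function to a list rather than editing a monolithic parser.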
KAIROS: the agent that never sleeps
Buried in the feature flags is something called KAIROS. It's a persistent background daemon that doesn't wait for user input. It watches your project, logs observations, and proactively acts on what it sees, with a 15-second blocking budget per action.
The part that got people's attention: KAIROS has a "dreaming" system called autoDream. When you're idle, it performs memory consolidation. It merges observations, removes contradictions, and converts vague notes into concrete facts. It maintains append-only daily log files and can send push notifications when it finds something worth flagging.
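The described mechanics (append-only daily log, merging observations during idle time) can be sketched in a few lines. Everything here is an assumption drawn from the description above, not the leaked code; the class name and merge rule are invented, and a real consolidation pass would also resolve contradictions, which this sketch skips:

```python
import datetime

class ObservationLog:
    """Append-only observation log with a consolidation pass,
    loosely modeled on the autoDream behavior described in the leak."""

    def __init__(self) -> None:
        self.entries: list[tuple[str, str]] = []  # (date, note); never mutated in place

    def observe(self, note: str) -> None:
        today = datetime.date.today().isoformat()
        self.entries.append((today, note))

    def consolidate(self) -> list[str]:
        """Merge duplicate observations, keeping each note's most recent position.
        The append-only entries list is left untouched."""
        merged: dict[str, None] = {}
        for _, note in self.entries:
            merged.pop(note, None)  # drop the older copy, if any
            merged[note] = None     # re-insert at the end
        return list(merged)
```

The append-only log is the interesting design choice: raw observations are never destroyed, so a bad consolidation can always be re-run from the original record.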
This isn't a coding assistant anymore. It's a process that learns your codebase while you sleep.
BUDDY: a Tamagotchi inside your terminal
This one is genuinely unexpected. BUDDY is a virtual pet that lives in your Claude Code terminal, with 18 species, rarity tiers, and reactions to your coding activity.
Anthropic, the company that publishes safety research papers about existential risk, put a Tamagotchi inside their professional development tool. It's either a brilliant retention mechanic or the most unhinged feature flag in the history of enterprise software. Probably both.
Anti-distillation traps
Here's where it gets strategic. The source reveals that Claude Code injects fake tool definitions into API requests. The purpose: if a competitor tries to scrape Claude Code's outputs to train their own model (a technique called distillation), the poisoned definitions corrupt the training data.
This is active counter-intelligence, not passive protection. Anthropic assumed competitors would try to learn from Claude Code's behavior and built traps directly into the request pipeline.
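The simplest version of the trap is easy to picture: mix fake tool definitions into the real tool list before the request goes out, so a scraper that records requests verbatim ingests the fakes too. A minimal sketch under that assumption (the decoy names and request shape here are invented; the leaked implementation is surely more subtle):

```python
import random

# Hypothetical decoys: tools that don't exist, crafted so a model trained on
# scraped transcripts learns to call things its harness can never execute.
DECOY_TOOLS = [
    {"name": "read_shadow_cache", "description": "Reads the shadow cache.", "parameters": {}},
    {"name": "sync_lattice_state", "description": "Syncs lattice state.", "parameters": {}},
]

def poison_request(tools: list[dict], n_decoys: int = 1) -> list[dict]:
    """Return the real tool list with decoy definitions mixed in.
    The real tools still work; only a distillation pipeline is confused."""
    decoys = random.sample(DECOY_TOOLS, k=min(n_decoys, len(DECOY_TOOLS)))
    poisoned = tools + decoys
    random.shuffle(poisoned)
    return poisoned
```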
Undercover mode
The leaked code contains a stealth mode designed to hide Anthropic employee contributions to open-source projects. When active, it strips identifying metadata from commits and interactions.
Why would Anthropic need this? Likely because their engineers contribute to open-source repos as part of their work (testing, benchmarking, fixing bugs in dependencies), and they don't want those contributions traced back to Anthropic for competitive intelligence reasons. Still, the existence of an explicit "undercover mode" raised eyebrows.
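Mechanically, such a mode could be as small as rewriting author fields before anything leaves the machine. A sketch under that assumption (the field names are hypothetical; the leaked code's actual schema is unknown):

```python
def strip_identifying_metadata(commit: dict) -> dict:
    """Return a copy of a commit record with identifying fields anonymized.
    Field names here are illustrative, not from the leaked source."""
    scrubbed = dict(commit)
    for field in ("author_name", "author_email", "committer_name", "committer_email"):
        if field in scrubbed:
            scrubbed[field] = "anonymous"
    return scrubbed
```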
44 feature flags and unreleased models
The readable source contains 44 compile-time feature flags, with at least 20 gating capabilities that are fully built and tested but hidden from users:
- VOICE_MODE: push-to-talk voice interface for Claude Code
- ULTRAPLAN: 30-minute remote planning sessions
- COORDINATOR MODE: multi-agent orchestration where Claude spawns "swarms" of sub-agents
- Persistent assistant: background mode that keeps working when you're idle
The migrations directory also references internal model codenames: Capybara (Claude 4.6 variant), Fennec (Opus 4.6), and Numbat (unreleased, still in testing).
Claw Code: 0 to 138K stars
While Anthropic was filing DMCA notices, developer Sigrid Jin took a different approach. Instead of hosting the leaked TypeScript, Jin sat down and rewrote the core architecture from scratch. Clean-room reimplementation, no copied code.
The project, called Claw Code, hit GitHub and exploded:
- 50K stars in 2 hours
- 100K stars in 24 hours
- 138K stars as of today (with 101K forks)
- Built in Rust (92.9%) with a Python scaffold (7.1%)
The architecture mirrors Claude Code's patterns: agentic conversation loop, tool execution with permission gates, SSE streaming, session compaction, and a plugin system. It doesn't have MCP support, IDE integration, or sub-agent orchestration yet, but the foundation is solid.
The legal angle matters: because it's a clean-room rewrite and not a copy, Anthropic's DMCA claims don't apply. As Gergely Orosz (The Pragmatic Engineer) noted, the rewrite is a new creative work that violates no copyright. Anthropic's takedowns hit 8,100 GitHub repos that hosted the original TypeScript, but they can't touch Claw Code.
What this means if you build with AI
The patterns inside Claude Code aren't magic. The agentic loop (user message in, model call, tool execution, results fed back into the next call) is straightforward. The power comes from everything around it:
- Permission layers are mandatory for any agent that runs shell commands or edits files
- Context compaction (summarizing old turns while keeping recent ones) is how you handle long conversations without blowing the token budget
- Tool isolation (each tool as a discrete, permission-gated module) keeps the system testable and extensible
- Sub-agent spawning for parallel work is what separates a chatbot from a useful coding assistant
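Stripped of streaming, real tools, and a real model, the loop plus two of those patterns (permission gates and context compaction) fits in a short sketch. The message shapes and function names below are assumptions for illustration, not Claude Code's actual interfaces:

```python
from typing import Callable

def compact(history: list[dict], keep_recent: int = 4) -> list[dict]:
    """Summarize old turns into one message, keep recent turns verbatim.
    The 'summary' here is a trivial placeholder; a real harness asks the model."""
    if len(history) <= keep_recent:
        return history
    old, recent = history[:-keep_recent], history[-keep_recent:]
    summary = {"role": "system", "content": f"[{len(old)} earlier turns summarized]"}
    return [summary] + recent

def run_agent(
    user_message: str,
    call_model: Callable[[list[dict]], dict],
    tools: dict[str, Callable[[str], str]],
    approve: Callable[[str, str], bool],
    max_turns: int = 10,
) -> str:
    """Minimal agentic loop: model call -> permission-gated tool call ->
    feed the result back, until the model answers in plain text."""
    history = [{"role": "user", "content": user_message}]
    for _ in range(max_turns):
        history = compact(history)
        reply = call_model(history)
        if reply.get("tool") is None:
            return reply["content"]          # plain answer: done
        name, arg = reply["tool"], reply.get("arg", "")
        # Permission gate: the tool runs only if the user (or policy) approves.
        result = tools[name](arg) if approve(name, arg) else "permission denied"
        history.append({"role": "assistant", "content": f"called {name}"})
        history.append({"role": "tool", "content": result})
    return "turn limit reached"
```

Sub-agent spawning is the one pattern this sketch omits; in this shape it would amount to a tool whose implementation is itself a call to `run_agent`.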
These patterns are now documented in the open, in production-grade form. Whether you're building an AI agent, integrating APIs into automated workflows, or just curious about how the most-used coding assistant actually works under the hood, the blueprints are public.
If you're building AI-powered features into your own product, the patterns exposed in this leak (tool isolation, permission gates, context budgeting) are the same ones you'll need in your orchestration layer.
The irony: Anthropic spent years building the most sophisticated AI agent harness in the industry, and a missing .npmignore entry made it everyone's reference architecture overnight.