On March 31, 2026, I was reviewing a Claude Code release when I found something unexpected: a complete JavaScript source map — a .js.map file — shipped inside the production bundle. Source maps are development artifacts. They contain the original, pre-minified source code, internal file paths, variable names, and architectural structure. In a production bundle, they're a blueprint of your codebase handed to anyone who looks.
This wasn't an Anthropic-specific failure. Source map leakage is one of the most common pre-publish mistakes in modern JavaScript tooling. Bundlers generate them by default. Developers forget to exclude them. CI pipelines don't check for them. And AI coding tools — which generate and publish code faster than any human can review — make the problem worse.
I built five open-source security tools in response. This post explains what I found, why it matters for AI agent systems specifically, and what each tool does.
What a Source Map Leak Actually Exposes
A .js.map file contains the original unminified source code, internal file paths and project structure, pre-mangled variable and function names, and source-to-output mappings that let anyone reconstruct your build process.
For a company like Anthropic, this means internal architecture details, module boundaries, and naming conventions that would normally take months of reverse engineering — handed over in a single file.
For any organization shipping AI agents, the risk is compounded: agents generate and publish code autonomously, often faster than security review can keep up.
Why AI Tooling Makes This Worse
Traditional developer tools have a human in the loop at publish time. You run npm publish, you notice the 847KB .map file in the tarball, you stop.
AI coding agents change this. An agent that can write, commit, and publish code can do all three faster than a human can review. The attack surface isn't just "developer forgets to exclude source maps" — it's "agent generates a release, publishes it, and the source map was never on anyone's checklist."
This is the gap the five tools address. Not fixing the underlying problem (that's a toolchain problem), but making the gap visible and catchable before it becomes public.
1. tenter — Pre-publish artifact scanner
Repos: goweft/tenter (Python, GitHub Actions) · goweft/tenter-rs (Rust, static binary)
tenter scans a directory before publish and fails if it finds artifacts that shouldn't ship: source maps, .env files, private keys, debug builds, or secrets matching common patterns.
v1 ships as a GitHub Action on the Marketplace — three lines of YAML, zero config:
- uses: goweft/tenter@v1
with:
path: ./dist
fail-on: source-maps,env-files,secrets
v2 (tenter-rs) is a Rust rewrite: a single ~2MB static binary, no runtime dependencies, identical rule set and config format. Runs anywhere including minimal containers and non-GitHub CI.
The source map that triggered this whole sprint would have failed a tenter scan immediately.
2. unshear — Fork divergence detector
Repo: goweft/unshear · Rust
When someone forks an AI agent framework and removes safety mechanisms, unshear finds the delta. It compares a forked codebase against its upstream and surfaces files where safety-related patterns — guardrails, validation, rate limits, audit logging — were removed or weakened.
Named after the shear lines in composite materials: the place where layers separate under stress. A forked agent that stripped its safety layer looks structurally similar to the original until you pull on it.
Rust was a deliberate choice: a security tool that itself has 200 transitive dependencies is a liability.
3. ratine — Agent memory poisoning detection
Repo: goweft/ratine · Python
Ratine detects prompt injection attempts in agent memory stores. As agents accumulate context — conversation history, retrieved documents, tool results — that context becomes an attack surface. A malicious document retrieved during a research task can contain instructions that persist into future agent actions.
Ratine scans memory stores (ChromaDB, plain JSON, SQLite) for patterns consistent with injection: instruction-like language in unexpected positions, escalation patterns, attempts to override system-level constraints.
Named after a type of textured yarn — the attack surface is threaded through otherwise normal content.
4. crocking — AI authorship detection
Repo: goweft/crocking · Python
Crocking identifies code likely generated by an LLM. This matters for supply chain security: AI-generated code has characteristic patterns that differ from human-written code, and knowing provenance helps assess risk. Code that was generated, not written, may not have been reviewed with the same scrutiny.
This is not about whether AI-generated code is "bad." It's about provenance transparency — knowing what you're actually running.
Named after the textile term for dye that rubs off. The AI fingerprint is often visible if you know what to look for.
5. heddle — Runtime trust enforcement
Repo: goweft/heddle · Python
Heddle is the most architectural of the five. It's a self-hosted MCP (Model Context Protocol) mesh runtime where agents are defined as YAML configs, auto-register as MCP servers, and can bidirectionally consume and expose tools.
Every tool call passes through deterministic contract enforcement before execution. Trust tiers (T1 read-only through T4 admin) control what each agent can do. Every action is audit-logged. The security model maps directly to OWASP Agentic Top 10 and NIST AI RMF.
The name comes from the heddle in a loom — the component that controls which threads are lifted. Security is in the architecture, not bolted on afterward.
What the Source Map Leak Actually Tells Us
The Anthropic source map incident was minor in isolation. No credentials were exposed, no production systems were affected. But it's a useful signal: even organizations with mature security practices miss pre-publish checks on non-traditional artifact types.
AI tooling generates a category of artifact — bundles, packages, compiled agents, memory exports — that existing security tooling wasn't designed to inspect. The gap isn't in the tools that exist; it's in the tools that don't exist yet.
These five tools are a start. They're all open source, every repo has tests and CI. The more interesting question is what the full picture looks like when AI agents are generating and publishing code at scale, autonomously, faster than human review can keep up.
That's the problem worth solving.
Links
- goweft/tenter — Python, GitHub Marketplace
- goweft/tenter-rs — Rust static binary
- goweft/unshear — Rust
- goweft/ratine — Python
- goweft/crocking — Python
- goweft/heddle — Python, MCP runtime
Top comments (0)