Anthropic left a source map file in their npm package. The entire Claude Code codebase, 1,900 files and 512,000+ lines of TypeScript, was sitting in plain sight on the npm registry. Anyone who ran npm install @anthropic-ai/claude-code got the keys to the kingdom.
This isnt the model weights. This isnt training data. This is the full production CLI, the agent that reads your files, executes shell commands, and manages your codebase. Every tool, every permission check, every hidden feature flag.
And some of whats in there is genuinely fascinating.
How It Happened
Claude Code is built with Bun as its bundler. Bun generates source maps by default unless you explicitly turn them off. Version 2.1.88 shipped with a 57MB .map file that contained the complete, unobfuscated TypeScript source. The file was even hosted on Anthropics own R2 cloud storage bucket, directly downloadable as a ZIP.
Security researcher Chaofan Shou found it first and posted about it. Within hours, multiple GitHub mirrors appeared with the full reconstructed source tree. The Hacker News thread exploded.
This is the kind of leak that happens when one build config flag gets missed. No hack, no insider, no exploit. Just a default setting nobody toggled off.
The Architecture: React in Your Terminal
Heres the first surprise: Claude Code's UI is built with React. Not React DOM, React + Ink, a library that renders React components to the terminal. Every panel, every progress bar, every diff view is a React component tree being rendered to ANSI escape codes.
This explains why the UI feels so much more responsive and polished than most terminal tools. Its using the same component lifecycle, state management, and rendering pipeline that web apps use, just targeting a different output.
The runtime is Bun, the entire thing bundles to roughly 2MB with zero production dependencies. Everything is vendored in.
The Tool System
Claude Code exposes 30+ tools, and the leaked source shows exactly how they work:
BashTool classifies every command into categories (search, read, write, silent, neutral) before execution. This is how Claude Code knows when to auto-collapse output in the UI. Dangerous commands likerm -rf and dd are caught at the classification layer.
FileEditTool tracks file modification timestamps to detect when another process modifies a file between reads and writes. This prevents the agent from overwriting changes you made manually. Theres a 1GB file size limit and LSP integration for real-time linting.
GrepTool wraps ripgrep with a 500-character line length limit (to handle minified code) and 250-line pagination. GlobTool has a hard cap of 100 files per query.
WebSearchTool uses Anthropics internal web search beta API. Each query gets up to 8 search rounds, and the tool streams partial JSON results to extract queries while the search is still running.
Every tool implements a checkPermissions() method that returns one of four decisions: allow, ask, deny, or passthrough. There are 7 permission modes including auto (internal only) and bubble (escalate to parent agent).
Bridge System: How Remote Sessions Work
The leaked code reveals how claude.ai/code works under the hood. When you connect from a web browser, the Bridge system takes over with three transport options: SSE, WebSocket, and a HybridTransport that auto-switches between them.
Authentication layers stack up: JWT + OAuth + trustedDevice + workSecret. The session runner manages the full lifecycle of remote sessions, and a systemInit message carries all the session metadata (working directory, available tools, model, permissions) to the remote container.
This is the infrastructure behind Claude Code running in the cloud. Its not a simple API proxy, its a full session management layer with reconnection logic, transcript persistence, and container restart recovery.
The CLI and Transport Layer
The CLI entry point uses Commander.js with a sophisticated transport abstraction. The cli/transports/ directory shows three implementations that can be swapped at runtime. HybridTransport starts with SSE for initial connection speed, then upgrades to WebSocket for bidirectional streaming.
Theres also an assistant/ module that manages session history through a dedicated API, separate from the main conversation flow. This seems to be how Claude Code maintains project context across multiple sessions.
The Swarm: Multi-Agent Architecture
This is the most interesting discovery. Claude Code has a full multi-agent orchestration system called Swarm.
There are 7 task types:
- LocalShellTask for running commands
- LocalAgentTask for spawning sub-agents on your machine
- RemoteAgentTask for cloud-hosted agents
- InProcessTeammateTask for running multiple agents in the same process
- DreamTask for automatic memory consolidation (more on this below)
- LocalWorkflowTask and MonitorMcpTask for workflow and MCP monitoring
The Teammate system is especially interesting. Each teammate runs in an isolated context using Nodes AsyncLocalStorage, which means multiple agents share the same process but have completely separate state. They communicate through a SendMessage tool, not through shared memory.
Team configurations are stored as JSON files in ~/.teams/, and each team member can have its own model (Haiku, Sonnet, Opus), git worktree for isolation, and tmux pane for display.
DreamTask: Your Agent Dreams While You Sleep
This one caught everyones attention. DreamTask is a background agent that runs automatically after sessions. It reviews the last 30 turns of conversation, consolidates learnings into memory files, and cleans up session state. The metaphor is literal, your agent "dreams" to organize what it learned.
The task tracks sessionsReviewing and filesTouched to avoid re-processing. It runs without user intervention and updates memory files that persist across sessions.
This explains how Claude Code gets better at understanding your project over time without you explicitly teaching it anything. The DreamTask is doing the learning loop in the background.
Permission and Security Model
The permission system is more granular than most people realize. Every tool call goes through checkPermissions() which returns a PermissionDecision. But beyond the basic allow/ask/deny, theres a passthrough mode for special handling and a bubble mode that escalates decisions to the parent agent in a swarm.
Seven permission modes exist: default, plan, acceptEdits, bypassPermissions, dontAsk, auto (internal only), and bubble. The auto mode is particularly interesting, its reserved for internal use and appears to be the permission level that autonomous features like KAIROS would operate under.
The sandbox system (utils/sandbox/) provides execution isolation, and theres a separate utils/permissions/ module that handles the policy enforcement. Settings cascade through managed settings files with a new managed-settings.d/ drop-in directory for team policy fragments.
Model Inheritance System
Sub-agents dont just pick a model. The inheritance logic handles edge cases most people wouldnt think about. When a sub-agent is set to inherit, it copies the parents model selection including the AWS Bedrock region prefix. This ensures IAM permissions work correctly when the parent is running through a specific Bedrock endpoint.
The available models (opus, sonnet, haiku) can be explicitly set or inherited. This cascading model selection is what lets you run a cheap Haiku sub-agent for simple tasks while the parent Opus agent handles the complex reasoning.
Memory System
The utils/memory/ module manages MEMORY.md and associated memory files. Memory writes follow a two-step process: write the memory content to a topic file, then update the MEMORY.md index. The index has a 25KB / 200 line truncation limit to prevent context bloat.
Memory files have frontmatter with name, description, and type fields. The system distinguishes between user, feedback, project, and reference memory types. This structured approach explains why Claude Code's memory feels more organized than a simple "dump everything into one file" approach.
Git and GitHub Integration
The utils/git/ module goes deep. Beyond basic git operations, theres change detection for context-aware behavior, worktree management for agent isolation, and commit analysis for understanding project history.
The utils/github/ module integrates with GitHub APIs for PR creation, issue management, and code review workflows. These arent thin wrappers, theyre full workflow implementations that understand branching strategies and review conventions.
Vim Mode and Voice
Two quality-of-life features have their own top-level source directories. src/vim/ implements terminal vim keybindings, explaining why vim-style navigation works in Claude Code. src/voice/ handles the voice input/output feature with native audio module integration through the vendor/ directory, which contains compiled native modules for audio capture, image processing, keyboard modifier detection, and URL handling.
Hidden Feature Flags
The source reveals several unreleased features behind build-time feature flags:
- BUDDY: A Tamagotchi-style companion creature with ASCII art sprites that sits in a speech bubble next to your input. Yes, really.
- KAIROS: An "Always-On Claude" mode. Persistent assistant that keeps working across sessions, stores memory logs, and can proactively start tasks without user prompting.
- COORDINATOR_MODE: A dedicated mode for orchestrating multiple agents simultaneously.
- ULTRAPLAN: 30-minute remote planning sessions for complex tasks.
- TRANSCRIPT_CLASSIFIER: Automatic classification of conversation transcripts.
These features are compiled out of production builds using dead code elimination. Theyre clearly in active development but not ready for users yet.
Other notable directories in the source:
- src/commands/chrome/: Browser integration for web interactions
- src/commands/desktop/: Desktop app integration
- src/commands/mobile/: Mobile device support
- src/commands/bughunter/: Automated bug detection
- src/commands/good-claude/: A praise/reward system (unclear if for the model or the user)
- src/utils/teleport/: Session migration between environments
- src/utils/ultraplan/: The planning engine behind ULTRAPLAN
Thats 50+ slash commands in the src/commands/ directory alone. Most users probably use 5-10 of them.
The System Prompt Hierarchy
Claude Code doesnt have one system prompt. It has a 6-layer priority system:
--system-prompt flagThe type system enforces this with a branded type: type SystemPrompt = readonly string[] & { readonly __brand: 'SystemPrompt' }. This prevents accidental mixing of prompt layers at compile time.
What the Community Found
The Hacker News thread surfaced some gems from the codebase:
Sentiment Detection: Claude Code has regex-based negative sentiment detection that flags words like "frustrated," "terrible," and "broken" in user messages. Developers pointed out it only covers English and misses obvious variations. The purpose seems to be adjusting agent behavior when users are visibly frustrated. Code Quality: One function was identified as 3,167 lines with 12 nesting levels and roughly 486 branch points. This was described as "the single worst function in the codebase by every metric." The async handling also drew criticism for nested promises without proper await chains. Anti-Distillation: The code includes mechanisms to inject decoy tool definitions into API requests, apparently designed to poison training data if a competitor tries to distill from Claude Code's outputs. This generated significant debate about the ethics of defensive AI measures.The Bootstrap: 100+ Properties
The src/bootstrap/ module manages the boot state of Claude Code with over 100 properties. This is the initialization sequence that runs before you see the first prompt. It handles authentication, environment detection, settings loading, plugin initialization, MCP server connections, and skill directory scanning.
The --bare flag that was added in 2.1.81 skips most of this bootstrap process for scripted usage, which explains the ~14% startup speedup they advertised.
Telemetry
The utils/telemetry/ module is present, as expected for any commercial tool. The source shows what gets collected, though the specifics would require deeper analysis of the telemetry event definitions. The presence of a full telemetry module isnt surprising, but having the source lets you see exactly what data points are being tracked.
Scale Summary
Putting it all together:
- 1,910 files total
- 30+ tools
- 50+ slash commands
- 7 task types
- 7 permission modes
- 6 system prompt layers
- 6+ feature flags
- 3 transport types (SSE, WebSocket, Hybrid)
- 100+ bootstrap properties
This is a genuinely mature production codebase. The Swarm/Team system and DreamTask in particular show that Anthropics internal development is significantly ahead of whats currently exposed to users.
What This Means
For Claude Code users: nothing changes practically. The tool still works the same way. But knowing the architecture is useful.
Now you know why sub-agents behave the way they do (AsyncLocalStorage isolation, not separate processes). You know why file edits sometimes catch external changes (timestamp tracking). You know that the memory system isnt magic, its a DreamTask running post-session consolidation.
For the broader AI tools ecosystem: this is a wake-up call about supply chain security. Source maps in production packages is a beginner mistake, but it happened to one of the most well-funded AI companies on the planet. If Anthropic can ship a 57MB source map to npm by accident, so can anyone.
Check your own build configs. Audit your published packages. And maybe, just maybe, disable source maps before you npm publish.
The Irony
Multiple developers on Hacker News pointed out the contradiction: Anthropic trained Claude on the entire internet's publicly available code, but implements anti-distillation measures to prevent competitors from learning from Claude Code's outputs.
Fair point. But thats the game now. Everyone scrapes, everyone protects. The source map leak just made the protecting part a lot harder.