Claude Code Source Exposed

Independent architecture analysis of Anthropic's Claude Code CLI based on publicly available source exposed via npm source maps on March 31, 2026.

BreakingMarch 31, 2026By Anton Abyzov

512K

Lines of TypeScript

Built-in tools

2,000+

Source files

CVEs documented

Contents

01. How It Happened 02. Unreleased Features 03. Architecture 04. Security Audit 05. The Team 06. What's Missing 07. Community Rewrites

01. How It Happened

On March 31, 2026, security researcher Chaofan Shou discovered that Anthropic accidentally shipped source map files inside the npm package @anthropic-ai/claude-code@2.1.88.

The 57MB cli.js.map file pointed to a public Cloudflare R2 bucket containing the full, unobfuscated TypeScript source — 1,900 files, 512,000+ lines of code.

This was the second time the same vector exposed Claude Code source. In February 2025, a similar incident occurred. Anthropic has since rolled the npm latest tag back to 2.1.87 and Bun's bundler generates source maps by default — the root cause in both incidents.

02. Unreleased Features

The source reveals 8 major unreleased features, 26 hidden slash commands, 32 build-time feature flags, and 120+ environment variables. Here are the most significant:

BUDDY — AI Pet System

Easter Egg

A full Tamagotchi-style companion for your terminal. 18 species with rarity tiers, a gacha system (0.01% shiny legendary), stats (DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK), ASCII art sprites, and cosmetic customization. Teaser window: April 1-7 2026. Full launch gated for May 2026.

KAIROS — Always-On Persistent Assistant

Unreleased

A daemon mode that persists across sessions. Keeps daily logs, monitors PR activity, sends push notifications, and proactively acts with a 15-second blocking budget. Enabled via feature flag, not in external builds.

Auto-Dream — Background Memory Consolidation

Unreleased

A background process that consolidates session memories. Fires as a forked subagent after 24 hours + 5 sessions. Four phases: Orient, Gather signal, Consolidate, Prune/index. Uses file-system locks to prevent concurrent consolidation.

Undercover Mode

Active

Auto-activates on public/open-source repos. Strips all internal Anthropic information from commits and PRs. Blocks model codenames (Capybara, Tengu). The source states: “There is NO force-OFF. This guards against model codename leaks.” Found via a leak. The irony is considerable.

Advisor Tool — Reviewer Model

Unreleased

Claude Code can call a second, stronger model to review its work before acting. Instructions: “Call advisor BEFORE substantive work — before writing code, before committing to an interpretation.” Embedded AI code review as a system prompt instruction.

ULTRAPLAN — Remote Planning

Unreleased

30-minute remote planning sessions on Cloud Container Runtime with Opus 4.6. Browser-based approval UI. Results “teleported” back to terminal. Gated behind feature flags.

Coordinator Mode — Multi-Agent

ENV-gated

Multi-agent orchestration via CLAUDE_CODE_COORDINATOR_MODE=1. One master agent assigns tasks to parallel workers. Workers push XML task-notifications back. Pure event-driven, no polling.

Next Model Codenames

Internal

opus-4-7 and sonnet-4-8 already referenced. New “Capybara” model family with 3 tiers. Codename encoded char-by-char to evade their own leak detector. 22 secret internal Anthropic repos exposed in the undercover mode allowlist.

03. Architecture

Runtime

TypeScript compiled via Bun's bundler into a single 12MB cli.js. Terminal UI built with React + Ink (custom reconciler with Yoga flexbox). Distributed via npm.

Boot Sequence

11 steps from cli.tsx to query loop:

cli.tsx loads → Feature flags evaluated → main.tsx initializes → Config loaded → Auth checked → GrowthBook initialized → Tools assembled (43 built-in) → MCP servers connected → System prompt built → REPL launched → Query loop begins

Query Loop

User input → API stream (SSE) → Parse tool_use blocks → Permission check → Execute (parallel if concurrent-safe) → tool_result → Loop back until no tool_use remains.

Key Numbers

Source files2,000+

Lines of TypeScript512K

Built-in tools43

CLI commands101

Service modules39

React hooks85

UI components144

MCP integration files24

Utility files564

Permission system files24

Tool System

43 built-in tools. Each implements a 793-line interface with call(), description(), inputSchema (Zod), permission gating, and concurrency safety flags. Tools partitioned into concurrent/serial batches before execution.

Context Management

Four-layer compression system:

1. MicroCompact — strip tool results between turns
2. AutoCompact — triggers at ~187K tokens (13K buffer)
3. Session Memory — background memory extraction
4. Full Compact — conversation summarization via Claude (50K post-compact budget)

Only restores last 5 files after compression (25K token budget). Images explicitly stripped before compaction to prevent prompt-too-long errors.

Extension Points

Six extension methods: MCP Servers (unlimited tools via stdio/SSE/WebSocket), Custom Agents (markdown files in ~/.claude/agents/), Skills (markdown in ~/.claude/skills/), Hooks (shell commands pre/post tool execution), Plugins (marketplace), and CLAUDE.md (project instructions).

04. Security Audit

Permission System

Six permission modes: default, plan, bypassPermissions, dontAsk, acceptEdits, auto. Two-stage bash classifier (fast + thinking) with LOW/MEDIUM/HIGH risk levels. The auto-mode classifier internally uses the function name “YOLO”.

Sandbox Reality

The sandbox enforces restrictions through prompt-level instructions, not OS-level boundaries. No sandboxing on Windows. Security researchers have demonstrated bypass chains: /proc/self/root path traversal, sandbox self-disabling, and dynamic linker mmap loading that circumvents kernel-level execve hooks.

Known CVEs (Pre-Leak)

CVE-2025-52882IDE websocket origin validation

CVE-2025-59828Pre-trust execution order

CVE-2025-58764Command parsing bypass

CVE-2025-59536RCE via malicious hooks

CVE-2026-21852API key exfiltration

Supply Chain Context

On the same day as the Claude Code leak, an attacker hijacked the axios maintainer's npm account and published versions with a cross-platform RAT. Socket.dev detected it in 6 minutes. Two npm trust failures in a single day — this is why skill verification exists.

Anti-Distillation Defenses

The source contains mechanisms to prevent competitors from scraping Claude Code's behavior to train competing models, including fake tool definitions designed to pollute scraped data. Now fully documented for adversarial study.

What This Means for Skill Security

The exposed hook system, MCP server pipeline, and permission classifier blind spots give attackers a precise understanding of how to craft malicious repositories. This reinforces why vskill's 52 security scan patterns and three-tier verification are essential for any AI skill you install.

05. The Team

All information from public profiles, blogs, and podcasts.

Boris Cherny@bchernyHead of Claude Code, ex-Meta, O'Reilly author

Cat Wu@_catwuHead of Product, coined "antfooding", ex-Index Ventures

Sid BidasariaFounding Engineer, created subagents, ex-Robinhood

Thariq Shihipar@trq212MTS, built Chime (acq HubSpot), YC founder

Noah Zweben@noahzwebenPM, first PM at Warp, Columbia valedictorian

Lydia Hallie@lydiahallieMTS DX, ex-Bun/Vercel, JS/TS educator

Anthony Morris@amorriscodeMTS, voice mode + desktop, ex-Stripe

Alice Zhao@alicelovescake1Engineer, ex-Notion/Meta, Electron maintainer

Omid Mogasemi@OmidMogasemiMTS, auto-fix PR, ex-Netflix ML Platform

Karan Sampath@karan_sampathEngineer, applied AI, ex-Duncan Watts research

Isabella He@IsabellaKHeMTS, ex-DE Shaw, Stanford, AUesome founder

Org leadership: Mike Krieger (Anthropic Labs, Instagram co-founder), Ami Vora (Product), Rahul Patil (CTO). 512K lines built by a small team shipping at extraordinary velocity. The leak is a build pipeline failure, not a reflection of team quality.

06. What's Missing

Gaps identified in the source that SpecWeave fills:

Spec-driven planningspec.md + plan.md + tasks.md

Verified skill marketplace105K+ skills, 3-tier verification

Automated quality gatescode-review + simplify + grill + judge

Multi-platform syncGitHub + JIRA + Azure DevOps bidirectional

Progress tracking/sw:progress with external sync

TDD workflow/sw:tdd-cycle (red, green, refactor)

07. Community Rewrites

We are building open-source Claude Code alternatives in three languages:

ccx-goGoPriority 1

Single binary, goroutine agents, Bubbletea TUI. 5-7 months.

ccx-rsRust

20MB binary, 5ms startup, built on Codex Apache-2.0 crates. 8-12 months.

ccx-dotnet.NET 10

AOT-compiled, Spectre.Console TUI, enterprise-focused. 6-8 months.

This analysis is based on publicly available source code exposed via npm source maps. No source code is hosted or redistributed. All analysis is original work protected under fair use. Information may be inaccurate, incomplete, or outdated.

SpecWeave (GitHub)Browse Verified Skills Security Guidelines