Dreamer, undercover, regex-based psychologist… Claude Code is a bit of all of that. The proof comes in the form of… the source code for its CLI, which has leaked.
On Tuesday, March 31, Anthropic released a new version of the tool (2.1.88). Within less than half an hour, a security researcher spotted, in the npm tree, a file named cli.js.map.
This file is a source map. It bridges the gap between the original source code and the compiled code to aid debugging.
For Claude Code, Anthropic chose the runtime Bun, which it had acquired in December. This environment automatically generates source maps, even in production. Therefore, one must consider adding an exception, for instance in the .npmignore file. In this case, it wasn’t done.
« Our deployment process includes a few manual steps, one of which wasn’t carried out correctly », acknowledged the head of Claude Code.
Beyond the points he raised, the file pointed to a zip in a publicly accessible Cloudflare R2 bucket containing the source code. In total, more than half a million lines spread across about 2,000 files. The contents include system prompts, agent orchestration logic, authentication implementation, management of tools and rate limits, etc. As well as dozens of commands, flags, and undocumented environment variables.
Claude code source code has been leaked via a map file in their npm registry!
Code: https://t.co/jBiMoOzt8G pic.twitter.com/rYo5hbvEj8
— Chaofan Shou (@Fried_rice) March 31, 2026
An « Undercover » mode for public contributions
Among the hidden features sits, in about a hundred lines, an Undercover mode.
Reserved for Anthropic employees, this clandestine mode forces Claude to never include certain internal elements in its public repository contributions. Among other things, it blocks project names, tool names, and Slack channel names, as well as version numbers for unpublished models. The expression “Claude Code” is also banned… as well as, more generally, any mention that could imply an AI contributed.
The Undercover mode appears non-disableable. It automatically engages whenever the system cannot confirm that it is operating within a private repository.
KAIROS or the Claude Code daemon
Claude Code also features a Coordinator mode. It splits the research, implementation, and testing workload among sub-agents that communicate via XML messages and have access to a shared knowledge repository.
The “dreamer” aspect mirrors human brain activity during sleep, focusing on memory consolidation. It only kicks in if at least 24 hours have passed since the previous consolidation and at least five Claude Code sessions have been run.
KAIROS implements this mechanism by handing it off to a sub-agent. In this mode, Claude Code runs in the background, like a system service, to continuously watch the project. Periodically, it decides whether to act or not, refraining from any action that would block a user workflow for more than 15 seconds.
Another feature revealed by the source code is ULTRAPLAN. With it, Claude Code sends complex tasks to a distant Opus environment, for processing that can take up to 30 minutes.
Claude Code’s memory is structured into three layers. The only element perpetually present in the context window is an index of pointers. Transcripts are never fully loaded (it only performs “grep” on them). In between, there are topic files, fetched on demand.
Based on everything explored in the source code, here’s the full technical recipe behind Claude Code’s memory architecture:
[shared by claude code]
Claude Code’s memory system is actually insanely well-designed. It isn’t like “store everything” but constrained, structured and… pic.twitter.com/PlGRvuvkts
— himanshu (@himanshustwts) March 31, 2026
Chicago, Capybara… A jumble of code names
To manage user frustration, there are no advanced sentiment-analysis algorithms at play: just pattern matching supported by regular expressions.
In the same vein, Claude Code offers a “minimalist” mode that can disable, among other things, automatic memory, reasoning, and background tasks. It also includes kill switches. For instance, to toggle the voice mode. Or to disable the extended window (1 million tokens) in a HIPAA-compliant context.
The source code reveals several internal names. Among them, “Chicago,” assigned to the Computer Use component. Or Capybara. Alias Mythos, it would seem. It is at least under that name that this model, apparently positioned above Opus, had leaked last week. A website error granted access to thousands of unpublished files, including a blog post about Mythos/Capybara.
The source-code analysis also reveals various protections. Including protection against distillation. The system incorporates fake tool definitions into API requests to undermine training of other models. Anthropic has also built in a mechanism that protects the chain of thought (the API returns only summaries on each call).
On the telemetry front, Claude Code operates through four channels: OpenTelemetry, GrowthBook, Sentry, and Statsig. It stamps every request with a hard-coded salt.
The forks mechanism unleashed despite DMCA requests
Anthropic did not delay in filing a DMCA request with GitHub. It targeted the primary mirror of the leaked code (nirholas/claude-code) and all its forks. Result: over 8,000 repositories disabled… including collateral victims that had forked parts of the open-source project.
Anthropic corrected course the next day, narrowing its request to the main mirror and about a hundred forks. It did not target claw-code, which nonetheless racked up more than 100,000 stars in a few hours. And for good reason: the project re-implements Claude Code’s architecture (in Python) without reusing the source code. There is also a Rust implementation.
In a different vein, there’s the Open Claude derivative that replaces API bindings with an adapter handling other models. Or this fork that removes telemetry and safeguards while enabling all experimental features.
