Thorsten Meyer | ThorstenMeyerAI.com | April 2026

---

Executive Summary

On March 31, 2026, a misconfigured source map file in Anthropic’s npm package inadvertently exposed the complete TypeScript source code for Claude Code — 1,900 files, 512,000+ lines, the DNA of the industry’s most advanced CLI agent. Within hours, security researcher Chaofan Shou had identified the path. The repository was forked over 41,500 times before Anthropic could respond. Anthropic confirmed it was a release packaging error caused by human error, not a security breach.

This was the moment the black box of agentic AI was opened.

What the source reveals is not just a CLI tool. It is a distributed operating system for intelligence — with a dynamic system prompt assembly line, a sophisticated permission engine (the “YOLO classifier”), auto-compaction memory management, a teleportation protocol for moving agent state between local and cloud environments, a mobile bridge for phone-to-desktop task dispatch, and an unreleased autonomous daemon called “Kairos” that watches, logs, and proactively acts without waiting for human input.

Claude Code is not winning because it has the smartest model. It is winning because Anthropic has engineered the harness — the code around the model — at a level of sophistication that no competitor has publicly demonstrated. The 6x performance gap that Stanford’s IRIS Lab documented between harness implementations is visible in every directory of this codebase.

For enterprise leaders, the leak reveals the architecture that will define the next generation of AI agents: dynamic prompt assembly, autonomous permission engines, long-running daemon modes, distributed execution across local and cloud environments, and memory systems that persist across sessions. Every organization deploying AI agents should study this blueprint.

Metric	Value
Source files exposed	1,900 TypeScript files
Lines of code	512,000+
GitHub forks (within hours)	41,500+
Built-in tools	~40 (permission-gated)
Base tool definition	29,000 lines TypeScript
Leak cause	npm source map → R2 bucket
Discovery	Chaofan Shou (@fried_rice)
Date	March 31, 2026
Auto-compact threshold	13,000-token buffer
Max consecutive compact failures	3 (circuit breaker)
YOLO fast-reject stage	64 tokens
YOLO deep-thinking stage	4,096 tokens
Consecutive denial limit	3 (fallback to manual)
Session denial limit	20 (force human control)
Bridge polling	POST /v1/environments/{id}/work/poll
Transport V1	WebSockets + batched HTTP (500 msgs)
Transport V2	SSE with sequence numbers
Internal codenames	Capybara (Claude 4.6), Fennec (Opus 4.6), Numbat (unreleased)
Claude Code ARR	$2.5 billion (Feb 2026)
Enterprise share	>50% of CC revenue
OECD unemployment	5.0% (stable)
OECD broadband (advanced)	98.9%

---

1. The Architecture: Not a Chatbot — A Distributed Operating System

The leaked source code reveals that Claude Code is not an AI chatbot with a terminal interface. It is a multi-layered operating system for software intelligence, with distinct subsystems for cognition (prompts), perception (tools), memory (compaction), security (permissions), and distribution (teleport/bridge).

The Five Layers

Layer	Directory	Function	Enterprise Relevance
Cognition	constants/prompts.ts	Dynamic system prompt assembly	How agents understand context
Perception	tools/ (~40 tools)	Tool orchestration with concurrent/serial scheduling	How agents interact with systems
Memory	services/compact/	Auto-compaction + session memory	How agents maintain state over hours
Security	utils/permissions/	YOLO classifier + circuit breakers	How agents govern themselves autonomously
Distribution	utils/teleport.tsx, bridge/	Local↔cloud state transfer; mobile dispatch	How agents operate across environments

The Dynamic Prompt Assembly Line

The system prompt is not a static text file. It is a dynamic, cached assembly line (getSystemPrompt() at line 444 of constants/prompts.ts). The prompt is built piece-by-piece based on environment: directory, Git history, date, active tools, MCP connections, CLAUDE.md memory files, output style configuration, and language settings.

Prompt Section	Source	Caching
Core rules	Static sections	Cached (reused across turns)
Environment info	computeSimpleEnvInfo()	Dynamic (changes per context)
Memory	loadMemoryPrompt()	Dynamic (CLAUDE.md files)
MCP instructions	getMcpInstructionsSection()	Uncached (servers connect/disconnect)
Skill commands	getSkillToolCommands()	Dynamic
Output style	getOutputStyleConfig()	Dynamic
Scratchpad	getScratchpadInstructions()	Cached

The caching architecture (systemPromptSections.ts) is the speed secret. By splitting the prompt into cached and dynamic blocks, Anthropic swaps context-specific information without reprocessing static rules — saving massive latency and cost on every turn.

CLAUDE.md as Permanent Memory

The code confirms that CLAUDE.md files are treated as manual overrides for agent behavior on a per-repository basis. These files are injected directly into the user context, providing long-term project instructions that persist across sessions. This is the organic context capture mechanism that makes Claude Code’s bottom-up enterprise strategy work.

“Claude Code is not a chatbot with a terminal. It is a distributed operating system for intelligence: cognition, perception, memory, security, and distribution — five layers, 512,000 lines, and a level of engineering that explains the $2.5 billion ARR.”

---

2. The YOLO Classifier: Autonomous Permission Engineering

The most architecturally significant discovery is the autonomous permission engine — a two-stage AI governance system designed to let the agent run without human approval for safe operations while catching dangerous ones.

The Two-Stage Architecture

Stage	Location	Token Budget	Function
Fast-reject	yoloClassifier.ts	64 tokens	Catch obvious violations instantly
Deep-thinking	yoloClassifier.ts	4,096 tokens	Analyze conversation transcript for intent alignment

The classifier uses Sonnet 4.6 as the evaluation model. Critically, it only sees tool calls — not the assistant’s conversational text. This prevents prompt injection where the agent might try to convince the classifier that a dangerous action is safe.

The Safe List (Fast Path)

Certain tools skip the AI classifier entirely to save latency:

Tool Category	Examples	Rationale
Read-only operations	ls, grep, glob, LSP lookups	Cannot modify state
Task management	TodoWrite, TaskCreate, TaskList	Low-risk metadata
Coordination	Sleep tool	No external effects

The Circuit Breakers

Breaker	Threshold	Action
Consecutive denials	3 in a row	Fallback to manual approval mode
Session denials	20 total	Force human control; assume “gone rogue”
Compact failures	3 consecutive	Disable auto-compaction for session

Dangerous Rule Stripping

When entering Auto Mode, the system proactively strips dangerous permissions from the environment: it searches for and disables commands like iex, invoke-expression, and nested shells (wsl, pwsh) to prevent the agent from escaping its sandbox while the human is not watching.

What This Means for Enterprise

The YOLO classifier is the most mature autonomous permission system publicly documented. It demonstrates that AI agent governance is not just policy — it is engineering: two-stage classification, transcript sanitization, safe-list fast paths, circuit breakers, and proactive sandbox hardening. Every enterprise deploying autonomous agents should study this architecture.

“The YOLO classifier is two-stage: 64-token fast-reject, then 4,096-token deep analysis. It sees tool calls but not conversational text — preventing prompt injection. Three consecutive denials force manual mode. Twenty session denials assume the agent has gone rogue.”

---

3. The Memory System: How Agents Maintain State Over Hours

The auto-compaction system (services/compact/autoCompact.ts) is how Claude Code maintains working memory over extended sessions without losing context.

How Auto-Compaction Works

Step	Trigger	Action
1	Conversation hits 13,000-token buffer	shouldAutoCompact() returns true
2	Session memory compaction attempted	trySessionMemoryCompaction() extracts key information
3	If session memory fails	Full compactConversation() triggered
4	Summary generated	Old messages cleared; summary preserved as working memory
5	Post-compact cleanup	Cache baselines reset; prompt cache break detection updated
6	Circuit breaker	3 consecutive failures → disable for session

The Three-Tier Token Estimation

The system uses a three-tier estimation approach to predict costs before they happen — ensuring the agent does not exceed API budgets on recursive operations.

Session Memory vs. Legacy Compaction

Approach	Mechanism	Trade-off
Session memory compaction	Extract key information; prune messages	Preserves signal; loses raw detail
Legacy compaction	Full summarization; replace all messages	More aggressive; higher information loss
Circuit breaker	Disable after 3 failures	Prevents infinite retry loops

The Recompaction Chain

The code tracks whether the current compaction is a “recompaction” — a second compaction within the same chain. This prevents runaway summarization loops where the agent keeps trying to compress already-compressed content.

“Auto-compaction is not ‘forgetting.’ It is structured memory management: compress, preserve the summary, track recompaction chains, and circuit-break after 3 failures. This is how an agent maintains working memory over hours of coding.”

---

4. The Teleport Protocol and Mobile Bridge: Distributed Agent Execution

The most architecturally advanced components are the teleport protocol (utils/teleport.tsx) and the bridge system (bridge/ directory, 33+ files) — infrastructure for moving agent state across environments.

The Teleport Protocol

Function	Mechanism	Purpose
Pre-flight validation	validateGitState()	Ensure repo clean; sync with remote
Session naming	Haiku model auto-names based on task	Human-readable remote sessions
State transfer	Git bundles (standard) or direct push (autofix)	Move context to cloud
skipBundle mode	Direct Git push access on CCR	For autofix-pr: clone → fix → push

The Bridge: Phone-to-Desktop Dispatch

Component	File	Function
Long-polling server	bridgeMain.ts	Local machine polls Anthropic API for work
Dispatch endpoint	POST /v1/environments/{id}/work/poll	Cloud → local instruction passing
Mobile app	iOS/Android	User sends commands from phone
Result return	HTTP response	Execution results sent back up chain

The Two Transport Generations

Version	Protocol	Trade-off
V1 (Hybrid)	WebSockets (read) + batched HTTP POST (500 msgs, write)	Lower overhead; batch efficiency
V2 (SSE)	Server-Sent Events with sequence numbers	Internet flicker resilience; no lost output

Remote Permission Handling

When the agent runs in the cloud and needs approval for a dangerous action, it sends a SDKControlRequest down the bridge. The local UI (or a push notification on your phone) displays an approval dialog. SDKControlResponse fires back to the cloud to resume execution.

The Autofix-PR Architecture

The leaked RemoteAgentTask reveals that autofix-pr is not a local tool — it is a Remote Agent Task that teleports to Anthropic’s CCR (Claude Code Remote) infrastructure:

Step	Action
Trigger	Developer points Claude at a PR URL
Teleport	Agent moves to CCR session
Analyze	Read PR diff, scan CI failure logs, parse reviewer comments
Fix	Run in high-permission Auto Mode
Verify	Poll CI/CD pipeline; if tests fail, loop restarts
Complete	PR is green; agent reports results

“The teleport protocol moves agent state from your terminal to the cloud. The bridge lets you dispatch tasks from your phone. The autofix-PR daemon watches your PR until it is green. This is not a CLI tool. It is a distributed execution platform.”

---

5. Kairos: The Autonomous Daemon

The leak reveals an entire unreleased mode called Kairos — a persistent, always-running Claude assistant that does not wait for human input.

What Kairos Is

Feature	Description	Status
Mode	Autonomous proactive agent	Feature-flagged (not yet public)
Trigger	KAIROS feature flag in getSystemPrompt()	Internal testing
Behavior	Watches, logs, proactively acts on observations	Daemon mode
Prompt	“You are an autonomous agent. Use available tools to do useful work.”	Different from standard prompt
Memory	Includes scratchpad instructions	Persistent working state
Integration	Uses all standard tools + proactive module	Full capability access

The Proactive Module

When Kairos is active, the system prompt shifts from “assist the user” to “do useful work autonomously.” The proactive module (proactiveModule.isProactiveActive()) determines whether Kairos should activate. When it does, the entire prompt structure changes — dropping interactive guidance sections and adding autonomous execution instructions.

Kairos + Brief

The source also reveals KAIROS_BRIEF — a variant that provides condensed status updates. This suggests Anthropic is building a mode where the agent runs continuously and provides periodic briefings to the human, rather than waiting for turn-by-turn interaction.

---

6. OECD Context and Practical Actions

OECD broadband data (98.9% in advanced economies) confirms the infrastructure for distributed agent architectures is universally available. The constraint is not connectivity — it is organizational readiness for the architectural patterns this leak reveals.

Actions for Leaders

1. Study the five-layer architecture as a blueprint. Cognition (dynamic prompts), perception (tool orchestration), memory (auto-compaction), security (permission classifiers), distribution (teleport/bridge). Every enterprise agent platform will converge on this pattern. Build yours accordingly.

2. Implement two-stage permission classification. The YOLO classifier — fast-reject plus deep-analysis, with transcript sanitization and circuit breakers — is the most mature autonomous permission architecture publicly documented. Adapt it.

3. Build execution trace infrastructure for auto-compaction. Claude Code’s memory system works because it logs everything. Your agents need the same: full execution traces that support structured summarization when context limits are reached.

4. Prepare for distributed agent execution. The teleport protocol and bridge infrastructure signal that agents will operate across local, cloud, and mobile environments simultaneously. Architect your agent infrastructure for multi-environment execution from day one.

5. Watch Kairos as the preview of autonomous daemon agents. The shift from “respond when prompted” to “watch, log, and proactively act” is the next architectural phase. Kairos is Anthropic’s answer. Prepare your governance frameworks for agents that do not wait for permission to observe.

Action	Owner	Timeline
Five-layer architecture review	CTO + AI Engineering	Q2 2026
Permission classification design	CISO + AI Engineering	Q2 2026
Execution trace infrastructure	CTO + Platform	Q2 2026
Multi-environment agent architecture	CTO + Architecture	Q2–Q3 2026
Daemon agent governance framework	CISO + Legal	Q3 2026

---

The Bottom Line

512,000 lines. 1,900 files. 41,500 forks. ~40 tools. $2.5B ARR. Five architectural layers. Two-stage permission classifier. Auto-compaction with circuit breakers. Teleport protocol for local-to-cloud state transfer. Mobile bridge for phone dispatch. Kairos autonomous daemon. Internal codenames: Capybara, Fennec, Numbat.

Anthropic is not winning because it has the smartest model. It is winning because it has built a distributed operating system for intelligence — with dynamic prompt assembly, autonomous permission engineering, structured memory management, cross-environment execution, and an unreleased autonomous daemon that watches and acts without human prompting.

The deck of cards has been dropped. The trick is revealed. The architecture that powers the industry’s most advanced AI agent is now public knowledge. The question for every enterprise AI team: how fast can you learn from this blueprint?

The Claude Code leak reveals what the industry should have known: the model is not the product. The harness — the operating system for intelligence wrapped around the model — is the product. And that operating system is more sophisticated than anything the industry assumed.

---

Thorsten Meyer is an AI strategy advisor who notes that “512,000 lines of harness code” explains both the $2.5 billion ARR and the 6x performance gap from harness choice — and that “accidental open source” is what happens when you ship source maps to npm, which is, ironically, exactly the kind of packaging error that a well-configured Claude Code instance would catch. More at ThorstenMeyerAI.com.

---

Sources

1. Chaofan Shou (@fried_rice) — Discovery of Claude Code Source Map Exposure (Mar 31, 2026)
2. Anthropic — Confirmed npm Packaging Error; “Human Error, Not Security Breach”
3. The Register — “Anthropic Accidentally Exposes Claude Code Source Code” (Mar 31, 2026)
4. VentureBeat — “Claude Code Source Code Leaked: Here’s What We Know” (Mar 31, 2026)
5. Fortune — “Anthropic Leaks Own AI Tool Source Code in Second Major Breach” (Mar 31, 2026)
6. DEV Community — “Claude Code Leaked via npm Source Maps: What’s Inside” (Mar 31, 2026)
7. Alex Kim — “Claude Code Source Leak: Fake Tools, Frustration Regexes, Undercover Mode”
8. The Neuron / eWeek — “Anthropic Leaks Claude Code: A Blueprint for AI Coding Agents”
9. Apiyi.com — “512,000 Lines Accidentally Open-Sourced: AI Agent Industry Impact”
10. SiliconANGLE — “Claude Code Source Code Exposed via npm Packaging Error”
11. ccleaks.com — Claude Code Hidden Features Documentation
12. Source Analysis — getSystemPrompt(), yoloClassifier.ts, autoCompact.ts, teleport.tsx, bridge/
13. Internal Codenames — Capybara (Claude 4.6), Fennec (Opus 4.6), Numbat (Unreleased)
14. Stanford IRIS Lab — Meta-Harness: 6x Performance Gap from Harness Choice
15. Anthropic — Claude Code: $2.5B ARR, Enterprise >50% (Feb 2026)
16. OECD — 5.0% Unemployment, 11.2% Youth, 98.9% Broadband

---

© 2026 Thorsten Meyer. All rights reserved. ThorstenMeyerAI.com