Claude Code Source Leak: Inside the Accidental Open‑Source Release and New Buddy Feature

Anthropic unintentionally published the full TypeScript source map of Claude Code in an npm package, allowing the complete source to be reconstructed and mirrored on GitHub within hours.

Anthropic’s media team, citing a Decrypt interview, said the leak involved “no sensitive customer data” and was a packaging error, not a security breach; founder Boris Cherny called it “just a developer mistake.”

Developers quickly began line‑by‑line analysis, exposing internal system‑level strategies, especially around model‑capability protection and data safety.

Two anti‑distillation mechanisms were identified: one injects fabricated tool calls into the model’s output stream to poison harvested data, and the other abstracts tool‑call details into vague summaries, making reverse‑engineering of agent actions difficult.

The constants/prompts.ts file contains the complete system prompt, illustrating how Anthropic precisely controls Claude’s behavior and the rationale behind each instruction.

Claude Code also includes a hidden electronic pet located in src/buddy/. By hashing a user ID with a seeded RNG, the system generates a deterministic virtual companion (e.g., duck, cat, dragon) with species, hat, and rarity attributes, activated via the /buddy command.

Beyond the pet, the codebase ships with 187 whimsical loading verbs (e.g., “Beboppin’”, “Lollygagging”) that rotate during model thinking to avoid monotonous “Loading” messages.

In services/api/claude.ts, a feature flag adds anti_distillation: ['fake_tools'] to API requests, causing the backend to inject unusable tool definitions. The streamlinedTransform.ts file further removes the model’s thinking content and reduces tool calls to simple category counts.

Prompt caching is finely managed in promptCacheBreakDetection.ts. The system hashes the system prompt, each tool schema, model name, headers, mode flags, effort parameters, and other request fields; any change triggers a diff that records which part altered.

An “undercover mode” in utils/undercover.ts activates when the user type equals “ant”. It injects a critical instruction into the system prompt, forbidding any internal Anthropic identifiers, model codenames, or references to Claude Code from appearing in commits, PR titles, or messages.

Operational telemetry shows 1,279 sessions experienced 50+ consecutive failures, wasting roughly 250 K API calls per day. The mitigation sets MAX_CONSECUTIVE_AUTOCOMPact_FAILURES = 3 and defines token‑budget thresholds for auto‑compaction and forced compression.

When a task modifies multiple files or backend components, a separate validation agent runs to verify results. The main agent then reviews the validation output before accepting changes, ensuring no false‑positive success reports.

The services/autoDream/autoDream.ts module implements “Auto Dream”, a background memory consolidation that, after sufficient idle time and session count, forks a sub‑agent to generate a structured MEMORY.md file containing ten modules (e.g., Session Title, Errors & Corrections) limited to ~12 K tokens.

Security checks in utils/userPromptKeywords.ts (26 lines) use two regex sets to filter profanity before sending user input to the API, a measure the founder cites as a user‑experience signal.

Build‑time canary enforcement reads excluded-strings.txt during packaging; any forbidden internal identifiers or API‑key prefixes cause the build to fail.

AI researcher Sebastian Raschka highlighted the same anti‑distillation tactics, the aggressive prompt‑caching strategy, and the superiority of tool‑based interactions over plain file uploads, noting that Claude Code’s performance gains stem from these engineering optimizations.

Following the leak, the source was forked over 40 K times on GitHub within six hours. Anthropic attempted DMCA takedowns, but the code had already proliferated to decentralized storage, making removal impossible.

Community projects quickly rewrote the codebase: a Korean developer used the “oh‑my‑codex” orchestrator to port the architecture to Python, achieving >50 K stars in two hours; other forks like “claw‑code”, “open‑agent‑sdk”, and “OpenClaude” added shims, sub‑agent replacements, and performance tweaks.

Critical analysis from X user Rohan identified engineering debt: a 5 K‑line REPL component with 227 Hook calls, 89 feature flags, 472 environment variables, circular dependencies in 61 files, and over‑engineered type names, all reflecting rapid feature churn and compromised maintainability.

Overall, the Claude Code leak offers a rare glimpse into the inner workings of a high‑valued AI product, revealing both sophisticated safeguards and the messy trade‑offs of fast‑paced AI engineering, while the community’s swift response underscores the transformative impact of open‑source analysis on software development practices.