What Claude Code’s Leaked Source Map Reveals About the Architecture of AI Agents

Two days ago the AI‑coding community was buzzing about a "source‑code leak" of Claude Code. In fact, the leak consisted of a source‑map file ( cli.js.map) shipped with the npm package @anthropic-ai/[email protected]. The map contains the full paths and contents of 4,756 source files, making it possible to trace the compiled bundle back to near‑original module structure and implementation details.

Why the leak matters

From an architectural and engineering perspective the leak is more interesting than the headline "source code exposed". It shows that Claude Code is not just a text‑only responder; it is an agentic system capable of reading files, executing commands, invoking tools, and launching remote tasks. The key question becomes: where does its security boundary actually reside—only in product copy, or in concrete engineering reality?

What was actually exposed

npm distribution contained a source map file.

The map revealed client‑side implementation details.

It exposed code related to tool invocation, permission handling, task state, and memory management.

The leak does not equal model‑weight exposure, a backend breach, or a usable backdoor. Describing it as a "complete open‑source system" would be misleading; it is more accurate to view it as a packaging mistake that unintentionally made the internal implementation readable.

How the source was obtained

The community reproduced the leak in two simple steps:

Download the specific npm version.

Extract the package and open cli.js.map.

npm pack @anthropic-ai/[email protected] --registry=https://registry.npmjs.org/
npm install
npm run build
node dist/cli.js --help

The map contains two crucial arrays: sources (file paths) and sourcesContent (the exact source code). Because the map is plain JSON, no de‑compilation or de‑obfuscation is required to read the original TypeScript files.

Four‑layer architecture uncovered

Analyzing the extracted code reveals a five‑layer harness:

Layer 1 – Main loop as an agentic turn orchestrator

The file src/query.ts implements a stateful query loop rather than a simple request‑response pair. It manages token budgeting, tool execution, compacting, and stop‑hook handling, turning the system into a small execution runtime that models "think‑act‑recover‑continue" cycles.

Layer 2 – Tool system as part of the control plane

Files src/tools.ts and src/Tool.ts show a layered tool pool:

Built‑in tools

Feature‑gated tools (e.g., KAIROS, AGENT_TRIGGERS)

MCP tools

REPL‑mode visibility controls

Coordinator‑mode combinations

Permission filtering occurs before the model sees the tools via filterToolsByDenyRules, turning permissions into a pre‑execution shaping mechanism rather than a post‑hoc check.

Layer 3 – Task runtime beyond a single CLI session

Directory tasks/ defines multiple task types such as local_bash, remote_agent, in_process_teammate, local_workflow, and dream. This demonstrates that Claude Code treats long‑running, multi‑agent workflows as first‑class citizens, separating foreground interaction from background execution.

Layer 4 – Memory as an engineered component

The memdir subsystem enforces line and byte limits, emits warnings on overflow, and creates the memory directory proactively. Memory entries are typed (user, feedback, project, reference) and are excluded if they can be derived from the current project state, illustrating a disciplined approach to long‑term context management.

Layer 5 – Remote permission bridge

File remotePermissionBridge shows how permission requests from a remote environment are synthesized into local UI confirmations, with stub tools generated when the remote tool is unavailable. This bridges local and remote execution contexts, highlighting that permissions are no longer a single‑point UI element.

Additional noteworthy features

Undercover Mode – an internal Anthropic branch that strips AI‑generated signatures and model identifiers when code runs in public repositories.

Buddy System – a deterministic virtual‑pet system (18 species, rarity tiers) that enhances user engagement but is not core to the agent functionality.

Security and risk implications

Claude Code collects extensive risk‑control data beyond IP and browser fingerprints, including persistent device IDs, account UUIDs, environment specs, content fingerprints, repository hashes, and runtime performance metrics. Consequently, simple tactics like changing IP or browser are ineffective against its risk‑assessment mechanisms.

Industry reaction

Discussion in the community fell into three categories:

Quantifying the amount of leaked code (≈1,900 files, >512 k lines of TypeScript).

Correcting misconceptions (the code was always readable; the source map only made it easier).

Speculating on future directions (feature gates like KAIROS, COORDINATOR_MODE hint at plans for continuous assistants, multi‑agent scheduling, and remote workflows).

These conversations illustrate that the leak exposed real engineering decisions rather than marketing fluff.

Takeaways for AI‑agent teams

Client‑side policies should not be the sole security boundary.

Embedding engineering experience into the system (tool pool, task runtime, permission context, memory pipeline, remote bridge) is more valuable than relying on prompts alone.

Long‑running tasks and multi‑agent capabilities require clear state models, isolated transcripts, lifecycle management, and explicit notifications.

Security discussions ultimately converge on concrete engineering details such as permission state machines and memory governance.

In short, the Claude Code source‑map incident provides a rare, detailed look at how a production AI agent platform is built, how its security boundaries are enforced, and what engineering challenges will face future agent systems.