What the Claude Code Source Leak Reveals About Anthropic’s AI Agent Architecture
A 57 MB source‑map file accidentally shipped with the @anthropic-ai/[email protected] npm package exposed over 1,900 TypeScript/TSX files, allowing the community to dissect Claude Code’s five‑layer Agent Harness, tool control, task runtime, memory system, and remote permission bridge, offering valuable engineering insights for AI agent developers.
Event Overview
On March 31 2026, the npm package @anthropic-ai/[email protected] unintentionally included a 57 MB cli.js.map source‑map file. The map contains 1,906 Claude Code TypeScript/TSX source files (over 512 k lines), exposing a near‑complete client‑side implementation of Anthropic’s AI Agent Harness.
Scope of the Leak
The leaked content is limited to client‑side code and does not contain model weights, core LLM services, or backend infrastructure. It reveals three main layers:
Source‑map metadata with full file paths and content for both Claude Code sources and node_modules dependencies.
Client implementation details such as CLI construction, tool invocation flow, permission handling, and task state management.
Core Agent Harness modules—including the main loop, tool pool, memory pipeline, and remote permission bridge—that are of high reference value for AI‑Agent engineering.
Leak Chain
Anthropic published the package without stripping the debug cli.js.map file.
Developers downloaded the package via standard npm commands and unpacked it.
The map is a JSON object containing sources and sourcesContent arrays, which can be read directly to retrieve the original source files.
Typical reproduction commands (for research only):
npm pack @anthropic-ai/[email protected] --registry=https://registry.npmjs.org/
npm install
npm run build
node dist/cli.js --help
These commands let researchers locate key files such as src/query.ts (main loop), src/tools.ts (tool system), src/Tool.ts (tool definition), and src/services/autoDream/autoDream.ts (memory consolidation).
Five‑Layer Harness Architecture
Claude Code implements a five‑layer Agent Harness that goes beyond a simple chat‑plus‑tool model:
Layer 1 – Main Loop Orchestration: The REPL‑style loop in src/query.ts manages a stateful “Agentic Turn” with phases of thinking, execution, compression, and iteration.
Layer 2 – Tool Control Plane: Tools are assembled in a layered pool (built‑in, feature‑gated, MCP‑specific, mode‑specific) with pre‑filtering via filterToolsByDenyRules and a full permission state machine (alwaysAllow, alwaysDeny, alwaysAsk, etc.).
Layer 3 – Task Runtime: A flexible task system defines seven task types (local bash, local agent, remote agent, in‑process teammate, local workflow, monitor MCP, dream) and supports background sessions with separate logging.
Layer 4 – Memory Engineering: The memdir module enforces capacity limits, typed storage (user, feedback, project, reference), and proactive directory creation. The autoDream service runs asynchronously when time, session count, and lock conditions are met, consolidating recent interactions into structured memory.
Layer 5 – Remote Permission Bridge: The remotePermissionBridge synchronizes remote permission requests to the local UI, creates tool stubs when needed, and guarantees consistent permission handling across environments.
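Layer 2 above describes two separate stages: a pre-filter that removes denied tools from the pool before the model ever sees them, and a permission state machine (alwaysAllow, alwaysDeny, alwaysAsk) consulted at call time. The following is an added example, not Claude Code's implementation: a minimal version of both stages with deny taking precedence over allow, and with an "ask" outcome failing closed when there is no interactive UI to ask, which is the situation the remote permission bridge in Layer 5 exists to handle. The function name filterToolsByDenyRules and the three rule-list names come from the article; the rule shape, the tool names and the policy are constructed for the demonstration.

```javascript
// Added example (not Claude Code's code): a tool pool with deny-rule
// pre-filtering and a small permission state machine. Rule shape and
// tool names are hypothetical.

// A rule matches a tool by exact name, optionally narrowed by an argument prefix
// (e.g. { tool: 'Bash', argPrefix: 'git status' }).
function ruleMatches(rule, toolName, arg) {
  if (rule.tool !== toolName) return false;
  if (rule.argPrefix === undefined) return true;
  return typeof arg === 'string' && arg.startsWith(rule.argPrefix);
}

// Pre-filter: a tool covered by an unconditional deny rule never reaches the
// model's tool list, so it cannot even be requested.
function filterToolsByDenyRules(tools, denyRules) {
  const blanketDenied = new Set(
    denyRules.filter(r => r.argPrefix === undefined).map(r => r.tool));
  return tools.filter(t => !blanketDenied.has(t.name));
}

// Decision order: alwaysDeny > alwaysAllow > alwaysAsk > default (ask).
function decidePermission(policy, toolName, arg) {
  if (policy.alwaysDeny.some(r => ruleMatches(r, toolName, arg))) return 'deny';
  if (policy.alwaysAllow.some(r => ruleMatches(r, toolName, arg))) return 'allow';
  if (policy.alwaysAsk.some(r => ruleMatches(r, toolName, arg))) return 'ask';
  return 'ask';
}

// Run one tool call through both stages and return an auditable outcome.
function runToolCall(tools, policy, call, options = { interactive: true }) {
  const pool = filterToolsByDenyRules(tools, policy.alwaysDeny);
  if (!pool.some(t => t.name === call.tool)) {
    return { tool: call.tool, decision: 'deny', reason: 'removed by deny-rule pre-filter' };
  }
  const decision = decidePermission(policy, call.tool, call.arg);
  // Headless or remote sessions have no UI to prompt, so 'ask' must fail closed
  // unless a bridge forwards the prompt to a local UI.
  if (decision === 'ask' && !options.interactive) {
    return { tool: call.tool, decision: 'deny', reason: 'ask required but no interactive UI' };
  }
  return { tool: call.tool, decision, reason: 'policy' };
}

// Constructed sample pool and policy.
const TOOLS = [{ name: 'Read' }, { name: 'Bash' }, { name: 'WebFetch' }];
const POLICY = {
  alwaysAllow: [{ tool: 'Read' }, { tool: 'Bash', argPrefix: 'git status' }],
  alwaysDeny: [{ tool: 'WebFetch' }, { tool: 'Bash', argPrefix: 'rm -rf' }],
  alwaysAsk: [{ tool: 'Bash' }],
};

console.log(runToolCall(TOOLS, POLICY, { tool: 'Bash', arg: 'ls' }));
```

The ordering in decidePermission is the security-relevant choice: a narrow deny rule must win over a broad allow rule, otherwise a single permissive entry silently reopens everything the deny list was meant to close.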
Industry Implications
The leak shifts community discussion from “source‑code exposure” to the concrete engineering of a production‑grade AI Agent. Key takeaways include:
Agent security must be enforced at the engineering level (pre‑filtering, hard caps, remote bridge consistency) rather than relying on UI warnings.
Long‑running tasks require clear separation of foreground interaction and background execution, with dedicated logs and state models.
Memory should be treated as a first‑class engineering component, with capacity controls, typed categorization, and asynchronous cleanup.
Future AI Agents will be judged not only on model capability but also on the robustness of their harness architecture.
Practical Recommendations for AI‑Agent Teams
Remove source‑maps and debug artifacts before publishing npm packages.
Adopt a permission state machine with pre‑filtering to prevent high‑risk tool misuse.
Separate UI and background task execution, storing logs in isolated paths.
Design memory systems with typed storage, size limits, and asynchronous consolidation.
Implement a remote permission bridge that mirrors local permission flows for cross‑environment agents.
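The memory recommendation above (typed storage, size limits, asynchronous consolidation) restates what Layer 4 describes: a memory directory with capacity limits and four entry types, plus a consolidation pass that runs only when time, session-count and lock conditions are met. The following is an added example, not the memdir or autoDream code from the leaked package: a typed store with a hard cap per type, a gate that evaluates the three conditions, and a consolidation pass that takes a lock, folds unconsolidated entries into one summary and always releases the lock. The type names come from the article; the thresholds, function names and the synchronous summarizer (standing in for an asynchronous model call) are hypothetical.

```javascript
// Added example (not Claude Code's code): typed memory storage with per-type
// capacity limits, a consolidation gate and a consolidation pass. Thresholds,
// names and the summarizer are hypothetical.

const MEMORY_TYPES = ['user', 'feedback', 'project', 'reference'];

class MemoryStore {
  constructor(capacityPerType) {
    this.capacity = capacityPerType;
    // One bucket per known type, created up front rather than on first use.
    this.buckets = new Map(MEMORY_TYPES.map(t => [t, []]));
  }

  // Unknown types are rejected instead of silently widening the schema.
  add(type, text, timestamp) {
    if (!this.buckets.has(type)) throw new Error(`unknown memory type: ${type}`);
    const bucket = this.buckets.get(type);
    bucket.push({ text, timestamp, consolidated: false });
    // Hard cap: evict the oldest entries once the bucket overflows.
    while (bucket.length > this.capacity) bucket.shift();
    return bucket.length;
  }

  count(type) { return this.buckets.get(type).length; }

  entries(type) { return this.buckets.get(type).slice(); }

  unconsolidatedCount() {
    let n = 0;
    for (const bucket of this.buckets.values()) n += bucket.filter(e => !e.consolidated).length;
    return n;
  }
}

// Gate: a pass runs only when no other pass holds the lock, enough time has
// elapsed since the last run, and enough sessions have occurred since then.
function shouldRunDream(state, now, thresholds) {
  if (state.lockHeld) return { run: false, reason: 'lock held' };
  if (now - state.lastRunAt < thresholds.minIntervalMs) return { run: false, reason: 'too soon' };
  if (state.sessionsSinceRun < thresholds.minSessions) return { run: false, reason: 'too few sessions' };
  return { run: true, reason: 'ok' };
}

// Consolidation pass: take the lock, fold the unconsolidated entries of one
// type into a single summary entry, update run state, and always release the
// lock. Returns the number of entries folded.
function runDream(store, state, type, now, summarize) {
  if (state.lockHeld) throw new Error('consolidation already running');
  state.lockHeld = true;
  try {
    const bucket = store.buckets.get(type);
    const fresh = bucket.filter(e => !e.consolidated);
    if (fresh.length === 0) return 0;
    const summary = summarize(fresh.map(e => e.text));
    const kept = bucket.filter(e => e.consolidated);
    kept.push({ text: summary, timestamp: now, consolidated: true });
    store.buckets.set(type, kept);
    state.lastRunAt = now;
    state.sessionsSinceRun = 0;
    return fresh.length;
  } finally {
    state.lockHeld = false;
  }
}

// Constructed usage: three project notes, capacity 3, one consolidation pass.
const demoStore = new MemoryStore(3);
const demoState = { lastRunAt: 0, sessionsSinceRun: 2, lockHeld: false };
['a', 'b', 'c'].forEach((t, i) => demoStore.add('project', t, i + 1));
if (shouldRunDream(demoState, 5000, { minIntervalMs: 1000, minSessions: 2 }).run) {
  console.log(runDream(demoStore, demoState, 'project', 5000, texts => texts.join(' | ')));
}
```

The try/finally around the lock is the part worth copying: a consolidation pass that throws midway (for example when the summarizer fails) must not leave the lock held, or every later gate check fails with "lock held" and memory silently stops being consolidated.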