The accidental exposure of Anthropic’s flagship CLI tool has provided a rare, unfiltered look at the engineering philosophy, defensive tactics, and unreleased roadmap of one of the world’s leading AI labs.
- Defensive Engineering: Anthropic is actively “poisoning” its API responses with fake tools and summarized reasoning to prevent competitors from training models on Claude’s output.
- The “KAIROS” Reveal: Hidden in the code is a massive, unreleased autonomous agent framework featuring background workers, “nightly memory distillation,” and GitHub integration.
- Technical Sovereignty: The leak confirms a sophisticated, low-level “DRM” system implemented in Zig to ensure only official Anthropic clients can access high-end models at subscription rates.
Earlier today, a simple oversight turned into a massive industry headline. Anthropic accidentally shipped a .map file in their npm package for Claude Code. This oversight effectively handed the public the keys to the kingdom: the full, readable source code of their advanced CLI tool. While the package was quickly pulled, the code was mirrored and dissected across Hacker News and social media within minutes.
This isn’t just a technical stumble; it’s a strategic blow. Coming just days after a model spec leak and a legal battle with OpenCode over API usage, the source code reveals that Anthropic is playing a high-stakes game of cat-and-mouse with both its users and its competitors.
Anti-Distillation and the War on “Copycats”
Perhaps the most striking find is the ANTI_DISTILLATION_CC flag. When active, Claude Code silently injects “fake tools” into the system prompt. This isn’t for the user’s benefit—it’s a trap. If a competitor tries to “distill” Claude’s intelligence by recording its API traffic to train a new model, the fake data pollutes their training set.
Furthermore, the code reveals “connector-text summarization.” Instead of providing full reasoning chains, the API sends back signed summaries. This ensures that while the user gets the result, a data-scraper only gets a truncated version of the AI’s internal logic. It highlights a growing industry reality: AI companies are now more afraid of their data being stolen than their software being pirated.
Undercover Mode: When AI Hides Its Identity
The source leak also uncovered a file named undercover.ts. This module implements a “one-way door” mode that prevents the AI from mentioning internal Anthropic codenames like “Capybara” or “Tengu.” More controversially, it instructs the model to avoid the phrase “Claude Code” entirely in non-internal repositories.
The implication is clear: Anthropic employees using the tool to contribute to open-source projects can effectively hide the fact that their code was AI-authored. While scrubbing internal Slack channels from prompts makes sense for security, a mode designed to help an AI “pretend” to be human raises significant transparency questions in the developer community.
KAIROS: The Autonomous Future
For those looking toward the future, the most “spicy” discovery is KAIROS. This appears to be a massive, unreleased autonomous agent mode. Unlike the current version of Claude Code, which waits for user input, KAIROS is built for background operation. The code references:
- A
/dreamskill used for “nightly memory distillation.” - Cron-scheduled refreshes every five minutes.
- Background daemon workers and GitHub webhook subscriptions.
This suggests that Anthropic is preparing to move beyond a “chat-box” interface into a world where Claude lives in your terminal as a permanent, self-improving digital employee.
DRM at the Metal
The leak also explains the technical “teeth” behind Anthropic’s recent legal threats against third-party tool makers. In system.ts, the tool uses Bun’s native HTTP stack (written in Zig) to inject a cryptographic hash into headers at the transport level.
This is essentially “Client Attestation” or DRM for LLMs. It allows Anthropic’s servers to verify that a request is coming from their official, paid binary rather than a third-party app trying to bypass their pricing Tiers. It is a sophisticated layer of protection that sits below the JavaScript runtime, making it invisible to standard debugging tools.
The Irony of the Leak
The ultimate irony lies in how this happened. Anthropic recently acquired Bun, the JavaScript runtime. A known bug in Bun, reported just weeks ago, causes source maps to be served in production even when disabled. It appears Anthropic may have fallen victim to a bug in their own acquired toolchain.
As the industry digests these findings, one thing is certain: the “black box” of AI development just got a little more transparent. Between the 23-step security checks for bash commands and a hidden “Tamagotchi-style” April Fools’ companion, the Claude Code source leak shows an organization that is simultaneously obsessed with security, terrified of distillation, and sprinting toward a future of autonomous agents.