This is Part 1 of a 5-part series: "The Architecture of Agency: Decoding 512,000 Lines of Leaked Claude Code."
On March 31, 2026, security researcher Chaofan Shou discovered that Anthropic’s Claude Code had its entire source code exposed through a source map file published to the npm registry. A missing .npmignore entry shipped a 59.8 MB source map containing 512,000 lines of unobfuscated TypeScript across approximately 1,900 files.
Within hours, the code was mirrored on GitHub, dissected by thousands of developers, rewritten in Python and Rust, and a clean-room reconstruction hit 50,000 GitHub stars in two hours — likely the fastest-growing repository in GitHub’s history.
This wasn’t a security breach. No customer data or credentials were involved. It was a packaging error — someone on the release team failed to exclude *.map files from the npm publish. But the result was a 512,000-line blueprint of how the world’s most advanced AI coding agent actually works.
1. The Core Insight: The "Harness" Is the Moat
The single most important revelation from the leak is this: the AI model is only ~20% of the product. The other 80% is the engineering surrounding it — what we call the "harness."
Think of it this way: The LLM (Claude Opus, Sonnet, etc.) is a powerful but raw engine. Claude Code wraps that engine in a high-performance chassis with steering, brakes, sensors, and a navigation system. Without the harness, you have a powerful engine with no car. With the harness, you have a self-driving vehicle.
2. Performance Over Everything: Why Bun?
Most developers default to Node.js for JavaScript/TypeScript runtimes. The leak reveals Anthropic chose Bun instead — a decision that reflects deep architectural thinking about agent performance.
| Feature | Node.js | Bun |
| Startup Time | ~50-100ms | Sub-millisecond |
| TypeScript Support | Requires compilation step | Native (zero config) |
| Subprocess Spawning | Standard | Optimized for high concurrency |
| Package Install | npm (standard) | ~25x faster than npm |
Why this matters for an AI agent: When Claude Code searches a codebase, it spawns multiple sub-processes (grep, file reads, git operations) in rapid succession. Each subprocess launch has overhead. At Node.js speeds, searching a large repo with hundreds of tool calls introduces noticeable latency. Bun’s sub-millisecond startup eliminates this bottleneck, enabling what Anthropic internally calls "agentic velocity" — the speed at which an AI agent can execute a chain of tool calls.
3. The 4-Stage Context Management Pipeline
This is arguably the most valuable intellectual property revealed in the leak. Claude’s 200K token context window is managed by a sophisticated 4-stage pipeline:
| Stage | Name | What It Does |
| 1 | Ingestion | Files are read and filtered through .claudeignore patterns. Binary files, node_modules, and irrelevant assets are excluded. The system decides what the AI needs to "see." |
| 2 | Compaction | A semantic summarizer strips boilerplate, repetitive patterns, and low-information-density code. Only logic-dense sections survive. This is how Claude handles codebases that would otherwise exceed its context window. |
| 3 | Partitioning | The prompt is split into Static/Cached sections (system instructions, tool definitions — same for all users, cached for performance) and Dynamic/Uncached sections (current task, user files, conversation history). The code reveals a naming convention: DANGEROUS_uncachedSystemPromptSection. |
| 4 | Injection | Final assembly into a structured XML format that the model consumes. System reminders, tool results, and user messages are interleaved in a specific order optimized for attention patterns. |
The Security Risk Discovered: By understanding how the compaction stage works, security researchers found that specially crafted code comments can survive the semantic summarization process. These "adversarial comments" persist in the compacted context, potentially serving as a backdoor that influences Claude’s behavior for the entire session.
This is a novel attack vector specific to AI agents with context compaction — and it was only discoverable because the pipeline’s logic was now visible in the source code.
4. The YOLO Classifier: Small Model Gating Large Model
One of the most production-grade discoveries in the leak is the YOLO (You Only Look Once) Classifier — a pattern that will likely become standard in AI agent design.
4.1 The Problem
An AI coding agent needs to execute shell commands, edit files, and make API calls. Some actions are safe (ls, git status, grep). Others are dangerous (rm -rf, git push --force, DROP TABLE). Asking the user for permission on every single action destroys the workflow. But auto-approving everything is reckless.
4.2 The Solution
Instead of asking the expensive Claude Opus model (which costs tokens and latency) to evaluate each action’s safety, Anthropic uses a tiny, ultra-fast ML classifier that scans the terminal transcript in real-time:
- Low-risk pattern detected (read-only commands, standard git operations) → Auto-approve
- Ambiguous or high-risk pattern (file deletion, network requests, system modifications) → Escalate to human
This is the "small model gates large model" pattern in production. The tiny classifier makes thousands of fast decisions so the expensive model doesn’t have to. It’s the same principle behind how your phone’s always-on voice detection chip (tiny, low-power) triggers the main processor (powerful, expensive) only when it hears "Hey Siri."
5. The Tool System: 29,000 Lines of Orchestration
The leak reveals that Claude Code’s tool system alone is 29,000 lines of code. This includes:
- File operations: Read, Write, Edit (with diff-based editing), Glob (pattern search), Grep (content search)
- Shell execution: Bash with sandboxing, timeout management, background process handling
- Agent spawning: Sub-agents for parallel tasks (explore codebase, run tests, plan implementation)
- Memory system: Persistent file-based memory across sessions (MEMORY.md + individual memory files)
- Notebook editing: Jupyter notebook cell manipulation
- Web tools: WebSearch, WebFetch for real-time information retrieval
Each tool has its own schema, validation, error handling, and output formatting. The orchestration layer manages tool call sequencing, parallel execution, dependency resolution, and result injection back into the conversation context.
6. The Supply Chain Attack (The Other Story)
In a cruel twist of timing, the same npm update window that exposed the source code was also exploited by attackers. Users who installed or updated Claude Code between 00:21 and 03:29 UTC on March 31 may have pulled a trojanized HTTP client containing a cross-platform remote access trojan (RAT).
This wasn’t Anthropic’s fault — it was a supply chain attack piggybacking on the attention the leak generated. But it underscores a critical truth: the npm ecosystem remains a major attack surface, and AI development tools are now high-value targets.
7. The Big Takeaway: 20% Model, 80% Orchestration
Building a great AI product in 2026 is 20% Model, 80% Orchestration. The LLM is the engine, but the harness — the context management, the permission system, the tool orchestration, the runtime performance — is the actual moat. Any company can call the Claude API. What Anthropic built around it is what makes Claude Code work.
Series Roadmap
| Part 1 (This Post) | The "Harness" Is the Moat — Bun, context pipeline, YOLO classifier |
| Part 2 | "Mythos" & The Roadmap — codenames, ULTRAPLAN, Undercover Mode |
| Part 3 | KAIROS — Always-on daemon, 15-second budget, autoDream |
| Part 4 | Prompt Compilation — DANGEROUS_uncached, context poisoning, anti-distillation |
| Part 5 | "Buddy" — Tamagotchi identity anchors, Mulberry32 gacha, persistence |
Sources: