What the Claude code leak reveals about agent architecture

Anthropic accidentally published the source code for its flagship agent. 512,000 lines of TypeScript, 1,900 files, a single forgotten line in the .npmignore. What the leak reveals about agent architecture is more instructive than any keynote.

What happened

On March 31, Anthropic pushed version 2.1.88 of @anthropic-ai/claude-code to the npm registry—including a 59.8 MB source map file containing the complete TypeScript source code. Chaofan Shou, Lead Engineer at Solayer Labs and co-founder of the blockchain security firm FuzzLand, discovered the leak and shared it on X. Within hours: thousands of forks on GitHub, mirrors on Codeberg, analyses on Substack and Hacker News.

Anthropic confirmed "human error, not a security breach" and issued over 8,100 DMCA takedowns via GitHub — before correcting the number to 96 because the first batch had affected more accounts than intended. It didn’t help: A team delivered Claw Code, a reimplementation in Python and Rust—over 100,000 stars in less than a day. And on ccunpacked.dev, you can view the complete architecture as an interactive visualization.

An interesting detail: It was the second leak within a week. Just a few days earlier, the unreleased Mythos model had already surfaced.

What the code reveals

Gennaro Cuofano, founder of FourWeekMBA, dissected the architecture in "Anthropic's Leak & The Scaffolding Map of AI." The key insight: a three-tier memory hierarchy built around a hard constraint—LLM context windows are expensive and limited.

Layer 1: MEMORY.md — an index that is always in the system prompt. Contains only pointers, never knowledge itself. Maximum 150 characters per entry. A routing table, not storage.

Layer 2: Topic Files — the actual knowledge content, organized by topic. Loaded only as needed, never in advance.

Layer 3: Session Transcripts — raw .jsonllogs of all interactions. They are never loaded into the context in full, but are searched via Grep using narrow search terms.

The hard rule behind this: "If it's derivable, don't persist it." Anything that can be derived from the code is not stored. No PR history, no debug logs, no code structure. Only knowledge that cannot be reconstructed at runtime is allowed to persist.

Dreaming, Daemons, and a Tamagotchi

The code contains more than just memory management. The Verge and the Wall Street Journal have documented features that are not yet public:

• "Auto Dream" — a background process that consolidates sessions. The agent "dreams" its own memories together without human intervention.
• KAIROS — an always-on agent system with the feature flags PROACTIVE (autonomous action) and CRON (scheduled execution). Claude Code is designed to continue working in the background even when the user is idle
• "Buddy" — a Tamagotchi-like interactive feature in the terminal. Can be /buddy . The creature is deterministically assigned from 18 species based on the user ID — octopus, dragon, axolotl, capybara, and others. It occasionally says cryptic things. No discernible purpose. Presumably an experiment in agent personality

And then the point that brought The Register into the picture: A file named undercover.tsthat instructs Claude Code not to reveal any Anthropic-internal information in contributions to public open-source repositories — "Do not blow your cover." Whether this is a pragmatic security measure or an agent concealing its origins is open to debate. Add to that a privacy footprint that, according to The Register, “goes far beyond what even attentive readers of the terms of service would expect.”

Why this matters to agent builders

Let’s put the scandal aside for a moment. What was inadvertently revealed here is an architectural philosophy that anyone who builds agents can understand:

• Context windows are the new RAM. While half the industry is betting on ever-larger context windows, Anthropic builds systems that load as little context as possible. Pointers instead of full text. Grep instead of bulk load. Rigorous relevance filters instead of “throw everything in and hope for the best.” This isn’t a reflex to be frugal—it’s an architectural conviction.
• Memory generates recursive overhead. More memory functionality requires more computing power, which in turn requires more memory. Auto Dream is the best example: a significant portion of inference performance goes not toward productive user interactions, but toward maintaining its own memory. Anyone building agents must factor this overhead into their calculations.
• The scaffolding is the competitive advantage, not the model. In a market where the underlying LLM is becoming increasingly interchangeable, the surrounding architecture is what matters. How an agent manages its context, how it plans tasks, how it interacts with tools—that is what Anthropic has spent billions on. And that is exactly what is now out in the open.

VentureBeat sums it up: The leak “hands competitors a clear guide for replicating a production-grade AI coding agent, including the memory management approach Anthropic spent significant engineering effort developing.” Claude Code has a run-rate revenue of $2.5 billion. Anyone can now view the blueprint for it on GitHub.

What remains

Anthropic has two problems: a security problem and a competition problem. The security problem is solvable—better CI/CD pipelines, stricter release checks. The competition problem is not. The code is out there. The Claw code reimplementation has over 100,000 stars. DMCA takedowns against open-source rewrites in other programming languages are futile.

But here’s the flip side: The leak also shows just how far ahead of the competition Anthropic is. Anyone who understands the architecture understands the gap. Three-tier memory hierarchies, “Dreaming” processes, agent autonomy with tiered security levels—you don’t build that in a sprint. Copying is one thing. Developing it further at the same level is another.

The most uncomfortable realization for everyone building agents: The most expensive problem isn’t the model. It’s the memory.

An LLM researched and wrote. A human read, edited, and approved it.