Claude Code 500K Lines Code Leak Fully Organized, What's the True Core of the AI Agent?

51.2k lines of code, 1906 files, 59.8 MB source map. In the early hours of March 31, Chaofan Shou from Solayer Labs discovered that Anthropic's flagship product, Claude Code, had exposed the full source code in a public npm repository. Within hours, the code was mirrored on GitHub, with forks surpassing 41k.

This isn't Anthropic's first time making this mistake. When Claude Code was first released in February 2025, a similar source map leak occurred. The version number at that time was v2.1.88, and the leak was due to the same reason: the Bun build tool automatically generated the source map, which was not excluded in the .npmignore file.

Most reports focused on the easter eggs found in the leak, such as a virtual pet system and a "undercover mode" that allowed Claude to anonymously contribute code to open-source projects. But the real question to unpack is why the same Claude model exhibited such different behavior between the web version and Claude Code. What is the 51.2k lines of code really doing?

Model is Just the Tip of the Iceberg

The answer lies in the code structure. According to a GitHub community's reverse analysis of the leaked source code, out of the 51.2k lines of TypeScript, the interface code directly responsible for invoking the AI model accounts for only about 8000 lines, or 1.6% of the total.

What is the remaining 98.4% doing? The two largest modules are the query engine (46k lines) and the tooling system (29k lines). The query engine handles LLM API calls, streaming output, cache orchestration, and multi-turn dialogue management. The tooling system defines around 40 built-in tools and 50 slash commands, forming a plugin-like architecture where each tool has independent permissions control.

Additionally, there are 25k lines of terminal UI rendering code (with a file named print.ts stretching 5594 lines, with a single function spanning 3167 lines), 20k lines of security and permission control (including 23 numbered Bash security checks and 18 Zsh built-in commands that are disabled), and 18k lines of multi-proxy orchestration system.

Machine learning researcher Sebastian Raschka, after analyzing the leaked code, pointed out that the strength of Claude Code compared to the web version of the same model lies not in the model itself but in the software scaffolding built around the model, including repository context loading, dedicated tool dispatch, cache policies, and sub-agent collaboration. He even suggested that if the same engineering architecture were applied to other models like DeepSeek or Kimi, similar programming performance gains could be achieved.

An intuitive comparison can help understand this gap. When you input a question in the ChatGPT or Claude web version, the model processes it and returns an answer, leaving nothing behind at the end of the conversation. However, Claude Code's approach is entirely different. Upon startup, it first reads your project files, understands your codebase structure, remembers preferences like when you last said "do not mock the database in tests," and more. It can directly execute commands in your terminal, edit files, run tests, and when faced with complex tasks, it can break them down into multiple subtasks assigned to different subprocesses for parallel processing. In other words, the web version AI is a question-and-answer window, while Claude Code is a collaborator living on your computer.

Some liken this architecture to an operating system: the 42 built-in tools are akin to system calls, the permission system is similar to user management, the MCP protocol is like device drivers, and the subprocess orchestration is akin to process scheduling. Each tool is initially marked as "unsafe, writable" by default, unless a developer explicitly declares it safe. Tools for editing files will enforce a check to see if you've read the file before allowing modifications. This is not a chatbot with a few add-ons; it's an operating environment with LLM at its core and a complete security mechanism.

This implies one thing: the competitive barrier of AI products may not lie in the model layer but in the engineering layer.

Every Cache Miss Increases Costs Tenfold

Within the leaked code is a file named promptCacheBreakDetection.ts, which tracks 14 potential vectors that could cause a prompt cache invalidation. Why would Anthropic's engineers put in so much effort to prevent cache misses?

A look at Anthropic's official pricing reveals the reason. For example, with Claude Opus 4.6, the standard input price is $5 per million tokens, but if a cache hit occurs, the read price is only $0.5, a 90% discount. In other words, for every cache miss, the inference cost increases tenfold.

This explains the seemingly "overdesigned" architectural decisions in the leaked code. When Claude Code starts, it loads the current git branch, recent commit history, and CLAUDE.md file as context—these static contents are globally cached, with dynamic content separated by boundary markers to ensure conversations do not redundantly process existing contexts. There's also a mechanism called sticky latches in the code to prevent mode switches from disrupting established caches. Subagents are designed to reuse their parent process's cache rather than rebuild their context window.

Here is a detail worth expanding on. Anyone who has used AI programming tools knows that the longer the conversation, the slower the AI's response, because each round of dialogue has to resend the entire history to the model. The common practice is to delete old messages to free up space, but the problem is that deleting any message breaks the continuity of the cache, causing the entire conversation history to be reprocessed, leading to increased latency and cost.

The leaked code contains a mechanism called cache_edits, where instead of actually deleting messages, old messages are marked as "skipped" at the API layer. The model no longer sees these messages, but the cache continuity remains unbroken. This means that in a long conversation lasting hours, after clearing hundreds of old messages, the response speed in the next round is almost as fast as the first round. For the average user, this is the underlying answer to "why Claude Code can support an unlimited long dialogue without slowing down".

According to leaked internal monitoring data (from code comments in autoCompact.ts, dated March 10, 2026), before introducing the automatic compact failure limit, Claude Code wasted about 250,000 API calls per day. There were 1,279 user sessions that experienced 50 or more consecutive compact failures, with the most severe session failing consecutively 3,272 times. The fix was simply adding one line of restriction: MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES = 3.

So, for AI products, model inference cost may not be the most expensive layer; cache management failures are.

44 Switches, Pointing in the Same Direction

The leaked code contains 44 feature flags—precompiled feature switches that have not been publicly released. According to community analysis, these flags are categorized into five groups based on functionality, with the densest being the "Autonomous Agent" class (12 flags), pointing to a system called KAIROS.

KAIROS is referenced in the source code over 150 times; it is a persistent background daemon mode. Claude Code is no longer just a tool that responds when you actively call it but an agent that runs in the background, continuously observing, recording, and proactively acting at the right moment. The condition is not to interrupt the user, and any operation that could block the user for more than 15 seconds will be delayed.

KAIROS also has built-in terminal focus awareness. There is a `terminalFocus` field in the code that detects in real time whether the user is looking at the terminal window. When you switch to the browser or another app, the agent determines that you are "away" and switches to autonomous mode, actively performing tasks, submitting code directly without waiting for your confirmation. When you switch back to the terminal, the agent immediately returns to collaborative mode: first reporting what it has done and then asking for your opinion. The level of autonomy is not fixed but fluctuates in real time with your attention. This solves an embarrassing problem that AI tools have faced for a long time: fully autonomous AI makes people uneasy, while completely passive AI is inefficient. KAIROS's approach is to dynamically adjust the AI's initiative based on the user's attention, behaving obediently when you are focused on it and taking initiative when you are away.

Another subsystem of KAIROS is called autoDream. Every 5 sessions or every 24 hours, the agent initiates a "reflection" process in the background, consisting of four steps. It first scans existing memories to understand what it currently knows. Then it extracts new knowledge from conversation logs. Next, it merges the new and old knowledge, corrects contradictions, and removes duplicates. Finally, it streamlines the index by deleting outdated entries. This design is inspired by the memory consolidation theory in cognitive science. Just as humans organize their memories during sleep, KAIROS organizes project context when the user is away. For ordinary users, this means that the longer you use Claude Code, the more accurately it understands your project, not just "remembering what you said."

The second major category is "Anti-distillation and Security" (8 flags). The most notable among them is the `fake_tools` mechanism. When four conditions are met simultaneously (compile-time flag enabled, CLI entry activated, first-party API used, and GrowthBook remote switch set to true), Claude Code injects fake tool definitions into API requests, aiming to contaminate datasets potentially used in recording API traffic or training competitive models. This represents a new form of defense in the AI arms race. Its goal is not to prevent you from copying but to make you copy incorrect information.

Additionally, the code references the Capybara model alias (divided into standard, fast, and million-context window versions), widely speculated by the community to be the internal alias for the Claude 5 series.

Easter Egg: Within 512,000 lines of code lies an electronic pet

Among all the serious engineering architecture and security mechanisms, Anthropic's engineers have also quietly built a complete virtual pet system, internally codenamed BUDDY.

According to leaked code and community analysis, BUDDY is a gamified terminal pet that will appear as an ASCII art bubble next to the user's input box. It features 18 species (including Otter, Salamander, Mushroom, Ghost, Dragon, and a range of original creatures like Pebblecrab, Dustbunny, Mossfrog), divided into five rarity levels: Common (60%), Rare (25%), Epic (10%), Legendary (4%), and Mythic (1%). Each species also has a "Shiny variant," with the rarest being the Shiny Legendary Nebulynx with a one in ten thousand chance of appearing.

Each BUDDY has five attributes: DEBUGGING, PATIENCE, CHAOS, WISDOM, and SNARK. They can also wear hats, including a Crown, Top Hat, Propeller Cap, Halo, Wizard Hat, and even a Mini Duck. The pet you hatch is determined by the hash of your user ID, and Claude will generate its name and personality.

As per the leaked launch schedule, BUDDY was originally set to start closed beta from April 1st to 7th, with a full launch in May, starting with Anthropic's internal employees.

With 512,000 lines of code, 98.4% hardcore engineering, but someone took the time in the end to create an electronic salamander that wears a propeller cap. Perhaps, this is the most human touch in the leaked code.