I Analyzed 512,000 Lines of Leaked Claude Code Source Code — Complete Architecture Breakdown
Anthropic accidentally shipped their entire Claude Code CLI source in an npm package. I cloned the 512K-line TypeScript codebase, mapped all 31 subsystems, 25+ tools, 104 hooks, and discovered 44 hidden feature flags including an autonomous daemon mode called KAIROS, a tamagotchi pet system, and stealth mode for open-source contributions.
At 4 AM ET on March 31, 2026, Anthropic pushed version 2.1.88 of their Claude Code CLI to npm. Bundled inside was a 59.8 MB source map file that was never supposed to ship. Within 23 minutes, security researcher Chaofan Shou spotted it. By sunrise, the entire 512,000-line TypeScript codebase had been forked 41,000+ times on GitHub.
I spent hours cloning the repo, reading through the source, and mapping the full architecture. Not for drama, but because I have been building custom infrastructure on top of Claude Code for months -- 7 MCP servers, custom hooks, persistent memory -- and I wanted to understand how the internals actually work.
Here is the most comprehensive analysis you will find anywhere. Every claim has been validated against the actual TypeScript source.
The Numbers at a Glance
| Metric | Count | What It Means |
|---|---|---|
| Total lines of code | 512,000 | TypeScript, not a prototype |
| Subsystems | 31 | Distinct modules with clear boundaries |
| Utility modules | 564 | The largest subsystem by far |
| React components | 389 | The terminal UI is React/Ink |
| Service modules | 130 | Internal APIs, analytics, plugins |
| Hook modules | 104 | Lifecycle management and safety |
| Feature flags | 17 (in commands.ts) | Unreleased features behind compile-to-false |
| KAIROS references | 234 | Deeply integrated autonomous mode |
| Tools | 25+ | Across 160+ files |
| Bundled skills | 20 | batch, debug, claudeApi, etc. |
| Built-in agents | 6 | explore, plan, verify, guide, general, statusline |
| Buddy species | 18 | Tamagotchi companion with ASCII art |
High-Level Architecture
Claude Code is not a chatbot with tool access. It is a full operating system for AI-assisted software development, organized in five distinct layers.
Layer 1: The Runtime and Bootstrap Sequence
The entry point is entrypoints/cli.tsx -- the CLI is a React application rendered with Ink. Before the main session starts, the runtime goes through a 12-phase bootstrap sequence:
Phases 6, 8, and 9 (highlighted in orange) are the unreleased daemon and background session system. Phase 5 is the Chrome extension MCP bridge. Phase 7 is the IDE integration bridge (VS Code, JetBrains).
Most users only ever hit phase 12 -- the normal interactive session. The other 11 are fast-path exits for specialized modes.
Layer 2: The Tool Execution Pipeline
Every action Claude takes goes through a tool. The execution follows a strict pipeline with hooks at both ends:
Hook Protocol Details (From Source)
Hooks receive context via both stdin (JSON) and environment variables:
HOOK_EVENT = PreToolUse | PostToolUse
HOOK_TOOL_NAME = BashTool | FileEditTool | ...
HOOK_TOOL_INPUT = the raw input string
HOOK_TOOL_IS_ERROR = true | false (PostToolUse only)
HOOK_TOOL_OUTPUT = tool output (PostToolUse only)
Exit code protocol: 0 = allow, 2 = deny, anything else = warn. Hook stdout is captured and merged into the tool result that the model sees.
BashTool: The Most Complex Tool (20 Files)
BashTool is not just "run a shell command." Its internal structure:
AgentTool: Subagent Architecture (20 Files)
Six built-in agents with isolated memory contexts:
Layer 3: MCP Integration -- 6 Transport Types
Every external connection goes through the Model Context Protocol:
Configuration is scoped by source (User > Project > Local) and merged in priority order.
Layer 4: Memory System and System Prompt Assembly
Memory Architecture
CLAUDE.md has a 12,000-character total budget with a 4,000-character per-file limit. Files are deduplicated by content hash.
System Prompt Assembly Order
The __SYSTEM_PROMPT_DYNAMIC_BOUNDARY__ is a literal string marker for prompt caching -- everything above it is static and cacheable across sessions, everything below changes per session.
The per-tool prompt.ts fragments (step 8) mean the system prompt is not one monolithic text but assembled from dozens of small modules. Each tool contributes its own instructions.
The Hidden Features -- 17 Feature Flags (Validated)
All findings validated against the actual TypeScript source at sanbuphy/claude-code-source-code:
KAIROS: The Autonomous Daemon (234 References)
KAIROS (Ancient Greek for "at the right time") is the most deeply integrated unreleased feature. It includes:
- Background Sessions -- Claude runs continuously as a daemon, monitoring your codebase
- DreamTask -- a real memory consolidation subagent found in
src/tasks/DreamTask/DreamTask.tsthat runs during idle periods with 4 phases: orient, gather, consolidate, prune - Watch Mode -- monitors file changes and proactively identifies issues
- GitHub Webhooks (
KAIROS_GITHUB_WEBHOOKS) -- responds to GitHub events in real-time - Background Session Management --
psto list sessions,--bgto attach
The DreamTask source reveals it tracks which files were touched, displays a live turn log, and has an abort controller for cancellation. It is production-quality code behind a flag.
Buddy System: 18 Species with ASCII Art (6 Modules)
The most surprising detail: prompt.ts means the buddy is narratively present to the model, not just a UI decoration. The companion contributes text to Claude's system prompt, giving it awareness of the pet.
Each species has 3 animation frames (5 lines tall, 12 chars wide) for idle fidget animations. The companion is generated deterministically using a seeded PRNG (Mulberry32) based on a hash of your username.
Undercover Mode (Validated in src/utils/undercover.ts)
From the source comments:
When active, Claude Code adds safety instructions to commit/PR prompts and strips all attribution to avoid leaking internal model codenames, project names, or other Anthropic-internal information. The model is not told what model it is.
Activation rules:
CLAUDE_CODE_UNDERCOVER=1forces it ON- Otherwise AUTO: active unless the repo remote matches an internal allowlist
- There is NO force-OFF -- safe default is ON
- All code paths are gated on
process.env.USER_TYPE === 'ant'(Anthropic employees) - The bundler dead-code-eliminates these branches from external builds
This confirms Anthropic uses Claude Code internally for open-source contributions with stealth tooling.
Skills, Plugins, and Extensibility
Skills Engine (20 Bundled)
Notable bundled skills include:
- skillify.ts -- a meta-skill that creates new skills from natural language descriptions
- scheduleRemoteAgents.ts -- schedules sub-agents to run remotely (connects to daemon system)
- mcpSkillBuilders.ts -- auto-generates skills from MCP server capabilities
- batch.ts -- parallel execution across multiple agents
- remember.ts -- explicit memory storage
Plugin Marketplace (14 React Components)
Plugins can provide hooks, tools, commands, and MCP server configurations. The full marketplace UI suggests a public plugin ecosystem is imminent.
Additional Architecture Details
Bridge System (31 Modules)
A full IDE integration layer using polling-based messaging with JWT authentication. Supports VS Code, JetBrains, and other editors through replBridge.ts, bridgeMessaging.ts, and bridgePermissionCallbacks.ts.
Native TypeScript Implementations
Claude Code ships its own reimplementations of normally-C-bound libraries to avoid native addon dependencies:
- Yoga layout engine -- the Flexbox engine used by Ink
- File indexing -- custom file index for codebase search
- Color diffing -- for syntax highlighting diffs
Service Ecosystem (130 Modules)
- MagicDocs -- AI-powered documentation generation with its own prompt system
- PromptSuggestion with
speculation.ts-- predicts what you want to ask next - AgentSummary -- generates reports on agent activity
- Analytics -- GrowthBook feature flag integration with remote killswitches
The Irony
Claude Code includes PreToolUse hooks that scan for accidentally exposed secrets. The tool has built-in guardrails specifically designed to prevent leaking sensitive data.
But nobody hooked the npm publish pipeline.
A 59.8 MB .map file shipped because someone forgot .npmignore. Anthropic confirmed it was "a release packaging issue caused by human error."
The guardrails you build are only as good as the surface area they cover.
What This Means for Builders
-
Hooks are not optional. The internal architecture treats them as a core safety layer with a strict exit-code protocol. If you are not running hooks, you are skipping guardrails Anthropic uses internally.
-
MCP is the universal integration layer. Six transport types, scoped configuration, OAuth support. Building custom MCP servers is the intended extension path.
-
CLAUDE.md has a 12,000-character budget. The system walks your entire directory tree. Use it wisely -- architecture decisions, conventions, file protection rules.
-
Every tool contributes to the system prompt. Per-tool
prompt.tsfragments mean the prompt is assembled from dozens of modules, not one text blob. -
The agent architecture is designed for parallelism.
forkSubagent.tswith isolated memory contexts makes subagents first-class citizens. -
KAIROS is deeply integrated (234 references). When this ships, developers who already understand hooks, MCP, and memory will be ready. Everyone else starts from zero.
-
The plugin marketplace has 14 UI components. A public ecosystem is coming.
Analysis by Sidharth Satapathy. All claims validated against the actual TypeScript source. I build AI-powered dev tooling with a Claude Code setup running 7 MCP servers, custom hooks, and persistent memory. Follow @satapathy9 for more.