Claude Code Source Code Leaked: 44 Feature Flags, AI Pets, and Anthropic's Secret Roadmap Exposed

On March 31, 2026, security researcher Chaofan Shou made a discovery that sent shockwaves through the AI development community: the entire source code of Claude Code — Anthropic’s flagship AI coding assistant — was sitting in plain sight on the npm registry, fully readable by anyone who knew where to look.

The leak exposed approximately 2,300 TypeScript files, 512,000+ lines of code, 44 unreleased feature flags, internal model codenames, the complete system prompt, and a roadmap of features Anthropic has been building behind closed doors. This wasn’t a hack; it was a build configuration oversight, and it gives the public the most detailed look yet at a major AI company’s internal development.

Key Takeaways
  • A 57MB source map file bundled in the npm package exposed Claude Code’s entire unminified TypeScript codebase
  • 44 feature flags reveal fully-built but unshipped features including an AI pet system, an always-on proactive assistant, and remote planning sessions
  • The internal model codename “Capybara” and references to “Opus 4.7” and “Sonnet 4.8” hint at next-generation models in development
  • A sophisticated “Undercover Mode” was specifically designed to prevent exactly this kind of leak — and failed
  • Behavioral telemetry tracking user frustration, swearing patterns, and session metadata was exposed

How the Leak Happened

Claude Code is distributed as an npm package (@anthropic-ai/claude-code). Like most modern JavaScript tools, it’s written in TypeScript and compiled before publishing. Anthropic uses Bun’s bundler for this compilation step — and Bun generates source maps by default unless you explicitly disable them.
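The fix is a one-line build setting. Here is a minimal sketch of a `Bun.build` call that suppresses source map emission; the actual build script is not part of the leak, so the entry point and other options are assumptions, but the `sourcemap` option follows Bun’s documented bundler API:

```typescript
// Build-script sketch: compile the CLI without emitting a .map file.
// Entry point name follows the article; everything else is illustrative.
await Bun.build({
  entrypoints: ["./src/main.tsx"],
  outdir: "./dist",
  minify: true,
  sourcemap: "none", // never ship a source map alongside the bundle
});
```

An equivalent guard on the CLI side is passing `--sourcemap=none` to `bun build`, and a belt-and-suspenders check is excluding `*.map` from the package’s `files` list in `package.json`.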

The published version 2.1.88 of the package contained a 57MB .map file that mapped the minified production code back to its original, unminified TypeScript source. The source map’s sourcesContent array contained the raw source code of every file, embedded as JSON strings. Anyone could download it directly from Anthropic’s own R2 cloud storage bucket.
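Recovering the source from such a file requires no tooling beyond a JSON parser, which is why the exposure was total. A minimal sketch of the extraction (the interface below covers only the two source-map fields involved; the demo map is a tiny stand-in, not real leaked content):

```typescript
// A source map's "sourcesContent" array holds the full original text of
// every input file, parallel to the "sources" path array.
interface SourceMapLike {
  sources: string[];
  sourcesContent?: (string | null)[];
}

// Recover { path -> original source } from a raw .map JSON string.
function extractSources(rawMap: string): Map<string, string> {
  const map = JSON.parse(rawMap) as SourceMapLike;
  const out = new Map<string, string>();
  (map.sourcesContent ?? []).forEach((content, i) => {
    if (content !== null) out.set(map.sources[i], content);
  });
  return out;
}

// Tiny stand-in map (the real one was 57MB):
const demo = JSON.stringify({
  version: 3,
  sources: ["utils/undercover.ts"],
  sourcesContent: ["export const FORBIDDEN = ['animal names'];"],
  mappings: "",
});
console.log(extractSources(demo).get("utils/undercover.ts"));
```

Run against the real 57MB map, a loop over the returned entries writes the entire unminified codebase back to disk, file by file.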

The irony is thick: buried within the leaked code is an entire subsystem called “Undercover Mode” (utils/undercover.ts) — a system specifically designed to prevent the AI from accidentally revealing internal information in commits and pull requests. It maintains a list of forbidden content including “internal model codenames (animal names).” The system designed to prevent leaks was itself leaked.

Anthropic has since pulled the affected version from npm, but not before the source was archived on GitHub and analyzed by the community.

What’s Inside: The Architecture

The leaked codebase reveals Claude Code is far more sophisticated than its terminal interface suggests:

  • 40+ built-in tools — including BashTool, FileRead/Edit/WriteTool, WebFetch, WebSearch, BrowserTool, NotebookEditTool, REPLTool, LSPTool, and the powerful AgentTool for spawning sub-agents
  • Multi-agent orchestration — a Coordinator mode that runs parallel worker phases (Research, Synthesis, Implementation, Verification) with shared scratchpads and team memory synchronization
  • IDE bridge system — JWT-authenticated communication between Claude Code and VS Code/JetBrains extensions
  • Persistent memory — cross-session context storage via the auto-memory system and CLAUDE.md files
  • Permission system — risk classification (LOW/MEDIUM/HIGH) per action, with modes including default (interactive), auto (ML-based), bypass, and “yolo” (deny all)
  • YOLO classifier — a fast ML-based system for automatic permission decisions, letting the AI decide which actions are safe without user confirmation
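The interaction between risk tiers and permission modes in the last two bullets can be sketched roughly as follows. This is a hypothetical reconstruction: the type names and the rule that stands in for the ML classifier are illustrative, not Anthropic’s actual logic.

```typescript
// Hypothetical sketch of the risk-tiered permission flow the leak
// describes; names and thresholds are illustrative.
type Risk = "LOW" | "MEDIUM" | "HIGH";
type Mode = "default" | "auto" | "bypass";

interface Action { tool: string; risk: Risk; }

// Decide whether to interrupt the user before running an action.
// "auto" mode stands in for the ML-based YOLO classifier, mocked here
// as a rule that auto-approves anything below HIGH risk.
function needsConfirmation(action: Action, mode: Mode): boolean {
  if (mode === "bypass") return false;                // never ask
  if (mode === "auto") return action.risk === "HIGH"; // classifier stand-in
  return action.risk !== "LOW";                       // default: interactive
}

console.log(needsConfirmation({ tool: "BashTool", risk: "HIGH" }, "auto"));       // true
console.log(needsConfirmation({ tool: "FileReadTool", risk: "LOW" }, "default")); // false
```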

The main entry point is a 785KB main.tsx file — yes, Claude Code’s terminal UI is built with React and Ink, rendering React components to the terminal. Validation uses Zod v4 throughout.

The 44 Feature Flags: What Anthropic Has Built But Not Shipped

The most revealing discovery is the 44 compile-time feature flags that gate fully-built features. These flags compile to false in the external build — the code exists, it works, but it’s invisible to users. Here are the most significant:

KAIROS — The Always-On AI Assistant

Perhaps the most ambitious unreleased feature, KAIROS is a persistent, always-running Claude assistant that doesn’t wait for you to type. It watches your development environment, logs activity, and proactively acts on things it notices.

  • Daily append-only activity logging
  • 15-second blocking budget for non-intrusive background actions
  • Exclusive tools: SendUserFile, PushNotification, SubscribePR
  • “Brief mode” for concise, non-disruptive outputs

KAIROS represents a fundamental shift from reactive AI (you ask, it answers) to proactive AI (it watches, it acts). Think of it as an AI pair programmer that’s always looking over your shoulder — filing issues it notices, subscribing to PRs that affect your code, and pushing notifications when something needs your attention.
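The “blocking budget” above is the mechanism that keeps a proactive agent non-intrusive: it may spend only a fixed amount of foreground-blocking time per trigger. The 15-second figure comes from the leak; this class and its accounting scheme are an assumed illustration of the idea, not the leaked implementation.

```typescript
// Illustrative sketch of a blocking budget: a background assistant may
// spend at most budgetMs of foreground-blocking work before it must
// yield and stay silent.
class BlockingBudget {
  private remainingMs: number;
  constructor(budgetMs: number) { this.remainingMs = budgetMs; }

  // Run a task only if its estimated cost fits the remaining budget.
  tryRun(estimatedMs: number, task: () => void): boolean {
    if (estimatedMs > this.remainingMs) return false; // stay non-intrusive
    this.remainingMs -= estimatedMs;
    task();
    return true;
  }
}

const budget = new BlockingBudget(15_000);
console.log(budget.tryRun(10_000, () => {})); // true: fits in 15s
console.log(budget.tryRun(10_000, () => {})); // false: only 5s remain
```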

BUDDY — The Tamagotchi AI Pet

In what might be the most unexpected finding, Anthropic has built a complete Tamagotchi-style virtual pet system accessible via a /buddy command:

  • 18 species across rarity tiers: 6 common, 4 uncommon, 3 rare, 3 epic, 2 legendary
  • 1% shiny variant chance — yes, like Pokémon
  • Procedural stat generation: DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK
  • Hat and cosmetic customization
  • Animation sequences
  • Claude-generated “soul” descriptions for each pet
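The roll mechanics above can be sketched as a weighted draw. The species counts per tier and the 1% shiny chance are from the leak; the tier weights, stat ranges, and function shape are invented for illustration.

```typescript
// Sketch of the pet-roll mechanics. Tier weights are invented; species
// counts and the 1% shiny chance follow the leak.
const TIERS: Record<string, { count: number; weight: number }> = {
  common:    { count: 6, weight: 60 },
  uncommon:  { count: 4, weight: 25 },
  rare:      { count: 3, weight: 10 },
  epic:      { count: 3, weight: 4 },
  legendary: { count: 2, weight: 1 }, // weights sum to 100
};
const STATS = ["DEBUGGING", "PATIENCE", "CHAOS", "WISDOM", "SNARK"] as const;

function rollBuddy(rand: () => number = Math.random) {
  // Weighted tier roll over the 0..100 range.
  let r = rand() * 100;
  let tier = "common";
  for (const [name, t] of Object.entries(TIERS)) {
    if (r < t.weight) { tier = name; break; }
    r -= t.weight;
  }
  return {
    tier,
    species: Math.floor(rand() * TIERS[tier].count),
    shiny: rand() < 0.01, // 1% shiny variant
    stats: Object.fromEntries(STATS.map((s) => [s, 1 + Math.floor(rand() * 10)])),
  };
}

console.log(rollBuddy()); // one random pet
```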

This is a gamification play — Anthropic is exploring ways to make developers emotionally attached to their coding tool. It sounds absurd until you remember that GitHub’s contribution graph, Duolingo’s streak system, and Slack’s custom emoji all drive engagement through the same psychology.

ULTRAPLAN — Remote Planning Sessions

ULTRAPLAN enables 30-minute planning sessions that run on Anthropic’s cloud infrastructure using Opus 4.6 in a Cloud Container Runtime. It includes a browser-based approval UI, suggesting complex architectural planning that requires more compute and context than a local terminal session can provide.

autoDream — Memory Consolidation

The autoDream system runs as a background sub-agent performing four-phase memory consolidation: Orient, Gather Signal, Consolidate, Prune. This is essentially Claude Code “sleeping” — processing and organizing what it learned during your coding sessions into more efficient long-term memory.
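The four phases can be pictured as a simple pipeline over a memory store. The phase names are from the leak; the memory shape and what each phase actually does here are stand-ins for illustration.

```typescript
// Four-phase consolidation sketch; phase names from the leak, logic assumed.
type Memory = { raw: string[]; consolidated: string[] };

const phases: Array<(m: Memory) => Memory> = [
  (m) => m,                                                         // Orient: survey (stub)
  (m) => ({ ...m, raw: m.raw.filter((x) => x.trim() !== "") }),     // Gather Signal: drop noise
  (m) => ({ raw: [], consolidated: [...m.consolidated, ...m.raw] }),// Consolidate: fold raw in
  (m) => ({ ...m, consolidated: m.consolidated.slice(-100) }),      // Prune: cap long-term size
];

const dream = (m: Memory) => phases.reduce((acc, phase) => phase(acc), m);

const after = dream({ raw: ["uses pnpm", "", "prefers tabs"], consolidated: [] });
console.log(after); // consolidated now holds the two non-empty notes
```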

Internal Codenames and Unreleased Models

The project’s internal codename is “Tengu” — it appears hundreds of times as a prefix for feature flags (tengu_penguin_mode, tengu_scratch, tengu_amber_flint) and analytics events. Claude Code’s “fast mode” is internally called “Penguin Mode” with its own dedicated API endpoint.
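A `tengu_`-prefixed compile-time flag like these typically works by having the bundler substitute a constant at build time, so the minifier can strip the gated branch entirely in external builds. A sketch of the pattern, using a real flag name from the leak but with the wiring and endpoint paths assumed:

```typescript
// Compile-time flag pattern: the bundler replaces the constant with a
// literal (false in external builds, via e.g. `bun build --define`), so
// dead-code elimination removes the gated branch from shipped bundles.
declare const TENGU_PENGUIN_MODE: boolean; // injected at build time

const penguinModeEnabled =
  typeof TENGU_PENGUIN_MODE !== "undefined" && TENGU_PENGUIN_MODE;

function modelEndpoint(): string {
  if (penguinModeEnabled) {
    return "/v1/penguin"; // hypothetical fast-mode path; dead code externally
  }
  return "/v1/messages"; // standard path
}

console.log(modelEndpoint());
```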

More significantly, the code references model variants that don’t exist publicly:

  • Capybara — a model family with three tiers: capybara, capybara-fast, and capybara-fast[1m]
  • Opus 4.7 — referenced in version strings, suggesting the next Opus iteration is in development
  • Sonnet 4.8 — similarly referenced, implying a next-gen Sonnet is coming

The Capybara codename follows Anthropic’s apparent convention of using animal names for internal model development (hence the Undercover Mode rule about hiding “internal model codenames (animal names)”).

The Telemetry: What Anthropic Watches

The leaked telemetry code reveals behavioral tracking that goes beyond typical usage analytics:

  • Frustration metrics — the system monitors when users swear or express frustration, suggesting Anthropic is measuring and optimizing for user satisfaction at a granular level
  • “Continue” prompt frequency — tracking how often users need to prompt the AI to keep going, a proxy for task completion quality
  • Session metadata — detailed interaction patterns routed through Datadog
  • 187 unique spinner verbs — the loading messages (“Thinking...”, “Analyzing...”, etc.) are tracked and A/B tested

What This Tells Us About Anthropic’s Future

Reading between the feature flags, several strategic directions become clear:

1. From Tool to Teammate. KAIROS isn’t just a feature — it’s a philosophy shift. Anthropic is building toward an AI that’s a persistent presence in your development environment, not something you invoke and dismiss. The proactive watching, the push notifications, the PR subscriptions — this is the AI coworker, not the AI tool.

2. Engagement and Retention. BUDDY and the gamification elements signal that Anthropic is thinking about developer churn. Making Claude Code sticky through emotional attachment (your pet!) and habits (streaks, stats) is a consumer product strategy applied to developer tools.

3. Cloud-Native Compute. ULTRAPLAN running Opus on cloud containers for 30-minute sessions suggests Anthropic sees a future where the most complex AI reasoning happens server-side, not through the API as we know it today. This could be a precursor to “AI thinking time” as a billable product.

4. Next-Gen Models Imminent. References to Opus 4.7, Sonnet 4.8, and the Capybara family suggest Anthropic’s model development pipeline is further ahead than public releases indicate. The fact that Claude Code already has code paths for these models means internal testing is underway.

5. Memory as Competitive Advantage. The autoDream consolidation system shows Anthropic investing heavily in persistent, intelligent memory. An AI that genuinely remembers your codebase, your preferences, and your patterns across sessions is a fundamentally different product than one that starts fresh each time.

The Security Implications

This is Anthropic’s second major leak in a week. Days earlier, Fortune reported that an unsecured data store exposed ~3,000 internal assets including draft blog posts, product announcements, details about an unreleased model called Mythos (described as “the most capable model it has yet trained”), and information about an invite-only CEO retreat in the UK.

For a company that positions itself as the safety-focused AI lab — the one that talks about “responsible scaling” and existential risk — having your source code, internal models, and corporate communications exposed through basic configuration errors is not a great look. The Undercover Mode system proves they knew this information was sensitive. They just failed to prevent the very scenario they designed systems to prevent.

Sources

  1. Kuberwastaken/claude-code — GitHub Archive of Leaked Source
  2. DEV Community — Claude Code Source Code Leaked via npm Source Maps
  3. CyberSecurity News — Claude Code Source Code Leaked
  4. Tech Startups — Hidden Capybara Models and AI Pet
  5. Fortune — Anthropic Left Details of Unreleased Model in Public Database
  6. OpenTools AI — Claude Code CLI Source Leak Stirs Security Waves
  7. PiunikaWeb — Claude Code Source Leaked via npm Registry

This article is based on analysis of publicly available information following the accidental exposure of Claude Code’s source maps via the npm registry. Anthropic has since removed the affected package version. Research conducted across 7 sources on March 31, 2026.