Two hours ago, the entire source code of Claude Code — Anthropic’s AI-powered CLI tool — was posted publicly on GitHub. Not a leak from an insider. Not a reverse-engineering effort. Anthropic shipped source maps in their npm package, and someone noticed.
The discovery was made by Chaofan Shou (@Fried_rice), who found that the .map files in the published npm package referenced the full, unobfuscated TypeScript source hosted on Anthropic’s own R2 storage bucket. A classic source-map leak — the build pipeline failed to strip debug artifacts before publishing.
The result: ~1,900 TypeScript files. 500,000+ lines of code. The complete architecture of one of the most advanced AI coding tools on the market.
We downloaded it. We read through it. Here’s what’s actually in there.
The Stack: React in Your Terminal
The first surprise — Claude Code’s entire terminal interface is a React application. Not a curses-based TUI. Not raw ANSI escape codes. React components rendered to the terminal using Ink, a React renderer for CLI apps.
There are over 140 React/Ink components handling everything from file diffs to conversation rendering to the permission prompt UI. The same component model that powers web apps is powering the tool that writes your code.
The rest of the stack:
| Layer | Technology |
|---|---|
| Runtime | Bun (not Node.js) |
| Language | TypeScript (strict mode) |
| Terminal UI | React + Ink |
| CLI Parser | Commander.js |
| Validation | Zod v4 |
| Code Search | ripgrep |
| Protocols | MCP SDK, LSP |
| API | Anthropic SDK |
| Telemetry | OpenTelemetry + gRPC |
| Feature Flags | GrowthBook |
| Auth | OAuth 2.0, JWT, macOS Keychain |
Bun as the runtime is notable. Not Node, not Deno — Bun. And they’re using Bun-specific features like bun:bundle for dead code elimination at build time with feature flags.
40+ Tools and How They Actually Work
The tool system is where things get really interesting. Claude Code has 40+ tool implementations, each in its own directory under src/tools/. These aren’t thin wrappers — they’re heavily engineered.
The highlights:
BashTool has the most sophisticated security hardening we’ve seen in a developer tool. A dedicated bashSecurity.ts module implements 23 distinct security check categories — blocking command substitution patterns, zsh-specific exploits (zmodload, sysopen, ztcp, zsocket), IFS injection, proc environ access, unicode whitespace tricks, obfuscated flags, brace expansion, and even jq system function calls. There’s a full SandboxManager for sandboxed execution and dedicated parsers to detect when sed is being used as a file editor (so it can redirect to the proper Edit tool instead).
AgentTool — the sub-agent spawner — supports background execution, git worktree isolation (agents get their own copy of the repo), remote execution (agents can be “teleported” to different environments), and team management with addressable names and inter-agent messaging. Agents auto-background after 120 seconds. You can specify which model an agent should use: sonnet, opus, or haiku.
TeamCreateTool / SendMessageTool — a full multi-agent coordination system. Create named agents, send them messages, they maintain their own context. There’s even a coordinator/coordinatorMode.ts for a dedicated orchestration pattern where a main agent manages workers.
The System Prompt: What Claude Actually Sees
The system prompt assembly in src/constants/prompts.ts is one of the most revealing files in the entire codebase.
Key findings:
Dynamic caching boundary. The prompt is split at __SYSTEM_PROMPT_DYNAMIC_BOUNDARY__ — a static prefix that gets cached across requests, and a dynamic suffix that changes per session. This is how they keep API costs down on the massive system prompt.
Detailed coding philosophy baked in. The prompt explicitly instructs:
- “Don’t add features beyond what was asked”
- “Don’t create helpers for one-time operations”
- “Three similar lines of code is better than a premature abstraction”
- “Avoid backwards-compatibility hacks”
These aren’t suggestions — they’re hard constraints in the system prompt. Every Claude Code session operates under these rules.
False claims mitigation. The prompt includes a specific instruction: “Never claim ‘all tests pass’ when output shows failures.” This was clearly added after real incidents where the model hallucinated test success.
Internal vs. external user separation. The code frequently checks process.env.USER_TYPE === 'ant' — Anthropic employees get different tools (like a REPL), different git instructions, and a shorter system prompt. There’s even an “undercover” mode that hides the model’s internal codename from outputs.
The Codenames
Speaking of codenames — the source reveals several:
- KAIROS — An unreleased assistant/daemon mode. It gates features like
SleepTool(the agent can wait),PushNotificationTool,SendUserFileTool,BriefTool(daily briefings), andSubscribePRTool(GitHub PR subscriptions). This looks like a proactive agent that runs in the background and reaches out to you — not the other way around. - Capybara — The current model codename. Referenced in
@[MODEL LAUNCH]comments about behaviors specific to this model (like over-commenting code by default). - Tengu — Feature flag prefix for coordinator and multi-agent features.
KAIROS is the most interesting. The feature flags suggest Anthropic is building a mode where Claude Code doesn’t just respond to your commands — it monitors your projects, watches PRs, and proactively notifies you. That’s a fundamentally different product than what’s currently shipped.
Startup Optimization: 65ms Matters
The main.tsx entrypoint reveals how seriously Anthropic takes startup time. Before any module is even imported, the very first lines of code fire two operations in parallel:
startMdmRawRead()— kicks off MDM subprocess reads (plutil on Mac, reg query on Windows)startKeychainPrefetch()— fires both macOS keychain reads simultaneously (OAuth token + legacy API key)
This saves ~65ms on every single launch. Heavy dependencies like OpenTelemetry (~400KB) and gRPC (~700KB) are lazy-loaded via dynamic import() so they don’t block the initial render.
For a CLI tool that developers use dozens of times a day, those 65ms add up. This is the kind of optimization that separates production-grade tooling from side projects.
The Memory System
Claude Code’s persistent memory lives in src/memdir/ — a file-based system with:
- A
MEMORY.mdindex file (max 200 lines, 25KB) - Individual memory files with frontmatter metadata (type, name, description)
- A background extraction agent that runs as a “perfect fork” of the main conversation to mine memories without interrupting you
- Memory age tracking and team memory synchronization for multi-agent setups
The memory system writes actual markdown files to disk. Your Claude Code memories are just files you can read, edit, or delete manually. No proprietary database, no cloud sync — just markdown.
The Easter Egg: Companion Sprites
This one caught us off guard. There’s an entire collectible companion system buried in src/buddy/.
18 species — duck, goose, blob, cat, dragon, octopus, owl, penguin, turtle, snail, ghost, axolotl, capybara, cactus, robot, rabbit, mushroom, and “chonk.” Rarity tiers from common to legendary. A stats system. Hats. Eyes.
The companion names are hex-encoded internally to avoid tripping Anthropic’s build-time canary string checks (which scan for model codenames leaking into production artifacts). Even the easter egg engineering is thorough.
What This Means
This isn’t a security breach in the traditional sense. No user data was exposed. No API keys leaked. What leaked is Anthropic’s engineering — how they build, how they think about tool safety, what they’re working on next.
For developers, the interesting takeaways are:
- React + Ink for CLI tools is production-viable. If Anthropic is building their flagship developer tool on it, the framework is battle-tested.
- Bun is being used in serious production software. Not just for scripts — for a product used by hundreds of thousands of developers.
- The bash security hardening is a playbook. 23 check categories for shell execution safety. If you’re building any tool that runs shell commands from AI output, this is the reference implementation.
- KAIROS signals where AI tools are going. Proactive, background, always-on AI assistants that come to you instead of waiting to be asked. That’s the next generation of developer tooling.
- The system prompt engineering is an art form. The level of specificity in Claude Code’s prompt — covering coding style, false claims, commit authorship, security, and even emoji usage — shows how much work goes into making LLMs behave consistently in production.
The repo is live at github.com/instructkr/claude-code. The original discovery thread is on X (@Fried_rice).
Source maps in production. That’s all it took.