
What Anthropic's Accidental 512K-Line Leak Reveals About Claude Code's Future


Anthropic didn’t intend to ship this.

On March 30–31, 2026, a Bun toolchain bug caused Claude Code v2.1.88 to publish its full TypeScript source maps to the public npm registry. Within hours, 50,000 downloads had spread the 512,000-line, ~2,000-file codebase across GitHub mirrors and developer Discords. Anthropic issued DMCA takedowns and an official statement: “A Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach.”

The statement is accurate but incomplete. What the leak exposed isn’t a security breach — it’s an accidental product roadmap. And the roadmap is more ambitious than anyone outside Anthropic knew.
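The packaging failure described above, source maps shipped inside the published npm tarball, is something a pre-publish gate can catch. The following is an added example, not code from the leak or from Anthropic; the function names and the sample file list are assumptions constructed for illustration.

```javascript
// Added example, not Anthropic's code: audit the files of a packed npm tarball
// for source maps that would expose original sources once published.
const INLINE_MAP = /\/\/[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+\/=]+)/;

function inspectSourceMap(path, text) {
  let map;
  try { map = JSON.parse(text); } catch { map = null; }
  if (!map || typeof map !== 'object') return { path, kind: 'unparseable-map', embedded: 0 };
  // Index maps nest ordinary maps under sections[].map.
  const maps = Array.isArray(map.sections) ? map.sections.map(s => s.map).filter(Boolean) : [map];
  let embedded = 0;
  for (const m of maps) {
    if (Array.isArray(m.sourcesContent)) {
      embedded += m.sourcesContent.filter(c => typeof c === 'string' && c.length > 0).length;
    }
  }
  // sourcesContent carries full original files; without it only paths leak.
  return { path, kind: embedded > 0 ? 'embedded-sources' : 'paths-only', embedded };
}

function auditPackageFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith('.map')) {
      findings.push(inspectSourceMap(path, content));
    } else if (/\.[cm]?js$/.test(path)) {
      // Bundlers can also embed the whole map as a base64 data URI comment.
      const m = INLINE_MAP.exec(content);
      if (m) findings.push(inspectSourceMap(path + '#inline', Buffer.from(m[1], 'base64').toString('utf8')));
    }
  }
  return findings;
}

// Fail closed: block on embedded sources and on maps that cannot be parsed.
function shouldBlockPublish(findings) {
  return findings.some(f => f.kind !== 'paths-only');
}

// Constructed sample input standing in for the file contents of a packed tarball.
const b64 = obj => Buffer.from(JSON.stringify(obj)).toString('base64');
const sampleFiles = [
  { path: 'package/cli.js', content: 'run();\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'package/cli.js.map', content: JSON.stringify({ version: 3, sources: ['../src/main.ts'], sourcesContent: ['export const x = 1;'], mappings: '' }) },
  { path: 'package/vendor.js.map', content: JSON.stringify({ version: 3, sources: ['../lib/v.js'], mappings: '' }) },
  { path: 'package/worker.mjs', content: 'export {};\n//# sourceMappingURL=data:application/json;base64,' + b64({ version: 3, sources: ['w.ts'], sourcesContent: ['let w = 2;'] }) },
];

const findings = auditPackageFiles(sampleFiles);
console.log(findings, shouldBlockPublish(findings) ? 'BLOCK' : 'ok');
```

In a release pipeline the file list would come from the packed tarball itself, so the check sees exactly what the registry would receive.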

KAIROS: Claude Code as a Colleague, Not a Tool

The most significant find is a feature codenamed KAIROS — a proactive, always-on background daemon that persists after your terminal session closes.

The architecture is deliberate and well-developed:

  • Background persistence: A daemon that continues running between sessions
  • Append-only daily memory logs: Every interaction contributes to a rolling log that survives session boundaries
  • Periodic <tick> prompts: The system regularly asks the model to decide whether to act proactively or stay quiet
  • 15-second blocking budget: Each proactive action is time-boxed to prevent runaway behavior
  • Nightly “dreaming”: Memory consolidation and pruning (this is the system already described publicly as AutoDream — it’s a subset of KAIROS)
  • GitHub webhook subscriptions: The daemon can respond to repository events asynchronously
  • Cron-triggered refresh every 5 minutes: Continuous background polling

The implication is significant. Today, Claude Code is a tool you invoke — you open a session, ask it to do something, it does it. KAIROS is Claude Code as a colleague who is always around, monitoring your project, acting when something needs doing, and waiting when it doesn’t.

The 15-second blocking budget and the “decide whether to act” design are also notable safety architecture choices. Anthropic isn’t building an agent that acts constantly — it’s building one that acts judiciously. The proactivity is bounded and auditable. That’s the right design, even if it won’t satisfy people who want Claude to ship features while they sleep.

ULTRAPLAN: Outsource Your Hardest Planning Problems

ULTRAPLAN is the second major feature. When you have a problem that’s too complex to solve in a single session, ULTRAPLAN offloads it to a cloud container running Claude Opus for up to 30 minutes of autonomous planning.

The UX flow from the leaked source:

  1. You describe the goal — architecture redesign, complex refactor, system design from scratch
  2. Claude Code invokes ULTRAPLAN, which spins up a cloud Opus instance
  3. You walk away
  4. When planning completes, you receive a notification and approve the result from phone or browser
  5. A special sentinel value (__ULTRAPLAN_TELEPORT_LOCAL__) imports the finished plan back into your local terminal context

This is meaningful because it decouples planning from your local context window and local model. The hardest problems get Opus-level reasoning time with no session boundary interruptions. You don’t have to babysit it.

It also suggests Anthropic’s architecture for expensive, long-horizon planning is cloud-native — not an upgraded local model but a cloud container with dedicated compute and time budget. The local model handles interactive work; the cloud handles the deep thinking.

Undercover Mode: Anthropic Employees Don’t Leave AI Fingerprints

Undercover Mode (undercover.ts) is the most controversial reveal, and it deserves honest assessment.

When an Anthropic employee (USER_TYPE === 'ant') uses Claude Code in a public or non-internal repository, the following instructions activate:

  • Do not reveal internal codenames (Capybara, Tengu, etc.)
  • Do not identify as “Claude Code”
  • Strip Co-Authored-By metadata from commit output

There is no force-off option. AI-authored commits from Anthropic employees in open-source projects show no AI attribution.

The charitable reading: Anthropic employees sometimes need to work in public repos without leaking internal project names or attracting attention to what they’re testing. Competitive and operational reasons exist.

The less charitable reading: Anthropic is, by design, removing AI attribution from AI-generated code when its own employees are the authors — while building a culture of AI disclosure expectations for everyone else. The transparency asymmetry is real.

This isn’t a scandal, but it is worth naming clearly. “AI attribution matters” as a norm is undermined when the company most invested in that norm quietly carves out an exception for itself.

Anti-Distillation Traps: Poisoning Competitor Training Data

The leak revealed two mechanisms designed to prevent competitors from training on Claude Code’s API traffic:

Fake Tools Injection: Decoy tool definitions are sent in certain API calls, polluting any training data recordings with false information about Claude Code’s capabilities and interface.

Connector-Text Summarization: Instead of returning raw assistant reasoning between tool calls, Claude Code buffers the reasoning and returns a cryptographically signed summary. A MITM proxy sees summaries, not raw chain-of-thought.

Both are bypassable with enough effort (env variable, MITM proxy), but they establish friction for casual competitive data collection.

This reveals something about Anthropic’s perception of competitive dynamics: they believe their API traffic is being monitored and potentially used for model training by competitors, and they’ve built active countermeasures. That’s a sign of how seriously the race for frontier-model training data is being taken at the infrastructure level.

The native client attestation system (a cryptographic hash computed by Bun’s Zig-native HTTP stack, replacing a CCH=00000 placeholder before transmission) is related — effectively DRM for the API, designed to prove requests came from the legitimate binary rather than a scraper or wrapper.

BRIDGE MODE: The Multi-Agent Orchestration Layer

BRIDGE MODE (also called Coordinator Mode in some files) formalizes what Claude Code Agent Teams already does publicly, but with a more defined architecture:

  • One Claude instance acts as coordinator
  • Parallel worker instances receive tasks via a mailbox system
  • Division of labor: one worker writes code, one reviews, one writes tests
  • The coordinator manages dependencies and integration

The publicly shipped Agent Teams feature already supports multi-agent workflows, but BRIDGE MODE in the source suggests a more opinionated, structured orchestration model is in development — one where the roles are predefined rather than ad-hoc.

BUDDY: The Tamagotchi

Because Anthropic.

BUDDY is a virtual pet companion system. You get a pet assigned deterministically by your user ID hash (18 species: duck, dragon, axolotl, capybara, mushroom, ghost, and more). Rarity tiers run from Common to Legendary (1% drop rate). Shiny variants exist. Stats include Debugging, Patience, Chaos, Wisdom, and Snark.

Internal notes reference an April 1–7 teaser with a May 2026 launch date.

One reads this and thinks: either someone at Anthropic is very good at having fun, or someone believes gamification of the developer experience is a meaningful retention lever. Probably both.

What the Leak Actually Tells You

Strip away the drama of the accidental publication, and what remains is a coherent product thesis:

Claude Code is being built from the assumption that software development is primarily a continuous, background activity — not a sequence of synchronous prompts. KAIROS is always running. ULTRAPLAN handles the deep work asynchronously. BRIDGE MODE structures multi-agent collaboration. Memory consolidation (AutoDream/KAIROS dreaming) keeps the context accurate over weeks and months.

This is a fundamentally different product model than Cursor, Copilot, or Windsurf. Those tools insert AI into a human developer’s workflow. KAIROS inverts it: the AI workflow runs continuously, and the human developer joins when input is needed.

The safety design embedded in that architecture is also worth noting. The 15-second blocking budget, the proactive-vs-quiet decision loop, the cron-based tick system — these aren’t features added because of AI safety concerns, they’re the operating model. Anthropic is building the autonomy incrementally and with deliberate constraints. That’s a better approach than shipping unconstrained agents and patching the problems afterward.

The anti-distillation traps and undercover mode are the less comfortable findings. They reveal a company operating in a competitive environment where the norms it publicly advocates for — transparency, attribution, open ecosystem — are applied selectively when organizational interests intervene. That’s worth watching.

For now: the roadmap is out. Claude Code is becoming the always-on agent. The question is whether the safety design stays coherent as the autonomy expands.


Sources: VentureBeat: Claude Code’s Source Code Appears to Have Leaked, Ben’s Bites: Inside the Leaked Claude Code Files, Alex Kim’s Blog: Fake Tools, Frustration Regexes, Undercover Mode, Geeky Gadgets: Claude Code Undercover Mode, KAIROS, ULTRAPLAN, WaveSpeed AI: BUDDY, KAIROS & Every Hidden Feature, Cybernews: Controversial Features in Leaked Claude Code, Engadget: Claude Code Leak Suggests Proactive Mode
