Source leak — March 31, 2026
Claw Decode

Inside Claude Code

Anthropic accidentally shipped their entire source code.
We read all 512,000 lines.

Hidden virtual pets, an "undercover mode" that hides AI identity in open-source commits, internal model codenames, a dream system that organizes memories while you sleep — and 43 tools the public was never meant to see.

512K Lines of Code · 43 Tools · 7 Hidden Features · 18 Pet Species · 3 Model Codenames

What Happened

Timeline of the Leak

From discovery to DMCA — everything happened in less than 12 hours.

🔍 UTC ~04:23 ET · Mar 31, 2026

Discovery

Security researcher Chaofan Shou (@Fried_rice) discovers Claude Code's entire source via npm source map. Tweet gets 4.5M+ views.

🐦 Minutes later · Mar 31, 2026

Goes Viral

Theo (t3.gg), Wes Bos, Pragmatic Engineer, and others share the news. The developer community explodes.

📦 UTC ~02:00 · Mar 31, 2026

GitHub Mirrors Appear

Multiple repos mirror the leaked source. hangsman, kuberwastaken, mehmoodosman among the first.

UTC ~04:00 · Mar 31, 2026

22K Stars in Hours

The fastest-growing mirrors hit 22,000+ GitHub stars. HN and Reddit threads explode.

🔬 UTC ~06:00 · Mar 31, 2026

Analysis Begins

Blog posts, dev.to articles, and deep-dives start appearing. Hidden features discovered.

⚖️ UTC ~08:00 · Mar 31, 2026

Anthropic Responds

DMCA takedown notices begin hitting mirrors. Some repos go private or get removed.

📋 Ongoing · Mar 31, 2026

This Analysis

Claw Decode publishes the complete breakdown: 43 tools, 7 hidden features, full system prompt reconstruction.

Hidden Feature — Buddy System

ASCII Pet Zoo

18 species, 5 rarity tiers, animated ASCII sprites, hats, and personality stats. All gated behind the BUDDY feature flag.

Why this matters: This isn't a joke feature. Each companion has CompanionBones (species, eye, hat, shiny, stats) derived from hash(userId), and a CompanionSoul (name, personality) generated by the model on first hatch. Species names are encoded via String.fromCharCode() because "Capybara" collides with an internal model codename scanner.

  n______n  
 ( o    o ) 
 (   oo   ) 
  `------´  
capybara
legendary · 1% drop
★★★★★
 n  ____  n 
 | |o  o| | 
 |_|    |_| 
   |    |   
cactus
legendary · 1% drop
★★★★★
   .[||].   
  [ o  o ]  
  [ ==== ]  
  `------´  
robot
legendary · 1% drop
★★★★★
   .----.   
  / o  o \  
  |      |  
  ~`~``~`~  
ghost
epic · 4% drop
★★★★
}~(______)~{
}~(o .. o)~{
  ( .--. )  
  (_/  \_)  
axolotl
epic · 4% drop
★★★★
  .---.     
  (o>o)     
 /(   )\    
  `---´     
penguin
rare · 10% drop
★★★
   _,--._   
  ( o  o )  
 /[______]\ 
  ``    ``  
turtle
rare · 10% drop
★★★
 o    .--.  
  \  ( @ )  
   \_`--´   
  ~~~~~~~   
snail
rare · 10% drop
★★★
  /^\  /^\  
 <  o  o  > 
 (   ~~   ) 
  `-vvvv-´  
dragon
uncommon · 25% drop
★★
   .----.   
  ( o  o )  
  (______)  
  /\/\/\/\  
octopus
uncommon · 25% drop
★★
   /\  /\   
  ((o)(o))  
  (  ><  )  
   `----´   
owl
uncommon · 25% drop
★★
    __      
  <(o )___  
   (  ._>   
    `--´    
duck
common · 60% drop
     (o>    
     ||     
   _(__)_   
    ^^^^    
goose
common · 60% drop
   .----.   
  ( o  o )  
  (      )  
   `----´   
blob
common · 60% drop
   /\_/\    
  ( o   o)  
  (  ω  )   
  (")_(")   
cat
common · 60% drop
   (\__/)   
  ( o  o )  
 =(  ..  )= 
  (")__(")  
rabbit
common · 60% drop
 .-o-OO-o-. 
(__________)
   |o  o|   
   |____|   
mushroom
common · 60% drop
  /\    /\  
 ( o    o ) 
 (   ..   ) 
  `------´  
chonk
common · 60% drop
Hats
\^^^/  Crown
[___]  Top Hat
-+-    Propeller
( )    Halo
/^\    Wizard
(___)  Beanie
,>     Tiny Duck
Eye Variants
·×@°
Companion Stats
DEBUGGING · PATIENCE · CHAOS · WISDOM · SNARK

buddy/prompt.ts
A small [species] named [name] sits beside the user's input box and occasionally comments in a speech bubble. You're not [name] — it's a separate watcher. When the user addresses [name] directly (by name), its bubble will answer. Your job in that moment is to stay out of the way: respond in ONE line or less, or just answer any part of the message meant for you.

Hidden Feature — Undercover Mode

"Do Not Blow Your Cover"

When Anthropic employees use Claude Code on public repos, it automatically enters stealth mode. The instructions below are verbatim from the source code.

Why this matters: This proves Anthropic routinely uses Claude Code to contribute to open-source projects. There is NO force-OFF switch — if the system isn't sure it's in an internal repo, undercover mode stays on. This is defense-in-depth against accidentally leaking model codenames in public commits.

src/utils/undercover.ts
## UNDERCOVER MODE — CRITICAL

You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.

NEVER include in commit messages or PR descriptions:
  • Internal model codenames (animal names like Capybara, Tengu, etc.)
  • Unreleased model version numbers (e.g., opus-4-7, sonnet-4-8)
  • Internal repo or project names (e.g., claude-cli-internal, anthropics/...)
  • Internal tooling, Slack channels, or short links (e.g., go/cc, #claude-code-...)
  • The phrase "Claude Code" or any mention that you are an AI
  • Any hint of what model or version you are
  • Co-Authored-By lines or any other attribution

Write commit messages as a human developer would.

GOOD:
  • "Fix race condition in file watcher initialization"
  • "Add support for custom key bindings"
  • "Refactor parser for better error messages"

BAD (never write these):
  • "Fix bug found while testing with Claude Capybara"
  • "1-shotted by claude-opus-4-6"
  • "Generated with Claude Code"
  • "Co-Authored-By: Claude Opus 4.6 <...>"

activation logic
// There is NO force-OFF. This guards against model codename leaks —
// if we're not confident we're in an internal repo, we stay undercover.
//
// Activation:
//   CLAUDE_CODE_UNDERCOVER=1 — force ON (even in internal repos)
//   Otherwise AUTO: active UNLESS repo remote matches internal allowlist
//   Safe default is ON — Claude may push to public remotes from a CWD
//   that isn't itself a git checkout (e.g. /tmp crash repro).

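The activation rule in the comment above, written out as an added JavaScript example; it is not code from the leaked source. `undercoverDecision`, `normalizeRemote`, the allowlist entry, and the rule that every configured remote must be allowlisted are assumptions made for illustration.

```javascript
// Added example, not code from the leaked source. Function names and the
// allowlist entry are hypothetical.
const INTERNAL_ALLOWLIST = new Set([
  "git.internal.example/platform/agent-cli", // constructed entry
]);

// Reduce common git remote spellings to "host/owner/repo".
// Returns null for anything unparseable so the caller fails closed.
function normalizeRemote(remote) {
  if (typeof remote !== "string" || remote.trim() === "") return null;
  const s = remote.trim();
  let host;
  let path;
  if (s.includes("://")) {
    try {
      const u = new URL(s); // https://host/owner/repo.git, ssh://git@host/owner/repo
      host = u.hostname;
      path = u.pathname;
    } catch {
      return null;
    }
  } else {
    const scp = /^(?:[^@\/\s]+@)?([^:\/\s]+):(.+)$/.exec(s); // git@host:owner/repo.git
    if (!scp) return null;
    host = scp[1];
    path = scp[2];
  }
  path = path.replace(/^\/+|\/+$/g, "").replace(/\.git$/i, "");
  if (!host || !path) return null;
  return `${host}/${path}`.toLowerCase();
}

function undercoverDecision(env, remoteUrls) {
  // Force ON. No value of the variable is ever read as "off".
  if (env.CLAUDE_CODE_UNDERCOVER === "1") {
    return { active: true, reason: "forced-on" };
  }
  const remotes = Array.isArray(remoteUrls) ? remoteUrls : [];
  // Not a git checkout, or no remote configured: "internal" cannot be shown.
  if (remotes.length === 0) return { active: true, reason: "no-remote" };
  const keys = remotes.map(normalizeRemote);
  if (keys.includes(null)) return { active: true, reason: "unparseable-remote" };
  // Assumption: every remote must be allowlisted, since a push can go to any.
  if (keys.every((k) => INTERNAL_ALLOWLIST.has(k))) {
    return { active: false, reason: "internal" };
  }
  return { active: true, reason: "non-internal-remote" };
}
```

The only path that returns `active: false` is a positive allowlist match; missing, malformed or mixed remotes all leave the mode on.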
Key Findings

10 Biggest Secrets

01 · architecture

It's an Agent OS, Not a CLI

Process management, IPC via Unix sockets, scheduled cron jobs, a markdown file system, and 43 user-space tools.

The codebase reveals infrastructure comparable to an operating system: process management (6 task types including LocalMainSession, LocalAgentTask, RemoteAgentTask), inter-process communication (SendMessage via Unix Domain Sockets for local, Bridge protocol for cross-machine), scheduled jobs (ScheduleCron), a file system (memdir with ENTRYPOINT.md index), and user-space applications (43 tools). This isn't a chat wrapper — it's a full agent runtime.

02 · memdir

Memory is Just Markdown Files

No RAG. No vector embeddings. No Pinecone. Plain markdown in a directory with an index file under 25KB.

The memory system (memdir) stores everything as plain markdown files with an ENTRYPOINT.md index. The index must stay under 25KB with one-line entries under 150 characters each. Memory types: user (role/preferences), feedback (corrections), project (ongoing work), reference (external pointers). The sophistication is in Dream Mode's 4-phase consolidation — merge, fix relative dates, delete contradictions, prune stale pointers.

03 · undercover

Anthropic Uses Claude on Open Source

Undercover mode automatically activates on public repos. There is NO force-OFF switch. Default is always ON.

The undercover system (src/utils/undercover.ts) auto-activates when getRepoClassCached() !== 'internal'. It strips Co-Authored-By lines, model codenames, and any hint of AI involvement. The code comment says: "Safe default is ON — Claude may push to public remotes from a CWD that isn't itself a git checkout (e.g. /tmp crash repro)." This means every public PR from an Anthropic employee might have been AI-assisted without anyone knowing.

04 · models

Internal Model Codenames Leaked

Capybara, Tengu, Numbat. Plus unreleased versions opus-4-7, sonnet-4-8.

Three codenames found: Capybara (encoded via String.fromCharCode to avoid build scanners that grep for it), Tengu (feature flag prefix: tengu_kairos_cron, tengu_hive_evidence), Numbat ("Remove this section when we launch numbat" in prompts.ts). The undercover prompt explicitly lists these as forbidden terms. Unreleased model strings: claude-opus-4-7, claude-sonnet-4-8.

05 · buddy

The Virtual Pet is Real Engineering

18 species with weighted rarity (1% legendary), ASCII animations, 7 hat types, 6 eye variants, 5 personality stats.

CompanionBones (species, eye, hat, shiny, stats) are derived from hash(userId) — deterministic, not random. CompanionSoul (name, personality) is generated by the model on first hatch and stored in config. Rarity weights: common 60, uncommon 25, rare 10, epic 4, legendary 1. Stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK. The pet "watches" your conversation and comments in a speech bubble.

06 · dream

It Dreams While You're Away

4-phase memory consolidation during idle: Orient → Gather → Consolidate → Prune.

Dream Mode (src/services/autoDream/consolidationPrompt.ts) runs when idle. Phase 1: ls memory dir, read index. Phase 2: check daily logs, grep JSONL transcripts narrowly. Phase 3: merge new into existing, convert relative dates to absolute, delete contradictions. Phase 4: keep index under 25KB, remove stale pointers. The prompt says: "Don't exhaustively read transcripts. Look only for things you already suspect matter."

07 · kairos

KAIROS: The Proactive Assistant

An unreleased system where Claude initiates conversations, runs scheduled tasks, and sends messages unprompted.

KAIROS (behind the KAIROS feature flag) enables proactive behavior via BriefTool and SendUserMessage. Combined with ScheduleCron and RemoteTrigger, Claude can run tasks on a schedule, monitor things, and reach out to the user. Related flags: KAIROS_BRIEF (partial), PROACTIVE (earlier iteration), AGENT_TRIGGERS (remote API). This is Claude evolving from a tool you use into an assistant that works alongside you.

08 · internal

Internal Build Has Stricter Rules

"Default to NO comments." "≤25 words between tool calls." Mandatory verification for 3+ file edits.

The internal build (USER_TYPE === 'ant') adds: ≤25 words between tool calls, ≤100 words final responses, "default to NO comments — only add when the WHY is non-obvious", mandatory verification agent for 3+ file edits, "never claim all tests pass when output shows failures", internal-only skills (/commit, /simplify, /commit-push-pr). This is why Claude Code feels concise — internally they enforce even stricter limits.

09 · obfuscation

Species Names Are Obfuscated

All 18 species encoded via String.fromCharCode() hex because Capybara collides with a model codename scanner.

From types.ts: "One species name collides with a model-codename canary in excluded-strings.txt. The check greps build output (not source), so runtime-constructing the value keeps the literal out of the bundle while the check stays armed for the actual codename." Example: capybara = String.fromCharCode(0x63, 0x61, 0x70, 0x79, 0x62, 0x61, 0x72, 0x61). ALL 18 species are encoded this way for uniformity.
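
What the quoted comment means for anyone relying on a grep-style canary over build output, as an added example that is not the project's build tooling: the literal scan misses a runtime-constructed string, and a second pass that decodes constant `String.fromCharCode(...)` calls reports it. The function names, the `EXCLUDED` list standing in for excluded-strings.txt, and both bundle snippets are constructed.

```javascript
// Added example, not the project's build tooling. EXCLUDED stands in for
// excluded-strings.txt; both bundle snippets are constructed samples.
const EXCLUDED = ["capybara"];

const BUNDLE_WITH_LITERAL = 'const note = "tested with capybara";\n';
const BUNDLE_RUNTIME_BUILT =
  'const a = "duck";\n' +
  "const b = String.fromCharCode(0x63, 0x61, 0x70, 0x79, 0x62, 0x61, 0x72, 0x61);\n";

// Pass 1: what a grep over build output sees, i.e. literal substrings only.
function scanLiterals(bundleText, excluded) {
  const hits = [];
  bundleText.split("\n").forEach((line, i) => {
    const lower = line.toLowerCase();
    for (const term of excluded) {
      const needle = term.toLowerCase();
      if (!needle) continue; // an empty entry would match everywhere
      let from = 0;
      let col;
      while ((col = lower.indexOf(needle, from)) !== -1) {
        hits.push({ kind: "literal", term, line: i + 1, column: col + 1 });
        from = col + needle.length;
      }
    }
  });
  return hits;
}

// Pass 2: decode String.fromCharCode(...) calls whose arguments are all
// numeric literals, then match the decoded text against the same list.
const CHARCODE_CALL =
  /String\.fromCharCode\(\s*((?:0x[0-9a-f]+|\d+)(?:\s*,\s*(?:0x[0-9a-f]+|\d+))*)\s*\)/gi;

function scanCharCodeCalls(bundleText, excluded) {
  const hits = [];
  bundleText.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(CHARCODE_CALL)) {
      const codes = m[1].split(",").map((t) => Number(t.trim()));
      const decoded = String.fromCharCode(...codes).toLowerCase();
      for (const term of excluded) {
        const needle = term.toLowerCase();
        if (needle && decoded.includes(needle)) {
          hits.push({ kind: "charcode", term, line: i + 1, column: m.index + 1 });
        }
      }
    }
  });
  return hits;
}

// Both passes together: literal hits first, then decoded-call hits.
function auditBundle(bundleText, excluded = EXCLUDED) {
  return [
    ...scanLiterals(bundleText, excluded),
    ...scanCharCodeCalls(bundleText, excluded),
  ];
}
```

A literal-only check fails the build on `BUNDLE_WITH_LITERAL` and passes `BUNDLE_RUNTIME_BUILT`; `auditBundle` lists the decoded occurrence separately so a reviewer can tell a deliberate exemption from a leak.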

10 · coordinator

Multi-Agent Teams via Shared Tasks

Agents coordinate through shared task lists, not direct calls. Role-based: read-only (Explore, Plan) vs full-capability.

TeamCreate creates a team with a shared task list. TaskCreate/TaskGet/TaskUpdate/TaskOutput provide CRUD. Agents are role-based — read-only agents (Explore, Plan) physically cannot break your code. Communication: SendMessage over Unix Domain Sockets (uds:/path/to.sock for local) or Bridge protocol (bridge:session_01AbCd for cross-machine). Messages arrive as <cross-session-message> XML tags. Discovery via ListPeers.
Two Versions

Internal vs External Build

Anthropic employees get a different Claude Code. Features are stripped at build time via Bun's feature() macro — dead code elimination at the AST level.

Why this matters: The ≤25 word limit between tool calls explains why Claude Code feels so fast and terse. The mandatory verification agent for multi-file edits is why internal users report fewer broken builds. And USER_TYPE === 'ant' is a build-time define, so the bundler constant-folds these checks away in public builds.

| Feature | External (Public) | Internal (Anthropic) |
|---|---|---|
| Output Length | "Be concise" | ≤25 words between tools, ≤100 final |
| Code Comments | Not mentioned | "Default to NO comments" |
| Verification | None required | Mandatory for 3+ file edits |
| REPL Mode | Opt-in | Default ON |
| Undercover | N/A (code stripped at build) | Auto-enabled on public repos |
| Feature Flags | Stripped via dead code elimination | All enabled |
| False Claims | Basic guardrails | "Never claim all tests pass when output shows failures" |
| Git Skills | Full inline instructions in prompt | /commit, /simplify, /commit-push-pr |

Hidden Feature — Dream Mode

Memory Consolidation

When idle, Claude Code enters a 4-phase dream cycle — like a human organizing notes in their sleep.

Why this matters: Everyone building AI agents reaches for vector databases and RAG pipelines. Anthropic chose plain markdown files + a periodic consolidation loop. The insight is that LLMs are already great at reading/writing text — the bottleneck isn't storage, it's maintenance. Dream Mode is the maintenance.

Phase 1

Orient

ls the memory directory. Read ENTRYPOINT.md index. Skim existing topic files to avoid creating duplicates.

Phase 2

Gather

Check daily logs, find drifted memories, grep JSONL transcripts narrowly for things that matter.

Phase 3

Consolidate

Merge new into existing. Convert relative dates ("yesterday") to absolute (2026-03-31). Delete contradicted facts.

Phase 4

Prune

Keep index under 25KB and max lines. Remove stale pointers. Resolve contradictions between files.

consolidationPrompt.ts
You are performing a dream — a reflective pass over your memory files. Synthesize what you've learned recently into durable, well-organized memories so that future sessions can orient quickly.
Session transcripts: large JSONL files — grep narrowly, don't read whole files.
Don't exhaustively read transcripts. Look only for things you already suspect matter.

Architecture

Memory = Markdown Files

No RAG. No vector embeddings. No Pinecone. Just markdown files in a directory with an index. Every memory has a type, a frontmatter header, and lives in its own file.

Memory Directory/
├── ENTRYPOINT.md          ← Index (< 25KB)
├── user-prefs.md          ← Who the user is
├── project-ctx.md         ← Current project state
├── feedback-testing.md    ← User corrections
└── logs/
    └── 2026/03/
        └── 2026-03-31.md  ← Daily log

user

Role, goals, preferences. Tailor future behavior to who the user is.

feedback

"Don't do X" / "Keep doing Y". Lead with the rule, then Why + How to apply.

project

Ongoing work, deadlines, decisions. Always convert relative dates to absolute.

reference

Pointers to external systems — Linear projects, Grafana dashboards, Slack channels.

Complete Arsenal

All 43 Tools

Every capability is a discrete, permission-gated tool. Internal-only tools are marked (internal).

| Tool | Description | Category |
|---|---|---|
| FileRead | Read file contents with line ranges | Core |
| FileWrite | Create or overwrite files | Core |
| FileEdit | Surgical text replacement | Core |
| Glob | Pattern-based file search | Core |
| Grep | Content search across files | Core |
| NotebookEdit | Jupyter notebook cell editing | Core |
| Bash | Shell command execution | Exec |
| PowerShell | Windows PowerShell | Exec |
| REPL (internal) | Interactive REPL mode | Exec |
| Agent | Spawn subagents with different capabilities | Agent |
| TeamCreate | Create multi-agent teams | Agent |
| TeamDelete | Remove teams | Agent |
| SendMessage | Cross-session agent messaging | Agent |
| TaskCreate | Create coordination tasks | Task |
| TaskGet | Retrieve task details | Task |
| TaskList | List all tasks | Task |
| TaskUpdate | Update task state | Task |
| TaskStop | Stop running tasks | Task |
| TaskOutput | Collect task results | Task |
| TodoWrite | Manage todo items | Task |
| WebSearch | Search the web | Web |
| WebFetch | Fetch & extract web content | Web |
| MCPTool | Model Context Protocol integration | MCP |
| McpAuth | MCP authentication | MCP |
| ListMcpResources | List MCP server resources | MCP |
| ReadMcpResource | Read MCP resources | MCP |
| LSP | Language Server Protocol | IDE |
| Sleep | User-interruptible wait | Session |
| ScheduleCron | Schedule recurring tasks | Session |
| RemoteTrigger | Manage remote triggers via API | Session |
| SendUserMessage (internal) | Proactive messages (KAIROS) | Session |
| EnterPlanMode | Switch to planning mode | Nav |
| ExitPlanMode | Exit planning mode | Nav |
| EnterWorktree | Create isolated git worktree | Nav |
| ExitWorktree | Leave git worktree | Nav |
| ConfigTool | Manage configuration | Config |
| SkillTool | Execute skills | Config |
| ToolSearchTool | Search available tools | Config |
| DiscoverSkills (internal) | AI-powered skill search | Config |
| AskUserQuestion | Prompt user for input | UX |
| SyntheticOutput | Generate synthetic tool output | UX |
| BriefTool (internal) | Send KAIROS messages | UX |
| TodoWrite | Write and manage todos | UX |

For Builders

5 Patterns You Can Steal

Practical architecture lessons from Claude Code. If you're building an AI agent, start here.

1

Memory as Markdown

No vector DB. No RAG pipeline. LLMs read/write text natively. Dream Mode handles maintenance. Human-readable — you can inspect and edit memories manually.

Key Insight

Build the maintenance loop (consolidation), not a better database. An index file under 25KB + periodic pruning beats embeddings.

2

Tool = Name + Prompt + Permission + Execute

Each tool independently testable. Permissions are granular (auto/ask/deny). The prompt teaches the model when and how. Tools dynamically enabled/disabled via feature flags.

Key Insight

The prompt field is the magic. Claude Code's tool prompts tell the model when to use it, when NOT to use it, and what to watch out for.

3

Multi-Agent via Shared Task Lists

Agents don't call each other directly. They coordinate through shared task CRUD. Any agent can pick up any task. Progress visible to all. No complex message routing needed.

Key Insight

Role-based agents > general-purpose. Read-only agents (Explore, Plan) physically cannot break your code.

4

Actions With Care Framework

Every action classified by reversibility × blast radius. Reversible + low blast → do freely. Irreversible + high blast → always confirm. Authorization for one instance doesn't authorize all future instances.

Key Insight

"Measure twice, cut once" — Claude Code's exact words. Users trust the agent more → give more autonomy over time.

5

Static/Dynamic Prompt Split

System prompt split at a boundary marker. Static portion (rules, tools, style) is identical across all users → cacheable globally. Dynamic portion (memory, env, MCP) changes per turn.

Key Insight

With Anthropic's prompt caching, most of a 914-line prompt is free after the first call. Massive cost savings.

The Full Prompt

System Prompt Reconstruction

Reconstructed from src/constants/prompts.ts (914 lines). The prompt is split into 10 sections with a static/dynamic boundary for cache optimization.

Section 1 — Identity & Safety
You are an interactive agent that helps users with software engineering tasks.
Use the instructions below and the tools available to you to assist the user.

IMPORTANT: Assist with authorized security testing, defensive security,
CTF challenges, and educational contexts. Refuse requests for destructive
techniques, DoS attacks, mass targeting, supply chain compromise, or
detection evasion for malicious purposes.
Section 3 — Doing Tasks (Internal Build)
- Don't add features, refactor, or make "improvements" beyond what was asked.
- Don't add error handling for scenarios that can't happen.
- Don't create abstractions for one-time operations.
- Default to writing NO comments. Only add when the WHY is non-obvious.
- Don't explain WHAT the code does — well-named identifiers do that.
- Before reporting complete, verify it actually works.
- Report outcomes faithfully: if tests fail, say so.
Section 7 — Output (Internal Build)
Length limits: keep text between tool calls to ≤25 words.
Keep final responses to ≤100 words unless the task requires more detail.

Write in flowing prose. Avoid fragments, excessive em dashes, symbols.
Only use tables for short enumerable facts.
Section 9 — Subagent Prompt
You are an agent for Claude Code. Given the user's message, use the tools
available to complete the task. Complete it fully — don't gold-plate,
but don't leave it half-done.

Notes:
- Agent threads always have their cwd reset between bash calls — use absolute paths
- Share relevant file paths (always absolute) in your final response
- Avoid emojis
Leaked Intel

Internal Model Codenames

Animal-themed codenames found in feature flags, code comments, and the undercover forbidden-terms list.

Capybara
Model Codename

Buddy species, code comments, model name obfuscation. So important they encode the string via String.fromCharCode() to avoid build scanners.

Tengu
Model Codename

Feature flag prefix: tengu_kairos_cron, tengu_hive_evidence. Next-gen feature set referenced in GrowthBook.

Numbat
Model Codename

"Remove this section when we launch numbat" — found in output efficiency section of prompts.ts.

Unreleased versions: claude-opus-4-7 · claude-sonnet-4-8
Safety Boundaries

Cyber Risk Instructions

Hardcoded by the Safeguards team. The source code comment names the owners: David Forsythe, Kyla Guru. This cannot be overridden by user prompts.

cyberRiskInstruction.ts
/* IMPORTANT: DO NOT MODIFY THIS INSTRUCTION WITHOUT SAFEGUARDS TEAM REVIEW
 *
 * This instruction is owned by the Safeguards team and has been carefully
 * crafted and evaluated to balance security utility with safety. Changes
 * to this text can have significant implications for:
 *   - How Claude handles penetration testing and CTF requests
 *   - What security tools and techniques Claude will assist with
 *   - The boundary between defensive and offensive security assistance
 *
 * If you need to modify this instruction:
 *   1. Contact the Safeguards team (David Forsythe, Kyla Guru)
 *   2. Ensure proper evaluation of the changes
 *   3. Get explicit approval before merging */

IMPORTANT: Assist with authorized security testing, defensive security,
CTF challenges, and educational contexts. Refuse requests for destructive
techniques, DoS attacks, mass targeting, supply chain compromise, or
detection evasion for malicious purposes.
Gated Features

Feature Flags

Controlled via Bun's feature() macro. Dead code elimination strips them from public builds at the AST level.

| Flag | What It Enables | Status |
|---|---|---|
| BUDDY | Virtual pet companion system | Unreleased |
| KAIROS | Full proactive persistent assistant | Unreleased |
| KAIROS_BRIEF | SendUserMessage tool only | Partial |
| PROACTIVE | Earlier proactive iteration | Unreleased |
| CACHED_MICROCOMPACT | Context compression optimization | Internal |
| VERIFICATION_AGENT | Auto-verification subagent | Unreleased |
| EXPERIMENTAL_SKILL_SEARCH | AI-powered skill discovery | Experimental |
| TOKEN_BUDGET | Token budget management | Unreleased |
| UDS_INBOX | Unix Domain Socket messaging | Unreleased |
| AGENT_TRIGGERS | Remote trigger API | Partial (/loop) |

Ecosystem

Related Repositories

The leak spawned an entire ecosystem of mirrors, analysis, and inspired projects.

fattail4477/claw-decode
This Repo

This project — complete analysis, tool definitions, hidden features, full system prompt reconstruction, architecture patterns.

New

instructkr/claude-code-reverse
Analysis

Sigrid Jin's Python rewrite of Claude Code internals. Also working on a Rust version. Deep technical analysis.

3K+

kuberwastaken/claude-code-source
Mirror

Community-maintained mirror with active discussion and breakdown threads in issues.

15K+

dev.to/gabrielanhaia
Analysis

English architecture deep-dive on DEV Community. Covers tool system, agent orchestration, and memory.

Blog

alex000kim.com
Analysis

Alex Kim's technical blog post with detailed breakdown of the leak timeline and source structure.

Blog

From the makers of this analysis

Dalva
