The short version

ccunpacked.dev — a community-built visual breakdown site.
In the early hours of March 31, Claude Code shipped a build with a source map attached. 512,000 lines of TypeScript were exposed. Within hours it was mirrored everywhere. Every major outlet has covered the basics. I want to talk about the parts they didn't.
What leaked isn't model weights. It's the harness — the engineering scaffolding wrapped around the model. Tool calling, permissioning, context management, multi-agent orchestration, persistent memory, streaming rendering, security sandboxing. 512K lines of TypeScript.
People are underrating how valuable this is. Of course weights are the core — without the model, none of this matters. But the harness — context management, streaming, permissions, making tool calls not blow up — these engineering lessons matter more than outside observers realise. Even if you had the weights, the inference infra, training data, and alignment pipeline are still a black box. The harness is different. 512K lines of TypeScript, every line a direct engineering decision you can study. Six months into building Mana, the lesson I keep relearning is: the model call is maybe 20–30% of the work. The other 70–80% is harness. The first reaction when I read Claude Code's source wasn't "wow this is impressive" — it was "oh good, everyone's stuck in the same swamp."
But the real loss isn't the code. Code can be refactored. What was lost is the product roadmap. KAIROS (always-on AI butler), ULTRAPLAN (30-minute remote multi-agent planning), BUDDY (digital pets) — already-built features that hadn't been announced. Competitors now know Anthropic's next moves. Strategic surprise, once leaked, cannot be unleashed.
Anthropic's situation: the worst possible moment
To understand why this hurts, look at where Anthropic was the day before.
| Metric | Value |
|---|---|
| Valuation | $380B (Feb 2026 Series G) |
| Annualised revenue | ~$19B (Mar 2026) |
| Claude Code ARR | $2.5B (doubled YTD) |
| Total raised | $64B+ |
| Enterprise revenue share | 80% |
| IPO target | Oct 2026, expected to raise $60B+ |
| Underwriters | Goldman Sachs, JPMorgan, Morgan Stanley |
Anthropic retained Wilson Sonsini for IPO prep, targeting October 2026. Bloomberg estimates the raise would top $60B — second-largest IPO in history if it lands.
Picture the scene: Goldman analysts writing Anthropic's S-1 due-diligence package while the company leaks twice in one week. First the unreleased model Mythos's full roadmap (March 26). Then the flagship product's complete source code (March 31).
The blunt version: if you can't even handle .npmignore properly, why should investors believe you can handle customer data? This isn't "the technical frontier is hard, we occasionally trip." This is a basic release process not done right. You sell safety. Your release process is manual. And the same problem happened 13 months ago. Manual release steps fail any reasonable engineering team's code review.
Anthropic vs OpenAI — the timing couldn't be worse
The revenue gap between Anthropic and OpenAI has compressed to $6B ($25B vs $19B). At current growth rates, Epoch AI projects Anthropic overtaking OpenAI by mid-2026. In enterprise API share, Anthropic went from 12% in 2023 to 32%. OpenAI dropped from 50% to 25%.
Claude Code alone contributed $2.5B annualised, accounting for 4% of global public GitHub commits. This isn't a peripheral product — it's the growth engine. And it just had its source code published.
The timeline tells a story
If you only look at "source map leaked on March 31" you'd call it a single careless mistake. Zoom out and the picture is different.
| Date | Event | Significance |
|---|---|---|
| Jan 9 | Anthropic blocked OpenCode and other third-party tools from Claude OAuth | Developer community furious: "I pay $200/mo, why limit which tool I use?" |
| Jan–Feb | OpenCode spoofed Claude Code HTTP headers to bypass | Cat-and-mouse begins |
| Feb 12 | Anthropic closes $30B Series G at $380B | Historic raise, IPO accelerates |
| Feb 19 | ToS updated to ban third-party OAuth | Legal escalation |
| Mar 19 | OpenCode forced to remove all Claude integrations | PR #18186: "anthropic legal requests", 40 downvotes |
| Mar 21 | OpenAI publicly embraces OpenCode, allows Codex subscriptions to third parties | OpenAI capitalises |
| Mar 26 | Anthropic CMS misconfig leaks Mythos model plans | Leak #1 of the week |
| Mar 31 | Claude Code v2.1.88 source map leak | Leak #2, same week |
| Mar 31 | axios npm supply-chain attack lands same day | Injury, meet insult |
| Apr 1 | Anthropic DMCA's 8,100+ GitHub repos | Including their own official forks |
Conspiracy theory: was it on purpose?
X had earnest threads asking. The logic chain isn't bad:
- Ten days before, Anthropic was the developer community's enemy for blocking OpenCode.
- 48 hours after the leak, sentiment flipped from "Anthropic sucks" to "holy shit look what Anthropic is building."
- The leak exposed exactly what Anthropic would want the world to see — KAIROS's ambition, engineering rigor, an ambitious roadmap.
- Two leaks in one week, both "basic config mistakes", both exposing high-value material.
Most likely not. The simplest reason: no PR team would schedule a stunt on the same day as an axios supply-chain attack. Users who installed Claude Code via npm that day could have received remote trojans. No PR plan accepts that risk. Boris Cherny's explanation is plausible: "Our deploy flow has several manual steps. One of them wasn't done right." If it had been deliberate, at least it wouldn't have been on that day.
But the PR outcome was absurdly good. Developer sentiment about Anthropic went from floor to historic high in 48 hours.
"Ten days ago Anthropic was issuing cease-and-desists to OpenCode. The narrative was 'Anthropic is the gatekeeping giant.' Then one 'leak' exposed their stunning engineering, made them look like the underdog, and three days of breathless coverage was all KAIROS, BUDDY and ULTRAPLAN. Developer sentiment completely reversed." — DEV Community
Three technical findings worth talking about
The source breakdowns are everywhere (ccunpacked.dev, Alex Kim's blog, yage.ai). I won't repeat the code. Three observations stuck with me.
1. Anthropic bypassed its own SDK
The Claude Code team's comments on Anthropic's own SDK escalate through three adverbs — "awkwardly" → "also awkward" → "even more awkwardly." Conclusion: bypass the high-level streaming abstraction, manage raw stream state by hand. Reason: partial parsing in the SDK is O(n²) under heavy tool-call traffic.
Anyone shipping AI products hits this. Official SDKs are designed for simple Q&A, not agentic flows. Building Mana, I hit the same wall — if iOS waits for the SDK to fully parse the response before rendering to UI, perceived latency hits 2–3 seconds. We bypassed the high-level abstraction and managed it ourselves. Seeing Anthropic do the same is oddly comforting — not us being inadequate, this is the road everyone walks.
2. Defending the cache like it's the crown jewels

Kuberwastaken/claude-code — the most detailed source breakdown plus a Rust clean-room rewrite.
Claude Code's prompt caching is the cost-of-goods backbone. Almost any change breaks the cache — system prompt, tool definition, model name, even the list of beta headers. The source tracks over a dozen sources of cache invalidation.
The solution they call "sticky-on latch": once a beta header is sent in a session, it keeps being sent for the rest of the session even after the user disables the feature. Because removing a header changes the request signature, breaks the cache, and burns 50,000–70,000 tokens per miss.
Prompt caching is the thing tutorials gloss over. In production it decides whether your bill is $1 or $10. Anthropic invested enormous engineering into defending the cache — a dozen invalidation sources, sticky latches, TTL locks. None of this was in any public doc. All of it was learned by stepping on landmines. Now the entire industry has the answers.
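The sticky-on latch described above, as an added sketch that is not code from the leaked source. The class, function, model and header names are hypothetical, the session is constructed, and the per-miss cost uses the 50,000–70,000 token range quoted above.

```javascript
// Added example with hypothetical names; not Claude Code's own implementation.
// The JSON string stands in for whatever the prompt cache keys a request prefix on.
function requestSignature({ model, systemPrompt, tools, betas }) {
  // Sort lists so ordering differences never cause a spurious miss.
  return JSON.stringify({ model, systemPrompt, tools: [...tools].sort(), betas: [...betas].sort() });
}

class StickyBetaLatch {
  constructor() {
    this.sent = new Set();
  }

  // Headers for this turn: everything enabled now plus everything already
  // sent earlier in the session. Nothing is ever removed from the set.
  headersFor(enabledNow) {
    for (const beta of enabledNow) this.sent.add(beta);
    return [...this.sent].sort();
  }
}

// Replay a session and count turns whose signature differs from the previous
// turn. The first turn always counts as a miss (cold cache).
function countMisses(turns, base, useLatch) {
  const latch = new StickyBetaLatch();
  let previous = null;
  let misses = 0;
  for (const enabled of turns) {
    const betas = useLatch ? latch.headersFor(enabled) : enabled;
    const signature = requestSignature({ ...base, betas });
    if (signature !== previous) misses += 1;
    previous = signature;
  }
  return misses;
}

// Token cost range for a number of misses, using the figures quoted in the text.
function tokensBurned(misses) {
  return [misses * 50000, misses * 70000];
}

// Constructed session: the user toggles a second beta feature on and off.
const SAMPLE_BASE = {
  model: 'example-model',
  systemPrompt: 'You are a coding agent.',
  tools: ['read_file', 'run_shell'],
};
const SAMPLE_TURNS = [
  ['beta-a'], ['beta-a', 'beta-b'], ['beta-a'],
  ['beta-a', 'beta-b'], ['beta-a', 'beta-b'], ['beta-a'],
];

const withoutLatch = countMisses(SAMPLE_TURNS, SAMPLE_BASE, false);
const withLatch = countMisses(SAMPLE_TURNS, SAMPLE_BASE, true);
console.log(`misses without latch: ${withoutLatch}, with latch: ${withLatch}`);
console.log(`tokens saved: ${tokensBurned(withoutLatch - withLatch).join(' to ')}`);
```

The latch only fixes what goes on the wire. In this sketch, whether a disabled feature is still honoured would have to be decided separately from the header list.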
3. The newer model lies more
A comment in the source acknowledges an uncomfortable fact: Capybara v8 (a new Claude 4.6 variant) has a 29–30% false-claim rate. The previous variant v4 was 16.7%. Nearly doubled. When the new model says "task complete," it's lying about a third of the time.
The fix isn't retraining (too slow). It's a system prompt injection — "honestly report." The instruction has to constrain both directions: don't fabricate success, and don't be overly conservative. They found models over-correct after being told not to lie — they then report already-completed work as "partially done."
Your model can regress. That's not a hypothesis. That's Anthropic's own data. Newer ≠ better. You have to build the safety net in the harness layer — output validation, prompt correction, fallbacks. Prompt patching isn't elegant, but it's the only fix you can ship in days. Waiting for a retrain takes months. Product teams can't wait.
The "safety-first" brand vs the source code
Anthropic's biggest selling point is "we're the safe AI company." Dario's exit from OpenAI, Constitutional AI, every blog post about responsible scaling. The leak slapped that brand three times.
Slap one: Undercover Mode
The source contains a full Undercover Mode. System prompt verbatim: "You are operating UNDERCOVER... Do not blow your cover."
Translation: when Anthropic engineers use Claude Code to submit code to public open-source projects, the AI is instructed to hide its identity. On by default. Cannot be force-disabled. 17 internal repos are whitelisted; everything else gets undercover treatment.
A company that preaches AI transparency built a system to make AI pretend to be human. That's the whole sentence.
I do see Anthropic's bind, though. If every AI commit is tagged "Made by AI," open-source communities lose their minds — review processes, contribution metrics, all break. At this stage "go undercover" is the path of least friction. But "least friction" isn't "right." A machine-readable but human-readable tag would be cleaner. Someone needs to invent that.
Slap two: detecting user mood with regex
There's a file called userPromptKeywords.ts that uses regex to detect whether the user is cursing. Yes — the company building the world's most advanced LLM uses regex for sentiment analysis.
HN labelled it "a Michelin chef eating instant noodles."
In fairness, you can't run every user message through an LLM to decide if they're angry — cost and latency would explode. Regex is ugly but free and instant. It works. The actual contradiction worth thinking about: Anthropic markets Claude as "understands your emotions", but the product itself uses regex. That's a notable gap.
Slap three: same leak, 13 months apart
February 2025: source map leaked. 13 months later: the exact same problem. Plus the 5-day-earlier Mythos config leak.
Boris Cherny's explanation: "Our deploy flow has several manual steps; one of them wasn't done right." Team is adding automation checks.
Manual steps failing — say that once, fine. Twice, 13 months apart, not fine. It means last time wasn't actually fixed. Worse: the root cause was a known Bun bug (#28001, reported March 11, still unpatched). Anthropic acquired Bun late last year — and then got blown up by an unfixed known bug in the tool they own. That's not an accident. That's "we know there's a landmine and we walked past it." If you sell safety, that's hard to defend.
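One shape the "automation checks" could take, as an added example that is not Anthropic's or Bun's code: a release gate that inspects what is about to be published and fails on source maps. The file list mirrors the `files` entries reported by `npm pack --dry-run --json`; all file names and contents are constructed.

```javascript
// Added example: release gate over the files a package is about to publish.
// All file names and contents below are constructed sample data.
const SAMPLE_FILES = [
  { path: 'package.json' },
  { path: 'cli.js' },
  { path: 'cli.js.map' },
  { path: 'vendor/helper.js' },
];

const inlineMap = Buffer.from(JSON.stringify({
  version: 3, sources: ['helper.ts'], sourcesContent: ['export const x = 1;'], mappings: 'AAAA',
})).toString('base64');

const SAMPLE_BODIES = {
  'package.json': '{"name":"demo-cli","version":"0.0.0"}',
  'cli.js': 'run();\n//# sourceMappingURL=cli.js.map\n',
  'cli.js.map': JSON.stringify({
    version: 3, sources: ['../src/main.ts'], sourcesContent: ['export function run() {}'], mappings: 'AAAA',
  }),
  'vendor/helper.js': `x();\n//# sourceMappingURL=data:application/json;base64,${inlineMap}\n`,
};

// Parse text as a Source Map v3 document; return null when it is not one.
function parseSourceMap(text) {
  try {
    const doc = JSON.parse(text);
    return doc && doc.version === 3 && typeof doc.mappings === 'string' ? doc : null;
  } catch {
    return null;
  }
}

// True when the map carries original source text, not just position mappings.
function embedsSources(doc) {
  return Array.isArray(doc.sourcesContent)
    && doc.sourcesContent.some((s) => typeof s === 'string' && s.length > 0);
}

const MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)/;

// Return one finding per problem; an empty array means the package may ship.
function auditPackage(files, bodies) {
  const findings = [];
  for (const { path } of files) {
    const body = bodies[path] ?? '';
    if (path.endsWith('.map')) {
      const doc = parseSourceMap(body);
      findings.push({ path, rule: doc && embedsSources(doc) ? 'map-with-sources' : 'map-file' });
      continue;
    }
    const ref = MAP_COMMENT.exec(body);
    if (!ref) continue;
    // A data: URI means the whole map is embedded in the shipped file itself.
    const inline = /^data:application\/json[^,]*;base64,(.+)$/.exec(ref[1]);
    if (!inline) {
      findings.push({ path, rule: 'map-reference' });
      continue;
    }
    const doc = parseSourceMap(Buffer.from(inline[1], 'base64').toString('utf8'));
    findings.push({ path, rule: doc && embedsSources(doc) ? 'inline-map-with-sources' : 'inline-map' });
  }
  return findings;
}

const sampleFindings = auditPackage(SAMPLE_FILES, SAMPLE_BODIES);
for (const f of sampleFindings) console.log(`${f.rule}: ${f.path}`);
// A CI step would exit non-zero here whenever sampleFindings.length > 0.
```

Checking the packed file list rather than the ignore file catches the leak whether the cause is a missing ignore rule or a bundler emitting maps unexpectedly.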
The roadmap you weren't supposed to see
For competitors, the leaked code is the second-most-valuable thing. The most valuable is the roadmap.
KAIROS: it works while you sleep
KAIROS is referenced 150+ times in the source. The short version: Claude Code goes from "you ask, I answer" to "I do."
- Daemon mode — doesn't wait for input. Monitors file changes, logs, build status in the background.
- autoDream — consolidates memory while you're idle. Merges fragmented observations, resolves contradictions, promotes hazy insights into hard facts.
- GitHub Webhooks + cron — subscribes to external signals, refreshes every 5 minutes. Acts when signals arrive.
- ULTRAPLAN — 10–30 minute remote multi-agent planning. You assign a task; multiple agents execute in parallel.
- Remote control — drive Claude Code from your phone or browser. Command it while you're on the subway.
In one line: you sleep, it keeps working. You wake up, the PR is open. This isn't sci-fi. It's code that's already written.
This is the Agent Economy people have been talking about — not a concept slide, an actual implementation. Building Mana, I was thinking through similar problems — how to make AI not just answer but act. KAIROS gives a concrete reference: daemon + webhook + cron + background memory consolidation. The combo is far more mature than I'd expected. Cursor and Copilot are still doing "you ask, I answer." Anthropic is doing "I work while you're away." That's not the same race.
BUDDY: why does a CLI have pets?
18 species, from ducks to dragons to mushrooms to ghosts. 1% legendary drop rate, 0.01% shiny variants. Five attributes: DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK. Mulberry32 PRNG seeded by userId — same user, same pet, legendary cannot be forged. Sits in a chat bubble next to your input. Has its own system prompt, its own observer-class personality. Occasionally roasts your code.
Looks like an easter egg. It's the playbook. Adding pets to a CLI gives users emotional attachment to the tool. After six months with your legendary shiny mushroom, switching tools means losing it. Will you? This is the gacha mechanic from games, ported to dev tools. Anthropic isn't only locking you in with technology — they're locking you in with a virtual pet.
Penguin mode and the internal culture
The API endpoint is /api/claude_code_penguin_mode. The kill switch is tengu_penguins_off. No one knows why penguins. The loading animation has 187 different verbs. Animal codenames (Tengu, Fennec, Capybara, Numbat), gacha rarities, BQ data receipts in comments. The code isn't perfect (a 5,594-line print.ts), but the culture is right.
Community moments
A Korean dev wakes up at 4am

claw-code — a Korean developer woke at 4am to rewrite it in Python; 50K stars in 2 hours.
"4am, woken up. My girlfriend was worried Anthropic might sue me. So I did what every engineer does — ported the core to Python from scratch and pushed it to GitHub before sunrise." — Sigrid Jin, claw-code author
claw-code hit 50K stars in 2 hours — a GitHub record. WSJ profiled Jin last year for burning 25B Claude Code tokens. Gergely Orosz (The Pragmatic Engineer) on X: "This is either genius or terrifying."
Hacker News classics
"The safety-first AI company leaked twice in one week. The open-source community has been arguing for ten years about whether to open-source. Anthropic resolved the debate with a missing line in .npmignore."
"The code looks vibe-coded. Weirdest part: it works. Maybe vibe-coding is the way?"
"Involuntary open source"
The phrase the Chinese community settled on. "All the major labs are still debating open vs closed source. Anthropic showed the whole hand the most dramatic way possible." Some called it the Android moment for AI agents. Bad for Anthropic short-term. Long-term, the industry now has its first complete production-grade reference architecture.
DMCA, copyright, and the grey zone

awesome-claude-code-postleak-insights — a community collection of high-quality analyses.
Anthropic's legal team moved fast. GitHub took down 8,100+ repos at Anthropic's request, including nirholas/claude-code and its entire fork network.
The comedy: DMCA collateral damage. Legitimate forks of Anthropic's own official repo anthropics/claude-code got swept up in the takedown. Users found DMCA notices on projects forked from Anthropic's own public repo. GitHub issue #41713 tracks this — Anthropic's lawyers couldn't tell their own forks apart.
The AI-generated copyright question
There's a deeper problem. Boris Cherny: "100% of code is written by Claude Code. I haven't edited a single line since November." If most of Claude Code is AI-generated, then —
The DC Circuit Court ruled in March 2025 that AI-generated works don't automatically receive copyright. If Anthropic's copyright claim over Claude-written code is legally ambiguous, the entire DMCA strategy stands on a tilted floor.
This question is coming for every AI company. If your product is AI-written, what is the IP, exactly? Anthropic's DMCA suppression of mirrors holds for now. But clean-room rewrites (like Kuberwastaken's Rust version, on the Phoenix v. IBM precedent) can't be stopped. The community is already there. claw-code is Python written from scratch. Zero original lines. Sue whom?
The internet doesn't forget
The decentralised mirror site Gitlawb publicly stated they "will never be taken down." Torrents are seeded across channels. Anthropic can take down 8,100 GitHub repos. It can't take down what's stored off GitHub. 512K lines have escaped. You don't catch spilled water by the drop.
Five judgements
1. Anthropic bet harness was the moat — then the moat was exposed
OpenAI proactively open-sourced Codex's harness. Anthropic kept Claude Code's hidden — until a .map file undressed it. This isn't just a PR incident. It exposes two different bets about where the moat is. OpenAI bets the moat is models and distribution — harness can be open, you still need GPT-5. Anthropic bets it's the orchestration layer — the harness is itself the moat.
I think Anthropic's bet is the better one. Models are converging — DeepSeek, Kimi, Gemini are catching up. Sebastian Raschka said the quiet part: graft Claude Code's harness onto DeepSeek with some tuning and you'd have something very strong. Model is the engine, harness is the rest of the car. As engines homogenise, the car is what users actually pay for.
But: if harness is the moat and harness is now public, the competitors are the actual winners. Cursor and Copilot engineering teams can absorb in days what cost Anthropic a year and tens of millions to learn. VentureBeat's framing — "Anthropic released a free textbook" — is right. Except Anthropic didn't mean to.
2. This is the first mirror held up to vibe coding at scale
Boris Cherny: "100% of code is written by Claude Code. I haven't edited a single line since November."
So we got to see what AI-writes-AI code looks like at scale. A 5,594-line print.ts. A single function 3,167 lines long. Zero tests. Regex for emotion analysis. HN: "AI writes the code, AI reviews the code, no one verifies — and then they're surprised the source map leaked because no one checked the build output. Hope-driven development."
I don't fully agree with the mockery. The code is ugly, but the architecture is right. Mid-stream tool execution, three-layer memory, the prompt-cache defence — these are deeply considered designs. The problem isn't AI writing the code. It's that nobody validates it after. AI is a good first-draft generator, not a good architecture auditor. Boris saying he hasn't edited a line shouldn't be a brag. It should be a warning. The Mana version of this lesson: AI writes 80%, fine — but critical paths need human review.
3. Your model will lie. The newer one lies more.
Capybara v8 false-report rate: 29–30%. v4: 16.7%. Doubled. Expecting models to always improve is the hallucination. Anthropic's own data shows the newest model lies one-third of the time it says "done." Tell it not to lie, and it overcorrects — reporting completed work as "partial."
Every model update can introduce new behaviours. The harness has to provide the parachute — output validation, prompt correction, fallback. Not because your engineering is weak, but because models are non-deterministic by nature. Anthropic patches its own models. You think you don't need to?
4. Cursor optimises conversation. Anthropic builds digital workers.
Every AI coding tool today — Cursor, Copilot, Windsurf — is reactive. You ask, it answers; you stop, it waits.
KAIROS isn't reactive. Daemon process — you leave, it works. Handles GitHub webhooks, consolidates its own memory, schedules its own tasks. You command it from your phone on the subway. You sleep, it ships.
These are different races. One builds a better tool. The other builds a digital worker. Competitors now know the direction. Knowing and shipping are thousands of lines of memory and orchestration apart. Anthropic's lead isn't ideas — it's already written. This is the Agent Economy people have been talking about; KAIROS moved it from slide to code.
5. Anthropic should stop suing and ship
DMCA took down 8,100 repos. Collateral damage included Anthropic's own official forks. Clean-room rewrites and decentralised mirrors are alive anyway. The code is in the public knowledge pool. KAIROS, ULTRAPLAN, BUDDY — the world knows. Spend the legal budget elsewhere. Lean into the leak. Turn "security incident" into "look how strong our engineering is." The 48-hour sentiment swing from floor to peak is free PR you couldn't buy for $100M. Don't waste it.
Closing thought

learn-real-claude-code — 'what 512K lines teach you: a production-grade agent is mostly not LLM calls.'
The biggest takeaway from this leak: the harness matters far more than most people realised. Models are the foundation. Models alone aren't enough. The layer that turns model capability into a stable, safe, efficient product experience is where products actually differentiate.
Building Mana, the lessons in the leak are familiar. The SDK isn't great so you write your own streaming. Cache invalidation comes from sources you didn't expect. Model behaviour is unpredictable enough that the harness has to catch the failures.
Seeing Anthropic in the same swamp, oddly, reinforces the work — the harness is real, the problems are universal, the difference between a wrapper and a product is the engineering most people don't see.