Inside the Claude Code Leak

What 512,000 lines of accidentally published source code revealed about AI agent architecture.

Synthesizes two sources: community analysis of the leaked features (VentureBeat, WaveSpeed AI, Alex Kim) and a systematic architectural review of all 1,884 TypeScript source files.


Part I · The Leak

What Happened

On March 31, 2026, Anthropic pushed Claude Code v2.1.88 to npm. A build engineer had forgotten to exclude source map files in .npmignore. The result: a 59.8 MB .map file was bundled into the package, pointing to a Cloudflare R2 bucket containing the complete, unobfuscated TypeScript source.

Security researcher Chaofan Shou (Berkeley CS PhD, CTO of Fastland) spotted it within hours and posted the download link on X. Korean developer Sigrid Jin — a power user previously profiled by WSJ for consuming record-breaking Claude token counts — was awake at 4 AM rewriting the core logic in Python using multi-agent AI tooling. His cloncode project hit 70,000 GitHub stars before dawn, reportedly the fastest-growing repository in GitHub history.

Anthropic confirmed the breach, pulled the package, and issued DMCA takedowns. The code had already spread.
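The packaging failure described above is the kind a pre-publish gate can catch. The following is an added example, not code from the leaked package or from Anthropic; `auditPackage`, `publishIsSafe` and the sample package contents are hypothetical and constructed for illustration.

```javascript
// Added example (hypothetical names). In CI the file list and contents would come
// from the tarball that `npm pack` builds; here they are constructed inline.
const MAP_COMMENT = /\/\/[#@]\s*sourceMappingURL=(\S+)/;
const REMOTE = /^https?:\/\//;

function auditPackage(files) {
  const findings = [];
  for (const { path, content = "" } of files) {
    if (path.endsWith(".map")) {
      findings.push({ path, issue: "source map shipped in package" });
      try {
        const map = JSON.parse(content);
        if (Array.isArray(map.sourcesContent) && map.sourcesContent.some(Boolean)) {
          findings.push({ path, issue: "map embeds original sources (sourcesContent)" });
        }
        const sources = Array.isArray(map.sources) ? map.sources : [];
        if (sources.some((s) => REMOTE.test(String(s))) || REMOTE.test(map.sourceRoot || "")) {
          findings.push({ path, issue: "map references remotely hosted sources" });
        }
      } catch {
        findings.push({ path, issue: "unparseable .map file" });
      }
      continue;
    }
    // A leftover comment in shipped JS tells anyone where to look for the map.
    const m = /\.[cm]?js$/.test(path) ? content.match(MAP_COMMENT) : null;
    if (m) {
      const kind = m[1].startsWith("data:") ? "inline" : "external";
      findings.push({ path, issue: `${kind} sourceMappingURL comment` });
    }
  }
  return findings;
}

// Constructed sample package contents (not taken from the real package).
const SAMPLE_PACKAGE = [
  { path: "package.json", content: '{"name":"example-cli"}' },
  { path: "cli.js", content: "console.log(1);\n//# sourceMappingURL=cli.js.map\n" },
  { path: "cli.js.map", content: JSON.stringify({
    version: 3, sources: ["https://bucket.example/src/main.ts"], mappings: "" }) },
  { path: "lib/util.js", content: "exports.ok = true;\n" },
];

// Gate for a prepublish step: true only when nothing map-related would ship.
function publishIsSafe(files) {
  return auditPackage(files).length === 0;
}
```

An allowlist in the `files` field of package.json fails closed, where a `.npmignore` denylist fails open when a rule is forgotten.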

512K · Lines of TypeScript
1,884 · Source files
59.8 MB · Source map
70K ★ · Stars on clone
42+ · Built-in tools
123+ · Feature flags

Timeline

March 31 · Late night ET
Claude Code v2.1.88 published to npm. Missing .npmignore rule exposes a 59.8 MB source map pointing to a full Cloudflare R2 source dump.
Within hours
Chaofan Shou discovers the exposed file and posts the download link on X. The AI developer community erupts.
4 AM — Sigrid Jin wakes up
Begins rewriting the core logic in Python, orchestrating multiple AI agents for cross-language porting. An AI tool, rebuilt by AI, from a leak of an AI tool.
By dawn
cloncode goes live: 70,000 stars and 41,500 forks — reportedly the fastest-growing repo in GitHub history.
Same day
Anthropic confirms the breach, issues DMCA takedowns, commits to process improvements. The irony: Claude Code's own Undercover Mode — built to prevent info leaks — was powerless against a missing config line.

Part II · Hidden Features

10 Unreleased Features

Researchers found 20 fully-built features hidden behind internal flags. Here are the ten most significant.

Agent

1. KAIROS — Proactive Background Agent

The most-discussed module (150+ references). KAIROS transforms Claude Code from reactive to proactive: it receives periodic heartbeat signals and decides autonomously whether to act. When your terminal is unfocused, it acts boldly; when you're present, it defers. Exclusive capabilities include push notifications, PR subscriptions, and file delivery. Fully implemented, internal-only.

Agent

2. Daemon Mode — Headless Persistent Agent

Four session types are defined in cur-session.ts: Interactive, BG, Daemon, and Daemon Walker. Daemon runs like a system service — survives terminal closure, supports 5-field cron scheduling, and persists tasks to .claude/skies/tasks.json. Tasks auto-expire after 30 days. A jitter mechanism prevents thundering-herd collisions at scale.

Agent

3. UDS Inbox — Multi-Instance Coordination

Previously, multiple Claude Code windows meant N isolated agents. UDS Inbox opens Unix Domain Socket channels between instances for real-time message exchange and task coordination — even without a terminal. Combined with Daemon mode, this shapes Claude Code into a persistent local multi-agent system.

Architecture

4. Super Plan (ULTRAPLAN) — Cloud Planning

Offloads task planning to a cloud Opus instance, which can spend up to 30 minutes on deep decomposition. The plan is then returned to the local client for execution. This cloud-local split (cloud for reasoning, local for execution) is a preview of how agent workflows will scale beyond single context windows.

Memory

5. Auto Dream — Nightly Consolidation

When idle for 75+ minutes with 100K+ tokens accumulated, a locked background sub-agent merges fragmented session observations, resolves contradictions, and writes stable factual knowledge back to disk. The next session starts with a consolidated understanding of your codebase — not a blank slate.

Security

6. Anti-Distillation Traps

Two layers against API-scraping competitors. Fake tool injection: decoy tool definitions are silently added to responses — harmless for real users, poison for scrapers training models on raw API output. CoT encryption: only a cryptographically signed summary of Claude's reasoning is returned; the full chain is reconstructable only by Anthropic's official client.

Security

7. Undercover Mode

When an Anthropic employee uses Claude Code on a public repository, an injected system prompt enforces: no AI identity disclosure, no Anthropic mentions, no internal codenames, no Co-Authored-By lines in commits. The tool that leaked via a packaging error had a fully-built mechanism to hide AI authorship in public code.

UX

8. Buddy — Virtual Pet System

18 pet species, rarity tiers from Common to Legendary, RPG-style attributes (Debugging, Snark, Patience, Chaos, Wisdom), and low-probability Shiny variants. Each account deterministically generates a unique pet — no rerolling. Anthropic's bet: long-term engagement requires emotional attachment, not just technical capability.

Observability

9. Frustration Tracking

Regex-based (not LLM-based) detection of user frustration: repeated undo commands, frequent error prompts, profanity-containing input. When signals cross a threshold, interaction logs are force-uploaded to Anthropic's backend. User frustration is treated as the most precise signal of where the tool actually breaks down.

Infrastructure

10. 123+ Feature Flags

44 visible flags plus 79 internal tengu_-prefixed flags, managed via GrowthBook. Notable hidden gates: tengu_kairos_assistant_mode, tengu_harbor (plugin marketplace), tengu_thinkback (year-in-review), plus the full BUDDY and ULTRAPLAN systems. All built, all waiting for the switch to flip.

Key Flags at a Glance

Flag | Controls | Status
tengu_kairos_assistant_mode | KAIROS proactive background agent | Internal only
tengu_anti_distill_fake_tool_injection | Training data poison injection | Gated
tengu_harbor | Plugin marketplace | Unreleased
tengu_thinkback | "Year in Review" | Unreleased
ANTI_DISTILLATION_CC | Thought chain encryption | Gated
BUDDY (system) | Virtual pet companion | Built, unreleased
ULTRAPLAN | 30-min cloud planning via Opus | Built, unreleased

Part III · Architecture

Under the Hood

Claude Code is not a CLI that wraps an API. The numbers make this clear: main.tsx runs to 4,700 lines, the agent loop engine Query.ts to 1,700+, the API client cloud.ts to 3,600+. It uses TSX + React Ink for terminal rendering, a custom Zustand-style state manager, and a prompt compiler with six priority levels. It’s a framework — specifically, an Agent Runtime.

The ReAct Loop

Every interaction runs through a five-phase Reason → Act cycle, implemented in Query.ts using a Generator that streams every event live to the terminal UI:

1. Context Prep
Trim, compress, summarize before every call

Stale history is trimmed, cached tool results are micro-compressed, and overly long contexts trigger a full AI-generated summary — all before the model is called.

2. Streaming Call
Collect text replies and tool-call intents in parallel

Claude receives conversation history, system prompt, and tool list. The response streams back; two output channels are captured simultaneously: free text and tool invocation intents.

3. Tool Execution
Two executors: streaming (parallel) and batch (sequential)

The streaming executor begins executing tools while the model is still generating. The batch executor waits for all calls to be confirmed, then runs them together. All execution passes permission checks and the Hook system.

4. Attachment Collect
Gather memory hits, notifications, file change records

Side-channel data — long-term memory, task notifications, file modification records — is collected and appended to context for the next call.

5. Continue / Terminate
No tool calls = done. Errors route to the recovery stack.

If the model produces no tool calls, the loop exits. Errors flow to the 7-layer recovery system. Output truncation auto-upgrades the token ceiling from 8K → 64K and retries up to three times.

Fault Recovery

Seven layers absorb everything from network jitter to extended API outages — without interrupting the user:

1. API Exponential Backoff: Standard transient error handling
2. 529 Overload Handling: Dedicated path for capacity exhaustion
3. Output Token Recovery: Auto-upgrade 8K → 64K ceiling, retry ×3
4. Reactive Compression: Emergency compress on 413 context-too-long
5. Context Drain: Flush and rebuild when compression is insufficient
6. Model Fallback: Route to alternate model if primary unavailable
7. Unattended Persistent Retry: Max backoff 5 min · reset ceiling 6 hours

Engineering Highlights

✂️

Prompt Cache Splitting

System prompt is split at a boundary: static half (identity, philosophy) is globally cached; dynamic half (memory, environment) is never cached. Maximizes Anthropic API cache hits and minimizes per-call cost.

📦

4-Level Context Compression

Snippet (quantized trim) → Micro-compact (time/API compression) → Auto-compact (AI-generated summary) → Reactive Compact (emergency 413 response). Each level has a corresponding recovery path.

Speculative Execution

Changes are executed in a Copy-on-Write overlay filesystem before you confirm. Approve → copied to real filesystem. Reject → overlay discarded. Zero latency on confirmation; zero side effects on rejection.
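The approve/reject behaviour described above can be modelled with an in-memory overlay. This is an added example, not the leaked implementation; `OverlayFs`, its method names and the sample files are hypothetical, and a `Map` stands in for the real filesystem.

```javascript
// Added example (hypothetical): copy-on-write overlay over a Map-backed "filesystem".
const TOMBSTONE = Symbol("deleted");

class OverlayFs {
  constructor(base) {
    this.base = base;          // Map<path, content>: the real files, never touched until approve()
    this.overlay = new Map();  // pending writes and deletions
  }
  read(path) {
    if (this.overlay.has(path)) {
      const v = this.overlay.get(path);
      return v === TOMBSTONE ? undefined : v;
    }
    return this.base.get(path); // read-through for untouched paths
  }
  write(path, content) { this.overlay.set(path, content); }
  remove(path) { this.overlay.set(path, TOMBSTONE); }
  // What the user is asked to confirm: only entries that differ from the base.
  pending() {
    const out = [];
    for (const [path, v] of this.overlay) {
      const before = this.base.get(path);
      if (v === TOMBSTONE) { if (before !== undefined) out.push({ path, op: "delete" }); }
      else if (before === undefined) out.push({ path, op: "create" });
      else if (before !== v) out.push({ path, op: "modify" });
    }
    return out;
  }
  approve() {
    for (const [path, v] of this.overlay) {
      if (v === TOMBSTONE) this.base.delete(path); else this.base.set(path, v);
    }
    this.overlay.clear();
  }
  reject() { this.overlay.clear(); } // nothing to undo: the base was never written
}

// Constructed scenario: three speculative changes, rejected, then one approved.
function demoOverlay() {
  const real = new Map([["src/a.ts", "v1"], ["README.md", "docs"]]);
  const ofs = new OverlayFs(real);
  ofs.write("src/a.ts", "v2"); ofs.write("src/b.ts", "new"); ofs.remove("README.md");
  const seenInOverlay = ofs.read("src/a.ts");
  const realBefore = real.get("src/a.ts");
  const diff = ofs.pending().map((c) => `${c.op}:${c.path}`);
  ofs.reject();
  const afterReject = [...real.keys()];
  ofs.write("src/a.ts", "v2"); ofs.approve();
  return { seenInOverlay, realBefore, diff, afterReject, afterApprove: real.get("src/a.ts") };
}
```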

🔒

20-Point Bash Safety

20 checks before any shell command: incomplete commands, function injection, newline attacks, Unicode whitespace disguise, and more. Auto mode adds an interpreter blacklist requiring explicit user confirmation.
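Four of the check categories named above (incomplete commands, function injection, newline attacks, Unicode whitespace disguise) can be sketched as a validator that runs before a command is handed to the shell. This is an added example, not the tool's own checks; the rule names, patterns and sample commands are assumptions constructed for illustration.

```javascript
// Added example (hypothetical): rule names and patterns are assumptions, not the tool's checks.
// Whitespace-like or invisible code points that can pass for an ASCII space.
const UNICODE_WS = /[\u00A0\u1680\u2000-\u200D\u2028\u2029\u202F\u205F\u2060\u3000\uFEFF]/;
// "name() {" or "function name {" at the start of the string or after ; & |
const FUNCTION_DEF = /(^|[;&|]\s*)(function\s+[\w-]+(\s*\(\s*\))?|[\w-]+\s*\(\s*\))\s*\{/;

// True when a quote is left open or the string ends in a line-continuation backslash.
function isUnterminated(cmd) {
  let quote = null;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (quote === "'") { if (c === "'") quote = null; continue; } // no escapes inside '...'
    if (c === "\\") { if (i === cmd.length - 1) return true; i++; continue; }
    if (quote === '"') { if (c === '"') quote = null; continue; }
    if (c === "'" || c === '"') quote = c;
  }
  return quote !== null;
}

function checkCommand(cmd) {
  const violations = [];
  if (/[\r\n]/.test(cmd)) violations.push("embedded-newline");
  if (UNICODE_WS.test(cmd)) violations.push("unicode-whitespace");
  if (FUNCTION_DEF.test(cmd)) violations.push("function-definition");
  if (isUnterminated(cmd) || /(\||&&)\s*$/.test(cmd)) violations.push("incomplete-command");
  return violations;
}

// Constructed inputs: two clean commands, then one or two per rule.
const SAMPLE_COMMANDS = [
  "ls -la /tmp",
  "echo \"it's fine\"",
  "echo ok\ncat notes.txt",
  "ls\u00A0-la",
  "ls() { echo hi; }; ls",
  "echo 'unterminated",
  "grep foo |",
];

// Returns the commands that would be held for review, with the rules they tripped.
function auditSamples() {
  return SAMPLE_COMMANDS
    .map((cmd) => ({ cmd, violations: checkCommand(cmd) }))
    .filter((r) => r.violations.length > 0);
}
```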

🪝

Hook System

6 hook types across 24 events (Command, Prompt, Agent, HTTP, Callback, Function). Enterprises can intercept tool calls — e.g., trigger a security audit before any file write — without modifying source.

🖥️

Custom Terminal Renderer

TSX + React Ink with a custom Zustand-style store that only re-renders on changed fields. Achieves ~50× reduction in stringWidth() calls through batching — game-engine rendering discipline applied to a CLI.


Part IV · Takeaway

What This Means

Every architectural decision in the leak points in the same direction: Claude Code is being built to outlive the terminal session it runs in.

KAIROS acts without being prompted. Daemon mode persists past terminal closure. UDS Inbox coordinates multiple instances. Auto Dream consolidates memory overnight. Super Plan offloads reasoning to a more powerful cloud model. These are not features — they are a consistent architectural thesis: agents should behave like infrastructure, not tools.

The one exception is Buddy. A coding agent with a virtual pet is a bet that long-term engagement requires emotional attachment, not just performance. Anthropic is thinking about retention alongside capability.

The competitive irony: Undercover Mode was built to prevent Anthropic's internal information from leaking through Claude Code contributions to public repos. What exposed it was a missing line in a .npmignore file — a problem no LLM can guard against.

The community now has validated architectural patterns — ReAct loops, layered fault recovery, speculative execution, prompt cache splitting — at production scale. Competitors skip years of design exploration. Independent developers build on foundations that have been stress-tested in the real world.

A packaging mistake became the most informative AI architecture disclosure of 2026.


Internal model codenames found in the leaked code: Capybara, Earflap, and Nibbler.