On March 31, 2026, security researcher Chaofan Shou posted screenshots showing that Anthropic's Claude Code internal source code had leaked via npm source maps — .map files that were never removed from the production build. Within hours, the r/LocalLLaMA community was analyzing the exposed codebase.
1. What Happened
Claude Code was distributed as an npm package. Source map files (.map) are development artifacts that map minified code back to readable TypeScript — they should be removed before shipping. They weren't.
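A release check for the oversight described above, written as an added example (it is not code from the leaked package or from Anthropic). It flags shipped .map files, sourceMappingURL comments, and inline base64 maps, and counts how many original sources each map embeds through the Source Map v3 `sourcesContent` field. The function names and the sample package are constructed for illustration.

```javascript
// Added example: audit the files an npm package would publish for source-map exposure.
// Function names and the SAMPLE package are constructed for illustration.
const MAP_COMMENT = /\/\/[#@] sourceMappingURL=(\S+)/;

// Summarise what a Source Map v3 document would reveal to a reader.
function describeMap(json) {
  try {
    const map = JSON.parse(json);
    const embedded = (map.sourcesContent || []).filter((s) => typeof s === "string").length;
    return { sources: (map.sources || []).length, embedded };
  } catch {
    return { sources: 0, embedded: 0, unparsable: true };
  }
}

// files: array of { path, content } for everything that would be published.
function auditFiles(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (path.endsWith(".map")) {
      findings.push({ path, kind: "map-file", ...describeMap(content) });
      continue;
    }
    const m = /\.[cm]?js$/.test(path) ? MAP_COMMENT.exec(content) : null;
    if (!m) continue;
    const inline = /^data:application\/json[^,]*;base64,(.+)$/.exec(m[1]);
    if (inline) {
      const json = Buffer.from(inline[1], "base64").toString("utf8");
      findings.push({ path, kind: "inline-map", ...describeMap(json) });
    } else {
      findings.push({ path, kind: "map-reference", target: m[1] });
    }
  }
  return findings;
}

// Constructed sample: one external map, one inline map, one clean file.
const sampleMap = JSON.stringify({ version: 3, file: "cli.js", names: [], mappings: "AAAA",
  sources: ["../src/main.ts", "../src/tools.ts"],
  sourcesContent: ["export const a = 1;", "export const b = 2;"] });
const SAMPLE = [
  { path: "package.json", content: '{"name":"example-cli"}' },
  { path: "dist/cli.js", content: "run();\n//# sourceMappingURL=cli.js.map\n" },
  { path: "dist/cli.js.map", content: sampleMap },
  { path: "dist/util.js", content: "go();\n//# sourceMappingURL=data:application/json;base64," +
      Buffer.from(sampleMap).toString("base64") },
  { path: "dist/clean.js", content: "done();\n" },
];
console.log(auditFiles(SAMPLE)); // a release gate would fail the build on any finding
```

In a pipeline, the input would be the contents of the tarball that `npm pack` produces (`npm pack --dry-run` lists the files without writing it), so the check sees exactly what consumers would download.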
The leak exposed 4,600+ TypeScript/React source files across 55+ directories, licensed under Anthropic's Commercial Terms of Service, not Apache 2.0. Despite Anthropic's "open source" claims, the actual engine was proprietary.
2. What the Architecture Revealed
2.1. Eight-Layer Security Model
The codebase implements defense-in-depth with eight distinct security layers, covering input validation, permission boundaries, tool call sandboxing, and output filtering.
2.2. Four-Stage Message Compression
Claude Code compresses conversation history through four stages to fit within context windows while preserving the most relevant information for the current task. This is how it handles long sessions without degrading quality.
2.3. Cost-Aware Error Recovery
The system tracks token costs in real time and adjusts its retry and recovery strategies based on accumulated spend. If a tool call fails and retrying would be expensive, it falls back to a cheaper resolution path.
2.4. Plugin and Hook Architecture
The public GitHub repo only exposed plugin scaffolding and hook examples. The internal code shows a much richer runtime — hooks fire at every tool boundary, and the plugin system has deep access to context, permissions, and output streams.

3. Unreleased Features

The source maps also revealed Anthropic's near-term roadmap:
- Voice mode — Audio I/O integration for conversational coding
- Multi-agent orchestration — Coordinating multiple Claude instances on subtasks
- Kairos mode — Proactive/ambient mode where Claude initiates actions without being prompted
- Enhanced MCP integration — Deeper toolchain connectivity via the Model Context Protocol
4. What This Means

The incident shows two things simultaneously: how sophisticated Claude Code's production engineering is, and how a single build pipeline oversight can expose months of proprietary work.
For developers building on top of Claude, the architecture details — especially the compression and cost-tracking systems — explain behaviors that previously seemed like black boxes. For Anthropic, it's a reminder that "open source" positioning requires carefully scoping what's actually public.
