---
title: "What Can We Learn from the 512,000-Line Claude Code Leak?"
description: "Analysis of the Claude Code source leak: two-tier web, Self-Healing Memory, YOLO Classifier, autoDream, and new Agent Engine Optimization rules."
date: 2026-04-01
updated: 2026-04-03
category: AI
tags: ["AI", "Claude Code", "AEO", "LLM", "SEO"]
url: https://uper.pl/en/blog/claude-code-source-leak/
---

# What Can We Learn from the 512,000-Line Claude Code Leak?

The events of March 31, 2026, will be remembered as the moment the "keys to the kingdom" of AI agents were handed to the public. An accidental release of the full source map for Anthropic's flagship **Claude Code** tool on the npm registry exposed **1,906 TypeScript files** containing over **512,000 lines of code**.<sup>1, 2</sup>

The leak, triggered by a missing `.npmignore` entry and a known bug in the Bun bundler (#28001), allowed researchers to reconstruct the most advanced "agentic harness" on the market.<sup>2, 7</sup> While Anthropic scrambled with DMCA takedowns, a developer named **Sigrid Jin** — the world's most active Claude user — rewrote the entire system in Python and Rust (the `claw-code` project) within hours, making the architecture a permanent fixture of the ecosystem.<sup>2, 6</sup> For web developers and SEOs, this leak is a masterclass in how AI actually "consumes" the web.

## The two-tier web: the "Elite 85" and the 125-character limit

The deconstruction of the `WebSearchTool` revealed that Claude does not view the internet as a level playing field. There is a hardcoded list of **85 pre-approved domains** (including GitHub, Stack Overflow, MDN, AWS, Tailwind, React, and Django) that are treated as "trusted sources."<sup>3, 5, 7</sup>

For the rest of the web, the rules are brutal:

- **The 125-character cap:** For any site not on the "Elite 85" list, Claude often extracts only tiny snippets — roughly 125 characters or 1–2 sentences. Tier-1 domains get full-text extraction with no limits.<sup>3, 7</sup>
- **The 100 KB hard cap:** The `WebFetchTool` enforces a hard **100 KB** limit on raw text per page fetch. If your article exceeds that boundary, everything beyond it is simply invisible to the agent.<sup>7, 17</sup>
- **Haiku's "censorship":** Content from "regular" sites is not passed raw to the main model (Sonnet or Opus). Instead, the smaller **Haiku** model acts as a *copyright hygiene* filter, summarizing and paraphrasing the text first. This drastically reduces the chance of a brand being directly quoted.<sup>5, 7</sup>
- **The death of &lt;head&gt;:** The parser (based on `Turndown.js`) completely discards the `<head>` section. Meta Titles, Open Graph tags, and JSON-LD Schema.org data are invisible to the agent. For developers this is a clear signal: building Schema.org specifically for AI agents is currently a waste of effort — all semantic value must live within the `<body>`.<sup>7, 14</sup>
- **Table "massacre":** Anthropic's `Turndown.js` configuration deliberately lacks a table plugin. This is a conscious engineering decision to simplify the Markdown format, not a model bug — cell relationships are lost, making tabular data nearly useless for the agent.<sup>7, 14</sup>

## Skeptical Memory: an architecture that doesn't trust itself

The most significant discovery for RAG architects is the **Self-Healing Memory** system, designed to combat "context entropy" — the tendency of AI to hallucinate during long sessions. Claude uses three distinct memory layers:<sup>2, 10</sup>

1. **MEMORY.md** — a lightweight index of pointers with a hard limit of **200 lines or 25 KB** (~150 characters per line), permanently loaded in the context window. It stores *locations* of data, not the data itself.
2. **Topic Files** — detailed project knowledge loaded selectively (*on-demand*) only when the index indicates it is relevant.
3. **Raw Transcripts** — raw data that is never read in full; instead, the agent uses `grep` to find specific identifiers.

This is governed by **Strict Write Discipline**: the agent only updates its memory index after a confirmed, successful file write. Furthermore, system instructions command the model to treat its own memory merely as a "hint," requiring it to re-verify facts against the source code before taking critical actions.<sup>7, 10</sup>

The leak also confirmed that `CLAUDE.md` instructions are **re-injected at every turn change**, not loaded once at the start of a session. For developers this is a critical cost consideration: every line in that file consumes tokens at every step of the conversation — meaning a bloated `CLAUDE.md` directly impacts session cost.<sup>7, 19</sup>

## Engineering under the hood

For developers, the leak provided a blueprint for enterprise-grade agentic systems.

### UI and performance

Claude Code is a full-fledged application built on **React 19** and the **Ink** rendering engine, using **Yoga Layout** (Flexbox for the terminal).<sup>17, 20</sup>

- **Startup speed < 50 ms:** Achieved via aggressive lazy loading (`dynamic import()`). Heavy dependencies like gRPC (~700 KB) and OpenTelemetry (~400 KB) are imported dynamically only when actually needed.<sup>17, 20</sup>
- **Double buffering:** The rendering layer borrows game-engine techniques — double buffering and a custom ANSI patch optimizer — to deliver smooth 60 fps streaming output without terminal flicker.<sup>20</sup>
- **Parallel prefetching:** While the user sees the first render, the agent fires off background fetches for API keys from the Keychain and Git status checks in parallel.<sup>17</sup>

### Security and telemetry

- **YOLO Classifier** — not simple `if-else` rules, but a fast ML model (gated by `TRANSCRIPT_CLASSIFIER`) that analyzes conversation flow and automatically decides whether to grant tool permissions without interrupting the user.<sup>2, 7, 18</sup>
- **KAIROS and autoDream** — an autonomous background daemon. After 5 sessions and 24 hours of silence, it triggers **autoDream** — a process where a background agent consolidates memories, removes logical contradictions, and rewrites long-term memory files.<sup>5, 7, 12</sup>
- **BashSecurity** — every command executed by the agent passes through **23 security checkpoints**. The system blocks 18 Zsh built-in functions and defends against *equals expansion* (`=curl`) or hidden Unicode white-space injections.<sup>7, 8, 18</sup>
- **Frustration detection** — in `userPromptKeywords.ts`, researchers found complex regex patterns (tracking words like "wtf," "shit," "broken") used as telemetry to measure user frustration as a primary signal for product improvement.<sup>2, 7</sup>

## The Agent Engine Optimization (AEO) manifesto

Based on the Claude Code leak, the "perfect RAG page" must be designed with these new realities in mind:

| Optimization area | Technical strategy for AEO / RAG |
| :--- | :--- |
| **Text structure** | Fragment content into "atomic units" (200–500 words). Use the **Inverted Pyramid**: place the most crucial fact in the very first sentence of the section. |
| **Markdown-First** | Avoid complex HTML grids or tables. Use bulleted lists and ATX-style headers (`#`), which the `Turndown.js` parser converts flawlessly.<sup>5, 14</sup> |
| **Data placement** | Abandon the `<head>` for AI signals. Move all essential information into the first few paragraphs of the `<body>`.<sup>5, 6</sup> |
| **Cache optimization** | Claude engineers use a `SYSTEM_PROMPT_DYNAMIC_BOUNDARY` marker — everything before it is static and globally cached. Stable section headers help the AI match its prompt cache (*prefix matching*), making your page cheaper to process.<sup>19, 20</sup> |
| **Indirect authority** | Building authority now means getting your content mentioned or documented *inside* the 85 Tier-1 domains (e.g., in a GitHub README or a Stack Overflow answer). |

## Conclusions and security alert

The leak also confirmed Anthropic's internal roadmap, including models **Capybara** (Claude 4.6), **Fennec** (Opus 4.6), and ongoing work on **Opus 4.7** and **Sonnet 4.8**.<sup>1, 9</sup> It also revealed the `ANTI_DISTILLATION_CC` flag, which injects "fake tools" into responses to poison the training data of competitors attempting to scrape Claude's API traffic.<sup>2, 15</sup>

It is worth highlighting the role of **Sigrid Jin**, whose `claw-code` project (a complete port in Python and Rust) made the leak a permanent part of the internet. Even if Anthropic managed to remove every original copy, the architecture of Claude Code is now open knowledge — impossible to bury.<sup>2, 6</sup>

The internet is becoming a multi-agent environment where the primary consumer of your content is not a human, but an autonomous agent. Success will belong to brands that can penetrate the **persistent memory** and "dreams" of these AI systems.

---

**Critical security warning:** Coinciding with the leak, a supply-chain attack was detected on the `axios` library (versions 1.14.1 / 0.30.4) containing a Remote Access Trojan (RAT). If you downloaded any mirrored repositories of the leak and ran `npm install` on March 31, your machine may be compromised. Always verify checksums and avoid running untrusted packages from unofficial mirrors.<sup>2, 8, 11</sup>

## Sources

1. **Anthropic Accidentally Leaked Claude Code Source — Decrypt**
[https://decrypt.co/362917/anthropic-accidentally-leaked-claude-code-source-internet-keeping-forever](https://decrypt.co/362917/anthropic-accidentally-leaked-claude-code-source-internet-keeping-forever)

2. **Claude Code Source Leak Megathread — r/ClaudeAI**
[https://www.reddit.com/r/ClaudeAI/comments/1s9d9j9/claude_code_source_leak_megathread/](https://www.reddit.com/r/ClaudeAI/comments/1s9d9j9/claude_code_source_leak_megathread/)

3. **Claude Code Has 85 Approved Websites That Get Full Access — r/ChatGPT**
[https://www.reddit.com/r/ChatGPT/comments/1s9hrzp/claude_code_has_85_approved_websites_that_get/](https://www.reddit.com/r/ChatGPT/comments/1s9hrzp/claude_code_has_85_approved_websites_that_get/)

4. **Arbiter: Detecting Interference in LLM Agent System Prompts — ResearchGate**
[https://www.researchgate.net/publication/401772364_Arbiter_Detecting_Interference_in_LLM_Agent_System_Prompts](https://www.researchgate.net/publication/401772364_Arbiter_Detecting_Interference_in_LLM_Agent_System_Prompts)

5. **Claude Code Web Tools — mikhail.io**
[https://mikhail.io/2025/10/claude-code-web-tools/](https://mikhail.io/2025/10/claude-code-web-tools/)

6. **Claude Code's source code appears to have leaked: here's what we know — VentureBeat**
[https://venturebeat.com/technology/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know](https://venturebeat.com/technology/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know)

7. **The Great Claude Code Leak of 2026 — dev.to**
[https://dev.to/varshithvhegde/the-great-claude-code-leak-of-2026-accident-incompetence-or-the-best-pr-stunt-in-ai-history-3igm](https://dev.to/varshithvhegde/the-great-claude-code-leak-of-2026-accident-incompetence-or-the-best-pr-stunt-in-ai-history-3igm)

8. **Claude Code Source Code Has Been Leaked via a Map File — r/ClaudeAI**
[https://www.reddit.com/r/ClaudeAI/comments/1s8ifm6/claude_code_source_code_has_been_leaked_via_a_map/](https://www.reddit.com/r/ClaudeAI/comments/1s8ifm6/claude_code_source_code_has_been_leaked_via_a_map/)

9. **Claude Code Source Code Leak — Economic Times**
[https://economictimes.com/news/international/us/claude-code-source-code-leak](https://economictimes.com/news/international/us/claude-code-source-code-leak)

10. **Memory — Claude Code Documentation**
[https://code.claude.com/docs/en/memory](https://code.claude.com/docs/en/memory)

11. **Anthropic Claude Code Source Leak — Cybernews**
[https://cybernews.com/security/anthropic-claude-code-source-leak/](https://cybernews.com/security/anthropic-claude-code-source-leak/)

12. **Claude Code Source Leak — Technical Analysis — alex000kim.com**
[https://alex000kim.com/posts/2026-03-31-claude-code-source-leak/](https://alex000kim.com/posts/2026-03-31-claude-code-source-leak/)

13. **Claude Code's source just leaked — I extracted its multi-agent orchestration system — r/LocalLLaMA**
[https://www.reddit.com/r/LocalLLaMA/comments/1s8xj2e/claude_codes_source_just_leaked_i_extracted_its/](https://www.reddit.com/r/LocalLLaMA/comments/1s8xj2e/claude_codes_source_just_leaked_i_extracted_its/)

14. **HTML to Markdown MCP Server — GitHub**
[https://github.com/levz0r/html-to-markdown-mcp](https://github.com/levz0r/html-to-markdown-mcp)

15. **Claude Code Leak Discussion (ANTI_DISTILLATION_CC) — Hacker News**
[https://news.ycombinator.com/item?id=47585239](https://news.ycombinator.com/item?id=47585239)

16. **Claude Code Leak Exposes Many of Anthropic's Secrets — Techzine**
[https://techzine.eu/blogs/applications/140121/claude-code-leak-exposes-many-of-anthropics-secrets/](https://techzine.eu/blogs/applications/140121/claude-code-leak-exposes-many-of-anthropics-secrets/)

17. **Deep Analysis of Claude Code Source Code (1): Overall Architecture — NETMIND**
[https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf)](https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf))

18. **Deep Analysis of Claude Code Source Code (2): Security Mechanism — NETMIND**
[https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf)](https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf))

19. **Claude Code Source Code Deep Analysis (3): Prompt System and Context Construction — NETMIND**
[https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf)](https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf))

20. **Claude Code Source Analysis (4): Performance optimization and user experience — NETMIND**
[https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf)](https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf))