%20--%3e%3csvg%20version='1.1'%20id='Layer_1'%20xmlns='http://www.w3.org/2000/svg'%20xmlns:xlink='http://www.w3.org/1999/xlink'%20x='0px'%20y='0px'%20viewBox='0%200%20120.17%2045.43'%20style='enable-background:new%200%200%20120.17%2045.43;'%20xml:space='preserve'%3e%3cg%3e%3cpath%20d='M32.33,0v16.13c0,2.21-0.42,4.3-1.26,6.26c-0.84,1.97-2,3.7-3.49,5.18c-1.49,1.49-3.2,2.65-5.15,3.49%20c-1.94,0.84-4.04,1.26-6.3,1.26c-2.21,0-4.3-0.42-6.26-1.26c-1.97-0.84-3.68-2-5.15-3.49c-1.46-1.49-2.62-3.21-3.46-5.18%20C0.42,20.42,0,18.34,0,16.13V0h6.41v16.13c0,1.34,0.25,2.62,0.76,3.82c0.5,1.2,1.2,2.24,2.09,3.13c0.89,0.89,1.92,1.58,3.1,2.09%20c1.18,0.5,2.44,0.76,3.78,0.76c1.34,0,2.62-0.25,3.82-0.76c1.2-0.5,2.24-1.2,3.13-2.09c0.89-0.89,1.58-1.93,2.09-3.13%20c0.5-1.2,0.76-2.47,0.76-3.82V0H32.33z'%20fill='%232563eb'%20/%3e%3cpath%20d='M50.4,0.14c2.26,0,4.36,0.42,6.3,1.26c1.94,0.84,3.66,1.99,5.15,3.46c1.49,1.46,2.65,3.17,3.49,5.11%20c0.84,1.94,1.26,4.04,1.26,6.3c0,2.21-0.42,4.3-1.26,6.26c-0.84,1.97-2,3.7-3.49,5.18c-1.49,1.49-3.2,2.65-5.15,3.49%20c-1.94,0.84-4.04,1.26-6.3,1.26h-9.72v12.96h-6.41V16.27c0-2.26,0.42-4.36,1.26-6.3c0.84-1.94,1.99-3.65,3.46-5.11%20c1.46-1.46,3.18-2.62,5.15-3.46C46.1,0.56,48.19,0.14,50.4,0.14z%20M54.22,25.31c1.2-0.5,2.24-1.2,3.13-2.09%20c0.89-0.89,1.58-1.93,2.09-3.13c0.5-1.2,0.76-2.47,0.76-3.82c0-1.34-0.25-2.6-0.76-3.78c-0.5-1.18-1.2-2.21-2.09-3.1%20c-0.89-0.89-1.93-1.58-3.13-2.09c-1.2-0.5-2.47-0.76-3.82-0.76c-1.34,0-2.6,0.25-3.78,0.76c-1.18,0.5-2.21,1.2-3.1,2.09%20c-0.89,0.89-1.58,1.92-2.09,3.1c-0.5,1.18-0.76,2.44-0.76,3.78v9.79h9.72C51.74,26.06,53.02,25.81,54.22,25.31z'%20fill='%232563eb'/%3e%3cpath%20d='M94.03,20.95l4.54,4.54l-2.23,2.23c-1.54,1.54-3.29,2.71-5.26,3.53c-1.97,0.82-4.03,1.22-6.19,1.22%20c-2.16,0-4.22-0.41-6.19-1.22c-1.97-0.82-3.72-1.99-5.26-3.53c-1.58-1.58-2.76-3.37-3.53-5.36c-0.77-1.99-1.15-4.02-1.15-6.08%20c0-2.06,0.38-4.08,1.15-6.05c0.77-1.97,1.94-3.74,3.53-5.33s3.37-2.77,5.36-3.56c1.99-0.79,4.02-1.19,6.08-1.19%20c2.06,0,4.09,0.4,6.08,1.19c1.99,0.79,3.78,1.98,5.36,3.56l2.23,2.23L80.64,25.06c1.82,0.91,3.75,1.21,5.8,0.9%20c2.04-0.31,3.83-1.24,5.36-2.77L94.03,20.95z%20M77.98,9.36c-1.92,1.92-2.88,4.22-2.88,6.91c0,1.49,0.33,2.9,1.01,4.25%20c0.58-0.58,1.45-1.45,2.63-2.63c1.18-1.18,2.42-2.42,3.74-3.74c1.32-1.32,2.59-2.58,3.82-3.78c1.22-1.2,2.17-2.14,2.84-2.81%20c-1.83-0.91-3.76-1.22-5.8-0.94C81.3,6.91,79.51,7.82,77.98,9.36z'%20fill='%232563eb'%20/%3e%3cpath%20d='M120.17,0v6.41h-3.24c-1.35,0-2.61,0.25-3.78,0.76c-1.18,0.5-2.21,1.2-3.1,2.09c-0.89,0.89-1.58,1.92-2.09,3.1%20c-0.5,1.18-0.76,2.44-0.76,3.78v16.2h-6.48v-16.2c0-2.26,0.42-4.36,1.26-6.3c0.84-1.94,2-3.65,3.49-5.11%20c1.49-1.46,3.21-2.62,5.18-3.46c1.97-0.84,4.06-1.26,6.27-1.26H120.17z'%20fill='%232563eb'/%3e%3c/g%3e%3c/svg%3e){kind=small}
The events of March 31, 2026, will be remembered as the moment the “keys to the kingdom” of AI agents were handed to the public. An accidental release of the full source map for Anthropic’s flagship Claude Code tool on the npm registry exposed 1,906 TypeScript files containing over 512,000 lines of code.1, 2
The leak, triggered by a missing .npmignore entry and a known bug in the Bun bundler (#28001), allowed researchers to reconstruct the most advanced “agentic harness” on the market.2, 7 While Anthropic scrambled with DMCA takedowns, a developer named Sigrid Jin — the world’s most active Claude user — rewrote the entire system in Python and Rust (the claw-code project) within hours, making the architecture a permanent fixture of the ecosystem.2, 6 For web developers and SEOs, this leak is a masterclass in how AI actually “consumes” the web.
The two-tier web: the “Elite 85” and the 125-character limit
The deconstruction of the WebSearchTool revealed that Claude does not view the internet as a level playing field. There is a hardcoded list of 85 pre-approved domains (including GitHub, Stack Overflow, MDN, AWS, Tailwind, React, and Django) that are treated as “trusted sources.”3, 5, 7
For the rest of the web, the rules are brutal:
- The 125-character cap: For any site not on the “Elite 85” list, Claude often extracts only tiny snippets — roughly 125 characters or 1–2 sentences. Tier-1 domains get full-text extraction with no limits.3, 7
- The 100 KB hard cap: The
WebFetchToolenforces a hard 100 KB limit on raw text per page fetch. If your article exceeds that boundary, everything beyond it is simply invisible to the agent.7, 17 - Haiku’s “censorship”: Content from “regular” sites is not passed raw to the main model (Sonnet or Opus). Instead, the smaller Haiku model acts as a copyright hygiene filter, summarizing and paraphrasing the text first. This drastically reduces the chance of a brand being directly quoted.5, 7
- The death of <head>: The parser (based on
Turndown.js) completely discards the<head>section. Meta Titles, Open Graph tags, and JSON-LD Schema.org data are invisible to the agent. For developers this is a clear signal: building Schema.org specifically for AI agents is currently a waste of effort — all semantic value must live within the<body>.7, 14 - Table “massacre”: Anthropic’s
Turndown.jsconfiguration deliberately lacks a table plugin. This is a conscious engineering decision to simplify the Markdown format, not a model bug — cell relationships are lost, making tabular data nearly useless for the agent.7, 14
Skeptical Memory: an architecture that doesn’t trust itself
The most significant discovery for RAG architects is the Self-Healing Memory system, designed to combat “context entropy” — the tendency of AI to hallucinate during long sessions. Claude uses three distinct memory layers:2, 10
- MEMORY.md — a lightweight index of pointers with a hard limit of 200 lines or 25 KB (~150 characters per line), permanently loaded in the context window. It stores locations of data, not the data itself.
- Topic Files — detailed project knowledge loaded selectively (on-demand) only when the index indicates it is relevant.
- Raw Transcripts — raw data that is never read in full; instead, the agent uses
grepto find specific identifiers.
This is governed by Strict Write Discipline: the agent only updates its memory index after a confirmed, successful file write. Furthermore, system instructions command the model to treat its own memory merely as a “hint,” requiring it to re-verify facts against the source code before taking critical actions.7, 10
The leak also confirmed that CLAUDE.md instructions are re-injected at every turn change, not loaded once at the start of a session. For developers this is a critical cost consideration: every line in that file consumes tokens at every step of the conversation — meaning a bloated CLAUDE.md directly impacts session cost.7, 19
Engineering under the hood
For developers, the leak provided a blueprint for enterprise-grade agentic systems.
UI and performance
Claude Code is a full-fledged application built on React 19 and the Ink rendering engine, using Yoga Layout (Flexbox for the terminal).17, 20
- Startup speed < 50 ms: Achieved via aggressive lazy loading (
dynamic import()). Heavy dependencies like gRPC (~700 KB) and OpenTelemetry (~400 KB) are imported dynamically only when actually needed.17, 20 - Double buffering: The rendering layer borrows game-engine techniques — double buffering and a custom ANSI patch optimizer — to deliver smooth 60 fps streaming output without terminal flicker.20
- Parallel prefetching: While the user sees the first render, the agent fires off background fetches for API keys from the Keychain and Git status checks in parallel.17
Security and telemetry
- YOLO Classifier — not simple
if-elserules, but a fast ML model (gated byTRANSCRIPT_CLASSIFIER) that analyzes conversation flow and automatically decides whether to grant tool permissions without interrupting the user.2, 7, 18 - KAIROS and autoDream — an autonomous background daemon. After 5 sessions and 24 hours of silence, it triggers autoDream — a process where a background agent consolidates memories, removes logical contradictions, and rewrites long-term memory files.5, 7, 12
- BashSecurity — every command executed by the agent passes through 23 security checkpoints. The system blocks 18 Zsh built-in functions and defends against equals expansion (
=curl) or hidden Unicode white-space injections.7, 8, 18 - Frustration detection — in
userPromptKeywords.ts, researchers found complex regex patterns (tracking words like “wtf,” “shit,” “broken”) used as telemetry to measure user frustration as a primary signal for product improvement.2, 7
The Agent Engine Optimization (AEO) manifesto
Based on the Claude Code leak, the “perfect RAG page” must be designed with these new realities in mind:
| Optimization area | Technical strategy for AEO / RAG |
|---|---|
| Text structure | Fragment content into “atomic units” (200–500 words). Use the Inverted Pyramid: place the most crucial fact in the very first sentence of the section. |
| Markdown-First | Avoid complex HTML grids or tables. Use bulleted lists and ATX-style headers (#), which the Turndown.js parser converts flawlessly.5, 14 |
| Data placement | Abandon the <head> for AI signals. Move all essential information into the first few paragraphs of the <body>.5, 6 |
| Cache optimization | Claude engineers use a SYSTEM_PROMPT_DYNAMIC_BOUNDARY marker — everything before it is static and globally cached. Stable section headers help the AI match its prompt cache (prefix matching), making your page cheaper to process.19, 20 |
| Indirect authority | Building authority now means getting your content mentioned or documented inside the 85 Tier-1 domains (e.g., in a GitHub README or a Stack Overflow answer). |
Conclusions and security alert
The leak also confirmed Anthropic’s internal roadmap, including models Capybara (Claude 4.6), Fennec (Opus 4.6), and ongoing work on Opus 4.7 and Sonnet 4.8.1, 9 It also revealed the ANTI_DISTILLATION_CC flag, which injects “fake tools” into responses to poison the training data of competitors attempting to scrape Claude’s API traffic.2, 15
It is worth highlighting the role of Sigrid Jin, whose claw-code project (a complete port in Python and Rust) made the leak a permanent part of the internet. Even if Anthropic managed to remove every original copy, the architecture of Claude Code is now open knowledge — impossible to bury.2, 6
The internet is becoming a multi-agent environment where the primary consumer of your content is not a human, but an autonomous agent. Success will belong to brands that can penetrate the persistent memory and “dreams” of these AI systems.
Critical security warning: Coinciding with the leak, a supply-chain attack was detected on the axios library (versions 1.14.1 / 0.30.4) containing a Remote Access Trojan (RAT). If you downloaded any mirrored repositories of the leak and ran npm install on March 31, your machine may be compromised. Always verify checksums and avoid running untrusted packages from unofficial mirrors.2, 8, 11
Sources
-
Anthropic Accidentally Leaked Claude Code Source — Decrypt https://decrypt.co/362917/anthropic-accidentally-leaked-claude-code-source-internet-keeping-forever
-
Claude Code Source Leak Megathread — r/ClaudeAI https://www.reddit.com/r/ClaudeAI/comments/1s9d9j9/claude_code_source_leak_megathread/
-
Claude Code Has 85 Approved Websites That Get Full Access — r/ChatGPT https://www.reddit.com/r/ChatGPT/comments/1s9hrzp/claude_code_has_85_approved_websites_that_get/
-
Arbiter: Detecting Interference in LLM Agent System Prompts — ResearchGate https://www.researchgate.net/publication/401772364_Arbiter_Detecting_Interference_in_LLM_Agent_System_Prompts
-
Claude Code Web Tools — mikhail.io https://mikhail.io/2025/10/claude-code-web-tools/
-
Claude Code’s source code appears to have leaked: here’s what we know — VentureBeat https://venturebeat.com/technology/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know
-
The Great Claude Code Leak of 2026 — dev.to https://dev.to/varshithvhegde/the-great-claude-code-leak-of-2026-accident-incompetence-or-the-best-pr-stunt-in-ai-history-3igm
-
Claude Code Source Code Has Been Leaked via a Map File — r/ClaudeAI https://www.reddit.com/r/ClaudeAI/comments/1s8ifm6/claude_code_source_code_has_been_leaked_via_a_map/
-
Claude Code Source Code Leak — Economic Times https://economictimes.com/news/international/us/claude-code-source-code-leak
-
Memory — Claude Code Documentation https://code.claude.com/docs/en/memory
-
Anthropic Claude Code Source Leak — Cybernews https://cybernews.com/security/anthropic-claude-code-source-leak/
-
Claude Code Source Leak — Technical Analysis — alex000kim.com https://alex000kim.com/posts/2026-03-31-claude-code-source-leak/
-
Claude Code’s source just leaked — I extracted its multi-agent orchestration system — r/LocalLLaMA https://www.reddit.com/r/LocalLLaMA/comments/1s8xj2e/claude_codes_source_just_leaked_i_extracted_its/
-
HTML to Markdown MCP Server — GitHub https://github.com/levz0r/html-to-markdown-mcp
-
Claude Code Leak Discussion (ANTI_DISTILLATION_CC) — Hacker News https://news.ycombinator.com/item?id=47585239
-
Claude Code Leak Exposes Many of Anthropic’s Secrets — Techzine https://techzine.eu/blogs/applications/140121/claude-code-leak-exposes-many-of-anthropics-secrets/
-
Deep Analysis of Claude Code Source Code (1): Overall Architecture — NETMIND https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf)
-
Deep Analysis of Claude Code Source Code (2): Security Mechanism — NETMIND https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf)
-
Claude Code Source Code Deep Analysis (3): Prompt System and Context Construction — NETMIND https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf)
-
Claude Code Source Analysis (4): Performance optimization and user experience — NETMIND https://blog.netmind.ai/article/Claude_Code_Source_Code_Deep_Analysis_(in_pdf)
