This repository preserves a publicly exposed Claude Code
src/snapshot that became reachable on 2026-03-31 through source-map exposure in the npm distribution. It is maintained as a reference set for defensive security research, software supply-chain review, and architecture analysis.
Claude Code is Anthropic's terminal-native CLI for working with Claude on software engineering tasks such as code search, file editing, command execution, session recovery, and workflow coordination.
This repository should be read as a technical archive and analysis target, not as an official upstream project.
- Exposure identified: 2026-03-31
- Primary language: TypeScript
- Runtime: Bun
- Terminal UI: React + Ink
- Snapshot scale: archive notes bundled with this snapshot describe the exposed corpus as roughly 1,900 files and 512,000+ lines of code
- Ownership: the original Claude Code source remains Anthropic property
What this repository provides is not just a CLI snapshot, but a useful sample for studying:
- packaging and release-surface exposure
- agentic developer-tool architecture
- permission-aware tool execution
- terminal application engineering
- remote and multi-agent workflow design
Chaofan Shou (@Fried_rice) publicly noted that Claude Code source material was reachable through a .map file exposed in the npm package:
"Claude code source code has been leaked via a map file in their npm registry!"
The published source map referenced unobfuscated TypeScript sources hosted in Anthropic's R2 storage bucket, which made the src/ snapshot publicly downloadable.
From an engineering standpoint, Claude Code is best understood as a stateful terminal agent runtime, not a thin wrapper over a model API.
The exposed source shows a system that combines:
- bootstrap and environment initialization
- session persistence and history management
- a centralized model-and-tool orchestration loop
- a permission and policy enforcement layer
- a full-screen React + Ink terminal application
- extension surfaces for MCP, IDE bridges, plugins, remote sessions, and background agents
The architectural implication is straightforward: the product is designed as a software engineering workstation in the terminal, where prompt handling, tool execution, interaction design, and operational safety are all first-class concerns.
| Layer | Responsibility | Representative paths |
|---|---|---|
| Bootstrap and session setup | Initializes startup state, config, hooks, worktrees, terminal recovery, and remote/session wiring | src/main.tsx, src/setup.ts |
| Context assembly | Builds system and user context, including git snapshots and memory attachments | src/context.ts, src/memdir/* |
| Model loop and conversation kernel | Maintains messages, runs turns, invokes tools, tracks usage, and preserves continuity | src/QueryEngine.ts, src/query.ts |
| Tool control plane | Defines tool contracts, discovery, enablement, and permission-aware execution | src/Tool.ts, src/tools.ts, src/tools/* |
| Command surface | Exposes user-invoked slash commands and higher-level workflows | src/commands.ts, src/commands/* |
| Terminal application | Implements the REPL, dialogs, task views, permission prompts, and operator UX | src/screens/*, src/components/*, src/state/* |
| Rendering runtime | Provides the custom Ink-based renderer, layout, event dispatch, selection, and terminal diff logic | src/ink/* |
| Task and agent orchestration | Runs local agents, shell tasks, remote agents, teammate tasks, and progress reporting | src/tasks/*, src/coordinator/*, src/tools/AgentTool/* |
| Integration layer | Connects MCP servers, IDE bridges, auth flows, telemetry, plugins, LSP, and remote controls | src/services/*, src/bridge/* |
| Productivity subsystems | Adds Vim editing, keybindings, migrations, memory, proxying, and auxiliary UX | src/vim/*, src/keybindings/*, src/migrations/*, src/upstreamproxy/* |
src/
├── main.tsx # Main CLI bootstrap and orchestration entrypoint
├── setup.ts # Session/bootstrap setup and worktree handling
├── QueryEngine.ts # Conversation and tool orchestration kernel
├── query.ts # Model request pipeline
├── commands.ts # Slash-command registry
├── tools.ts # Tool registry and environment-based filtering
├── Tool.ts # Tool contracts, permission context, execution types
├── context.ts # System/user context assembly
├── history.ts # Local prompt history and pasted-content tracking
├── assistant/ # Session history and assistant-mode support
├── bridge/ # IDE and remote bridge layer
├── commands/ # Built-in slash commands
├── components/ # Terminal UI components
├── coordinator/ # Multi-agent coordination entrypoints
├── hooks/ # React and permission-related hooks
├── ink/ # Customized Ink renderer/runtime
├── keybindings/ # Keyboard shortcut infrastructure
├── memdir/ # Persistent memory model and prompt assembly
├── migrations/ # Settings and model migration logic
├── plugins/ # Plugin loading and plugin-facing integration
├── query/ # Query helpers and request shaping
├── remote/ # Remote-session support
├── screens/ # REPL, doctor, resume, and full-screen flows
├── server/ # Server/direct-connect entrypoints
├── services/ # API, MCP, auth, analytics, LSP, tips, sync
├── state/ # App state stores and selectors
├── tasks/ # Background agent/shell task implementations
├── types/ # Shared TypeScript types
├── upstreamproxy/ # Proxy bootstrap and relay for remote environments
├── utils/ # Shared infrastructure and utility code
├── vim/ # Vim-style editing subsystem
└── voice/ # Voice-related integrations
Claude Code treats tools as first-class runtime modules. Each tool is defined with an input schema, permission behavior, execution path, and UI/progress surface where needed.
Representative tool groups include:
- Local execution and search:
BashTool,FileReadTool,FileEditTool,FileWriteTool,GlobTool,GrepTool,NotebookEditTool - Web and external context:
WebFetchTool,WebSearchTool,MCPTool,LSPTool,ReadMcpResourceTool - Workflow orchestration:
AgentTool,SkillTool,TaskCreateTool,TaskUpdateTool,TaskOutputTool,SendMessageTool - Execution-mode controls:
EnterPlanModeTool,ExitPlanModeTool,EnterWorktreeTool,ExitWorktreeTool,ScheduleCronTool,RemoteTriggerTool,SyntheticOutputTool
This organization makes the tool layer closer to a governed execution platform than a loose collection of helper commands.
Slash commands provide the user-facing workflow layer on top of the runtime. Notable command families include:
- Repository and review workflow:
/commit,/review,/diff,/branch,/pr_comments,/resume - Environment and configuration:
/doctor,/config,/permissions,/hooks,/mcp,/statusline,/model,/theme,/effort - Productivity and context:
/memory,/skills,/tasks,/vim,/context,/stats,/share,/desktop,/mobile
The separation between commands and tools is architecturally important: commands are explicit user workflows, while tools are capabilities the model can call during execution.
| Service area | Role |
|---|---|
api/ |
API client, bootstrap calls, file/session interactions |
mcp/ |
MCP server connection, config parsing, resource and command exposure |
oauth/ |
Authentication and token flows |
lsp/ |
Language server lifecycle and editor-aware language tooling |
analytics/ |
Feature flags, GrowthBook integration, telemetry hooks |
plugins/ |
Plugin loading, versioning, and plugin command discovery |
compact/ |
Context compaction, replay, and post-compact cleanup |
policyLimits/ |
Organization and policy limit enforcement |
remoteManagedSettings/ |
Remote settings overlays and managed configuration |
extractMemories/ / teamMemorySync/ |
Memory extraction and synchronization workflows |
PromptSuggestion/, tips/, notifier.ts |
Assistive UX, suggestion, and notification services |
The bridge subsystem shows that Claude Code was designed to operate outside a standalone local TTY.
Key files include:
bridgeMain.ts— bridge bootstrap and coordination loopbridgeMessaging.ts— message protocol layerbridgePermissionCallbacks.ts— permission callbacks across the bridge boundaryreplBridge.ts— REPL session bridge wiringsessionRunner.ts— remote/session execution managementjwtUtils.ts— bridge/session authentication helpers
The src/upstreamproxy/ subsystem adds another notable capability: it bootstraps a local CONNECT-to-WebSocket relay for constrained remote environments, allowing controlled upstream access without treating remote execution as a special-case afterthought.
Permission enforcement is not an add-on. It is embedded into the runtime contract.
src/Tool.tsdefines the permission context carried alongside tool execution.src/hooks/toolPermission/PermissionContext.tsmanages approval, rejection, persistence, hook execution, and classifier-assisted decisions.src/setup.tswires session-level behavior such as hooks, worktrees, and execution context before the main loop runs.src/context.tsassembles system and user context, including git-state snapshots and memory-derived prompt content.
This is one of the clearer signals that Claude Code is engineered as a controlled execution environment, not just an API shell.
| Category | Technology / approach |
|---|---|
| Runtime | Bun |
| Language | TypeScript |
| Terminal UI | React + Ink |
| CLI parsing | @commander-js/extra-typings |
| Validation | Zod v4 |
| Search | ripgrep-backed search tooling |
| Protocols | MCP, LSP |
| API layer | Anthropic SDK and session/file APIs |
| Telemetry and gating | GrowthBook, analytics hooks, operational logging |
| Auth and session identity | OAuth, JWT, keychain/session token flows |
src/main.tsx explicitly front-loads expensive reads such as MDM settings and keychain prefetching before the broader module graph finishes loading. That is a product-level optimization for high-frequency interactive usage, not a cosmetic implementation detail.
The source makes heavy use of bun:bundle feature flags and conditional imports. Flags such as PROACTIVE, KAIROS, BRIDGE_MODE, DAEMON, VOICE_MODE, AGENT_TRIGGERS, and MONITOR_TOOL indicate a build strategy where capabilities can be compiled in or stripped out by target environment.
Large or infrequently used features are often loaded through conditional require() or deferred imports. This keeps startup time under control while preserving a broad feature surface.
The combination of src/history.ts, src/assistant/sessionHistory.ts, and src/memdir/memdir.ts shows a layered persistence model: local input history, backend session history, and typed memory are treated as separate but coordinated concerns.
The task layer is not limited to shell processes. It includes local agents, remote agents, in-process teammates, and foreground/background task transitions, which is consistent with a multi-agent workflow product rather than a single-threaded chatbot.
The src/ink/ tree includes custom layout, render diffing, event dispatch, alternate-screen control, selection, search highlighting, ANSI parsing, and terminal-state handling. That level of investment indicates a purpose-built terminal application runtime.
If the goal is to understand the project quickly, these are the highest-yield entry points in the current snapshot:
src/main.tsx— 4,683 lines; bootstrap orchestration, mode selection, startup policy, bridge/remote/worktree/session initializationsrc/QueryEngine.ts— 1,295 lines; turn execution, model loop, tool handling, usage tracking, session continuitysrc/Tool.ts— 792 lines; tool contracts, execution context, permission structures, progress typessrc/commands.ts— 754 lines; command registry, enablement logic, environment-specific command loadingsrc/screens/REPL.tsx— primary interactive application surfacesrc/history.ts,src/assistant/sessionHistory.ts,src/memdir/memdir.ts— persistence, history, and memory behaviorsrc/upstreamproxy/*,src/vim/*,src/services/mcp/*— specialized subsystems that reveal operational and product depth
This source snapshot is valuable for at least four research directions:
-
Supply-chain exposure analysis
It shows how source maps and storage-backed release artifacts can expose a far larger internal code surface than intended. -
Agent-tooling architecture study
It provides a concrete example of how a production-grade coding agent separates prompts, tools, permissions, state, and user workflows. -
Terminal product engineering
It demonstrates that serious terminal applications require dedicated rendering, interaction, state, and recovery strategies. -
Security and governance design
Permission contexts, policy limits, hooks, remote execution, MCP integration, and controlled proxying make the codebase relevant to defensive analysis of agent safety boundaries.
- This repository is maintained as a defensive security research and architecture analysis archive.
- The original Claude Code source remains the property of Anthropic.
- This repository is not affiliated with, endorsed by, or maintained by Anthropic.