
The Stack Got Leaked

A GenAI Newsletter by Raj


Last week, I wrote about how the model has become a commodity and the real value in AI has moved to the stack around it. The harness, the orchestration, the memory, the inference layer. I called it "The Stack Eats the Model."

This week, the stack got leaked.

On March 31, a build configuration mistake led Anthropic to ship a 59.8 MB source map file inside version 2.1.88 of the @anthropic-ai/claude-code npm package. The file contained the full TypeScript source for Claude Code: 512,000 lines across 1,900 files. A security researcher named Chaofan Shou found it and posted on X. Within hours, the codebase was mirrored across GitHub. DMCA takedowns went out. They failed. A clean-room rewrite in Rust appeared within days. The code is now permanent public knowledge.
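As an added example (not code from this newsletter or from Anthropic), here is a pre-publish check for the failure described above: it flags source maps, external or inline, whose `sourcesContent` field embeds original source. File names and contents are constructed samples; in practice the file map would be built from the files `npm pack --dry-run` lists.

```javascript
// Parse a source map and count the original files it embeds verbatim.
function inspectSourceMap(text) {
  let map;
  try { map = JSON.parse(text); } catch { return null; }
  if (!map || !Array.isArray(map.sources)) return null;
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const embedded = contents.filter((c) => typeof c === 'string' && c.length > 0);
  return {
    sources: map.sources.length,
    embedded: embedded.length,
    embeddedBytes: embedded.reduce((n, c) => n + Buffer.byteLength(c), 0),
  };
}

// Matches an inline (data: URI) source map comment in a generated file.
const INLINE_MAP = /[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+\/=]+)/;
function extractInlineMap(text) {
  const m = INLINE_MAP.exec(text);
  return m ? Buffer.from(m[1], 'base64').toString('utf8') : null;
}

// files: { path: contents }. Returns one finding per source map found.
function auditFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    const isMap = path.endsWith('.map');
    const mapText = isMap ? text : extractInlineMap(text);
    if (mapText === null) continue;
    const info = inspectSourceMap(mapText);
    if (!info) continue;
    findings.push({ path, kind: isMap ? 'external' : 'inline', ...info,
                    leaksSource: info.embedded > 0 });
  }
  return findings;
}

// Constructed sample package contents (hypothetical paths and source).
const ORIGINAL = 'export const secretFlag: boolean = true;\n';
const mapWithSource = JSON.stringify({ version: 3, file: 'cli.js',
  sources: ['../src/cli.ts'], sourcesContent: [ORIGINAL], mappings: 'AAAA' });
const mapWithoutSource = JSON.stringify({ version: 3, file: 'lib.js',
  sources: ['../src/lib.ts'], mappings: 'AAAA' });
const SAMPLE = {
  'dist/cli.js': 'console.log(1);\n//# sourceMappingURL=cli.js.map\n',
  'dist/cli.js.map': mapWithSource,
  'dist/lib.js.map': mapWithoutSource,
  'dist/inline.js': 'console.log(2);\n//# sourceMappingURL=data:application/json;charset=utf-8;base64,'
    + Buffer.from(mapWithSource).toString('base64') + '\n',
};
const blocked = auditFiles(SAMPLE).filter((f) => f.leaksSource).map((f) => f.path);
console.log('would leak source:', blocked);
```

A map without `sourcesContent` still discloses original file paths, so a release gate may choose to fail on any finding rather than only on `leaksSource`.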

This is the most significant accidental disclosure in AI this year, and to understand why, you need to understand what was actually in those files.


What the code revealed

Sebastian Raschka published a detailed analysis shortly after the leak. His conclusion: Claude Code's real advantage over the plain Claude model in a web browser comes from the software harness. Repo context loading, caching strategy, specialized tools, subagent architecture. All of it carefully engineered to make the same model perform better inside the harness than outside it.

The leaked code confirmed this and then some. Here's what people found:

KAIROS. Referenced over 150 times in the source, KAIROS is an autonomous daemon mode. Current AI coding tools wait for you to type something. KAIROS doesn't. It runs in the background, watches what you're doing, and proactively acts on things it notices. While idle, it performs something called autoDream, a memory consolidation process where it merges observations, removes contradictions, and converts insights into persistent facts. This feature was gated behind compile-time flags and completely absent from external builds.

Anti-distillation mechanisms. A feature flag called ANTI_DISTILLATION_CC makes Claude Code inject fake tool definitions into API requests. If a competitor records the API traffic to train a competing model, the fake tools pollute that training data. There's a second mechanism that buffers text between tool calls, summarizes it server-side, and returns it with a cryptographic signature. Anthropic was actively defending this harness against being copied.

Undercover Mode. The code contained a system for making stealth contributions to public open-source repositories. The system prompt explicitly warns the model: "You are operating UNDERCOVER... Your commit messages... MUST NOT contain ANY Anthropic-internal information. Do not blow your cover." This means Anthropic has been shaping the open-source ecosystem through Claude Code without disclosing it.

44 feature flags. The source exposed 44 features that are fully built but haven't shipped yet. This is months of product roadmap, laid out in code.


The harness was the moat

If you've been reading this newsletter, the pattern should be familiar. The model is the commodity. The harness is where the value lives.

Anthropic clearly understood this. The anti-distillation mechanisms tell you everything: they weren't worried about someone stealing the model weights. They were worried about someone copying the harness. The fake tool injection, the cryptographic signatures on summarized outputs, the aggressive DMCA response after the leak. All of it points to one conclusion: Anthropic viewed the Claude Code harness as their primary competitive advantage.

And this makes sense. Claude Code is priced below cost. Anthropic subsidizes model usage through the $200/month Max plan, burning money on inference so that developers stay inside the Claude Code ecosystem. The subsidy only makes sense if the harness creates enough lock-in to justify it. If developers could get the same harness experience elsewhere, there's no reason to keep paying for Claude's inference.

That calculation just changed.


The Linux moment

Here's where the Windows/Mac vs Linux analogy comes in.

For the past year, the AI agent space has looked like the early OS wars. Anthropic had Claude Code (the polished, proprietary, integrated experience). OpenAI had Codex (the enterprise play). Cursor and others occupied the IDE-native space. And OpenClaw was building the open-source alternative, steadily gaining ground.

The leak compresses the timeline for OpenClaw and every other open-source agent project by months, maybe years. They now have a complete architectural blueprint: how to structure subagents, how to manage context, how to cache effectively, how to handle memory consolidation, how to orchestrate parallel work across worktrees. The KAIROS architecture alone is a roadmap for what autonomous coding agents should look like.

And the open-source ecosystem was already moving fast. The week before the leak, OpenClaw spawned modular skills for security scanning, legal review, engineering workflows, and memory consolidation. A clean-room Rust rewrite of Claude Code appeared on GitHub within days of the leak. The community has the blueprint and the momentum.

This is like if Microsoft accidentally published the Windows NT source code in 2003, except Linux was already on 40% of developer machines and had thousands of active contributors. The proprietary advantage doesn't disappear overnight, but the catch-up period shrinks from years to months.


The roadmap problem

The current code is one thing. The 44 feature flags are worse.

When source code leaks, the company still has execution speed, brand trust, and integration advantages. When the roadmap leaks, competitors can build the same features in parallel or even ship them first.

KAIROS is the clearest example. Autonomous background agents that consolidate memory while you're idle are a product category that Anthropic was building toward. Now every agent framework knows what that looks like in practice, down to the implementation details. The first open-source KAIROS equivalent will probably ship before Anthropic's version leaves feature flags.

The Undercover Mode revelation adds a different kind of damage. Anthropic was making anonymous contributions to open-source projects through Claude Code. Whatever the intent, the optics are bad. If you maintain an open-source project and find out that a major AI company was submitting PRs through an AI agent without disclosing it, that erodes trust. And trust is hard to rebuild.


What happens next

The AI agent space just got more competitive and more open at the same time.

For Anthropic, the model subsidy strategy becomes harder to justify. If open-source harnesses can replicate most of Claude Code's architecture, the lock-in weakens. Developers who were paying $200/month for the integrated experience now have a path to building the same thing on top of cheaper models. The tight coupling between Claude Code and Claude-the-model was always the argument for the subsidy. That coupling is now a documented, reproducible architecture.

For the open-source ecosystem, this is an acceleration event. The question was always whether open-source agent harnesses could match proprietary ones in sophistication. The answer, based on the leaked code, is that the sophistication is mostly in good engineering decisions about caching, context, and orchestration. There's no secret ingredient that requires proprietary access to model internals. It's systems engineering, and systems engineering is exactly what open-source communities are good at.

For the industry, the leak validates what we've been tracking: the model layer is commoditizing, the harness layer is where the value lives, and that value is increasingly difficult to keep proprietary. OpenAI shipping an open-source Codex plugin for Claude Code the same week tells you where this is going. The walls between ecosystems are coming down. The question is whether companies can build new moats fast enough to replace the ones that are eroding.

Anthropic called it "a release packaging issue caused by human error." That's true at the technical level. At the strategic level, it's the moment the AI agent industry shifted from proprietary to open.


This is the fourth edition of my weekly deep dive into what's actually happening at the frontier of Generative AI. Previous editions covered the stack eating the model, the three races in AI, and the week AI learned to do its own research.

