Inside the Claude Code Leak: A Complete Breakdown of Harness Engineering
The Core Question This Article Answers
Why does Claude Code feel noticeably more reliable and capable than other AI coding tools? Is it solely because of the underlying model, or does the engineering system wrapped around it play the decisive role? The 1,902 leaked source files provide a definitive answer: 60% of the experience comes from the model’s raw capability, while the remaining 40% is driven by a meticulously engineered “harness.”
The Incident: A Basic Mistake That Became a Public Masterclass
Anthropic made a surprisingly basic error while updating the Claude Code npm package. They accidentally left a 60MB source map debug file in the published package. This file should have been stripped out during the build process, but the pipeline failed to catch it. Anyone could use this source map to reconstruct the complete TypeScript source code for Claude Code.
All 1,902 files were exposed to the public.
The most notable detail is that this was not an isolated incident. When Claude Code first launched in February 2025, the exact same accident occurred. Anthropic urgently deleted the old npm packages back then. Over a year later, the identical mistake was repeated.
While this leak represents a fundamental engineering oversight, it serves as an unprecedented learning resource for developers paying attention to AI Agent engineering practices. The source code fully reveals how Anthropic builds an entire engineering system around a large language model—a practice increasingly referred to as “harness engineering” in 2026.
1. System Prompts: You Think the AI Sees One Sentence, But It Receives an Entire Manual
Core Question: When I type a short instruction in Claude Code, what is the complete information the AI actually receives?
The sentence you type is merely the tip of the iceberg. The prompts.ts file in the source code reveals that Claude Code assembles a massive system prompt for every single interaction, carefully divided into static and dynamic segments.
The Static Segment (Shared across all users, optimized for caching)
| Module | Description |
|---|---|
| Identity Definition | “You are Claude Code, Anthropic’s official CLI tool” |
| Safety Guidelines | Behavioral boundaries specifically written by the safety team |
| Operational Principles | Do not over-engineer, do not fabricate data, do not delete files arbitrarily |
| Tool Usage Rules | Prioritize dedicated tools over raw Bash commands |
| Style Requirements | No emojis, keep it concise and direct |
The Dynamic Segment (Loaded independently per user)
| Module | Description |
|---|---|
| CLAUDE.md Configuration | User-defined, project-level custom instructions |
| Working Directory & OS Info | Runtime environment context |
| Connected MCP Server Descriptions | Capability definitions for external tools |
| Auto-Memory Files | Historically accumulated user preferences |
| Git Repository Status | Current branch, modifications, merge conflicts, etc. |
Consider the analogy of a restaurant kitchen. The customer only orders one dish (your instruction), but the chef simultaneously sees the recipe manual, the ingredient list, allergy information, plating standards, and the dining history of that specific table. All of this context collectively determines the quality of the final dish.
The Caching Boundary Design
The source code contains a critical constant called SYSTEM_PROMPT_DYNAMIC_BOUNDARY that cleanly slices the system prompt into two halves. Everything above this boundary is shared across all users and cached, significantly saving computational costs and reducing response latency. Everything below the boundary is loaded independently for each user, ensuring a personalized experience.
The Hidden Cost of MCP Servers
According to the source code analysis, every connected MCP server consumes approximately 4,000 to 6,000 tokens just for its tool definitions. If you connect five MCP Servers, the tool descriptions alone consume about 12% of the context window. This means tools are not inherently “the more, the better.” Every single additional tool carries a tangible cognitive cost, eating into the space available for actual problem-solving.
Reflection: This design forced me to re-evaluate how I use MCP servers daily. I used to think connecting more tools made the AI more “capable.” In reality, every additional tool shrinks the context space the AI can use to understand the actual problem. Restraint is more important than abundance.
2. Safety Review: A “Second AI” Is Guarding the Fully Automatic Mode
Core Question: Does Claude Code’s Auto mode truly execute all operations without any oversight?
It does not. Behind the Auto mode, two separate AI instances are actually running. The primary AI handles the task execution, while a completely independent AI classifier evaluates whether each operation is safe.
The Four-Layer Permission Pipeline
Chen Cheng (creator of Umi.js) from Ant Group previously reverse-engineered this system, and the source code confirms a sophisticated four-layer pipeline architecture:
| Layer | Logic | Result |
|---|---|---|
| Layer 1 | Query existing rules; if matched, let it pass | Allow |
| Layer 2 | Check if it is a low-risk operation; if yes, skip | Allow |
| Layer 3 | Whitelist read-only tools | Allow |
| Layer 4 | Invoke an independent Claude Sonnet for safety classification (temperature set to 0) | Allow / Soft Deny / Hard Deny |
The independent classifier has its own distinct system prompt, entirely different from the primary AI. It outputs judgments in three tiers:
-
Allow: Execute directly -
Soft Deny: Requires manual user confirmation -
Hard Deny: Block immediately, no execution permitted
The Circuit Breaker Mechanism
The system also features a circuit breaker protection mechanism: if the AI is denied three consecutive times, or reaches a cumulative total of 20 denials, it automatically degrades into manual confirmation mode. This prevents the AI from repeatedly attempting high-risk operations in an abnormal state.
This design is analogous to a multi-tier building security system: the first door opens automatically with an employee badge, the second door verifies your employment status, the third checks floor-level authorization, and only the fourth involves a human security guard. Rejected three times in a row? The security guard escorts you to the lobby to wait for a supervisor.
Unique Insight: The core of harness engineering lies not in telling the AI “what to do,” but in designing the conditions under which it “cannot do” something. Safety boundaries are not constraints on capability; they are the foundation of trust. Because users believe the system has a bottom line, they feel comfortable granting it broader permissions. This logic applies to all AI Agent product designs.
3. The Memory System: Store Preferences, Never Store Code
Core Question: How does Claude Code “automatically remember” user preferences without letting that memory become misleading?
Claude Code’s auto memory feature is one of the most impressive experiences for many users—it automatically remembers that you prefer TypeScript, like using specific quotation marks, or dislike text that sounds too much like “AI.” However, the source code reveals that the design behind this system is far more rigorous than the surface experience suggests.
The Trigger Mechanism for Memory Extraction
Memory extraction is not triggered by every single message. It operates under strict conditions:
-
It only activates after the AI completes a full turn of response -
It has a built-in rate limiter, checking only every N turns -
The extraction work is performed by an independent fork agent
This sub-agent inherits the context of the main conversation, but its permissions are strictly locked down: it can only read files and write to the memory directory. It cannot even execute Bash commands. This ensures the memory extraction process itself creates zero side effects on the system.
The Four Categories of Memory
Extracted memories are strictly partitioned into four categories:
| Category | Stored Content | Examples |
|---|---|---|
| user | Personal user preferences | Prefers a specific language, coding style |
| feedback | Behavioral feedback regarding AI actions | “That approach was wrong last time, test first” |
| project | Project-specific information | Tech stack used, directory structure conventions |
| reference | External resource references | Frequently used documentation links, API endpoints |
The “Do Not Store Code” Design Decision
This is arguably the most valuable principle in the entire memory system. Code changes constantly during development, but memory does not auto-update. If a memory stored “Function X is at line 30 of File Y,” by the next conversation, the code might have been refactored, turning that memory into misleading information.
Claude Code’s approach is absolute: memory only stores human preferences and judgments. Code-related facts are always read in real-time from the source code.
The autoDream Mechanism: Automatic Organization
The source code also reveals a feature called autoDream. When the following conditions are met, a background agent automatically launches to organize memory files:
-
It has been more than 24 hours since the last organization -
At least 5 new conversation sessions have accumulated
This feature is named “Dream,” a metaphor for how humans consolidate their daily memories while sleeping.
Reflection: The “do not store code” decision seems simple, but it actually requires immense engineering restraint. Intuitively, storing code details makes the AI appear “smarter” in the short term. But the long-term cost of outdated information causing hallucinations far outweighs the short-term benefit. This design philosophy of “doing less is better than doing more” is worth deep consideration for anyone building AI products.
4. Context Compression: A 9-Segment Structured Extraction
Core Question: When a conversation grows long, how does Claude Code compress historical content without losing critical information?
Claude Code’s context compression is not a simple “summarize what we talked about.” It is a highly structured, 9-segment extraction protocol:
| Segment | Extracted Content | Purpose |
|---|---|---|
| 1 | Core Request | The original problem the user wanted to solve |
| 2 | Key Concepts | Important technical concepts discussed |
| 3 | Files and Code | Specific file paths and code snippets involved |
| 4 | Errors and Fixes | Errors encountered and their corresponding solutions |
| 5 | Resolution Process | The reasoning chain of the troubleshooting |
| 6 | All User Messages | Every single sentence the user has said (Fully preserved) |
| 7 | Pending Tasks | Items that remain unfinished |
| 8 | Current Work | The operation currently in progress |
| 9 | Next Steps | What should be done next |
The Most Critical Design: Fully Preserving All User Messages
Every sentence a user says might contain implicit preferences. The AI might have been corrected on a specific approach in the third turn of conversation. If that correction is dropped during compression, the AI will repeat the same mistake in subsequent turns. Therefore, all user messages must be fully preserved; they are never summarized or omitted during the compression process.
Practical Takeaway
If you need to maintain AI memory consistency across long multi-turn conversations, you can adopt this exact mindset. Never tell an AI to “summarize what we talked about.” Instead, provide explicit, structured instructions specifying exactly which information must be retained, what can be discarded, and how it should be formatted. Structured extraction is exponentially more reliable than free-form summarization.
5. Multi-Agent Collaboration: Operating Like a Real Company
Core Question: How does Claude Code coordinate multiple AI Agents to work together seamlessly in multi-task scenarios?
The utils/swarm/ directory in the source code contains a complete multi-agent collaboration framework, likely the most complex portion of the entire leaked codebase.
Organizational Architecture
| Design Element | Implementation Method |
|---|---|
| Role Division | Every Team has a Leader and multiple Teammates |
| Execution Isolation | Supports three modes: in-process isolation, tmux windows, iTerm2 split panes |
| Async Communication | Each Agent possesses its own independent mailbox file |
| Code Isolation | Each Agent works within an independent Git Worktree, preventing interference |
The Permission Bubbling Mechanism
When a Teammate encounters an operation that requires confirmation during execution, the permission request does not pop up directly to the user. Instead, it “bubbles up” to the Leader. The Leader then decides whether to approve the request.
This mirrors the exact logic of managing a real human team: how tasks are split, how information flows, how conflicts are resolved, and how results are merged.
Unique Insight: After reviewing this architecture, I understand why Claude Code’s multi-tasking capability feels distinctly superior to other tools. Many competitors’ multi-agent implementations are essentially just “parallel API calls.” Claude Code, however, implements an enterprise-grade organizational management architecture. The difference lies not in how many Agents are used, but in how elegantly they coordinate.
6. Internal vs. External Versions: What Anthropic Employees Actually Use
Core Question: What are the functional differences between the Claude Code used by Anthropic employees and the public version?
The source code contains numerous USER_TYPE === 'ant' conditional checks, revealing significant differences between the internal and external builds.
Key Differences Compared
| Dimension | External Version | Internal Version |
|---|---|---|
| Code Comments | No special requirements | “Do not write comments by default”; only add when the WHY is not obvious |
| Honesty | No special instructions | Contains anti-false-statement directives: “If a test fails, say it failed, do not sugarcoat. If you didn’t run verification, say so, do not imply it passed.” |
| Output Style | “Concise and direct” | “Write like text meant for a human to read, not logs dumped to a console” and “Assume the user has walked away and lost context.” |
| Undercover Mode | Not available | When enabled, strips all model names from the system prompt to prevent leaking info when testing unreleased models. |
| Verification Agent | Not available | In internal A/B testing, an independent agent automatically launches for adversarial verification after complex implementations. It must pass before reporting completion. |
These differences demonstrate that Anthropic treats Claude Code as the core tool for its own internal efficiency. The strict requirements of the internal version represent their ideal vision of “how AI should work.”
Lesson Learned: If you want higher-quality results from AI, you can borrow these principles immediately in your own prompts. Explicitly instruct the AI: “Say ‘I don’t know’ when uncertain” and “You must verify results before declaring completion.” Do not leave fuzzy loopholes for the AI to slip through.
7. Search Strategy: The Most Advanced AI Tool Uses the Most Primitive Search
Core Question: Does Claude Code use vector databases or traditional text search to find code?
Many people assume Claude Code uses vector databases, Embedding indexes, or some sophisticated RAG pipeline to search through codebases. In reality, the source code shows it relies on grep and ripgrep—the most primitive text search tools available. There are no Embeddings, and there is no vector database.
The logic behind this choice is straightforward: when you have a sufficiently intelligent brain (the LLM) to interpret search results, you do not need a highly intelligent search engine. grep provides precise, deterministic matching, and the LLM handles the semantic understanding of the relationships between those results.
Rather than making every component in the pipeline complex, it is far more effective to make one component overwhelmingly strong and keep the rest simple. This is arguably the most fundamental design principle underlying the entire harness engineering philosophy.
8. Unreleased Features and Easter Eggs
Core Question: What does the future direction of Claude Code look like based on the source code’s feature flags?
The feature flags in the source code expose a batch of features currently under active development:
| Feature Name | Frequency | Inferred Direction |
|---|---|---|
| PROACTIVE | — | Proactive mode; the AI works without waiting for instructions |
| KAIROS | 154 times | Assistant mode; the highest frequency flag, exact function TBD |
| DAEMON | — | Daemon process; runs persistently in the background |
| ULTRAPLAN | — | Ultra-planning capabilities |
Furthermore, a complete virtual pet system (unreleased) was hidden in the src/buddy/ directory. Each user would get a companion sprite generated via a deterministic algorithm: 18 species (duck, cat, dragon, capybara, cactus, etc.), 6 eye styles, and a complete rarity system ranging from common to legendary. A comment in the code notes: “Mulberry32, good enough for picking ducks.”
These indicators suggest Claude Code is not content with being a “you ask, it answers” coding assistant. It is evolving toward an AI companion capable of proactive thought and continuous operation.
9. Final Reflections: Harness Engineering Is the True Battleground for Product Differentiation
Core Question: Why does the user experience differ so drastically across AI coding tools when they all call the same underlying large language model APIs?
After reviewing all 1,902 files, the core judgment is crystal clear: Claude Code’s competitiveness is 60% model capability and 40% harness engineering.
Model capability determines whether a task can be done. The harness determines how well, how stably, and how safely it gets done:
-
You feel “this AI is reliable and won’t go rogue”—behind that is a four-layer safety pipeline. -
You feel “this AI actually remembers my preferences”—behind that is a strictly gated memory extraction pipeline. -
You feel “this AI searches code accurately”—behind that is literally just greppaired with a sufficiently intelligent brain.
The exact same underlying model, wrapped in a different harness, results in a completely different product. A massive number of AI coding tools on the market are calling Claude or GPT APIs under the hood, yet the user experiences are worlds apart. The difference is not the model; it is the harness.
Final Thought: Commentators on Hacker News noted that Anthropic’s code looks “vibe coded”—written in a “if it feels right, ship it” style. Whether that assessment is entirely fair is debatable, but it highlights a crucial point: Claude Code’s competitiveness does not lie in code elegance. It lies in making the right system design decisions. For everyone currently building AI products, this might be the most important lesson: focus your energy on the quality of architectural decisions, not the cosmetic refinement of the code itself.
Practical Summary / Action Checklist
Below are the design principles extracted directly from the Claude Code source code that you can apply to your own AI engineering practices today:
-
[ ] Layered Prompt Caching: Split your system prompt into shared static segments and personalized dynamic segments; leverage caching for the static parts to reduce latency and cost. -
[ ] Control Tool Quantity: Every MCP/tool integration carries a fixed token cost. Connect based on strict necessity, not abundance. -
[ ] Multi-Layer Safety Review: Use rule-based whitelists to filter low-risk operations automatically; only invoke an independent AI classifier for ambiguous operations. -
[ ] Implement Circuit Breakers: Auto-degrade to manual mode after consecutive failures to prevent runaway behavior in abnormal states. -
[ ] Memory Stores Preferences, Not Facts: Read code-related information from the source in real-time to prevent stale memory from causing hallucinations. -
[ ] Preserve User Messages During Compression: Every user message might contain implicit corrections or preferences; never discard them during context window management. -
[ ] Use Structured Extraction Over Free Summarization: Explicitly define what to keep, what to drop, and the output format. -
[ ] Simple Tools + Strong Model > Complex Tools + Weak Model: A grepplus an LLM outperforms a convoluted RAG pipeline for localized code search. -
[ ] Demand Honesty and Verification in Prompts: Explicitly instruct the AI to “state when uncertain” and “verify before completing.”
One-page Summary
| Dimension | Claude Code’s Approach | Core Principle |
|---|---|---|
| System Prompts | Static/Dynamic split with shared caching | Balance cost reduction with personalization |
| Safety Mechanism | 4-layer pipeline + independent AI classifier + circuit breaker | Never trust a single judgment; narrow down layer by layer |
| Memory System | Only stores preferences, not code; 4 categories; rate-limited triggers | Prevent stale memory from becoming toxic |
| Context Compression | 9-segment structured extraction; user messages fully preserved | Structured extraction is vastly superior to free summarization |
| Multi-Agent | Leader/Teammate architecture; permission bubbling; Git Worktree isolation | Simulate real-world team management structures |
| Code Search | grep + ripgrep; no vector databases |
Simple tools paired with a strong model |
| Internal vs. External | Anti-false-statement directives; adversarial verification; Undercover mode | Leave zero fuzzy loopholes for the AI |
| Future Direction | PROACTIVE, KAIROS, DAEMON, ULTRAPLAN | Transitioning from a passive tool to a proactive companion |
Frequently Asked Questions
Is Claude Code’s “Auto mode” completely unrestricted?
No. Behind the Auto mode runs an independent AI safety classifier. Every single operation is screened through a four-layer permission pipeline, and high-risk operations are still intercepted or require manual confirmation.
Does Claude Code’s memory system remember my actual code?
It does not. The memory system is strictly designed to store user preferences and judgments only. Code-related facts are read in real-time from the source files during every interaction to prevent outdated memory from causing errors.
Why doesn’t Claude Code use a vector database for code search?
Because when the LLM itself is sufficiently intelligent, precise text matching via grep or ripgrep combined with the LLM’s semantic understanding is highly effective. A simple tool paired with a strong model outperforms making every component in the pipeline complex.
How large is Claude Code’s system prompt?
The exact size depends on user configuration, but MCP tool definitions alone consume about 4,000 to 6,000 tokens per server. Connecting 5 MCP Servers could consume roughly 12% of the context window just for tool descriptions.
Will my past messages be lost during context compression?
No. The 9-segment compression protocol explicitly mandates that “All User Messages” are a fully preserved category. Every correction or preference you stated is retained, as dropping them would cause the AI to repeat past mistakes.
What are the main differences between Anthropic’s internal version and the public version?
The internal version adds anti-false-statement directives (demanding honest reporting of test results), an adversarial Verification Agent, stricter output style requirements, and an Undercover mode that hides model names during testing.
How do Claude Code’s multiple agents collaborate?
It uses a Leader/Teammate organizational structure. Agents communicate asynchronously via mailbox files, work in isolated Git Worktrees to prevent code conflicts, and route permission requests up to the Leader rather than interrupting the user.
What is the core principle of harness engineering?
The engineering system built around the model (tools, constraints, feedback loops, safety mechanisms, memory systems) determines the upper limit of the product experience. The core principles are “make one component overwhelmingly strong while keeping the rest simple” and “designing what the AI cannot do is more important than designing what it can do.”
