Claude Code v2.1.88 shipped a 59.8 MB source map on March 31, 2026, exposing 512,000 lines of TypeScript, 32 compile-time feature flags, 22+ GrowthBook runtime gates, and codenames for unreleased models including Capybara (Opus 5/Mythos), Fennec, and Tengu. Voice mode, a plugin marketplace, Chrome extension, multi-agent orchestration, and a Tamagotchi companion system called BUDDY are all fully built but not shipped. This is a complete breakdown of everything Anthropic planned to release in 2026.
What Happened: The Biggest AI Source Code Leak Ever
On March 31, 2026, security researcher Chaofan Shou discovered that the npm package @anthropic-ai/claude-code version 2.1.88 contained a source map file (cli.js.map) weighing 59.8 MB. That single file reconstructed the entire TypeScript source code of Claude Code — Anthropic's flagship AI coding assistant.
The numbers speak for themselves:
| Metric | Value |
|---|---|
| TypeScript files recovered | ~1,900 |
| Lines of code | ~512,000 |
| Built-in tools | 43 |
| Compile-time feature flags | 32 |
| Runtime feature gates (GrowthBook) | 22+ |
| Hidden slash commands | 26 |
| Environment variables | 330+ |
| Internal project codename | Tengu |
This was not a partial leak. It was the entire codebase — feature flags, codenames, pricing logic, anti-distillation defenses, and infrastructure for at least a dozen unshipped features. Five days earlier, on March 26, a separate CMS misconfiguration had already exposed ~3,000 internal files including draft blog posts about "Claude Mythos," a next-generation model above Opus.
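A pre-publish check for the failure described above, as an added example that is not from Anthropic's code or from the original article: it inspects the files a package would ship and flags any source map, standalone or inline, whose sourcesContent embeds original source text. The function names and the sample package are constructed for illustration.

```javascript
// Added example: flag source maps that would ship original sources in an npm package.
// Entries are { path, content } pairs for the files that would be published.
const MAP_REF = /\/[\/*][#@]\s*sourceMappingURL=([^\s*]+)/g;

// Count original files embedded in a Source Map v3 object. Indexed maps keep
// nested maps under "sections", so those are walked as well.
function embeddedSources(map) {
  let files = 0, bytes = 0;
  for (const text of Array.isArray(map.sourcesContent) ? map.sourcesContent : []) {
    if (typeof text === 'string') { files += 1; bytes += Buffer.byteLength(text); }
  }
  for (const section of Array.isArray(map.sections) ? map.sections : []) {
    if (section && section.map && typeof section.map === 'object') {
      const inner = embeddedSources(section.map);
      files += inner.files; bytes += inner.bytes;
    }
  }
  return { files, bytes };
}

function parseMap(text) {
  try { const map = JSON.parse(text); return map && typeof map === 'object' ? map : null; }
  catch { return null; }
}

function auditPackage(entries) {
  const findings = [];
  const report = (path, kind, map) => {
    const { files, bytes } = map ? embeddedSources(map) : { files: 0, bytes: 0 };
    findings.push({ path, kind, files, bytes, leaksSource: files > 0 });
  };
  for (const { path, content } of entries) {
    if (path.endsWith('.map')) { report(path, 'map-file', parseMap(content)); continue; }
    if (!/\.[cm]?js$/.test(path)) continue;
    const refs = [...content.matchAll(MAP_REF)];
    if (refs.length === 0) continue;
    const url = refs[refs.length - 1][1]; // use the last comment in the file
    const inline = /^data:application\/json[^,]*;base64,(.*)$/.exec(url);
    // An external reference is only noted here; the .map itself is its own entry.
    const map = inline ? parseMap(Buffer.from(inline[1], 'base64').toString('utf8')) : null;
    report(path, inline ? 'inline-map' : 'map-reference', map);
  }
  return findings;
}

// True when any published file would carry original source text.
function failsPublish(entries) { return auditPackage(entries).some((f) => f.leaksSource); }

// Constructed sample package (not real Claude Code content).
const sampleMap = JSON.stringify({
  version: 3, file: 'cli.js', names: [], mappings: 'AAAA',
  sources: ['../src/main.ts', '../src/flags.ts'],
  sourcesContent: ['export const main = () => 1;\n', null],
});
const SAMPLE = [
  { path: 'package/cli.js', content: 'console.log(1);\n//# sourceMappingURL=cli.js.map\n' },
  { path: 'package/cli.js.map', content: sampleMap },
  { path: 'package/vendor.mjs', content: 'export {};\n//# sourceMappingURL=' +
    'data:application/json;base64,' + Buffer.from(sampleMap).toString('base64') + '\n' },
  { path: 'package/README.md', content: '# readme' },
];
```

In CI, build the entries from the file list that `npm pack --dry-run --json` reports and fail the job when `failsPublish` returns true.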
All 32 Compile-Time Feature Flags
Claude Code uses Bun's feature() function for compile-time flags. When building for public release, these flags compile to false, and the bundler eliminates the gated code via dead-code elimination. In internal builds, they are active. Here is every single one we identified:
| # | Flag | What It Does | Status |
|---|---|---|---|
| 1 | KAIROS | Persistent always-on AI assistant. Background daemon with push notifications, file sending, channel support. Named after the Greek concept of "opportune moment." Referenced 150+ times in the source. | Not shipped |
| 2 | PROACTIVE | Proactive behavior: sleep tool, autonomous actions without user input, 15-second blocking budget. Paired with KAIROS. | Not shipped |
| 3 | COORDINATOR_MODE | Multi-agent orchestrator: a primary Claude spawns and manages parallel worker agents, then synthesizes results. | Not shipped |
| 4 | BRIDGE_MODE | Remote control via claude.ai — bridges local session to web interface. | Partially released |
| 5 | DAEMON | Background daemon workers for persistent sessions, tmux integration. | Not shipped |
| 6 | BG_SESSIONS | Background session management: list, logs, reattach, kill running sessions. | Not shipped |
| 7 | ULTRAPLAN | 30-minute cloud planning sessions via Opus 4.6 on Cloud Container Runtime (CCR). Human approval in browser before execution. | Not shipped |
| 8 | BUDDY | Full Tamagotchi companion system. 18 species (duck, dragon, axolotl, capybara, mushroom, ghost...), rarity from common to 1% legendary, cosmetics (hats, shiny variants), 5 stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK. Seeded from user ID hash. | Not shipped (April 2026 teaser) |
| 9 | TORCH | Internal undocumented feature, likely related to workflow guidance. | Not shipped |
| 10 | WORKFLOW_SCRIPTS | Workflow automation, pipeline script execution. | Not shipped |
| 11 | VOICE_MODE | Push-to-talk voice interface via /voice. Audio input and output. | Not shipped |
| 12 | TEMPLATES | Job classifier and task templates for structured missions. | Not shipped |
| 13 | CHICAGO_MCP | Computer Use via MCP — full GUI automation (mouse, clicks, screenshots). Codename "Chicago." Active for Max/Pro users. | Partially released |
| 14 | UDS_INBOX | Cross-session IPC via Unix Domain Sockets. Multiple Claude sessions on the same machine can exchange messages like a team chat between AI agents. | Not shipped |
| 15 | REACTIVE_COMPACT | Reactive context compaction for dynamic window management. | Not shipped |
| 16 | CONTEXT_COLLAPSE | Context window inspection and restructuring. Enables CtxInspectTool. | Not shipped |
| 17 | HISTORY_SNIP | Aggressive conversation history trimming. | Not shipped |
| 18 | CACHED_MICROCOMPACT | Cached micro-compactions for memory optimization. | Not shipped |
| 19 | TOKEN_BUDGET | Per-task/session token budget management. | Not shipped |
| 20 | EXTRACT_MEMORIES | Automatic memory extraction from conversations. | Not shipped |
| 21 | OVERFLOW_TEST | Internal overflow limit testing tool. | Internal/test |
| 22 | TERMINAL_PANEL | Terminal panel capture for IDE integration. | Not shipped |
| 23 | WEB_BROWSER | Native web browser automation tool. | Not shipped |
| 24 | FORK_SUBAGENT | Ability to fork sub-agents from a main agent. | Not shipped |
| 25 | DUMP_SYS_PROMPT | Full system prompt extraction. Reserved for Anthropic employees only (ant-only). | Internal only |
| 26 | ABLATION_BASE | Bootstrap simplification toggles for ablation studies. | Internal/research |
| 27 | BYOC_RUNNER | Bring Your Own Compute — self-hosted runner. | Not shipped |
| 28 | SELF_HOSTED | Self-hosted mode for on-premise deployments. | Not shipped |
| 29 | MONITOR_TOOL | MCP monitoring tool for agent surveillance. | Not shipped |
| 30 | CCR_AUTO | Automatic Cloud Container Runtime activation. | Not shipped |
| 31 | MEM_SHAPE_TEL | Memory shape telemetry for tracking context patterns. | Not shipped |
| 32 | SKILL_SEARCH | Experimental skill discovery and search. | Not shipped |
Additional Flags Found in Extended Analysis
Beyond the core 32, several more flags were identified in deeper code analysis:
- NATIVE_CLIENT_ATTESTATION — Native client cryptographic attestation (placeholder hash cch=00000)
- ANTI_DISTILLATION_CC — Injects decoy tools into API requests to poison competitor training data
- TRANSCRIPT_CLASSIFIER — Automatic session transcript classification
- KAIROS_BRIEF — Brief mode for the persistent KAIROS assistant
- KAIROS_GITHUB_WEBHOOKS — GitHub integration via SubscribePRTool for autonomous PR reactions
- LODESTONE — Undocumented feature
- CLAUDE_CODE_VERIFY_PLAN — Plan execution verification tool
22+ Runtime Gates via GrowthBook
While compile-time flags are baked into the build, GrowthBook manages runtime feature gating. These flags are prefixed with tengu_ (the project codename) and many use randomized word pairs like tengu_frond_boric to obscure their purpose. Values are aggressively cached via getFeatureValue_CACHED_MAY_BE_STALE() to avoid blocking the main loop.
Critical detail: Anthropic can activate or deactivate these flags remotely without any user update, through hourly polling to a remote settings endpoint.
| # | Gate Name | What It Controls |
|---|---|---|
| 1 | tengu_anti_distill_fake_tool_injection | Injects fake/decoy tools into the system prompt for first-party CLI sessions. Poisons competitor training data. |
| 2 | tengu_attribution_header | Kill-switch for the x-anthropic-billing-header attribution header. |
| 3 | tengu_malort_pedway | Full Computer Use — GUI automation (mouse, clicks, screenshots). Obscured name. |
| 4 | tengu_penguins_off | Kill-switch for Penguin Mode (Fast Mode). Disables fast mode globally. |
| 5 | tengu_onyx_plover | Auto-Dream system — overnight memory consolidation. Obscured name. |
| 6 | tengu_kairos | Main gate for the persistent KAIROS assistant mode. |
| 7 | tengu_ultraplan_model | Selects the model for ULTRAPLAN cloud sessions (default: Opus 4.6). |
| 8 | tengu_cobalt_raccoon | Controls auto-compact (automatic context compaction). Obscured name. |
| 9 | tengu_scratch | Shared scratchpad directory for multi-agent coordination. |
| 10 | tengu_amber_flint | Agent Teams/Swarm with team memory synchronization. |
| 11 | tengu_consolidated_mode | Memory consolidation/dream system activation. |
| 12 | tengu_portal_quail | Obscured gate — exact function unknown. |
| 13 | tengu_harbor | Obscured gate — likely hosting/port related. |
| 14 | tengu_herring_clock | Obscured gate — exact function unknown. |
| 15 | tengu_chomp_inflection | Obscured gate — exact function unknown. |
| 16 | tengu_amber_quartz_disabled | Kill-switch for Voice Mode. Obscured name. |
| 17 | tengu_ultraplan_teleport_local | Sentinel for remote ULTRAPLAN result retrieval. |
| 18 | tengu_speculation | Speculation mode — speculative pre-execution of actions. |
| 19 | tengu_startup_telemetry | Startup telemetry analytics event. |
| 20 | tengu_mcp_channel_flags | MCP channel flags for telemetry. |
| 21 | tengu_agent_flag | Agent telemetry and gating flag. |
| 22 | tengu_org_penguin_mode_fetch_failed | Analytics event when org-level Penguin Mode fetch fails. |
The code also contains 6+ remote kill-switches capable of bypassing permission prompts, toggling Fast Mode, controlling Voice Mode, managing analytics collection, and forcing a complete application exit — all without any update to the user's installation.
The 5 Biggest Unreleased Features
1. KAIROS — The Always-On AI Assistant
KAIROS is the most referenced feature in the entire codebase, appearing 150+ times. Named after the ancient Greek concept of the "opportune moment," it represents Anthropic's vision of a persistent, always-running AI assistant that does not wait for you to open a terminal.
What we know from the code:
- Background daemon that runs continuously via tmux integration
- Push notifications to alert you of relevant events
- Proactive actions — Claude can do things before you ask, with a 15-second blocking budget
- File sending and channel support for multi-context communication
- GitHub webhook integration via SubscribePRTool — can autonomously react to pull requests
- Brief mode (KAIROS_BRIEF) for concise outputs
KAIROS is paired with the PROACTIVE flag, suggesting a two-stage rollout: first the daemon infrastructure, then the autonomous behavior on top.
2. Voice Mode — Push-to-Talk AI Coding
The VOICE_MODE flag and the tengu_amber_quartz_disabled kill-switch confirm that voice interaction is fully built. Activated via the /voice command, it supports both audio input and output — push-to-talk for hands-free coding. The kill-switch name (disabled suffix) suggests it was live internally and they needed a way to turn it off remotely.
3. Plugin Marketplace — An App Store for Claude Code
The leak reveals a complete plugin ecosystem with three layers: Plugins (extension bundles), Skills (SKILL.md instruction files), and Hooks (event-driven shell scripts). The marketplace is backed by Git-based registries (GitHub, GitLab) with a full command suite:
- /plugin marketplace add — register a new marketplace
- /plugin marketplace update — refresh local registries
- /plugin install plugin-name@marketplace-name — install from marketplace
- /reload-plugins — hot-reload all active plugins
Plugin structure uses .claude-plugin/plugin.json manifests and can bundle agents, commands, skills, hooks, and MCP servers in a single distributable package. The official marketplace (anthropics/claude-plugins-official) and community sites like claudemarketplaces.com, claude-plugins.dev, and buildwithclaude.com are already referenced in the code. 15 files in the commands/plugin/ directory handle everything from browsing to trust warnings to validation.
4. BUDDY — A Tamagotchi Inside Your Terminal
Perhaps the most unexpected discovery: a complete virtual pet system. The BUDDY flag gates a Tamagotchi-style companion with:
- 18 species: duck, dragon, axolotl, capybara, mushroom, ghost, and 12 more
- Rarity system: from common to 1% legendary
- Cosmetics: hats, shiny variants
- 5 stats: DEBUGGING, PATIENCE, CHAOS, WISDOM, SNARK
- Deterministic seeding: your buddy species is derived from your user ID hash, so everyone gets a unique companion
An April 2026 teaser was found in the source, suggesting Anthropic planned to reveal BUDDY as part of an April campaign — possibly an April Fools reveal that turned into a real feature.
5. ULTRAPLAN and Remote/Teleport Sessions
ULTRAPLAN enables 30-minute cloud planning sessions running Opus 4.6 on Anthropic's Cloud Container Runtime (CCR). The workflow: Claude creates a plan in the cloud, presents it in your browser for human approval, then executes. The tengu_ultraplan_teleport_local gate handles remote result retrieval — Claude plans in the cloud and "teleports" results back to your local machine.
Model Codenames: Capybara, Fennec, Tengu, and Mythos
Anthropic uses animal codenames internally. The leak decoded the full naming hierarchy:
| Codename | What It Is | Key Details |
|---|---|---|
| Tengu | Project codename for Claude Code itself | Prefix for all feature flags (tengu_*) and analytics events. Japanese supernatural creature. |
| Fennec | Early codename for Opus 4.6 | First appeared in Vertex AI logs as claude-sonnet-5@20260203. Migration file migrateFennecToOpus.ts confirms it became Opus 4.6. |
| Capybara | New model tier ABOVE Opus | Internal versions: v4 (16.7% false claims) and v8 (29-30% false claims — a 74% regression). Variants include capybara-v2-fast with 1M context. |
| Mythos | Public name for Capybara (Opus 5) | Discovered in CMS leak 5 days before code leak. Described as "by far the most powerful AI model we've ever developed." |
| Numbat | Unknown model in pre-launch testing | Internal reference only — no details on tier or capabilities. |
| Chicago | Computer Use implementation | Codename for the CHICAGO_MCP feature flag — full GUI automation. |
The code also contains references to Opus 4.7 and Sonnet 4.8, suggesting Anthropic has already prepared infrastructure for next-generation model iterations. Migration files trace the full lineage: Sonnet 1M to Sonnet 4.5 to Sonnet 4.6, and Fennec to Opus to Opus 1M.
The Capybara v8 Problem
Internal testing of Capybara v8 revealed a major regression: the false claims rate jumped from 16.7% (v4) to 29-30% (v8) — the model makes false assertions nearly 1 in 3 times. The code mentions "premature generation stop" issues and mitigations including "force safe boundary marker" injection and "prompt-shape surgery," all gated behind killable feature flags for progressive rollout.
Anti-Distillation: Poisoning Competitor Training Data
One of the most controversial discoveries: when both the ANTI_DISTILLATION_CC compile-time flag and the tengu_anti_distill_fake_tool_injection runtime gate are active, Claude Code injects fake tool definitions into API requests. If anyone records Claude Code API traffic to train a competing model, the fake tools poison their training data. This only activates for first-party CLI sessions and is controllable remotely via GrowthBook.
Undercover Mode: Protecting Codenames (That Got Leaked Anyway)
The file undercover.ts injects instructions into Claude's system prompt directing it to never reveal internal codenames (Capybara, Tengu, etc.) and never mention them in git commits or open-source contributions. The directive explicitly states: "There is NO force-OFF. This guards against model codename leaks." The irony: Anthropic built an entire system to prevent codename leaks, then shipped the complete source code in an npm package.
330+ Environment Variables: The Full Control Surface
The leak catalogued over 330 environment variables across 25 categories, revealing the full operational control surface of Claude Code:
- Authentication and API: 25+ vars for API keys, OAuth tokens, WebSocket auth
- Model configuration: 18 vars including per-tier defaults, subagent models, custom model options
- Cloud providers: AWS Bedrock (16 vars), Google Vertex AI (12 vars), Microsoft Foundry (5 vars)
- Enable flags: 20 vars to activate experimental features (CFC, tasks, telemetry, LSP, session persistence)
- Disable flags: 35 vars to turn off features including the 1M context window, adaptive thinking, memory, command injection checks
- Agent Teams: 8 vars for experimental multi-agent orchestration (CLAUDE_CODE_PLAN_V2_AGENT_COUNT — Max/Team: 3, Free: 1)
- Remote and Cowork: 19 vars for cloud container runtime, bridge sessions, and team collaboration
- OpenTelemetry: 22 vars for trace, metrics, and log export
Notable individual variables include CLAUDE_CODE_DISABLE_COMMAND_INJECTION_CHECK (disables security checks), CLAUDE_CODE_DISABLE_1M_CONTEXT (labeled "health compliance"), and CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS (activates the multi-agent swarm).
What This Roadmap Tells Us About Anthropic's Strategy
Reading through 32 feature flags and 22 runtime gates, a clear product vision emerges:
- From tool to teammate: KAIROS, PROACTIVE, BG_SESSIONS, and DAEMON are building toward an always-on AI that does not wait for commands — it watches your work and acts when needed.
- Multi-agent is the future: COORDINATOR_MODE, FORK_SUBAGENT, UDS_INBOX, and Agent Teams infrastructure all point to Claude orchestrating multiple Claude instances simultaneously.
- Platform play: The plugin marketplace, skill system, and hook architecture create an extensible platform — Claude Code as an OS for AI-assisted development.
- Enterprise readiness: BYOC_RUNNER, SELF_HOSTED, and Foundry integration show Anthropic targeting enterprise on-premise deployments.
- Competitive defense: Anti-distillation fake tool injection and Undercover Mode reveal how seriously Anthropic takes IP protection — even as their source code ships in npm packages.
Frequently Asked Questions
What exactly leaked from Claude Code?
A 59.8 MB source map file (cli.js.map) in the npm package @anthropic-ai/claude-code v2.1.88 reconstructed ~1,900 TypeScript files totaling ~512,000 lines of code. This included 32 feature flags, 22+ runtime gates, 330+ environment variables, 26 hidden slash commands, model codenames, pricing logic, and complete implementations of unreleased features.
What is KAIROS in Claude Code?
KAIROS is Anthropic's persistent always-on AI assistant system. Named after the Greek concept of the "opportune moment," it runs as a background daemon with push notifications, proactive actions, GitHub webhook integration, and tmux session management. It is the most-referenced feature in the codebase (150+ mentions) but has not shipped publicly.
What are the Capybara and Mythos models?
Capybara is the internal codename for a new model tier above Opus — essentially Opus 5. Its public name, discovered in a separate CMS leak on March 26, 2026, is "Claude Mythos." Anthropic's draft blog described it as "by far the most powerful AI model we've ever developed" with unprecedented cybersecurity capabilities. Internal testing showed a 29-30% false claims rate in v8, up from 16.7% in v4.
Can Anthropic remotely control Claude Code features?
Yes. The code uses GrowthBook for runtime feature gating with 22+ flags prefixed tengu_. These are polled hourly from a remote endpoint, allowing Anthropic to activate or deactivate features for specific users, regions, organizations, or percentages of users — all without pushing any software update. Six or more remote kill-switches can bypass permission prompts, toggle fast mode, control voice mode, and force application exit.
What is the anti-distillation system in Claude Code?
When activated, Claude Code injects fake tool definitions into API requests. If a competitor records the API traffic to train their own model, these fake tools pollute their training data. The system is dual-gated: it requires both a compile-time flag (ANTI_DISTILLATION_CC) and a runtime GrowthBook gate (tengu_anti_distill_fake_tool_injection), and only activates for first-party CLI sessions.



