Analysis

Claude Code Source-Map Leak Exposes Unreleased Features and a 3,167-Line Function

A single .map file in Claude Code exposed 1,700 TypeScript files, a 3,167-line function, and unreleased features including an undercover mode to hide AI authorship.

Nina Kowalski · 3 min read
Published

When a debugging artifact ships by accident, it can expose an entire architecture. That's what happened with Claude Code, Anthropic's AI coding agent, when a source map file made its way into a public npm package and handed the community a near-complete reconstruction of the original TypeScript source. Independent engineer and researcher Liran Baba published a detailed technical analysis cataloging what that single .map file contained: roughly 1,700 TypeScript files spanning utilities, UI components, command definitions, tool implementations, services, hooks, and bridging code.

The structural headline alone is striking. Baba flagged a single function spanning 3,167 lines across 12 levels of nesting, a maintenance crisis waiting to crystallize for any codebase that expects auditors or contributors to reason about correctness.

The reconstructed source also revealed features that Anthropic had not announced publicly: KAIROS, described as an autonomous operating mode, and an "undercover mode" designed to conceal AI authorship from collaborators. The codebase contained more than 35 distinct tools across several categories, 73 or more slash commands, and over 200 server-side feature gates, a scale of internal configurability that no external observer had previously mapped.

The leak traces to .map files, the debugging artifacts that bundlers emit to correlate minified output back to the original source. Shipping one in a public package is exactly what CI packaging reviews are supposed to catch. The bundler involved was Bun, whose creator, Jarred Sumner, has joined Anthropic. Sumner publicly ruled out a simple bun serve artifact as the cause, leaving the precise packaging failure unresolved.

Anthropic opted for package deprecation rather than an immediate unpublish. That distinction mattered: deprecation left some residual access to the leaked map file, which contributed to the spread of community-generated architecture diagrams tracing the agent loop from keypress to model output.

AI-generated illustration

For Rust developers building agents or CLIs, the analysis reads as a design postmortem with three patterns worth encoding directly into practice. The "undercover mode" design, where tool behavior changes based on hidden runtime state, creates audit boundaries that are nearly impossible to reason about without source access. If a tool's behavior depends on a flag not surfaced in its type signature or help output, it is a hidden mode, and hidden modes undermine the inspectability that makes Rust agents worth building. The mega-function pattern (3,167 lines, 12 nesting levels) is precisely what Rust's ownership model and explicit error types are supposed to discourage; breaking agent dispatch into small, single-responsibility functions pays dividends during incident review at zero compile-time cost. The 200-plus feature gate pattern needs a single authoritative registry queryable at runtime so operators can enumerate what is actually active in any given deployment.

The practical hardening checklist: fail CI if any .map, .pdb, or debug-symbol artifact appears in the release set; enforce a maximum function length via clippy configuration; surface all feature flags through a structured list-features subcommand; log every tool invocation with its arguments and exit code to a structured sink before returning control to the agent loop; and treat any mode that changes tool visibility as a documented API, not a runtime hack.
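The three code-level items of that checklist (the release gate, the single feature-flag registry, and the structured invocation record) in one small Rust module. This is an added example written for this article; it is not code from Baba's analysis, from Claude Code, or from Anthropic, and the artifact extensions, flag names and sample paths are constructed for illustration.

```rust
use std::collections::BTreeMap;
use std::path::Path;

// --- 1. Release gate: no debug artifacts in the published set ---------------

/// Extensions treated as debug artifacts. Constructed policy list for this example.
const DEBUG_ARTIFACT_EXTENSIONS: &[&str] = &["map", "pdb", "dsym"];

/// Every path in the candidate release set that is a debug artifact.
/// An empty result means the gate passes; CI should fail on anything else.
pub fn debug_artifacts_in_release<'a>(paths: &[&'a str]) -> Vec<&'a str> {
    paths
        .iter()
        .copied()
        .filter(|p| {
            Path::new(*p)
                .extension()
                .and_then(|e| e.to_str())
                .map(|e| DEBUG_ARTIFACT_EXTENSIONS.contains(&e.to_ascii_lowercase().as_str()))
                .unwrap_or(false)
        })
        .collect()
}

// --- 2. Single authoritative feature-flag registry ---------------------------

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct FeatureFlag {
    pub name: &'static str,
    pub enabled: bool,
    /// A flag that changes which tools are visible is part of the API surface.
    pub changes_tool_visibility: bool,
    pub description: &'static str,
}

/// All gates the agent may consult are declared here and nowhere else, so an
/// operator's `list-features` output can never miss one.
#[derive(Default)]
pub struct FeatureRegistry {
    flags: BTreeMap<&'static str, FeatureFlag>,
}

impl FeatureRegistry {
    pub fn register(&mut self, flag: FeatureFlag) {
        self.flags.insert(flag.name, flag);
    }

    /// Unknown flags are always off: a gate that was never registered cannot be on.
    pub fn is_enabled(&self, name: &str) -> bool {
        self.flags.get(name).map_or(false, |f| f.enabled)
    }

    /// Text a `list-features` subcommand would print: one flag per line, sorted by name.
    pub fn list_features(&self) -> String {
        self.flags
            .values()
            .map(|f| {
                format!(
                    "{:<22} {:<3} {}{}\n",
                    f.name,
                    if f.enabled { "on" } else { "off" },
                    f.description,
                    if f.changes_tool_visibility { " [changes tool visibility]" } else { "" }
                )
            })
            .collect()
    }

    /// Flags that alter tool visibility, so reviewers can check each one is documented.
    pub fn visibility_affecting(&self) -> Vec<&'static str> {
        self.flags.values().filter(|f| f.changes_tool_visibility).map(|f| f.name).collect()
    }
}

// --- 3. Structured invocation record, emitted before control returns --------

/// Minimal JSON string escaping (quotes, backslashes, control characters).
fn json_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// One JSON line per tool call: tool name, full argument vector, exit code.
/// Write this to the structured sink before handing the result back to the loop.
pub fn invocation_record(tool: &str, args: &[&str], exit_code: i32) -> String {
    let args_json: Vec<String> = args.iter().map(|a| json_str(a)).collect();
    format!(
        "{{\"event\":\"tool_invocation\",\"tool\":{},\"args\":[{}],\"exit_code\":{}}}",
        json_str(tool),
        args_json.join(","),
        exit_code
    )
}

fn main() {
    // Constructed sample release set and flags.
    let release = ["dist/cli.js", "dist/cli.js.map", "bin/agent.pdb", "README.md"];
    let leaked = debug_artifacts_in_release(&release);
    if !leaked.is_empty() {
        eprintln!("release gate FAILED: debug artifacts present: {:?}", leaked);
    }
    let mut registry = FeatureRegistry::default();
    registry.register(FeatureFlag { name: "structured_tool_log", enabled: true, changes_tool_visibility: false, description: "Emit a JSON record per tool call" });
    registry.register(FeatureFlag { name: "undercover_mode", enabled: false, changes_tool_visibility: true, description: "Hides AI-authorship markers; documented API, off by default" });
    print!("{}", registry.list_features());
    println!("{}", invocation_record("bash", &["-c", "echo \"hi\""], 0));
}
```

The remaining checklist item, a function-length limit, is a configuration matter rather than code: enable `clippy::too_many_lines` and set `too-many-lines-threshold` in `clippy.toml` to the ceiling the team agrees on, and run clippy with `-D warnings` in CI so a 3,000-line function cannot merge.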

The community's instinct to rebuild on a Rust-native runtime surface was reasonable: statically linked binaries eliminate the Node and Bun attack surface and produce artifacts that are far easier to audit. Baba urged careful legal and security review before adopting any derivative artifact born from the leak. The harder discipline, as any Rust project that survives its first year discovers, is keeping the surface auditable once momentum picks up.
