Claude Code leak analyses map cch signing details

• Community reverse engineers said Claude Code's cch= request-signing system is now fully mapped, after earlier posts flagged that Anthropic was computing a hash below the JavaScript layer and attaching it to API traffic Early cch signing warning Reverse engineering claim.
• The leak turned into a useful architecture map: posts and visualizations traced Claude Code's hook lifecycle, tool orchestration, permission gates, and session flow, with official docs independently confirming events like PreToolUse, PermissionRequest, PermissionDenied, PreCompact, and PostCompact (Alex Kim's analysis, Claude Code Unpacked, Hooks reference, HN summary of leak findings).
• Multiple analyses converged on context handling as the most interesting subsystem, including a four-part compaction stack and a guardrail added after repeated auto-compact failures reportedly wasted about 250,000 API calls per day Zhihu thread roundup HN summary of leak findings.
• The leak also exposed product scaffolding that had not been publicly documented, especially KAIROS, an apparent always-on background agent mode, plus related daemon, webhook, and periodic refresh plumbing HN on Claude Code Unpacked KAIROS commentary.

You can read the source leak write-up, browse the interactive Claude Code Unpacked, and compare those findings to Anthropic's own hooks reference and settings docs. The interesting bit is how much of the runtime shape is now visible: decoy tools, compaction failure counters, hook events that line up with official docs, and a client attestation scheme that the reverse-engineering crowd says they have already cracked Reverse engineering claim.

The clearest new technical thread after the initial leak was cch=. Alex Kim's read of the leaked code says Claude Code places a cch=00000 placeholder into a billing header, then Bun's native HTTP stack replaces those zeros with a computed hash before the request leaves the process, letting Anthropic validate that traffic came from a genuine Claude Code client rather than a lookalike Alex Kim's analysis.

That is the same mechanism Paolo Anzani first warned about, and later said had been fully reverse engineered by community researchers Early cch signing warning Reverse engineering claim. The public evidence here is stronger on existence than on robustness: the signing path appears real, but the only fresh claim about the bypass is the researchers' statement that they cracked it.

The leak mattered because it exposed the agent's control plane, not just its prompt text. Community analysis and the official docs now line up on the same core lifecycle surface:

• PreToolUse, before a tool call, can block execution
• PermissionRequest, when Claude Code raises a permission dialog
• PermissionDenied, after the auto mode classifier rejects a tool
• PostToolUse and PostToolUseFailure, after execution
• PreCompact and PostCompact, around context compaction
• SessionStart, SessionEnd, SubagentStart, and SubagentStop, around longer-running session and agent activity

Hooks reference documents those events directly. Claude Code settings also says project settings can be shared for permissions, hooks, and MCP servers, which fits the leak-era discussion that the hook system was clean enough to build tooling on top of Fresh HN discussion on hooks.

The most useful leak detail for people building long-running agents was the context stack. One widely shared summary broke it into four layers: HISTORY_SNIP, Microcompact, CONTEXT_COLLAPSE, and Autocompact Zhihu thread roundup.

Alex Kim's post adds the ugly production number attached to that system: a code comment saying repeated autocompact failures were wasting roughly 250,000 API calls a day globally before a MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES = 3 cap was added Alex Kim's analysis. HN follow-up discussion around Claude Code Unpacked tied the same subsystem to conservative rereads, permission interruptions, and fragile session resume once contexts get long Fresh HN discussion on Unpacked.

The most bookmark-worthy roadmap leak was KAIROS. Across blog analysis, the interactive code map, and HN discussion, it shows up as scaffolding for an always-on agent with daily logs, GitHub webhook subscriptions, background daemon workers, and scheduled refreshes every five minutes (Alex Kim's analysis, Claude Code Unpacked).

That is distinct from the normal request-response CLI shape. Fresh HN comments highlighted a reported 15-second blocking budget and described KAIROS as a materially different interruption-aware background mode, while the same Unpacked project also surfaced adjacent unreleased pieces like Bridge remote control and Daemon Mode Fresh HN discussion on hooks HN on Claude Code Unpacked.