New analysis of the leaked Claude Code package points to Conway and KAIROS agent scaffolding, hook lifecycles, and other internals. Community posts also claim the cch signing scheme has been reverse engineered, so watch for further fallout from the source exposure.

The cch= signing system has been reverse engineered, extending the fallout from the original package exposure (cch reverse engineering claim, HN thread). You can read Alex Kim's writeup, browse the interactive architecture map, and compare the leak chatter with Anthropic's public hooks docs. The weird part is how much of the product surface was already visible in public docs, while the leak filled in the hidden mechanics: fake tools, background-agent scaffolding, and internal permission flow.
The first public thread framed this as a source-map exposure in Anthropic's npm registry, with the package left reachable even after deprecation chatter started on Hacker News (HN summary). That makes this closer to a packaging failure than a conventional breach.
Claude Code Source Code Leaked via NPM Map File
2.1k upvotes · 1k comments
Alex Kim's analysis pegs the exposed codebase at thousands of TypeScript files and highlights several internals that were never part of Claude Code's polished public story, including ANTI_DISTILLATION_CC, an undercover mode, a frustration detector, and references to unreleased agent modes (Alex Kim analysis). The HN thread also zeroed in on a possible Bun source-map bug, though that remained a commenter theory rather than a settled cause.
One reason engineers kept reading past the leak headline is that the code appears to expose a fairly clean agent runtime. HN commenters called out the PreToolUse and PostToolUse lifecycle as unusually usable plumbing for building real tooling on top (Fresh discussion on Alex Kim post).
Fresh discussion on The Claude Code Source Leak: fake tools, frustration regexes, undercover mode
1.4k upvotes · 570 comments
Fresh discussion on Claude Code Unpacked : A visual guide
1.1k upvotes · 397 comments
Anthropic's own hooks reference documents the same basic lifecycle in public: SessionStart, PreToolUse, PostToolUse, permission-related events, async hooks, and HTTP hooks. The leak analysis adds the part the docs do not show, namely how those lifecycles interact with conservative context management, repeated file rereads, and fragile resume behavior once sessions get long (Fresh HN discussion on Unpacked).
KAIROS is the reveal that kept surfacing in both writeups and discussion. Alex Kim describes it as an unreleased autonomous agent mode, while the Unpacked project lists Kairos persistent mode alongside other hidden features such as Bridge remote control, Coordinator Mode, UltraPlan, and Daemon Mode (Alex Kim analysis, Claude Code Unpacked).
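A guardrail built on the PreToolUse event described above, as an added example that is not code from Anthropic, the leaked package, or any cited writeup. It assumes the hook receives a JSON event on stdin with `hook_event_name`, `tool_name` and `tool_input.command`, and that exit code 2 blocks the tool call and returns stderr to the model; check both against the public hooks reference. The deny rules are constructed for illustration.

```python
import json
import re
import sys

# Constructed deny rules; replace with your own policy.
DENY_PATTERNS = [
    (re.compile(r"\bcurl\b[^|]*\|\s*(ba)?sh\b"), "piping a download into a shell"),
    (re.compile(r"(^|\s)(cat|less|cp)\s+\S*\.env\b"), "reading a .env secrets file"),
    (re.compile(r"\bnpm\s+publish\b"), "publishing a package from an agent session"),
]

ALLOW, BLOCK = 0, 2  # assumed exit-code contract: 0 proceeds, 2 blocks


def evaluate(event):
    """Return (exit_code, message) for one decoded hook event."""
    if not isinstance(event, dict):
        return BLOCK, "hook event was not a JSON object"
    # Only gate shell commands before they run; ignore other events and tools.
    if event.get("hook_event_name") != "PreToolUse":
        return ALLOW, ""
    if event.get("tool_name") != "Bash":
        return ALLOW, ""
    tool_input = event.get("tool_input")
    if not isinstance(tool_input, dict) or not isinstance(tool_input.get("command"), str):
        return BLOCK, "Bash event without a command string"  # fail closed
    for pattern, reason in DENY_PATTERNS:
        if pattern.search(tool_input["command"]):
            return BLOCK, f"blocked by policy: {reason}"
    return ALLOW, ""


def main():
    try:
        event = json.load(sys.stdin)
    except json.JSONDecodeError:
        print("hook input was not valid JSON", file=sys.stderr)
        return BLOCK  # fail closed on unparseable input
    code, message = evaluate(event)
    if message:
        print(message, file=sys.stderr)
    return code


if __name__ == "__main__":
    sys.exit(main())
```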
The Conway material is thinner but still notable. TestingCatalog posted a slide and follow-up claim describing a separate UI, browser control, connectors, Claude Code integration, webhook invocation, and a CNW zip standard for extensions (TestingCatalog Conway thread). Put together, KAIROS looks like leaked code scaffolding, Conway looks like leaked product positioning, and both point toward Anthropic working on more persistent agent workflows than the current CLI exposes.
A smaller but concrete follow-on claim is that Claude Code's cch= signing system has now been reverse engineered (cch reverse engineering claim). Earlier leak analysis had already described cch=00000 checks as a mechanism that appeared to fence off third-party tools such as OpenCode (Alex Kim analysis).
That shifts the story from code voyeurism to ecosystem consequences. Once the signing scheme becomes understandable outside Anthropic, the practical boundary between official and unofficial Claude Code tooling gets a lot thinner, at least for people willing to build around leaked implementation details.
It is remote + webhooks/extensions
we cracked it. the cch= signing system in claude code is fully reverse engineered - all credits for the work go to @ssslomp who did an amazing re work now any opensource client can let users actually use the anthropic subscription they already paid for. with whatever tool they…
CAREFUL: anthropic built a signature system into claude code. every API request gets signed with a cch= hash thats computed in compiled zig code if you recompile the client yourself it just sends zeros instead. they can instantly tell its not legit right now you literally can't