Clawback releases Claude Code hook layer for stop-checks and PostToolUse enforcement
Clawback turns leaked Claude Code verification patterns into stop, pre-tool, post-tool, and post-compaction hooks. It replaces prompt-only guardrails with deterministic checks and shows how fast the source-map leak is becoming third-party control layers.

TL;DR
- A Reddit post announcing Clawback turns the leaked
USER_TYPE === 'ant'verification pattern into a public hook kit, and the Clawback repo says its stop hook blocks Claude Code from finishing until typecheck and lint pass. - The same post splits the design into mechanical hooks and a behavioral
CLAUDE.md, while the official hooks guide describes hooks as a way to get deterministic control instead of hoping the model chooses to run checks. - Alex Kim's leak analysis and the main HN thread helped establish the backdrop: fake-tool anti-distillation, frustration regexes, compaction quirks, and other internal guardrails were sitting in a leaked source map.
- Claude Code Unpacked mapped the leaked CLI at 50 plus tools and 70 plus commands, and its HN discussion framed that complexity as the state-management cost of making an agent CLI behave consistently.
You can read the Clawback repo, compare it with iamfakeguru's claude-md, and cross-check the public extension points in Anthropic's hooks reference. Claude Code Unpacked also gives a quick visual map of the agent loop, tool system, and the unreleased features people kept pulling out of the leak.
Clawback
The leaked employee verification loops — reimplemented as hooks, not prompts
0 comments
Clawback is a small but telling follow-up to the Claude Code source-map leak. Instead of copying internal flags, the repo uses Claude Code's public hooks API to recreate the part people actually wanted: hard stop-checks.
Its five-hook layout is very literal:
protect-filesonPreToolUseblocks edits to.env, lockfiles, and.git/post-editonPostToolUseruns formatting and report-only lint after editsstop-verifyonStopruns full typecheck plus lint, with a three-strike circuit breakerpost-compactonPostCompactre-injects git state andgotchas.mdnotificationonNotificationsurfaces desktop alerts
Hooks, not prompts
The Claude Code Source Leak: fake tools, frustration regexes, undercover mode, and more
Alex Kim analyzes Anthropic's accidental leak of Claude Code's full source code via a .map file in their npm package, discovered by Chaofan Shou. Key findings include: ANTI_DISTILLATION_CC flag injecting fake tools; undercover mode stripping internal references like codenames 'Capybara' and 'Tengu'; regex detecting user frustration (e.g., 'wtf', 'shit'); API key hashing for enforcement against third-party tools like OpenCode; ~250K wasted API calls daily from compaction failures; and references to unreleased KAIROS autonomous agent mode. This follows a prior model spec leak, amid legal actions against competitors.
The interesting design choice is the split between prompt guidance and enforced checks. The Reddit write-up explicitly calls prompts requests and hooks guarantees, which is almost a direct answer to iamfakeguru's claude-md: prompt engineering can reconstruct behavior, but it can still be skipped under context pressure.
That framing matches Anthropic's own wording. In the official hooks guide, hooks are described as deterministic controls that ensure actions happen at specific lifecycle points, including validation, formatting, and project rule enforcement.
The leak is already spawning control layers
Claude Code Unpacked
Interactive visual guide to the leaked Claude Code source code, detailing the agent loop from user input to response, architecture explorer with source tree, full tool system (50+ tools across categories like file ops, execution, search), command catalog (70+ slash commands), and hidden unreleased features such as Buddy virtual pet, Kairos persistent mode, UltraPlan, Coordinator Mode, Bridge remote control, and Daemon Mode. Stats: 500K+ lines, 500+ files, 50+ tools, 100+ commands.
The broader story is how fast the leak turned into reference material and third-party tooling. Claude Code Unpacked turned the codebase into an explorable map of the agent loop, source tree, tool system, and hidden features, while its HN thread treated the 500K line size as evidence of how much defensive machinery sits behind a coding agent CLI.
Clawback takes a narrower path than the leak tourism. It picks one concrete internal pattern, verification before completion, and ships it back as an installable layer on top of documented hook events such as PreToolUse, PostToolUse, Stop, and PostCompact in Anthropic's hooks reference.