A comprehensive look at Anthropic's Claude Code source code: Why is it better than others?

PA荐读
PA荐读
  • On March 31, 2026, security researchers discovered that Claude Code's TypeScript source code was leaked, exposing 510,000 lines of code.
  • Claude Code is designed as an operating system rather than a simple AI assistant, with a strict security framework for local environment access.
  • The prompt system uses dynamic assembly and caching boundaries to optimize costs and speed.
  • The tool system includes 42 tools with lazy loading and fail-closed design, enforcing read-before-edit rules for safety.
  • The memory system employs AI retrieval and nightly consolidation to remember user preferences and context.
  • Multi-agent architecture allows for sub-agent generation and coordinator mode, enabling parallel task handling.
  • Three-layer context compression prevents conversation limits, including micro-compaction, auto-compaction, and AI summarization.
  • Key insights: AI Agent development focuses on engineering infrastructure, prompt engineering is systematic, and design must account for failures.
Summary

Author: Yuker

On March 31, 2026, security researcher Chaofan Shou discovered that the source map files were not stripped from the Claude Code package published to npm by Anthropic.

This means that Claude Code's complete TypeScript source code, 512,000 lines and 1,903 files, has been exposed to the public internet.

I certainly couldn't possibly read through all that code in just a few hours, so I approached the source code with three questions in mind:

  1. What are the fundamental differences between Claude Code and other AI programming tools?

  2. Why does he have a better "feel" for coding than others?

  3. What is hidden in 510,000 lines of code?

After reading it, my first reaction was: This is not an AI programming assistant, it is an operating system.

First, let me tell you a story: If you were to hire a remote programmer

Imagine you hire a remote programmer and give him remote access to your computer.

what will you do?

If you're a Cursor , here's what you'd do: Have him sit next to you, and before he types a command, glance at him and click "allow." Simple and straightforward, but you'll have to keep an eye on him.

If you're a GitHub Copilot Agent , here's what you do: give them a brand new virtual machine and let them experiment freely. When they're done, they commit their code, you review it, and then you merge it. It's secure, but they can't see your local environment.

If you are using Claude Code :

You let him use your computer directly—but you've equipped him with an extremely sophisticated security system. What he can and cannot do, which operations require your approval, which he can do himself, and even his use of `rm -rf` requires nine layers of review before execution.

These are three completely different security philosophies:

Why did Anthropic choose the most difficult path?

Only in this way can AI work using your terminal, your environment, and your configuration —this is what it truly means to "write code for you," rather than "writing a piece of code for you in a clean room and then copying it over."

But what was the cost? They wrote 510,000 lines of code for it.

II. Your perception of Claude Code vs. the actual Claude Code

Most people imagine AI programming tools to look like this:

 The Claude Code is actually as follows: 
 I'm sure everyone is curious about what's on top. Don't worry, let's take it apart one by one.
 Third, the first secret: the clue words are not written down, but "assembled".
 Open src/constants/prompts.ts, and you will see this function:
 export async function getSystemPrompt( tools: Tools, model: string, additionalWorkingDirectories?: string[], mcpClients?: MCPServerConnection[], ): Promise<string[]> { return [ // --- 静态内容(可缓存)--- getSimpleIntroSection(outputStyleConfig), getSimpleSystemSection(), getSimpleDoingTasksSection(), getActionsSection(), getUsingYourToolsSection(enabledTools), getSimpleToneAndStyleSection(), getOutputEfficiencySection(), // === 缓存边界=== ...(shouldUseGlobalCacheScope() ? [SYSTEM_PROMPT_DYNAMIC_BOUNDARY] : []), // --- 动态内容(每次不同)--- ...resolvedDynamicSections, ].filter(s => s !== null) }
 Did you notice SYSTEM_PROMPT_DYNAMIC_BOUNDARY ?
 This is a caching boundary . Content above the boundary is static; the Claude API can cache it to save on token costs. Content below the boundary is dynamic—your current Git branch, your CLAUDE.md project configuration, the preferences you previously told it to remember… it changes with every interaction.
 what does that mean?
 Anthropic treats prompts as compiler output for optimization. The static part is the "compiled binary," and the dynamic part is the "runtime parameters." The advantages of this approach are:
  1.  Cost-effective : Static data is cached, preventing duplicate billing.
  2.  Fast : Cache hits directly skip the processing of these tokens.
  3.  Flexible : The dynamic component allows each conversation to be aware of the current environment.
 ⛏️Each tool comes with its own "user manual"
 What shocked me even more was that each tool directory contained a prompt.ts file— a user manual specifically written for LLM users.
 Take a look at BashTool's file (src/tools/BashTool/prompt.ts, around line 370): 
 This isn't a document written for humans; it's a code of conduct written for AI . These rules are injected into the system prompts every time Claude Code is launched.
 This is why Claude Code never arbitrarily calls `git push --force`, while some tools do— not because the model is smarter, but because the rules are clearly stated in the prompts.
 Furthermore, the internal version of Anthropic is different from the one you are using.
 The code contains a large number of branches like this: 
 Ant refers to internal staff at Anthropic. Their version has more detailed code style guidelines ("Don't write comments unless the WHY is not obvious"), a more aggressive output strategy ("Inverted pyramid writing"), and some experimental features that are still being A/B tested (Verification Agent, Explore & Plan Agent).
 This shows that Anthropic itself is Claude Code's biggest user. They are using their own product to develop their own product.
 Fourth, the second secret: 42 tools, but you've only seen the tip of the iceberg.
 Open src/tools.ts, and you will see the tool registry: 
 There are 42 tools, but you'll never see most of them directly. This is because many tools are lazily loaded —they are only injected on demand via ToolSearchTool when the LLM needs them.
 Why do this?
 Because each additional tool requires an extra description for the system prompts, and the token costs extra. If you just want Claude Code to help you modify a single line of code, it doesn't need to load the "scheduled task scheduler" and the "team collaboration manager."
 There's an even smarter design: 
 Setting CLAUDE_CODE_SIMPLE=true reduces Claude Code to only three tools: Bash, file reading, and file editing. This is a backdoor for minimalists.
 1️⃣ All tools come from the same factory. 
 Note the default values: isConcurrencySafe defaults to false, and isReadOnly defaults to false.
 This is called fail-closed design—if a tool's author forgets to declare security attributes, the system assumes it's "insecure and writable." It's better to be overly conservative than to overlook a risk.
 2️⃣ The Ironclad Rule of "Read First, Then Revise" 
 FileEditTool will check if you have already read the file using FileReadTool. If not, it will report an error and prevent you from making changes.
 This is why Claude Code doesn't "write code out of thin air and overwrite your file" like some tools do—it's required to understand before you modify.
 Fifth, the third secret: the memory system—why it can "remember you"
 Anyone who has used Claude Code has one thing in common: it seems to really know you.
 If you tell it "Don't mock the database in tests," it won't mock it again in the next conversation. If you tell it "I'm a backend engineer, React newbie," it will use backend analogies when explaining frontend code.
 Behind this is a complete memory system.
 1️⃣ Use AI to retrieve memories 
 Claude Code uses another AI (Claude Sonnet) to determine "which memories are relevant to the current conversation".
 It's not keyword matching, nor is it vector search—it's about having a small model quickly scan the titles and descriptions of all the memory files, select up to five of the most relevant ones, and then inject their full content into the context of the current conversation.
 The strategy is "precision over recall" —it's better to miss a potentially useful memory than to include an irrelevant memory that pollutes the context.
 ⏰KAIROS Mode: Nighttime "Dreaming"
 This is the part that I find most sci-fi.
 There's a feature flag in the code called KAIROS. In this mode, memories from long sessions aren't stored in structured files, but rather in date-based append-only logs . Then, a /dream skill runs during "nighttime" (low-activity periods) to distill these raw logs into structured topic files. 
 AI organizes its memories while it's "sleeping." This is no longer engineering; it's bionics.
 Sixth, the fifth secret: It is not an agent, but a group of...
 When you ask Claude Code to do a complex task, it might be doing this quietly: 
 It generated a sub-Agent .
 Furthermore, the sub-agent has strict "self-awareness" injection to prevent it from recursively generating more sub-agents: 
 This code is saying: "You are a worker, not a manager. Don't think about hiring anyone else; do the work yourself."
 👤 Coordinator Mode: Manager Mode
 In coordinator mode, Claude Code becomes a pure task orchestrator, doing nothing itself but assigning tasks: 
 The core principles are written in the code comments:
 "Parallelism is your superpower" Read-only research task: run in parallel. Writing file task: run serially in groups by file (avoid conflicts).
 🗣️Optimized Prompt Cache
 To maximize the cache hit rate of the child agents, the tool results for all forked child agents use the same placeholder text : 
 Why? Because the Claude API's prompt cache is based on byte-level prefix matching . If the prefix bytes of 10 sub-agents are completely identical, then only the first one needs a "cold start," and the following 9 will directly hit the cache.
 This is an optimization that saves a few cents per call, but with large-scale use, it can save a lot of costs.
 VII. The Sixth Secret: Three-Layer Compression ensures dialogue "never exceeds limits"
 All LLMs have a context window limit. The longer the conversation and the more historical messages, the more likely it is to exceed the limit.
 Claude Code employs a three-layer compression design for this purpose:
 1️⃣ First layer: Micro-compression – minimum cost
 export async function microcompactMessages(messages, toolUseContext, querySource) { // 时间触发:如果上次交互已过很久,服务器缓存已冷const timeBasedResult = maybeTimeBasedMicrocompact(messages, querySource) if (timeBasedResult) return timeBasedResult // 缓存编辑路径:通过API 的缓存编辑功能直接删除旧内容if (feature('CACHED_MICROCOMPACT')) { return await cachedMicrocompactPath(messages, querySource) } }
 Micro-compression only affects the results of old tool calls—replacing " the contents of the 500-line file read 10 minutes ago" with "[Old tool result content cleared]" .
 The prompts and main dialogue are fully preserved.
 2️⃣ Second layer: Automatic compression – active shrinkage
 Automatic triggering occurs when the token consumption approaches 87% of the context window (window size - 13,000 buffer). A circuit breaker is implemented: after three consecutive failed compression attempts, attempts cease to attempt, preventing an infinite loop.
 3️⃣ Third Layer: Complete Compression – AI Summary
 The AI ​​generates a summary of the entire conversation, then replaces all historical messages with the summary. There is a strict pre-command for generating the summary: 
 Why be so strict? Because if the AI ​​calls upon tools again during the summary process, it will consume even more tokens , which is counterproductive. This prompt is essentially saying: "Your task is to summarize; don't do anything else."
 Compressed token budget:
  •  File recovery: 50,000 tokens
  •  Maximum of 5,000 tokens per file
  •  Skill Requirements: 25,000 tokens
 These numbers weren't just arbitrary figures—they represent a balance between "preserving enough context to continue working" and "making enough room to receive new messages."
 8. What did I learn after reading this source code?
 1️⃣ 90% of the workload for AI Agents is outside of "AI".
 Of the 510,000 lines of code, less than 5% actually calls the LLM API. What's the remaining 95%?
  •  Security check (18 files for a single BashTool)
  •  Access control system (allow/deny/ask/passthrough four-state decision-making)
  •  Context management (three-layer compression + AI memory retrieval)
  •  Error recovery (circuit breakers, exponential backoff, Transcript persistence)
  •  Multi-agent coordination (swarm orchestration + email communication)
  •  UI Interaction (140 React Components + IDE Bridge)
  •  Performance optimization (prompt cache stability + parallel prefetching at startup)
 If you're developing an AI agent product, this is the real problem you need to solve. It's not about whether the model is smart enough, but whether your scaffolding is sturdy enough.
 2️⃣ A good prompt word project is a systematic project.
 It's not enough to just write a nice prompt. The Claude Code hints are:
  •  7-layer dynamic assembly
  •  Each tool comes with its own user manual.
  •  Precise Cache Boundary Delineation
  •  Internal and external versions have different instruction sets.
  •  The tool sorting is fixed to keep the cache stable.
 This is engineered prompt management, not handcrafted.
 3️⃣ Designed for failure
 Each external dependency has a corresponding failure strategy:
 
 4️⃣Anthropic is treating Claude Code like an operating system.
 42 tools = System call permission system = User permission management skills system = App store MCP protocol = Device driver agent swarm = Process management context compression = Memory management Transcript persistence = File system
 This is not a "chatbot plus a few tools", it is an operating system with an LLM kernel.
 Summarize
 510,000 lines of code. 1,903 files. 18 security files for a single Bash tool.
 Nine layers of review are all to ensure that AI can safely type a single command for you.
 This is Anthropic's answer: To make AI truly useful, you can't cage it, nor can you let it run naked. You have to build a complete trust system for it.
 The cost of this trust system is 510,000 lines of code.
Share to:
Author: PA荐读
Opinions belong to the column author and do not represent PANews.
This content is not investment advice.
Image source: PA荐读. If there is any infringement, please contact the author for removal.
Follow PANews official accounts, navigate bull and bear markets together
Telegram Discussion Group
Telegram News Channel
@PANews
Recommended Reading
PA一线
PA一线
OpenAI loses favor in the secondary market, investors flock to Anthropic
PA一线
PA一线
Cango raises $75 million to further its Bitcoin mining and AI infrastructure development.
PA一线
PA一线
Machi revealed that he has paid over $1.94 million in transaction fees to Hyperliquid.
PA一线
PA一线
SoftBank executed its first $10 billion investment in OpenAI.
Odaily星球日报
Odaily星球日报
Stripe goes up, PayPal goes down: The new king of digital economy payments ascends the throne in 2026.
PA一线
PA一线
ARK plans to include private company OpenAI in part of its ETF.
Popular Articles
Industry News
Market Trends
Curated Readings
Subscribe
PANews App
24/7 blockchain news tracking and in-depth analysis.
Download PANews App
App StoreGoogle Play
PANews APP
Paradigm is developing a prediction market trading terminal, betting on professional trading needs.
PANews Newsflash