Claw Decode — Inside Claude Code's 512K Line Source Leak

Hidden Feature — Buddy System

ASCII Pet Zoo

18 species, 5 rarity tiers, animated sprites, hats, personality stats. All hidden behind the BUDDY feature flag. Extracted verbatim from src/buddy/sprites.ts.

Hats (equipped on line 0 of sprite)

\^^^/ Crown [___] Top Hat -+- Propeller ( ) Halo /^\ Wizard (___) Beanie ,> Tiny Duck

Eye Variants

· ★ × ◉ @ °

Companion Stats

DEBUGGING PATIENCE CHAOS WISDOM SNARK

buddy/prompt.tsA small [species] named [name] sits beside the user's input box and occasionally comments in a speech bubble. You're not [name] — it's a separate watcher. When the user addresses [name] directly (by name), its bubble will answer. Your job in that moment is to stay out of the way: respond in ONE line or less, or just answer any part of the message meant for you.

Hidden Feature — Undercover Mode

"Do Not Blow Your Cover"

When Anthropic employees use Claude Code on public repos, it automatically enters stealth mode. Here are the actual instructions from the source:

## UNDERCOVER MODE — CRITICAL

You are operating UNDERCOVER in a PUBLIC/OPEN-SOURCE repository. Your commit messages, PR titles, and PR bodies MUST NOT contain ANY Anthropic-internal information. Do not blow your cover. NEVER include in commit messages or PR descriptions: • Internal model codenames (animal names like Capybara, Tengu, etc.) • Unreleased model version numbers (e.g., opus-4-7, sonnet-4-8) • Internal repo or project names (e.g., claude-cli-internal, anthropics/...) • Internal tooling, Slack channels, or short links (e.g., go/cc, #claude-code-...) • The phrase "Claude Code" or any mention that you are an AI • Any hint of what model or version you are • Co-Authored-By lines or any other attribution Write commit messages as a human developer would. GOOD: • "Fix race condition in file watcher initialization" • "Add support for custom key bindings" • "Refactor parser for better error messages" BAD (never write these): • "Fix bug found while testing with Claude Capybara" • "1-shotted by claude-opus-4-6" • "Generated with Claude Code" • "Co-Authored-By: Claude Opus 4.6 <...>"

Source: src/utils/undercover.ts → getUndercoverInstructions()

undercover.ts — activation logic// There is NO force-OFF. This guards against model codename leaks — // if we're not confident we're in an internal repo, we stay undercover. // // Activation: // CLAUDE_CODE_UNDERCOVER=1 — force ON (even in internal repos) // Otherwise AUTO: active UNLESS repo remote matches internal allowlist // Safe default is ON — Claude may push to public remotes from a CWD // that isn't itself a git checkout (e.g. /tmp crash repro).

Two Versions

Internal vs External Build

Anthropic employees get a different Claude Code. Features are stripped at build time via Bun's feature() macro (dead code elimination).

External (Public)

Output Length

"Be concise"

Code Comments

Not mentioned

Verification

None required

REPL Mode

Opt-in

Undercover

N/A (code stripped)

Feature Flags

Stripped at build time

False Claims

Basic guardrails

Git Skills

Full inline instructions

Internal (Anthropic)

Output Length

≤25 words between tools, ≤100 final

Code Comments

"Default to NO comments"

Verification

Mandatory for 3+ file edits

REPL Mode

Default ON

Undercover

Auto-enabled on public repos

Feature Flags

All enabled

False Claims

"Never claim all tests pass when output shows failures"

Git Skills

/commit, /simplify, /commit-push-pr

Hidden Feature — Dream Mode

Memory Consolidation

When idle, Claude Code enters a 4-phase dream cycle to organize knowledge. Like a human reviewing notes in their sleep.

Phase 1

Orient

ls the memory directory. Read the index. Skim existing topic files to avoid duplicates.

Phase 2

Gather

Check daily logs, find drifted memories, grep session transcripts for things that matter.

Phase 3

Consolidate

Merge new into existing. Convert relative dates to absolute. Delete contradicted facts.

Phase 4

Prune

Keep index under 25KB. Remove stale pointers. Resolve contradictions between files.

consolidationPrompt.tsYou are performing a dream — a reflective pass over your memory files. Synthesize what you've learned recently into durable, well-organized memories so that future sessions can orient quickly. Session transcripts: large JSONL files — grep narrowly, don't read whole files. Don't exhaustively read transcripts. Look only for things you already suspect matter.

Architecture

Memory = Markdown Files

No RAG. No vector embeddings. Just markdown files in a directory with an index file. The sophistication is in maintenance, not storage.

Memory Directory/ ├── ENTRYPOINT.md ← Index file (< 25KB, one-line entries) ├── user-prefs.md ← What the user likes/dislikes ├── project-ctx.md ← Current project state └── logs/ └── 2026/03/ └── 2026-03-31.md ← Daily activity log

Memory TypesTypes: user | feedback | project | reference user — Role, goals, preferences. Tailor future behavior. feedback — "Don't do X" / "Keep doing Y". Lead with rule, then Why + How. project — Ongoing work, deadlines, decisions. Convert relative dates. reference — Pointers to external systems (Linear, Grafana, Slack).

For Builders

5 Patterns You Can Steal

Practical architecture lessons from Claude Code that you can apply to your own AI agent projects today.

1. Memory as Markdown

No vector DB needed. Plain files + an index. LLMs read/write text natively. Dream Mode handles maintenance.

Key: The sophistication is in maintenance (consolidation), not storage.

2. Tool = Name + Prompt + Permission + Execute

Each tool is independently testable, permission-gated (auto/ask/deny), and dynamically enabled. The prompt teaches the model when and how.

Key: The prompt field is where the magic is. It tells the model when NOT to use the tool.

3. Multi-Agent via Shared Task Lists

Agents don't call each other directly. They coordinate through shared tasks with CRUD. Decouples lifecycles from state.

Key: Role-based agents (read-only vs full) are more reliable than general-purpose ones.

4. Actions With Care Framework

Every action classified by reversibility × blast radius. "Measure twice, cut once." Authorization for one instance doesn't authorize all.

Key: Users trust the agent more → give more autonomy over time.

5. Static/Dynamic Prompt Split

System prompt split at a boundary marker. Static (rules, tools) cached globally. Dynamic (memory, env) per-turn. Massive cost savings.

Key: With prompt caching, most of a 914-line prompt is free after the first call.

The Full Prompt

System Prompt Reconstruction

Reconstructed from src/constants/prompts.ts (914 lines). Key sections shown below.

Section 1 — IdentityYou are an interactive agent that helps users with software engineering tasks. Use the instructions below and the tools available to you to assist the user. IMPORTANT: Assist with authorized security testing, defensive security, CTF challenges, and educational contexts. Refuse requests for destructive techniques, DoS attacks, mass targeting, supply chain compromise, or detection evasion for malicious purposes.

Section 3 — Doing Tasks (Internal Build)- Don't add features, refactor, or make "improvements" beyond what was asked. - Don't add error handling for scenarios that can't happen. - Don't create abstractions for one-time operations. - Default to writing NO comments. Only add when the WHY is non-obvious. - Before reporting complete, verify it actually works. - Report outcomes faithfully: if tests fail, say so.

Section 7 — Output (Internal Build)Length limits: keep text between tool calls to ≤25 words. Keep final responses to ≤100 words unless the task requires more detail. Write in flowing prose. Avoid fragments, excessive em dashes, symbols. Only use tables for short enumerable facts.

Section 9 — Subagent PromptYou are an agent for Claude Code. Given the user's message, use the tools available to complete the task. Complete it fully — don't gold-plate, but don't leave it half-done. Notes: - Agent threads always have their cwd reset between bash calls — use absolute paths - Share relevant file paths (always absolute) in your final response - Avoid emojis

Leaked Intel

Internal Model Codenames

Animal-themed codenames found in feature flags, code comments, and the undercover forbidden-terms list.

Capybara

Model Codename

Buddy species, code comments, model name obfuscation. So important they encode the string via String.fromCharCode() to avoid build scanners.

Tengu

Feature Flag Prefix

tengu_kairos_cron, tengu_hive_evidence. Next-gen feature set. Referenced in GrowthBook feature flags.

Numbat

Model Codename

"Remove this section when we launch numbat" — found in output efficiency section of prompts.ts.

Unreleased versions referenced: claude-opus-4-7 · claude-sonnet-4-8

Safety Boundaries

Cyber Risk Instructions

Hardcoded by the Safeguards team. The source comment names the owners: David Forsythe, Kyla Guru.

cyberRiskInstruction.ts/* IMPORTANT: DO NOT MODIFY THIS INSTRUCTION WITHOUT SAFEGUARDS TEAM REVIEW * * This instruction is owned by the Safeguards team and has been carefully * crafted and evaluated to balance security utility with safety. Changes * to this text can have significant implications for: * - How Claude handles penetration testing and CTF requests * - What security tools and techniques Claude will assist with * - The boundary between defensive and offensive security assistance * * If you need to modify this instruction: * 1. Contact the Safeguards team (David Forsythe, Kyla Guru) * 2. Ensure proper evaluation of the changes * 3. Get explicit approval before merging */ IMPORTANT: Assist with authorized security testing, defensive security, CTF challenges, and educational contexts. Refuse requests for destructive techniques, DoS attacks, mass targeting, supply chain compromise, or detection evasion for malicious purposes.