Claude Code Leaked: The Secret Is Not the AI
Key insights
- Building AI agents is 80% plumbing and 20% AI. Most teams skip the plumbing and wonder why their demos crash in production.
- Workflow state and conversation state are different problems. Restoring a chat session does not restore a workflow. Your agent can still double-send messages or repeat expensive operations after a crash.
- Claude Code dynamically assembles a session-specific tool pool from 184 available tools, instead of hard-coding one fixed list per agent.
- The most common failure mode in agentic projects is overengineering, not underengineering. Teams build multi-agent coordination layers before their sessions can survive a single crash.
This is an AI-generated summary. The source video may include demos, visuals and additional context.
In Brief
Anthropic accidentally leaked the source code for Claude Code, a product generating $2.5 billion annually. The leak exposed the full internal architecture: tool registries, permission systems, session persistence, and six built-in agent types. While most coverage focused on upcoming feature flags, Nate B Jones dug into the underlying infrastructure and found 12 core primitives organized into three tiers: the boring, unsexy engineering choices that make Claude Code work reliably at scale.
Related reading:
Everyone looked at the wrong thing
Anthropic wrote 90% of its own code with AI, according to the company's claims. Its engineers ship multiple releases per day per person. That kind of velocity comes with risk: when the leak happened (a build configuration error that exposed the Claude Code repository), the most viral theory on X was that an AI model had accidentally committed the leaked file itself as part of a routine build step.
Whether that's what happened or not, the theory itself says something about where we are in 2026. The idea that an AI model committed the file containing the AI's own architecture, as part of a routine build step, was treated as a plausible chain of events. Not outlandish. Reasonable. What matters is what was inside.
Nate read through all the coverage. His conclusion: most of it focused on upcoming feature flags, on what Claude Code would ship in the next few weeks. That's fine for a few weeks. It misses the point entirely.
The features will ship and be forgotten. The architecture underneath is what actually sustains a $2.5 billion product.
The 12 primitives: day-one basics
Claude Code organizes its infrastructure into 12 primitives across three tiers. The first eight are things Nate calls "day-one non-negotiables": basics that most teams consider late, or never.
Primitive 1: Tool registry. Claude Code maintains two parallel registries: a command registry with 207 entries for user-facing actions, and a tool registry (think: a catalog that lists all the tools an AI agent can use, with descriptions, before any tool actually runs) with 184 entries for model-facing capabilities. Every entry carries a name, a source hint, and a responsibility description. The registry is the source of truth. Without it, you can't filter tools by context, and every new tool requires changes across your entire orchestration code.
Primitive 2: Permission tiers. Not all tools carry the same risk. Claude Code segments its capabilities into three trust tiers: built-in tools (always available, highest trust), plug-in tools (medium trust, can be disabled), and user-defined skills (lowest trust by default). The bash tool (the one that lets Claude run shell commands) has an 18-module security architecture. Pre-approved command patterns. Destructive command warnings. Sandbox termination. 18 separate modules for a single tool.
Nate puts the scale of this in context:
"An 18-module security stack for a single tool. That's not paranoia. That's what separates a system that works safely at a two and a half billion dollar run rate from one that works in a little notebook."
The threshold is stark: if your agent can execute code, call APIs, or modify files without a permissions layer, you have a demo. Not a product.
Primitive 3: Session persistence. Agents crash constantly. Connections drop. Users close tabs. Claude Code stores entire sessions as JSON files: conversation history, token usage, permission decisions, and configuration. Every single piece of state can be reconstructed after a failure. Not just the conversation. The whole thing.
Primitive 4: Workflow state. This is the one nobody talks about. Restoring a conversation is not the same as restoring a workflow. A chat transcript answers: "What have we said?" Workflow state answers: "What step are we on? What side effects have happened? Is this operation safe to retry?" Almost every agentic framework conflates these two problems. They are not the same problem.
"If you don't have a workflow state, you can reinstantiate the agent to be exactly where it was, but it won't remember where it was in the workflow automatically — because the workflow is something that persists beyond the agent."
A crashed agent without workflow state can double-send a message, repeat an expensive API call, or overwrite a file it already modified. That's not a crash. That's a bug.
Primitive 5: Token budgets. Claude Code defines hard limits on token usage. A token budget is a cap on how many words or text fragments an AI can consume before it must stop. Every turn calculates projected token usage, and if the projection exceeds the budget, execution stops before an API call is even made.
Primitive 6: Streaming events. Real-time typed status updates sent while an agent works. Not just a text stream: each event communicates system state, including which tools the agent is considering and how many tokens have been consumed. A special crash event with a reason code is emitted if something goes wrong — a black box for failures.
Primitive 7: System logging. A separate log that captures not just what the model said, but what it actually did: which tools ran, what permissions were granted or denied, how the session was initialized. This is what makes an agent run auditable after the fact.
Primitive 8: Verification. Two levels. First: checking that a given agent run completed correctly. Second, and often overlooked: checking that changes to the agent harness itself don't silently break existing guardrails. When you update the harness, can you prove the safety checks still hold?
Operational maturity: the advanced tier
Beyond the basics, the leak revealed four patterns that Nate groups under operational maturity.
Tool pool assembly is how Claude Code handles having 184 tools without overwhelming the model. It doesn't load all 184 on every run. Instead, it assembles a session-specific tool pool based on mode flags, permission context, and deny lists. The lesson: hard-coding a fixed tool list works for narrow agents. General-purpose agents need to select dynamically.
Transcript compaction automatically shortens old conversation history to save space, keeping recent entries and discarding older ones when a configurable threshold is hit. As agents handle longer and longer tasks, this becomes critical. You need to preserve the original instruction while cutting irrelevant intermediate steps.
Permission audit trails go beyond yes/no gates. Claude Code builds three separate permission handlers: one for a human in the loop, one for multi-agent coordination where an orchestrator hands out permissions, and one for autonomous swarm workers managed by an orchestrator. Each context has different permission structures.
The agent type system defines six built-in agent types: explore, plan, verify, guide, general purpose, and status line setup. Each type comes with its own prompt, allowed tools, and behavioral constraints. An explore agent cannot edit files. A plan agent doesn't execute code. The point isn't to clone minions randomly. Constrain roles sharply so you can manage an agent population and control what they're capable of.
80% plumbing
Nate's closing argument is simple and uncomfortable for anyone building AI products right now.
"Building agents is 80% non-glamorous plumbing work and 20% AI."
The most common failure mode Nate has seen in agentic projects is not underengineering. It's overengineering. Teams build multi-agent coordination layers before their sessions can survive a crash. They implement plugin marketplaces before their permissions work. They chase the glamorous 20% and skip the plumbing that makes the 20% actually function.
Claude Code is a $2.5 billion product. Its secret sauce is not a smarter model. It's a tool registry, 18 security modules on a single bash tool, workflow state that survives crashes, and six constrained agent types. None of that is exciting. All of it is what separates a demo from something that runs reliably at scale.
Glossary
| Term | Definition |
|---|---|
| Tool registry | A catalog listing all the tools an AI agent can use, with names and descriptions, before any tool is actually invoked |
| Permission tier | A system that groups tools by risk level: safe tools run freely, dangerous ones require explicit approval |
| Session persistence | Saving the complete state of an AI session (conversation, permissions, token usage, config) so it can be restored exactly after a crash |
| Workflow state | A record of what step a task is on and what side effects have occurred, distinct from conversation history |
| Token budget | A hard limit on how many tokens (words or text fragments) an AI agent can consume before execution stops |
| Transcript compaction | Automatically shortening old conversation history to save space while preserving recent and critical entries |
| Agent type system | Predefined agent roles (explorer, planner, verifier, etc.) each with fixed allowed tools and behavioral constraints |
| Tool pool assembly | Dynamically selecting which tools an agent gets access to for a specific session, based on context and permissions |
| Streaming events | Real-time typed status updates emitted while an agent works, including a special crash event with a reason code |
Sources and resources
Want to go deeper? Watch the full video on YouTube →