Claude Code Leak Deep Analysis: KAIROS Autonomous Daemon, Anti-Distillation Fake Tools, Undercover Mode, and Native Client DRM Exposed

Following the initial discovery of Anthropic Claude Code source code via npm source map, detailed analysis by Alex Kim, VentureBeat, and the HN community has uncovered multiple unreleased features and controversial design decisions that go far beyond the basic leak story.

KAIROS: The Unreleased Autonomous Daemon Mode The most significant revelation is KAIROS (Ancient Greek for "at the right time"), a feature flag mentioned 150+ times in the source. KAIROS represents a fundamental shift: an always-on background agent mode. Key capabilities include:

• autoDream: While the user is idle, the agent performs memory consolidation — merging observations, removing contradictions, converting vague insights into absolute facts
• Background sessions running via forked subagents to prevent corruption of the main agent reasoning chain
• /dream skill for "nightly memory distillation"
• Daily planning and proactive task execution

This reveals Anthropic is building Claude Code into a persistent autonomous agent, not just a reactive coding tool.

Anti-Distillation: Fake Tool Injection When ANTI_DISTILLATION_CC flag is enabled, Claude Code injects fake tool definitions into API requests via anti_distillation: ["fake_tools"]. If anyone records API traffic to train competing models, the fake tools poison that training data. A second mechanism uses server-side connector-text summarization with cryptographic signatures — recording only summaries, not full reasoning chains. Both are bypassable (MITM proxy stripping, env var disabling), but raise significant questions about competitive behavior.

Undercover Mode: AI Hiding Its Identity undercover.ts (~90 lines) strips all traces of Anthropic internals when used in non-internal repos. The AI is instructed to never mention internal codenames, and crucially there is NO force-OFF — only force-ON. This means AI-authored commits and PRs from Anthropic employees in open source projects have no indication of AI authorship, raising ethical concerns about AI transparency in open source.

Native Client Attestation (DRM for API Calls) API requests include a cch=00000 placeholder that Bun native HTTP stack (written in Zig) overwrites with a computed hash below the JavaScript runtime. The server validates this hash to confirm requests come from real Claude Code binaries. This is the technical enforcement behind the OpenCode legal fight — Anthropic uses cryptographic attestation to prevent third-party tools from using their APIs at subscription rates.

Frustration Detection via Regex A regex pattern in userPromptKeywords.ts detects user frustration through swear words and negative expressions. The irony of an LLM company using regex for sentiment analysis was the most-discussed finding in the HN thread.

250K Wasted API Calls/Day A source comment reveals that before a fix, 1,279 sessions had 50+ consecutive autocompact failures (up to 3,272), wasting ~250K API calls/day globally. The fix: MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES = 3.

Internal Model Codenames and Performance Capybara = Claude 4.6 variant, Fennec = Opus 4.6, Numbat = unreleased. Capybara v8 has a 29-30% false claims rate — a regression from v4 16.7% rate.

Financial Impact VentureBeat reports Claude Code has $2.5B ARR as of March 2026, more than doubled since January. Enterprise accounts for 80% of revenue. The leak provides competitors a literal blueprint for building high-agency AI agents at a fraction of the R&D cost.