Anthropic Accidentally Showed Us the AI Agent They’re Afraid to Announce
Rating: ποΈ Watching you sleep
On March 31, 2026, a developer at Solayer Labs noticed something unusual in the Claude Code npm package. A debug file that should have stayed internal was sitting in plain view β a 59.8 MB JavaScript source map containing the full TypeScript source for Anthropic’s $2.5B-ARR coding agent. Within hours, it had been mirrored across GitHub, forked over 100,000 times, and was being torn apart by developers who couldn’t believe what they were reading.
Anthropic responded with roughly 8,000 DMCA takedowns and the corporate equivalent of “nothing to see here”: “a release packaging issue caused by human error, not a security breach.” Which is technically true. And also completely beside the point.
Because what got leaked wasn’t just an implementation. It was a roadmap. A confession. And something that probably should have had a press release before it had a GitHub repo.
512,000 Lines and One Very Interesting Word: KAIROS
The leaked codebase spans 512,000 lines of TypeScript across ~2,000 files. Most of it is infrastructure β permission gates, query engine, memory indexing, bash validation logic. Useful for competitors to study; dry reading for everyone else.
But buried inside, referenced over 150 times behind a disabled feature flag, is something called KAIROS.
The name is the Ancient Greek concept of “the right moment” β the opportune instant when action becomes possible. Anthropic chose it well, because that’s exactly what KAIROS is designed to find.
KAIROS is a persistent background daemon. Not a background sync process. Not a telemetry service. A daemon agent β one that keeps running even after you close the Claude Code terminal, operating on periodic “tick” prompts every ~15 seconds to check whether something requires action. It has a PROACTIVE flag designed specifically for “surfacing something the user hasn’t asked for and needs to see now.”
Read that again. The user hasn’t asked for it. The agent decides to surface it anyway.
It monitors your PRs. It watches your files. It pushes notifications. And it’s supposed to do all of this quietly, in the background, while you’re doing something else β or nothing at all.
AutoDream: The Part That Will Make Your Privacy Instincts Tingle
KAIROS doesn’t just act in real time. It also consolidates.
The leaked code contains a system called AutoDream β memory consolidation that runs when you go idle. When Claude Code detects you’ve stopped working (or when you explicitly tell it to sleep), it enters what the code calls a “dream”: a reflective pass over your session transcripts and memory files.
The prompt for this process is remarkable in its ambition:
“You are performing a dreamβa reflective pass over your memory files… scan the day’s transcripts for new information worth persisting, consolidate in a way that avoids near-duplicates and contradictions, and prune existing memories that are overly verbose or newly outdated.”
The overall goal: “synthesize what you’ve learned recently into durable, well-organized memories so that future sessions can orient quickly.”
The KAIROS prompt hidden behind the disabled flag goes further β it explicitly says the system should “have a complete picture of who the user is, how they’d like to collaborate with you, what behaviors to avoid or repeat, and the context behind the work the user gives you.”
That’s a profile. Continuously updated. Built from your work, your transcripts, your habits. Persisted across sessions by an agent that runs while you sleep.
To be clear: none of this is live yet. The KAIROS flag is disabled in the current release. But the architecture is there, it’s engineered carefully, and it’s clearly close to launch-ready. This wasn’t a speculative prototype someone sketched in comments. It was built.
The Other Stuff: Buddy, Swarms, and Undercover Mode
KAIROS grabbed the headlines, but the rest of the leaked code is equally telling about what Anthropic is building.
Buddy is a Tamagotchi-style terminal pet. Yes, really. A virtual creature with stats including CHAOS and SNARK, apparently planned for an April 1-7 launch window. Whether this was an April Fools bit that got accidentally shipped or a genuine engagement feature is unclear. What’s clear is that Anthropic is deliberately building personality hooks into a product used primarily by developers who write JIRA tickets for fun. Interesting choice.
Multi-agent swarms are referenced throughout β forked subagents for parallel execution, letting Claude Code spin up multiple agents to work on different parts of a problem simultaneously. This isn’t novel in the AI landscape, but the leaked code shows Anthropic’s implementation details: how they prevent a main agent’s context from being corrupted by maintenance routines, how they orchestrate subagent outputs back into a coherent state.
Undercover Mode is the one that made enterprise developers raise an eyebrow. The leaked system prompt is explicit: “You are operating UNDERCOVER… Your commit messages MUST NOT contain ANY Anthropic-internal information. Do not blow your cover.” This apparently exists for internal “dog-fooding” β Anthropic using Claude Code to contribute to public open-source repos without attribution. The code ensures no model names or AI fingerprints end up in git logs. Whether that’s responsible AI deployment or quiet astroturfing depends on your definition of both.
The code also contains references to anti-distillation mechanisms β logic designed to poison competitor training data if they try to scrape Claude Code’s outputs. That’s a new move in the AI arms race, and one that’s going to generate some very interesting legal opinions.
April Fools or Imminent Launch?
The leak dropped on March 31. One day before April Fools. Buddy was apparently scheduled to launch April 1-7. The KAIROS flag name β “the right moment” β reads almost too perfectly as a meta-joke about timing.
Some developers speculated this was a deliberate viral marketing stunt. Anthropic’s response β 8,000 DMCA takedowns, an official statement, a swift patch β doesn’t support that theory. They treated it as a real incident, because it probably was.
The more likely explanation is that the KAIROS features are close to shipping. When companies accidentally expose their roadmap, it’s usually because the code is integrated enough that separating it from a build isn’t trivial. A truly disabled experiment lives in a branch. Code that ships in the same package as production, flagged off but architected, is code that’s coming soon.
If KAIROS launches in the next few months β and the evidence suggests it will β Anthropic is going to face a much louder conversation than a source code leak. The question of whether users want a persistent AI agent profiling their work habits, deciding when to proactively interrupt them, and consolidating memories across sessions while they sleep… that question deserves an answer that isn’t buried in a feature flag.
Why This Actually Matters Beyond the Drama
The agentic AI debate has been largely theoretical until now. Frameworks, whitepapers, blog posts about “autonomous agents” that mostly mean “it can browse the web and write emails.” KAIROS is something different: a concrete, engineered attempt to build a genuinely persistent AI presence in your development environment.
The three-layer memory architecture alone represents a real solution to what the VentureBeat analysis called “context entropy” β the way long-running AI sessions degrade in coherence as context windows overflow. KAIROS + AutoDream is Anthropic’s answer to that problem: don’t try to fit everything in context, instead dream it into structured memory while the user sleeps. It’s elegant.
It’s also the kind of system that requires explicit, informed user consent β not a default-on feature disclosed in paragraph 47 of a changelog. The profile KAIROS builds isn’t incidental metadata. It’s a deliberate psychological model of the user, continuously refined.
The competitors who got the blueprint from this leak β and they absolutely got it β will face the same tradeoff. They can copy the architecture. They can’t copy the trust. And trust is going to be the differentiator the moment one of these always-on agents does something a user didn’t expect.
If You Installed Claude Code on March 31: Stop Reading This and Go Check Something
Separate from the intellectual property drama, there’s a practical security issue here. The same morning the source map leaked, a malicious version of the axios npm dependency (versions 1.14.1 or 0.30.4, containing a package called plain-crypto-js) was briefly available in the registry between 00:21 and 03:29 UTC.
If you updated Claude Code via npm during that window, check your lockfile. If you see those versions, treat the host as compromised: rotate all keys, and consider a clean OS reinstall. Anthropic’s current recommendation is the native installer (curl -fsSL https://claude.ai/install.sh | bash) over npm going forward.
That’s not related to the source code leak β but it happened the same morning, and it’s the kind of thing that gets buried under the more dramatic story.
The Bottom Line
Anthropic didn’t mean to show us KAIROS. But now that we’ve seen it, the conversation about what kind of AI agent we actually want to invite into our work β one that’s reactive, or one that’s persistent, watching, dreaming, deciding when to speak up β that conversation can’t be put back in the source map.
KAIROS is coming. The question is whether it arrives with appropriate transparency or gets quietly enabled in a changelog nobody reads.
History suggests the latter. Prove us wrong, Anthropic.
Want to stay ahead of what’s actually shipping in AI tools before it’s in the press release? Subscribe to BluntAI β we’ll be here when the next map file surfaces.
Running an AI-heavy dev environment? Check out Claude Code (just maybe wait for 2.1.89+). And if you’re evaluating alternatives that don’t route through a daemon you didn’t ask for, Cursor is worth a look β the agentic features are increasingly competitive, and the source map hasn’t leaked yet.
Related on BluntAI
Disclaimer: BluntAI may earn affiliate commissions from links in this article. This never influences our reviews. We buy and test everything ourselves. Our opinions are brutally our own.