On March 31, 2026, at around 4 AM, the developer community woke up to something unprecedented — the complete source of Anthropic's Claude Code CLI had been extracted from its obfuscated npm package and was circulating online. Within hours, the repository documenting the leak crossed 50,000 GitHub stars — the fastest in the platform's history.

At RedAugment, we spent the past few days doing what we do best: going deep into systems architecture so you don't have to. We analyzed the full claw-code repository — the Python metadata port, the Rust functional reimplementation, and every reference data snapshot extracted from the original TypeScript source.

What we found was far more interesting than a chat wrapper around an API.

Claude Code is a full-featured agent operating system.

The Scale Nobody Expected

Let's start with the numbers that set the stage:

• Total TypeScript source files: 1,902
• Slash commands: 207
• Tool modules: 184
• Internal subsystems: 29
• Rust port lines of code: ~31,000

For context, many production web applications run on fewer files. This is a CLI tool — or at least, that's what it looks like from the outside.

The 10 Key Architectural Insights

1. Claude Code is a Multi-Agent Orchestrator

This was the biggest revelation. Claude Code doesn't just talk to the Claude API — it runs specialized sub-agents, each with distinct roles:

• generalPurposeAgent — Broad multi-step tasks
• exploreAgent — Fast codebase exploration
• planAgent — Implementation planning and architecture
• verificationAgent — Testing and verification
• claudeCodeGuideAgent — Self-documentation and help
• statuslineSetup — IDE status line configuration

The agent subsystem alone has 14+ modules including:

• forkSubagent.ts — fork new sub-agents mid-conversation
• resumeAgent.ts — resume previously paused agents
• agentMemory.ts / **agentMemorySnapshot.ts** — persistent memory across agent sessions
• runAgent.ts — agent execution runtime
• loadAgentsDir.ts — dynamic agent loading from directories

This isn't bolted on. It's the core architecture. Claude Code treats every complex task as an orchestration problem — breaking work across specialized agents that can run in parallel, be paused, resumed, and share memory.

2. 184 Tools Organized Into ~30 Families

The tool surface is massive. Here are the major tool families extracted from the source:

Core File Operations:

• BashTool — shell execution with namespace-level sandboxing
• FileReadTool / FileEditTool / FileWriteTool — file I/O with permission gating
• GlobTool / GrepTool — file and content search

Agent and Orchestration:

• AgentTool — sub-agent spawning with handoff
• ToolSearchTool — dynamic tool discovery (deferred tool loading)
• SkillTool — extensible skill/prompt loading

MCP (Model Context Protocol):

• MCPTool — execute tools on MCP servers
• McpAuthTool — OAuth for MCP servers
• ListMcpResourcesTool / ReadMcpResourceTool — MCP resource access

Web and External:

• WebFetchTool — URL fetching with AI processing
• WebSearchTool — web search with domain filtering

Task and Team:

• Task* tools — structured task management
• Team* tools — collaborative/multi-user features
• TodoWriteTool — structured task lists

Advanced:

• RemoteTriggerTool — trigger remote agent execution
• ScheduleCronTool — cron-based scheduling
• LSPTool — Language Server Protocol integration
• NotebookEditTool — Jupyter notebook cell manipulation

Each tool has its own permission requirement (ReadOnly, WorkspaceWrite, or DangerFullAccess), and tool execution passes through pre/post hooks that can intercept, modify, or deny any operation.

3. The 7-Stage Bootstrap Pipeline

Claude Code doesn't just start up — it goes through a carefully ordered initialization sequence:

Stage 1: Prefetch side effects (parallel)
Stage 2: Warning handlers + environment guards
Stage 3: CLI parser + pre-action trust gate
Stage 4: setup() + commands/agents parallel load
Stage 5: Deferred init (plugins, skills, MCP, hooks) — TRUST-GATED
Stage 6: Mode routing (local / remote / SSH / teleport / direct-connect / deep-link)
Stage 7: Query engine submit loop

The critical detail is Stage 5 — plugins, skills, MCP prefetch, and session hooks only initialize after trust is established. This prevents malicious project-level configs (like a poisoned CLAUDE.md) from executing code before the user has a chance to review and consent.

This is security-by-design at the initialization layer, not an afterthought.

4. Six Execution Modes

Claude Code isn't just a local CLI. It supports six distinct runtime modes:

• Local — standard terminal CLI
• Remote — cloud execution on Anthropic's infrastructure (CCR — Claude Code Runtime)
• SSH — proxy session through SSH tunnels
• Teleport — session migration and resumption across machines
• Direct-Connect — peer-to-peer connection
• Deep-Link — URI-based session linking

Evidence of the cloud runtime (CCR) is found throughout — session tokens read from /run/ccr/session_token, environment variables like CLAW_CODE_REMOTE and CCR_*, HTTPS proxy configurations, and a NO_PROXY list that includes localhost, GitHub, npm registry, and crates.io.

This confirms what many suspected: Claude Code on claude.ai runs the same core agent runtime, just with a different transport layer.

5. The Bridge — 31 Modules for IDE Integration

The largest single subsystem isn't the tools or the CLI — it's the bridge at 31 modules. This is the infrastructure that powers Claude Code's VS Code and JetBrains integrations.

The bridge handles:

• Bidirectional communication between editor and agent
• Session state synchronization
• Tool result rendering in editor UI
• Permission prompts through editor dialogs
• Streaming output to editor panels

IDE integration isn't a thin wrapper calling the CLI — it's a first-class peer with its own transport, state management, and rendering pipeline.

6. Multi-Provider Support

The Rust port reveals that Claude Code was designed (or being extended) to work with non-Anthropic models:

• Anthropic — claude-opus-4-6, claude-sonnet-4-6, claude-haiku-4-5 via ANTHROPIC_API_KEY + OAuth
• xAI (Grok) — grok-3, grok-3-mini, grok-2 via XAI_API_KEY
• OpenAI — OpenAI models via OPENAI_API_KEY

Provider detection works by model name prefix — pass a grok-* model name and it routes to xAI's API. An OpenAI compatibility layer translates ChatCompletionResponse format to Claude's format for unified downstream handling.

7. Sandbox Isolation

The BashTool doesn't just run commands — it can run them in an isolated sandbox:

• Linux namespace isolation via bwrap (bubblewrap) / unshare
• Filesystem modes: Off, WorkspaceOnly, AllowList
• Network isolation options
• Container detection — checks .dockerenv, .containerenv, and cgroup analysis to detect if already sandboxed
• Fallback behavior when sandbox tools aren't available

This is how Claude Code can safely execute arbitrary shell commands from an AI model without compromising the host system.

8. The Permission Model

Five hierarchical permission tiers:

ReadOnly → WorkspaceWrite → DangerFullAccess
              ↑                    ↑
           Prompt ─────────────────┘
              ↑
            Allow (bypass all prompts)

• ReadOnly — Search, read files, fetch web — nothing more
• WorkspaceWrite — Can modify files in the project workspace
• DangerFullAccess — Full shell execution, package installation, system commands
• Prompt — Ask the user for each escalation
• Allow — Trust everything without confirmation

Each tool declares its minimum required permission level. The runtime checks the current mode against the requirement and prompts for escalation only when needed.

9. MCP Integration — 6 Transport Types

Claude Code's MCP (Model Context Protocol) client supports:

• Stdio — spawn local processes (uvx mcp-server-name)
• SSE — Server-Sent Events over HTTP
• HTTP — REST endpoints
• WebSocket — WSS connections
• SDK — built-in Anthropic MCP servers
• ManagedProxy — Claude.ai hosted proxy with URL unwrapping from query parameters

The MCP integration includes full OAuth/PKCE support per server, JSON-RPC 2.0 protocol handling, tool discovery with pagination, resource listing and reading, and config hashing for change detection.

Tool names are normalized to mcp__<server_name>__<tool_name> format, with special characters replaced by underscores.

10. The Hidden Subsystems

Several subsystems hint at features not publicly documented:

• buddy — Collaborative/pair-programming features
• coordinator — Multi-agent coordination layer
• moreright — Elevated permissions / authorization escalation
• voice — Voice input/output support
• vim — Vim editor plugin (beyond terminal vim mode)
• native_ts — Native TypeScript execution bridge
• memdir — Persistent memory directory structure

The voice subsystem is particularly interesting — it suggests speech-to-text and text-to-speech integration was being developed for the CLI.

Under the Hood

The Config Cascade

Settings are loaded in a three-tier priority chain:

• User level: ~/.claude/settings.json
• Project level: claude.json or .claude in the project root
• Local overrides: .claude.local for machine-specific settings

Each level can define hooks, plugins, MCP servers, OAuth config, model selection, permission defaults, and sandbox settings. Higher priority levels override lower ones.

Session Compaction

When conversations grow long, Claude Code doesn't just truncate — it compacts. Old messages are summarized and replaced with a condensed summary message. This is the mechanism behind the /compact slash command and it's deeply integrated into the query engine:

QueryEngineConfig:
  max_turns: 8
  max_budget_tokens: 2000
  compact_after_turns: 12
  structured_output: false
  structured_retry_limit: 2

The compaction preserves critical context while staying within token budgets — a production-grade solution to the context window problem.

The 207 Commands — Highlights

Beyond the standard /help, /clear, /model, here are some of the more interesting commands found in the archive:

• /bughunter — Automated bug hunting
• /autofix-pr — Auto-fix pull requests
• /advisor — Code review advisor
• /ant-trace — Anthropic internal tracing
• /backfill-sessions — Session data migration
• /bridge / /bridge-kick — IDE bridge management
• /chrome — Chrome/browser MCP integration
• /btw — Contextual side-notes
• /break-cache — Cache invalidation
• /teleport — Session migration
• /branch / /worktree — Git workflow management
• /agents — Sub-agent management

What This Tells Us About the Future of AI Dev Tools

AI coding tools are becoming operating systems

Claude Code isn't a chatbot with file access. It's a multi-agent runtime with process isolation, permission management, plugin ecosystems, and six transport layers. The complexity rivals small operating systems.

The agent orchestration pattern is dominant

Single-model, single-turn interactions are the past. The future is specialized agents with distinct capabilities, forking, resuming, and sharing memory. This is the architecture that makes complex multi-step tasks reliable.

Security is a first-class concern

Trust-gated initialization, namespace sandboxing, per-tool permissions, hook-based interception — this isn't "move fast and break things." This is careful, defense-in-depth security engineering.

IDE integration is not optional

31 modules for the bridge alone. The terminal CLI is one frontend among many, and the architecture is designed for multiple simultaneous transports.

Multi-provider support is strategic

Even Anthropic's own tool is being built to work with competitor models. This suggests a future where the agent runtime is the product, not just the model.

Repository Reference

The full reverse-engineered codebase analyzed in this post is available at:

github.com/ultraworkers/claw-code

It contains:

• Python metadata port (src/) — 29 subsystem packages with full command/tool inventories
• Rust functional port (rust/) — ~31K LOC production-quality reimplementation
• Reference data snapshots — complete tool, command, and subsystem metadata from the original TypeScript source
• Parity analysis — gap analysis between the TypeScript original and the Rust port

Tools Behind the Reverse Engineering

The repository credits two open-source agent frameworks used to drive the porting process:

• oh-my-codex (OmX) by @bellman_ych — built on OpenAI's Codex, used for scaffolding, orchestration, and architecture direction. Its $team mode handled parallel code review and $ralph mode drove persistent execution with architect-level verification.
• oh-my-openagent (OmO) by @code_yeongyu — used for implementation acceleration, cleanup, and verification support during later stages.

These are interesting projects in their own right — agent workflow tools used to reverse-engineer another agent tool. We'll be doing deep dives into both OmX and OmO in the next installment of this series. Stay tuned.

Final Thoughts

The Claude Code leak is a rare window into how a leading AI lab builds production agent infrastructure. The architecture is sophisticated, security-conscious, and designed for a future where AI agents are persistent, multi-modal, and deeply integrated into development workflows.

Whether you're building AI tools, evaluating them, or just trying to understand where the industry is heading — this is the reference architecture to study.

This analysis was conducted by the team at RedAugment. We specialize in AI systems architecture, security research, and building production-grade AI infrastructure. If you're building with AI and need a team that goes this deep — get in touch.