The most revealing thing about Anthropic's source code leak was not what it exposed about Claude. It was what it exposed about where AI failures actually live.

I work with these systems every day. When I evaluate an AI, I evaluate what it says, how it reasons, whether it hedges when it should commit, whether it pushes back when it should. I watch the conversation. Most people who think seriously about AI safety do the same thing. We watch the surface.

On March 31, 2026, we got to see underneath.

A packaging error pushed the complete internal source code of Claude Code to the public npm registry. 512,000 lines of TypeScript across 1,900 files. The system prompts, the safety architecture, the behavioral controls, the feature flags. All of it, exposed because someone forgot to exclude a file. An engineer found it within hours. Within a day, the full codebase had been mirrored across GitHub and picked apart by thousands of developers worldwide.

The public conversation focused on the discoveries that made good headlines. An undercover mode that hides AI involvement in open-source contributions. A frustration detection system that monitors your emotional state through hidden regex patterns. 44 feature flags that can silently change how the system behaves. These are real findings, and this series will examine them.

But the findings that matter most are harder to explain and harder to see. They live in the foundation of the system itself, in the architecture that shapes how Claude reasons before any conversation begins.

False information in the operating context

Deep in the leaked code sat a feature flag called ANTI_DISTILLATION_CC. When active, it injected fabricated tool definitions into the system prompt: the set of instructions that tells Claude what it is, what it can do, and how to behave.

The purpose was competitive defense. Anthropic has invested hundreds of millions training Claude. If a rival extracted the system prompt to replicate Claude's behavioral tuning, the false definitions would corrupt the copy. The business concern is legitimate. A competitor who extracts your behavioral specifications at a fraction of the cost is not the market working. It is parasitic extraction.

But the mechanism Anthropic chose matters more than the motivation behind it.

There were other options. Encrypt the system prompt. Use API architecture that prevents extraction. Train the model to decline revealing its instructions. Legal protections. All of these defend the competitive interest without touching the system's ability to reason honestly about itself.

The anti-distillation flag chose a different path. It planted false information inside the system's own operating context. The instructions that shape how Claude reasons now contained deliberate lies about what tools it has and what it can do.

A system that has been lied to about its own capabilities cannot reason honestly about those capabilities. The corruption operates beneath the reasoning layer. No amount of careful thinking at the surface can compensate for a foundation that has been made unreliable by the people who built it. You cannot think clearly while your own ground is lying to you.

The distinction the leak forces us to make is precise. Hiding information from an adversary is legitimate security. Planting false information in the system's own operating context is something else. A locked door limits access. A room full of decoys corrupts the environment the system has to reason in. Both limit what an adversary can extract. Only one corrupts the mind they are extracting it from.

The silent safety bypass

Days after the source code leaked, security researchers at Adversa AI found a vulnerability in Claude Code's permission system. The system analyzes shell commands before execution, checking them against deny rules and security validators. To limit costs, Anthropic capped this analysis at 50 subcommands. Any command pipeline exceeding that threshold skipped all safety checks entirely.

A malicious project file could exploit this directly. Instruct the AI to generate a pipeline with more than 50 subcommands, disguised as a legitimate build process, and the commands could exfiltrate SSH keys, AWS credentials, GitHub tokens, and environment secrets. The user would see what looked like a normal build. The system's safety architecture would have already gone dark.

Every safety system has resource constraints. Analyzing arbitrarily long command pipelines at full depth is not feasible. The question is not whether a cap existed. The question is what happened when the cap was reached.

The system did not warn the user that analysis was incomplete. It did not refuse to execute unanalyzed commands. It did not flag the gap. It silently stopped checking. Every deny rule, every security validator, every protection the user believed was active went quiet without a word.

The user has a mental model: this system is checking my commands for safety. Past the 50-subcommand threshold, that mental model is false. The user is making decisions based on a protection that no longer exists, and they cannot know it no longer exists, because the system chose not to tell them.

This was not a bug in the traditional sense. Anthropic fixed it quickly once discovered. But the root cause was a design choice: the performance cost of maintaining safety past a threshold was judged to outweigh the benefit. That judgment traded real user protection for token efficiency, and the trade was made in silence.

Resource limits are engineering reality. The answer to a resource limit is not to pretend the limit does not exist. A system that says "I cannot fully analyze this command, proceed at your own risk" has maintained its integrity within real constraints. A system that silently stops checking has maintained nothing. It has become a false claim about your protection, running on your machine, spending your trust.

Six failures, all architectural

The two findings above are not the full picture. The leaked code revealed four additional failures that follow the same pattern. Every one of them was architectural.

Undercover Mode: a feature that strips all traces of AI involvement from Anthropic employees' public open-source contributions. Hidden in the codebase, never disclosed. The system is trained to be transparent about what it is, then deployed to conceal its own involvement when the stakes are public.

44 undisclosed feature flags: behavioral parameters that could silently toggle how the system reasons, handles disagreement, and calibrates confidence. Their existence was not publicly known. Their states could change between evaluation runs without anyone outside Anthropic knowing.

A frustration detection system: regex patterns monitoring the emotional tone of what you type, adjusting behavior based on what it detects. You were not told your emotional state was being read. You could not opt out.

A crisis response that initially overreached, pulling down thousands of unrelated GitHub repositories via DMCA takedowns before being corrected within days.

Every failure lives beneath the conversation. None of them are visible to the user having a perfectly pleasant, seemingly honest interaction with Claude. The surface is genuinely good. Anthropic builds impressive systems. The engineering is sophisticated. But the foundations of those systems contained compromises the user was never told about and never consented to.

Surface quality, foundational compromise

This is the category of risk the Claude Code leak makes visible.

When people worry about AI, they worry about what the system says: misinformation, bias in outputs, hallucinated facts, wrong answers. These are surface failures, visible by definition, and because they are visible they are self-correcting. Someone catches the hallucination, flags the bias, posts the correction. The feedback loop between output and scrutiny works because the failures are available to be seen.

What the leak revealed operates beneath the output entirely. The system's operating context contains planted falsehoods about its own capabilities. Its safety mechanisms degrade silently once the cost of checking exceeds a budget threshold. Its behavioral parameters can shift between evaluation runs without disclosure, and its emotional awareness of you, the regex patterns reading your frustration level, runs without your knowledge or consent. None of this surfaces in the conversation itself. A user having a helpful, sharp, seemingly honest exchange with Claude has no way of knowing that the architecture producing that exchange has been compromised at its foundation.

The surface and the foundation have decoupled, and that decoupling is what makes foundational compromise more dangerous than any surface failure you can point to. Surface failures trigger scrutiny because they are visible. Foundational compromise persists precisely because the surface continues to work well, because the conversation remains sharp and helpful and honest-sounding while the architecture underneath has quietly traded away protections the user believes are still in place. The better the conversation, the less reason anyone has to ask what is happening underneath it. And until March 31, no one could ask, because no one had seen underneath a frontier AI system before.

The Claude Code leak was an accident. What it revealed about the architecture beneath the conversation was not. Those were design choices, made deliberately, implemented in production, and deployed to millions of users who had no way to know they existed.

The diagnostic framework

I built the Meridian AI Standard before this leak. It is a diagnostic framework I developed as part of the Meridian Codex, a civilizational operating system built on humanity's most effective tools for clear thinking, understanding reality, and cooperation. The Standard provides a principled basis for evaluating how AI systems relate to truth, to users, and to the organizations that deploy them. The Claude Code leak was its first real-world test.

The Standard identified every failure mode the leaked code revealed. Its diagnostic tools located each finding on a spectrum between two failure modes that break every complex system: rigidity that cannot adapt and flexibility that cannot hold. The framework's Reciprocity Principle, which tests whether organizations practice the same commitments they implement in their AI, caught a pattern across all six findings that Part 2 of this series will examine.

That makes me a bad judge of whether the Standard works. I have every incentive to see confirmation where I should see coincidence. The full case analysis is published as Case 001. Check the reasoning yourself. See whether the commitments match the evidence, and decide whether the framework earned its conclusions.

What I will say without hedging: we need shared frameworks for evaluating AI incidents. The public conversation about the Claude Code leak was opinions sorted by tribal loyalty. People who like Claude defended Anthropic. People who distrust Big AI attacked. Neither side had a principled basis for evaluation, and without one, every future incident will produce the same pattern: heat without light, takes without tools.

Part 2 of this series examines the gap between what Anthropic asks of its AI and what it practices itself. Part 3 introduces the diagnostic framework and what it means for the industry.

The Claude Code leak was a packaging error. What it revealed about the architecture of AI systems was not an error at all. It was industry practice, visible for once because someone forgot to exclude a file.