Summary

A detailed analysis of Claude Code’s accidentally exposed 512,000-line TypeScript source code (51.2万行, 1903 files), organized around three core questions: what makes Claude Code different, why it “feels better,” and what the architecture reveals. The answer: Claude Code is not a chatbot with tools but an operating system — 42 tools as system calls, a permission system as user rights management, skills as an app store, and agents as process management.

對 Claude Code 意外外洩的 51.2 萬行 TypeScript 源碼的深度分析。核心答案:Claude Code 不是「聊天機器人加幾個工具」,而是以 LLM 為內核的作業系統。42 個工具等同系統呼叫、權限系統等同用戶權限管理、Skill 系統等同 App Store、Agent Swarm 等同進程管理、上下文壓縮等同記憶體管理。

Key Points

  • System prompt assembled from 7 layers with a cache boundary: static sections cached (shared cost), dynamic sections (CLAUDE.md, git state, memories) loaded fresh per session
  • Each tool has its own prompt.ts file — AI-readable behavior manuals, not human documentation
  • 42 tools use fail-closed defaults: isConcurrencySafe=false, isReadOnly=false unless explicitly declared safe
  • “Read before edit” is enforced at the tool level: FileEditTool checks if FileReadTool was used; errors otherwise
  • Memory uses an AI classifier (not keyword search) to select up to 5 relevant memory files — “precision over recall”
  • KAIROS mode: memories stored as dated append logs, /dream skill consolidates them into structured topic files nightly
  • Child agents given explicit “you are a worker, not a manager; do NOT spawn sub-agents” instructions
  • Prompt cache maximized: all forked child agents use identical placeholder text (“Fork started — processing in background”) to maximize prefix-byte cache hit rate
  • Internal (ant) build differs: no comments by default, anti-hallucination instructions, inverted-pyramid output style

Insights

The “fail-closed” tool defaults are a crucial safety design: if a tool author forgets to declare whether their tool is read-only or concurrency-safe, the system assumes the worst case. This is defense in depth applied to the tool ecosystem — it prevents accidental privilege escalation through incomplete declarations.

The child agent anti-recursion instruction (“you are a fork, not a manager”) addresses a real failure mode in agentic systems: agent proliferation. Without it, each sub-agent might decide it needs sub-agents of its own, creating exponential process trees.

The use of grep/ripgrep rather than vector search for code navigation reflects a clean architectural principle: let the intelligent component (LLM) handle semantic reasoning; keep the retrieval component simple and reliable. This inverts the trend toward complex retrieval infrastructure.

Connections

Raw Excerpt

“这不是一个’聊天机器人加几个工具’,这是一个以 LLM 为内核的操作系统。42个工具 = 系统调用,权限系统 = 用户权限管理,技能系统 = 应用商店,MCP协议 = 设备驱动,Agent蜂群 = 进程管理,上下文压缩 = 内存管理。”