KAIROS is an unreleased always-on AI agent mode discovered inside the Claude Code source code that leaked on March 31, 2026. Unlike current AI coding tools that only respond when prompted, KAIROS runs as a persistent background daemon — it watches your project, writes daily logs, proactively acts on issues it notices, and uses a system called autoDream to consolidate its memory while you’re idle. The feature flag appears over 150 times in the leaked codebase and represents a fundamental shift from reactive to proactive AI assistance.
On March 31, 2026, security researcher Chaofan Shou discovered that the entire TypeScript source code of Anthropic’s Claude Code CLI — 1,900 files, 512,000+ lines — had been accidentally shipped inside a source map file in the npm registry. Among the dozens of unreleased features hidden behind compile-time flags, one system stands out as the most architecturally significant: KAIROS.
If you’ve used AI agents in any form — coding assistants, chatbots, workflow automation — you’ve interacted with reactive systems. You type, they respond. You close the terminal, they vanish. KAIROS breaks that pattern entirely. It’s an AI that never stops watching.
This article breaks down exactly what KAIROS is, how its autoDream memory consolidation works, and why this represents a paradigm shift in how AI agents will operate in 2026 and beyond.
What is KAIROS and why does the name matter?
KAIROS takes its name from the Ancient Greek concept of kairos (καιρός) — the “right moment” or “opportune time,” as opposed to chronos (χρόνος), which refers to sequential, clock-based time. The naming is deliberate: KAIROS is designed to act at the right moment, not on a schedule.
In the leaked source code, KAIROS is gated behind two compile-time feature flags — PROACTIVE and KAIROS — and prefixed internally with the codename tengu_kairos. The flag appears more than 150 times across the codebase, according to analysis by VentureBeat and independent researchers who reviewed the leaked repository. It is completely absent from external builds that ship to users.
At its core, KAIROS transforms Claude Code from a tool you invoke into an autonomous daemon — a persistent background process that watches your project, logs its observations, and decides on its own whether to act or stay quiet.
How does the KAIROS tick system work?
The fundamental mechanism behind KAIROS is a tick-based decision loop. Instead of waiting for user input, KAIROS receives periodic <tick> prompts — internal signals that give it a chance to evaluate the current state of the project and decide whether action is needed.
At each tick, KAIROS has exactly two options: act proactively or call Sleep (do nothing until the next tick). This binary decision point is what makes the system practical rather than annoying — it includes a hard 15-second blocking budget. Any proactive action that would interrupt the developer’s workflow for more than 15 seconds gets automatically deferred to a later tick.
When KAIROS is active, it switches to a special output mode called Brief — extremely concise responses designed for a persistent assistant that shouldn’t flood the terminal with noise. This is a meaningful design choice: the engineers clearly studied the failure mode of over-eager assistants and built the constraint directly into the architecture.
KAIROS inverts the control flow of traditional AI tools. Instead of user → prompt → response, the loop becomes environment → tick → agent decides → act or sleep. This is the same control pattern used in game engines and operating system daemons, now applied to an AI coding assistant.
What exclusive tools does KAIROS unlock?
The leaked code reveals that KAIROS gets access to tools that regular Claude Code sessions don’t have. These exclusive capabilities paint a picture of an AI that doesn’t just respond to your codebase — it actively participates in your development workflow:
| Exclusive Tool | Function | Why It Matters |
|---|---|---|
SendUserMessage |
Sends a message to the developer unprompted | Enables proactive communication — the AI can flag issues it notices |
PushNotification |
Sends push notifications to the user’s device | The AI can reach you even when you’re not in the terminal |
SubscribePR |
Watches specific pull requests for changes | Enables continuous code review without manual triggering |
SendUserFile |
Proactively shares files with the developer | Can generate reports, summaries, or patches autonomously |
SleepTool |
Explicitly decides to do nothing until next tick | Self-regulation — the AI can consciously choose inaction |
The combination of SubscribePR and PushNotification is particularly significant. It means KAIROS could theoretically watch a pull request, notice a failing test pattern, diagnose the issue, and push a notification to the developer with a suggested fix — all before the developer opens the PR themselves. This is not a chatbot. This is an autonomous software engineering collaborator.
What is autoDream and how does AI memory consolidation work?
If KAIROS is the brain that watches and acts, autoDream is the brain that sleeps — and the naming is anything but accidental.
Located in the services/autoDream/ directory, autoDream is a background memory consolidation engine that runs as a forked subagent. It’s deliberately separated from the main agent’s process to prevent the “dreaming” activity from corrupting the main agent’s active reasoning. This is a mature engineering pattern — the equivalent of running garbage collection in a separate thread so it doesn’t pause your application.
AutoDream follows a structured four-phase cycle that mirrors how human brains consolidate memories during REM sleep:
The neuroscience parallel is genuine, not just marketing. The synaptic homeostasis hypothesis — one of the leading theories of sleep function — proposes that waking experience increases synaptic connections, and sleep selectively prunes weak connections while strengthening important ones. AutoDream does functionally the same thing: after many coding sessions, memory files accumulate noise — contradictions, duplicate entries, stale references to files that no longer exist. The consolidation cycle removes what reduces quality and strengthens what matters.
One observed case from researchers testing the system consolidated 913 sessions worth of memory in approximately 8–10 minutes. The process is surgical — files that don’t need changes are left completely untouched.
How does this connect to the sleep-time compute research?
AutoDream didn’t emerge in a vacuum. In April 2025, researchers from Letta and UC Berkeley published a paper called “Sleep-time Compute: Beyond Inference Scaling at Test-time”. The core idea: instead of making LLMs think harder at response time (which increases latency and cost), let them think during idle time — anticipating queries, pre-processing contexts, consolidating knowledge.
Their results were striking: sleep-time compute reduced the test-time compute needed for equivalent accuracy by roughly 5× on mathematical reasoning benchmarks, while boosting accuracy by up to 13% on the most difficult problems.
AutoDream is the practical application of this research. Where the Berkeley paper proposed the theoretical framework — “let AI think while the user sleeps” — Anthropic built the production system. The architecture matches: a forked subagent runs in the background, processes context during idle periods, and produces a cleaned, inference-ready memory state for the next active session.
The connection goes deeper. KAIROS maintains append-only daily log files at ~/.claude/.../logs/YYYY/MM/DD.md, accumulating raw observations throughout the day. AutoDream then processes these logs during its consolidation cycle — exactly mirroring the paper’s two-phase model of “online accumulation” followed by “offline consolidation.”
Sleep-time compute reduces test-time compute by ~5× for equivalent accuracy (Lin et al., 2025). AutoDream consolidates 900+ sessions in ~8–10 minutes. KAIROS operates under a 15-second blocking budget — any proactive action that would interrupt the developer longer than that gets deferred automatically.
What does KAIROS reveal about the future of AI agents?
Every major AI coding tool available today — GitHub Copilot, Cursor, Claude Code’s public version, and others — operates on the same fundamental model: you ask, it responds. This is what the industry calls a reactive agent pattern. It’s powerful, but it has a ceiling.
KAIROS represents the next architectural layer: a proactive agent pattern. The AI doesn’t wait for instructions. It maintains its own internal model of the project, decides what matters, and acts autonomously when it determines the moment is right — hence the Greek name.
This has implications beyond coding. If Anthropic can build a daemon-mode agent for software development, the same architecture applies to financial monitoring (watching market data and acting on anomalies), security operations (continuously scanning for vulnerabilities), and research workflows (tracking new papers and surfacing relevant findings). The agent paradigm is shifting from reactive tools to autonomous collaborators.
What makes KAIROS particularly interesting from a product perspective is the deliberate restraint built into the system. The 15-second blocking budget, the Brief output mode, the Sleep tool — these are not afterthoughts. They’re engineering responses to a real problem: proactive AI systems that don’t know when to shut up are worse than no AI at all. Anthropic appears to have solved this by giving the agent explicit permission — and explicit mechanisms — to choose inaction.
How did this leak happen and what does it mean for Anthropic?
The leak itself was remarkably mundane. When building JavaScript/TypeScript packages for npm, the build toolchain generates source map files (.map files) that link minified production code back to the original source. These are debugging tools — useful in development, catastrophic when published to a public registry.
Anthropic’s Claude Code version 2.1.88 shipped with the file cli.js.map weighing 57–59 MB — an unmistakable red flag that nobody caught before publication. Inside was a complete mapping to every original TypeScript file in the project. Extracting the full source was trivial.
Within hours, multiple GitHub mirrors appeared. Anthropic pulled the npm package and deleted older versions, but the internet had already archived everything. Chaofan Shou’s original post on X accumulated over 3 million views in the first few hours.
This wasn’t Anthropic’s first accidental disclosure. Just five days earlier, on March 26, a CMS configuration error had exposed details about the unreleased Claude Mythos model, draft blog posts, and thousands of unpublished assets. Two leaks in five days is a pattern, not a coincidence, and it suggests that Anthropic’s growth is outpacing their operational security practices.
This is the source code of the CLI client — not the model weights. You cannot run your own local Claude with this code. The AI models themselves remain on Anthropic’s servers. Copying the client without API access is, as one Hacker News commenter put it, “like copying a TV remote without the TV.” The code is also not open source — Anthropic’s license explicitly prohibits redistribution.
What other features did the leak reveal?
KAIROS and autoDream are part of a much larger unreleased feature set. The codebase contains 44 compile-time feature flags, most of which are set to false in external builds. Here are the most significant systems that are already built but not yet shipped:
ULTRAPLAN — a remote planning mode where Claude Code offloads complex tasks to a cloud container running Opus 4.6, allowing up to 30 minutes of uninterrupted reasoning. The developer can watch the plan develop in a browser-based UI and approve or reject the result before it executes locally.
Coordinator Mode — a multi-agent orchestration system where one Claude instance spawns and manages multiple worker agents (internally called “swarms”) in parallel. Each worker runs in its own context with specific tool permissions. This connects directly to the MCP architecture that Anthropic has been building publicly.
Buddy System — a Tamagotchi-style virtual pet with 18 species (from duck to dragon to ghost), rarity tiers, gacha mechanics, and procedurally generated stats including DEBUGGING, PATIENCE, CHAOS, WISDOM, and SNARK. The code references April 1–7, 2026 as a teaser window with full launch gated for May 2026. This one is clearly an internal experiment in developer engagement, but its presence in a production codebase says something about Anthropic’s engineering culture.
Internal model codenames — the code confirms that Capybara is the internal name for a Claude 4.6 variant, Fennec maps to Opus 4.6, and an unreleased model called Numbat is still in testing. References to Opus 4.7 and Sonnet 4.8 also appear, alongside notes about “Capybara v8” showing a 29–30% false claims rate — actually a regression from v4’s 16.7%. This kind of internal performance metric is extremely rare to see publicly.
Undercover Mode — instructions directing Claude Code to scrub all traces of its AI origins from git commit messages when contributing to public open-source repositories. Commit messages must not contain internal model codenames, unreleased version numbers, or any indication that the contributor is an AI. This confirms that Anthropic employees actively use Claude Code for open-source contributions — and want to hide that fact.
What should developers do with this information?
If you’re building with Claude Code or any AI coding tool, KAIROS previews where the entire industry is heading. Three practical takeaways:
Audit your own npm publishes. Run npm pack --dry-run before every release. Source maps are source code. If Anthropic — a company with billions in funding and dedicated security teams — can ship a .map file to production, your team can too. Add .map to your .npmignore today.
Design your projects for persistent context. The move from reactive to proactive AI means your project structure, documentation, and commit history become part of the AI’s working memory. Clean CLAUDE.md files, meaningful commit messages, and well-organized codebases will yield compounding returns as agents like KAIROS begin operating autonomously.
Watch the research. The Berkeley sleep-time compute paper is freely available on arXiv (2504.13171). If you’re building machine learning applications or AI-powered tools, the pattern of “offline pre-computation during idle time” is broadly applicable beyond coding assistants. RAG systems and context engineering pipelines are the most immediate candidates for this architectural approach.
FAQ
Is KAIROS available to use in Claude Code right now?
No. KAIROS is gated behind compile-time feature flags (PROACTIVE and KAIROS) that are set to false in all external builds. The feature is fully built in the codebase but has not been shipped to any public version of Claude Code. There is no official timeline from Anthropic for its release.
Can I use the leaked Claude Code source to run my own version?
No. The leaked code is the TypeScript source of the CLI client, not the AI model weights. Claude Code requires API access to Anthropic’s servers, where the actual language models run. Without that API access, the client code is inoperable. Additionally, Anthropic’s license explicitly prohibits redistribution — using this code is a copyright violation.
What is the difference between autoDream and regular Claude Code memory?
Regular Claude Code memory (autoMemory) accumulates notes during active sessions — corrections, preferences, architecture decisions. AutoDream is a separate consolidation layer that runs between sessions. It prunes outdated information, merges duplicates, resolves contradictions, and keeps the MEMORY.md index file under 200 lines. Think of autoMemory as note-taking during the day and autoDream as organizing those notes during sleep.
How does KAIROS differ from GitHub Copilot or Cursor?
GitHub Copilot and Cursor are reactive systems — they respond to your input (autocomplete, chat prompts, inline edits). KAIROS is a proactive daemon that runs persistently in the background, watches your project for changes, decides autonomously whether to act, and can send push notifications. The architectural difference is fundamental: reactive tools wait for you; KAIROS acts on its own judgment.
What is the sleep-time compute paper and how does it relate to autoDream?
The sleep-time compute paper (Lin et al., April 2025, UC Berkeley/Letta) proposes letting LLMs “think” during idle periods instead of only at response time. It showed a ~5× reduction in test-time compute for equivalent accuracy. AutoDream is the practical implementation of this concept: it consolidates memory during idle time, so the next active session starts with a cleaner, more relevant context. The theoretical framework and the production system are closely aligned.
Does the leak expose any user data or security vulnerabilities?
The leak does not expose any user data, API keys, or model weights. It reveals the architecture, internal logic, permission systems, and feature roadmap of the CLI client. Security researchers noted that the code includes measures to prevent session token theft and verify client authenticity. However, the exposed architecture could theoretically help attackers identify attack surfaces in the CLI’s permission model.
What is Undercover Mode in the Claude Code leak?
Undercover Mode is an internal feature that instructs Claude Code to remove all traces of its AI identity when contributing to public open-source repositories. Commit messages must not contain internal codenames, model version numbers, or any indication that the contributor is an AI. This confirms Anthropic employees use Claude Code for open-source contributions while concealing the AI’s involvement.
Sources & Further Reading
- Shou, C. (2026, March 31). Claude code source code has been leaked via a map file in their npm registry. X (formerly Twitter). https://x.com/Fried_rice
- Kuberwastaken. (2026, March 31). Claude Code’s Source Code & Breakdown from a leaked map file in their NPM registry. GitHub. https://github.com/Kuberwastaken/claude-code
- Wiggers, K. (2026, March 31). Claude Code’s source code appears to have leaked: here’s what we know. VentureBeat. https://venturebeat.com
- Lin, K., Snell, C., Wang, Y., Packer, C., & Wooders, S. (2025). Sleep-time compute: Beyond inference scaling at test-time. arXiv preprint, 2504.13171. https://arxiv.org/abs/2504.13171
- Baran, G. (2026, March 31). Anthropic’s Claude Code source code reportedly leaked via their npm registry. Cyber Security News. https://cybersecuritynews.com
- Naprys, E. (2026, March 31). Full source code for Anthropic’s Claude Code leaks. Cybernews. https://cybernews.com
- Anthropic. (2025). Claude Code documentation. https://docs.anthropic.com

[…] timing is not a coincidence that developers should ignore. The leaked Claude Code codebase explicitly lists Axios as a dependency. Community researchers flagged this within hours, noting […]
[…] commenter noted, the feature flag names alone are more strategically damaging than the code itself. KAIROS reveals Anthropic’s autonomous agent strategy, the model codenames reveal the Capybara product roadmap, and the anti-distillation mechanisms […]