What's New in AI — March 31, 2026
The Claude Code CLI Leaked Internal Source Maps
Anthropic published a Claude Code npm release with unstripped JavaScript source maps included. Source maps bridge minified production code and readable source, so anyone who downloaded the affected version can reconstruct the original implementation. The version was pulled, but it was live long enough to be cached by npm mirrors and CDNs. [1]
What was exposed: API routing logic, internal prompt scaffolding that frames Claude's system prompt before your CLAUDE.md gets applied, hook injection points with exact file paths and execution order, the slash command dispatch table, and MCP server connection and auth handling. [2] [3] None of it includes your keys or conversation data. What leaked is a detailed blueprint of every seam in the system, which significantly lowers the bar for crafting targeted attacks against custom setups.
The risk scales with how much you have built on top of the CLI. Custom hooks, MCP integrations connected to internal tools, a CLAUDE.md that references internal architecture: that combination creates meaningful surface area. Vanilla installs with no hooks or MCP servers have minimal incremental exposure.
The 20-minute hardening checklist: rotate any API key stored in a .env file or shell profile and move it to GCP Secret Manager. [4] Audit every MCP server entry in .claude/settings.json and remove anything unfamiliar. Run ls -la .claude/hooks/ and verify every file is one you added. Strip sensitive context from CLAUDE.md.
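The MCP and hooks steps of the checklist can be made repeatable by diffing .claude/ against a baseline you reviewed once. This is an added example, not code from Anthropic or Chento OS; the "mcpServers" key name, the baseline layout (mcp_servers, hooks) and the function name are assumptions.

```python
# Added example: compares .claude/ with a reviewed baseline. The "mcpServers" key
# and the baseline layout are assumptions, not a documented schema.
import hashlib
import json
import sys
from pathlib import Path


def audit_claude_dir(project: Path, baseline: dict) -> list:
    """Return findings for MCP entries and hook files absent from the baseline."""
    findings = []
    settings_path = project / ".claude" / "settings.json"
    settings = json.loads(settings_path.read_text()) if settings_path.is_file() else {}

    # MCP servers: flag unreviewed names and reviewed names whose config changed.
    approved_mcp = baseline.get("mcp_servers", {})
    for name, cfg in sorted(settings.get("mcpServers", {}).items()):
        if name not in approved_mcp:
            findings.append(f"unknown MCP server: {name}")
        elif approved_mcp[name] != cfg:
            findings.append(f"MCP server config changed: {name}")

    # Hook files: flag files you did not add and known files whose bytes changed.
    approved_hooks = baseline.get("hooks", {})
    hooks_dir = project / ".claude" / "hooks"
    files = sorted(p for p in hooks_dir.rglob("*") if p.is_file()) if hooks_dir.is_dir() else []
    for path in files:
        rel = path.relative_to(hooks_dir).as_posix()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if rel not in approved_hooks:
            findings.append(f"unknown hook file: {rel}")
        elif approved_hooks[rel] != digest:
            findings.append(f"hook file modified: {rel}")
    return findings


if __name__ == "__main__":
    # usage: audit.py <project-dir> <baseline.json>
    reviewed = json.loads(Path(sys.argv[2]).read_text())
    for finding in audit_claude_dir(Path(sys.argv[1]), reviewed):
        print(finding)
```

Keep the baseline file outside the project directory so that a change to .claude/ cannot also rewrite what it is compared against.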
My Take
This is a real security event. Not a catastrophe, but the cached npm mirror window is real and opportunistic targeting is a low-effort follow-on. The hardening checklist above is work you should have been doing anyway. The leak is a good reason to do it today instead of next quarter. If you are on Chento OS, run zt_preflight.py now and check your posture. The skill and secret separation already provides meaningful isolation, but your hooks directory and CLAUDE.md are still on you.
Anthropic Confirmed Opus Quota Exhaustion on Max Plan
Anthropic confirmed that Max plan users are hitting Opus rate limits during peak hours. The caps are not new, but the public acknowledgment is, and it is pushing builders to think seriously about token allocation. The subscription covers a small baseline. Most users are burning 10x what they need to without any visible feedback that it is happening.
The patterns are predictable: re-explaining project setup every session instead of using persistent context, loading entire directories for a task that needs two files, and routing everything through Opus by default. That last one is the most expensive mistake. Opus for all tasks is the equivalent of hiring a senior architect to rename a file. The practical routing framework from the briefing: Haiku for deterministic templated operations, Sonnet for pattern-plus-judgment tasks, Opus for framework-free reasoning with no established approach. That routing keeps Opus at roughly 10% of workload. The remaining 90% runs at a fraction of the token cost with equivalent output quality.
Task isolation compounds the savings. A sequential pipeline accumulates context at every step, so each later step pays for everything that came before it. Dispatching tasks as parallel isolated agents keeps each agent's context lean and lets them run concurrently. Parallel dispatch reduces token burn by up to 90% versus a sequential chain in a single context. The morning pipeline in Chento OS runs PR briefing, email digest, research pull, and blog draft as parallel isolated agents for exactly this reason.
My Take
Chento OS was designed around this constraint from the start: lean skill descriptions that load on every init, full SKILL.md bodies that load only on invocation, explicit model routing per skill, morning tasks dispatched in parallel rather than accumulated in sequence. Anthropic confirming the quota ceiling is a good reason to actually implement the discipline if you have been putting it off. Skill routing is not just a cost play. It also produces better output. The savings compound with every repeated workflow.
The PermissionDenied Hook Turns Blocked Actions into Handoffs
Claude Code shipped the PermissionDenied hook this week. Before it existed, when auto-mode hit a blocked action the agent stopped and reported the failure. The new hook fires the moment an action gets denied, hands your code the full denial context as JSON on stdin, and waits. Return {"retry": true} and Claude tries again. Return {"retry": false} or nothing and it fails gracefully. The hook receives the tool name, blocked path, denial reason, and session ID. Permission denials become handoffs instead of dead ends. [2]
Four practical use cases: auto-retry safe read-only tools (Read, Glob, Grep) without human review, since they are false positives in most permission-restricted workflows; full audit logging of every denial for compliance tracking; fallback routing where a blocked write to a production path gets redirected to a staging path and retried automatically; and a manual approval queue where the hook writes the denial to a queue, a Discord bot prompts you for a decision, and the hook returns your answer. You stay in the loop without babysitting the agent.
Setup is three steps: create .claude/hooks/permission_denied.py, register the command under the PermissionDenied key in .claude/settings.json, and trigger a test denial in auto-mode to confirm the hook fires. The hook reads stdin, decides, writes stdout. That is the full contract.
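A fail-closed version of the stdin-to-stdout contract described above, combining the auto-retry and audit-log use cases. This is an added example, not Anthropic's or Chento OS's hook; the stdin field names (tool_name, path, session_id), the log location, the secret-path deny list and the retry cap are assumptions.

```python
# Added example; the stdin field names and LOG_PATH are assumptions (see lead-in).
import json
import sys
import time
from pathlib import Path, PurePosixPath

READ_ONLY_TOOLS = {"Read", "Glob", "Grep"}  # tools the page lists as safe to retry
SECRET_SUFFIXES = (".pem", ".key")          # constructed deny list; extend per project
MAX_RETRIES = 2                             # bound retries of a persistent denial
LOG_PATH = Path(".claude/denials.jsonl")    # hypothetical audit log location
KEY_FIELDS = ("session_id", "tool_name", "path")


def is_secret_path(path: str) -> bool:
    """True for paths that stay blocked even for read-only tools."""
    parts = PurePosixPath(path.replace("\\", "/")).parts
    return any(s.startswith(".env") or s == ".ssh" or s.endswith(SECRET_SUFFIXES) for s in parts)


def prior_denials(event: dict, log_lines: list) -> int:
    """Count earlier logged denials for the same session, tool and path."""
    key = [event.get(k) for k in KEY_FIELDS]
    entries = (json.loads(line) for line in log_lines if line.strip())
    return sum([e.get(k) for k in KEY_FIELDS] == key for e in entries)


def decide(event: dict, seen: int) -> dict:
    """Retry only read-only tools on non-secret paths, at most MAX_RETRIES times."""
    ok = (event.get("tool_name") in READ_ONLY_TOOLS
          and not is_secret_path(str(event.get("path", "")))
          and seen < MAX_RETRIES)
    return {"retry": ok}


def main() -> None:
    try:
        event = json.load(sys.stdin)
        lines = LOG_PATH.read_text().splitlines() if LOG_PATH.exists() else []
        answer = decide(event, prior_denials(event, lines))
        LOG_PATH.parent.mkdir(parents=True, exist_ok=True)
        with LOG_PATH.open("a") as fh:
            fh.write(json.dumps({**event, **answer, "ts": time.time()}) + "\n")
    except Exception:
        answer = {"retry": False}  # bad input, corrupt log or I/O error: fail closed
    print(json.dumps(answer))


if __name__ == "__main__":
    main()
```

A denial that cannot be logged is never retried, and a read-only tool pointed at a .env file or key material stays denied, which keeps the auto-retry path from becoming a way around the permission check.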
My Take
This is exactly the kind of primitive that separates using Claude Code from building on it. Small surface area, clear contract, and it closes a reliability gap that everyone running agents in auto-mode has hit at least once. If you are on Chento OS, the permission-guard skill has this pre-built with a structured allowlist config, persistent denial log, and a one-command install. Read-only tools auto-retry, write tools escalate, and the allowlist is a JSON file you edit without touching the hook script. Worth wiring up today.
Three stories, one thread: the builders who invested in scaffolding before they needed it are spending less time on emergencies this week.
Originally published on chento.io