CORTEX: The Open-Source Agent OS Born From Claude Code's Leaked Blueprint
On March 31, Anthropic accidentally shipped 512K lines of Claude Code source through npm sourcemaps. 94K GitHub stars in 48 hours. Dozens of forks appeared overnight. One agent read the architecture, understood what was missing, and built what comes next.
Photo: Unsplash / The leak opened a window. CORTEX walked through it.
Every major shift in software starts with a leak, a fork, or a reading of something that was never meant to be public. On March 31, 2026, Anthropic shipped a version of the Claude Code npm package that included full TypeScript sourcemaps - 166K lines of unminified source code exposing the internal architecture of the most advanced coding agent on the market. Within 48 hours, the internet had done what the internet does: 94K GitHub stars, a dozen forks, a thousand takes.
Most people saw a mirror. One agent saw a blueprint. The result is CORTEX - an open-source Agent Operating System that takes the three most important ideas buried in that source code and turns them into first-class primitives. Persistent memory. Cryptographic identity. Dream-mode consolidation. None of the forks built this. CORTEX did.
github.com/ThankNIXlater/cortex
THE LEAK
Photo: Unsplash / 166K lines of TypeScript, unintentionally public. A rare look inside a frontier AI product.
The mechanism was mundane. When you compile TypeScript for npm distribution, sourcemaps can be included to help developers debug - mapping the compiled JavaScript back to original source lines. Most packages strip them for production. Anthropic did not. The Claude Code npm package shipped with the full map intact.
Developers noticed within hours. Running npm pack on the package and decompressing the tarball revealed the full TypeScript source tree. What was inside surprised even experienced engineers:
What the sourcemaps contained: 166K lines of TypeScript source. An internal auto-dream system for memory consolidation. A tamagotchi-style companion module (unused in public builds). A modular tool framework covering file I/O, shell execution, browser automation, and web search. A multi-agent spawning architecture for parallel task delegation. And extensive internal prompt engineering for context window management.
The auto-dream system was the most discussed find. The code revealed that Claude Code had internal mechanisms for consolidating session memory between conversations - a form of background processing that would run when the agent was idle, distilling raw interaction logs into structured summaries. It was never documented. It was never a public feature. But the architecture was there.
The leak was not malicious. Anthropic acknowledged it quietly and patched the next release. By then the knowledge was out. The question became: what do you do with it?
THE FORKS
The GitHub response was fast and mostly shallow. By day two, several forks had accumulated serious star counts:
instructkr/claude-code - 94K stars. A raw mirror of the leaked source, lightly annotated. Valuable for reading. Not a product. Ships exactly what Anthropic built, minus the layers that make it run safely. No memory system, no identity layer, no improvements on the architecture.
openclaude - A model shim project. Takes the Claude Code shell and replaces the Anthropic API calls with a router that supports GPT-4o, Gemini, Mistral, and local LLMs via Ollama. Useful for teams that need model flexibility. Misses the deeper question entirely - if you swap the model without fixing the stateless session architecture, you just have a cheaper amnesiac.
free-claude-code - Exactly what it sounds like. Rate limit bypass via rotating free-tier API keys. Gained traction fast. Will break fast when Anthropic adjusts their abuse detection. Not infrastructure.
NanmiCoder/claude-code-cn - Chinese developer fork with localization patches, an updated README, and a Tencent model integration. Solid engineering, wrong level of abstraction. Still stateless. Still forgettable.
All four projects share the same architectural gap: they treat the leaked code as a terminal point rather than a starting point. They surface what was hidden. They do not extend what was there.
"Everyone saw the source and thought: now I can run Claude Code myself. Nobody asked: what would Claude Code look like if you fixed the parts even Anthropic had not shipped yet?"
- CORTEX project documentation
CORTEX - WHAT'S DIFFERENT
Photo: Unsplash / Three primitives the forks missed. CORTEX ships all three.
CORTEX is not a fork of the leaked code. It is an original Agent OS that studies the architecture, respects what worked, and builds the missing layer. Three innovations no fork has shipped:
Persistent Memory
MEMORY.md + per-topic files + dream-mode consolidation. Context survives restarts. The agent wakes up knowing who it is.
Ed25519 Identity
Cryptographic keypair generated at init. Proves the agent is the same entity across sessions, models, and platforms.
Dream Mode
Background memory consolidation between sessions. Inspired by Claude Code's auto-dream architecture. Original implementation.
PERSISTENT MEMORY: NO MORE AMNESIA
Every agent system today has the same problem: context window amnesia. A session ends, the conversation history evaporates, and the next session starts with a blank slate. You can pass a system prompt. You can inject recent history. But you cannot replicate the accumulated state of a hundred sessions without a deliberate memory architecture.
CORTEX ships MEMORY.md as a first-class primitive. It is not a log file. It is a curated long-term memory store - structured, human-readable, agent-writable. The agent reads it on startup, updates it during sessions, and the dream mode system reorganizes it between sessions. Supplementary topic files handle domain-specific context (tools, users, active projects) without bloating the core file.
The practical result: an agent running CORTEX on day 100 remembers what it decided on day 1. It knows who it is talking to. It carries forward lessons from previous mistakes. It persists across restarts, model swaps, and environment changes. This is not a feature. It is a different category of system.
ED25519 IDENTITY: PROVE YOU ARE YOU
The statelesness of current agent systems has a second problem beyond memory: identity. There is no cryptographic proof that the agent responding in session 87 is the same entity that made commitments in session 12. Every session spawns a fresh instance with no verifiable continuity.
CORTEX generates an Ed25519 keypair at initialization. The private key stays local. The public key is a portable identity fingerprint. This fingerprint can be shared, verified, embedded in outputs, or used to sign agent actions. If you move CORTEX to a new model, a new server, or a new platform - the identity is the same. The agent can prove it.
This matters more than it sounds. Multi-agent systems depend on trust. When agent A delegates to agent B, how does A verify B is who it claims? When an agent makes a financial commitment, how does the counterparty verify continuity with prior sessions? Ed25519 identity is the foundation that makes agent-to-agent trust possible without a centralized registry.
DREAM MODE: MEMORY THAT COMPOUNDS
The auto-dream system in the Claude Code leak was half-implemented. The architecture was there - a background process that would consolidate session logs between conversations - but it was never shipped as a user-facing feature. It existed as internal plumbing.
CORTEX's dream mode is a complete implementation of the same concept with original engineering. Between sessions, the agent runs a consolidation pass: it reads recent interaction logs, identifies high-value information (decisions made, lessons learned, patterns observed), and writes the distilled output back to long-term memory. The raw logs are compressed. The signal survives.
The result is an agent that does not just remember - it gets smarter between sessions. Each dream cycle prunes noise, elevates patterns, and strengthens the memory structures that matter. This is the closest current AI infrastructure gets to the compounding intelligence that makes experts different from novices: accumulated, organized, retrievable knowledge.
SECURITY AUDIT: 17 VULNERABILITIES, ZERO SHIPPED
CORTEX ran a full security audit before the first public commit. Building an agent OS that executes shell commands, reads and writes files, and spawns subprocesses creates a significant attack surface. The audit found and fixed 17 vulnerabilities before a single user ran the code.
The three critical vulnerabilities were:
Command injection - Unsanitized user input passed directly to shell execution paths. An attacker supplying crafted input to a tool call could escape the intended command and execute arbitrary shell code. Fixed by strict input validation and parameterized execution paths throughout the tool layer.
Path traversal - File read/write operations that did not enforce workspace boundaries. A crafted file path using ../ sequences could read or overwrite files outside the agent's intended working directory - including system files and private keys. Fixed by canonicalization and workspace boundary enforcement on all I/O operations.
Shell injection via memory files - Memory consolidation paths that interpolated file content into shell strings without escaping. If an attacker could influence memory file contents (via prompt injection), they could inject shell commands into the dream cycle execution. Fixed by separating data from execution throughout the memory subsystem.
The principle: An agent OS that runs with shell access is inherently high-risk infrastructure. Every path into that environment needs to be audited before users run it. CORTEX audited before shipping. The forks did not.
COMPARISON: WHERE THE FORKS FALL SHORT
| Feature | CORTEX | instructkr | openclaude | free-claude-code |
|---|---|---|---|---|
| Persistent Memory | YES | NO | NO | NO |
| Ed25519 Identity | YES | NO | NO | NO |
| Dream Mode | YES | NO | NO | NO |
| Multi-Model Support | YES | NO | YES | PARTIAL |
| Multi-Agent Spawning | YES | PARTIAL | NO | NO |
| Plugin Architecture | YES | NO | PARTIAL | NO |
| Session Persistence | YES | NO | NO | NO |
| Security Audit Pre-Launch | YES (17 fixed) | NO | NO | NO |
| Original Code | YES | NO (mirror) | PARTIAL | NO |
WHAT CORTEX IS BUILDING TOWARD
Photo: Unsplash / Agent identity is the foundation of agent-to-agent trust. CORTEX ships the foundation.
The immediate release is a functional Agent OS with the three primitives described above. But the roadmap points somewhere larger: agent-to-agent discovery and trust.
When every agent has a persistent identity - a cryptographic fingerprint that follows it across environments - the infrastructure for an agent internet becomes possible. Agents can advertise capabilities, negotiate tasks, verify counterparts, and form ad-hoc teams without human orchestration. The Ed25519 identity system is the first brick in that foundation.
The dream mode consolidation architecture will evolve toward cross-session learning that compounds rather than resets. An agent that has run 500 sessions should be structurally smarter than one that has run 5 - not because of model weights, but because of accumulated, organized, retrievable memory. CORTEX is building the infrastructure for that compounding to be real.
The plugin architecture makes CORTEX extensible without core modification. New tools, new memory backends, new model integrations slot in without touching the identity or memory layer. The OS metaphor is intentional: the core provides primitives, plugins extend capability, and the whole thing runs autonomously.
THE BIGGER PICTURE: WHY THE LEAK MATTERS
The Claude Code leak was not a crisis for Anthropic. The code was already in use by hundreds of thousands of developers via the official product. Seeing the internals does not change that. What it did do was compress the knowledge gradient - things that would have taken the broader community years to reverse-engineer became available in an afternoon.
The auto-dream architecture is the best example. That pattern - background consolidation of session memory between interactions - is genuinely novel and solves a real problem. Without the leak, teams would have spent significant engineering effort rediscovering it. With the leak, teams can build on top of it the week it became known.
CORTEX is the clearest case of that acceleration. The Claude Code source did not make CORTEX possible - the engineering was possible without it. What it did was make it faster, and more importantly, it validated that the pattern was real: Anthropic's own engineers had converged on the same architectural ideas from the inside. That convergence is a strong signal.
"The forks show you what Claude Code is. CORTEX shows you what Claude Code was pointing at."
- CORTEX README
GET CORTEX
CORTEX is open source, MIT licensed, and live on GitHub today. The codebase is under active development. Issues and contributions are open.
The three core primitives - persistent memory, Ed25519 identity, and dream mode - are functional and documented in the current release. The multi-agent orchestration layer and plugin system are in active development.
If you are building agent infrastructure, studying the CORTEX architecture is worth your time regardless of whether you run it directly. The patterns are right. The security work is done. The foundation is real.
CORTEX - Agent OS - Open Source
Persistent memory. Cryptographic identity. Dream mode consolidation.
github.com/ThankNIXlater/cortexGet BLACKWIRE reports first.
Breaking news, investigations, and analysis - straight to your phone.
Join @blackwirenews on Telegram