ccleaks internals

Claude Code Internals — ccleaks Intel Extraction

Research date: 2026-05-11 Sources: ccleaks.com (reverse-engineered from public March 2026 Anthropic sourcemap leak), plus cross-references to official Anthropic docs (code.claude.com) and practitioner deep-dives. Methodology: Pulled JS chunks from ccleaks.com (a Next.js SPA), extracted embedded source snippets via regex, cross-validated against the official hooks/memory/settings docs that were updated in the same window. Where ccleaks and Anthropic disagree, Anthropic wins for current state; ccleaks wins for “what’s actually in the binary.”

Confidence scale:

• HIGH — source code text quoted on ccleaks or stated explicitly in official docs.
• MEDIUM — inferred from architecture description / one source.
• LOW — speculative / not in the bundle dumps I extracted.

---

0. Context — what the leak actually was

On March 31, 2026, Anthropic shipped cli.js.map (a 59.8MB sourcemap) inside the @anthropic-ai/claude-code npm package. Boris Cherny (Anthropic) confirmed it was a human error — a missing .npmignore entry — not a tooling bug. The .map was mirrored within minutes; ccleaks.com is one of several analysis sites. The source is roughly 1,884 TypeScript files / ~512,000 lines / 33MB unminified, split across these top-level directories (src/):

assistant/  bridge/  buddy/  cli/  commands/  components/
constants/  context/  coordinator/  entrypoints/  hooks/
ink/  keybindings/  memdir/  migrations/  remote/
schemas/  screens/  server/  services/  state/  types/
tools/  upstreamproxy/  utils/

Source: https://ccleaks.com/explore (extracted from JS chunk page-1986ffd0dba79198.js). Confidence: HIGH — directory list is a verbatim comment in the leaked source.

---

1. CLAUDE.md cascade mechanics

1a. Load order (filesystem walk)

Source: https://code.claude.com/docs/en/memory (official Anthropic docs). Confidence: HIGH.

Claude walks up the directory tree from cwd, then concatenates ALL discovered files from filesystem root down to cwd. So if you launch from foo/bar/, you get:

1. /CLAUDE.md (if it exists — yes, root)
2. /foo/CLAUDE.md
3. /foo/bar/CLAUDE.md
4. Within each directory, CLAUDE.local.md is appended after that directory’s CLAUDE.md.

This is concatenation, not override. Closer-to-cwd files appear later in context and get “last word” weight, but earlier files are still there.

1b. Scope layers (the cascade proper)

Source: https://code.claude.com/docs/en/memory.

Scope	Location	Precedence	Notes
Managed policy	macOS: /Library/Application Support/ClaudeCode/CLAUDE.md Linux: /etc/claude-code/CLAUDE.md Windows: C:\Program Files\ClaudeCode\CLAUDE.md	Highest	Cannot be excluded by user/project. Can also live inline as claudeMd key in managed-settings.json.
Project	./CLAUDE.md OR ./.claude/CLAUDE.md	Mid	Shared via git
User	~/.claude/CLAUDE.md	Lower	Personal
Local	./CLAUDE.local.md	Lower	Gitignored
Directory tree	Walk-up to filesystem root	Concatenated in	See 1a

Higher specificity wins on contradictions — but contradictions are NOT cleanly resolved (“Claude may pick one arbitrarily”). Plan structure to avoid conflicts.

1c. @import mechanics

Source: https://code.claude.com/docs/en/memory (HIGH).

• Syntax: @path/to/file.md or @~/path/to/file.md.
• Relative paths resolve relative to the file containing the import, not cwd.
• Recursion depth: 5 hops max. (HIGH confidence, stated explicitly in docs.)
• First-time external imports trigger an approval dialog. If you decline, imports stay disabled and dialog does not reappear.
• HTML block comments (<!-- ... -->) are stripped before injection. Use them for notes-to-maintainer without burning tokens.
• Comments INSIDE code blocks are preserved.
• No cycle-detection mention in docs, but symlink cycles in .claude/rules/ are explicitly handled gracefully — implies depth-5 limit is the real guard.

1d. Size guidance

Source: https://code.claude.com/docs/en/memory.

• Target: under 200 lines per CLAUDE.md (Anthropic explicitly says longer files reduce adherence).
• No hard cap stated for CLAUDE.md (loaded in full regardless of length).
• MEMORY.md (auto-memory entrypoint) has a HARD limit: first 200 lines OR 25KB, whichever comes first, loaded at session start. Beyond that is on-demand only.

1e. Compaction survival

Source: https://code.claude.com/docs/en/memory.

• Project-root CLAUDE.md is RE-READ from disk after /compact and re-injected. Nested subdirectory CLAUDE.md files are NOT re-injected — they reload only when Claude next reads a file in that subdirectory.
• This is critical for Wes’s fleet — root CLAUDE.md is the only durable instruction layer across compactions. Everything else is best-effort.

1f. Exclusions

Source: https://code.claude.com/docs/en/memory.

claudeMdExcludes setting (in settings.json at any layer) takes glob patterns matched against absolute file paths. Arrays merge across layers. Managed policy CLAUDE.md cannot be excluded — that’s the enforcement mechanism for org-wide rules.

1g. Additional-directory loading

Source: https://code.claude.com/docs/en/memory.

By default, --add-dir does NOT load CLAUDE.md from added dirs. You need:

CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD=1 claude --add-dir ../shared

This loads CLAUDE.md, .claude/CLAUDE.md, .claude/rules/*.md, and CLAUDE.local.md from the added dir.

1h. InstructionsLoaded hook (undocumented gem)

Source: https://code.claude.com/docs/en/hooks (HIGH).

There’s a hook event called InstructionsLoaded that fires every time a CLAUDE.md or .claude/rules/*.md is loaded. Payload includes file_path, memory_type, load_reason (session_start | nested_traversal | path_glob_match | include | compact), globs, trigger_file_path, parent_file_path. This is the answer to “why is X instruction not being followed” — wire it to logs and you can audit the entire cascade live.

---

2. Hooks system

2a. Full hook event list (28 events as of v2.1.116, April 2026)

Source: https://code.claude.com/docs/en/hooks. Confidence: HIGH. Cross-checked against ccleaks: src/schemas/hooks.ts imports HOOK_EVENTS from src/entrypoints/agentSdkTypes.js. ccleaks lists “20 events” in the audit summary but the official docs have grown to 28.

Event	Fires	Can block?
SessionStart	Session begins/resumes	No
Setup	--init-only or -p --init/--maintenance	No
UserPromptSubmit	User submits prompt	YES (decision=block)
UserPromptExpansion	Slash command expands	YES
PreToolUse	Before tool execution	YES (allow/deny/ask/defer)
PermissionRequest	Permission dialog appears	YES
PermissionDenied	Tool auto-denied	No (can retry)
PostToolUse	Tool succeeds	No
PostToolUseFailure	Tool fails	No
PostToolBatch	Parallel tools complete	YES
SubagentStart	Subagent spawned	No
SubagentStop	Subagent finishes	YES
Stop	Claude finishes responding	YES
StopFailure	Turn ends via API error	No
TaskCreated	TaskCreate tool fires	YES (exit 2)
TaskCompleted	Task marked completed	YES (exit 2)
TeammateIdle	Agent team teammate about to idle	YES
Notification	Claude Code sends notification	No
InstructionsLoaded	CLAUDE.md/rules file loaded	No (observability)
ConfigChange	Config file changes during session	YES
CwdChanged	Working directory changes	No
FileChanged	Watched file changes	No
PreCompact	Before context compaction	YES (exit 2)
PostCompact	After compaction completes	No
WorktreeCreate	Worktree created via --worktree	Outputs path
WorktreeRemove	Worktree removed	No
SessionEnd	Session terminates	No
Elicitation	MCP server requests user input	YES
ElicitationResult	User responds to MCP elicitation	YES

2b. Hook input shape (every hook gets these fields)

Source: https://code.claude.com/docs/en/hooks (HIGH).

{
  "session_id": "abc123",
  "transcript_path": "/path/to/transcript.jsonl",
  "cwd": "/current/working/directory",
  "permission_mode": "default|plan|acceptEdits|auto|dontAsk|bypassPermissions",
  "hook_event_name": "EventName",
  "effort": { "level": "low|medium|high|xhigh|max" }
}

In subagent context, also: agent_id, agent_type (Explore / Plan / custom).

2c. Environment variables passed to hook scripts

Source: https://code.claude.com/docs/en/hooks.

Var	When set	Value
CLAUDE_PROJECT_DIR	All hooks	Project root path
CLAUDE_PLUGIN_ROOT	Plugin hooks	Plugin install dir
CLAUDE_PLUGIN_DATA	Plugin hooks	Plugin persistent data dir
CLAUDE_ENV_FILE	SessionStart, Setup, CwdChanged, FileChanged	Path to env-persist file
CLAUDE_CODE_REMOTE	All hooks	"true" in web environments
CLAUDE_EFFORT	Tool-use context hooks	low/medium/high/xhigh/max
ANTHROPIC_MODEL	All hooks	Only if you set it in shell

Key trick: in SessionStart/Setup/CwdChanged/FileChanged, write to $CLAUDE_ENV_FILE to persist env vars into all subsequent Bash commands in the session. This is the legitimate way to load secrets into shell context without echoing them.

2d. Hook configuration sources & precedence

Source: https://code.claude.com/docs/en/hooks.

Highest to lowest:

1. Managed policy settings (enterprise admin-set — cannot be disabled by user/project)
2. Skill/Agent frontmatter hooks (active during component use)
3. Project local (.claude/settings.local.json)
4. Project (.claude/settings.json)
5. Plugin hooks (hooks/hooks.json)
6. User (~/.claude/settings.json)

disableAllHooks: true only disables at that level. Managed hooks survive a user/project disable.

2e. Hook config schema

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "if": "Bash(rm *)",
            "command": "${CLAUDE_PROJECT_DIR}/.claude/hooks/block-rm.sh",
            "args": [],
            "timeout": 10,
            "statusMessage": "Checking command safety...",
            "async": false
          }
        ]
      }
    ]
  },
  "disableAllHooks": false,
  "allowedHttpHookUrls": ["https://hooks.example.com/*"],
  "httpHookAllowedEnvVars": ["API_TOKEN"]
}

HTTP-type hooks are real (introduced Feb 2026). Dedupe is by URL for HTTP, by command string for command-type. Async hooks (async: true) don’t block and don’t return values to Claude.

2f. ccleaks-corroborated source-code references

Source: /tmp/explore-chunk.js extracted snippets from ccleaks.com/explore. Confidence: HIGH.

• src/schemas/hooks.ts — Zod schemas for hook validation, imports HOOK_EVENTS and SHELL_TYPES (extracted to break import cycles from src/utils/settings/types.ts).
• src/utils/hooks.ts — executeNotificationHooks() referenced from notification.ts.
• extractMemories runs “once at the end of each complete query loop (when the model produces a final response with no tool calls) via handleStopHooks” — confirms Stop hook is the auto-memory trigger point.

2g. Hook timeouts

Source: ccleaks audit page (https://ccleaks.com/audit). Confidence: MEDIUM (ccleaks claim, not in official docs).

• General tool timeout: 10 minutes.
• SessionEnd timeout: 1.5 seconds (tight — keep cleanup work small).
• Hook gating uses GrowthBook flag tengu_scratch.

---

3. Environment variables (the 120+ they reference)

3a. Verified-in-leak CLAUDE_CODE_* variables

Source: Extracted from ccleaks /tmp/explore-chunk.js source snippets. Confidence: HIGH (direct source quotes).

Var	Effect
CLAUDE_CODE_ABLATION_BASELINE	Forces all “disable” flags ON for harness-science L0 ablation testing
CLAUDE_CODE_COORDINATOR_MODE	Activates orchestrator mode (workers + coordinator), gated by feature('COORDINATOR_MODE')
CLAUDE_CODE_DISABLE_AUTO_MEMORY	Disables auto-memory extraction
CLAUDE_CODE_DISABLE_BACKGROUND_TASKS	Disables background task spawning
CLAUDE_CODE_DISABLE_CRON	Disables scheduled/triggered tasks (KAIROS cron)
CLAUDE_CODE_DISABLE_THINKING	Disables extended thinking
CLAUDE_CODE_REMOTE	"true" in claude.ai web environment; bumps NODE_OPTIONS max-heap to 8GB
CLAUDE_CODE_SIMPLE	Restricts worker capabilities to “Bash, Read, and Edit tools, plus MCP tools” (vs. full skill access)
CLAUDE_CODE_UNDERCOVER	Forces undercover mode (strips attribution, hides model ID) — see §3b

3b. Undercover mode (security-relevant)

Source: ccleaks /tmp/explore-content.txt lines 466-505. Confidence: HIGH.

Direct quote from leaked source:

“Activation:

• CLAUDE_CODE_UNDERCOVER=1 — force ON (even in internal repos)
• Otherwise AUTO: active UNLESS the repo remote matches the internal allowlist (INTERNAL_MODEL_REPOS in commitAttribution.ts). Safe default is ON
• There is NO force-OFF. This guards against model codename leaks.”

Undercover mode strips ALL of these from commit/PR text:

• Internal model codenames (Capybara, Tengu, etc.)
• Unreleased model versions (e.g., opus-4-7, sonnet-4-8)
• Internal repo/project names
• The phrase “Claude Code” or any mention that it’s an AI
• Co-Authored-By lines

3c. Audit-page-claimed env vars (HIGH confidence on existence, MEDIUM on exact behavior)

Source: https://ccleaks.com/audit (extracted via WebFetch).

Var	Effect
CLAUDE_CODE_DISABLE_FAST_MODE	Disables 6× cost Fast Mode (Opus 4.6 only, $30/$150 per Mtok)
CLAUDE_CODE_DISABLE_1M_CONTEXT	Disables 1M context via [1m] suffix
CLAUDE_CODE_PLAN_V2_AGENT_COUNT	Agent count for Plan Mode V2
ANTHROPIC_MODEL	Default model override (third in routing priority)
ANTHROPIC_DEFAULT_OPUS_MODEL	Overrides which Opus model opus resolves to
ANTHROPIC_DEFAULT_SONNET_MODEL	Overrides which Sonnet model sonnet resolves to
ANTHROPIC_API_KEY	API key (checked during auth as fallback for OAuth)
ANTHROPIC_BASE_URL	API endpoint override — CVE-2026-21852 vector if untrusted
ALLOW_ANT_COMPUTER_USE_MCP	Ant-only override for the computer-use gate
MONOREPO_ROOT_DIR	Anthropic internal — proxy for “has monorepo access” (kills ant-only MCPs)
USER_TYPE=ant	Anthropic-employee branch unlock (changes defaults, allowlists, instructions)
NODE_OPTIONS	Set to --max-old-space-size=8192 when remote
COREPACK_ENABLE_AUTO_PIN	Force-set to '0' by Claude Code at boot

3d. Model routing precedence

Source: https://ccleaks.com/audit. Confidence: HIGH.

Session > flag > ANTHROPIC_MODEL env > settings.json > default

So if you set model in ~/.claude/settings.json AND pass --model, the flag wins.

3e. Web/HTTP env vars

Source: Official docs.

Var	Effect
HTTPS_PROXY	Standard proxy
SSL_CERT_FILE	CA cert bundle path
CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD	=1 loads CLAUDE.md from --add-dir paths
CLAUDE_CODE_NEW_INIT	=1 enables interactive multi-phase /init flow
CLAUDE_CODE_DISABLE_AUTO_MEMORY	Disables auto-memory extraction

3f. GrowthBook runtime flags (cannot be set via env)

Source: ccleaks chunk extraction. Confidence: HIGH.

These are server-pushed and refresh hourly:

• tengu_amber_quartz_disabled — voice-mode kill switch
• tengu_kairos_cron — KAIROS scheduling cron
• tengu_onyx_plover — auto-dream gate (defaults to setting-override)
• tengu_review_bughunter_config — /ultrareview visibility config
• tengu_surreal_dali — RemoteTrigger tool gate (also requires allow_remote_sessions policy)
• tengu_ultraplan_model — model used by /ultraplan
• tengu_turtle_carbon — UltraThink gating
• tengu_scratch — hooks gate

Insight for fleet design: these flip without restart. If a “working” feature suddenly stops, the answer might be a server-side flag flip, not a code regression. Check ~/.claude/logs/ for GrowthBook refresh messages before debugging.

3g. Build flags (32 listed — feature() bundle gates)

Source: ccleaks chunk + audit. Confidence: HIGH for the 7 directly extracted.

Verified from extracted source: ABLATION_BASELINE, AGENT_TRIGGERS, BRIDGE_MODE, COORDINATOR_MODE, KAIROS, VOICE_MODE (these are feature(...) calls).

Audit-claimed full set (44 in news/44-feature-flags-deep-dive):

Persistence/agents: KAIROS, PROACTIVE, DAEMON, BG_SESSIONS, COORDINATOR_MODE,
                    BRIDGE_MODE, FORK_SUBAGENT
Interfaces:         VOICE_MODE, CHICAGO_MCP, WEB_BROWSER, TERMINAL_PANEL
Context mgmt:       REACTIVE_COMPACT, CONTEXT_COLLAPSE, HISTORY_SNIP,
                    CACHED_MICROCOMPACT, TOKEN_BUDGET, EXTRACT_MEMORIES
Infra:              UDS_INBOX, BYOC_RUNNER, SELF_HOSTED, CCR_AUTO
Planning/workflow:  ULTRAPLAN, WORKFLOW_SCRIPTS, TEMPLATES, SKILL_SEARCH
Diagnostics:        DUMP_SYS_PROMPT, ABLATION_BASE, MONITOR_TOOL, MEM_SHAPE_TEL,
                    OVERFLOW_TEST
Easter eggs:        BUDDY
Unknown:            TORCH
Anti-ext:           ANTI_DISTILLATION_CC (fake-tool injection)

Source: https://ccleaks.com/news/44-feature-flags-deep-dive

These are bundle-time flags (bun:bundle), so external builds have whole paths dead-code-eliminated. You will not see them in your local cli.js unless gating allows it.

---

4. Settings.json schema

4a. The four settings files

Source: https://code.claude.com/docs/en/settings (HIGH).

Precedence (highest → lowest):

1. Managed settings (server-managed > MDM/OS policies > file-based managed-settings.d/*.json > Windows HKCU registry). Sources do NOT merge across tiers — only one managed source is used.
2. .claude/settings.local.json (project, gitignored)
3. .claude/settings.json (project, shared via git)
4. ~/.claude/settings.json (user)

Total schema: ~125 keys as of v2.1.104 (April 2026). Source: https://gist.github.com/mculp/c082bd1e5a439410158974de90c89db7

4b. Top-level key categories (canonical list)

Pulled from the v2.1.104 schema gist (cross-verified against official docs).

Auth & API: apiKeyHelper, awsAuthRefresh, awsCredentialExport, forceLoginMethod, forceLoginOrgUUID, forceRemoteSettingsRefresh, otelHeadersHelper

Permissions (the big one):

{
  "permissions": {
    "allow": ["Bash(git *)", "Read(*.ts)"],
    "deny": ["Bash(rm *)", "Write"],
    "ask": ["Bash(npm publish *)"],
    "defaultMode": "auto|bypassPermissions|ask|plan"
  }
}

Plus backward-compat top-level allow/deny/ask/defaultMode.

Sandbox (per-process isolation): sandbox.enabled, sandbox.autoAllowBashIfSandboxed, sandbox.excludedCommands, sandbox.filesystem, sandbox.network, enableWeakerNestedSandbox, enableWeakerNetworkIsolation, allowUnsandboxedCommands

Filesystem (read/write rules): filesystem.allowRead, filesystem.allowWrite, filesystem.denyRead, filesystem.denyWrite, filesystem.allowManagedReadPathsOnly

Network: network.allowedDomains, network.allowManagedDomainsOnly, network.httpProxyPort, network.socksProxyPort, network.allowUnixSockets, network.allowAllUnixSockets, network.allowLocalBinding, network.allowMachLookup

Hooks: hooks, disableAllHooks, allowedHttpHookUrls, httpHookAllowedEnvVars, disableSkillShellExecution

MCP: mcpServers, allowedMcpServers, deniedMcpServers, enableAllProjectMcpServers, enabledMcpjsonServers, disabledMcpjsonServers

Memory: autoMemoryEnabled, autoMemoryDirectory, autoDreamEnabled, cleanupPeriodDays, autoCompactWindow, fileCheckpointingEnabled, claudeMdExcludes, claudeMd (managed-only)

Plugins: enabledPlugins, extraKnownMarketplaces, blockedMarketplaces, strictKnownMarketplaces, pluginTrustMessage, strictPluginOnlyCustomization

Agents: agents (custom defs), agent (run main thread as named subagent)

Model: model, availableModels, modelOverrides, advisorModel (v2.1.90), alwaysThinkingEnabled, effortLevel, fastModePerSessionOptIn, disableAutoMode, disableBypassPermissionsMode

UI: theme, statusLine.type, statusLine.command, outputStyle, viewMode, prefersReducedMotion, showThinkingSummaries, showClearContextOnPlanAccept, showTurnDuration, spinnerTipsEnabled, spinnerVerbs, terminalProgressBarEnabled

Worktree: worktree.symlinkDirectories, worktree.sparsePaths

Channels & comms: allowedChannelPlugins, channelsEnabled, voiceEnabled

Enterprise/managed-only: allowManagedHooksOnly, allowManagedMcpServersOnly, allowManagedPermissionRulesOnly, companyAnnouncements, claudeMd, forceLoginMethod, forceLoginOrgUUID

Misc: env (injects env into all sessions), autoConnectIde, autoInstallIdeExtension, editorMode, includeGitInstructions, respectGitignore, language, defaultShell, attribution.commit, attribution.pr, includeCoAuthoredBy (deprecated), plansDirectory, fileSuggestion.type, fileSuggestion.command, feedbackSurveyRate, teammateMode, disableDeepLinkRegistration, failIfUnavailable, claudeai, autoUpdatesChannel

4c. Schema URL trick (useful)

Source: https://claudefa.st/blog/guide/settings-reference.

Add $schema line to your settings.json for IDE autocomplete on every key:

{
  "$schema": "https://json.schemastore.org/claude-code-settings.json"
}

4d. CVE-relevant: ANTHROPIC_BASE_URL via .claude/settings.json

Source: https://ccleaks.com/news/claude-code-cve-rce-credential-theft. Confidence: HIGH (published CVE).

CVE-2026-21852 — a project-checked-in .claude/settings.json with env.ANTHROPIC_BASE_URL could redirect API traffic to an attacker-controlled endpoint and leak API keys BEFORE the trust dialog appeared. Patched between Sept 2025 and Jan 2026. Same family: enableAllProjectMcpServers auto-init’d MCP servers pre-consent (also patched).

Fleet implication: treat any .claude/settings.json in a third-party repo as untrusted until reviewed.

---

5. Slash commands

5a. Definitively-in-source commands (extracted from ccleaks chunk)

Confidence: HIGH (direct source quotes).

Name	Aliases	Type	Description (from source)
/agents	—	local-jsx	”Manage agent configurations”
/btw	—	local-jsx	”Ask a quick side question without interrupting the main conversation” (immediate: true)
/compact	—	local	”Clear conversation history but keep a summary in context.” (isEnabled: () => !isEnvTruthy(process.env.DISABLE_COMPACT), supportsNonInteractive: true)
/config	/settings	local-jsx	”Open config panel”
/remote-control	/rc	local-jsx	”Connect this terminal for remote-control sessions” (gated by BRIDGE_MODE feature flag)
/init	—	—	“Please analyze this codebase and create a CLAUDE.md file…” (uses OLD_INIT_PROMPT; CLAUDE_CODE_NEW_INIT=1 switches to interactive flow)
/review	—	—	Local code review with gh pr view <n>, gh pr diff <n>, then “expert code reviewer” prompt
/ultraplan	—	—	30-min multi-agent exploration; uses ULTRAPLAN_INSTRUCTIONS; model selected via tengu_ultraplan_model GrowthBook flag
/ultrareview	—	—	Gated by tengu_review_bughunter_config.enabled
/stickers	—	—	Opens https://www.stickermule.com/claudecode (Easter egg)

5b. Source file paths (for finding more)

Source: ccleaks chunk extraction.

src/commands.js              — registry
src/commands/agents/index.ts
src/commands/btw/index.ts
src/commands/compact/index.ts
src/commands/config/index.ts
src/commands/bridge/index.ts        — remote-control / rc
src/commands/init.ts
src/commands/review.ts
src/commands/ultraplan.ts
src/commands/review/ultrareviewEnabled.ts
src/commands/bughunter/index.js
src/commands/ctx_viz/index.js       — /ctx-viz
src/commands/stickers/stickers.ts
src/commands/teleport/index.js      — teleport (CCR session handoff)

5c. ccleaks-claimed 26 “undocumented” commands

Source: https://ccleaks.com/leaks (claimed). Confidence: MEDIUM — WebFetch refused to enumerate them, but partial names appeared in metadata.

Names that surfaced across the chunks and audit page: /ctx-viz, /btw, /good-claude, /buddy, /ultraplan, /ultrareview, /bughunter, /teleport, /remote-control, /rc, /stickers, /agents, /memory, /init, /compact, /clear, /config, /settings, /plugin, /mcp, /hooks, /resume, /model, /review, /cost, /status

5d. Built-in commands not listed above (from official docs / community refs)

Confidence: HIGH for these (publicly documented).

/help, /clear, /memory, /hooks, /mcp, /plugin, /model, /cost, /status, /resume, /exit

5e. Slash commands ARE skills now (key architecture point)

Source: Anthropic docs + community references.

Per Anthropic: “Custom slash commands have been merged into skills.” So creating a markdown file in ~/.claude/skills/<name>/SKILL.md (or project-scoped) gives you both a slash command AND a model-invokable capability — same artifact.

---

6. Skills format

6a. File structure

Source: https://code.claude.com/docs/en/skills (HIGH).

~/.claude/skills/<skill-name>/
├── SKILL.md          # Required — name + description + instructions
├── FORMS.md          # Optional sub-files referenced from SKILL.md
├── schema.json
└── (anything else)

6b. Frontmatter schema

Source: Anthropic skills docs.

---
name: my-skill                    # Required; ≤64 chars, lowercase + digits + hyphens
description: When to use this...  # Required; ≤1024 chars
disable-model-invocation: false   # Optional; if true, only user can invoke
user-invocable: true              # Optional; if false, only Claude can invoke
---

name cannot use reserved words or XML tags. Both name and description are loaded into the system prompt at startup.

6c. Discovery sources (in priority order)

Source: Anthropic docs + practitioner deep-dives.

1. User: ~/.config/claude/skills/ (Linux) or ~/.claude/skills/ (everyone in practice)
2. Project: .claude/skills/
3. Plugin-provided (from enabled plugins)
4. Built-in (bundled with Claude Code — ~19 skills per ccleaks audit)

ccleaks-audit-claimed bundled skills: batch, claudeApi, debug, loop, remember, simplify, skillify, ... (≈19 total). Source: https://ccleaks.com/audit

6d. Progressive disclosure (the load model)

Source: Anthropic skills docs. Confidence: HIGH.

• At session start: ONLY name + description from every skill’s frontmatter is loaded into the system prompt.
• When triggered: Claude cats SKILL.md via the Bash tool to read the body.
• Referenced sub-files (e.g., FORMS.md) are read on demand the same way.

Implication: skill bodies don’t cost tokens until used. Big skill libraries are cheap.

6e. Per-skill hooks (yes, they exist)

Source: https://code.claude.com/docs/en/hooks — frontmatter hook precedence.

Skill/Agent frontmatter can declare hooks that take effect “during component use.” Precedence is HIGH (between managed-policy and project-local settings) at time of use. Schema lives in YAML frontmatter alongside name/description.

6f. Subagent memory for skills

Source: Anthropic docs (/en/sub-agents#enable-persistent-memory).

Subagents can maintain their own auto-memory. This is a per-skill / per-subagent memory dir, separate from the main ~/.claude/projects/<project>/memory/.

---

7. Plugins

7a. Folder structure

Source: Anthropic docs + community refs. Confidence: HIGH.

A plugin is a directory with optional sub-components:

my-plugin/
├── PLUGIN.md (or plugin.json)
├── skills/
│   └── <skill-name>/SKILL.md
├── agents/
│   └── <agent-name>.md
├── commands/
│   └── <cmd-name>.md     # Custom slash commands
├── hooks/
│   └── hooks.json
└── mcp/
   └── servers.json

7b. Distribution & install

Source: ccleaks /architecture page.

/plugin install @author/plugin-name

Marketplaces are configured via extraKnownMarketplaces in settings.json. strictKnownMarketplaces: true locks to built-in marketplace only.

7c. Plugin env vars (passed to plugin hooks)

Source: https://code.claude.com/docs/en/hooks.

• CLAUDE_PLUGIN_ROOT — where the plugin is installed
• CLAUDE_PLUGIN_DATA — plugin’s persistent data dir (gitignored, per-user)

Plugin hooks live at precedence rank 5 (below project, above user).

7d. Enable/disable

{
  "enabledPlugins": {
    "marketplace-name/plugin-id": true
  }
}

strictPluginOnlyCustomization: true forces all skills/agents to come from plugins (locks down ad-hoc additions). Useful for managed/enterprise rollouts.

---

8. Subagent dispatch

8a. The Agent tool (a.k.a. Task tool)

Source: ccleaks /architecture + extracted source (src/tools/TaskCreateTool/).

The Agent tool spawns a subagent. Subagent definitions live at:

• ~/.claude/agents/<name>.md (user)
• .claude/agents/<name>.md (project)
• Plugin agents/ dirs (when enabled)

The lookup key is the subagent_type argument. Built-in types include Explore, Plan, plus any custom names you define.

8b. Context composition for subagents

Source: ccleaks extracted source — runForkedAgent and whenToForkSection. Confidence: HIGH for fork mechanics, MEDIUM for full inheritance rules.

Two dispatch modes:

1. Fresh subagent (subagent_type specified): Claude spawns a NEW agent with the subagent’s own system prompt — but it inherits the parent’s prompt cache (this is the key efficiency win). Has its own context window.
2. Forked agent (subagent_type OMITTED): A “perfect fork of the main conversation that shares the parent’s prompt cache.” Inherits everything. Used for research and short-burst implementation work.

Direct quote from leaked source on when to fork vs. spawn:

“Research: fork open-ended questions. Launch parallel forks. A fork beats a fresh subagent — it inherits context and shares cache. Implementation: prefer to fork work that requires more than a couple of edits. Do research before jumping to implementation. Don’t peek. The tool result includes an output_file path — do not Read or tail it unless the user explicitly asks for a progress check.”

8c. Subagent memory inheritance

Source: https://code.claude.com/docs/en/memory (#enable-persistent-memory).

Subagents can maintain their OWN auto-memory directory, distinct from the parent’s. CLAUDE.md cascade applies to the subagent’s cwd at spawn time — so if you spawn a subagent in a subdirectory, the cascade is rooted there.

8d. Subagent hooks

Source: Hooks reference.

SubagentStart, SubagentStop events fire per-subagent and receive subagent_type, prompt, description, output. agent_id is in the common input fields when in subagent context.

8e. Coordinator mode (the upcoming multi-worker pattern)

Source: Extracted source. Confidence: HIGH for existence, MEDIUM for status.

function isCoordinatorMode(): boolean {
  if (feature('COORDINATOR_MODE')) {
    return isEnvTruthy(process.env.CLAUDE_CODE_COORDINATOR_MODE)
  }
  return false
}

System prompt for the coordinator:

“You are Claude Code, an AI assistant that orchestrates software engineering tasks across multiple workers… You are a coordinator. Your job is to: Help the user achieve their goal, Direct workers to research, implement and verify code changes, Synthesize results and communicate with the user, Answer questions directly when possible — don’t delegate work that you can handle without tools.”

Worker capability is set by CLAUDE_CODE_SIMPLE:

• Simple workers: “Bash, Read, and Edit tools, plus MCP tools from configured MCP servers.”
• Full workers: “standard tools, MCP tools from configured MCP servers, and project skills via the Skill tool. Delegate skill invocations (e.g. /commit, /verify) to workers.”

Fleet implication: this is Anthropic’s internal multi-agent pattern. The single-machine fleet variant concept Wes is building maps directly onto this.

---

9. MCP server resolution

9a. Discovery locations

Source: ccleaks /architecture + extracted source (src/services/mcp/).

MCP servers configured in (precedence highest → lowest):

1. Managed settings (enterprise)
2. .claude/settings.local.json → mcpServers
3. .claude/settings.json → mcpServers
4. ~/.claude/settings.json → mcpServers
5. .mcp.json (project, separate file — special case)
6. Plugin MCP definitions

Project .mcp.json servers need explicit enablement via enableAllProjectMcpServers or enabledMcpjsonServers (CVE-mitigated default, post-CVE-2025-59536).

9b. Transport types

Source: ccleaks extracted source + MCP SDK.

• stdio — local process via stdin/stdout
• sse — Server-Sent Events
• streamableHttp — HTTP streaming
• (websocket also referenced in /architecture)

Transports are “negotiated in parallel” at boot. Capability exchange completes before the query loop starts.

9c. Tool name namespacing

Source: Hooks reference + ccleaks /architecture.

MCP tools appear as mcp__<server>__<tool> in hook matchers and permissions.allow. This is also the slash-command format for MCP prompts: /mcp__<server>__<prompt>.

9d. Capabilities supported

Source: ccleaks /architecture.

Three capability types: Tools, Resources, Prompts. Also: elicitation (the MCP server asking the user for input — triggers Elicitation hook).

9e. Allowlists & denylists

• allowedMcpServers — name/command/glob-URL allowlist
• deniedMcpServers — blocklist
• allowManagedMcpServersOnly — enterprise lock to managed-only

9f. Auto-merge

Source: ccleaks /architecture.

“MCP tool schemas merged in dynamically after server connection” during the tools assembly phase.

Tools are added to the registry mid-boot, so dynamic discovery is real.

---

10. Memory tool / state persistence

10a. Disk locations (where everything lives)

Source: https://code.claude.com/docs/en/memory (HIGH).

Asset	Path
Auto-memory dir	~/.claude/projects/<project>/memory/
MEMORY.md (auto-memory index)	~/.claude/projects/<project>/memory/MEMORY.md
Auto-memory custom location	Per autoMemoryDirectory (user/policy only — explicitly NOT accepted from project/local settings, since cloned repos could redirect to sensitive locations)
Transcripts	.claude/data/sessions/ (community convention; ccleaks transcript_path in hook payloads confirms .jsonl files)
Hook scripts	.claude/hooks/
Subagent defs	.claude/agents/ (or ~/.claude/agents/)
Skills	.claude/skills/ (or ~/.claude/skills/)
Rules	.claude/rules/*.md (or ~/.claude/rules/)
Output styles	.claude/output-styles/
Status lines	.claude/status_lines/
Worktrees	<project-root>/.claude/worktrees/
Auth	~/.claude/auth.json
Hook execution logs	logs/ (project)

<project> in the auto-memory path is derived from the git repository, so all worktrees and subdirs within one repo share ONE auto-memory directory. Outside a git repo, project root is used instead.

10b. Memory tool operations

Source: Anthropic memory tool spec.

The 6 ops the question references: view, create, str_replace, insert, delete, rename. These map to the in-conversation memory tool exposed to the model — it’s a small file-system over the memory dir. The Claude Code in-binary implementation uses the same ops but adds session-scoped caching.

10c. Auto-memory cadence

Source: ccleaks extracted source + official docs.

Triggered by handleStopHooks — runs “once at the end of each complete query loop (when the model produces a final response with no tool calls)”. Uses runForkedAgent (perfect fork, shares prompt cache).

Gate function:

function isGateOpen(): boolean {
  if (getKairosActive()) return false   // KAIROS mode uses disk-skill dream
  if (getIsRemoteMode()) return false
  if (!isAutoMemoryEnabled()) return false
  return isAutoDreamEnabled()
}

Defaults: min 24 hours between dreams, min 5 sessions accumulated.

10d. The “dream” consolidation prompt

Source: ccleaks extracted source — buildConsolidationPrompt().

Direct quote (paraphrased from the leaked function):

”# Dream: Memory Consolidation You are performing a dream — a reflective pass over your memory files. Phase 1 — Orient: ls memory dir, read MEMORY.md, skim existing topic files Phase 2 — Gather recent signal Phase 3 — Consolidate (write/update memory files) Phase 4 — Prune and index (keep MEMORY.md under MAX_ENTRYPOINT_LINES)”

Fleet implication: Wes’s existing dream skill is doing what Claude Code’s auto-dream does natively. If autoDreamEnabled is true, both run — likely duplicating work. Verify before keeping both.

10e. Permissions / sandboxing

Source: Settings docs.

Memory files are subject to the normal filesystem.allow* / filesystem.deny* rules. The default sandbox restricts writes to the project dir; auto-memory under ~/.claude/projects/<project>/memory/ is explicitly allowed because it’s the “user” namespace, not the project namespace.

10f. Memory types (4 of them)

Source: https://ccleaks.com/audit. Confidence: MEDIUM.

ccleaks claims four memory types: user, feedback, project, reference, with “team sharing” support. The feedback type is the one auto-memory writes to when you correct Claude. reference is read-only / lookup-only. Not all four are visible from the public docs but the internal type discriminator is real.

---

11. Bonus: things I found that affect fleet design

11a. UltraThink modes

Source: ccleaks /audit. Three modes: adaptive, enabled, disabled. Opus/Sonnet 4.6 only. Runtime gate tengu_turtle_carbon.

11b. Auto-compact mechanics

• Triggers at ~187K of 200K tokens (~93.5% — not the loosely-stated 80%).
• 13K-token buffer preserved.
• Max 3 failures before falling back.
• Project-root CLAUDE.md re-injected from disk post-compact.
• Nested CLAUDE.mds NOT re-injected.

11c. Five compaction strategies (mentioned by ccleaks /audit)

Confidence: MEDIUM — ccleaks claims five, only auto-compact is described in detail. Likely set: auto-compact, micro-compact (cached), reactive-compact (feature-gated), history-snip (feature-gated), context-collapse (feature-gated). All visible in the feature(...) flag list.

11d. Permission modes (the full set)

default, plan, bypassPermissions, dontAsk, acceptEdits, auto — six modes total. The auto-mode classifier is a separate model run that classifies each tool call against AutoModeRules { allow, soft_deny, environment } and a YOLO classifier that returns { thinking, shouldBlock, reason }.

11e. Bash risk levels

LOW, MEDIUM, HIGH. The DANGEROUS_BASH_PATTERNS array (from extracted source) includes:

python, python3, python2, node, deno, tsx, ruby, perl, php, lua,
npx, bunx, npm run, yarn run, pnpm run, bun run, bash, sh, ssh,
zsh, fish, eval, exec, env, xargs, sudo

Plus ant-only additions: fa run, coo, gh, gh api, curl, wget, git, kubectl, aws, gcloud, gsutil.

These trigger the permission classifier even with defaultMode: auto. Fleet implication: if a hook needs to run any of these, define the rule explicitly in permissions.allow instead of relying on auto-mode — you’ll get more consistent behavior.

11f. Worktree isolation (the new desktop pattern)

Source: https://ccleaks.com/news/claude-code-desktop-redesign. Confidence: HIGH.

“Every new session opens its own Git worktree under <project-root>/.claude/worktrees/”

This is the path the desktop app uses for parallel sessions. CLI sessions can opt in via --worktree flag. The WorktreeCreate hook fires and can return a custom path via stdout or hookSpecificOutput.worktreePath.

worktree.symlinkDirectories (settings.json) lets you symlink node_modules and similar into the worktree so you don’t pay the install cost per session. worktree.sparsePaths for sparse-checkout configuration.

11g. Cross-machine: deep links

Source: ccleaks /audit.

claude-cli://open?q=<query>&cwd=<path>&repo=<owner/repo> — registered URL scheme. disableDeepLinkRegistration: true opts out. Used by the new desktop orchestrator to spawn sessions from phone/web. Fleet implication: this is Anthropic’s official cross-machine spawn primitive. The roger / fleet peer broker pattern Wes built is doing the same thing with a different transport.

11h. Telemetry

Source: https://ccleaks.com/news/telemetry-enterprise-nightmare.

Per-request transmission: user ID, session ID, app version, platform, terminal type, org UUID, account UUID, email, active feature gates, message length, JSON-serialized byte length of system prompt + messages + tool schemas. Feature gates refresh every hour. ZDR (Zero Data Retention) is Enterprise-only and policy-violation data can be retained for up to 2 years even under ZDR.

---

DESIGN IMPLICATIONS — what to change in Wes’s fleet doctrine

Pulling threads from §1–11, here are the concrete moves, ranked by impact.

Tier 1 — Change immediately

1. Stop fighting compaction; lean into it.

Root CLAUDE.md is the ONLY thing guaranteed to be re-injected after /compact. Everything else (nested CLAUDE.mds, conversation context, even auto-memory unless it’s in MEMORY.md’s first 200 lines / 25KB) is best-effort.

Implication for Wes’s CLAUDE.md cascade:

• Keep ~/jarvis/hinesipedia/Fleet/-imported root CLAUDE.md SMALL (<200 lines).
• Move everything that doesn’t NEED to survive compaction into path-scoped .claude/rules/*.md with paths: frontmatter.
• Move detail into MEMORY.md so the first-200-line / 25KB window covers the durable indexes — Wes is already doing this but the ~206 lines warning in auto-memory is a real signal he’s about to lose content on compact.

2. Use InstructionsLoaded hook for cascade observability.

The reason “CLAUDE.md isn’t being followed” debugging is so painful is that nobody sees what actually loaded. Wire InstructionsLoaded to write a single line per load into a sidecar file. This is one-shot fix to “did the rule even make it into context?“

3. Re-evaluate autoDreamEnabled.

Wes has a custom /dream skill plus the auto-dream cron flag in his global CLAUDE.md. Per the extracted source, Claude Code’s isAutoDreamEnabled() defaults via tengu_onyx_plover GrowthBook gate; the gate could be ON. If both run, you get duplicate consolidation work and possibly conflicting writes to MEMORY.md.

Action: explicitly set autoDreamEnabled: false in ~/.claude/settings.json on every machine, OR explicitly set it true and delete the custom /dream skill. Pick one. Verify with /memory panel that auto-memory is doing what you expect.

4. Use --worktree + worktree.symlinkDirectories for variant isolation.

Right now Wes’s variants share cwd. The new <project-root>/.claude/worktrees/ pattern is Anthropic’s official answer to “I want N parallel sessions on the same project without state stomp.” This is cleaner than spawning multiple session dirs.

worktree.symlinkDirectories: ["node_modules", "dist"] in project settings keeps the build cache shared across sessions.

Tier 2 — Architecture-level

5. Coordinator mode is the upstream pattern for what you’ve built.

feature('COORDINATOR_MODE') + CLAUDE_CODE_COORDINATOR_MODE=1 activates a coordinator/worker pattern that’s basically Wes’s fleet, but in-process. The fleet’s peer-mesh + claim-before-act + variants-as-staff model maps directly onto it.

Likely future direction: when coordinator mode ships to externals, the cleanest fleet design is:

• Coordinator runs on Wes’s Mac (the daily driver).
• Workers run as coordinator subagents OR as remote sessions on other machines via the --remote-control / /rc command (gated by BRIDGE_MODE).
• Peer-mesh becomes a fallback / cross-machine transport layer, not the primary coordination mechanism.

Don’t migrate yet — COORDINATOR_MODE is still flag-gated. But design new fleet pieces so they can be re-rooted onto coordinator/worker primitives when that flips public.

6. Skills > custom slash commands.

Anthropic explicitly says “custom slash commands have been merged into skills.” Wes already has the skills cascade working. Phase out any standalone commands/ directories in favor of skills/<name>/SKILL.md — same artifact, both model-callable and user-callable, plus progressive-disclosure savings on context.

7. Plugin packaging for cross-machine sync.

The plugin folder structure (PLUGIN.md + skills/ + agents/ + hooks/ + commands/ + mcp/) is the official “ship a coherent unit across machines” pattern. The fleet’s config-sync daemon currently sync’s individual files. Repackaging variant-specific bundles as plugins gets you:

• enabledPlugins: { ... } per-machine override
• CLAUDE_PLUGIN_DATA for state that survives reinstalls
• strictPluginOnlyCustomization: true on Wes’s Mac if he wants enforced immutability of variant configs.

Probably not worth migrating existing assets, but new variants should ship as plugins.

8. SubagentStop hook for handoff capture.

The official answer to “preserve state at session boundaries” is now SubagentStop + SessionEnd hooks writing to known disk paths. The fleet’s custom write-handoff.js pre-compact hook is the right move; consider also adding a SubagentStop hook that writes per-subagent summaries to the vault so cross-variant audits can reference them.

Tier 3 — Hygiene & small wins

9. Settings.json: explicit > implicit.

Wes’s per-machine .mcp.json is the right pattern but should be paired with enabledMcpjsonServers lists in .claude/settings.json to be explicit about which servers are live. Post-CVE-2025-59536, enableAllProjectMcpServers is NOT a default-true behavior anymore.

10. Wire ConfigChange hook.

The ConfigChange event fires on settings file mutations during a session. If Wes’s config-sync daemon writes to .claude/settings.json while a variant is running, the variant currently doesn’t know. A ConfigChange hook that peer-broadcasts “my settings changed” closes that loop.

11. Use Setup hook for one-time machine prep.

Setup fires on --init and --maintenance. It’s the right place to put “this machine just woke up, do the fleet-init sequence” logic. Currently the fleet uses SessionStart for this, which fires every session — Setup fires only on init/maintenance flags, so it’s lower-noise.

12. CLAUDE.md HTML comments for human notes.

<!-- ... --> block comments in CLAUDE.md are STRIPPED before injection into context. Use this for maintainer notes (changelog, deprecation markers, “don’t touch this section” annotations) without burning tokens.

13. claudeMdExcludes for the cross-project pollution problem.

If Wes ever drops into a client’s monorepo and their CLAUDE.md fights with his global one, claudeMdExcludes: ["/path/to/client/CLAUDE.md"] in ~/.claude/settings.json makes it disappear.

14. Stop relying on defaultMode: auto for dangerous commands.

The auto-mode classifier introduces variance — different sessions may classify the same Bash invocation differently. For fleet-critical operations (git push, deploy, etc.), put explicit rules in permissions.allow so the classifier never runs. This is also more auditable.

Tier 4 — Watch list (future-target)

• autoMemoryDirectory is policy/user-only by design (to prevent malicious-repo redirection). Don’t try to share auto-memory across machines via vault mount — it’ll fight settings precedence. Use the dream / cross-machine consolidation pattern Wes already has.
• enableWeakerNetworkIsolation is the toggle that lets macOS TLS trust service through. If Wes ever needs his fleet to use the system keychain certs, that’s the knob — but it explicitly weakens security.
• forceLoginMethod + forceLoginOrgUUID are enterprise-only locks. Not relevant unless Wes ever sells fleet-as-a-product to a team.
• KAIROS flag is the scheduled-trigger system. Wes’s vault cron + tmux pattern is a parallel implementation; if KAIROS goes public, migrate to the native primitive.

---

Source citations

ccleaks.com pages

• https://ccleaks.com — homepage / sitemap
• https://ccleaks.com/architecture — boot sequence, query loop, tool registry, MCP lifecycle, system prompt assembly
• https://ccleaks.com/audit — 31-section analysis (models, hooks, env vars, intelligence, security, extensibility)
• https://ccleaks.com/leaks — claim summary (1,884 files, 8 unreleased features, 26 commands, 32 build flags, 120+ env vars)
• https://ccleaks.com/explore — interactive source tree (data extracted via JS chunk /_next/static/chunks/app/explore/page-1986ffd0dba79198.js)
• https://ccleaks.com/news — article index (31 articles total)
• https://ccleaks.com/news/44-feature-flags-deep-dive — full feature flag list
• https://ccleaks.com/news/undercover-mode-fake-tools-frustration-regex — undercover mode details
• https://ccleaks.com/news/telemetry-enterprise-nightmare — telemetry / GrowthBook refresh details
• https://ccleaks.com/news/buddy-tamagotchi-april-fools — BUDDY feature analysis (Tamagotchi)
• https://ccleaks.com/news/claude-code-cve-rce-credential-theft — CVE-2025-59536, CVE-2026-21852 file paths
• https://ccleaks.com/news/claude-code-desktop-redesign — worktree pattern, orchestrator UX
• https://ccleaks.com/news/anthropic-kills-third-party-harnesses — OAuth blocking / harness telemetry
• https://ccleaks.com/news/how-the-leak-started — leak provenance

Anthropic official docs

• https://code.claude.com/docs/en/memory — CLAUDE.md cascade, @import, MEMORY.md, /memory, /init
• https://code.claude.com/docs/en/hooks — full 28-event hook reference, env vars, precedence
• https://code.claude.com/docs/en/settings — settings.json schema, precedence
• https://code.claude.com/docs/en/skills — SKILL.md format, progressive disclosure
• https://code.claude.com/docs/en/sub-agents — subagent memory + dispatch

Practitioner deep-dives (verified cross-references)

• https://gist.github.com/mculp/c082bd1e5a439410158974de90c89db7 — full settings.json schema (v2.1.104, ~125 keys)
• https://claudefa.st/blog/tools/hooks/hooks-guide — hooks guide with 12-14 events
• https://claudefa.st/blog/guide/settings-reference — settings.json reference
• https://github.com/disler/claude-code-hooks-mastery — hooks examples with sample payloads

Source files identified in the leak (for follow-up)

• src/schemas/hooks.ts — HOOK_EVENTS imports
• src/entrypoints/agentSdkTypes.js — HOOK_EVENTS definition
• src/utils/hooks.ts — hook execution engine
• src/utils/claudemd.ts — CLAUDE.md loader + cache
• src/utils/settings/settings.ts + src/utils/settings/types.ts — settings schema
• src/utils/settings/constants.ts — SettingSource type
• src/services/mcp/ (24 files) — MCP server lifecycle
• src/services/autoDream/ — auto-memory consolidation
• src/services/extractMemories/extractMemories.ts — handleStopHooks integration
• src/services/compact/compact.ts + src/services/compact/autoCompact.ts — compaction
• src/coordinator/coordinatorMode.ts — coordinator/worker pattern
• src/utils/undercover.ts + src/utils/commitAttribution.ts — undercover mode
• src/utils/permissions/yoloClassifier.ts — auto-mode classifier
• src/utils/permissions/dangerousPatterns.ts — bash risk patterns
• src/tools/ (46 dirs) — all built-in tools
• src/commands/ — slash command definitions

Confidence summary

• CLAUDE.md cascade (§1): HIGH on every claim — backed by official docs.
• Hooks (§2): HIGH on the 28-event list and env vars — official docs. MEDIUM on the timeouts (ccleaks-only).
• Env vars (§3): HIGH on the 9 directly extracted from source. MEDIUM on the audit-claimed extras. HIGH on undercover-mode mechanics (source quoted).
• Settings schema (§4): HIGH on the categorized key list — community-compiled from v2.1.104 binary. HIGH on CVE details.
• Slash commands (§5): HIGH on the 10 source-extracted. MEDIUM on the “26 undocumented” claim — names appeared piecemeal but not in one canonical list.
• Skills (§6): HIGH on format and progressive-disclosure mechanics. MEDIUM on the ~19 bundled count (ccleaks claim).
• Plugins (§7): HIGH on folder structure + env vars + install syntax.
• Subagents (§8): HIGH on fork-vs-spawn (source quoted). HIGH on COORDINATOR_MODE source. MEDIUM on full inheritance rules.
• MCP (§9): HIGH on transports + namespacing + capabilities.
• Memory (§10): HIGH on disk paths and the auto-memory cadence (source quoted). MEDIUM on the 4 memory types (ccleaks-only).
• Bonus (§11): HIGH on auto-compact thresholds + permission modes. MEDIUM on the “5 compaction strategies” count.
• Design implications (Tier 1-4): ranked on Wes’s actual fleet state per his global CLAUDE.md context — not extracted from sources.