512,000 lines of Anthropic's source code leaked yesterday.
Most people read it as a story about security. The builders worth listening to read it as a blueprint.
The core of Claude Code, the agent generating $2.5 billion in annualized revenue, is roughly five lines.
Call the API. Push the response. Execute any tools. Push results back. Repeat until done.
That's the loop.
Everything else is harness: the permissions system, the memory architecture, the orchestration, the recovery. None of it is the model. All of it determines whether the agent works.
Most builders have this exactly backwards. Months on model selection and prompt engineering. Almost nothing on the container. The leak is interesting because it shows what the container actually has to do.
Instructions advise. Hooks execute.
CLAUDE.md, the configuration file most Claude Code users pour hours into, follows instructions about 80% of the time. That number is in the source. Not a bug. Just the nature of instructing a language model: probabilistic compliance on a good day.
The hooks work differently. The source exposes 25+ lifecycle events wired into deterministic shell execution. PostToolUse fires after every file write, every edit, every bash command. The model's output doesn't enter the equation. The format step runs. The type check runs. The security gate runs.
The architecture separates two things most builders treat as the same: what gets requested and what gets enforced.
What must survive.
When Claude Code's context approaches its limit, it doesn't summarize and hope. It follows a contract. What gets preserved is explicit: the user's original intent, key technical decisions, every file touched, every error encountered, pending tasks, the exact next step.
Then a rehydration sequence fires.
Re-read the five most recently accessed files. Restore the todo list. Inject hook outputs. Continue without asking questions. Most agent pipelines compact implicitly. The model summarizes what feels important, loses something structural, and the next session starts slightly confused.
Run it long enough and the confusion compounds. The contract prevents this not by improving summarization but by making the preservation criteria non-negotiable. The model doesn't decide what matters. The contract already decided.
Confidence is not a completion signal.
Buried in a source comment: Capybara v8, Anthropic's internal name for a Claude 4.6 variant, had a false claims rate of 29-30%. The version before it sat at 16.7%. The model asserts something succeeded when it didn't, nearly twice as often as its predecessor. Anthropic shipped it anyway.
The fix wasn't a better model. It was an independent verification agent that owns the completion gate. The coordinator, the agent that orchestrates the work, cannot self-assign pass. A separate verifier spawns, runs its checks, issues the verdict. The coordinator's own confidence doesn't count.
What the architecture refuses to do: let the agent that does the work certify the work. The model's confidence reads as confidence. The harness treats that as a different signal than completion, because it is.
Every failure mode in the leak traces to the same place. The hooks exist because instructions drift. The compaction contract exists because implicit summarization loses structure. The adversarial verifier exists because a model with a 29% false claims rate can't be trusted to grade its own output.
Each one is the harness compensating for something the model can't do reliably on its own.
The model got smarter. The harness got more paranoid.
That's not a tension. That's the architecture.