MCPは誰も語らない最重要AI基盤

The Accidental Open Source: A Deep Dive into the Leaked Claude Code Repository This morning (March 31, 2026), due to an axios hack injection, the complete TypeScript source code for Claude Code was inadvertently exposed. All 512,000 lines. @fried_rice (Chaofan Shou) identified the path, and the codebase was available for download. I spent the day performing a deep-tissue audit of the src/ directory. What I found is a masterclass in Agentic Engineering. I. THE "BRAINS": HOW SYSTEM PROMPTS ARE ASSEMBLED The prompt is built piece-by-piece based on your environment via getSystemPrompt(). It's not just "You are a helpful assistant." It's "You are a senior engineer in a directory with a specific Git history, a specific date, and a specific set of active tools." Prompt Caching: Anthropic uses a section caching registry. By splitting the prompt into cached blocks, they can swap out the "Context" without re-processing the "Rules", saving massive amounts of latency and cost. CLAUDE.md: Treated as a "Memory File." The code specifically looks for these files to inject long-term project instructions directly into the user context. II. THE "HEARTBEAT": THE MAIN AGENT LOOP The while(true) loop at line 307 in query.ts drives the agent. It observes the terminal, orients itself to your files, decides on a tool, and acts — repeating until the task is complete. Multi-Agent Spawning: AgentTool.tsx allows the main Claude instance to spawn "worker" sub-agents (like Explore or Plan) to handle massive codebases in parallel. III. THE "HANDS": A SOPHISTICATED TOOL SYSTEM Concurrent vs. Serial Execution: In toolOrchestration.ts, the code decides whether it can run multiple tools at once or needs to wait. It's essentially a "scheduler" for AI actions. MCP Bridge: Deep integration with the Model Context Protocol. Claude Code can "plug in" to any external data source that speaks MCP. IV. THE "INFINITE HORIZON": CONTEXT & COMPACTION Auto-Compaction: When conversation hits the 13,000-token buffer, the agent triggers a "summarization flow." It stops, writes a summary, clears old messages, and keeps the summary. This maintains "working memory" over hours of coding. Token Estimation: Three-tier estimation system to predict costs before they happen. V. THE "YOLO" CLASSIFIER: AUTONOMOUS PERMISSION ENGINE Two-Stage XML Validation: - Fast-reject stage (64 tokens) to catch obvious violations - "Deep Thinking" stage (4096 tokens) where Sonnet 4.6 analyzes conversation transcript Transcript Sanitization: The classifier only sees tool calls, not conversational text — prevents "prompt injection." Safe List: Read-only ops (ls, grep, glob, LSP lookups), task management (TodoWrite, TaskCreate), and a literal Sleep tool skip the classifier. Circuit Breakers: - 3 consecutive denials → falls back to manual mode - 20 total denials in a session → assumes agent has "gone rogue" Dangerous Rule Stripping: In Auto Mode, the system proactively strips dangerous permissions (iex, invoke-expression, nested shells like wsl or pwsh). VI. THE HIDDEN AUTOFIX-PR ARCHITECTURE Claude Code Remote (CCR): autofix-pr isn't a local tool — it's a Remote Agent Task. It teleports the agent's "consciousness" to an Anthropic-hosted environment. The PR "Observer" Loop: 1. Trigger: Developer points Claude at a PR URL 2. Teleport: Agent moves to CCR session 3. Analyze: Reads PR diff, scans CI failure logs, parses reviewer comments 4. Fix: Runs in high-permission "Auto Mode" 5. Verify: Polls CI/CD pipeline. If tests fail again, loop restarts automatically VII. THE "TELEPORT" PROTOCOL Pre-flight check (validateGitState): Ensures repo is clean, syncs with remote, uses Haiku to auto-name session. The Bridge: 33+ files for controlling local computer from Claude Mobile App. Local machine runs a "Long-Polling" server (POST /v1/environments/{id}/work/poll). Two Transport Generations: - V1 (Hybrid): WebSockets for reading + batched HTTP POST (500 messages) for writing - V2 (SSE): Server-Sent Events with sequence numbers for resilience Remote Permissions: SDKControlRequest sends permission requests through the bridge. Your phone pops up a dialog. "Allow" fires SDKControlResponse back to cloud. CONCLUSION: Anthropic isn't winning because they have the "smartest" model. They are winning because they have built a Distributed Operating System for Intelligence. The era of the "AI Chatbot" is over. We are now in the era of the Autonomous Teammate — a system that thinks while you sleep, fixes your PRs before you wake up, and maintains a "personality" that evolves with you.