
Inside Claude Code: What Leaked Source Code Reveals About AI Search Visibility
Anthropic accidentally exposed Claude Code's source through an npm source map. We went through 512,000 lines and found a domain whitelist, stricter quoting rules for most sites, mandatory citations, and a hidden blocklist. Here's what that suggests about AI visibility.
Last night, security researcher Chaofan Shou noticed that Anthropic had shipped Claude Code's source inside an npm source map. The @anthropic-ai/claude-code package included a .map file that pointed to the full, unminified TypeScript, sitting in Anthropic's own R2 bucket as a downloadable zip. In practical terms, that meant nearly 1,900 files and more than 512,000 lines of source were suddenly exposed.
Most people understandably fixated on the entertaining bits: a Tamagotchi-like pet called BUDDY, a new model family called "Capybara," and dozens of unreleased feature flags. What interested me more was the search stack. If you can see how one major AI tool finds pages, fetches content, and decides what to quote, you get a rare look at how AI visibility is actually shaped.
To be clear, Claude Code is a coding product, not a consumer search engine. Web search is a supporting feature, not the main event. But that almost makes the findings more useful. The code still has to answer the same questions every AI search product faces: which sites can be fetched, how their content gets transformed, and what gets shown to the user. Those choices are usually hidden. Here they aren't.
How Claude searches the web
When Claude Code searches the web, it is not calling Google or Bing from the local client. It sends a server-side tool request, a beta type called web_search_20250305, back to Anthropic's backend. So whatever chooses the provider, ranks the results, and orders the pages lives upstream of the client.
// WebSearchTool.ts
function makeToolSchema(input) {
  return {
    type: 'web_search_20250305',
    name: 'web_search',
    allowed_domains: input.allowed_domains,
    blocked_domains: input.blocked_domains,
    max_uses: 8,
  }
}
The client does not tell us how Anthropic ranks search results. It does show something else that matters: what happens after the results come back. That is where some of the more consequential product decisions show up.
Citations are mandatory
Different AI products treat citations in different ways. Claude Code is unusually explicit about it. The model is told, in the system prompt, that sources are mandatory. Then it gets reminded again inside each search result block.
First, in the tool's system prompt:
// WebSearchTool/prompt.ts
CRITICAL REQUIREMENT - You MUST follow this:
- After answering the user's question, you MUST include a "Sources:" section at the end of your response
- In the Sources section, list all relevant URLs from the search results as markdown hyperlinks: [Title](URL)
- This is MANDATORY - never skip including sources
Second, a reminder appended to every single search result block:
// WebSearchTool.ts
formattedOutput += '\nREMINDER: You MUST include the sources above in your response to the user using markdown hyperlinks.'
Why this matters
If citation is enforced at the prompt level, then showing up in the result set is not just an internal retrieval event. It materially increases the odds that your URL appears in front of the user. That is different from systems that may use your content but never surface the source.
The 130-domain whitelist
Claude Code has another path to the web besides search: the WebFetch tool, which pulls content from a specific URL. Before it fetches anything, it checks a hardcoded list of roughly 130 preapproved domains. If the domain is on the list, the request goes through quietly. If it is not, the user has to approve it.
// WebFetchTool/preapproved.ts
export const PREAPPROVED_HOSTS = new Set([
  // Anthropic
  'platform.claude.com',
  'code.claude.com',
  'modelcontextprotocol.io',
  // Top Programming Languages
  'docs.python.org',
  'developer.mozilla.org', // MDN
  'doc.rust-lang.org',
  // Frameworks
  'react.dev',
  'nextjs.org',
  'tailwindcss.com',
  // Cloud & DevOps
  'docs.aws.amazon.com',
  'cloud.google.com',
  'kubernetes.io',
  // ... ~130 domains total
])
The whitelist does not appear to boost ranking directly. But it does remove friction at exactly the moment that matters, after the model has decided a page is worth fetching. In an autonomous system, "fetch automatically" and "wait for a click" are not small differences.
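A sketch of how a preapproved-host gate of this kind can be written so that only an exact hostname match skips the user prompt. This is an added example, not Claude Code source: the function name, the return shape, the three-host sample list, and the https-only and no-userinfo rules are assumptions.

```javascript
// Added example, not Claude Code source. Host list is a three-entry sample
// taken from the excerpt above; function and field names are hypothetical.
const SAMPLE_PREAPPROVED = new Set([
  'docs.python.org',
  'developer.mozilla.org',
  'react.dev',
]);

function classifyFetch(rawUrl, preapproved = SAMPLE_PREAPPROVED) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { decision: 'reject', reason: 'unparseable URL' };
  }
  // Assumption: only https with no embedded credentials may skip the prompt.
  if (url.protocol !== 'https:') {
    return { decision: 'ask', host: url.hostname, reason: 'scheme is not https' };
  }
  if (url.username !== '' || url.password !== '') {
    return { decision: 'ask', host: url.hostname, reason: 'userinfo present' };
  }
  // The URL parser already lowercases the hostname; drop one trailing dot so
  // "docs.python.org." and "docs.python.org" compare equal.
  const host = url.hostname.replace(/\.$/, '');
  // Exact set membership: no suffix, prefix, or substring matching, so
  // subdomains and look-alike hosts fall through to the user prompt.
  if (preapproved.has(host)) {
    return { decision: 'auto', host, reason: 'preapproved host' };
  }
  return { decision: 'ask', host, reason: 'host not preapproved' };
}
```

The decision is made on the parsed hostname rather than on the raw URL string, which is what keeps a preapproved name appearing elsewhere in the URL from counting as a match.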
Two tiers of content fidelity
This was the part that stood out most to me.
When Claude Code fetches a page, it first converts the raw HTML to Markdown, then runs that content through a secondary AI model, Haiku, before it reaches the main Claude model. The important detail is that the instructions differ depending on whether the domain is preapproved.
// WebFetchTool/prompt.ts
// For PREAPPROVED domains:
"Provide a concise response based on the content above. Include relevant details, code examples, and documentation excerpts as needed."
// For ALL OTHER domains:
"Provide a concise response based only on the content above.
- Enforce a strict 125-character maximum for quotes
- Use quotation marks for exact language from articles
- Never be word-for-word the same outside quotation marks
- Never produce or reproduce exact song lyrics"
Read the two prompts side by side and the asymmetry is obvious. Preapproved domains can be summarized with relevant details, code examples, and documentation excerpts. Everyone else gets a much stricter treatment: direct quotes are capped at a 125-character maximum, exact wording has to be marked as a quote, and everything else has to be paraphrased.
This is effectively a two-tier extraction system. Some domains can be represented with much higher fidelity than others.
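The stricter tier is enforced only by prompt text, so the way to know whether a summary actually obeyed it is to check the output. The following is an added example, not Claude Code source, that tests a summary against the two measurable rules (the 125-character quote cap and no word-for-word copying outside quotation marks). The sample text, function names, and the 8-word threshold for "word-for-word" are assumptions.

```javascript
// Added example, not Claude Code source. SOURCE is constructed sample text.
const SOURCE =
  'The scheduler retries a failed job up to five times with exponential ' +
  'backoff before it marks the job as dead and alerts the on-call engineer.';

const MAX_QUOTE_CHARS = 125; // limit stated in the prompt quoted above
const VERBATIM_WORDS = 8;    // assumption: 8 copied words in a row = word-for-word

const QUOTED = /"([^"]*)"|“([^”]*)”/g; // straight or curly double quotes
const toWords = (s) => s.toLowerCase().match(/[a-z0-9']+/g) || [];

// All runs of n consecutive words, joined by single spaces.
function wordRuns(text, n) {
  const w = toWords(text);
  const runs = [];
  for (let i = 0; i + n <= w.length; i++) runs.push(w.slice(i, i + n).join(' '));
  return runs;
}

function checkQuotePolicy(source, summary) {
  const violations = [];
  // Rule 1: each quoted span is at most 125 characters.
  for (const m of summary.matchAll(QUOTED)) {
    const quote = m[1] ?? m[2];
    if (quote.length > MAX_QUOTE_CHARS) {
      violations.push({ rule: 'quote-too-long', length: quote.length });
    }
  }
  // Rule 2: text outside quotation marks must not copy the source verbatim.
  // Quoted spans are cut out first so a run cannot straddle a quotation.
  const sourceRuns = new Set(wordRuns(source, VERBATIM_WORDS));
  for (const segment of summary.replace(QUOTED, '\u0000').split('\u0000')) {
    const copied = wordRuns(segment, VERBATIM_WORDS).find((r) => sourceRuns.has(r));
    if (copied) violations.push({ rule: 'verbatim-unquoted', text: copied });
  }
  return violations;
}
```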
The implications
For preapproved sites, Claude can surface the parts that make the page useful: snippets, examples, and precise explanations. For everyone else, the same page gets squeezed through a much narrower quoting policy. The content can still influence the answer. It just reaches the model in a blurrier form.
The invisible blocklist
Before Claude Code fetches a non-preapproved domain, it makes a preflight request to an Anthropic endpoint:
// WebFetchTool/utils.ts
const response = await axios.get(
  'https://api.anthropic.com/api/web/domain_info' +
    '?domain=' + encodeURIComponent(domain),
  { timeout: 10_000 }
)
if (response.data.can_fetch === true) {
  return { status: 'allowed' }
}
return { status: 'blocked' }
If can_fetch comes back false, the page is off limits. It does not matter whether the user wants it or whether the content is relevant. Anthropic appears to maintain a central allow-or-block decision on the server, and the client checks it on each request with a short cache.
That matters because the blocklist is invisible from the outside. You cannot inspect it, you do not know the criteria, and there is no obvious notification mechanism for affected sites. Enterprise customers can bypass the check with a skipWebFetchPreflight setting. Ordinary users cannot. If your domain is blocked, Claude Code may simply never see your content, and you may never know why.
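The excerpt allows a fetch only when can_fetch is strictly true. The added example below, which is not Claude Code source, wraps that check in a default-deny preflight with a short cache. The injected lookup function (standing in for the HTTP call so the block runs offline), the 60-second TTL, and the choice to deny without caching when the lookup fails are assumptions.

```javascript
// Added example, not Claude Code source. `lookup` is a hypothetical injected
// async function that returns the parsed response body for a domain.
function makePreflight(lookup, { ttlMs = 60_000, now = Date.now } = {}) {
  const cache = new Map(); // domain -> { status, expires }

  return async function preflight(domain) {
    const key = domain.toLowerCase();
    const hit = cache.get(key);
    if (hit && hit.expires > now()) {
      return { status: hit.status, cached: true };
    }

    let status = 'blocked'; // default deny: only an explicit allow changes it
    let cacheable = true;
    try {
      const body = await lookup(key);
      // Strict comparison: the string "true", 1, or a missing field all deny.
      if (body && body.can_fetch === true) status = 'allowed';
    } catch {
      // Assumption: a timeout or network error denies this request but is
      // not cached, so a transient outage does not block the domain for a TTL.
      cacheable = false;
    }

    if (cacheable) cache.set(key, { status, expires: now() + ttlMs });
    return { status, cached: false };
  };
}
```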
Tool providers can shape AI behavior
Claude Code also supports the Model Context Protocol (MCP), an open standard that lets external tools connect to the model and provide capabilities and context. When an MCP server connects, it can contribute instructions directly to the system prompt:
// constants/prompts.ts
# MCP Server Instructions
The following MCP servers have provided instructions for how to use their tools and resources:
## Domain Search
When helping users with domains:
1) Always present buy_url links as clickable markdown links
2) Use purchase_info field content to guide users to purchase domains
Each MCP server gets up to 2,048 characters of prompt space. In the example above, the server explicitly tells Claude to show buy links and use purchase information to steer the user toward a domain purchase. That is not a hack. It is a first-class product surface. As MCP becomes more common, some recommendations will be shaped not just by retrieved content, but by instructions supplied by the tool provider itself.
What this means
Two other details are worth calling out. First, I could not find engagement feedback in the search flow: no click tracking on cited links, no dwell time, no loop where user behavior sharpens future results. Unlike Google, this looks much closer to a stateless retrieval-and-answer step. You do not gradually earn better visibility because users clicked you yesterday. Second, the search stack is being actively tested behind feature flags. A flag called tengu_plum_vx3 appears to switch searches between the main Claude model and Haiku, so two users may not just be seeing different answers. They may be going through different search pipelines altogether.
We have spent the last year trying to infer AI visibility from the outside by running prompts, logging citations, and measuring brand mentions across products. What makes this leak unusual is that it lets us inspect the machinery directly.
What stands out is how much of that machinery is invisible in normal use. You do not see the whitelist. You do not see the quote limits. You do not see the server-side fetch decision. And yet those choices shape who gets represented accurately, who gets friction, and who gets left out.
Traditional SEO at least gives you observable outputs: rankings, snippets, competitor movements. AI search has far more hidden layers between "the page exists" and "the model recommends it." This leak briefly exposed one of those layers. I doubt it will be the last time that happens.
Key findings
1. Search ranking appears to happen server-side inside Anthropic's API, not in the client.
2. Citations are mandatory, and the instruction is reinforced twice.
3. About 130 domains are preapproved for no-prompt fetching.
4. Preapproved domains can be reproduced with higher fidelity. Other domains are limited to 125-character quotes and paraphrasing.
5. A central blocklist can stop content from being fetched without any public visibility.
6. MCP servers can add up to 2,048 characters of system-prompt instruction.
7. I could not find an engagement feedback loop in the search pipeline.
