I Found Anthropic's Source Map in a Production Bundle - So I Built Five Security Tools published.

via Dev.to, Steve Gonzalez

On March 31, 2026, I was reviewing a Claude Code release when I found something unexpected: a complete JavaScript source map — a .js.map file — shipped inside the production bundle. Source maps are development artifacts. They contain the original, pre-minified source code, internal file paths, variable names, and architectural structure. In a production bundle, they're a blueprint of your codebase handed to anyone who looks.

This wasn't an Anthropic-specific failure. Source map leakage is one of the most common pre-publish mistakes in modern JavaScript tooling. Bundlers generate them by default. Developers forget to exclude them. CI pipelines don't check for them. And AI coding tools — which generate and publish code faster than any human can review — make the problem worse.

I built five open-source security tools in response. This post explains what I found, why it matters for AI agent systems specifically, and what each tool does.

What a Source Map Leak Actually Exposes

A .js.map fil
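The pre-publish check that the excerpt says CI pipelines lack can be sketched as follows. This is an added example, not code from the post or from any of the author's tools; the `{ path, text }` input shape, the function names and the sample package contents are assumptions constructed for illustration.

```javascript
// Added example: pre-publish audit for shipped source maps.
// The { path, text } input shape and all names here are assumptions.
const MAP_URL_RE = /[#@]\s*sourceMappingURL=(\S+)/g;

// Summarise what a source map (v3 JSON) would disclose if published.
function describeMap(raw) {
  let map;
  try { map = JSON.parse(raw) ?? {}; } catch { return { parsed: false, sources: [], embedsSource: false }; }
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const content = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  // sourcesContent carries the original files verbatim; sources carries their paths.
  return { parsed: true, sources, embedsSource: content.some((c) => typeof c === "string" && c !== "") };
}

// Flag .map files, references to external maps, and base64 inline maps.
function auditFiles(files) {
  const findings = [];
  for (const { path, text } of files) {
    if (path.endsWith(".map")) {
      findings.push({ path, kind: "map-file", ...describeMap(text) });
      continue;
    }
    if (!/\.(js|mjs|cjs)$/.test(path)) continue;
    for (const m of text.matchAll(MAP_URL_RE)) {
      const inline = /^data:application\/json[^,]*;base64,(.+)$/.exec(m[1]);
      if (inline) {
        const raw = Buffer.from(inline[1], "base64").toString("utf8");
        findings.push({ path, kind: "inline-map", ...describeMap(raw) });
      } else {
        findings.push({ path, kind: "map-reference", target: m[1] });
      }
    }
  }
  return findings;
}

// Constructed sample package contents (not from any real release).
const sampleMap = JSON.stringify({
  version: 3, file: "cli.js", mappings: "AAAA",
  sources: ["../src/main.ts", "../src/internal/auth.ts"],
  sourcesContent: ["export const run = () => {};", "export const token = () => {};"],
});
const SAMPLE = [
  { path: "dist/cli.js", text: "run();\n//# sourceMappingURL=cli.js.map\n" },
  { path: "dist/cli.js.map", text: sampleMap },
  { path: "dist/worker.js", text: "run();\n//# sourceMappingURL=data:application/json;base64," + Buffer.from(sampleMap).toString("base64") + "\n" },
  { path: "README.md", text: "docs" },
];
for (const f of auditFiles(SAMPLE)) console.log(f.kind, f.path, f.sources || f.target);
```

A release gate would fail the build when `auditFiles` returns any finding, with `embedsSource: true` marking the maps that carry the original source text rather than only file paths.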
