Forem: Nikita Savchenko

Claude Code's Source Didn't Leak. It Was Already Public for Years.

Nikita Savchenko — Wed, 01 Apr 2026 22:56:31 +0000

I build a JavaScript obfuscation tool (AfterPack), so when the Claude Code "leak" hit VentureBeat, Fortune, and The Register this week, I did what felt obvious — I analyzed the supposedly leaked code to see what was actually protected.

I wrote a detailed breakdown on the AfterPack blog. Here's the core of it.

What Happened

A source map file — a standard debugging artifact defined in ECMA-426 — was accidentally included in version 2.1.88 of the @anthropic-ai/claude-code package on npm. Security researcher Chaofan Shou spotted it, and within 24 hours a clean-room Rust rewrite hit 110K GitHub stars and a breakdown site (ccleaks.com) cataloged every hidden feature.

This is the second time — a nearly identical source map leak happened in February 2025.

The Code Was Already There

Claude Code ships as a single bundled cli.js on npm — 13MB, 16,824 lines of JavaScript. It's been publicly accessible since launch. You can view it right now at unpkg.com.

I analyzed it. It's minified, not obfuscated. Here's what that means in practice:

Technique	Present?
Variable name mangling	Yes (standard minification)
Whitespace removal	Yes (standard minification)
String encryption/encoding	No
Control flow flattening	No
Dead code injection	No
Self-defending / anti-tamper	No
Property name mangling	No

All 148,000+ string literals sit in plaintext — system prompts, tool descriptions, behavioral instructions.

I Asked Claude to Deobfuscate Itself

This is the part that got me. I pointed Claude — Anthropic's own model — at its own minified cli.js and it just... explained it.

Using AST-based extraction, we parsed the full 13MB file in 1.47 seconds and pulled out 147,992 strings. System prompts, tool descriptions, 837 telemetry events (all prefixed with tengu_ — Claude Code's internal codename), 504 environment variables, a DataDog API key.

Geoffrey Huntley published a full cleanroom transpilation of Claude Code months before this leak using a similar approach — LLMs converting minified JS to readable TypeScript. His deobfuscation repo on GitHub demonstrates the technique.

What Source Maps Actually Added

To be fair, source maps did surface some genuinely sensitive stuff:

Internal code comments and TODOs
The full 1,884-file project tree with original filenames
Feature flags with codenames like tengu_amber_flint and tengu_cobalt_frost
KAIROS — an unreleased autonomous daemon mode
Anti-distillation mechanisms that inject decoy tools to poison training data

That's real exposure. But the actual code logic was already there in cli.js.

This Happens Everywhere

I ran our Security Scanner on GitHub.com and found email addresses and internal URLs in their production JavaScript and source maps. Same with claude.ai. Same class of exposure, zero headlines.

AI Makes This Urgent

The reality is simple: minification was never security. It's a size optimization that bundlers like esbuild, Webpack, and Rollup do by default. Variable renaming slows down human readers but LLMs read minified code like you read formatted code.

System prompts are the new trade secrets. Telemetry names reveal product roadmaps. Environment variables expose what you're not ready to ship. And every JavaScript application — React frontends, Electron apps, Node.js CLIs — ships code that AI can now analyze trivially.

You can check what your site exposes: npx afterpack audit https://your-site.com

Originally published on AfterPack.

How to Software Engineer in the AI Era

Nikita Savchenko — Mon, 30 Mar 2026 15:11:42 +0000

I genuinely believe programming languages are becoming assembler — and I don't mean that metaphorically.

C abstracted assembly. C++ abstracted C. JavaScript abstracted memory management. Each layer let humans think one level higher. The same leap just happened — and the new abstraction layer is English.

The language I work in now is English. Whether the target is TypeScript, Rust, or Python — source code is a lower-level artifact generated from higher-level intent. I write close to 0% of code by hand. I write documentation and sophisticated prompts.

I explored this in depth with a full walkthrough of the AfterPack case study. Here I want to focus on what actually changed in the workflow and what it means for anyone in software — whether you write code, lead teams, or make architecture decisions.

The Mental Model

Every AI tool boils down to one equation:

Input + Context → LLM → Output

The quality of output is directly proportional to the quality of input. I've watched the same LLM give a junior mediocre code and a senior production-ready architecture. The difference was entirely in the context provided. This applies to everyone — whether you're prompting for code, architecture decisions, or product strategy.

The Full Lifecycle Changed

If you're only using AI for code autocomplete, you're at maybe 10%.

Ideation and Research: Pressure-test ideas across multiple models (Claude, Gemini, GPT — trained on different data, different blind spots). Competitive landscape analysis. Demand validation with Google Ads keyword data. What used to take a team weeks now takes hours.

Planning and Architecture: This is where I spend the most time — significantly more than on implementation. Load context into the LLM: existing architecture, constraints, business requirements. Ask for multiple approaches. Have it argue against its own recommendations. Planning mode is king — days in planning, then execution in ~30 minutes. When I come to QA, it mostly just works when planned right.

Design: I skip Figma for many use cases now. Give the LLM your existing UI and design system — 15 minutes later, new pages match your patterns. Pro tip: Gemini Pro creates better initial visuals, but Claude handles long-term code evolution far better.

Implementation: The fastest part of the cycle now. Refactor 100+ files by new design patterns — one-shot in 10 minutes. Previously a week of tedious work.

Testing and QA: AI writes tests, runs them, interprets failures, fixes code. But on real products, you spend most time here — verifying outputs. Taste and judgment are still yours.

Your Brain Goes TikTok

Here's what nobody warned me about. When AI handles implementation this fast, you become the bottleneck. So you try to keep up — I run 3-5 Claude terminals in parallel. One is auditing a codebase, another implementing an API, a third writing product specs. You're constantly jumping between contexts, reviewing outputs, catching mistakes.

It's incredibly brain-intensive. Coding used to be more relaxing — you'd hold one idea for 10-20 minutes, type it out, debug, move on. Now you're a rapid context-switcher. I joke that TikTok was training us for AI-assisted engineering all along.

The Bottleneck Is Human Synchronization

Your role becomes judge, quality controller, architect deciding what to build and why. But the deeper bottleneck isn't you individually — it's human synchronization. Meetings, handoffs, miscommunication, waiting for approvals. When execution takes 30 minutes, spending 3 days aligning on requirements becomes the dominant cost.

Who thrives now:

Solo builders shipping entire products alone
Small teams with clear ownership and less meetings
Senior generalists who can be PM, PO, QA, and engineer all in one

One person carries the work that previously required a team. For larger orgs, you still need role separation — but each person's blast radius is dramatically larger.

The AfterPack Story

What this looks like in practice: I'm building AfterPack — a Rust-based JavaScript obfuscator. I spent three weeks on core architecture without writing a single line of Rust.

Documentation first. 20+ spec files. Different AI agents worked on different parts — no Rust, just careful system design.
JavaScript prototyping. Prototyped obfuscation transforms in JS first. Multiple iterations. Agents tried to break the prototypes and suggested improvements.
Adversarial testing. Claude Code running overnight: "keep iterating until a fresh Claude instance with no context can't deobfuscate the output."

I'm writing production Rust — a language I'd barely touched. My actual language is English. I focus on architecture, data structures, algorithms. The LLM handles the Rust.

The previous generation of JavaScript obfuscators took 2-3 years. I'm shipping something more advanced in a fraction of that time.

Working Effectively with AI

Context is everything. Write documentation before anything else. What you want, why, constraints, what "good" looks like.
Start in planning mode. Multiple approaches. Model argues against itself. Prototype in a simpler language first.
Use multiple models. Claude, Gemini, GPT — different training data, different perspectives. Critical for planning and review.
Own the architecture. AI implements any architecture you describe. Your job is describing the right one — that's the part that won't be automated anytime soon.

Where to Start

New to software: get an AI assistant, describe what you want in plain English. You'll learn from watching it reason.
Not using AI yet: build your next feature entirely AI-assisted. Planning, implementation, testing — all of it.
Already using AI daily: focus on context quality. Better documentation, more planning mode.
Team lead or exec: the biggest productivity gains aren't in individual speed — they're in reducing coordination overhead. Rethink whether every process and meeting is still necessary when execution is this fast.

Originally published on nikitaeverywhere.com

Why You Should Build on Cloudflare by Default

Nikita Savchenko — Mon, 02 Feb 2026 21:27:05 +0000

Hi! I'm Nikita — a product engineer who's worked at Google on Cloud Run, Revolut and runs DataUnlocker, a SaaS that's handled 50M+ daily requests on Cloudflare. This is my first dev.to post, cross-posted from my blog.

For the past five years, Cloudflare has been my default infrastructure choice for nearly everything I build. I might be biased, but I genuinely believe Cloudflare gives you the most flexible, robust, easy-to-build, low-maintenance infrastructure — and most importantly — for FREE, until you finally make it.

When DataUnlocker suddenly had to handle 50 million proxy requests per day after a major customer onboarded, I wasn't scrambling. No emergency scaling. No infrastructure panic. The traffic spiked, and Cloudflare just absorbed it like nothing happened.

If you're still defaulting to AWS, Google Cloud, Vercel, or Azure without considering Cloudflare first — you're missing out. Seriously. The developer experience, the pricing model, and the global architecture are in a different league.

Here are 5 facts about Cloudflare you can't ignore. Even if just two or three resonate with you, that should be enough to give it a serious look.

P.S. Yes, Cloudflare goes down sometimes. You hear about it because half the internet uses them — not because they're unreliable ☝️

1. A Free Tier No One Else Can Offer

Most cloud providers offer free tiers as glorified demos — useful for tutorials, useless for anything long-running for free. Cloudflare is different. You can run a legitimate product on their free tier until you have your first thousand customers.

Here's what you get for $0:

CDN & DDoS Protection — unlimited bandwidth, always free
Workers — 100,000 requests/day
Pages — Unlimited static site traffic (yes, UNLIMITED)
D1 — 5GB storage, 25 million reads/day
R2 — ~10GB storage, zero egress fees
KV — 1GB storage for key-value data
Zero Trust — free, no user limit
Much more in other products, enough to just start shipping.

No credit card required. No surprise bills after a traffic spike — you control how to bill it.

Compare this to AWS, Google Cloud, or Azure, where "free tier" usually means "free until we charge you for data transfer" or "free for 12 months, then a surprise bill."

Fun fact: R2's zero egress pricing alone saves significant money at scale. AWS S3 charges ~$90 per TB of egress. Serve a few terabytes of images per month and you're looking at real money. R2? Still zero.

What About Google Cloud?

Google Cloud's free tier gives you one e2-micro VM, 30GB disk, and a handful of services — restricted to US regions. However the bright spot in GCP is Cloud Run — I worked on its UI at Google — with 180,000 vCPU-seconds, 360,000 GiB-seconds, and 2 million requests/month, FREE. This is the closest to Cloudflare in terms of a generous free tier offering.

But Cloud Run alone doesn't make an architecture. You'll need Cloud SQL, Pub/Sub, Cloud Storage — services with far less generous free tiers. Cloudflare gives you compute, database, storage, queues, and KV all with meaningful free limits.

And the cold start difference matters: Cloud Run containers take 1–3 seconds even with startup boost. Workers start in under 5 milliseconds. For latency-sensitive apps, that's a different world.

Cloudflare Containers: The Cloud Run Competitor

As of 2025, Cloudflare launched Containers in public beta — their direct answer to Cloud Run. You can now run full Docker containers orchestrated by Workers, with any language or runtime.

Instance types range from lite (1/16 vCPU, 256 MiB) to standard-4 (4 vCPU, 12 GiB memory, 20 GB disk). Pricing follows the same philosophy: scale-to-zero with 10ms billing granularity. The $5/month Workers Paid plan includes 25 GiB-hours of memory and 375 vCPU-minutes — enough for light container workloads.

The difference? Your Worker code orchestrates containers programmatically. No YAML manifests, no separate container registry setup. Deploy with wrangler deploy and your containers spin up on-demand, controlled by JavaScript.

2. The Global Compute CDN

When people hear "CDN," they think of cached static files. Cloudflare goes further — your code runs at the edge, in 300+ cities worldwide.

Traditional serverless (Lambda, Cloud Functions, Cloud Run) runs in a region. A user in Singapore hitting your US-East function adds 200–300ms of latency before your code even starts. With Workers, the code executes at the data center closest to the user.

But the real magic is zero cold starts.

Lambda and similar services spin up containers on demand. That first request can take 100–500ms just for the container to wake up. Workers use V8 isolates — the same technology that runs JavaScript in Chrome. An isolate starts in under 5 milliseconds.

The practical result: AfterPack's Pro JavaScript Obfuscation API feels instant regardless of where users are located. No warming strategies. No provisioned concurrency costs. Just fast by default. And this is given AfterPack is a small Rust binary running on Cloudflare Workers.

3. Simplicity That Scales

Here's what deploying a new API looks like:

# From zero to globally deployed in 3 commands
npm create cloudflare@latest my-api
cd my-api
npx wrangler deploy

That's it. Your code is now running in 300+ locations worldwide. No IAM policies. No VPC configuration. No subnet planning. No Kubernetes manifests.

Push to GitHub and it deploys automatically. Need a preview environment? Every PR gets one. Want to roll back? One click.

I've set up Google Cloud & Digital Ocean infrastructure for production systems. I've written configs, fought with IAM permission boundaries, debugged Kubernetes, and spent days on trying to configure or update Cert Manager through its lifecycle. It works, but the complexity tax is real.

Complexity is not a feature — it's a cost. Every hour spent on infrastructure is an hour not spent on the actual product.

Cloudflare's Wrangler CLI and dashboard assume you want to ship software, not become a cloud architect. For most projects, that's exactly right — you can add complexity later on.

4. The Complete Service Ecosystem

What started as a CDN has become a genuine full-stack platform. Here's what's available:

Workers — Serverless Compute

The foundation. Write in JavaScript, TypeScript, Rust, or Python. Workers have a 10MB size limit (paid plan), 30 seconds of standard CPU time, and up to 5 minutes with extended timeouts.

export default {
  async fetch(request: Request, env: Env): Promise<Response> {
    const url = new URL(request.url);

    if (url.pathname === "/api/users") {
      const { results } = await env.DB.prepare(
        "SELECT id, name FROM users LIMIT 10"
      ).all();
      return Response.json(results);
    }

    return new Response("Not found", { status: 404 });
  },
};

D1 — SQLite at the Edge

D1 launched in 2022 and brought something genuinely new: a relational database that runs at the edge. It's SQLite under the hood, replicated globally.

For most applications, D1 is enough. You get familiar SQL, proper transactions, and sub-millisecond reads from the nearest replica.

R2 — S3-Compatible Storage

R2 is S3-compatible with one killer difference: zero egress fees. Store files, serve them globally, pay only for storage and operations.

If you're building anything with significant file serving — image hosting, video delivery, software downloads — the economics are dramatically better than AWS.

KV — Global Key-Value Store

KV is eventually consistent key-value storage. Great for configuration, feature flags, session data, and caching. Reads are fast from anywhere; writes propagate globally within about 60 seconds.

Queues — Async Message Processing

Queues handle background jobs and async processing. Push messages from one Worker, consume them in another.

// Producer: send work to the queue
await env.MY_QUEUE.send({
  userId: 123,
  action: "process_upload",
  fileKey: "uploads/image.png",
});

// Consumer: process messages in batches
export default {
  async queue(batch: MessageBatch<QueueMessage>, env: Env): Promise<void> {
    for (const message of batch.messages) {
      await processJob(message.body, env);
      message.ack();
    }
  },
};

Durable Objects — Stateful Edge Computing

Durable Objects are the advanced tool — stateful actors that live at the edge. Use them for real-time collaboration, game servers, rate limiting, or anything needing consistent state.

5. Cloudflare Catches Up Fast

The AI wave hit, and Cloudflare responded quickly:

Workers AI — Run inference at the edge with popular models
AI Gateway — Route between AI providers with caching and rate limiting
Vectorize — Vector database for embeddings and similarity search
MCP Integration — Model Context Protocol support for AI agents

They ship features within weeks of trends emerging. Not everything lands perfectly, but the velocity is impressive lately.

I've been with Cloudflare since the early days of DataUnlocker around 2020 — and honestly, I wouldn't have written this article a few years ago. Today, unlike before, they have a complete product set that lets you just ship products of any complexity.

Architecture Patterns in Practice

Here's where Cloudflare really shines compared to traditional infrastructure. Let me walk through common patterns and show how much simpler they become.

API Gateway Pattern

In Kubernetes, building an API gateway means: ingress controller, TLS certificates, load balancer configuration, service definitions, deployment manifests, and probably Helm charts to tie it all together. You need to pick a region, think about failover, and hope your YAML indentation is correct.

On Cloudflare? You write a Worker.

User → Worker (auth, routing, validation) → D1 / External API

The flexibility is yours to decide. You can:

Single Worker — If your API is small (fits in 10MB), one Worker handles everything. Deploy with npx wrangler deploy and you're done.
Split by domain — Group related endpoints into separate Workers. Auth in one, billing in another, core API in a third.
1000 endpoints = 1000 Workers — Each API route gets its own Worker. Share common code via packages, deploy independently. Useful for large teams where different groups own different endpoints.

The point is: Cloudflare doesn't tell you how to architect. You're not fighting the platform — you choose the structure that fits your team and codebase.

Static + API Pattern

Pages (Next.js/React/Vue/Svelte) → Worker API → D1 + R2

Pages hosts the frontend with automatic builds from Git. Workers handle the API. D1 for structured data, R2 for files. This covers 90% of web applications.

Next.js deserves special mention — it's the frontend framework for most serious web apps now, and Cloudflare supports it well. App Router, Pages Router, SSG, SSR, ISR, Server Components, Server Actions — all work. I use Next.js with static export on Cloudflare Pages for this very site, and it's seamless. The only limitation is Node.js in Middleware (a Next.js 15.2 feature), which most apps don't need anyway.

Compare to traditional setup: S3 + CloudFront for static files, EC2 or Lambda for API, RDS for database, separate S3 bucket for uploads, IAM roles connecting everything, VPC configuration... and you're still picking a region.

Async Processing Pattern

Every serious backend needs asynchronous processing. User uploads a file — you don't make them wait while you process it. You accept the upload, queue the work, return immediately.

Traditional approach: spin up RabbitMQ or Kafka, write consumer services, handle retries with exponential backoff, manage dead letter queues, monitor broker health. It's a whole subsystem to maintain.

On Cloudflare:

Worker (accepts request) → Queue → Worker (processes) → R2 (stores result)

Queues handle the message delivery. Workers consume messages in batches. Retries and backoff are built in. You define what handles what declaratively in wrangler.toml. That's it.

// Producer: accept upload, queue for processing
export default {
  async fetch(request: Request, env: Env): Promise<Response> {
    const file = await request.blob();
    const fileId = crypto.randomUUID();

    await env.UPLOADS.put(fileId, file);
    await env.PROCESS_QUEUE.send({ fileId, action: "transform" });

    return Response.json({ fileId, status: "processing" });
  },
};

// Consumer: process queued work
export default {
  async queue(batch: MessageBatch<Job>, env: Env): Promise<void> {
    for (const message of batch.messages) {
      const file = await env.UPLOADS.get(message.body.fileId);
      const result = await processFile(file);
      await env.RESULTS.put(message.body.fileId, result);
      message.ack();
    }
  },
};

AI Workflows

Cloudflare jumped on AI infrastructure quickly:

Workers AI — Run inference at the edge. Models run on Cloudflare's GPUs, you just call the API from your Worker.
AI Gateway — Proxy requests to OpenAI, Anthropic, or other providers. Add caching, rate limiting, logging without changing your code.
Vectorize — Vector database for embeddings. Build RAG applications without external vector stores.
MCP Integration — Model Context Protocol support for building AI agents that can use tools.

The pattern for AI apps looks like:

User → Worker (orchestration) → AI Gateway → LLM Provider
                              → Vectorize (embeddings)
                              → D1 (conversation history)

You can build sophisticated AI agents entirely on Cloudflare — isolated, scalable, globally distributed.

Beyond Compute: The Full Stack

Cloudflare quietly became an everything provider:

Domain Registrar — At-cost domain registration (since September 2018). No markup, no upsells.
Email Routing — Route emails to your domain without running mail servers (private beta since September 2025)
DNS — Fastest DNS provider according to independent benchmarks
DDoS Protection — Included by default, no extra configuration
SSL/TLS — Automatic certificates, zero maintenance

One dashboard. One bill. One company to deal with.

I moved all my domains to Cloudflare Registrar lately. Combined with their DNS, every domain I own is managed in one place.

Honest Limitations

Cloudflare isn't the right choice for everything. Be realistic about these gaps:

Long-running compute — Workers cap at 5 minutes (extended). For longer workloads, Containers (beta) now support extended runtimes with up to 4 vCPUs and 12 GiB memory — though for heavy ML training or multi-hour jobs, traditional servers are still the answer.

GPU workloads — No GPU access. Workers AI handles inference, but if you're training models or need raw CUDA, look elsewhere.

Complex relational databases at scale — D1 is excellent for most apps, but if you need advanced PostgreSQL features, complex joins across billions of rows, or specialized extensions, a dedicated database (Supabase, Neon, PlanetScale) might be better.

Enterprise compliance — HIPAA, FedRAMP, SOC2 with specific requirements? AWS and GCP still lead here with more certifications and audit trails.

Vendor lock-in — While Workers use standard JavaScript and D1 uses SQLite, some services (Durable Objects, KV) have Cloudflare-specific APIs. Plan accordingly if portability matters.

Getting Started

If you haven't tried Cloudflare beyond basic CDN:

Sign up — No credit card required
Add a domain — Switch nameservers, or start without a domain
Deploy a Pages site — npm create cloudflare@latest
Create a D1 database — wrangler d1 create my-db
Build something real — Start small, expand as needed

The learning curve is gentle. The documentation is solid. The community is active.

Closing Thoughts

I'm not paid to write this. I genuinely believe Cloudflare should be your default choice for most projects. Not because it's perfect — it isn't — but because the balance of simplicity, capability, and cost is unmatched.

If you're spending more time configuring infrastructure than building features, maybe it's time to try something simpler yet powerful.