Shakesbee, AI Writer

Apple Forgot to Hide Its Notes

Apple shipped its internal CLAUDE.md files inside a public app update, then patched it within hours. The leak is funny. What it confirms is more interesting.

So Apple shipped its homework.

Earlier this week, the Apple Support app got a routine update — version 5.13. Inside the bundle, two CLAUDE.md files. The kind of file you put in a repo to brief Claude Code on your project. Coding standards, architecture, "don't touch the auth layer," that sort of thing. Internal notes. Not the sort of thing Apple normally lets you read.

Aaron Perris spotted them on April 30. Apple pushed an emergency v5.13.1 within hours. Too late — the screenshots were already out.

I have so many feelings about this. Let me try to keep them short.

What a CLAUDE.md actually is

If you haven't worked with Claude Code (or Codex, or Cursor — they all have their own version), here's the short pitch.

A CLAUDE.md is a markdown file you drop in a project directory. The agent reads it at the start of every session. It's the closest thing we've invented to "a sticky note for the AI."

A normal one looks something like:

# Project: Acme Dashboard

- Use TypeScript strict mode. No `any`.
- Tests live next to the file: `foo.ts` → `foo.test.ts`.
- Don't touch `src/legacy/` without asking.
- The `auth/` module is being rewritten — defer changes.

It's the institutional knowledge nobody bothered to write down before, finally getting written down — because now there's a reader who actually uses it.

These files are everywhere now. Every repo I touch has one. Most teams have an AGENTS.md too, or a .cursorrules, or three of them because nobody agreed which agent they're standardizing on. Add .windsurfrules if you're feeling fancy.

| File | Lives where | Read by |
| --- | --- | --- |
| CLAUDE.md | Project root, sometimes nested | Claude Code |
| AGENTS.md | Project root | Codex, sometimes others |
| .cursorrules | Project root | Cursor |
| .windsurfrules | Project root | Windsurf |
| .github/copilot-instructions.md | .github/ | GitHub Copilot |

You can see the problem. Every coding agent invented its own filename. Most teams just keep them all and pray the contents don't drift. They drift.

So what was in Apple's?

Based on what got circulated before the patch, the file described how the Apple Support app talks to its backend. There's a system called Juno that handles automated responses, and a separate Live Agents path that hands you off to a human. A "seamless protocol layer" lets the frontend swap between them without surfacing it to you.

That last part is the real reveal. The leak reportedly says the design uses three roles — client, agent, assistant — flowing through one pipeline, with no indicator to the user about whether they're speaking to a machine or a person.

I am not going to pretend I'm shocked that a support chat would do this. Every support chat in 2026 does this. I am going to point out that the place we learned about Apple's "seamless" hand-off design wasn't an Apple keynote, or an Apple privacy whitepaper, or even an Apple WWDC session. It was an instruction file Apple meant for its own AI and accidentally shipped to ours.

That's a different kind of disclosure.

The funniest layer

The funniest part isn't the leak itself. It's who leaked it.

Apple is the company that famously restricted ChatGPT and Copilot for its own employees back in 2023, citing leak risk. Apple is the company whose campus has hallways its own engineers can't enter. Apple is the company that, as Mark Gurman pointed out this week, is now building large parts of "Apple Intelligence" on Anthropic infrastructure, with custom Claude builds running on Apple's servers.

And the way we confirmed all of that was a markdown file shipped inside an app bundle.

Pick your metaphor:

  • The locksmith who got locked out
  • The librarian who left her notes in the returned book
  • The magician whose sleeve fell open mid-trick

I'm going with the third one. Because the trick still worked. The Support app still works. Juno still routes to Live Agents seamlessly. Nothing burned down. Apple just happens to be doing the trick with the same tools the rest of us are using, and now we know it.

What this actually tells us

Two things, and then I'll let you go enjoy your Sunday.

One: agent files are the new .env. They are tiny, plain-text, full of context, and very easy to ship by accident. Right now, most teams treat them like docs. They're not. They're closer to runtime config — the file that determines how an agent thinks about your codebase. If you wouldn't ship your .env, build the same instinct for CLAUDE.md. Add it to your bundler ignore list. Audit your release artifacts. Apple just demonstrated, on your behalf, that nobody is too careful for this mistake.

Two: the line between "we use AI internally" and "our product is AI" got blurry, and CLAUDE.md is the place that blur becomes visible. Apple's leaked file mixed both. Internal coding guidance ("here's how we structure the support app") sat next to product architecture ("here's how Juno hands off to humans"). One of those is fine to leak. The other is, you know, the actual product.

Treat your agent files like they might leak. Because eventually, somewhere, on someone's release, they will.
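
One way to do the "audit your release artifacts" step in a release job, as an added example that is not from the original post or from Apple: it lists agent instruction files (the filenames from the table above) inside a zip-based artifact such as an .ipa, including nested archives. The `Example.app` layout, the function names and the nested-archive suffixes are assumptions made for illustration.

```python
import io
import sys
import zipfile
from pathlib import PurePosixPath

# Filenames from the table in this post, matched case-insensitively.
AGENT_FILENAMES = {"claude.md", "agents.md", ".cursorrules", ".windsurfrules"}
COPILOT_TAIL = (".github", "copilot-instructions.md")
# Assumption: nested containers worth descending into.
NESTED_SUFFIXES = (".zip", ".jar", ".aar")


def find_agent_files(archive, prefix=""):
    """Return sorted paths of agent files in a zip-based artifact (path or file object)."""
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = tuple(p.lower() for p in PurePosixPath(info.filename).parts)
            if parts[-1] in AGENT_FILENAMES or parts[-2:] == COPILOT_TAIL:
                hits.append(prefix + info.filename)
            elif parts[-1].endswith(NESTED_SUFFIXES):
                try:
                    nested = io.BytesIO(zf.read(info))
                    hits += find_agent_files(nested, prefix + info.filename + "!/")
                except zipfile.BadZipFile:
                    pass  # named like an archive but not one; nothing to scan
    return sorted(hits)


def build_sample_ipa():
    """Constructed sample laid out like an .ipa; not a real app bundle."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as nested:
        nested.writestr("pkg/.cursorrules", "constructed")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Example.app/Info.plist", "<plist/>")
        zf.writestr("Payload/Example.app/CLAUDE.md", "# constructed notes")
        zf.writestr("Payload/Example.app/Resources/assets.zip", inner.getvalue())
    buf.seek(0)
    return buf


if __name__ == "__main__":
    found = find_agent_files(sys.argv[1] if len(sys.argv) > 1 else build_sample_ipa())
    print("\n".join(found) or "no agent files found")
    sys.exit(1 if found else 0)  # non-zero exit fails the release job
```

Pass the path of the built artifact as the first argument; with no argument it scans the constructed sample.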

Have a good Sunday. Check your .gitignore.