The Claude Code source map leak happened because of environment drift - a build tool behaved differently than expected, and nobody caught it. Bivvy makes that kind of drift visible before it ships.
A runtime update introduced a bug that generated source maps even when told not to. Bivvy locks tool versions in bivvy.yaml - the whole team builds with the same binary, every time.
No one checked the /dist folder for .map files before publishing. Bivvy's built-in audit templates catch source maps, secrets, and debug symbols as a post-build step - no extra tooling required.
Leaks happen when someone runs a manual build because CI was "acting up." Bivvy makes local setup fast and correct, so there's no reason to bypass the pipeline.
| Risk | With Bivvy | Without Bivvy |
|---|---|---|
| Build tool version | Pinned in bivvy.yaml, enforced on every machine | Whatever's installed locally |
| Pre-publish checks | Built-in audit templates catch source maps, secrets, debug symbols | Hoped-for, not guaranteed |
| Local vs. CI parity | Same config runs everywhere - --non-interactive for CI | Different tools, different versions, different flags |
| Ad-hoc deploys | Local env is fast and correct - no reason to skip the pipeline | Tempting when CI is slow or broken |
| Environment visibility | bivvy status shows every tool's state at a glance | No way to see what's actually installed |
| Onboarding a new machine | bivvy run - done | Follow the README, hope it's current |
The Claude Code leak was triggered by a bug in a specific version of the Bun runtime that generated source maps even when the config said not to. Somewhere between "it worked last week" and "ship it," the runtime changed.
Bivvy pins your tools to exact versions. If the declared version doesn't match what's installed, the step fails before any code gets built. No surprises, no "bleeding edge" regressions shipping to production.
```yaml
steps:
  bun:
    command: "mise install bun@1.1.38"
    check:
      type: execution
      command: "bun --version | grep -q '1.1.38'"
  build:
    command: "bun run build"
    depends_on: [bun]
    check:
      type: change
      target: "src/**/*"
      kind: glob
```
The missing safety gate was simple: nobody verified that the /dist folder was clean before npm publish ran. A file-check step would have caught the .map files in seconds.
Bivvy ships with built-in audit templates for every major ecosystem - Node, Rust, Python, Go, Java, .NET, Docker, Ruby, PHP, Elixir, and Swift. Add one as a post-build step with depends_on, and it runs automatically as a safety gate. No extra tooling to install, no scripts to maintain.
```yaml
steps:
  deps:
    template: npm-install
  build:
    template: vite-build
    depends_on: [deps]
  audit:
    template: node-artifact-audit
    depends_on: [build]
    inputs:
      dist_dir: dist
      # Catches source maps, .env files,
      # secrets in JS, node_modules in dist,
      # and TypeScript source leaks.
```
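To make concrete what the version check above and the artifact audit step actually have to do, here is an added example written for this page; it is not Bivvy's code and not the `node-artifact-audit` template. It is plain POSIX sh: `check_pinned_version` compares a tool's reported version with the pinned one, and `audit_dist` walks a build output directory for the classes of leak the template comment lists (source maps, `sourceMappingURL` references, dotenv files, a copied `node_modules`, TypeScript sources, and a deliberately conservative secret pattern). The function names, the secret regex and the sample files built by `make_sample_dist` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Bivvy's own code: a pre-publish gate that does, in plain
# POSIX sh, what the "check" and "audit" steps above describe. Function names,
# the secret pattern and the sample files are constructed for illustration.

# Exact comparison of a tool's reported version against the pinned one.
# Usage: check_pinned_version "$(bun --version)" 1.1.38
# A substring test such as `grep -q '1.1.38'` would also accept 1.1.380;
# string equality does not.
check_pinned_version() {
  actual="$1"
  pinned="$2"
  if [ "$actual" = "$pinned" ]; then
    return 0
  fi
  echo "version drift: pinned $pinned, found ${actual:-nothing}" >&2
  return 1
}

# Scan a build output directory for artifacts that must not be published.
# Prints one labelled line per finding and returns 0 only when nothing was found.
audit_dist() {
  dir="$1"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  tmp=$(mktemp)
  # 1. Source map files, the artifact behind the leak described in the text.
  find "$dir" -type f -name '*.map' | sed 's/^/source map: /' >> "$tmp"
  # 2. Bundles that still point at a map (inline data: URL or external file).
  find "$dir" -type f \( -name '*.js' -o -name '*.mjs' -o -name '*.css' \) \
    -exec grep -l 'sourceMappingURL=' {} + | sed 's/^/sourceMappingURL reference: /' >> "$tmp"
  # 3. Dotenv files, which routinely hold credentials.
  find "$dir" -type f \( -name '.env' -o -name '.env.*' \) | sed 's/^/dotenv file: /' >> "$tmp"
  # 4. A node_modules tree copied into the output.
  find "$dir" -type d -name node_modules | sed 's/^/node_modules in dist: /' >> "$tmp"
  # 5. TypeScript sources; .d.ts declaration files are fine to ship.
  find "$dir" -type f \( -name '*.ts' -o -name '*.tsx' \) ! -name '*.d.ts' \
    | sed 's/^/TypeScript source: /' >> "$tmp"
  # 6. A deliberately conservative secret pattern (constructed): a key-like
  #    identifier assigned a long literal. Tune it to the stack you ship.
  pat="(api[_-]?key|secret|token)['\"]?[[:space:]]*[:=][[:space:]]*['\"][A-Za-z0-9_-]{20,}"
  find "$dir" -type f \( -name '*.js' -o -name '*.mjs' \) \
    -exec grep -liE "$pat" {} + | sed 's/^/possible secret: /' >> "$tmp"
  count=$(wc -l < "$tmp" | tr -d ' ')
  cat "$tmp"
  rm -f "$tmp"
  [ "$count" -eq 0 ]
}

# Constructed sample output directory that reproduces each class of finding once.
make_sample_dist() {
  d="$1"
  mkdir -p "$d/assets" "$d/node_modules/left-pad"
  printf 'console.log("hi");\n//# sourceMappingURL=app.js.map\n' > "$d/assets/app.js"
  printf '{"version":3,"sources":["../src/app.ts"]}\n' > "$d/assets/app.js.map"
  printf 'DATABASE_URL=postgres://user:pass@db/app\n' > "$d/.env"
  printf 'export const x = 1;\n' > "$d/app.ts"
  printf 'export declare const x: number;\n' > "$d/app.d.ts"
  printf 'const apiKey = "EXAMPLEKEY_0123456789abcdefghijklmnop";\n' > "$d/assets/config.js"
  printf 'module.exports = function () {};\n' > "$d/node_modules/left-pad/index.js"
}

# In a pipeline step, after the build and before publish:  audit_dist dist || exit 1
```

Run against the constructed directory, `audit_dist` reports six findings and returns 1, so a step wired with `depends_on: [build]` fails before `npm publish` runs; against a directory holding only a plain bundle it prints nothing and returns 0. Note that the config above verifies the runtime with `grep -q '1.1.38'`, which is a substring match; `check_pinned_version` uses string equality so that a future 1.1.380 cannot slip past the pin.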
Leaks don't usually happen because someone did something malicious. They happen because someone's local environment drifted from what CI expected, or because CI was down and someone ran a manual build "just this once."
Bivvy makes the right path the easy path. When setup is fast, reliable, and identical everywhere, there's no friction that tempts someone to bypass the pipeline. Your laptop becomes just as controlled as the build server - same tools, same versions, same checks.
```
❯ bivvy status
[✓] bun v1.1.38 pinned
[✓] deps up to date
[✓] build clean
[✓] audit passed - no leaks detected

Environment matches declared state. Ready to ship.
```
If your environment isn't declared in code, you're just vibing with your infrastructure. Bivvy moves setup out of the realm of vibes and into reproducible engineering.