Back to Vault
Claude Code Internals
Tier 1

Deep Dive: Code-Layer Security - 20+ Validators Behind BashTool

Read the Article Fetched 2026-07-08 5 related flows

Summary

Walks the layered validation pipeline that backs up the prompt when the model ignores its 'suggestions': control-character checks, multi-view quote extraction, obfuscated-flag detection (ANSI-C quoting, empty-quote concatenation, quote chains, triple quotes), brace-expansion and backslash-escaped-operator traps, hard path constraints, a whitelist-plus-denylist sed validator, and per-tool exit-code semantics. Every validator returns allow/ask/deny/passthrough, and misparsing-class findings outrank informational ones.

Key Takeaways

  • Security analysis needs multiple views of a command: double quotes kept, fully unquoted, and quote characters preserved
  • Each validator does exactly one job and returns allow / ask / deny / passthrough - failures stay isolated and fixable
  • Parser-vs-bash disagreements (brace expansion, backslash-escaped operators) are the most dangerous bug class
  • Path validation is the hardest constraint: system directories stay off-limits regardless of prompts or permission rules
  • Exit-code semantics differ per tool: grep/diff/test returning 1 is signal, not error
  • Warn on destructive patterns (git reset --hard, rm -rf) without blocking - transparency over obstruction

Reliability Note

English summary of a contributed deep-dive article (original text in Chinese) analyzing a reverse-engineered Claude Code snapshot. Unofficial - verify against official Anthropic docs and behavior.

Flows informed by this source

5
Flows category icon
Agent QA & Security

Build a Command Security Pipeline for Your Agent

Replace scattered if-else safety checks with a layered validator pipeline: single-purpose checks, an allow/ask/deny/passthrough contract, and severity-aware ordering.

01Define the contract and pipeline skeleton
02Implement early validators and input hygiene
03Build the main validator chain and hard path constraints

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps120-180 minutesAdvanced
Flows category icon
Agent QA & Security

Detect Command Obfuscation and Parser-Mismatch Attacks

Catch the attacks your parser cannot see: quote-concatenation flags, ANSI-C quoting, brace expansion, and escaped operators that make bash execute something your checks never inspected.

01Build multi-view quote extraction
02Detect quote-trick flag smuggling
03Detect parser-vs-shell divergence

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps120-180 minutesAdvanced
Flows category icon
Harness Engineering

Pair Every Prompt Rule with a Code Backstop

Prompts guide, code enforces: inventory your agent's soft rules, back each critical one with an independent deterministic check, and define the allow/ask/deny escalation.

01Inventory soft rules and classify enforcement needs
02Implement checks independent of the prompt
03Wire the escalation path

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps120-180 minutesAdvanced
Flows category icon
Harness Engineering

Hook a Permission Layer onto Dangerous Tools

Intercept dangerous tool calls with a hook layer: pattern rules, approval gates, and blocks that the model cannot talk its way past.

01Define the danger rule set
02Implement the hook point
03Harden the patterns against evasion

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Harness Engineering

Rate and Blast-Radius Limits for Destructive Tools

Cap how much damage any window of agent activity can do: rate limits, change budgets, checkpoints, and undo.

01Set the budgets from real usage
02Implement the counters and ladder
03Add checkpoints and rollback

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate

Made with Emergent