Back to Vault
Claude Code Internals
Tier 1

Deep Dive: Dual-Defense Architecture - Prompt + Code

Read the Article Fetched 2026-07-08 5 related flows

Summary

Argues that because LLMs are probabilistic, prompts alone are gambling and code alone wastes the model's flexibility. Maps how Claude Code pairs every soft prompt rule ('use Edit instead of sed', 'NEVER force-push') with an independent deterministic check (sed validators, destructive-git detection, sandbox gates), analyzes the four failure combinations of the two layers, and distills five reusable design principles for any tool-calling agent system.

Key Takeaways

  • The prompt layer makes the model want to do the right thing; the code layer makes the wrong thing impossible
  • Code checks must not depend on prompt wording - either layer can change independently without breaking the other
  • When the layers conflict, code wins: a prompt 'may' is soft, a code return value is hard
  • Escalate instead of refusing: allow -> ask (user confirms) -> deny only for clear malice
  • The residual risk is novel attacks both layers miss - mitigate with sandboxes and user confirmation as the final gate

Reliability Note

English summary of a contributed deep-dive article (original text in Chinese) analyzing a reverse-engineered Claude Code snapshot. Unofficial - verify against official Anthropic docs and behavior.

Flows informed by this source

5
Flows category icon
Harness Engineering

Pair Every Prompt Rule with a Code Backstop

Prompts guide, code enforces: inventory your agent's soft rules, back each critical one with an independent deterministic check, and define the allow/ask/deny escalation.

01Inventory soft rules and classify enforcement needs
02Implement checks independent of the prompt
03Wire the escalation path

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps120-180 minutesAdvanced
Flows category icon
Agent QA & Security

Build a Command Security Pipeline for Your Agent

Replace scattered if-else safety checks with a layered validator pipeline: single-purpose checks, an allow/ask/deny/passthrough contract, and severity-aware ordering.

01Define the contract and pipeline skeleton
02Implement early validators and input hygiene
03Build the main validator chain and hard path constraints

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps120-180 minutesAdvanced
Flows category icon
Harness Engineering

Design Layered Tool Prompts with Preference Chains

Structure your tool prompts the way the leading harness does: preference chains up front, usage constraints in the middle, NEVER-guarded safety protocols at the end.

01Audit the current tool prompt
02Write the preference chain
03Write usage constraints and safety protocols

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Harness Engineering

Design the Permission Approval UX

Design approval prompts users actually read: diffs, risk framing, scoped grants, and pacing that prevents approval fatigue.

01Audit the current approval moments
02Rebuild the prompt content
03Make friction proportional to risk

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Harness Engineering

Hook a Permission Layer onto Dangerous Tools

Intercept dangerous tool calls with a hook layer: pattern rules, approval gates, and blocks that the model cannot talk its way past.

01Define the danger rule set
02Implement the hook point
03Harden the patterns against evasion

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate

Made with Emergent