Deep Dive: Dual-Defense Architecture - Prompt + Code
Summary
Argues that because LLMs are probabilistic, prompts alone are gambling and code alone wastes the model's flexibility. Maps how Claude Code pairs every soft prompt rule ('use Edit instead of sed', 'NEVER force-push') with an independent deterministic check (sed validators, destructive-git detection, sandbox gates), analyzes the four failure combinations of the two layers, and distills five reusable design principles for any tool-calling agent system.
Key Takeaways
- The prompt layer makes the model want to do the right thing; the code layer makes the wrong thing impossible
- Code checks must not depend on prompt wording - either layer can change independently without breaking the other
- When the layers conflict, code wins: a prompt 'may' is soft, a code return value is hard
- Escalate instead of refusing: allow -> ask (user confirms) -> deny only for clear malice
- The residual risk is novel attacks both layers miss - mitigate with sandboxes and user confirmation as the final gate
Reliability Note
English summary of a contributed deep-dive article (original text in Chinese) analyzing a reverse-engineered Claude Code snapshot. Unofficial - verify against official Anthropic docs and behavior.
Flows informed by this source
5Pair Every Prompt Rule with a Code Backstop
Prompts guide, code enforces: inventory your agent's soft rules, back each critical one with an independent deterministic check, and define the allow/ask/deny escalation.
+1 more steps to Done
Best forproduction-grade builds with strict verification
Build a Command Security Pipeline for Your Agent
Replace scattered if-else safety checks with a layered validator pipeline: single-purpose checks, an allow/ask/deny/passthrough contract, and severity-aware ordering.
+1 more steps to Done
Best forproduction-grade builds with strict verification
Design Layered Tool Prompts with Preference Chains
Structure your tool prompts the way the leading harness does: preference chains up front, usage constraints in the middle, NEVER-guarded safety protocols at the end.
+1 more steps to Done
Best forbuilders who have shipped a basic app before
Design the Permission Approval UX
Design approval prompts users actually read: diffs, risk framing, scoped grants, and pacing that prevents approval fatigue.
+1 more steps to Done
Best forbuilders who have shipped a basic app before
Hook a Permission Layer onto Dangerous Tools
Intercept dangerous tool calls with a hook layer: pattern rules, approval gates, and blocks that the model cannot talk its way past.
+1 more steps to Done
Best forbuilders who have shipped a basic app before