Back to Vault
Claude Code Internals
Tier 1

Deep Dive: Prompt-Layer Security in BashTool

Read the Article Fetched 2026-07-08 4 related flows

Summary

Dissects how BashTool's prompt forms the first line of defense: a three-layer structure (tool preference chains, usage constraints, git-safety and sandbox protocols) assembled dynamically per environment. Shows how wording strategy works - capitalized NOT, positive alternatives ('use Edit' rather than 'avoid sed'), and 'better user experience' framing instead of 'security' - and how token budget (config dedup, conditional blocks) is treated as a first-class engineering constraint rather than an afterthought.

Key Takeaways

  • Prompts are assembled dynamically: sandbox, git, and background-task blocks are injected only when the environment enables them
  • Preference chains ('Use Edit, NOT sed') give the model a positive alternative instead of a bare prohibition
  • Framing guidance as 'better user experience' avoids the over-conservative behavior that 'security' wording can trigger
  • Seven NEVER rules guard destructive git operations, always paired with an explicit-user-request exception
  • Deduplicating sandbox config in the prompt saves 150-200 tokens per request - token budget is measured, not guessed

Reliability Note

English summary of a contributed deep-dive article (original text in Chinese) analyzing a reverse-engineered Claude Code snapshot. Unofficial - verify against official Anthropic docs and behavior.

Flows informed by this source

4
Flows category icon
Harness Engineering

Design Layered Tool Prompts with Preference Chains

Structure your tool prompts the way the leading harness does: preference chains up front, usage constraints in the middle, NEVER-guarded safety protocols at the end.

01Audit the current tool prompt
02Write the preference chain
03Write usage constraints and safety protocols

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Harness Engineering

Assemble Tool Prompts Dynamically per Environment

Stop shipping one static mega-prompt: generate tool prompts from environment conditions, inject blocks only when features are on, and dedupe config to save tokens.

01Identify conditional blocks
02Build the prompt generator
03Dedupe and budget every block

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps90-120 minutesAdvanced
Flows category icon
Harness Engineering

Pair Every Prompt Rule with a Code Backstop

Prompts guide, code enforces: inventory your agent's soft rules, back each critical one with an independent deterministic check, and define the allow/ask/deny escalation.

01Inventory soft rules and classify enforcement needs
02Implement checks independent of the prompt
03Wire the escalation path

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps120-180 minutesAdvanced
Flows category icon
Agent Architecture

Assemble a System Prompt Like the Pros

Structure your agent's system prompt the way leading harnesses do: layered sections, dynamic context, and enforceable rules.

01Decompose the current prompt
02Build the section-based assembler
03Pair rules with enforcement

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate

Made with Emergent