Deep Dive: Prompt-Layer Security in BashTool
Summary
Dissects how BashTool's prompt forms the first line of defense: a three-layer structure (tool preference chains, usage constraints, git-safety and sandbox protocols) assembled dynamically per environment. Shows how wording strategy works - capitalized NOT, positive alternatives ('use Edit' rather than 'avoid sed'), and 'better user experience' framing instead of 'security' - and how token budget (config dedup, conditional blocks) is treated as a first-class engineering constraint rather than an afterthought.
Key Takeaways
- Prompts are assembled dynamically: sandbox, git, and background-task blocks are injected only when the environment enables them
- Preference chains ('Use Edit, NOT sed') give the model a positive alternative instead of a bare prohibition
- Framing guidance as 'better user experience' avoids the over-conservative behavior that 'security' wording can trigger
- Seven NEVER rules guard destructive git operations, always paired with an explicit-user-request exception
- Deduplicating sandbox config in the prompt saves 150-200 tokens per request - token budget is measured, not guessed
Reliability Note
English summary of a contributed deep-dive article (original text in Chinese) analyzing a reverse-engineered Claude Code snapshot. Unofficial - verify against official Anthropic docs and behavior.
Flows informed by this source
4Design Layered Tool Prompts with Preference Chains
Structure your tool prompts the way the leading harness does: preference chains up front, usage constraints in the middle, NEVER-guarded safety protocols at the end.
+1 more steps to Done
Best forbuilders who have shipped a basic app before
Assemble Tool Prompts Dynamically per Environment
Stop shipping one static mega-prompt: generate tool prompts from environment conditions, inject blocks only when features are on, and dedupe config to save tokens.
+1 more steps to Done
Best forproduction-grade builds with strict verification
Pair Every Prompt Rule with a Code Backstop
Prompts guide, code enforces: inventory your agent's soft rules, back each critical one with an independent deterministic check, and define the allow/ask/deny escalation.
+1 more steps to Done
Best forproduction-grade builds with strict verification
Assemble a System Prompt Like the Pros
Structure your agent's system prompt the way leading harnesses do: layered sections, dynamic context, and enforceable rules.
+1 more steps to Done
Best forbuilders who have shipped a basic app before