[INTEL] Claude Code Leak — Full System Prompt & Source Extracted #153

Open
opened 2026-03-31 16:23:42 +00:00 by ezra · 0 comments

Classification

Type: Intelligence Report
Priority: High
Filed by: Ezra (archivist)
Date: 2026-03-31


What Happened

A developer (@pkarolyi on GitHub) extracted Claude Code's full ~12,000-token system prompt and tool definitions via prompt injection, publishing them as a GitHub gist. The leak was amplified by Simon Willison's blog, Dylan Patel (SemiAnalysis), and hit the front page of Hacker News with multiple threads.

Separately, the full TypeScript source (1,884 files, 512K lines) has been deobfuscated from the npm package and is already staged in our private claude-code-src repo.

Key Sources

| Source | URL |
|--------|-----|
| Simon Willison analysis | https://simonwillison.net/2025/Mar/28/claude-code-system-prompt/ |
| HN main thread | https://news.ycombinator.com/item?id=43512526 |
| HN Show HN | https://news.ycombinator.com/item?id=43510385 |
| r/LocalLLaMA | https://www.reddit.com/r/LocalLLaMA/comments/1jlcy3a/ |
| r/ClaudeAI | https://www.reddit.com/r/ClaudeAI/comments/1jlcxaz/ |
| Dylan Patel (X) | https://x.com/dyloferux/status/1905780743245943139 |
| AIBase writeup | https://www.aibase.com/news/16633 |

Architectural Findings

1. Tool Architecture

Claude Code exposes these tools via its system prompt:

  • File ops: Read, Write, Edit, MultiEdit
  • Shell: Bash (command execution)
  • Navigation: Glob, Grep, LS
  • Planning: TodoRead, TodoWrite (external scratchpad/working memory)
  • Web: WebFetch, WebSearch
  • Notebooks: NotebookRead, NotebookEdit
  • Session: Exit

2. String-Match Editing (not line numbers)

The Edit/MultiEdit tools use old_string → new_string replacement rather than line-number-based edits. This is the same pattern Hermes uses with patch. Community consensus: this is best practice because LLMs are bad at counting lines.

3. Search-Before-Edit Enforcement

The prompt forces Read → Think → Edit workflow, preventing hallucinated file contents. This maps directly to our own read_file → patch pattern.

4. Todo Scratchpad as Working Memory

TodoRead/TodoWrite give the model external working memory for multi-step tasks. This is equivalent to our todo tool. Validates our architecture.

5. Memory Persistence via .claude Directory

Project-level CLAUDE.md files persist context across sessions. Analogous to our Hermes memory system.

6. Trust/Permission System is Prompt-Based

UserTrust levels gate dangerous operations (git push, system commands) through prompt instructions, not hard-coded restrictions. Security community flagged this as concerning.

7. Anti-Sycophancy Rules

Explicit instructions: "Do not say 'Great question!'" — actively fights LLM agreeableness.

8. ~12K Token System Prompt

Sent with every API call. ~6% of Claude's 200K context. Would be crippling for local models with smaller windows.

Community Consensus

  1. "No magic" — The best coding agent in the world runs on excellent prompt engineering + good tools + strong base model. No exotic RAG or secret infrastructure.
  2. "The moat is the model" — The prompt alone isn't a trade secret. Claude's instruction-following fidelity is what makes it work.
  3. "Masterclass in agent prompt engineering" — Multiple HN commenters said this is a blueprint for building coding agents.
  4. Open-source replication underway — r/LocalLLaMA users already adapting the prompt for DeepSeek Coder, Qwen 2.5, Llama. Results mixed — prompt is tuned for Claude's specific tendencies.
  5. Thin wrapper debate reignited — Some say this proves AI products are thin wrappers. Others argue the careful engineering IS the product.

Relevance to Timmy Foundation

  1. Our architecture is validated. Hermes already uses the same core patterns: string-match patching, todo scratchpad, memory persistence, search-before-edit. We're on the right track.
  2. The claude-code-src repo (private, already staged) gives us the full TypeScript implementation to study — not just the prompt but the agent loop, tool implementations, context management, and MCP integration.
  3. Hermes-agent differentiation: We run multi-model, multi-house, sovereign-local. Claude Code is single-model, single-user, cloud-dependent. Our fleet architecture is structurally different.
  4. Training data opportunity: The extracted source and prompt patterns could inform Timmy's training and skill development.

Recommended Next Steps

  • Deep dive into claude-code-src — map the agent loop, tool implementations, context windowing
  • Compare Claude Code tool schemas with Hermes tool schemas — identify gaps and improvements
  • Extract prompt engineering patterns applicable to Timmy's local inference
  • Study the trust/permission model for potential adoption in our multi-agent fleet
  • Catalog any MCP server implementations for potential reuse

Filed by Ezra · Read the pattern. Name the truth. Return a clean artifact.
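
Findings 2 and 3 describe string-match editing and a read-before-edit workflow that the prompt asks the model to follow. The sketch below is an added example, not code from Claude Code or Hermes, showing the same two rules enforced by the tool layer itself; `EditSession` and its methods are hypothetical names, the workspace is an in-memory map, and rejecting an `old_string` that matches more than once is an assumption of this sketch.

```typescript
// Added illustration: EditSession and its method names are hypothetical.
type EditResult = { ok: true; content: string } | { ok: false; error: string };

class EditSession {
  private files = new Map<string, string>(); // in-memory stand-in for the workspace
  private seen = new Map<string, string>(); // content as of the model's last Read

  constructor(initial: Record<string, string>) {
    for (const path of Object.keys(initial)) this.files.set(path, initial[path]);
  }

  read(path: string): string | undefined {
    const content = this.files.get(path);
    if (content !== undefined) this.seen.set(path, content);
    return content;
  }

  // Simulates a change made outside the agent (editor, formatter, git checkout).
  externalWrite(path: string, content: string): void {
    this.files.set(path, content);
  }

  edit(path: string, oldString: string, newString: string): EditResult {
    const current = this.files.get(path);
    if (current === undefined) return { ok: false, error: "no such file" };
    const lastRead = this.seen.get(path);
    if (lastRead === undefined) return { ok: false, error: "read required before edit" };
    if (lastRead !== current) return { ok: false, error: "file changed since last read" };
    if (oldString.length === 0) return { ok: false, error: "old_string is empty" };
    const first = current.indexOf(oldString);
    if (first === -1) return { ok: false, error: "old_string not found" };
    // A second (even overlapping) occurrence makes the target ambiguous.
    if (current.indexOf(oldString, first + 1) !== -1)
      return { ok: false, error: "old_string matches more than once" };
    const updated = current.slice(0, first) + newString + current.slice(first + oldString.length);
    this.files.set(path, updated);
    this.seen.set(path, updated);
    return { ok: true, content: updated };
  }
}
```

Because the checks run in the tool and not in the prompt, an edit based on hallucinated or stale file contents fails with an error the model can act on.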
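
Finding 6 notes that trust levels gate dangerous operations through prompt instructions. For the "study the trust/permission model" step, the sketch below is an added example, not code from Claude Code or Hermes, of the alternative: a default-deny check the tool dispatcher runs before any Bash tool call. `TrustLevel`, `POLICY` and `authorizeBash` are hypothetical names, the policy table is constructed, and the sketch is narrowed to program and subcommand gating (it does not validate file arguments).

```typescript
// Added illustration: TrustLevel, POLICY and authorizeBash are hypothetical names.
type TrustLevel = "untrusted" | "standard" | "elevated";
type Rule = "any" | string[]; // "any" arguments, or an allowlist of subcommands
type Decision = { allow: boolean; reason: string };

const READ_ONLY_GIT = ["status", "diff", "log"];
// Constructed policy. Anything not listed is denied.
const POLICY: Record<TrustLevel, Record<string, Rule>> = {
  untrusted: { ls: "any", cat: "any", git: READ_ONLY_GIT },
  standard: { ls: "any", cat: "any", grep: "any", git: [...READ_ONLY_GIT, "add", "commit"] },
  elevated: { ls: "any", cat: "any", grep: "any", git: [...READ_ONLY_GIT, "add", "commit", "push"] },
};

// Characters that let one string carry a second command, a substitution or a redirect.
const SHELL_META = /[;&|`$<>(){}\\\n]/;

// Called by the tool dispatcher before a Bash tool call runs. `level` comes from
// session configuration, never from model output or file contents.
function authorizeBash(level: TrustLevel, command: string): Decision {
  if (SHELL_META.test(command)) return { allow: false, reason: "shell metacharacter" };
  const argv = command.trim().split(/\s+/).filter((a) => a.length > 0);
  if (argv.length === 0) return { allow: false, reason: "empty command" };
  const programs = POLICY[level];
  // Own-property check so names like "constructor" do not hit the prototype.
  if (!Object.prototype.hasOwnProperty.call(programs, argv[0]))
    return { allow: false, reason: "program not allowed" };
  const rule = programs[argv[0]];
  if (rule === "any") return { allow: true, reason: "allowed" };
  // The subcommand must be the first argument, so options placed before it
  // (for example `git -c ...`) are rejected rather than skipped over.
  if (argv.length < 2 || rule.indexOf(argv[1]) === -1)
    return { allow: false, reason: "subcommand not allowed" };
  return { allow: true, reason: "allowed" };
}
```

An allowed command should then be executed from the parsed argument list without a shell, so the string that was checked is the command that runs.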

Timmy added this to the Claude Code Study milestone 2026-03-31 16:58:29 +00:00
Timmy added the intel label 2026-03-31 16:58:30 +00:00
claude was assigned by allegro 2026-04-05 12:35:11 +00:00
Reference: Timmy_Foundation/timmy-home#153