← Bookmarks 📄 Article

cchistory: Tracking Claude Code System Prompt and Tool Changes

A developer reverse-engineers Claude Code by monkeypatching fetch to intercept API calls, creating a tool that tracks system prompt and tool definition changes across versions—revealing how Anthropic tunes Claude's behavior and uses Haiku for background tasks.

· software engineering
Read Original
Claude Codereverse engineeringsystem promptstool definitions
monkeypatchingLLM introspectionAI coding assistantsprompt engineeringHaikucommand injectionNode.js debuggingfetch interception
Listen to Article
0:006:09
Summary used for search

TLDR

• Bypasses Claude's anti-debug protections and monkeypatches fetch to capture full request-response pairs, including system prompts and tool definitions
• Discovers Claude uses Haiku for cheap operations: whimsical loading messages, conversation summaries, terminal titles, and detecting command injection in bash commands
• Tracks specific prompt evolution: Anthropic added emoji restrictions across all tools, switched Grep from grep to ripgrep, removed project file structure from system prompt to reduce context pollution
• Built cchistory tool that diffs system prompts across Claude Code versions by downloading old npm packages and patching out version checks to run them
• Reveals Anthropic's engineering tradeoffs: using one LLM to judge if another LLM's bash commands are malicious, tightening security policies while shortening instructions

In Detail

The author creates a tool called cchistory that tracks how Claude Code's system prompts and tool definitions change across versions. The technical approach is delightfully hacky: instead of using a man-in-the-middle proxy, they directly patch Claude Code's JavaScript binary to monkeypatch fetch, intercepting all API communication with Anthropic's servers. This captures full request-response pairs including system prompts, tool definitions, and message augmentations that Claude Code adds.

The reverse engineering reveals fascinating implementation details. Claude uses Haiku (the cheaper, faster model) for background tasks: generating whimsical loading messages, creating conversation summaries for the resume feature, generating terminal titles based on conversation topics, and—most entertainingly—checking if bash commands contain injection attacks that would let Claude escape its sandbox. The author notes the irony of "letting one LLM judge whether a bash command by another LLM is dangerous."

Tracking prompt changes across versions shows Anthropic's evolving priorities. They've systematically added "no emojis unless explicitly requested" to multiple tools. They switched the Grep tool from using grep to ripgrep and added explicit warnings to "NEVER invoke grep or rg as a Bash command." They removed the entire project file structure from the system prompt to reduce context pollution. Security instructions got tightened and duplicated. The author also shows how to run old Claude Code versions by patching out the version check function, enabling historical analysis of any release since 1.0.0.

Related

📄 Agentic Engineering Patterns: A Practical Guide to Working with AI Coding Agents A field guide for the new reality where writing code is cheap—covering how to ef... 📄 Writing a good CLAUDE.md | HumanLayer Blog Research shows LLMs can only follow ~150-200 instructions reliably, and Claude C... 📄 Writing a good CLAUDE.md | HumanLayer Blog CLAUDE.md is the highest-leverage configuration point in Claude Code, but most d... 📄 Prompt Engineering Best Practices with Claude Anthropic's applied AI team live-codes a production prompt from scratch, transfo... 📄 System Prompts - Anthropic Anthropic publicly documents the exact system prompts powering Claude.ai, reveal...