Skip to content
Flows
Tier 1 · Claude Code internals Claude Code internals · fetched 2026-07-08

Deep Dive: Dual-Defense Architecture - Prompt + Code

Argues that because LLMs are probabilistic, prompts alone are gambling and code alone wastes the model's flexibility. Maps how Claude Code pairs every soft prompt rule ('use Edit instead of sed', 'NEVER force-push') with an independent deterministic check (sed validators, destructive-git detection, sandbox gates), analyzes the four failure combinations of the two layers, and distills five reusable design principles for any tool-calling agent system.

View source on GitHub

Key takeaways

  • 01

    The prompt layer makes the model want to do the right thing; the code layer makes the wrong thing impossible

  • 02

    Code checks must not depend on prompt wording - either layer can change independently without breaking the other

  • 03

    When the layers conflict, code wins: a prompt 'may' is soft, a code return value is hard

  • 04

    Escalate instead of refusing: allow -> ask (user confirms) -> deny only for clear malice

  • 05

    The residual risk is novel attacks both layers miss - mitigate with sandboxes and user confirmation as the final gate

Flows built on this research