Skip to content
Flows
Tier 1 · Claude Code internals Claude Code internals · fetched 2026-07-08

Deep Dive: Prompt-Layer Security in BashTool

Dissects how BashTool's prompt forms the first line of defense: a three-layer structure (tool preference chains, usage constraints, git-safety and sandbox protocols) assembled dynamically per environment. Shows how wording strategy works - capitalized NOT, positive alternatives ('use Edit' rather than 'avoid sed'), and 'better user experience' framing instead of 'security' - and how token budget (config dedup, conditional blocks) is treated as a first-class engineering constraint rather than an afterthought.

View source on GitHub

Key takeaways

  • 01

    Prompts are assembled dynamically: sandbox, git, and background-task blocks are injected only when the environment enables them

  • 02

    Preference chains ('Use Edit, NOT sed') give the model a positive alternative instead of a bare prohibition

  • 03

    Framing guidance as 'better user experience' avoids the over-conservative behavior that 'security' wording can trigger

  • 04

    Seven NEVER rules guard destructive git operations, always paired with an explicit-user-request exception

  • 05

    Deduplicating sandbox config in the prompt saves 150-200 tokens per request - token budget is measured, not guessed

Flows built on this research