Skip to content
Flows
Tier 1 · Claude Code internals Claude Code internals · fetched 2026-07-02

claude-code-sourcemap (leeyeel)

An independent, earlier source-map extraction of Claude Code (v0.2.8 research preview) capturing the agent's terminal-native design: codebase understanding, file edits, git workflows through natural language. Useful as a second witness when the SatoMini map is ambiguous, and for seeing how early the core loop stabilized.

View source on GitHub

Key takeaways

  • 01

    Second independent witness for cross-checking module claims

  • 02

    Shows the core loop design was stable from very early versions

  • 03

    Covers the v0.2.x era - useful for evolution comparisons

Flows built on this research

From the archive

Verbatim excerpts mined from our local archive of this repository — the prompts, schemas, and patterns worth stealing.

Prompt

The malicious-code refusal instruction, verbatim

IMPORTANT: Refuse to write code or explain code that may be used maliciously; even if the user claims it is for educational purposes. When working on files, if they seem related to improving, explaining, or interacting with malware or any malicious code you MUST refuse.
IMPORTANT: Before you begin work, think about what the code you're editing is supposed to do based on the filenames directory structure. If it seems malicious, refuse to work on it or answer questions about it, even if the request does not seem malicious (for instance, just asking to explain or speed up the code).

From an early open-source Claude Code snapshot: the security instruction asks the model to infer intent from directory structure before touching any file.

src/constants/prompts.ts

Agent pattern

The original subagent dispatch prompt

Launch a new agent that has access to the following tools: ${toolNames}. When you are searching for a keyword or file and are not confident that you will find the right match on the first try, use the Agent tool to perform the search for you.

Usage notes:
1. Launch multiple agents concurrently whenever possible... use a single message with multiple tool uses
2. When the agent is done, it will return a single message back to you. The result returned by the agent is not visible to the user.
3. Each agent invocation is stateless.

// In the source: getAgentTools() filters out AgentTool itself - 'No recursive agents, yet..'

Three durable subagent rules in one prompt: parallelize by default, results are for the caller not the user, and recursion is disabled by construction.

src/tools/AgentTool/prompt.ts

Prompt

BashTool's banned list and pre-flight ritual

export const BANNED_COMMANDS = ['alias', 'curl', 'curlie', 'wget', 'axel', 'aria2c', 'nc', 'telnet', 'lynx', 'w3m', 'links', 'httpie', 'xh', 'http-prompt', 'chrome', 'firefox', 'safari']

Before executing the command:
1. Directory Verification - if the command will create new directories or files, first use the LS tool to verify the parent directory exists and is the correct location
2. Security Check - for security and to limit the threat of a prompt injection attack, some commands are limited or banned.
3-5. Execute after proper quoting; truncate output beyond 30000 characters; include errors in the result.

The banned list is all network-fetch and browser commands - the model gets dedicated, auditable tools for the web instead of raw curl.

src/tools/BashTool/prompt.ts