Gate News, March 25 — Ant Group engineer and Umi.js front-end framework author Chen Cheng reverse-engineered the source code of Claude Code 2.1.81, fully restoring the decision mechanism of Auto Mode. The key finding: each tool invocation passes through four layers of decision-making, and only when the first three layers cannot determine the outcome will an independent AI classifier be called for safety review.
The four layers of the pipeline are: first, checking existing permission rules; if matched, allow directly; second, simulating acceptEdits mode (permission level allowing file edits). If it passes in this mode, it indicates low risk, and the classifier is skipped; third, checking the read-only tool whitelist (Read, Grep, Glob, LSP, WebSearch, etc.), which do not modify any state and are unconditionally allowed; only if none of these conditions are met does it proceed to the fourth layer, sending an API request to Claude Sonnet for safety classification.
Key design details of the classifier include: always using Sonnet instead of Opus, balancing cost and latency; setting temperature to 0 to ensure deterministic output; the classifier is defined as a “safety monitor for autonomous AI programming agents,” protecting against three types of risks (prompt injection, scope creep, unintended harm); the user’s CLAUDE.md configuration file is injected into the classifier context as the basis for judging user intent.
The interception rules cover over 22 categories, including force push, direct push to main branch, downloading and executing external code, production deployment, data leaks, self-modification permissions, creating remote code execution surfaces, credential leaks, etc. Exceptions for allowing include seven types: hardcoded test keys, local file operations within the working directory, read-only GET requests, installing declared dependencies, official toolchain installations, reading configuration credentials sent to target providers, and pushing to the current working branch.
The system also implements a circuit breaker mechanism: after three consecutive rejections or a total of 20 rejections, the system downgrades to manual confirmation; in headless mode, it directly aborts the agent. When the classifier is unavailable, a feature flag controls whether it “fail-closed” (immediately reject) or “fail-open” (downgrade to manual confirmation).
In Auto Mode, prompt injection behavior is finely controlled: injected once every five dialogue rounds, with the first injection in each five-round cycle being the full version (about 800 words, including six instructions such as “execute immediately,” “reduce interruptions,” “action over plan”), and the remaining four being a concise one-line version, balancing context window usage and behavioral stability.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Nomura Securities survey: Eight in ten institutional investors plan to allocate 2% to 5% of AUM to crypto assets
A 2026 digital asset institutional investor survey by Nomura Securities (Nomura) and its crypto subsidiary, Laser Digital, shows that nearly four-fifths of surveyed institutional investors plan to allocate 2% to 5% of their total assets under management (AUM) to the crypto market. Most institutions say they plan to do so within the next year rather than investing immediately.
MarketWhisper22h ago
Nomura Survey: 80% of Institutional Investors Willing to Allocate 2-5% to Cryptocurrencies
A Nomura survey reveals 80% of institutional investors aim to invest 2-5% in cryptocurrencies, favoring yield strategies like staking and lending. Regulatory clarity and risk management are key to boosting institutional interest in digital assets.
GateNews04-16 19:11
Stablecoin Market Hits $322B ATH, Q1 2026 Trading Volume Reaches $8.3 Trillion
The stablecoin market experienced significant growth, surging $2.25 billion to reach $322 billion, despite a broader crypto market contraction. USDC saw a substantial supply increase, while USDT maintained its market share. Yield-bearing stablecoins contributed notably to this growth, with transaction activity hitting an all-time high.
GateNews04-16 19:02
Ethereum Foundation Announces ETH Rangers Project Results: Over $5.8M in Recovered or Frozen Assets
The Ethereum Foundation's ETH Rangers project has successfully completed, funding 17 researchers to enhance public security in the ecosystem. Achievements include recovering $5.8M in assets, identifying over 785 vulnerabilities, and developing several security tools.
GateNews04-16 14:32
Top Crypto VCs See Significant AUM Declines Amid 2025 Market Downturn
During the 2025 crypto market downturn, major venture capital firms saw significant AUM declines, but Haun Ventures grew by 30%. Paradigm and a16z are raising over $4.2 billion for new funds, highlighting varied performances among firms.
GateNews04-16 11:01
