Aethyr Research

Production AI Engineering Patterns: Lessons from Claude Code's Architecture

by R. Demetri Vallejos
ai-engineeringclaudeanthropictechnical-breakdownprompt-engineeringreference

This is the technical companion to our analysis of Claude Code's architecture. Where that post tells the story, this one catalogs the patterns.

Architecture Overview

Claude Code is a ~380K line TypeScript codebase implementing an AI-powered coding assistant. The architecture follows a layered pattern:

  • CLI shell — Terminal interface with rich rendering (Yoga layout engine, ANSI color diff, vim mode)
  • Agent loop — State machine managing the conversation-tool-response cycle
  • Tool system — 44+ tools with typed interfaces, safety properties, and concurrent execution
  • Prompt engine — Cache-optimized system prompt construction with static/dynamic boundaries
  • Multi-agent layer — Subagent spawning, advisor delegation, and coordinator patterns
  • Budget system — Token tracking, cost estimation, and compaction strategies

System Prompt Architecture

Static/Dynamic Cache Boundary

Every system prompt is split at a boundary marker. Content above the boundary — model identity, tool definitions, behavioral rules — is static and globally cached. Content below — user context, session state, feature flags — varies per request.

This architecture means prompt caching works across all users for the static portion, dramatically reducing costs.

Tool Definition Ordering

Tool definitions are sorted alphabetically — not for readability, but for cache stability. If tools loaded in a different order between requests, the cache key would change. Alphabetical sort is deterministic and survives tool additions without breaking the cache.

Cache-Breaking Discipline

Engineers are required to justify any content placed in the dynamic (uncached) section. The pattern uses a function signature that forces a reason parameter — not used at runtime, but serving as mandatory documentation for why the cache is being broken.

Quantitative Length Targets

System prompts use exact word counts (e.g., "keep responses under 100 words") rather than qualitative guidance ("be concise"). Research showed ~1.2% output token reduction from quantitative targets. At fleet scale, that adds up.

Tool System

Safety Properties

Every tool declares structured safety metadata:

  • Read-only — Whether the tool modifies state
  • Concurrency-safe — Whether it can run in parallel with other tools
  • Destructive — Whether it performs irreversible operations
  • Max result size — Character limit before result is persisted to disk

A factory function ensures fail-closed defaults — if a property isn't explicitly set, the tool is treated as potentially destructive.

Concurrent Execution with Selective Abort

When multiple tools run concurrently, a Bash error aborts all sibling tool calls via a shared abort controller. But Read or WebFetch errors don't trigger sibling aborts — each non-Bash tool type is independent.

The asymmetry reflects dependency patterns: Bash commands often have implicit chains, but reading two files has no dependency.

Tool Result Budgets

Results exceeding ~50,000 characters are persisted to disk. The model sees a preview plus a file path. Once persisted, that decision is frozen forever — even across session resume — to preserve prompt cache alignment.

Deferred Tool Loading

Tool schemas are loaded lazily — only fetched when the user references them. This keeps the base system prompt compact and cacheable.

Token Budget and Compaction

Thresholds

The system tracks context utilization as a percentage. When utilization exceeds a threshold (~80%), auto-compaction summarizes older messages to free space.

Circuit Breaker

After 3 consecutive compaction failures, the system stops retrying. Production data showed sessions with 50+ consecutive failures, each burning an API call. The circuit breaker saved ~250,000 API calls per day.

Diminishing Returns Detection

The agent loop tracks the token delta between continuations. If the model has continued 3+ times with minimal new tokens each iteration, the system stops. The model is spinning rather than making progress.

Multi-Agent Architecture

Agent Isolation

Subagents receive a cloned copy of state, not a reference. They get filtered tool access — user-facing tools (like asking questions) are blocked. Each subagent runs with independent permissions.

Coordinator Pattern

A coordinator mode enables multi-step task decomposition. The coordinator plans, delegates to worker agents, and synthesizes results. Workers cannot spawn their own subagents (single level of nesting).

Advisor Tool

A secondary, stronger model reviews the primary agent's work before it commits to an approach. The advisor's cost is tracked separately. This "AI reviewing AI" pattern builds reliability for high-stakes decisions.

The architectural gap: there's no cryptographic proof linking the advisor's recommendation to the action taken. The delegation happens in memory and disappears when the process exits.

Permission System

Three-Decision Model

Every tool invocation gets one of three decisions: allow, deny, or ask the user. Rules are evaluated in priority order — explicit denials override allowlists.

Dangerous Pattern Detection

Bash commands are scanned against patterns that indicate destructive operations: force pushes, hard resets, recursive deletes, hook bypasses, stash operations. Matching commands require explicit user approval regardless of permission settings.

Protected Files

Certain file patterns (.env, credential files, SSH keys) trigger heightened scrutiny. Write operations to these paths always prompt for confirmation.

Cost Tracking

Every API call records input tokens, output tokens, cache creation tokens, cache read tokens, and estimated dollar cost. Users see a running total. The system uses client-side price tables to estimate cost before server confirmation.

Performance Engineering

Native Modules

Performance-critical paths use compiled native code rather than JavaScript:

  • Layout engine — Terminal UI layout via native bindings
  • File indexing — Fuzzy file search for large repositories
  • Color diff — Syntax-highlighted diff rendering
  • Screenshot rendering — ANSI terminal output to PNG conversion

Startup Optimization

The CLI uses aggressive lazy loading — modules are imported only when first needed. Heavy dependencies (vision models, voice processing) are deferred until the user invokes the relevant feature.

Memory System

The persistent memory system uses markdown files (like CLAUDE.md) at three scopes:

  • User-level — Global preferences and context
  • Project-level — Repository-specific conventions
  • Session-level — Current conversation state

Memory files are loaded into every system prompt. The system can read, write, and update memory files as tools.

Feature Gating

Features are controlled at both build time and runtime:

  • Build-time gates — Features are excluded from bundles entirely via tree-shaking
  • Runtime flags — Features are toggled for gradual rollout within a build
  • User-type gates — Different feature sets for internal vs external users

The combined approach eliminates dead code from production bundles while enabling canary deployments.

The Missing Layer

380,000 lines of runtime guardrails. Zero lines of cryptographic identity.

Claude Code's agent architecture is the most sophisticated we've seen — but every permission check, every delegation, every tool authorization happens in memory and disappears when the process exits. There's no verifiable proof that agent A authorized agent B to take action C.

For a CLI on your laptop, this is acceptable. For autonomous agents operating across trust boundaries — multi-tenant platforms, cross-organization APIs, regulated industries — it's a gap that widens with every layer of agent delegation.

The Aethyr Agent Registry exists to fill this gap: W3C DIDs and post-quantum Verifiable Credentials for every agent instance, verifiable offline, for $1.