Why Claude Code Feels Like an OS: Inside Anthropic’s 510k‑Line Source

1. A Story: Hiring a Remote Programmer

Imagine giving a remote developer full access to your computer. Cursor would require you to approve every command manually, GitHub Copilot Agent would work in an isolated VM, while Claude Code lets the AI use your exact environment but wraps every action in a nine‑layer security review, deciding which operations need approval and which can run autonomously.

2. Claude Code vs. Expected AI Coding Tools

Typical flow:

user input → call LLM API → return result → show to user

Claude Code actual flow:

user input
 → dynamically assemble 7 layers of system prompts
 → inject Git state, project conventions, history
 → attach 42 tool manuals
 → LLM selects a tool
 → 9‑layer safety review (AST parsing, ML classifier, sandbox checks…)
 → permission competition (keyboard / IDE / hook / AI classifier)
 → 200 ms anti‑accidental‑trigger delay
 → execute tool
 → stream result back
 → three‑stage context compression (micro → auto → full)
 → spawn sub‑agents if needed
 → loop until task completes

The article walks through each step, showing how the author dissected the source to understand the process.

3. First Secret: Prompt Assembly, Not Writing

Opening src/constants/prompts.ts reveals the getSystemPrompt function, which returns a list of static sections (cached) followed by a dynamic boundary marker SYSTEM_PROMPT_DYNAMIC_BOUNDARY. Static parts are cached by Claude’s API to save tokens; dynamic parts contain the current Git branch, CLAUDE.md configuration, and user‑provided preferences, changing every conversation.

This design treats prompts like compiled binaries (static) plus runtime parameters (dynamic), yielding three benefits: lower cost (static cache avoids re‑billing), faster responses (cache hits skip token processing), and flexibility (dynamic part adapts to the user’s environment).

4. Second Secret: 42 Tools, Most Hidden

Inspecting src/tools.ts shows a registration function returning an array of tool classes such as AgentTool, BashTool, FileReadTool, WebFetchTool, etc. Most tools are lazy‑loaded via ToolSearchTool only when the LLM requests them, because each tool description adds tokens to the system prompt. Setting the environment variable CLAUDE_CODE_SIMPLE=true reduces the toolset to just Bash, FileRead, and FileEdit, providing a minimalist backdoor for power users. All tools are built from a common factory with default safety flags ( isConcurrencySafe = false , isReadOnly = false ), a “fail‑closed” approach that assumes a tool is unsafe unless explicitly marked safe.

Read‑Before‑Edit Rule

FileEditTool calls getPreReadInstruction and aborts if the file hasn’t been read with FileReadTool , enforcing a “read before modify” discipline that prevents blind overwrites.

5. Third Secret: Memory System

Claude Code remembers user preferences across sessions. When you tell it not to mock a database or that you’re a backend engineer new to React, the next conversation reflects that knowledge. Memory selection uses a separate Claude Sonnet model with the prompt SELECT_MEMORIES_SYSTEM_PROMPT to pick up to five relevant memory files, prioritizing precision over recall to avoid polluting context.

KAIROS Night‑Dream Mode

When the KAIROS flag is on, raw nightly logs are distilled into structured files ( memory/user_preferences.md , memory/project_context.md ) by a /dream skill, turning unstructured logs into usable knowledge.

6. Fourth Secret: Agent Swarm

Complex tasks trigger the creation of sub‑agents. The AgentTool schema defines fields like description , prompt , subagent_type , and model . Generated child agents receive a strict “you are a worker, not a manager” message, preventing recursive spawning and limiting reports to 500 words. In Coordinator mode, Claude Code becomes a pure orchestrator, assigning phases (Research, Synthesis, Implementation, Verification) to parallel workers and then aggregating results.

7. Fifth Secret: Three‑Layer Compression

To stay within LLM context windows, Claude Code applies three compression stages:

Micro‑compression replaces old tool results with the placeholder [Old tool result content cleared].

Automatic compression triggers at ~87% token usage, with a breaker that stops after three consecutive failures.

Full compression runs an AI summarizer that replaces the entire conversation history with a concise text‑only summary, enforced by the NO_TOOLS_PREAMBLE prompt that forbids any tool calls during summarization.

Token budgets after compression are roughly 50 k for file restoration, 5 k per file, and 25 k for skill content, balancing context retention with space for new messages.

8. What I Learned

Only about 5 % of the 510 k lines actually call the LLM API; the rest implements security checks, permission systems, context management, multi‑agent coordination, UI components (≈140 React components), and performance optimizations. Key takeaways:

Prompt engineering is a systems problem: 7 dynamic layers, per‑tool manuals, cache boundaries, internal vs. external version differences, and fixed tool ordering.

Design for failure: each external dependency has a fallback strategy, and the system includes circuit breakers, exponential backoff, and transcript persistence.

Claude Code is more than a chatbot with tools; it is an operating system built around an LLM, with its own permission model, memory subsystem, process management, and storage abstraction.

Conclusion

Anthropic’s answer to making AI truly useful is to give it a complete trust framework rather than a cage or a bare‑bones assistant. The price of that framework is 510 k lines of code, but the result is an AI‑driven OS that feels safe, fast, and deeply integrated with the developer’s environment.