Gate News, March 25 — Ant Group engineer and Umi.js front-end framework author Chen Cheng reverse-engineered the source code of Claude Code 2.1.81, fully restoring the decision mechanism of Auto Mode. The key finding: each tool invocation passes through four layers of decision-making, and only when the first three layers cannot determine the outcome will an independent AI classifier be called for safety review.
The four layers of the pipeline are: first, checking existing permission rules; if matched, allow directly; second, simulating acceptEdits mode (permission level allowing file edits). If it passes in this mode, it indicates low risk, and the classifier is skipped; third, checking the read-only tool whitelist (Read, Grep, Glob, LSP, WebSearch, etc.), which do not modify any state and are unconditionally allowed; only if none of these conditions are met does it proceed to the fourth layer, sending an API request to Claude Sonnet for safety classification.
Key design details of the classifier include: always using Sonnet instead of Opus, balancing cost and latency; setting temperature to 0 to ensure deterministic output; the classifier is defined as a “safety monitor for autonomous AI programming agents,” protecting against three types of risks (prompt injection, scope creep, unintended harm); the user’s CLAUDE.md configuration file is injected into the classifier context as the basis for judging user intent.
The interception rules cover over 22 categories, including force push, direct push to main branch, downloading and executing external code, production deployment, data leaks, self-modification permissions, creating remote code execution surfaces, credential leaks, etc. Exceptions for allowing include seven types: hardcoded test keys, local file operations within the working directory, read-only GET requests, installing declared dependencies, official toolchain installations, reading configuration credentials sent to target providers, and pushing to the current working branch.
The system also implements a circuit breaker mechanism: after three consecutive rejections or a total of 20 rejections, the system downgrades to manual confirmation; in headless mode, it directly aborts the agent. When the classifier is unavailable, a feature flag controls whether it “fail-closed” (immediately reject) or “fail-open” (downgrade to manual confirmation).
In Auto Mode, prompt injection behavior is finely controlled: injected once every five dialogue rounds, with the first injection in each five-round cycle being the full version (about 800 words, including six instructions such as “execute immediately,” “reduce interruptions,” “action over plan”), and the remaining four being a concise one-line version, balancing context window usage and behavioral stability.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
New Altcoins Outperform Older Tokens in 2025, Data Shows Divergence in Exchange Performance
Gate News message, April 27 — In 2025, newly launched altcoins significantly outperformed older tokens, marking a shift in how liquidity is allocated across the crypto market. While older altcoins posted net losses between 18% and 23%, newly listed altcoins in 2025 retained 5% in net gains,
GateNews49m ago
Europe's MiCA Framework Makes Euro Stablecoin 'Safe but Uncompetitive,' Blockchain Association Reports
Gate News message, April 27 — The Blockchain for Europe association released a report on Monday that concludes the European Union's Markets in Crypto-Assets Regulation (MiCA) framework has significantly enhanced the safety of euro stablecoins but simultaneously undermined their commercial
GateNews1h ago
Global Crypto Funds Record $1.2B Weekly Inflows as Bitcoin Leads Institutional Capital Surge
Gate News message, April 27 — Global crypto investment products issued by asset managers including BlackRock, ARK 21Shares, and Fidelity recorded $1.2 billion in net inflows last week, according to CoinShares data. Bitcoin-based products led the charge with $932.5 million, pushing year-to-date bitco
GateNews4h ago
Bernstein: Crypto Market Shows Structural Strength, Bitcoin Poised for Extended Bull Market
Gate News message, April 27 — Investment research firm Bernstein has released a report indicating that cryptocurrency market fundamentals are steadily improving, with Bitcoin's recent $60,000 low establishing a clear bottom. The asset is now approaching $80,000 and is positioned to enter a longer-te
GateNews4h ago
From Speculation to Stability: Discovery Bank Report Reveals 7.8M South Africans Now Invest in Crypto
A new report by Discovery Bank and Visa highlights a major shift in South Africa’s financial landscape, as cryptocurrency matures from a speculative trend into a mainstream investment class.
Key Takeaways:
Discovery Bank and Visa report that 7.8 million South Africans now treat crypto as a mainst
Coinpedia5h ago
Gate Q1 2026 Report: Perp DEX Hits $130B in Trading Volume, TradFi Products Drive Multi-Asset Expansion
Gate News message, April 27 — Gate released its Q1 2026 quarterly report, showcasing sustained expansion across core business segments. Gate Perp DEX entered a scaling phase in the first quarter, recording cumulative trading volume exceeding $13 billion, surpassing 10 million trades, and expanding t
GateNews5h ago
