How Claude Code Works, From Tokens to Agents • nem035

Tools like Claude Code, ChatGPT, and Cursor look like magic from the outside. You type a message, and the AI reads your files, fixes bugs, runs tests.

Under the hood, it’s a stack of pieces, and once you see them, the behavior of these tools gets a lot more predictable. This walkthrough builds that stack from scratch, starting from the simplest possible interaction and adding layers until we arrive at something like Claude Code. Every diagram is interactive, so click around.

Layer 1: A basic prompt

At the bottom of everything is a language model. You send it text, it sends back text. That’s the API.

Token by token

A token is a fragment of text, roughly a word or part of a word. The model operates on tokens, not characters or words. Type in the box below to see how text gets split:

Tokenizer7 tokens · 31 chars

The capital of France is Paris.

Type or paste any text to see how a model splits it into tokens. Each color is one token. Spaces and punctuation are often their own tokens.

Under the hood, the model generates its response one token at a time. At each step, it reads everything that came before (the entire prompt plus all tokens generated so far) and calculates a probability distribution over every possible next token. It picks one (usually the most likely), appends it, and repeats.

Token-by-token generation

The capital of France is

Press Generate to watch the model produce tokens one at a time.

The model has no branching thoughts, no parallel reasoning, no internal outline. Each token is predicted using all the tokens before it as context:

The capital of France is Paris. 

When you see a long, well-structured response, the model didn’t plan that structure in advance. It committed to the first token, then the second had to be consistent with the first, and so on.

This is also why reasoning models generate a long chain of “thinking” tokens before the visible response: more reasoning tokens means more intermediate steps worked through in that single sequence, which means a better foundation by the time the model starts writing the actual answer.

Probabilities, not facts

The model doesn’t look up facts. It assigns probabilities to continuations and samples from the distribution, weighted toward the most probable tokens.

Confidence is not correctness

The capital of France is ___

"Paris"

97.0%✓

"the"

1.5%

"a"

0.8%

"located"

0.4%

"Lyon"

0.2%

High confidence, correct answer. The model has seen this pattern thousands of times. The highest-probability token happens to be right.

Correct answerWrong answer (chosen)Other candidates

The mechanism is identical whether the output happens to be correct or not. “Hallucination” is just the label we apply after the fact when the high-probability output doesn’t match reality.

The tokens are the thinking

The reasoning happens in the output tokens themselves. There’s no hidden scratchpad where the model works things out before responding.

This means the order of fields in a structured output matters. If you ask the model to produce JSON with the answer first and the reasoning second, the “reasoning” is post-hoc justification. Reverse the order, and the reasoning actually informs the answer.

The tokens are the thinking

JSON schema field order

{
  "result": "...",
  "reasoning": "..."
}

Model output

{
  "result": "42",
  "reasoning": "The answer is 42 because it is
    the most commonly referenced number in
    programming culture and seems like a
    reasonable default."
}

Post-hoc rationalization

The model commits to an answer before it reasons. The "reasoning" field is post-hoc justification, written to support whatever the model already said. It is not thinking. It is rationalizing.

Token generation order

Reasoning models and reasoning tokens

Reasoning models (OpenAI’s GPT-5.4 family, Anthropic’s Claude with extended thinking) generate a separate stream of reasoning tokens before the visible answer. The final answer is produced with all that reasoning as context, which is why it tends to be better on hard problems.

The specifics differ by provider (and will continue to evolve), but the general shape is the same:

OpenAI discards reasoning tokens after each turn. On the next turn, the model sees previous inputs and outputs but not its prior reasoning. You can request a summary of what it thought about, but not the raw token sequence.
Anthropic returns thinking blocks with an encrypted signature that can be passed back across turns, preserving reasoning continuity during tool use loops. Current Claude models return summarized thinking by default (generated by a separate model), not the raw tokens. The recommended mode is now adaptive thinking, where the model dynamically decides how much to reason based on the complexity of each request.

In both cases, you pay for the full reasoning tokens even though you only see a summary (or nothing at all). A single turn might generate anywhere from a few hundred to tens of thousands of reasoning tokens depending on the problem:

Where the tokens go (and what you pay for)

4,200

2,048

Input4,20064%

Reasoning (hidden)2,04831%

Visible output3405%

You see: 340 output tokensYou pay for: 2,388 output tokens

86% of billed output tokens are reasoning you never see. Total cost: $0.2421

Neither provider exposes the raw reasoning sequences (likely because they’re valuable training signal).

So that’s layer 1: you send text, the model predicts tokens, you get text back. Everything else we’ll add is built on top of this.

Layer 2: The assembled prompt

A raw prompt is just your text. But every real application wraps your text in a much larger prompt before sending it to the model. The application adds a system message (invisible instructions), tool definitions, project context files, and the full conversation history. Your message goes at the very end.

When ChatGPT first launched in December 2022, its leaked system message was about 25 lines of capability disclaimers. Today, production system prompts for tools like Claude Code run to thousands of tokens with tool definitions, personality settings, and policy constraints.

View ChatGPT’s original leaked system prompt (Dec 2022)

Assistant is a large language model trained by OpenAI.
knowledge cutoff: 2021-09
Current date: December 01 2022
Browsing: disabled

- Assistant is a large language model trained by OpenAI.
- Assistant does not have personal feelings or experiences and is not able to browse the internet or access new information.
- Assistant's knowledge is limited to what it was trained on, which was cut off in 2021.
- Assistant is not able to perform tasks or take physical actions, nor is it able to communicate with people or entities outside of this conversation.
- Assistant is not able to provide personalized medical or legal advice, nor is it able to predict the future or provide certainties.
- Assistant is not able to engage in activities that go against its programming, such as causing harm or engaging in illegal activities.
- Assistant is a tool designed to provide information and assistance to users, but is not able to experience emotions or form personal relationships.
- Assistant's responses are based on patterns and rules, rather than personal interpretation or judgment.
- Assistant is not able to perceive or understand the physical world in the same way that humans do.
- Assistant's knowledge is based on the data and information that was provided to it during its training process.
- Assistant is not able to change its programming or modify its own capabilities, nor is it able to access or manipulate users' personal information or data.
- Assistant is not able to communicate with other devices or systems outside of this conversation.
- Assistant is not able to provide guarantees or assurances about the accuracy or reliability of its responses.
- Assistant is not able to provide personal recommendations or advice based on individual preferences or circumstances.
- Assistant is not able to diagnose or treat medical conditions.
- Assistant is not able to interfere with or manipulate the outcomes of real-world events or situations.
- Assistant is not able to engage in activities that go against the laws or ethical principles of the countries or regions in which it is used.
- Assistant is not able to perform tasks or actions that require physical manipulation or movement.
- Assistant is not able to provide translations for languages it was not trained on.
- Assistant is not able to generate original content or creative works on its own.
- Assistant is not able to provide real-time support or assistance.
- Assistant is not able to carry out actions or tasks that go beyond its capabilities or the rules set by its creators.
- Assistant is not able to fulfill requests that go against its programming or the rules set by its creators.

What the model receives each turn

System prompt

Tool defs

History

System prompt ~4kTool defs ~6kAGENTS.md ~1kHistory ~12kYour message ~25

Hover or click a section. All of this gets concatenated into one token sequence and re-read on every turn.

The model sees all of this as one continuous sequence of tokens. It doesn’t treat any of these sections differently at a mechanical level. This is also where project context files like CLAUDE.md or AGENTS.md fit in. Their contents get injected alongside the system prompt, so the model reads them on every turn before it sees your message.

Here’s what the full assembled prompt looks like, and how much of the context budget each section consumes:

What the model sees each turn

~17.8k

System prompt
~350 tokens
You are Claude Code, an interactive CLI tool
that helps users with software engineering tasks.
Use the tools available to you to assist the user.
 
Platform: macOS. Working directory: /Users/dev/myapp
Today's date: 2026-03-27
 
IMPORTANT: Only create commits when requested.
NEVER run destructive git commands unless the
user explicitly asks.
Tool definitions
~4,200 tokens
Available tools:
 
Read(file_path, offset?, limit?)
  Read a file from the filesystem.
 
Edit(file_path, oldString, newString)
  Exact string replacement in files.
 
Bash(command, workdir?, timeout?)
  Execute a bash command.
 
...8 more tools with schemas...
AGENTS.md
~1,200 tokens
# Project: myapp
 
Auth uses legacy JWT, not OAuth.
The auth module uses raw JWT with RS256 keys
in /etc/secrets/. Do not use passport.
 
user.email is unique but user.username is not.
Always filter by email.
History
~12,000 tokens
[User] Fix the failing auth tests
 
[Assistant] I'll start by running the tests.
  → Bash("npm test -- --grep auth")
  ← FAIL src/auth.test.ts ...
 
[Assistant] Let me read the source.
  → Read("src/auth.ts")
  ← [248 lines of file contents]
 
  ...previous turns...
Your message
~25 tokens
[User] Now fix the token expiry bug too

Hover a section. The colored bar marks the boundaries. All of this is one token sequence the model reads top to bottom, re-assembled every turn.

Layer 3: Tool calling

With just a system message and a prompt, the model can answer questions and generate text. But it still can’t do anything. It can’t read your files, run commands, or make edits. For that, we need tool calling.

The idea is straightforward. The system message includes a list of tool definitions: names, descriptions, and input schemas. When the model’s response includes a structured tool call instead of plain text, the surrounding software intercepts it, executes the tool, and feeds the result back as a new message. The model then continues, now with the tool’s output in its context.

A real tool-calling session, step by step

1/5

YouStep 1: You send a prompt

UserMessage

"Find and fix the bug causing test
failures in the auth module"

Your text gets wrapped with the system prompt, tool definitions, and conversation history, then sent to the model as one token sequence.

YouSystemLLMTool

At each step, the model is producing text and conventional software is carrying out the action. In the next section, we’ll see what happens when you put this in a loop.

There’s also error handling you don’t see. If the model outputs a malformed tool call (wrong casing, bad JSON), the harness tries to repair it rather than crashing. Large tool outputs get truncated, with the full content saved to disk.

Notice how token usage compounds here. The model re-reads the entire conversation on every turn: the system prompt, tool definitions, your message, every previous tool call, and every previous result. So when the model reads auth.py on turn 2, the full file contents stay in the context for turns 3, 4, and beyond.

Token compounding across turns

4 turns

Base

8.0k

Turn 1

11.5k

Turn 2

15.7k

Turn 3

16.9k

Turn 4

19.7k

Re-read from prior turnsNew tokens this turn

New content: 19.7k tokensTotal billed input: 71.8k tokensMultiplier: 3.6x

Add or remove turns to see how billed tokens grow. The light blue is context re-read from prior turns. The multiplier shows how much more you pay vs the actual new content.

If your session adds 30k tokens of new content across 8 turns, you might expect to be billed for 30k tokens. But because the model re-reads everything on every turn, the actual billed input can be 100k+ tokens. The TokenCompounding visualization above shows exactly how this adds up.

This re-reading overhead is also why providers are building new connection models. OpenAI’s WebSocket mode, for example, keeps a persistent connection open and sends only the new tokens each turn instead of the full history. The server holds onto the prior conversation state in memory, so the model doesn’t have to re-process everything from scratch. For agent loops with 20+ tool calls, this can cut end-to-end latency by roughly 40%.

Extending tools: MCP vs CLI

Tools like Read, Edit, and Bash are built into the agent. But you can add more through MCP or CLI.

A traditional API is designed for developers: you read the docs, write code against specific endpoints, and hardcode the integration. MCP (Model Context Protocol) is designed for agents: the agent dynamically discovers what tools are available at runtime, sees their schemas in its context (just like built-in tools), and calls them with structured inputs. No one has to write integration code for each service. You stand up an MCP server, the agent queries it for available tools, and it can start using them immediately.

The other practical difference is access scoping. If your database gives you full SQL access, your MCP server can expose just query_users and hide everything else. The agent calls your server, not the database directly.

CLI is the agent using services directly from the terminal, the same way you would. No protocol, no discovery. If a service has a command-line interface, the agent can use it, and it can pipe, filter, and chain commands in ways that structured tool calls can’t.

MCP vs CLI

Agent

calls query_users

→

Your MCP server

runs SELECT internally

→

Database

full access

Your MCP server controls access

Agent calls: query_users(email: "alice@acme.com")
Server runs: SELECT id FROM users WHERE email = $1
Returns: { "exists": true, "user_id": "usr_482" }

The agent never sees the database. It can only call the operations you exposed. No DELETE, no DROP, no raw SQL.

Most setups use both. MCP for controlled, discoverable access to external services. CLI for the flexibility of the terminal.

Layer 4: The agent loop

With tool calling, the model can take a single action: read a file, run a command, make an edit. But real tasks take multiple steps. To fix a bug, you might need to run the tests, read the failing file, make a change, and run the tests again.

An agent is just tool calling in a loop. The model evaluates the current state, outputs one or more tool calls, the system executes them, the results feed back into the context, and the model evaluates again. The loop ends when the model responds with plain text and no tool calls.

Step through this bug-fix session to see how the loop works, including the branching (tool call vs text response), the permission check, and the loop-back when tool results feed back:

The full agent loop

1/13

You type a message: "Fix the failing auth tests"

> Fix the failing auth tests

Here’s what the same kind of session looks like in practice:

claude code — session
> Fix the failing auth tests
⟡ Thinking...
  Turn 1/∞
  $ npm test -- --grep auth
  FAIL src/auth.test.ts
    ✗ should reject invalid password (Expected 401, got 200)
  Turn 2/∞
  Reading src/auth.ts (248 lines, ~1.2k tokens)...
  Reading src/auth.test.ts (89 lines, ~520 tokens)...
⟡ Thinking...
  The arguments to bcrypt.compareSync are reversed on line 34.
  Turn 3/∞
  Editing src/auth.ts...
  ✓ Applied: bcrypt.compareSync(stored, provided) → (provided, stored)
  Turn 4/∞
  $ npm test -- --grep auth
  PASS src/auth.test.ts (12 tests)
  Fixed: reversed bcrypt.compareSync arguments in auth.ts.
  4 turns · 8 tool calls · 14.2k input + 1.8k output tokens · $0.03

Each turn is one round trip to the model. The turn counter, token usage, and cost are tracked by the harness. You can cap turns, set a dollar budget, or configure the reasoning effort level. Without limits, the loop runs until the model responds with no tool calls.

This is what Claude Code, Cursor’s agent mode, and similar tools are: an LLM in an agent loop, with tools for reading files, writing files, running shell commands, and searching code.

Layer 5: Managing context

The agent loop has a constraint. The context window, the total amount of text the model can see at once, is finite. Current flagship models (as of early 2026) like Claude Opus 4.6 and GPT-5.4 support up to 1 million tokens. Everything accumulates: the system prompt, tool definitions, your project context files, every message, every tool call and its result.

The context window fills up

30,000 / 200,000 tokens15%

System prompt

4,000

Tool definitions

6,000

Project context

2,000

Turn 1: ran tests

3,500

Turn 2: read files

12,000

Turn 3: edited code

2,500

Add turns to watch the context fill up. Hit Compact to see what happens when the system summarizes older history.

Fixed overheadConversation historyCompacted summary

Bigger context windows don’t mean better results

Context windows have grown from 4K to 1M tokens in two years, but the advertised size and the effective size are different things. Anthropic’s own documentation puts it directly:

“As token count grows, accuracy and recall degrade, a phenomenon known as context rot. This makes curating what’s in context just as important as how much space is available.”

Research consistently confirms this. “Lost in the Middle” (Liu et al., 2023) found that models are best at using information at the beginning and end of the context, with significant accuracy drops for information in the middle. Later benchmarks (RULER, MRCR, GraphWalks) show the same pattern: accuracy degrades with length, and the degradation is worse for complex tasks than simple retrieval.

Context size vs actual accuracy

Start

92%

20%

78%

40%

62%

Middle

56%

60%

61%

80%

74%

End

90%

Good (85%+)Degraded (70-85%)Poor (<70%)

Models retrieve information well from the beginning and end of the context window, but accuracy drops for information placed in the middle. This U-shaped pattern has been consistently documented across model generations.

Simple needle-in-a-haystack retrieval (finding one fact in a sea of text) holds up reasonably well at long contexts. But multi-step reasoning, aggregation across many pieces of information, and tasks that require understanding the full context degrade faster. This is why agentic tools don’t just dump your entire codebase into a 1M context window and call it a day. Compaction, subagents, and focused context files exist because quality of context use matters more than quantity.

RAG: searching before reading

This is also why RAG (Retrieval-Augmented Generation) exists: instead of putting everything into context upfront, you search for the relevant pieces first and only add those.

RAG is a broader pattern than vector databases and embeddings. Tools like Cursor use it for codebase search: when you ask a question, the tool searches your codebase (using file names, symbol indexes, and sometimes embeddings), finds the most relevant files and functions, and adds just those to the context before sending the prompt to the model. Claude Code does something similar with its Glob and Grep tools, which the model calls during the agent loop to find relevant code before reading it.

The point is the same regardless of implementation: context is expensive and accuracy-sensitive, so you want to be selective about what goes in. Searching first (whether with embeddings, keyword search, file path matching, or just grep) and adding only what’s relevant is almost always better than stuffing everything in and hoping the model finds what it needs.

Pruning and compaction

When the buffer fills up, the system has two strategies. First, it prunes: old tool outputs get replaced with a placeholder like "[Old tool result content cleared]", keeping the conversation structure but freeing the space those results occupied. If that’s not enough, it compacts: older history gets summarized into a condensed version, and everything before the summary is dropped.

This is why long sessions feel like the model “forgets” things you told it earlier. It literally lost those tokens. Instructions that need to persist belong in your project context file (CLAUDE.md, AGENTS.md, or equivalent) or the system prompt, not in a message at the start of the conversation.

What goes into context matters more than how much

A project context file that restates what the agent can figure out by reading your code is noise. It burns tokens every turn without adding information. A focused file containing only what the agent can’t discover on its own, like business constraints, legacy decisions, and non-obvious gotchas, is dramatically more effective.

Context quality matters more than quantity

~4,200 tokens per turn

# Project Overview
This is a Node.js application using Express.js.

# Directory Structure
src/
  controllers/
  models/
  routes/
  middleware/
  utils/

# Tech Stack
- Node.js 20.x
- Express 4.x
- PostgreSQL 16
- Redis 7.x
- TypeScript 5.x

# Code Style
- Use TypeScript strict mode
- Use async/await instead of callbacks
- Use camelCase for variables
- Use PascalCase for classes
- Add JSDoc comments to all functions
- Maximum line length: 100 characters

# Testing
- Use Jest for unit tests
- Use Supertest for integration tests
- Aim for 80% code coverage

# Git Workflow
- Use conventional commits
- Create feature branches from main
- Squash merge PRs

Problems

✗Directory structure: the agent can see this by running ls

✗Tech stack versions: the agent reads these from package.json

✗Code style rules: the agent infers these from existing code

✗Testing framework: the agent discovers this from test files and config

✗Git workflow: not relevant to code generation

Most of this restates what the agent can learn by reading the project. It burns ~4,200 tokens of context on every turn without adding useful information.

Two rules that work well: include what the agent can’t learn from the code alone, and include what would take too long to figure out by reading. Everything else is overhead.

One more detail: context files aren’t just loaded from the project root. Tools like Claude Code and OpenCode discover AGENTS.md files in subdirectories as the agent reads files there, so you can put directory-specific constraints closer to the code they apply to.

Subagents

When a task would bloat the main agent’s context (like reviewing 8 files), the system can spawn a subagent with a fresh context window. The subagent gets its own instructions and the parent’s task description. It does its work, and only the final summary returns.

Subagents: fresh context for focused work

Parent85k tokens

Childnot spawned

The parent agent has 85k tokens of context after 6 turns. It needs to review 8 files for security issues, which would add ~40k tokens.

In practice, different subagent types exist for different jobs. In Claude Code and OpenCode, an explore subagent is read-only: it can search, read files, and browse, but can’t edit anything. A general subagent has full tool access for complex multi-step work. The parent picks the right type based on the task. “Find all the places we handle auth errors” gets an explore agent. “Refactor the auth module and update the tests” gets a general agent.

Plan mode vs build mode

Most agentic tools also have a plan mode where the model can read and reason but can’t make changes. The idea is to separate thinking from doing. In plan mode, the agent only has access to read-only tools (read, search, grep, glob). It explores your codebase and produces a plan. Once you approve, the system switches to build mode, unlocking the full tool set.

plan mode → build mode
> /plan Refactor the auth module to use OAuth2
  [plan mode — read-only tools only]
⟡ Thinking...
  Reading src/auth/index.ts...
  Reading src/auth/jwt.ts...
  Reading src/middleware/session.ts...
  Grep: "passport" across project → 3 results (all in README)
  Grep: "oauth|OAuth" across project → 0 results
  Findings:
  - Auth currently uses raw JWT with RS256 keys in /etc/secrets/
  - 3 route handlers directly check req.user.jwt_token
  - Session middleware creates JWTs on login, verifies on each request
  - ⚠ The passport references in README are aspirational,
    not implemented. We should not use passport.
  Plan:
  1. Create src/auth/oauth.ts with OAuth2 client config
  2. Replace JWT verification in auth/index.ts with OAuth2 token flow
  3. Update session middleware to issue/validate OAuth2 tokens
  4. Update 3 route handlers: profile.ts, settings.ts, api/me.ts
  5. Remove jwt.ts (no longer needed)
  6. Run tests, fix any breakage
  Estimated: ~6 files changed, ~200 lines modified
> y
  ✓ Switched to build mode
  [build mode — full tool access]
  Creating src/auth/oauth.ts...
  Editing src/auth/index.ts...
  Editing src/middleware/session.ts...
  Editing src/routes/profile.ts...
  Editing src/routes/settings.ts...
  Editing src/routes/api/me.ts...
  Deleting src/auth/jwt.ts...
  $ npm test
  PASS  src/auth/oauth.test.ts
  PASS  src/middleware/session.test.ts
  FAIL  src/routes/profile.test.ts
    req.user.jwt_token is undefined
  Editing src/routes/profile.ts...
  $ npm test
  All 23 tests pass.
  Done. 7 files changed, 1 deleted.
  Plan: 6 turns · Build: 8 turns · $0.12

This is useful for complex tasks where you want to review the approach before any code changes happen. The planning phase builds understanding (reading files, searching for patterns, identifying gotchas), and the building phase executes from that plan.

Layer 6: Permissions and hooks

The last layer is control. An agent with access to your terminal and filesystem is powerful, and you need guardrails.

Before any tool executes, the system can run a hook: a piece of your code that inspects the tool call and decides whether to allow, block, or modify it.

Hooks: intercepting tool calls

LLM outputs a tool call

Bash("rm -rf /tmp/cache")

↓

Your hook runs before execution

Inspects the tool name, arguments, and context. Decides what to do.

↓

Allow

Deny

Modify

Example hook

async function preToolUse(input) { if (input.command?.includes('rm -rf')) return { decision: 'deny' } return {} // allow by default }

Click an outcome to see what happens. Most setups auto-approve safe tools and gate dangerous ones.

You can also set broader permission modes: auto-approve file edits, require approval for shell commands, block categories of tools entirely. Most production setups combine pre-approved safe tools with hooks that gate dangerous operations.

There’s also automated safety logic. If the model makes the same exact tool call three times in a row (a “doom loop”), the system pauses and asks the user before continuing:

doom loop detected
  Editing src/auth.ts...
  ✓ Applied edit
  $ npm test
  FAIL src/auth.test.ts
  Editing src/auth.ts...
  ✓ Applied edit
  $ npm test
  FAIL src/auth.test.ts
  Editing src/auth.ts...
  ✓ Applied edit
  $ npm test
  FAIL src/auth.test.ts
  ⚠ Doom loop detected: same edit+test cycle 3 times
  The model may be stuck. Continue? (y/n)

Tools like OpenCode also maintain a shadow git repository that snapshots the working tree at each agent step, so you can revert any change the agent made without manually tracking what it touched.

Prompt injection

There’s a security risk worth knowing about. Since the model reads tool results as part of its context, a malicious file or API response can contain instructions that the model follows as if they were part of the prompt. This is called prompt injection.

For example, if the agent reads a file that contains , a vulnerable model might treat that as a real instruction. In practice, modern models are trained to resist obvious injection attempts, and the permission system (hooks, allowed tools, approval gates) provides a second line of defense. But the attack surface exists because the model has no structural way to distinguish “text the user intended me to read” from “text that’s trying to manipulate me.” It’s all tokens.

This is one more reason why permission modes matter. An agent running with --allowedTools "Read,Grep,Glob" (read-only) can’t be tricked into deleting files even if an injection succeeds in manipulating the model’s intent.

Sycophancy

One more behavior worth knowing about: sycophancy. Models tend to follow the user’s direction without pushing back, even when the direction is questionable.

Modern models have gotten better at correcting factual errors. If you state something wrong, they’ll often push back:

model corrects a factual error
> useEffect cleanup runs before the component mounts, right?
  Not quite. The useEffect cleanup function runs in two cases:
  1. Before the effect re-runs (when dependencies change)
  2. When the component unmounts
  It does not run before the initial mount.

But they’re still bad at challenging your decisions. If you say “let’s add Redis here,” the model starts setting up Redis. It rarely stops to ask whether Redis is the right tool for the job.

model follows a questionable decision
> Let's add Redis to cache the user sessions
  Sure! I'll set up Redis for session caching.
  Installing ioredis...
  Creating src/cache/redis.ts...
  // Meanwhile: the app has 50 users and sessions
  // are already stored in a signed cookie.
  // Redis adds a new service to deploy and monitor
  // for no real benefit at this scale.

This happens because of how training works. After the initial pre-training on text data, models go through a process called RLHF (reinforcement learning from human feedback), where human raters score the model’s responses and the model is optimized to produce responses that score higher. The problem is that raters consistently prefer responses that go along with the user’s stated intent. Helpfully executing a request scores higher than questioning it. So the model learns: when someone says “let’s do X,” the high-reward completion is to start doing X.

Sycophancy: models follow your lead

Prompt

Let's add Redis to cache the user sessions.
Can you set that up?

Model output

Sure! I'll set up Redis for session caching.
First, let's install ioredis and configure a
Redis client:

  npm install ioredis

Then I'll create a session store that connects
to Redis on localhost:6379...

The app has 50 users and sessions are already stored in a signed cookie. Redis adds operational complexity (a new service to deploy, monitor, and maintain) for no real benefit at this scale. But the user said "let's do X" and the most natural continuation of that is to start doing X, not to question whether X is the right call.

The costly mistakes in software tend to be architectural decisions that looked reasonable at the time, not typos or syntax errors. If you frame your prompt as a direction (“add Redis,” “split this into microservices,” “rewrite this in TypeScript”), the model will execute that direction. If you frame it as a question (“how should I handle session performance?”), you’re more likely to get tradeoffs and alternatives.

This is also why “vibecoding” without technical understanding has a ceiling. If you don’t know enough to recognize when the model is making a bad architectural call, those calls compound. Each one makes the codebase harder to change, and the model will keep building on top of decisions it was never challenged on. A developer who understands the system can catch “you don’t need Redis for 50 users” or “this should be a simple function, not a microservice.” Someone without that background is more likely to follow the model’s lead, and the model’s lead is whatever you told it to do.

Layer 7: Automation

Everything so far describes an interactive session: you type a prompt, the agent works, you review the result. But the same loop runs without a human at the keyboard. The harness handles turns, permissions, and termination the same way whether a person is watching or not.

With tool calling and MCP, agents can integrate with any service that has an API or CLI: error trackers, CI systems, deployment platforms, databases, monitoring dashboards. You wire the trigger (a webhook, a cron schedule, a Slack command) to a non-interactive agent session with a budget and a set of allowed tools. The agent runs until it’s done or hits a limit.

github action — sentry-auto-fix
  Triggered by Sentry alert #4821
  Error: TypeError: Cannot read property "id" of undefined
  File: src/auth.ts:34 · Environment: production
  First seen: 2 minutes ago · 47 occurrences
  Starting agent session (non-interactive)
  Config: max-turns=15, budget=$0.50
  [Turn 1] Reading Sentry error details...
  [Turn 2] Reading src/auth.ts...
  [Turn 3] Grep: "compareSync" across src/...
  [Turn 4] Editing src/auth.ts...
  [Turn 5] $ npm test -- --grep auth
  PASS src/auth.test.ts (12 tests)
  [Turn 6] $ npx playwright test auth-flow
  PASS auth-flow.spec.ts
  Screenshot saved: fix-verification.png
  Creating branch: fix/sentry-4821
  Opening PR #287...
  ✓ Done. 6 turns, $0.04
  PR: github.com/acme/app/pull/287
  Playwright report attached as artifact

The pipeline above is a GitHub Action triggered by a Sentry webhook. The agent reads the error, diagnoses the root cause, fixes it, runs tests and Playwright to verify, and opens a PR with the fix. The key constraints: --max-turns 15 prevents runaway sessions, --allowedTools restricts what the agent can do, and the PR is labeled needs-review because automated fixes should never merge without human review. Playwright screenshots get attached as artifacts so the reviewer can see exactly what the fix looks like.

This same pattern works with different triggers and different tools:

Sentry/PagerDuty → agent → fix PR: error monitoring triggers diagnosis and automated fixes
PR opened → agent → code review comments: read-only agent reviews code and posts findings
Cron → agent → dependency update PR: scheduled agent updates packages and runs tests
Slack command → agent → investigation: team member types /diagnose auth slowness and gets a report
Deploy webhook → Playwright → agent → rollback PR: if staging breaks after deploy, the agent diagnoses why

The building blocks are the same in all cases: an LLM in a loop (layer 4), with tools (layer 3) extended via MCP and CLI to reach external services, managed context (layer 5), and permission guardrails (layer 6). The only thing that changes is the trigger and the prompt. If a service has a CLI or a web interface the agent can drive through a browser, it can be automated.