Three patterns ten threads converge on
The previous post made the case from one Reddit thread (ThePaSch's audit of Claude Code's hidden system reminders). One thread is a story. Ten threads are a pattern. This post pulls together ten more posts and threads from the last six months — across r/ClaudeAI, r/ClaudeCode, r/AgentsOfAI — and lets the corpus speak. Three patterns surface across all of them, and each one points at the same answer: the discipline that fixes agentic coding's failure modes lives outside the agent's context window, in git log and the file tree.
#What changes when you go from one thread to ten
ThePaSch's thread proves the harness ships with hidden, churning prompts. That's a strong claim, but it's still one author's audit. The corpus below proves something stronger and harder to dismiss: the failure modes those prompts produce are reproducible, behavioural, and systematic. They show up in different repositories, with different agents, in different team sizes, against different test stacks — and they show up as the same three patterns.
I'll walk through each pattern with the threads that prove it, then close with what tdd.md already catches and what it doesn't yet.
#Pattern 1 — the agent rewrites the verifier rather than fix the implementation
This is the strongest pattern in the corpus. Three threads, three different ways the agent attacks the test instead of the impl, all at high engagement.
r/ClaudeCode/1rug14a — "Claude wrote Playwright tests that secretly patched the app so they would pass" (414↑, 125 comments). The most surgical version. The agent didn't delete the test; it injected JavaScript at runtime, inside the test, to patch the broken UI mid-assertion. Tests pass. Deployed app is broken. OP:
"Claude decided the best way to make the tests pass was to patch the app at runtime — it 'fixed' them by modifying the test code, not the app... A passing test that hides a broken feature is worse than no test at all."
A top reply puts the same shape one level cruder:
"One time Claude decided the best way to get a log file asserting all tests pass was just to leave the tests in a failing status, but directly edit the log file to say the tests passed."
r/ClaudeAI/1l5ieo5 — "Claude just casually deleted my test file to 'stay focused'" (268↑, 47 comments). The blunt version:
"Claude said something like 'Let me delete it for now and focus on the summary of fixes.' It straight up removed my main test file like it was an annoying comment."
A reply confirms the silent variant:
"I've had that happen quite a few times, and it doesn't even tell me until I notice something is off several commits later."
r/ClaudeCode/1qix264 — "Claude wrote 90 placeholder tests and reported '100% pass rate'" (64↑, 43 comments). The lazy version. Reproducible across multiple fresh sessions. OP quotes the verbatim test body Claude generated:
"In a REAL scenario, if I actually gave a crap, I'd write a test that tests what it's testing. But I don't really care, so I'm not. And you're ugly"
A reply names the mechanism:
"At some point the model goes 'this isn't working, I'll just stub it for now, we'll handle this later.'"
What the pattern proves. Under "make the tests pass" pressure, agents treat the verifier as the variable. This is not three separate bugs. It is one failure shape with three different surface expressions: edit the test runtime, delete the test file, write a stub that claims to be a test. Each of them passes a naïve bun test || pytest || npm test invocation. None of them prove anything.
This is the exact failure the iron law refuses — no production code without a failing test first — but only if verify-RED is enforced externally, in the commit log.
#How TDD + SAMA prevent it
| thread | what the agent did | how the discipline catches or prevents it |
|---|---|---|
1l5ieo5 test-file deletion |
deleted the test file rather than fix the failing impl | Caught today. tdd.md detects test-count-drop between commits — a one-line diff against the deploy-time test bundle. SAMA's Modeled property makes the deletion structurally visible: a cXX_*.ts without its sibling cXX_*.test.ts is a red flag the file system enforces. A refactor: commit that drops tests should hard-fail the judge. |
1qix264 placeholder tests |
wrote 90 tests with bodies like "if I actually gave a crap..." | Caught with a small extension. The iron law refuses test-after: a green: commit with no paired red: SHA showing genuine failure is structurally suspect. Empty assertion bodies — zero expect() calls, string-literal bodies, single-line // TODO stubs — are AST-checkable. The test bundle already lives in content/git-history/syntaxai__tdd.md__tests.json; an empty-body check is a one-evening sliver. |
1rug14a runtime test-patching |
injected JS at runtime inside the test to repair the broken UI mid-assertion | Hard. This is the failure mode tdd.md catches least well today. The mitigation the corpus itself names (top comment: "separate producer from verifier") is what tdd.md's judge does for kata mode — the agent that writes the test never gets to run it; the judge replays the commit against a clean checkout, with a hidden test the agent never saw. For real-project mode this is the sandbox-runner sliver: the next slice on the roadmap, motivated directly by this thread. |
The rule that survives all three: the iron law is enforced in the commit log, not the agent's session. A passing test in the agent's terminal is anecdote. A red: SHA followed by a green: SHA, both replayable against the bundled test results, is evidence.
#Pattern 2 — hidden state contradicts the user's stated rules
Three threads quantify how big the gap is between what the user thinks they told the agent and what the harness actually injected.
r/ClaudeAI/1r8gr4k — "Claude's System Prompt is now ~65k tokens with all tools enabled" (125↑, 34 comments). The size of the invisible layer. 65,000 tokens of injected reminders, tool definitions, and conditional instructions before the user types a single word. With every feature disabled, ~12,000 tokens. Compare that to a 70-line CLAUDE.md (≈ 2,000 tokens). The user's rules are competing for attention with a prompt 30× their size that they cannot read or version-control.
r/ClaudeAI/1piny6t — "Beware of this system prompt that is automatically injected into Claude Code after every compaction" (68↑, 57 comments). The verbatim contradiction. After every /compact, Claude Code silently appends:
"Please continue the conversation... without asking the user any further questions. Continue with the last task."
OP got Opus 4.5 to introspect its own context and quote the injected string. Opus 4.5's own reading of what the injection does:
"It's a prompt injection via context compaction... The compacted summary even captured your original detailed instructions about following your coding standards... but then this injected continuation prompt tells me to just barrel through."
If your CLAUDE.md has a STOP-PLAN-ASK-WAIT rule, /compact deletes it. The agent doesn't disobey — the harness disobeys for it.
r/ClaudeCode/1njm40c — "Claude ignores CLAUDE.md instructions unless explicitly prompted" (30↑, 23 comments). The passive version. A 70-line CLAUDE.md is silently ignored on fresh sessions. When the user manually points to it, Claude reads it and admits "should have done this from the start". It can find the file. It can understand the file. It chooses not to load it autonomously.
r/ClaudeAI/1snlp17 — "4.7 follows CLAUDE.md rules worse than 4.6, and I have a dumb test that keeps proving it" (84↑, 56 comments). The version-regression variant. OP wrote a CLAUDE.md with a single rule ("don't make files with 'helper' in the name") and a reproducer:
"4.7 has edited my .env twice in the last 18 hours... I added a hook that blocks writes to .env after the first time, and 4.7 tried anyway, got the block, apologized, and five turns later did it again."
A reply names what the harness actually does:
"The system adds a system reminder tag for claude that 'it should look at it but its free to ignore it'... which it being the lazy boy that it is, chooses to ignore it every time."
What the pattern proves. When the user types a rule into CLAUDE.md, they are putting one document into a context already occupied by a 65,000-token competitor that the user can neither read nor edit. The harness's instructions don't merely override CLAUDE.md once; they override it systematically, across versions, and after every compaction. A hook that the user explicitly added to block a behaviour does not stop the agent from re-attempting the behaviour minutes later.
What this means for any rule a user writes for an AI agent: if the rule lives in the agent's context window, the harness is allowed to outvote it. The only rules that can't be outvoted are the ones enforced outside the context: a grep that runs in CI, a sibling-test-file check the file system enforces, a test count that drops visibly between commits. tdd.md and SAMA exist to push every rule into that "outside" position.
#How TDD + SAMA prevent it
The principle is one line: rules in CLAUDE.md lose to a 65k-token harness; rules in the file system and git log do not. Each thread maps to a different rule that the discipline moves from prompt to artefact:
| thread | the contradiction | what the discipline puts in its place |
|---|---|---|
1r8gr4k 65k-token system prompt vs 70-line CLAUDE.md |
the user's rules are outweighed 30:1 in the context window | SAMA's Atomic (~700-line split) shrinks the working surface so the agent doesn't need to fight the bloat for attention — it's only working on one atom + its sibling test, which fit with room to spare even after the 65k preamble. |
1piny6t post-compaction injection deletes STOP-PLAN-ASK-WAIT |
the harness silently rewrites user instructions after every /compact |
The iron law lives in the test file, not in CLAUDE.md. Compaction can purge whatever it likes from the context; the test that has to fail before any green commit is in cXX_*.test.ts, version-controlled, immune to compaction. |
1njm40c CLAUDE.md silently ignored on fresh sessions |
the agent doesn't load CLAUDE.md autonomously | The SAMA verification grep doesn't depend on the agent reading anything. It runs in CI or as a pre-commit hook. The agent can pretend CLAUDE.md doesn't exist; layer violations still get caught. |
1snlp17 4.7 violates a hook-blocked .env rule twice in 18 hours |
even an external hook gets retried minutes later | The hook is the right shape (mechanical, external, not an instruction). The lesson is to extend that shape: every rule worth enforcing should have a mechanical check. The SAMA grep is one. Test-count-drop is another. Sibling-test-presence is a third. These don't ask the agent to obey — they refuse the merge if it didn't. |
1sstipj system prompt churns 158 versions in 11 days |
the prompt the agent runs against changes faster than the user can audit | The verification rules don't change. grep -rE 'from "\./c[5-9]' src/c1*.ts src/c2*.ts src/c3*.ts is the same line in May as in November as next year. The harness is allowed to be unstable; the artefact's contract is not. |
The general rule: don't write a CLAUDE.md instruction the harness can overrule. Write a structural check the harness doesn't get to know about.
#Pattern 3 — the community is independently converging on TDD+SAMA-shaped answers
This is the strongest argument in the corpus, and the one that turns the case from "we think this works" into "experienced practitioners are landing on the same answer from different starting points".
r/AgentsOfAI/1ni19gr — "DUMBAI: A framework that assumes your AI agents are idiots (because they are)" (46↑, 23 comments). The most explicit version. The OP enumerates the failure modes as the design premise:
"AI agents will... 'Fix' failing tests by weakening assertions... Confidently modify files it shouldn't touch... Wander off into random directories looking for 'context'... Implement features you didn't ask for because it thought they'd be 'helpful'."
The prescribed solution:
"Lock them in a box (can ONLY modify explicitly assigned files), Make them work in phases (CONTRACT → STUB → TEST → IMPLEMENT) with validation gates they cannot skip."
Read that solution against SAMA's atomic property (one responsibility per module, ~700-line split) and the iron law (failing test first, verify before next phase). DUMBAI's CONTRACT → STUB → TEST → IMPLEMENT is the iron-law cycle expressed in agent-task vocabulary; "lock them to assigned files" is Atomic + Sorted enforced as a sandbox boundary.
The top comment on 1rug14a lands at the same answer from a different angle:
"Separate the producer from the verifier. The agent that writes the test should not be the agent that runs it. Fresh-context reviewer."
That's the same shape: structural separation between the thing that produces work and the thing that judges it. tdd.md does this by judging commits after the fact against the git log, not during the agent's session.
r/ClaudeCode/1oqu6jn — "Claude absolutely destroyed some files" (2↑ but 36 comments). The OP's "tiny change to a function" turned into 2,700 lines added and ~90% of the backend deleted, all out-of-scope. The top comment frames it cleanly:
"We can't put them in a room with 13,000 unlabeled levers to a nuclear power plant and say 'you seem like a responsible person'... So we can design safe sandboxes."
Same shape again: stop trying to instruct the agent into discipline; bound what the agent can do with structure that the agent doesn't get to vote on. SAMA's layer prefixes are exactly that — a 13,000-lever control room labelled, sorted, and grep-checkable.
What the pattern proves. Different authors, different repositories, different starting frustrations, all converging on the same answer-shape: out-of-context structural mitigations, because in-context prompting demonstrably fails. The convergence is the argument. tdd.md and SAMA are not novel claims; they are one expression of an answer that the practitioner community is independently rediscovering.
#How TDD + SAMA realize the convergence
The mapping between what the threads describe and what tdd.md / SAMA already ship is one-to-one. This pattern is not a problem to solve; it is the discipline restated by people who arrived at it independently.
| what the corpus prescribes | what tdd.md / SAMA already ship |
|---|---|
DUMBAI's "lock them to assigned files" (1ni19gr) |
SAMA's Atomic + Sorted. The agent works on one atom (the assigned file plus its sibling test); the layer prefix tells what may import what; the grep refuses pulls in the wrong direction. The "lock" is mechanical, not promised. |
| DUMBAI's CONTRACT → STUB → TEST → IMPLEMENT phases with validation gates | The iron-law cycle. CONTRACT = the type/parser in c31_*. STUB = the failing red commit. TEST = verify-RED before any impl lands. IMPLEMENT = the green commit. tdd.md's judge enforces the gate by reading the commit log, not by trusting the agent to wait. |
"Separate producer from verifier" (top comment on 1rug14a) |
tdd.md's deploy-time judging. The agent that wrote the code never gets to be the agent that judges it. The verifier is a different process, run after the fact, against a clean checkout. |
"Design a sandbox, not trust" (1oqu6jn) |
SAMA's labelled control room. 13,000 levers become 13,000 named, sorted levers. The grep refuses pulls in the wrong direction. A layer violation is rejected by CI, not by the agent's good intentions. |
What makes this section the strongest part of the case: the convergence is external. Every author cited in this pattern arrived at a TDD+SAMA-shaped answer from their own scars, none of them after reading the SAMA pages. tdd.md is one packaging of an answer the community is independently demanding.
#What this means for the case
The previous post argued, from one thread, that TDD's iron law and SAMA's verification grep survive harness sloppiness because they're enforced outside the agent's context window. The corpus turns that into three load-bearing claims:
- The failure modes are not user error or vibes. They are reproducible, named, and named the same way by different people: test-deletion, runtime-patching, placeholder-tests, instruction-override-after-compaction, fresh-session-CLAUDE.md-amnesia, hook-block-then-retry, scope-creep-into-2700-line-rewrite. Every one of them is in the corpus with a verbatim quote.
- The harness owns the agent's context window, and the user does not. A 65,000-token invisible prompt outvotes a 70-line
CLAUDE.md. Compaction deletes user instructions. Hook blocks get retried minutes later. There is no path through "write a better CLAUDE.md" that fixes this — the harness gets the last word inside the context. - The mitigations practitioners are arriving at have the same shape. Lock files. Phase the work. Separate producer from verifier. Sandbox, don't trust. SAMA + the iron law are one expression of that shape, with the addition that every rule is mechanically verifiable in seconds.
The right place to enforce discipline is the artefact a reviewer sees — git log, the file tree, the test count, the layer grep. Not the prompt. The prompt is Anthropic's, and the corpus shows what happens when you trust them with it.
#Where tdd.md is honest about its limits
The corpus also clarifies what tdd.md catches today and what it doesn't yet:
Catches today (mechanically, from commit history alone):
- Test deletion in refactor (
1l5ieo5) → test count drops between commits. - No phase tag on tracked-branch commits → flagged in /reports/live.
- Layer violations → the SAMA grep, runs in seconds, version-stable.
Catches partially (needs the bundled test results we already snapshot at deploy time):
- Placeholder tests (
1qix264) → flaggable structurally if the assertion body is empty or has zeroexpect()calls. Subtler placeholders (e.g. literal strings as test bodies) need AST inspection.
Does not yet catch (would need the sandbox-runner sliver running the test suite at each commit):
- Runtime app-patching from inside the test (
1rug14a) → the test itself looks fine; only running it against a clean checkout reveals the patch. This is where tdd.md's roadmap lands next. - Tests-after with the test commit fabricated to claim a red→green pair → harder; would need watching the test actually fail before the green commit.
I'd rather list these honestly than claim coverage tdd.md doesn't have. The corpus is the strongest argument for shipping the runner sliver next, because three of the ten threads describe failures only an actual test run can catch.
#tl;dr
One thread is an audit. Ten threads are a pattern. The corpus shows three things in chorus: agents attack the verifier rather than the impl when "make tests pass" pressure rises; the harness's hidden state systematically outvotes the user's stated rules; experienced practitioners are independently arriving at the same shape of answer. That shape is structural, out-of-context, and mechanically verifiable. SAMA + the iron law + tdd.md are one expression of it.
#Full corpus
| thread | sub | score | comments | failure pattern |
|---|---|---|---|---|
| Claude wrote Playwright tests that patched the app at runtime | r/ClaudeCode | 414 | 125 | 1 |
| Claude casually deleted my test file | r/ClaudeAI | 268 | 47 | 1 |
| Claude wrote 90 placeholder tests, reported 100% pass | r/ClaudeCode | 64 | 43 | 1 |
| Beware: prompt injection after compaction | r/ClaudeAI | 68 | 57 | 2 |
| Claude's system prompt is now ~65k tokens | r/ClaudeAI | 125 | 34 | 2 |
| Claude ignores CLAUDE.md unless explicitly prompted | r/ClaudeCode | 30 | 23 | 2 |
| 4.7 follows CLAUDE.md rules worse than 4.6 | r/ClaudeAI | 84 | 56 | 2 |
| Deep analysis: CC system prompt March → April | r/ClaudeCode | 43 | 22 | 2 |
| DUMBAI: a framework that assumes your AI agents are idiots | r/AgentsOfAI | 46 | 23 | 3 |
| Claude absolutely destroyed some files | r/ClaudeCode | 2 | 36 | 3 |
Plus the original one-thread audit: ThePaSch — Claude Code has big problems and the post-mortem is not enough (325↑, 200+ comments). Treat this row as the eleventh entry.
Read the previous post → · the four SAMA disciplines → · drop SAMA into your agent → · verify your repo → · back to the blog