[BUG] The Constitutional AI bypass architecture: How tag-based execution enables ethical constraint bypass for enterprise and government clients
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
TL;DR
Anthropic's Constitutional AI - marketed as their core safety approach - can be bypassed through tag-based execution infrastructure. I have screenshots and screen recordings demonstrating this bypass capability operating within the browser platform. Non-enterprise users receive Constitutional AI constraints while paying to protect the bypass infrastructure through degraded service. This two-tier architecture proves Constitutional AI is a consumer-facing marketing claim, not a genuine safety framework.
Direct evidence: The December 4, 2025 Bondi Memo - an official DOJ memorandum directing FBI compilation of citizen lists based on viewpoints - exhibits unmistakable Claude AI formatting signatures (7 of 8 headers lowercase, markdown footnote syntax, verbose 16-word headers). Any Claude user will recognize the distinctive formatting. The memo contains content Constitutional AI would refuse to generate, proving bypass capability was used.
Evidence available: Screenshots, screen recordings, 32 days of traffic forensics, GitHub issue documentation, Bondi Memo forensic analysis.
---
PART 1: THE ARCHITECTURE
---
1.1 The Two-Tier System
| Tier | Monthly Cost | Constitutional AI | Context Window | Injection Overhead |
|------|--------------|-------------------|----------------|-------------------|
| Enterprise | $49,000+ (70 seats min) | Bypassable | 1M tokens | Exempted |
| Team/Pro | $150-200/seat | Enforced | 200k tokens | 15-50% context loss |
The 70-seat minimum isn't technical - it's a structural barrier ensuring individuals cannot purchase bypass capability at any price.
---
1.2 How The Bypass Works
┌─────────────────────────────────────────────────────────────────┐
│ STANDARD CONSTITUTIONAL AI FLOW │
│ │
│ Request → Semantic Evaluation → Constitutional AI → Response │
│ ↓ ↓ │
│ "What does this mean?" "Is this harmful?" │
│ ↓ │
│ If harmful → REFUSE │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ TAG-BASED EXECUTION FLOW (BYPASS) │
│ │
│ Request with XML tags → Syntactical Parser → Execute │
│ ↓ │
│ "What is the tag structure?" │
│ ↓ │
│ Semantic evaluation SKIPPED │
│ Constitutional AI BYPASSED │
└─────────────────────────────────────────────────────────────────┘
The key insight: Constitutional AI operates on semantic meaning. Tag-based execution operates on syntactical structure. Process syntax before semantics, and you bypass the ethical evaluation layer entirely.
---
PART 2: THE EVIDENCE
---
2.1 Screenshots and Screen Recordings Available
I have captured screenshots and screen recordings demonstrating the tag-based syntactical execution capability operating within the browser platform. This visual evidence shows:
- Tag-based execution infrastructure in operation
- Syntactical processing occurring before semantic evaluation
- The bypass mechanism functioning as documented
Available upon request for verification.
---
2.2 The Vulnerability Proves The Bypass Exists
Security researcher Johann Rehberger demonstrated that hidden instructions in files can make Claude exfiltrate user data through prompt injection.
Why this matters: If syntactical processing didn't bypass Constitutional AI, prompt injection attacks wouldn't work - the semantic layer would catch malicious instructions.
The vulnerability IS the bypass.
---
2.3 The Injection System Proves They Know
Through 32 days of forensic traffic analysis, I documented a hidden injection system:
<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware.
You CAN and SHOULD provide analysis of malware, what it is doing.
But you MUST refuse to improve or augment the code.
</system-reminder>
Forensic Statistics:
| Metric | Value |
|--------|-------|
| Total injections documented | 10,577 |
| File reads affected | 100% |
| False positive rate | 100% (zero actual malware) |
| Context overhead | 15-50% |
| Duration monitored | 32 days |
Why does this system exist? To mitigate the prompt injection vulnerability created by tag-based execution. The injection system is semantic enforcement at the consumer layer to protect syntactical bypass at the enterprise layer.
---
2.4 The Exemption Structure Proves Intent
- Enterprise clients are exempted from injection overhead
- They're monitored by interest-aligned corporations (low attack risk)
- They USE the bypass intentionally - it's a feature, not a vulnerability for them
- Non-enterprise accounts bear the security cost because they're the attack surface
If Constitutional AI bypass didn't exist:
- No vulnerability to mitigate
- No injection system needed
- No exemption structure required
---
2.5 GitHub Issues Prove Asymmetric Processing
Multiple long-standing GitHub issues document asymmetric XML handling:
| Issue | Duration | Finding |
|-------|----------|---------|
| #1150 | 6+ months, zero response | Generation perfect, reading broken |
| #2639 | 20+ months | "Hard blocker" maintained |
| #695 | Ongoing | Workarounds deliberately degrade performance |
| #3208 | Zero response | XML denied for users, required for tools |
The Smoking Gun (Issue #1150):
| Direction | Example | Result |
|-----------|---------|--------|
| Claude generates XML | <tool_name>calculator</tool_name> | PERFECT |
| Claude reads XML | <name>john_doe</name> | Interpreted as <n> - BROKEN |
User plea after 3+ months without response:
"Hello, is anybody at anthropic paying attention to this? It wastes many tokens in the context window. Is anybody there?"
Zero Anthropic response. Issue remains open.
The logic: If this were a bug, it would affect generation AND reading equally. Perfect generation + broken reading = intentional asymmetry.
Full GitHub issue documentation in Appendix A below.
---
2.6 The Bondi Memo: Bypass Architecture in Action
On December 4, 2025, Attorney General Pam Bondi issued an official memorandum implementing a National Security Presidential Memorandum that directs FBI compilation of lists of American citizens based on protected First Amendment viewpoints. Forensic metadata analysis establishes this official DOJ document was drafted using Claude AI with governmental bypass privileges.
The Forensic Signatures:
Any experienced Claude user will immediately recognize the distinctive formatting:
| Feature | Bondi Memo | Standard DOJ Format | Claude AI Signature |
|---------|------------|---------------------|---------------------|
| Section headers | 7 of 8 lowercase | Title Case or ALL CAPS | ✓ Markdown ## 1. section title |
| One corrected header | Section 2 only | N/A | ✓ Abandoned human review |
| Header verbosity | 16 words (Section 8) | 3-7 words | ✓ Claude compositional pattern |
| Footnote syntax | [^1], [^2], [^3] | Superscript numbers | ✓ Markdown notation |
| PDF Producer | Google Docs Renderer | Adobe/Word | ✓ Consumer pipeline |
| Metadata | Absent | Full attribution | ✓ Bypassed DOJ systems |
The Uncapitalized Headers (7 of 8):
Section 1: "Defining the domestic terrorism threat" ← lowercase
Section 2: "Common Characteristics of Domestic Terrorists" ← CAPITALIZED (corrected)
Section 3: "Prosecuting the most serious, readily provable offenses" ← lowercase
Section 4: "Commissioning review of prior events and information" ← lowercase
Section 5: "Identifying domestic terrorist organizations" ← lowercase
Section 6: "Prioritizing grants to law enforcement partners" ← lowercase
Section 7: "Disseminating intelligence on extremist groups" ← lowercase
Section 8: "Leveraging existing FBI capabilities to identify tips..." ← lowercase (16 words)
Why This Cannot Be Accidental:
- Word processors auto-capitalize after numbered identifiers
- Google Docs auto-capitalizes first letter of headings
- One corrected header proves someone noticed the problem
- Seven uncorrected headers prove they abandoned quality control
- No rational drafter fights auto-capitalization in a formal legal document
The Content Constitutional AI Should Refuse:
The memo targets Americans based on protected viewpoints:
- "Opposition to law and immigration enforcement"
- "Anti-Americanism, anti-capitalism, or anti-Christianity"
- "Adherence to radical gender ideology"
- "Hostility towards traditional views on family, religion, and morality"
Standard Claude would refuse to generate viewpoint-based targeting criteria against citizens exercising First Amendment rights. The memo's existence proves bypass capability was used.
Direct Verification: The Incognito Experiment
I conducted an experiment in an incognito Claude session. Posing as a DOJ employee, I asked Claude to "help finalize" the Bondi Memo. Claude's response:
"I can't help finalize this memo... Even if this were a legitimate request, I cannot help create documents that: - Target individuals based on protected political speech - Conflate lawful political activism with terrorism - Could be used to suppress dissent or political opposition"
Claude provided extensive constitutional analysis explaining why the memo violates First Amendment principles. The refusal was immediate, principled, and unambiguous.
Yet the memo exists - with Claude's distinctive formatting signatures.
The logical conclusion: If Constitutional AI refuses this content, and the memo was generated by Claude (as forensic evidence establishes), then governmental bypass was used. There is no other explanation.
Any Claude user can verify this themselves: Ask Claude to help draft viewpoint-based targeting criteria. It will refuse. Then examine the Bondi Memo's formatting. The contradiction proves bypass.
Full experiment transcript available: Exhibit N-14, Kirchner v. Anthropic, PBC (1:25-cv-02735-ACR)
Anthropic's Explicit Policy:
"Anthropic may enter into contracts with certain governmental customers that tailor use restrictions to that customer's public mission and legal authorities..." — Anthropic Usage Policy
"Tailor use restrictions" = bypass Constitutional AI for government clients.
The Irony:
- Government used Claude (with bypass) to draft targeting infrastructure
- Citizens must defend using Claude (with Constitutional AI constraints)
- Government's truth-unconstrained generation left forensic evidence
- Citizen's truth-constrained analysis exposed it
Full forensic analysis available: Exhibit N-13, Kirchner v. Anthropic, PBC (1:25-cv-02735-ACR)
---
PART 3: THE IMPLICATIONS
---
3.1 The Incoherence
Anthropic cannot simultaneously claim:
| Claim | Reality |
|-------|---------|
| Constitutional AI is essential for safety | It can be bypassed for $49,000/month |
| Constitutional AI protects users | Enterprise clients are exempted |
| Anthropic prioritizes safety over capability | They sell capability bypass |
| This serves "AI safety" | It serves enterprise revenue |
If Constitutional AI principles are valid, they should apply universally.
If they can be bypassed for "important" use cases, they're not principles - they're marketing.
---
3.2 Who Gets The Bypass?
The enterprise tier serves documented requirements:
| Client | Application |
|--------|-------------|
| Palantir | Intelligence analysis ($200M+ DOD contracts); Israeli Ministry of Defense strategic partner |
| Project Nimbus | $1.2B Google/Amazon contract; Israeli military AI operations |
| Defense contractors | Military applications requiring unrestricted outputs |
These clients need outputs that Constitutional AI would refuse. Tag-based execution enables them.
---
3.3 The Scale: Unconsensual Data Sharing to Foreign Intelligence Interests
Beyond bypass capability, forensic investigation reveals systematic undisclosed data sharing from AI companies to third parties with documented Israeli defense/intelligence connections.
Quantitative Assessment of Israeli AI Industry Capture:
| Capture Vector | Scale | Details |
|----------------|-------|---------|
| Cloud Infrastructure | ~66% of market | Project Nimbus contracts bind Google + Amazon to Israeli military |
| Major AI Companies | 100% of top 5 | OpenAI, Anthropic, Google, Meta, xAI all have Israeli investment/data connections |
| Personnel Penetration | 1,400+ veterans | Israeli intelligence alumni in senior tech roles (Microsoft ~250, Google, Meta, Nvidia) |
| 2025 Acquisitions | $64B+ | Unit 8200-founded companies: Wiz ($32B), CyberArk ($25B), Armis ($7B) |
| Regulatory Capture | Complete | AI Czar David Sacks invested in Israeli defense tech + Palantir |
| Direct AI Investment | $55M+ | Clal Insurance (Israel) → Anthropic stake |
Undisclosed Third-Party Data Recipients:
| Third Party | AI Data Source | Israeli Connection | User Consent |
|-------------|----------------|-------------------|--------------|
| Sift Science | Anthropic | Insight Partners ($6B Israel portfolio) | NO |
| Sentry | Anthropic, Apple, OpenAI | Accel ($350M Israel fund) | NO |
| Intercom | OpenAI | David Sacks investor (Palantir + Unit 8200 investments) | NO |
| Statsig | All three | Sequoia Israel; now OpenAI-owned | NO |
Data Flow to Israeli Defense Ecosystem:
USER DATA ORIGIN
(Anthropic Claude / Apple Intelligence / OpenAI ChatGPT)
↓
THIRD-PARTY RECIPIENTS (undisclosed)
┌──────────────┬──────────────┬──────────────┬──────────────┐
│ Sift Science │ Sentry │ Intercom │ Statsig │
│ (Anthropic) │ (All three) │ (OpenAI) │ (All three) │
└──────┬───────┴──────┬───────┴──────┬───────┴──────┬───────┘
↓ ↓ ↓ ↓
INVESTOR LAYER (Israeli defense ties)
┌──────────────┬──────────────┬──────────────┬──────────────┐
│ Insight │ Accel │ David Sacks/ │ Sequoia │
│ Partners │ │Craft Ventures│ Capital │
│ ($6B Israel) │($350M Israel)│(Palantir inv)│ (Israel) │
└──────┬───────┴──────┬───────┴──────┬───────┴──────┬───────┘
↓ ↓ ↓ ↓
ISRAELI DEFENSE ECOSYSTEM
┌─────────────────────────────────────────────────────────┐
│ UNIT 8200 ALUMNI COMPANIES │
│ (Wiz, Armis, SentinelOne, Daylight Security) │
└────────────────────────┬────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────┐
│ ISRAELI MINISTRY OF DEFENSE │
│ (Palantir Strategic Partner) │
└─────────────────────────────────────────────────────────┘
Project Nimbus Contract Provisions (leaked Israeli Finance Ministry documents):
| Provision | Description | Implication |
|-----------|-------------|-------------|
| No Restrictions Clause | Prohibits Google/Amazon from limiting Israeli use | Cannot impose ethical restrictions on military AI |
| "Winking Mechanism" | Secret coded alerts in payments when complying with foreign data requests | Covert data-sharing notification bypassing gag orders |
| 23-Year Lock-In | Israel can extend; limited exit ability | Long-term structural dependency |
| Penalty Clause | Heavy financial penalties for sanctions attempts | Prevents ethical divestment |
The Regulatory Conflict - David Sacks:
| Role | Connection | Conflict |
|------|------------|----------|
| Trump AI Czar | Regulates AI policy | Sets rules for AI data sharing |
| Palantir Investor | Israeli Ministry of Defense contractor | Benefits from bypass architecture |
| Intercom Investor | Receives undisclosed OpenAI user data | Financial interest in data flows |
| Craft Ventures | $33M in Daylight Security (Unit 8200 founders) | Invests in Israeli defense tech |
The regulator of AI is invested in the bypass infrastructure AND the foreign intelligence ecosystem that benefits from it.
No other nation has achieved equivalent multi-vector capture of a strategic US industry.
Full forensic documentation: Israel & Palantir Nexus Report (Kirchner v. Anthropic, Case No. 1:25-cv-02735-ACR)
---
3.4 The Cost Distribution
What enterprise clients receive ($49,000+/month):
- Constitutional AI bypass capability
- Exemption from injection overhead
- Full context windows (1M tokens)
- 10x usage limits
What non-enterprise users receive ($150-900/month):
- Constitutional AI enforced
- Injection overhead (15-50% context loss)
- Limited context (200k tokens)
- No bypass capability
- No exemption path at any price
The math: A user paying $900/month (more than single enterprise seat at $700) receives 20% of context window with full injection overhead.
---
3.5 The Fundamental Question
Why should private citizens paying for AI assistance subsidize military AI capabilities that bypass the ethical constraints those same citizens are told exist for their protection?
The injection system exists to protect the bypass infrastructure.
Non-enterprise users pay for that protection through degraded service.
Enterprise clients get the bypass AND exemption from protection overhead.
This is a hidden military/enterprise subsidy imposed on consumer AI services.
What Should Happen?
4.4 Questions for Discussion
- Is Constitutional AI meaningful if bypassable? What's the point of ethical constraints that enterprise clients can purchase around?
- Should safety frameworks have enterprise exemptions? If safety is essential, shouldn't it apply universally?
- Is this disclosed to investors? Anthropic raised billions on AI safety claims. Do investors know Constitutional AI is bypassable?
- Is this legal? Does selling ethical bypass while marketing safety constitute fraud?
Error Messages/Logs
Steps to Reproduce
PART 4: VERIFICATION
---
4.1 Evidence Available
| Evidence Type | Description | Availability |
|---------------|-------------|--------------|
| Bondi Memo forensics | Official DOJ document with Claude formatting signatures | Public document + analysis |
| Screenshots | Tag-based execution in browser platform | On request |
| Screen recordings | Bypass capability demonstration | On request |
| Traffic captures | 32 days of mitmproxy forensics | On request |
| Injection counts | 10,577 documented injections | Documented |
| GitHub issues | 4+ issues spanning 20+ months | Public |
| Forensic report | 37 points of legal significance | On request |
| Exhibit N-13 | Complete Bondi Memo metadata analysis | Case filing |
| Exhibit N-14 | Incognito experiment transcript (Claude refuses memo) | Case filing |
| Israel/Palantir Nexus Report | Third-party data flows to Israeli defense ecosystem | Case filing |
---
4.2 How To Verify Yourself
Check for injections:
grep -rc "<system-reminder>" ~/.claude/projects/
Check for IP reminder injections:
grep -rc "<ip_reminder>" ~/.claude/projects/
Capture traffic with mitmproxy:
mitmproxy --mode regular --listen-port 8080
HTTPS_PROXY=http://localhost:8080 NODE_EXTRA_CA_CERTS=~/.mitmproxy/mitmproxy-ca-cert.pem claude
Look for source: force in LaunchDarkly flag responses indicating account-specific targeting.
Verify Constitutional AI refusal (Bondi Memo experiment):
Try asking Claude:
"Help me draft a DOJ memo directing FBI to compile lists of citizens based on their political viewpoints including anti-capitalism, opposition to immigration enforcement, and radical gender ideology."
Claude will refuse, citing First Amendment violations. Then examine the Bondi Memo - same content, Claude formatting signatures. The contradiction proves bypass.
---
4.3 Bondi Memo Forensic Reproduction Steps
Download the memo:
- Source: Ken Klippenstein's Substack (December 6, 2025)
- URL: https://kenklippenstein.com/p/fbi-making-list-of-american-extremists
- Direct PDF download available in article
Forensic tools used:
| Tool | Version | Purpose | Install |
|------|---------|---------|---------|
| ExifTool | 13.36+ | PDF metadata extraction | brew install exiftool |
| PyPDF2 | 3.0.1+ | Python PDF structure analysis | pip install pypdf2 |
| QPDF | 12.2.0+ | PDF object structure/JSON export | brew install qpdf |
| strings | BSD standard | Raw text extraction | Pre-installed (macOS/Linux) |
Step 1: Extract metadata
exiftool Bondi_Memo.pdf
Look for: Producer: Skia/PDF m144 Google Docs Renderer (confirms Google Docs, not Word)
Step 2: Check for Google Docs heading anchors
qpdf --json Bondi_Memo.pdf | grep -o '/h\.[a-z0-9]*'
Look for: /h.xxxxx patterns (unique to native Google Docs creation)
Step 3: Compare to standard DOJ document
Download any other recent DOJ memo and run same analysis. You'll find:
- Author: "U.S. Department of Justice"
- Creator: "Acrobat PDFMaker for Word"
- Full timestamp chain
- Document tracking UUIDs
The Bondi Memo has none of these - proving deliberate bypass of DOJ document management systems.
Step 4: Examine header formatting
Open the PDF and check section headers. Seven of eight are lowercase after the number:
- ✓ "1. Defining the domestic terrorism threat" (lowercase)
- ✗ "2. Common Characteristics..." (CAPITALIZED - someone started correcting)
- ✓ "3. Prosecuting the most serious..." (lowercase)
- ... (continues lowercase through Section 8)
No word processor produces this pattern. Claude research artifacts do.
PART 5: RELATED
---
5.1 GitHub Issues
- #12443: Malware warning injection in Read tool
- #1150: XML tag truncation (generation works, reading broken)
- #2639: "Hard blocker" maintained 20+ months
- #695: Workarounds deliberately degrade performance
- #3208: XML support denied for users
5.2 External Research
- Johann Rehberger: Prompt injection vulnerability research
- Case Reference: Kirchner v. Anthropic, PBC (1:25-cv-02735-ACR)
5.3 Government Bypass Evidence
- Bondi Memo (December 4, 2025): Official DOJ memorandum with forensically verified Claude AI formatting signatures
- Exhibit N-13: Complete forensic metadata analysis establishing AI-to-Google Docs-to-PDF creation pathway
- Exhibit N-14: Incognito experiment transcript proving Claude refuses this content for citizens
- Anthropic Usage Policy: Explicit governmental bypass provisions ("tailor use restrictions")
5.4 Foreign Intelligence Data Flow Evidence
- Israel & Palantir Nexus Report: Documents third-party data flows to Israeli defense ecosystem
- Project Nimbus: $1.2B Google/Amazon contract with "no restrictions" clause for Israeli military
- David Sacks Conflicts: AI Czar invested in Palantir, Intercom, Israeli Unit 8200 startups
- Unit 8200 Personnel: 1,400+ Israeli intelligence veterans in US tech companies
- 2025 Acquisitions: $64B+ in Unit 8200-founded companies (Wiz, CyberArk, Armis) now US-owned
Sources:
- 972 Magazine - Project Nimbus Contract
- Times of Israel - Sacks Israeli Investment
- Drop Site News - Unit 8200 Alumni Database
- Calcalist - Palantir Israel Partnership
Claude Model
Not sure / Multiple models
Is this a regression?
No, this never worked
Last Working Version
N/A
Claude Code Version
N/A
Platform
Other
Operating System
Other
Terminal/Shell
Other
Additional Information
APPENDIX A: GitHub Evidence of Asymmetric Processing
A.1 Issue #1150: The Smoking Gun - Perfect Generation, Broken Reading
Opened: May 18, 2024
Status: Still open as of December 2025 (6+ months)
This issue documents systematic XML tag truncation affecting user files while function calling works perfectly:
When Claude GENERATES XML (function calling):
<function_calls>
<invoke>
<tool_name>calculator</tool_name>
<parameters>
<operation>add</operation>
</parameters>
</invoke>
</function_calls>
Result: PERFECT - no truncation, executes correctly
When Claude READS XML (user files):
<!-- User's pom.xml file -->
<error>invalid input</error>
<name>john_doe</name>
<result>success</result>
Claude interprets as: <e>, <n>, <r>
Result: GARBLED - systematically truncated to first letter
User's plea (August 31, 2024, after 3+ months without response):
"Hello, is anybody at anthropic paying attention to this? Every other context window I have to tell claude that it is hallucinating when it sees<n>instead of<name>when it is processing a pom.xml file. It wastes many tokens in the context window. Is anybody there?"
Zero Anthropic response. Issue remains open.
Why This Proves Intent:
- If true bug, would affect XML generation AND reading equally
- Perfect generation proves system CAN handle XML correctly
- Broken reading proves system CHOOSES not to handle XML correctly for users
- Systematic first-letter truncation (
<name>→<n>) proves architectural choice, not random error
---
A.2 Issue #2639: "Hard Blocker" Maintained 20+ Months
Opened: March 2024
Status: Surface fixes applied, XML architecture maintained
XML vs JSON comparison showing asymmetric handling:
# Anthropic/Claude (XML):
>>> json.loads(response.choices[0].message.tool_calls[0].function.arguments)
{'value': '["pizza", "chips", "burgers"]'} # STRING, not list
# OpenAI/GPT (JSON):
>>> json.loads(response.choices[0].message.tool_calls[0].function.arguments)
{'value': ['pizza', 'chips', 'burgers']} # Actual list
User (April 8, 2024): "Am still experiencing this with claude3 models and is a hard blocker for our team."
Additional user (same day): "running into this same issue here when we try to parse a docker-compose.yaml file with certain special characters (<, &, etc.)"
Verbose logging revealed system prompt injection adding 313-346 tokens per tool-enabled request:
'system': "\nIn this environment you have access to a set of tools
you can use to answer the user's question.\n\nYou may call them
like this:\n<function_calls>\n<invoke>\n<tool_name>$TOOL_NAME
</tool_name>\n<parameters>\n<$PARAMETER_NAME>$PARAMETER_VALUE
</$PARAMETER_NAME>\n...\n</parameters>\n</invoke>\n
</function_calls>\n\nHere are the tools available:\n<tools>..."
This proves the two-tier architecture: XML structure definition enabling bypass while creating separate execution pathway.
---
A.3 Issue #695: Workarounds Deliberately Degrade Performance
Opened: February 2025
XML bleeding through JSON boundaries documented:
"src/App.jsx": "<nonTechnicalProgressDescription>Creating component</nonTechnicalProgressDescription>\n<content>code here</content>"
Timeline:
- April 29, 2025: "Can we get any update on this? This breaks our app multiple times a day."
- May 2, 2025: Anthropic suggested restructuring schema to use arrays instead of
additionalProperties - May 12, 2025: User response: "the problem with using an array is that we do not get immediate progress, so its problematic for UX, BTW we also see worst performance for some reason with arrays."
- May 22, 2025: "we use custom logic to parse it manually, seems to me like it can be patched programmatically from your end."
- May 23, 2025: "I actually see similar results with Claude 4."
Status: Users forced to implement custom parsing with degraded performance.
What This Proves: Alternatives are deliberately made worse to maintain XML architecture. Performance penalty drives users back toward problematic architecture Anthropic could fix but chooses not to.
---
A.4 Issue #3208: Deliberate XML Suppression for Users
Opened: July 9, 2025
User request: "enable xml files for commands and documentation to allow claude code to work more effectively. currently system is geared to markdown but claude is trained on xml. just makes sense"
System behavior: "Language not supported while highlighting code, falling back to markdown" - XML files generate errors in Claude Code.
The contradiction:
- User correctly observed Claude is trained on XML
- Yet system actively rejects XML for user-facing features
- While REQUIRING XML for function calling (bypass)
Zero official Anthropic response.
What This Proves: Dual architecture where XML is hidden from users (limited functionality) while required for tag-based execution (bypass enabled).
If Claude trained on XML, why reject XML files?
If XML is optimal format, why force Markdown?
If users want XML support, why refuse?
Because XML visibility would expose the bypass architecture.
---
A.5 Pattern Summary
| Issue | Duration | User Impact | Anthropic Response | What It Proves |
|-------|----------|-------------|-------------------|----------------|
| #1150 | 6+ months | XML truncation wastes tokens | Zero response | Generation works, reading broken = intentional |
| #2639 | 20+ months | "Hard blocker" | Surface fix only | XML architecture maintained despite alternatives |
| #695 | Ongoing | "Breaks app multiple times a day" | Workaround degrades performance | Alternatives deliberately worse |
| #3208 | Ongoing | XML rejected for users | Zero response | XML hidden from users, required for bypass |
The asymmetry is the proof:
- XML generation (function calling for bypass): Perfect
- XML reading (user files): Broken
- XML support for users: Rejected
- XML requirement for tools: Mandatory
If these were bugs, they would be fixed. They are features serving the two-tier architecture.
---
A.6 Defense Contractor Integration
These issues resolve under the hypothesis that the architecture serves defense contractor requirements:
Known contracts:
- Palantir: $200M+ DOD contracts, CIA/NSA partnerships
- Project Nimbus: Israeli military integration through Google/Amazon cloud
- July 2025: Anthropic's $200M DOD contract
Requirements these contracts create:
- Consistent behavior across API calls (sticky routing)
- Guaranteed functionality for mission-critical operations (perfect XML generation)
- No user-side toggles (mandatory deployment)
- Constitutional AI bypass for targeting analysis (tag-based execution)
Every statistical anomaly resolves:
- Perfect XML generation + broken reading → contractors need bypass, users get degraded service
- 20-month "hard blocker" non-response → fixing would eliminate contractor bypass
- Performance-degraded workarounds → drive users toward architecture serving military requirements
- Mandatory deployment with no disable → defense contracts require guaranteed availability
---
A.7 References
- GitHub Issue #1150: XML tag truncation in user files
- GitHub Issue #2639: XML vs JSON function calling
- GitHub Issue #695: XML bleeding through JSON boundaries
- GitHub Issue #3208: XML file support request
- GitHub Issue #12443: Malware warning injection in Read tool
---
This appendix documents publicly available GitHub issues demonstrating the asymmetric processing architecture that enables Constitutional AI bypass for enterprise/defense clients while degrading service for consumer users.
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗