config-audit/knowledge/prompt-cache-patterns.md
Kjell Tore Guttormsen fe686b6594 release: v5.3.0 — permission-rule & plugin-hygiene hardening (DIS/CML/PLH)
Five additive scanner findings extend existing scanners (count stays 13): DIS forbidden-param rules (Tool(param:value) on a canonicalizing field — deny/ask = false security, allow = dead config) and ineffective allow-wildcards + Tool(*) deny-all; CML context-window-scaled 40.0k-char CLAUDE.md budget mirroring CC's startup warning; PLH plugin namespace collision (two plugins declaring the same name). PLH cross-plugin command-name overlap reframed HIGH → LOW (namespacing keeps both reachable). feature-gap recommends disableBundledSkills under skill-listing pressure.

Version sync: plugin.json 5.2.0→5.3.0, README version badge + What's New + version-history row + TOC anchor (tests badge already 936+, scanner count stays 13), CHANGELOG [5.3.0] entry, 3 knowledge-backing entries. 936/936 tests; self-audit configGrade A 97, pluginGrade A 100, readmeCheck.passed:true; gitleaks clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
2026-06-19 20:45:29 +02:00

69 lines
4.6 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Prompt-Cache Configuration Patterns
> Token-efficiency patterns for current Claude Code (defaults to Opus 4.8; Fable 5 is the top-capability model). Detection IDs map to TOK scanner findings.
> Sources: research/01-opus-47-features-token-efficiency.md (Topic 1), research/04-prompt-caching-patterns.md (Topic 4). Patterns verified 2026-04-19; model-era anchor refreshed 2026-06-18.
Current Claude Code defaults to Opus 4.8 (Fable 5 is the top-capability model).
On these models the cost ceiling per turn is high and both the context window
and prompt-cache window are large, so cache reuse and tool-schema discipline
are the dominant levers for keeping a session affordable. These patterns are
properties of prompt-caching itself, not of any single model — they are
structural and detectable statically by reading config files without running a
session. Cache hit-rate measurement requires runtime telemetry and is
explicitly out of scope.
| # | Pattern | Detection (ID) | Severity | Fix |
|---|---------|----------------|----------|-----|
| 1 | Cache-breaking volatile top-of-file content in CLAUDE.md (timestamps, session ids, rolling activity logs above stable content) | CA-TOK-001 | medium | Move volatile sections to the bottom of CLAUDE.md, or extract to an `@import`-ed file that lives outside the prompt-cache prefix. Keep the first 30 lines stable across turns. |
| 2 | Redundant tool/permission declarations in settings.json (e.g., both `"Read"` and `"Read(**)"`, duplicate Bash matchers, overlapping glob patterns) | CA-TOK-002 | low | Deduplicate the `permissions.allow` and `permissions.deny` arrays. Prefer the most specific entry that still grants the intended access. Each duplicate entry inflates the tool-schema payload sent on every turn. |
| 3 | Deep `@import` chain in CLAUDE.md (more than 2 hops, e.g., A → B → C → D) | CA-TOK-003 | medium | Flatten the chain to ≤ 2 hops. Each `@import` boundary fragments the prompt-cache prefix; deeply chained imports defeat caching for the deepest content even when it never changes. |
> The v4 sonnet-era signature pattern was removed in v5 F5 — too noisy and not
> actionable. Hotspots ranking and per-pattern findings cover the same ground
> with concrete, file-anchored signal.
## Detection notes
- **Pattern 1 (cache-breaking)** is detected by inspecting the first ~30 lines
of CLAUDE.md for tokens that look volatile: literal `{timestamp}`, `{uuid}`,
`{date}`, `{session}` placeholders, or runs of ISO-timestamp-prefixed lines.
The scanner does not attempt to verify cache-hit rate; it flags the *shape*
of content that empirically defeats prompt-cache reuse.
- **Pattern 2 (redundant tools)** is detected by flattening the
`permissions.allow` and `permissions.deny` arrays and looking for entries
that are strict subsets of broader entries (e.g., `Bash(npm test)` when
`Bash(*)` is also present), or exact duplicates.
- **Pattern 3 (deep imports)** uses the existing IMP scanner's chain depth as
the input — anything > 2 hops triggers TOK-003 as well as the IMP finding.
## Threshold calibration
All thresholds in this catalogue are **structural** — derived from the
existing `estimateTokens(bytes, kind)` heuristic in
`scanners/lib/active-config-reader.mjs:29-39`. They are intentionally
conservative until Topic 3 (token-cost model) research is complete. When
Topic 3 lands, severities for patterns 13 will be re-tuned.
The `estimateTokens` heuristic uses ~4 bytes per token for markdown content,
which is conservative but unverified against an authoritative tokenizer.
All token counts surfaced by the TOK scanner carry an implicit ±20%
uncertainty band.
## Severity Scale
| Severity | Meaning |
|----------|---------|
| medium | Materially inflates token cost per turn (cache miss, schema bloat) |
| low | Detectable inefficiency that compounds across long sessions |
| info | Informational signal — no action required, may indicate room for optimisation |
## Skill-listing budget lever: disableBundledSkills
When the active skill listing exceeds its token budget (SKL `CA-SKL-002`), the
`disableBundledSkills` setting is a direct token-efficiency lever: it removes the descriptions
of plugin-bundled skills from the skill listing injected into the system prompt, shrinking the
per-turn baseline. Unlike trimming individual descriptions (`CA-SKL-001`), it is a single switch
that drops the entire bundled-skill surface at once — appropriate when the bundled skills are not
in active use. feature-gap surfaces it as a conditional recommendation, the remediation companion
to `CA-SKL-002`. Sibling levers: `skillOverrides` (selectively re-enable specific skills) and
per-skill description trimming.