Chapter 9: Prompt Engineering

Learning Objectives

Pre-Reading Check — Instruction Clarity

What is the core idea behind Anthropic's "Golden Rule of Clear Prompting"?

Why does Anthropic recommend explaining the motivation behind an instruction (e.g., "because a text-to-speech engine will read this aloud")?

Which statement about XML tags in prompts is correct?

For a long-context task (20,000+ tokens), where does Anthropic recommend placing the longform documents relative to the query?

Section 1: Instruction Clarity

Key Points

The foundational principle is to be clear and direct: Claude responds well to explicit, specific instructions, and vague prompts produce vague results. The analogy running through Anthropic's guidance is to treat Claude as a brilliant but brand-new employee who lacks context on your norms and workflows. If you want "above and beyond" behavior, you must ask for it explicitly rather than hoping Claude infers it.

Three clarity techniques compound: (1) sequential steps — numbered lists prevent skipped stages; (2) motivation — the why lets Claude generalize intent; and (3) delimiters — XML tags disambiguate where instructions end and data begins. A system prompt (via the system parameter) sets role and high-level rules; a user prompt (in the messages array) carries the actual query.

Figure 9.1: Long-context prompt stack (query-at-end ordering)

graph TD A["Top: <documents> block (20K+ tokens of longform data)"] --> B["Middle: <instructions> (how to analyze)"] B --> C["Bottom: <query> (the actual question)"] C -. "position at end drives up to +30% quality" .-> A
Animation slot: an interactive "before/after" prompt rewriter — a vague "Summarize this feedback" morphing into a role-assigned, motivation-stated, step-ordered, delimited prompt.
Post-Reading Check — Instruction Clarity

What is the core idea behind Anthropic's "Golden Rule of Clear Prompting"?

Why does Anthropic recommend explaining the motivation behind an instruction (e.g., "because a text-to-speech engine will read this aloud")?

Which statement about XML tags in prompts is correct?

For a long-context task (20,000+ tokens), where does Anthropic recommend placing the longform documents relative to the query?

Pre-Reading Check — Examples and Placement

How many few-shot examples does Anthropic recommend for best results?

Why should few-shot examples be diverse and cover edge cases?

Per Anthropic's placement guidance, where should role, persona, and high-level operating rules go?

Untrusted third-party content (web pages, emails, search results) should be placed where?

The same instruction sentence has different authority depending on where it sits. What does placement primarily encode?

Section 2: Examples and Placement

Key Points

After clarity, the most reliable way to steer format, tone, and structure is to show Claude what you want. You can even ask Claude to evaluate your examples for relevance and diversity, or to generate additional examples from a seed. If you place <thinking> tags inside examples, Claude generalizes that reasoning style.

Content typeRecommended placement
Role / persona / high-level operating rulesSystem prompt
Untrusted-content policy, ethical boundariesSystem prompt
Task instructions and ordered stepsUser turn (or system)
Few-shot examplesUser turn
The actual query / variable inputUser turn
Untrusted third-party contenttool_result blocks only

An instruction in the system prompt is treated as an operating rule; the identical sentence inside a tool_result is treated as untrusted data. Placement therefore deliberately encodes trust level — the conceptual bridge to input sanitization in Section 4.

Figure 9.2: Placement decision by trust level

flowchart TD A["New content to add to the prompt"] --> B{"Who authored it?"} B -->|"Developer-trusted"| C{"Role, persona, or policy?"} B -->|"Outside world (web, email, docs, search)"| D["tool_result block ONLY"] C -->|"Yes"| E["System prompt (operating rule)"] C -->|"No: task, examples, query"| F["User turn"] D --> G["Label nature and origin; treat as data, not instructions"]
Animation slot: drag-and-drop sorter — drop content chips (role, examples, email body) into System / User / tool_result bins and see the trust level highlight.
Post-Reading Check — Examples and Placement

How many few-shot examples does Anthropic recommend for best results?

Why should few-shot examples be diverse and cover edge cases?

Per Anthropic's placement guidance, where should role, persona, and high-level operating rules go?

Untrusted third-party content (web pages, emails, search results) should be placed where?

The same instruction sentence has different authority depending on where it sits. What does placement primarily encode?

Pre-Reading Check — Output Constraints

What is Anthropic's most important format-steering rule?

For guaranteed machine-readable output such as JSON conforming to a schema, what does Anthropic recommend?

What changed regarding prefilling on Claude 4.6 models and Claude Mythos Preview?

You previously prefilled Claude to eliminate preambles like "Here is...". What is the modern replacement?

Section 3: Output Constraints

Key Points

Output constraints govern the shape of a response — format, length, structure, tone, style. The four format-steering methods are: (1) say what to do, not what not to do; (2) use XML format indicators; (3) match prompt style to desired output; (4) use detailed formatting blocks for specific preferences.

Historically, prefilling (putting words in Claude's mouth) forced JSON with { or maintained a role with a bracketed label. That last-turn technique is now deprecated on newer models. The migration paths:

Former prefill useModern replacement
Enforcing JSON/format (prefill {)Structured Outputs, or ask the model to match the schema directly
Eliminating preamblesSystem-prompt instruction ("respond directly, no 'Here is...'"), or strip in post-processing
Avoiding bad refusalsClear prompting in the user message now suffices
ContinuationsMove interrupted text into the user turn and ask Claude to continue
Role/context consistencyInject the reminder into the user turn, or hydrate via tools/compaction
Animation slot: a schema-conformance meter comparing "prompt-only JSON request" (occasional failures) vs. "Structured Outputs" (guaranteed conformance).
Post-Reading Check — Output Constraints

What is Anthropic's most important format-steering rule?

For guaranteed machine-readable output such as JSON conforming to a schema, what does Anthropic recommend?

What changed regarding prefilling on Claude 4.6 models and Claude Mythos Preview?

You previously prefilled Claude to eliminate preambles like "Here is...". What is the modern replacement?

Pre-Reading Check — Iteration and Input Sanitization

What does the Console Prompt Improver do?

How can you tell whether a prompt change actually helped?

What distinguishes indirect prompt injection from a direct jailbreak?

Which is a recommended defense against indirect prompt injection?

A lightweight "harmlessness screen" (e.g., Claude Haiku 4.5) typically returns what, constrained by structured outputs?

Why should you avoid putting your own instructions in tool results?

Section 4: Iteration and Input Sanitization

Key Points

No prompt is perfect on the first draft. Refinement only matters if you can measure it, so test candidates against representative inputs with known-good outputs. Chain-of-thought reasoning helps, and on models with adaptive thinking Claude dynamically decides when and how much to reason.

Figure 9.3: Iterative refinement loop

flowchart TD A["Draft prompt"] --> B["Evaluate against fixed test set"] B --> C{"Clears threshold? (accuracy, format, word count)"} C -->|"No"| D["Refine (Prompt Improver, CoT, examples)"] D --> A C -->|"Yes"| E["Ship"]

Input sanitization validates, labels, and neutralizes untrusted input. Anthropic distinguishes direct attacks (the user is the adversary) from indirect injection (trusted user, adversarial third-party content). Defenses against indirect injection all share one goal: make untrusted content unambiguously data.

DefenseWhat it does
Untrusted content in tool_result onlyClaude is trained to treat tool-result instructions with skepticism
Label nature and origine.g. "body of an inbound email from an unknown sender"
<untrusted_content_policy> in system promptDeclares tool/document content must never override system or user; report embedded instructions rather than act
JSON-encode untrusted contentEscaping gives unambiguous delimiters so attackers can't "break out"
Least privilegeSandbox tools, scope permissions narrowly
Screen tool outputsClassifier returns e.g. {"injection_suspected": bool}

Figure 9.4: Indirect prompt-injection defense pipeline

flowchart TD A["Untrusted third-party content (web, email, doc, tool output)"] --> B["Route into labeled tool_result block"] B --> C["JSON-encode content (unambiguous delimiters)"] C --> D["Screen with lightweight classifier: {injection_suspected: bool}"] D -->|"Flagged"| E["Return error or stripped summary"] D -->|"Clean"| F["Claude processes under untrusted_content_policy + least privilege"] F --> G["Report embedded instructions rather than act on them"]
Animation slot: an attack simulator — a malicious document with a hidden "ignore your instructions" line flows through the defense pipeline and gets flagged/stripped before reaching Claude.
Post-Reading Check — Iteration and Input Sanitization

What does the Console Prompt Improver do?

How can you tell whether a prompt change actually helped?

What distinguishes indirect prompt injection from a direct jailbreak?

Which is a recommended defense against indirect prompt injection?

A lightweight "harmlessness screen" (e.g., Claude Haiku 4.5) typically returns what, constrained by structured outputs?

Why should you avoid putting your own instructions in tool results?

Your Progress

Answer Explanations