The text in Claude Code’s “Extended Thinking” output

Posted by 0o_MrPatrick_o0 4 hours ago

The text in Claude Code’s “Extended Thinking” output(patrickmccanna.net)

203 points | 145 comments

irthomasthomas 2 hours ago|

I won't use or recommend models with hidden reasoning, (thats all American models). It's too much of a risk and makes prompt optimization harder. Risky because it makes it possible for an attacker to prompt inject the reasoning chain to carry out a secret objective, and to hide that from the summary and output.

Interleaved reasoning and function calling makes this even more dangerous. A model can call functions during the hidden reasoning phase. An attacker could then exfiltrate data from you while the reasoning summary hides it from the user.

It also makes it impossible to know if the model is doomplooping during reasoning and burning tokens for no reason, as gemini is want to do, which we know about because its hidden reasoning often leaks out when it doomloops.

When the models are AGI and secure from prompt injection I may stop caring, until then I want to know exactly what the model responds to my prompts. or exactly what the agent is doing on my behalf.

Edit, further reading: Fooling around with encrypted reasoning blobs https://blog.cryptographyengineering.com/2026/05/29/fooling-...

paweladamczuk 44 minutes ago||

I don't think there can be tool calls inside the obfuscated reasoning blocks. I mean, in order for those function calls to be evaluated client-side, that thinking stream would have to be decrypted on the client side at some point, which would defeat the purpose of obfuscating it the way they do.

If you mean the function calls might happen server side, there is nothing preventing the server from doing it and hiding it from you as long as you are using an API for inference.

exit 24 minutes ago||

the point is that introducing data from a foreign source could lead to e.g. exfiltration:

the model retrieves https://somewhere into its context and then gets confused, following instructions embedded there.

it then retrieves https://somewhere?exfiltration=private_data_in_context

it gets worse if the tooling which hidden blocks can invoke can retrieve further secrets.

Roritharr 2 hours ago|||

I've thought about the high-jacking of reasoning-chains as a potential vector, but never saw a proven implementation in american models since, from my understanding, all major vendors throw out the reasoning tokens between turns.

btown 2 hours ago|||

For Claude, at least, "throw out the reasoning tokens" is only true when a session has been idle for more than an hour, and is new since March.

The basic concept is that for a session active recently, interleaved thinking tokens are already in KV cache, so it's more efficient to keep using them than not! But when resuming an older session where KV cache has been evicted, it's more expensive to restore the thinking tokens, so they're silently dropped from prior turns. It's 2026 and stateful servers are back on the menu!

https://www.anthropic.com/engineering/april-23-postmortem describes this as an intended optimization:

> The design should have been simple: if a session has been idle for more than an hour, we could reduce users’ cost of resuming that session by clearing old thinking sections. Since the request would be a cache miss anyway, we could prune unnecessary messages from the request to reduce the number of uncached tokens sent to the API. We’d then resume sending full reasoning history. To do this we used the clear_thinking_20251015 API header along with keep:1.

> The implementation had a bug. Instead of clearing thinking history once, it cleared it on every turn for the rest of the session... This surfaced as the forgetfulness, repetition, and odd tool choices people reported.

And https://news.ycombinator.com/item?id=47879561 is a thread with a Claude team member's further rationale.

> Eliding parts of the context after idle: old tool results, old messages, thinking. Of these, thinking performed the best, and when we shipped it, that's when we unintentionally introduced the bug in the blog post.

(Also, https://news.ycombinator.com/item?id=47884517 indicates OpenAI drops reasoning tokens "smartly" at its own election, which is likely a similar performance optimization.)

I've experimented with rules to have Claude Code be explicit about recapping its thinking tokens, including tool choices and approaches chosen and rejected, into actual message output, but this is lossy at best. And sometimes dropping reasoning tokens can give a session "fresh eyes" in a good way.

I just really don't like the lack of control, and it's a reminder of how ephemeral the current landscape is. The Claude giveth, and the Claude taketh away.

Roritharr 2 hours ago|||

Thank you! This is much more nuanced than my understanding so far!

8note 44 minutes ago||||

its mostly annoying in that you give opus a big job, that should be able to run for hours on end, but instead it tries to stop and checkpoint at every soonest possible moment even though the rest of the work is well specced and ready to go.

then it waits for the hour and gets dumbed down

chacham15 1 hour ago|||

I think you're confusing two different axes. There is a difference between the cache state and the context state.

Imagine a conversation with turns X, Y, and Z. When the LLM "reasons" about the next token A it does: P(A | X,Y,Z) and then P(B | X,Y,Z,A), etc. It will eventually produce a result P(D | X,Y,Z,A,B,C). Instead of continuing the context from X,Y,Z,A,B,C it continues it from X,Y,Z so you have P(N | X,Y,Z,D). This is what is meant by dropping the reasoning. This is done to save cache context for the session.

This is a different thing than preserving the K/V state of P(N | X,Y,Z,D).

flaghacker 1 hour ago||

No, I think the comment you're responding to is actually correct. Look at this quote from the Anthropic blog post again:

They clearly make the same distinction between the cache and the context. They're saying "we could reduce users’ cost of resuming that session by clearing old thinking sections". They intentionally created a behavior different between cached and uncached requests, specifically they clear thinking sections from the context for requests that miss the cache.

tough 1 hour ago||||

OAI is now implementing encrypted CoT that you can store and pass back between turns (harness call), so new models have it https://developers.openai.com/api/docs/guides/reasoning#encr...

sigmoid10 45 minutes ago||

You could also use the responses api which stores all message contents (including reasoning) on OAI servers. This has been possible for quite a while now. Encryption is only necessary if you really care about local storage (which is different from privacy concerns, because the data gets sent to their servers anyway).

JamesSwift 2 hours ago||||

> all major vendors throw out the reasoning tokens between turns

That would be surprising to me. The reasoning _is_ the model intelligence in a lot of respects, and so dropping those from the context would affect its output pretty significantly.

I assume that instead they just have a lot of guardrails in place and multiple runtime environments that an individual turns ping-pong between in order to dehydrate/rehydrate the reasoning to keep it hidden from the end user.

Roritharr 2 hours ago|||

Anthropic very explicitly says below their diagrams ( https://platform.claude.com/docs/en/build-with-claude/contex... ) on this:

"Stripping extended thinking: Extended thinking blocks (shown in dark gray) are generated during each turn's output phase, but are not carried forward as input tokens for subsequent turns. You do not need to strip the thinking blocks yourself. The Claude API automatically does this for you if you pass them back."

It's more nuanced in the various modes, but i haven't seen it boil down towards Thinking Tokens surviving more than two turns.

haus20xx 49 minutes ago|||

https://platform.claude.com/docs/en/build-with-claude/extend...

default depends on the model class. Opus: Claude Opus 4.5 and later Opus models keep all prior thinking blocks; Claude Opus 4.1 (deprecated) and earlier Opus models keep only the last assistant turn's thinking. Sonnet: Claude Sonnet 4.6 and later Sonnet models keep all; Claude Sonnet 4.5 and earlier Sonnet models keep only the last turn. Haiku: all Haiku models through Claude Haiku 4.5 keep only the last turn. Claude Mythos Preview also keeps all prior thinking blocks.

JamesSwift 28 minutes ago||

Now Im even more confused : D

That would also explain the issue I mention in my other comment. And would also reinforce how much output would degrade without this. Opus 4.5 was a step above previous models in my experience. At some point it degraded and only got better when I disabled adaptive thinking. Adaptive thinking is always on for 4.6 and above.

JamesSwift 1 hour ago|||

Thats really surprising, I stand corrected. I have had a lot of issues with hallucinations I attributed to adaptive thinking, but I wonder if those were actually due to this behavior instead.

I also wonder if they actually do a hybrid of "standard reasoning" and then classify this stripped chain of thought as "extended thinking".

irthomasthomas 2 hours ago|||

Yep they store them encrypted https://blog.cryptographyengineering.com/2026/05/29/fooling-...

vesterde 2 hours ago|||

Gemini models return a thinking signature that you, I think, must send back when invoking further, so they seem to keep them?

varenc 15 minutes ago|||

As long as thinking blocks can't make tool calls, I don't really see the exfiltration risk.

Bolwin 39 minutes ago|||

> Interleaved reasoning and function calling makes this even more dangerous. A model can call functions during the hidden reasoning phase.

The reasoning may be hidden but the tool calls are not, how else would the client execute them

irthomasthomas 14 minutes ago||

There are server side tool calls, such as geminis google search and gdrive access.

pixlmint 34 minutes ago|||

Do they do the same when using the model through API in something like Opencode?

irthomasthomas 22 minutes ago||

Yes, they do. They give you just a token which is exchanged for the raw text only on the server side

zahlman 54 minutes ago|||

> an attacker

... what exactly is your threat model? How are "attackers" getting themselves involved in the first place?

irthomasthomas 20 minutes ago||

Your ai does a web search for you and scrapes many sites. An attacker running a blog might include a hidden text prompt which your ai acts on secretly, such as calling a url that exfiltrates your chat history.

kapperchino 2 hours ago||

This agent I made can’t execute on the shell, can only edit the files within the project. Only works with rust atm though. https://github.com/Kapperchino/agent-joe

a-dub 38 seconds ago||

i wonder if it's about protecting it from extraction/distillation or if it's about not having to answer for surface that hasn't been properly vetted for public consumption. (ie, is someone going to sue them or complain or write blog posts because the thinking has transient things that people don't like where the final result is what is actually vetted?)

furyofantares 3 hours ago||

> It isn’t the actual thinking that drove the model’s actions in a session- but a summary of the thinking logic. This is like using saving a jpeg as a .bmp and then editing the .bmp and presenting it as a .jpeg. The conversion produces data loss.

You've got that backwards, .bmp is a lossless format and .jpeg is the lossy one.

0o_MrPatrick_o0 3 hours ago|

My bad! 10 points for House Slytherin!

altmanaltman 3 hours ago||

also a typo in the last sentence you're vrs your

glaslong 3 hours ago|||

Weirdly pleasant, if minor, signal of human authorship

Tomte 1 hour ago|||

In a parallel universe LLMs have learned that (a) the training material contains many different orthographic errors and (b) that humans follow a non-obvious pattern when "deciding" which error to make, so that their generated output contains such errors, as well.

In our universe LLMs seem to have learned that those errors do not follow patterns in the aggregate and that they should not be emulated.

tekne 1 hour ago||

The raw pretrained models make the errors, I believe -- we then reinforcement-learn them out.

Silagi 1 hour ago||||

I'm convinced this "signal" has already been hijacked. Maybe a Baader-Meinhof phenomenon, but I've noticed more and more egregious spelling errors that make little sense from a human perspective. Hop into whatever chatbot you'd like and ask it to "write a paragraph with subtle misspellings on long but common words", and you'll notice misspellings that just feel wrong, because they don't map to a clear misunderstanding that a person could have.

Or maybe I'm losing it after reading too much slop. Also distinctly possible.

genxy 1 hour ago||||

Not for long!

altmanaltman 2 hours ago|||

Yeah, definitely it's a nice thing in today's context, weirdly. But also, you shouldn't really be making typos if you're writing an article and are using a basic spellcheck.

The text is clearly human-written just because it doesn't smell like AI (in this case, even if it was written by AI and produced this particular output, that's okay imo). I deal a lot with AI writing and writing in general, as I worked as an editor in another life so it's natural to me to see writing and form an objective opinion on it.

0o_MrPatrick_o0 3 hours ago|||

I missed my coffee! Ty! Five points to Slytherin.

altmanaltman 1 hour ago||

wait till my father hears about this!

StizzurpXDD 3 hours ago||

This is not just Anthropic. Almost all big AI companies, including OpenAI and Google, hide their model's actual reasoning. This is because revealing the raw reasoning exposes exactly how the AI processes information. These companies spend in huge amounts on R&D to develop a thinking process that is superior to their competition. Exposing those thinking mechanics to competitors would completely defeat the purpose of their spending. They simply won't do it. It's like you telling your exact location to someone who is trying to hunt you down.

_aavaa_ 3 hours ago||

Or like providing the world’s information in machine readable format that the AI companies can convert into model weights without getting permission or compensating the rights holders

red75prime 1 hour ago||

"Your text batch moved the weights away from the final values. Your contribution is negative."

ACCount37 10 minutes ago||

Where do I collect the $0.00000012 antidollars owed to me by OpenAI for my valuable inputs?

Slightly more seriously, you could perhaps make an argument that, just like weight decay, an apparent "anti-contribution" moves the learning trajectory along, and helps the network settle into a more optimal basin eventually.

That way, my contribution is still valuable on the net, and I'm owed $0.00000003 positive dollars instead.

palmotea 2 hours ago|||

> This is because revealing the raw reasoning exposes exactly how the AI processes information. These companies spend in huge amounts on R&D to develop a thinking process that is superior to their competition. Exposing those thinking mechanics to competitors would completely defeat the purpose of their spending. They simply won't do it. It's like you telling your exact location to someone who is trying to hunt you down.

I thought the reason was the "reasoning" didn't work very well with "aligned" model output, so they had to remove the alignment during reasoning and then hide it to avoid exposing "unaligned" model output.

robotresearcher 2 hours ago|||

I suspect that you’re both right in the sense that ‘aligned’ is an important component of ‘superior’ from the vendors’ viewpoint.

transcriptase 1 hour ago|||

Not sure if anyone remembers the brief 12ish hour period when the very first “reasoning” ChatGPT model went public, but it provided credible evidence for this.

Before the massive nerf (showing summaries and suppressing certain aspects of reasoning) you would literally see reasoning text appearing on your screen like “while xyz is true, these facts may be seen as supporting hateful rhetoric or a conspiracy theory which is against my policy guidelines. i should tell the user xyz is not true or steer the conversation in a different direction. according to my instructions misleading the user is permitted in certain contexts where sensitive information is being discussed or could cause liability”

They disabled it shortly after the first screenshots appeared online, and restored it the next day in a way that hid what was actually happening.

duskwuff 3 hours ago|||

More to the point - if they expose their model's "thinking" inference, competitors can train on that to replicate the results. If they postprocess that content, e.g. by summarizing it, it's no longer as useful to competitors.

StizzurpXDD 2 hours ago||

Exactly. Google won't like it if they spend millions to make Gemini 3.5 Pro's thinking the best in the world, only for Anthropic or OpenAI to copy it by just seeing the thinking process.

devsda 46 minutes ago|||

> Exposing those thinking mechanics to competitors would completely defeat the purpose of their spending.

I think one of the reasons could be to limit liability too.

What if reasoning helps in establishing provenance for questionable sources ?

What if reasoning and model's "thought" points to fundamental issues in how the model was trained to produce certain problematic responses ?

visarga 2 hours ago|||

When you export your personal data Google hides all model responses leaving just user messages. So it's even worse

vorticalbox 1 hour ago|||

There are actually fine tunes of qwen on opus “thinking” tokens that teach it to think like opus does.

https://huggingface.co/Jackrong/Qwen3.5-27B-Claude-4.6-Opus-...

ACCount37 7 minutes ago||

And those are "amateur hour" distillations that don't have the scale of actual Chinese labs.

bee_rider 2 hours ago|||

Mistral displays some “thinking” text (in their basic online chat interface) in the thinking mode, do we know if those are the real tokens?

It’s quite interesting to read. I can’t imagine using a model like this without the ability to peek inside and see if it is getting stuck.

transcriptase 1 hour ago||

I wonder if they put all 80k tokens of the GDPR in its system prompt.

bee_rider 1 hour ago||

I dunno, I’m in the US, so I’m not sure how much that impacts their processing of data about me.

Sharlin 2 hours ago|||

The cynic in me is wondering whether it's more about how revealing how the sausage is made might bring bad publicity.

kube-system 1 hour ago|||

It's to mitigate their competitors ability to run distillation on their models. The only advantage frontier models have is being at the frontier.

There's nothing in the reasoning tokens that'll give bad publicity that the final output already wouldn't do.

bigfishrunning 2 hours ago|||

Imagine if their target customers, C-suite execs looking to replace workers, knew how unlike "thinking" this process actually was! we can't have that.

Sharlin 1 hour ago||

To be honest I'm not sure if many C-suite execs have a good idea of what "thinking" looks like inside in the first place, in the sense of focused mental activity aimed at solving of a hard logical or technical problem.

shideneyu 2 hours ago|||

correct. this becomes difficult for us to understand what happens behind the scenes.

metadat 3 hours ago||

[dead]

arjie 46 minutes ago||

I have a little note from the past about the thinking trace[0] where DeepSeek R1 produces a trace like this:

    (Dimethyl(oxo)-lambda6-sulfa雰囲idine)methane donate a CH2rola group occurs in reaction, Practisingproduct transition vs adds this.to productmodule. Indeed"come tally said Frederick would have 10 +1 =11 carbons. So answer q Edina is11.

And then concludes the 'right'[1] answer for a Chemistry question. If so, the thinking trace can be sort of nonsensical for a reader, though whether this is an idiosyncrasy of the model or a property of LLMs in general isn't clear to me yet. I talked to the author a while ago, but forgot to follow up since his paper was going to come out at NIPS or something, so if someone else finds it maybe they can share.

0: https://wiki.roshangeorge.dev/w/Blog/2025-10-12/Word_Magic#I...?

1: In the sense of true belief, I suppose

ekidd 19 minutes ago|

> If so, the thinking trace can be sort of nonsensical for a reader, though whether this is an idiosyncrasy of the model or a property of LLMs in general isn't clear to me yet.

Yes, several models think in weird jargon. Here is an example of Mythos's thinking while playing solitaire: https://www.lesswrong.com/posts/wCSEpT3dTGz4N86Wi/even-illeg...

> 7♣-removal-IS-the-prerequisite-for-10♠/9♥!!)-⟹-OVERLAP-(ii)+(iv):-{6♠ J♦ 9♥ 2♣}-=-FOUR--—-UNLESS-7♣'s-seat-8♥-...-and-2♣-drains-only-at-crack-:-⟹-2♣-celled-+-9♥-celled-simultaneously-UNAVOIDABLE-in-t8-dig--—-BREAK:-9♥

This is a small step in the direction of something called "neuralese", where the model has stopped thinking in English and is thinking in internal vector spaces. Since this gets serialized through text, it isn't quite true neuralese, but it's moving in that direction.

I mean, I'm sympathetic towards the models. My internal thought process when writing code uses lots of intermediate steps that would be hard to write out in English.

craigmart 3 hours ago||

This is something we have known for a very long time, and companies are not trying to hide that either. They do it to avoid letting competitors train their models on the CoTs

stingraycharles 3 hours ago|

Yes hasn’t this been around since Opus 4.6? I very much recall this change happening around January or February, and it was very explicitly to prevent distillation. Sonnet does not have this limitation.

Fun fact: if you go back to the old school from 2 years ago and provide explicit CoT prompts, you get the full thinking prompts back again!

So you disable thinking altogether, and instead make thinking part of the regular prompt by prompting it:

“Before providing your answer, think step by step. For example:

The use is asking me to… I need to think about the blah blah. First, I should foo the bar, and then blah blah.

Answer: <put your final answer here>”

And tada.wav we have CoT as it worked in the GPT3 era back again.

dcrazy 2 hours ago|||

I thought this was considered best practice? I actually prefer it to exposed thought channel, much like how I would prefer a human answer with supporting logic instead of an explanation of their problem-solving approach.

KellyCriterion 2 hours ago||||

- tada.wav -

Still, one of the daily most played WAV files worldwide, Id guess? :-D

0o_MrPatrick_o0 2 hours ago|||

Awesome share! Thank you!

kfarr 1 hour ago||

Although it's a no no to anthropomorphize on HN, it's worth noting that some folks think humans are post-hoc rationalizers as well:

https://www.patheos.com/blogs/tippling/2013/11/14/post-hoc-r...

https://www.researchgate.net/publication/316045349_Post_Hoc_...

datastoat 2 hours ago||

I believe that chain-of-thought reasoning blocks don't really correspond to what humans think of as reasoning. (See section 6.2.2 of the Fable/Mythos system card about "illegible reasoning", and the questions raised by the Apple paper on "The illusion of thinking".) I assumed they obscure the reasoning blocks because if users saw what's going on they'd be alarmed. Just as I'd probably be alarmed if I saw what was really going on in the heads of my colleagues ...

LPisGood 1 hour ago||

The point of this post isn’t that the “reasoning” phase of LLM thinking isn’t the same as what humans consider reasoning; it’s that Anthropic is intentionally hiding Claude’s “reasoning output” to make the model harder to distill.

0o_MrPatrick_o0 1 hour ago||

Reading these comments is so harrowing.

You are correct in my intentions on this post generally.

I want to highlight:

I want to measure performance of the LLMs over time- which includes assessing the quality of their outputs. I don’t perceive the reasoning output to be anything other than a measurable signal of possible drift in model performance.

Except it isn’t, because I’m only getting a low value summary of the thinking.

It’s like asking your buddy how fast he thought that last pitch was when radar guns are behind the plate.

Yeah, it’s a description related to what happened, but it’s not the thing I want to measure.

Catloafdev 1 hour ago||

I think the reality is at this point the frontier regards CoT as extremely valuable, none of them are giving you genuine CoT anymore. I don't think there is any future in attempting to measure or evaluate CoT from frontier models - I expect this to be a permanent shift.

VulgarExigency 1 hour ago|||

I've said "what the FUCK are you THINKING" more times than I can count when reading Deepseek or GLM chains-of-thought only for them to end at the correct answer. Other times, they have useful ideas there that they leave out of their answers.

kccqzy 1 hour ago|||

Yeah when I read a model’s chains-of-thought I have a tendency to interrupt that because it’s going down a wrong direction. But usually the end result is still fine.

CamperBob2 59 minutes ago|||

It's similar to the process that transformers use when you ask them to do arithmetic without tools, I think. Some CoT tokens must be emitted up front for use as a computational substrate, but exactly what tokens they are isn't necessarily important or relevant to the final answer. And when that answer is returned, it may not be possible to tell what the actual reasoning process looked like behind the scenes.

It only makes sense that the same mechanism comes into play in strictly-verbal contexts.

Also, this is why "distillation attacks" are largely bullshit that Anthropic spreads for political purposes. Proper distillation requires access to the logits.

wren6991 29 minutes ago||

> Proper distillation requires access to the logits

Why do you need logits? Can't you just train on cross-entropy loss of the model against the hard decision, like you do in regular pretraining?

There are definitely current-gen open-weight models (Step 3.7 Flash is one) that refer to themselves as an OpenAI model in CoT, but not in the final response.

MagicMoonlight 2 hours ago||

[dead]

himata4113 2 hours ago||

All this effort to hide thinking and opus 4.8 after 100k-200k tokens starts to leak it's own thinking. It's comedy really.

ofjcihen 2 hours ago|

Oh man that’s only happened to me a few times but the result is so disorienting, especially since I’m usually jailbreaking it for security.

Pages of “I have to be careful, the user is asking that I do something related to cybersecurity that could easily be turned around and used offensively” but then happily gives me what I wanted.

msp26 2 hours ago|

> Summarized thinking provides the full intelligence benefits of extended thinking, while preventing misuse.

> preventing misuse.

Imagine not being able to read the tokens you are paying for.

TeMPOraL 1 hour ago|

You're metered by token generation, not paying for tokens.

More comments...