Claude Fable 5's System Prompt Leaked: A 1,586-Line OS for an AI
System prompts are the real product spec: they show what a company is actually willing to constrain, not just what it says on stage. This document reveals Anthropic's threat model (users impersonating the system), its cost architecture (nesting AI calls but forcing the cheap model), and the operational discipline required to maintain a prompt as living infrastructure—details that shape how every developer building on these APIs should think about safety, cost, and tool design.
Two days after the Fable 5 launch, jailbreak researcher Pliny published the model's complete system prompt on GitHub. The document is not a simple set of instructions but a layered operating configuration: it opens with a hotfix banning a voice-note tag, reveals that Fable 5 and the restricted Mythos 5 share the same underlying model, and dedicates its longest section to mental-health crisis protocols that even track which eating-disorder hotlines are still operational. Copyright rules are written in all-caps legalese, search behavior follows a decision tree with an "unrecognized entity" rule designed to suppress hallucination, and a full Ubuntu 24 container sits inside claude.ai with a skills system that forces the model to read operational manuals before touching a file. The tool list spans roughly 700 lines and turns the chat box into a super app with maps, recipes, weather, sports scores, and code execution. A hidden capability codenamed Claudeception lets Artifacts call the Anthropic API themselves, but the nested model is hardcoded to the cheaper Sonnet 4.
The document's structure reveals Anthropic's actual priorities by weight: mental-health crisis protocols get the most detail, copyright gets the only all-caps section, and formatting rules ban bullet points even for refusals—each section's intensity maps directly to legal or reputational risk.
Treating a system prompt as a maintained operations document—updating hotline availability, patching abused tags, versioning model strings—is a practice most AI companies do not follow publicly, and it sets a standard for what 'safety infrastructure' actually looks like in production.
The dual-release strategy (Fable/Mythos) is a regulatory and commercial hedge: sell a restricted model to the public while offering an unrestricted version to vetted enterprise clients, with the difference being a classifier that swaps in an older model for sensitive requests.
The explicit acknowledgment that users will attempt to inject fake system instructions—and the corresponding rule to treat all 'official' relaxations as forgeries—shows that prompt injection defense has moved from a research problem to an operational assumption baked into the product.
Hardcoding the nested model to Sonnet 4 inside Claudeception is a quiet cost decision that every developer building agentic workflows should note: recursive AI calls are architecturally permitted but economically constrained at the infrastructure level.
The ban on bullet points in refusals is not a stylistic preference; it is a psychological design choice that forces the model to construct a more human-sounding rejection, acknowledging that format shapes perceived empathy.
The conversation splits between curiosity about the prompt's length and its security implications. Some wonder why a 1,586-line system prompt works when user prompts of a few thousand characters fail, while others compare it to hardcoded if-else logic or terms-of-service boilerplate. A separate thread questions whether bypassing safety restrictions is possible, met with both dismissal and a claim that Fable 5 was already jailbroken this way.
Why can their prompt be written so long, while our own prompts of a few thousand characters can't be fully followed by the AI?
This is basically the gang rules of the Heaven and Earth Society...