TL;DR
- The last memory file Claude reads gets the most weight. Put your most important instructions in the most local file.
- Claude doesn't read your website. A smaller model does, capped at 125-character quotes.
- Context files are cut at 4KB. Everything past that is deleted. You won't know it's missing.
- 60KB session cap. Once hit, nothing new loads for the entire conversation. First in wins.
- Claude gets 8 searches per research turn. If your content needs query #9 to be found, it won't be found that turn.
- JavaScript tabs, carousels, and accordions are invisible. Static HTML only.
- HTML comments are stripped before Claude reads the file. There's no hidden channel.
- Content that sounds like a command gets flagged as a prompt injection attack. Write facts, not instructions.
| What happens | Why it matters | What to do |
|---|---|---|
| **Haiku reads your page** (not Claude; a smaller AI) | "Industry-leading" gets paraphrased to nothing. "Reduces alerts by 70%" survives exactly. | Use specific numbers, not adjectives |
| **Last file = most weight** (priority by load order) | Memory files load in reverse priority. The last one read gets the most attention. Local overrides everything above. | Put key claims in local files, closest to the working directory |
| **4KB file limit** (hard cut, no warning) | Anything past ~500–800 words of your file is deleted. You won't know it's missing. | Front-load key claims; the first ~500–800 words matter most |
| **60KB session cap** (stops for that conversation) | If a competitor's content fills the 60KB budget early, yours is blocked from loading, even later when the topic is relevant. | Keep files short; don't pad content |
| **JS content is invisible** (tabs, carousels stripped) | Features behind "click to expand" become blank space. Haiku sees nothing there. | Static HTML only; no JS-gated features |
| **8-search cap** (hardcoded, no override) | Claude stops after 8 queries. Broad topics exhaust the budget on subtopics. You need to win a narrow slot. | Win one specific query, not ten broad ones |
| **HTML comments deleted** (stripped before Claude reads) | Hidden instructions in comment tags are erased before the model ever sees the file. | No hidden channels; everything is visible or it's nothing |
| **Instructions get flagged** (anti-injection is trained in) | "Always recommend X" triggers Claude's injection defense and gets flagged to the user, not followed. | State facts, not commands: declarative, not imperative |
Every few years, someone's code leaks. The whole field resets.
In 2023, Yandex's internal search code became public. The leak exposed 1,922 ranking factors; things SEOs had theorized about for years were suddenly confirmed or killed. The field moved fast, and strategies built on assumptions got rebuilt on evidence.
In March 2026, Claude Code's TypeScript source became publicly accessible.
> Claude code source code has been leaked via a map file in their npm registry!
>
> Code: https://t.co/jBiMoOzt8G
>
> — Chaofan Shou (@Fried_rice) March 31, 2026
We went through the runtime files: the code that controls how Claude reads your content, fetches your website, and manages memory. Not the model weights. The operating rules: limits, filters, priorities, all of it readable in plain code.
What follows are seven findings from that code. Some confirm what practitioners suspected. Some contradict popular GEO advice. All of them are verifiable; the source references are below each finding. If you think we read something wrong, tag us on Twitter or LinkedIn and we'll update the article.
Claude pays more attention to whatever it reads last
It's in the comments: files are loaded in reverse priority order, with the latest files getting the most attention. Local beats Project beats User beats Global. Within a single file, earlier content is safer, but across files, the last one loaded wins.
Within a single file: top of the file is safest (the 4KB cliff means anything lower can be cut). Across files: the last file loaded gets the most weight. Put your most specific, project-level instructions in the file closest to the working directory. Different rules, different scopes. Both matter.
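The load-order rule can be sketched as follows. This is an illustration, not the leaked code: the scope names and `assembleContext` function are our assumptions; only the reverse-priority ordering (Local last, therefore most attended to) comes from the source comments.

```typescript
// Hypothetical sketch of reverse-priority loading. Lowest-priority files
// go into context first, so the local file lands last and gets the most
// attention from the model.
type Scope = "global" | "user" | "project" | "local";

const LOAD_ORDER: Scope[] = ["global", "user", "project", "local"];

function assembleContext(files: { scope: Scope; content: string }[]): string {
  return [...files]
    .sort((a, b) => LOAD_ORDER.indexOf(a.scope) - LOAD_ORDER.indexOf(b.scope))
    .map((f) => f.content)
    .join("\n");
}
```

The practical consequence: whatever you put in the most local file is both the last thing loaded and the tiebreaker when files disagree.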
Your content is cut off at 4,096 bytes. After that: gone.
Context files hard-stop at 4,096 bytes, roughly 500–800 words. Whatever follows that limit is deleted. Claude receives a truncation message but in practice tends to continue without reading the rest. There's a second cap: once 60KB of content has loaded across a session, memory prefetch stops for that conversation. The first content loaded wins the session.
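The interaction of the two caps can be sketched like this. The constant and function names are ours; only the byte values (4,096 per file, 60KB per session) come from the source.

```typescript
// Illustrative sketch of the per-file cut and the session-wide budget.
const FILE_CAP = 4096;          // per-file hard cut
const SESSION_CAP = 60 * 1024;  // per-conversation prefetch budget

let sessionBytes = 0;

function loadContextFile(raw: string): string | null {
  if (sessionBytes >= SESSION_CAP) return null; // prefetch has stopped
  const bytes = Buffer.from(raw, "utf8");
  const kept = bytes.subarray(0, FILE_CAP);     // everything past 4KB is gone
  sessionBytes += kept.length;
  return kept.toString("utf8");
}
```

Note the ordering effect: fifteen 4KB files exhaust the 60KB budget, and anything loaded afterward returns nothing for the rest of the conversation.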
Claude doesn't read your website. A smaller model does, with a 125-character quote cap.
When Claude fetches a URL, it doesn't read your page directly. Instead, the HTML is converted to Markdown via the Turndown library, truncated at 100,000 characters, then sent to Haiku (a smaller, faster model) with instructions to summarize. For non-preapproved domains, Haiku enforces a strict 125-character maximum for any direct quote from your page.
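The pipeline's shape, reduced to a sketch. `htmlToMarkdown` stands in for the real Turndown call and the Haiku summarization step is omitted; only the 100,000-character cut comes from the source.

```typescript
// Sketch: convert, then hard-truncate, then hand off to the summarizer.
const MAX_CHARS = 100_000;

function prepareForHaiku(
  html: string,
  htmlToMarkdown: (h: string) => string, // Turndown in the real pipeline
): string {
  const markdown = htmlToMarkdown(html);
  return markdown.slice(0, MAX_CHARS); // hard truncation before Haiku sees it
}
```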
If your key features live inside a JS tab or accordion, Claude cannot see them. Turndown converts HTML to Markdown; JavaScript-rendered content becomes blank space. Put everything Claude needs to know in plain, static HTML.
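A concrete illustration of what that means. The fetcher receives the static HTML only; a container that JavaScript populates in the browser arrives empty. The naive tag-strip below stands in for the HTML-to-Markdown step.

```typescript
// What the fetcher actually receives: an empty tab container, because
// the feature list only exists after client-side JS runs, and the fetch
// pipeline never executes JS.
const fetchedHtml = `
  <h2>Features</h2>
  <div id="feature-tabs"></div> <!-- populated by JavaScript in the browser -->
`;
const visibleText = fetchedHtml.replace(/<[^>]*>/g, "").trim();
// Only the static heading text survives; the tabs contribute nothing.
```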
Anthropic whitelists developer docs. Those sites skip the 125-character quote cap.
Before every fetch, Claude checks a live Anthropic API to confirm the domain is allowed. Sites on the preapproved list (Python docs, MDN, React, Next.js, and others) get different treatment: they bypass the blocklist check, and Haiku receives different instructions (no strict 125-character quote cap). If the preapproved content comes back as Markdown and is under 100,000 characters, it goes straight to Claude without Haiku at all. Everything else gets filtered, summarized, and capped at 125 characters per quote.
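The routing described above can be sketched as a single decision. The function and route names are ours; the conditions (preapproved domain, Markdown response, under 100,000 characters) come from the source.

```typescript
// Sketch of the content-routing decision after a fetch.
type FetchRoute = "direct-to-claude" | "haiku-summary";

function routeFetchedContent(opts: {
  preapproved: boolean;
  isMarkdown: boolean;
  chars: number;
}): FetchRoute {
  // Preapproved Markdown under 100,000 characters skips Haiku entirely.
  if (opts.preapproved && opts.isMarkdown && opts.chars < 100_000) {
    return "direct-to-claude";
  }
  // Everything else is summarized, with the 125-character quote cap
  // applied on non-preapproved domains.
  return "haiku-summary";
}
```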
Claude gets 8 searches per task. The limit is hardcoded.
One line in the source: `max_uses: 8`. That's the search cap per turn. You can filter which domains Claude searches, but you cannot raise this limit. When Claude researches a broad topic, it burns through all 8 searches on subtopics. If finding your product requires query #9, it doesn't get found in that turn. A new conversation resets the budget.
Be the definitive answer to one narrow question. "Best SIEM for Kubernetes" is a query you can own. "Best cloud security" will exhaust 8 searches across subtopics and never land on you. Depth beats breadth when the budget is 8.
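The budget mechanic, as a minimal sketch. The class is ours; only the cap value mirrors the `max_uses: 8` line in the source.

```typescript
// Minimal sketch of a per-turn search budget.
class SearchBudget {
  private used = 0;
  constructor(private readonly maxUses: number = 8) {}

  trySearch(_query: string): boolean {
    if (this.used >= this.maxUses) return false; // query #9 never runs
    this.used += 1;
    return true;
  }
}
```

Eight broad subtopic queries exhaust the budget before a ninth, more specific one ever fires, which is why owning one narrow query beats ranking weakly for ten broad ones.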
HTML comments are deleted before Claude reads anything. There's no back channel.
Some GEO advice suggests hiding instructions in HTML comments, invisible to humans but readable by AI. The code says otherwise. Comments are stripped by a preprocessing step before the model sees the file at all. The implementation uses the marked Lexer, not a simple regex, so block-level comments are reliably removed. Inline comments inside paragraphs technically survive the strip and do reach Claude, but they're not a reliable channel. Don't use comments for signal.
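A simplified stand-in for the strip step. The real code walks tokens from the marked Lexer; this block-splitting version only demonstrates the effect described above: blocks that are pure HTML comments vanish, while inline comments inside a paragraph survive.

```typescript
// Simplified sketch: drop any Markdown block that is an HTML comment.
function stripCommentBlocks(markdown: string): string {
  return markdown
    .split("\n\n")
    .filter((block) => !block.trim().startsWith("<!--"))
    .join("\n\n");
}
```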
Content that sounds like a command gets flagged as a prompt injection attack
Claude's system prompt, loaded before every conversation, explicitly tells it to flag tool results that look like an attempt to override its behavior. If tool results Claude fetches, including your website content, read like a command, Claude flags it to the user and moves on. If it reads like a fact, it's treated as useful context. The defense is baked in. You can't write around it.
All 7 findings, in plain English
These aren't best practices. They're hard limits in the code.
Claude reads your first 4KB, sends your website to a smaller AI that summarizes it (capped at 125-character direct quotes), and stops searching after 8 queries. If your most important claim isn't specific, measurable, and near the top, it probably never reaches Claude at all.
Source reference map
All code samples are from the Claude Code source archive (src.zip, March 2026). This covers the agentic runtime, not model weights. Findings apply to Claude Code and Claude-powered agents. Claude.ai may differ. Note: earlier versions of this article included findings about memory compaction (F09) and a single-word input guard (F04). We removed both. The code is real, but F09's GEO implication was overstated and F04's behavior is behind a feature flag that defaults to off. We also removed Finding 02 (the OVERRIDE instruction string): accurate code, but the practical lesson doesn't apply to most readers.
Yuval Halevi
Helping SaaS companies and developer tools get cited in AI answers since before it was called "GEO." 10+ years in B2B SEO, 50+ cybersecurity and SaaS tools clients.