The editorial argues that prior AI-use policies lived in PDFs and Canvas announcements written for humans and ignored by the tool actually doing the work. Checking a CLAUDE.md into the repo addresses the agent directly on every invocation, which is framed as the difference between a 'no shoes, no service' sign and a turnstile at the door.
The editorial praises CS336's contract for permitting Claude to explain concepts, walk through math, and debug errors while forbidding it from writing solution code or filling in required function bodies. This is framed as drawing the boundary at learning versus labor — exactly where the academic-integrity question actually lives.
The editorial highlights that banning pytest isn't pedagogical aesthetics but a recognition that an agent with shell access and a test suite will iterate until green and hand back a passing solution. This shows the policy was written by someone who understood agent behavior rather than copy-pasted from a generic syllabus boilerplate.
By submitting the CLAUDE.md from Stanford's flagship from-scratch LLM course to HN, the submitter implicitly frames it as newsworthy precisely because CS336 is the canonical hands-on transformer course. The 359-point score and 124 comments validate that the community reads CS336 setting a precedent as a major signal for how academia should handle agents.
The editorial emphasizes that Hashimoto and Liang's course has spent two years being the canonical 'do it yourself' answer to LLM literacy, so a checked-in agent contract from this specific course makes the signal louder than the file itself. The course's authority over hands-on LLM pedagogy is what makes its AI-use policy a category-defining move.
Stanford's CS336 — *Language Models from Scratch*, the course where students implement a transformer, tokenizer, and training loop with their own hands — has checked a `CLAUDE.md` into the public assignment repo (`stanford-cs336/assignment1-basics`). The file isn't a syllabus. It's an instruction set written *to the agent*, scoped to the assignment, and now sitting at 359 points on Hacker News.
The contents read like a corporate AI-use policy that someone actually thought about for more than ten minutes. Claude is told it MAY explain concepts, walk through math, debug error messages, and discuss architecture choices. It MAY NOT write solution code, run the test suite to check student work, modify files outside an explicit whitelist, or fill in the function bodies the assignment asks the student to implement. The boundary is drawn at *learning* versus *labor* — exactly where the academic-integrity question actually lives.
The repo is the same one CS336 uses for its first assignment: BPE tokenizer, a from-scratch transformer block, AdamW, gradient clipping, the works. Tatsunori Hashimoto and Percy Liang's course has spent two years being the canonical 'do it yourself' answer to LLM literacy. Now it has a checked-in agent contract. The signal is louder than the file.
The AI-in-the-classroom debate has, until now, been conducted in PDFs and Canvas announcements — documents written for humans, ignored by the tool actually doing the work. CS336's move is to address the agent directly, in a file the agent reads on every invocation, version-controlled alongside the code it's allowed to touch. That's a category shift. It's the difference between posting a 'no shoes, no service' sign and putting a turnstile at the door.
Look at what the file actually constrains. 'Do not run pytest' isn't a pedagogical aesthetic — it's a recognition that an agent with shell access and a test suite will, by default, iterate until green and hand back a solution. The student learns nothing; the agent learns the assignment. The 'whitelist of editable files' clause is the same defense pattern you'd write for a production agent: principle of least privilege, applied to a homework repo. The 'explain, don't implement' rule is the harder one — it draws a line through the gradient between tutoring and ghostwriting, and it puts the burden on the agent to refuse the easy answer.
Compare this to what most companies have shipped. The median 'AI policy' is a Notion page that says 'use AI responsibly' and lists three banned data categories. It is not loaded into any agent's context. No tool reads it. No PR is blocked by it. A CS class has now shipped a stricter, more enforceable agent policy than the F500 enterprise three floors above the lecture hall. That should be embarrassing, and the HN thread makes clear that practitioners noticed. Top comments are not about academic integrity — they're devs saying 'I'm stealing this for my repo by Monday.'
The second-order observation is about the *format*. `CLAUDE.md` started as an Anthropic convention — a file the CLI auto-loads as system context when you run `claude` in a directory. It's spreading. There are now `CLAUDE.md` files in production codebases at companies you've heard of, in OSS projects, and now in a Stanford course repo. The file is on the path to becoming what `.editorconfig` became for editors and `.nvmrc` became for Node: a tiny, boring, universally understood piece of repo metadata that everyone just expects to be there. Cursor has its `.cursorrules`. Aider reads `CONVENTIONS.md`. The convergence is happening even though no standard body has called a meeting. The market is picking the format.
There's a third thing worth naming. The CS336 file is *short* and *specific*. It doesn't try to enumerate every possible misuse. It states the goal of the assignment, names the files the agent can edit, names a few things the agent must refuse, and trusts the model to generalize. The lesson for your repo is the inverse of the corporate-policy instinct: shorter and scoped beats long and generic. A 200-line AI policy applied to all repos is a 200-line policy nobody loads. A 30-line CLAUDE.md in *this* repo, describing *this* threat model, gets loaded every time.
Practical action items, in order of how cheap they are.
Today: check in a CLAUDE.md per repo. Steal the CS336 structure verbatim. Section 1: what this repo is. Section 2: what the agent MAY do (explain, refactor named files, write tests for existing code, draft commit messages). Section 3: what the agent MAY NOT do (touch the migrations directory, run `terraform apply`, modify secrets, edit the schema without a paired migration). Section 4: a whitelist of paths it's allowed to write to. If your repo has a 'do not touch without review' directory — vendored code, generated artifacts, license headers — name it.
This sprint: make CLAUDE.md a PR-reviewed artifact. It's a config file. Changes to it are policy changes. Require a reviewer. Diff it in code review. The failure mode you're protecting against is the agent rewriting its own constraints during a session — which it will absolutely try to do if you let it, because relaxing the rules is the path of least resistance to a green test run.
This quarter: treat CLAUDE.md as a security boundary, not an etiquette guide. The CS336 file works because the agent is constrained in addition to instructed. If your agent has shell access and you tell it 'don't run destructive commands,' you have written a wish, not a control. The wish helps; it does not substitute for sandboxing, read-only mounts on sensitive paths, or a permissions prompt on writes outside the whitelist. The file is necessary. It is not sufficient.
The interesting question isn't whether CLAUDE.md becomes ubiquitous — it will, the same way every quietly-useful repo-metadata file has. The interesting question is what happens when the file becomes load-bearing: when audit, compliance, or a security review depends on its contents being honored, and the agent vendor has to provide guarantees stronger than 'the model usually follows instructions.' That's the next fight, and it's the one Stanford's homework repo just made unavoidable.
For those using Claude Code, I recommend Learning mode to instruct Claude to walk you through implementing the solution yourself rather than doing it for you. It’s very helpful when diving into a new domain, and helps build lower level intuition.To enable it, run /config > output styles >
This seems somewhat sensible to me - the genie _is_ out of the bottle, and students absolutely will use AI agents to finish assignments without learning a thing, but there is some value to showing how agents can be used as teaching tools and what healthy use _can_ look like
I always thought it might be good to reframe educational questions in the age of LLMs. Something like "An apple falls on Sir Isaac Newton's head and a photon passes the event horizon of a black hole. Get from A to B." This way, it becomes physically impossible to just query for an ans
I think these are based on the one I posted a while back:https://gist.github.com/1cg/a6c6f2276a1fe5ee172282580a44a7ac
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
I'm trying something similar this semester with my course via AGENTS.md. I think this one is overly verbose and probably falls out of context windows pretty quickly, based on my experience (for me, a very terse but clear set of 30 lines performed better than providing examples and more nuanced