I bet you could derive a lot by using a packet sniffer while using CC and just watch the calls go back and forth to the LLM API. In every API request you'll get the full prompt (system prompt aside), and they can't offload all the magic to the server side because tool calls have to be done locally. Also, LLMs can probably de-minimize the minimized JavaScript in the CC client so you can inspect the source too.
edit: There's a tool, I haven't used it in forever, I think it was netsaint(?), that let you sniff HTTPS in clear text with some kind of proxy. The enabling requirement is sniffing traffic on localhost, iirc, which would be the case with CC.