TL;DR Your Pro tip: before adding something to Here are some parts of my Also see:<\/p>\n For project-specific instructions, put them in the project-level The highest-signal content in your project Also see:<\/p>\n For language-specific or per-file rules<\/a>, put them in For instance, The full rules I have:<\/p>\n There are some useful configurations<\/a> you could set in your Highlights:<\/p>\n The full settings I use:<\/p>\n If you're not using a sandbox or devcontainer for Claude Code, you may want to block some evil<\/strong> commands in your However, Though, Claude Code can still write a one-time script to read sensitive data<\/strong> and bypass all of the above defenses. So the safest approach is using sandbox after all.<\/p>\n Also see:<\/p>\n Claude Code Plugins<\/a> are simply a way to package skills, commands, agents, hooks, and MCP servers. Distributing them as a plugin has the following advantages:<\/p>\n To install a plugin, you need to add a marketplace first. A marketplace is usually just a GitHub repo. Think of it as a namespace.<\/p>\n Here are plugins I use:<\/p>\n Skills<\/a> can contain executable scripts and hooks, not just Markdown. Use with caution!<\/strong> When in doubt, have your agent review them first.<\/p>\n Here are skills I use, mostly installed per project when needed:<\/p>\n Highlights:<\/p>\n You can find more skills on skills.sh<\/a>.<\/p>\n You probably don't need any MCP servers<\/a> if you can do the same thing with CLI + skills.<\/p>\n No, just use the No, you should use the No, you should use the Trail of Bits' Yes, ironically. Other coding agents like Claude Code can use Codex via MCP, which is slightly more stable than directly invoking it with However, since OpenAI releases the official Claude Code plugin: codex-plugin-cc<\/a>, you should probably use that instead.<\/p>\n Use Claude Code has a customizable statusline<\/a> at the bottom of the terminal. You can run any script that outputs text.<\/p>\n Mine shows the current model, the current working folder, the git branch, and a grammar-corrected version of my last prompt (because my English needs all the help it can get). The grammar correction runs an ad-hoc You can invoke What each flag does:<\/p>\n You can get independent code reviews or brainstorming input from other model families (Codex, Gemini) without leaving Claude Code. I have two skills for this:<\/p>\n This works because each model family has different training biases. Claude might miss something Codex catches, and vice versa. It's especially useful for architecture decisions and "what should I build next" brainstorming.<\/p>\n","protected":false},"excerpt":{"rendered":" I've used Claude Code daily since it came out. These are the best practices, tools, and configuration patterns that I learned. Most of this applies to other coding agents (Codex, Gemini CLI) too.<\/p>\n","protected":false},"author":1,"featured_media":904,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[97],"tags":[127,153,101,154],"class_list":["post-903","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-about-ai","tag-chat-bot","tag-claude-code","tag-cli-tool","tag-coding-agent"],"_links":{"self":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/posts\/903","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/comments?post=903"}],"version-history":[{"count":0,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/posts\/903\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/media\/904"}],"wp:attachment":[{"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/media?parent=903"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/categories?post=903"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vinta.ws\/code\/wp-json\/wp\/v2\/tags?post=903"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nMy configs, plugins, and skills for Claude Code:
\nhttps:\/\/github.com\/vinta\/hal-9000<\/a><\/p>\n<\/blockquote>\nCLAUDE.md<\/h2>\n
The Global CLAUDE.md<\/h3>\n
~\/.claude\/CLAUDE.md<\/code> should only contain:<\/p>\n\n
CLAUDE.md<\/code>, ask it, "Is this already covered in your system prompt?"<\/strong><\/p>\nCLAUDE.md<\/code> I found useful:<\/p>\n<prefer_online_sources>\nYour training data goes stale. Config keys get renamed, APIs get deprecated, CLI flags change between versions. When you guess instead of checking, the user wastes time debugging your confident-but-wrong output. This has happened repeatedly.\n\nLook things up with the find-docs<\/code> skill or WebSearch<\/code> BEFORE writing code or config. This applies even when you feel confident about the answer. Always look up:\n\n- Config file keys, flags, syntax, and environment variables for any tool\n- Library\/framework API calls, module paths, and parameter names\n- CLI flags and subcommands\n- Dependency versions\n- Best practices and recommended patterns\n- Assertions about external tool behavior, even when confident\n\nThe cost of a lookup is seconds. The cost of a wrong config key is a failed run plus a debugging round-trip.\n<\/prefer_online_sources>\n\n<auto_commit if=\"you have completed the user's requested change\">\nUse the commit<\/code> skill to commit, always passing a brief description of what changed (e.g. \/commit add login endpoint<\/code>). Don't batch unrelated changes into one commit.\n<\/auto_commit><\/code><\/pre>\n\n
The Project CLAUDE.md<\/h3>\n
CLAUDE.md<\/code>.<\/p>\nCLAUDE.md<\/code> (or any skill) is the Gotchas<\/strong> section. Build these from the failure points Claude Code actually runs into.<\/p>\n\n
Per File Type Rules<\/h3>\n
~\/.claude\/rules\/<\/code>, so Claude Code only loads them when editing those file types.<\/p>\n~\/.claude\/rules\/typescript-javascript.md<\/code>:<\/p>\n---\npaths:\n - \"**\/*.ts\"\n - \"**\/*.tsx\"\n - \"**\/*.js\"\n - \"**\/*.jsx\"\n - \"docs\/**\/*.md\"\n---\n\n# TypeScript \/ JavaScript\n\n- Before adding a dependency, search npm or the web for the latest version\n- Pin exact dependency versions in package.json<\/code> \u2014 no ^<\/code> or ~<\/code> prefixes\n- Use node:<\/code> prefix for Node.js built-in modules (e.g., node:fs<\/code>, node:path<\/code>)\n- Use const<\/code> by default, let<\/code> when reassignment is needed, never var<\/code>\n- Prefer async<\/code>\/await<\/code> over .then()<\/code> chains\n- Use template literals over string concatenation\n- Use optional chaining (?.<\/code>) and nullish coalescing (??<\/code>) over manual checks\n- Never use as any<\/code> or unknown<\/code>. Always write proper types\/interfaces. Only use any<\/code> or unknown<\/code> as a last resort when no typed alternative exists\n- Prefer interface<\/code> over type<\/code> for object shapes (extendable, better error messages)\n- Avoid enums. Use union types (type Status = 'active' | 'inactive'<\/code>) or as const<\/code> objects\n- Don't prefix interfaces with I<\/code> or type aliases with T<\/code> (e.g., User<\/code> not IUser<\/code>)\n- Mark properties and parameters readonly<\/code> when they should not be mutated\n- Do not add explicit return types. Let TypeScript infer them\n\n<verify_with_browser if=\"you completed a frontend change (UI component, page, client-side behavior)\" only_if=\"playwright-cli skill is installed in project or user scope\">\nAfter implementing frontend changes, use the playwright-cli<\/code> skill to visually verify the result in a real browser. Check layout, responsiveness, and interactive behavior rather than assuming correctness from code alone.\n<\/verify_with_browser><\/code><\/pre>\n\n
Configurations<\/h2>\n
Settings<\/h3>\n
~\/.claude\/settings.json<\/code>:<\/p>\n{\n \"env\": {\n \"CLAUDE_CODE_BASH_MAINTAIN_PROJECT_WORKING_DIR\": \"1\",\n \"CLAUDE_CODE_DISABLE_ADAPTIVE_THINKING\": \"1\",\n \"CLAUDE_CODE_EFFORT_LEVEL\": \"max\",\n \"CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS\": \"1\",\n \"CLAUDE_CODE_NEW_INIT\": \"1\",\n \"CLAUDE_CODE_NO_FLICKER\": \"1\",\n \"ENABLE_CLAUDEAI_MCP_SERVERS\": \"false\",\n \"USE_BUILTIN_RIPGREP\": \"0\"\n },\n \"permissions\": {\n \"allow\": [\"...\"],\n \"deny\": [\"...\"],\n \"ask\": [\"...\"],\n \"defaultMode\": \"auto\",\n \"additionalDirectories\": [\n \"~\/Projects\"\n ]\n },\n \"cleanupPeriodDays\": 365,\n \"showThinkingSummaries\": true,\n \"showClearContextOnPlanAccept\": true,\n \"voiceEnabled\": true\n}<\/code><\/pre>\n\n
"CLAUDE_CODE_DISABLE_ADAPTIVE_THINKING": "1"<\/code>: To mitigate the Claude Code Degradation<\/a> issue<\/li>\n"CLAUDE_CODE_EFFORT_LEVEL": "max"<\/code>: Same as above<\/li>\n"CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS": "1"<\/code>: Enable Agent Team<\/a> feature, a fancy way to consume a huge amount of tokens<\/li>\n"permissions.defaultMode": "auto"<\/code>: We use this to pretend it's safer than --dangerously-skip-permissions<\/code><\/li>\n"cleanupPeriodDays": 365<\/code>: By default, your chat history (location: ~\/.claude\/projects\/<\/code>) will be deleted after 30 days. If you want to keep them, set a higher number<\/li>\n"voiceEnabled": true<\/code>: Enable Voice Dictation<\/a> feature. Code like a boss!<\/li>\n<\/ul>\n\n
Permissions<\/h3>\n
~\/.claude\/settings.json<\/code>:<\/p>\n{\n \"permissions\": {\n \"deny\": [\n \"Read(~\/.aws\/**)\",\n \"Read(~\/.config\/**)\",\n \"Read(~\/.docker\/**)\",\n \"Read(~\/.dropbox\/**)\",\n \"Read(~\/.gnupg\/**)\",\n \"Read(~\/.gsutil\/**)\",\n \"Read(~\/.kube\/**)\",\n \"Read(~\/.npmrc)\",\n \"Read(~\/.orbstack\/**)\",\n \"Read(~\/.pypirc)\",\n \"Read(~\/.ssh\/**)\",\n \"Read(~\/*history*)\",\n \"Read(~\/**\/*credential*)\",\n \"Read(~\/Library\/**)\",\n \"Write(~\/Library\/**)\",\n \"Edit(~\/Library\/**)\",\n \"Read(~\/Dropbox\/**)\",\n \"Write(~\/Dropbox\/**)\",\n \"Edit(~\/Dropbox\/**)\",\n \"Read(\/\/etc\/**)\",\n \"Write(\/\/etc\/**)\",\n \"Edit(\/\/etc\/**)\",\n \"Bash(su *)\",\n \"Bash(sudo *)\",\n \"Bash(passwd *)\",\n \"Bash(env *)\",\n \"Bash(printenv *)\",\n \"Bash(history *)\",\n \"Bash(fc *)\",\n \"Bash(eval *)\",\n \"Bash(exec *)\",\n \"Bash(rsync *)\",\n \"Bash(sftp *)\",\n \"Bash(telnet *)\",\n \"Bash(socat *)\",\n \"Bash(nc *)\",\n \"Bash(ncat *)\",\n \"Bash(netcat *)\",\n \"Bash(nmap *)\",\n \"Bash(kill *)\",\n \"Bash(killall *)\",\n \"Bash(pkill *)\",\n \"Bash(chmod *)\",\n \"Bash(chown *)\",\n \"Bash(chflags *)\",\n \"Bash(xattr *)\",\n \"Bash(diskutil *)\",\n \"Bash(mkfs *)\",\n \"Bash(security *)\",\n \"Bash(defaults *)\",\n \"Bash(launchctl *)\",\n \"Bash(osascript *)\",\n \"Bash(dscl *)\",\n \"Bash(networksetup *)\",\n \"Bash(scutil *)\",\n \"Bash(systemsetup *)\",\n \"Bash(pmset *)\",\n \"Bash(crontab *)\"\n ],\n \"ask\": [\n \"Bash(curl *)\",\n \"Bash(wget *)\",\n \"Bash(open *)\",\n \"Bash(*install*)\",\n \"Bash(uv add *)\",\n \"Bash(bun add *)\",\n \"Bash(git push *)\",\n ]\n },\n \"hooks\": {\n \"PreToolUse\": [\n {\n \"matcher\": \"Bash\",\n \"hooks\": [\n {\n \"type\": \"command\",\n \"command\": \"python3 ~\/.claude\/hooks\/guard-bash-paths.py\"\n }\n ]\n }\n ]\n }\n}<\/code><\/pre>\n"deny": ["Read(~\/.aws\/**)", "Read(~\/.kube\/**)", ...]<\/code> alone is not enough, since Claude Code can still read sensitive files through the Bash<\/code> tool. You can write a simple hook to intercept Bash<\/code> commands that access blocked files, like this guard-bash-paths.py<\/code><\/a> hook.<\/p>\n\n
Plugins<\/h2>\n
\n
~\/.claude\/settings.json<\/code> manually)<\/li>\n\/plugin-name:your-skill-name<\/code> prefix (no more conflicts)<\/li>\n<\/ul>\nclaude plugin marketplace add anthropics\/claude-plugins-official\nclaude plugin marketplace add openai\/codex-plugin-cc\nclaude plugin marketplace add slavingia\/skills\nclaude plugin marketplace add trailofbits\/skills\nclaude plugin marketplace add vinta\/hal-9000\n\n# then enter Claude Code to browse plugins\n\/plugin<\/code><\/pre>\n\n
Skills<\/h2>\n
# my skills\nnpx skills add https:\/\/github.com\/vinta\/hal-9000 --skill commit magi second-opinions -g\nnpx skills add https:\/\/github.com\/vinta\/dear-ai\n\n# writing skills\nnpx skills add https:\/\/github.com\/softaworks\/agent-toolkit --skill writing-clearly-and-concisely humanizer naming-analyzer\nnpx skills add https:\/\/github.com\/hardikpandya\/stop-slop\nnpx skills add https:\/\/github.com\/shyuan\/writing-humanizer\n\n# doc skills\nnpx skills add https:\/\/github.com\/upstash\/context7 --skill find-docs -g\n\n# backend skills\nnpx skills add https:\/\/github.com\/trailofbits\/skills --skill modern-python\nnpx skills add https:\/\/github.com\/vintasoftware\/django-ai-plugins\nnpx skills add https:\/\/github.com\/supabase\/agent-skills\nnpx skills add https:\/\/github.com\/planetscale\/database-skills\nnpx skills add https:\/\/github.com\/cloudflare\/skills\n\n# frontend skills\nnpx skills add https:\/\/github.com\/vercel-labs\/agent-skills\nnpx skills add https:\/\/github.com\/vercel-labs\/next-skills\n\n# design skills\nnpx skills add https:\/\/github.com\/openai\/skills --skill frontend-skill\nnpx skills add https:\/\/github.com\/pbakaus\/impeccable\nnpx skills add https:\/\/github.com\/nextlevelbuilder\/ui-ux-pro-max-skill\n\n# video skills\nnpx skills add https:\/\/github.com\/remotion-dev\/skills\n\n# browser skills\nnpx skills add https:\/\/github.com\/vercel-labs\/agent-browser\nnpx skills add https:\/\/github.com\/microsoft\/playwright-cli\n\nnpx skills list -g\nnpx skills update -g\nnpx skills remove --all -g<\/code><\/pre>\n\n
\/brainstorming<\/code> from superpowers<\/a>: When in doubt, start with this skill<\/li>\n\/writing-skills<\/code> from superpowers<\/a>: Use this skill to improve your skills<\/li>\n\/skill-creator<\/code> from claude-plugins-official<\/a>: Use this skill to evaluate<\/strong> your skills<\/li>\n\/find-docs<\/code> from context7<\/a>: Find the latest documentations<\/li>\n\/frontend-design<\/code> from impeccable<\/a>: The better version of the official \/frontend-design<\/code> skill<\/li>\n\/simplify<\/code>: Run it often, you will like it<\/li>\n\/insights<\/code>: Analyze your Claude Code sessions<\/li>\n<\/ul>\nMCP Servers<\/h2>\n
Context7 MCP<\/h2>\n
ctx7<\/code> CLI with find-docs<\/code> skill instead.<\/p>\nnpx ctx7 setup<\/code><\/pre>\n\n
Playwright MCP<\/h3>\n
playwright-cli<\/code> or agent-browser<\/code> skill instead. Both tools support headed mode<\/strong> (the opposite of headless), if you'd like to see the browser.<\/p>\nnpm install -g @playwright\/cli@latest\nnpx skills add https:\/\/github.com\/microsoft\/playwright-cli\n\nnpm install -g agent-browser\nagent-browser install\nnpx skills add https:\/\/github.com\/vercel-labs\/agent-browser<\/code><\/pre>\n\n
GitHub MCP<\/h3>\n
gh<\/code> command instead.<\/p>\nbrew install gh<\/code><\/pre>\ngh-cli<\/code> plugin is also worth a look, though you should check how it uses hooks to intercept GitHub fetch requests. Quite controversial for a security company.<\/p>\n\n
Codex MCP<\/h3>\n
codex exec<\/code> via CLI.<\/p>\n# Codex reads your local .codex\/config.toml by default\nclaude mcp add codex --scope user -- codex mcp-server\n\n# You can still override some configs\nclaude mcp add codex --scope user -- codex -m gpt-5.3-codex-spark -c model_reasoning_effort=\"high\" mcp-server<\/code><\/pre>\n\n
Some Other Tips<\/h2>\n
Prompt Best Practices<\/h3>\n
\n
Command Aliases<\/h3>\n
# in ~\/.zshrc\nalias cc=\"claude --enable-auto-mode --teammate-mode tmux\"\nalias ccc=\"claude --enable-auto-mode --continue --teammate-mode tmux\"\nalias cct='tmux -CC new-session -s \"claude-$(date +%s)\" claude --enable-auto-mode --teammate-mode tmux'\nalias ccy=\"claude --teammate-mode tmux --dangerously-skip-permissions\"\nccp() { claude --no-chrome --no-session-persistence -p \"$*\"; }<\/code><\/pre>\nccp<\/code> for ad-hoc prompts:<\/p>\nccp \"commit\"\nccp \"list all .md in this repo\"<\/code><\/pre>\n\n
Customize Your Statusline<\/h3>\n
claude<\/code> command inside the statusline script.<\/p>\n![\"Claude](\"https:\/\/raw.githubusercontent.com\/vinta\/hal-9000\/main\/assets\/claude-code-statusline-grammar-check.png\")
<\/p>\n\n
Run Ad-Hoc Claude Commands Inside Scripts<\/h3>\n
claude<\/code> as a one-shot CLI tool from hooks, statusline scripts, CI, or anywhere else. The trick is using the right flags to get a clean, isolated call with zero side effects:<\/p>\ncmd = \"\"\"\n claude\n --model haiku\n --max-turns 1\n --setting-sources \"\"\n --tools \"\"\n --disable-slash-commands\n --no-session-persistence\n --no-chrome\n --print\n\"\"\"\n\nresult = subprocess.run(\n [*shlex.split(cmd), your_prompt],\n capture_output=True,\n text=True,\n timeout=15,\n cwd=\"\/tmp\",\n)<\/code><\/pre>\n\n
--setting-sources ""<\/code>: don't load hooks (avoids infinite recursion if called from a hook)<\/li>\n--no-session-persistence<\/code> and cwd="\/tmp"<\/code>: avoid polluting your current context<\/li>\n--tools ""<\/code>: no file access, no bash, pure text in\/out<\/li>\n--no-chrome<\/code>: skip the Chrome integration<\/li>\n<\/ul>\nMulti-Model Second Opinions<\/h3>\n
\n