Pillar: heavy-user-configs | Date: April 2026
Scope: Named power users' actual dotfiles, settings.json, CLAUDE.md files, slash commands, and hooks as used in Q1-Q2 2026 — not blog posts but live config repos. Covers: Steve Yegge, Geoffrey Huntley, Harper Reed, Simon Willison, Mitchell Hashimoto, Anthropic eng team, Aider/Cursor/Goose communities, Claude Code Discord. Documents how many parallel sessions each runs, their worktree strategy, which hooks live in settings.json, which slash commands earn rent, and how they handle memory/continuity.
Sources: 32 gathered, consolidated, synthesized.
Central finding: The gap between light and heavy Claude Code users is not prompt quality — it is infrastructure. Power users running 10–30 parallel sessions achieve outputs like Steve Yegge's reported 12,000 lines of code per day not through better prompting but through purpose-built orchestrators, mechanical hook enforcement, and structured memory systems that the average user has never configured.[5]
Parallel session counts are the clearest signal of power-user tier. Boris Cherny (Claude Code's creator at Anthropic) runs 10–15 simultaneous sessions — 5 local terminal plus 5–10 web — using separate git worktrees as the primary isolation mechanism. Steve Yegge operates 20–30 agents through his custom Gas Town orchestrator (launched January 2026, written in Go after an initial Python prototype). Mitchell Hashimoto stays at 1–2 focused sessions but maintains 4 concurrent git checkouts, spending 30 minutes before every transition queuing slow background work. Harper Reed anchors the conservative end with a single session plus MCP server integrations, operating under strict human-in-the-loop rules after an incident where an automated email sent without approval.[32][23][24]
The hook system is the single highest-leverage configuration lever available. Multiple independent sources converge on a compliance rate of ~80% for CLAUDE.md instructions and skills versus 100% for hooks — because hooks enforce mechanically via exit codes, not probabilistically through language model attention. The PreToolUse event is the most commonly deployed: blocking rm -rf appears in nearly every power user config, while PostToolUse auto-format hooks (running prettier or ruff on every file write) eliminate an entire class of review friction. Trail of Bits extends this to an anti-rationalization gate — a Stop hook that runs a single-turn LLM evaluation asking whether the agent is rationalizing incomplete work, returning structured JSON to block or allow continuation. As of April 2026, 17–18 distinct hook lifecycle events are documented across sources (discrepancy reflects version differences: disler reports 13, Haberlah documents 14, TechBytes adds CwdChanged, FileChanged, and PostCompact as April 2026 additions).[8][28][17]
CLAUDE.md file discipline separates experienced operators from novices. Multiple sources converge on ~100 lines / ~2,500 tokens as the optimal size, with the explicit test: "Would removing this line cause Claude to make mistakes? If not, cut it." David Haberlah's global file sits at just 48 lines; his organizing principle is that detailed procedural knowledge belongs in skills (loaded on demand, ~100 tokens each at rest), not in CLAUDE.md (loaded every session, every token). Mitchell Hashimoto takes a discipline-driven approach: every line in his AGENTS.md represents a past agent failure now prevented by an accompanying validation script or lint rule — a self-correcting error log rather than a static spec. Boris Cherny applies the same loop explicitly: "Anytime we see Claude do something incorrectly, we add it to CLAUDE.md so it doesn't repeat next time."[6][23][32]
Skill system depth varies dramatically by user. zircote runs 60+ reusable skills across 10 agent domains (document processing, media, development, DevOps, AI/ML, utilities); Freek Van der Herten maintains 40+ with 4 custom agents each assigned a specific model. Haberlah's 22 skills — 13 local, 9 from the AltimateAI data-engineering-skills plugin — cost approximately ~2,200 tokens at startup ≈ 1% of a 200k context window when only metadata is loaded. The skill priority order (project > personal > plugin) and the context: fork frontmatter flag (which executes a skill as a subagent with isolated context) are power-user techniques absent from most introductory documentation. Trail of Bits specifically endorses the obra/superpowers collection's brainstorm and systematic-debugging skills as production-hardened defaults for professional engineering environments.[16][7][4]
Parallel session architecture shows clear cost trade-offs. Git worktrees (the Anthropic-recommended approach) deliver an estimated 18% throughput improvement over sequential work at standard 1× token cost per session. The experimental Agent Teams mode (CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1, a February 2026 research preview) costs ~7× tokens in plan mode and is explicitly flagged by Haberlah as appropriate only for genuinely non-overlapping parallel work — not general-purpose parallelism. The practical ceiling is demonstrated by a documented 12-hour compaction-cycle session that refactored 315 frontend files with an agent correctness rate of approximately 80%.[28][6][19]
Context window management has no consensus threshold but clear failure modes. Warning thresholds range from red at 60% used (Van der Herten, Sablonnière) to compact triggers at 70% (Botmonster) and 80% (Haberlah's CLAUDE_AUTOCOMPACT_PCT_OVERRIDE). The underlying math: with a 200k window, setting CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000 leaves approximately ~136k tokens for input budget after system prompts and MCP definitions consume their share. Every connected MCP server adds tool definitions permanently — even when idle — making the consensus rule "prefer CLI tools over MCP servers when both accomplish the same task" a meaningful token budget decision, not just a stylistic preference. The 1M token window (Opus 4.6 API beta) is documented by Haberlah as not always superior: higher per-token cost and attention degradation at very large context sizes require case-by-case judgment.[7][6]
Steve Yegge's Beads git-backed issue tracker represents the most-adopted community infrastructure tooling: 1,000 GitHub stars in its first 6 days, growing to 17,900 by April 2026, with 29 contributors building extensions (VS Code, Emacs, Neovim, web dashboards). The architecture — SQLite for fast local queries plus JSONL in git for merge-safe version control — directly inspired Claude Code Tasks. Beads' "Land the Plane" session-ending protocol (quality gates → file discovered work → close finished issues → sync → generate handoff prompt) is the clearest published operational standard for long-running agent sessions. The awesome-claude-code community repository (hesreallyhim) reached 41,500 stars and 3,500 forks as of April 2026, with 276 open issues and 1,157 commits, functioning as the de facto registry for skills, agents, hooks, and orchestrators.[30][29]
Security configuration separates professional deployments from hobbyist setups. Trail of Bits' three-layer model — settings.json deny rules (evaluates before all other permissions), pre-commit hooks scanning 20+ credential patterns deterministically, and .gitignore exclusions — plus a critical caveat: deny rules only block Claude's built-in tools; Bash commands bypass them entirely without /sandbox enabled. The correct countermeasure is OS-level sandboxing (Seatbelt on macOS, bubblewrap on Linux) or devcontainer filesystem isolation for autonomous agents. Running /dangerously-skip-permissions without sandboxing is explicitly flagged as the primary anti-pattern for production use.[4][14]
Implications for practitioners: The configuration gap between casual and power users is large but bridgeable through specific investments. Start with three changes that carry disproportionate returns: (1) Replace CLAUDE.md verbosity with a 50–100-line file that passes the "would removing this cause mistakes?" test, moving procedural knowledge into on-demand skills. (2) Deploy at minimum two PreToolUse hooks — a rm -rf block and a credential pattern scanner — to achieve 100% compliance on the behaviors that matter most. (3) Adopt git worktrees for any work spanning more than one feature, which eliminates context contamination across tasks at no extra token cost. The settings.json ecosystem with its 125+ documented keys (as of v2.1.104, April 2026) rewards incremental investment: each added parameter addresses a specific failure mode rather than requiring wholesale reconfiguration. The community infrastructure — Beads at 17.9K stars, awesome-claude-code at 41.5K — provides vetted starting points rather than requiring from-scratch construction.[10][30][29]
A cluster of prominent engineers have published detailed workflows, dotfiles, and architecture documentation for their Claude Code setups as of Q1–Q2 2026. Parallel session counts range from 1–2 focused agents (Hashimoto) to 20–30 orchestrated workers (Yegge), with the Anthropic creator himself running 10–15 simultaneous sessions as the practical middle ground.[32][5][23]
| User | Role / Project | Parallel Sessions | Isolation Method | Source |
|---|---|---|---|---|
| Steve Yegge | Head of Eng, Sourcegraph/Amp | 20–30 agents | Gas Town orchestrator + tmux | [5][19] |
| Boris Cherny | Claude Code creator, Anthropic Staff Eng | 10–15 (5 local + 5–10 web) | Separate git worktrees | [32][18] |
| Anthropic engineering team | Internal Anthropic | 10–15 (5 terminal + 5–10 web) | Tab numbering + system notifications | [31] |
| Mitchell Hashimoto | HashiCorp founder, Ghostty creator | 1–2 focused; 4 checkouts maintained | Separate git checkouts (ghostty, ghostty2–4) | [15][23] |
| zircote | Large-scale power user | Not reported | 10 agent domains, 60+ skills | [16] |
| Freek Van der Herten | Spatie / Laravel/PHP | Not reported | 4 custom agents, model-selected per task | [7] |
| Harper Reed | Developer / email automation | Single session + MCP servers | Human-in-the-loop approval gate | [24] |
Yegge (40+ years engineering, ex-Amazon, ex-Google) uses Claude Code 14 hours per day and claims 12,000 lines of code per day as of January 2026.[5] His Gas Town orchestrator launched January 2026 — originally Python, rewritten in Go because "models waste fewer tokens on it compared to TypeScript."[30]
Key finding: Yegge's Gas Town operates with 7 distinct worker roles including "Deacon and Dogs," "Refinery," and "handoff loops/seances" — entirely vibe-coded: "100% vibe coded. I've never seen the code, and I never care to."[30]
| Component | Function |
|---|---|
| Deacon and Dogs | Named worker roles for task delegation |
| Refinery | Post-processing / output cleanup component |
| Handoff loops / Seances | Workflow handoff patterns between workers |
| Crew (named + ephemeral) | Worker lifecycle management |
| Polecats and swarms and convoys | Operational patterns for distributed work |
| tmux bindings | Worker pane management interface |
Gas Town distributes across machines rather than vertical scaling. Yegge identifies a critical infrastructure gap: "Agents have almost no platform APIs" — necessitating custom hacks for factory-style orchestration.[5] His "Desire Paths" methodology: observe what agents attempt → implement those capabilities → iterate until agent-native.
Hashimoto's most distinctive contribution is systematic error prevention: when an agent makes a mistake, build a validation script/linting rule and add it to AGENTS.md. "Each line in AGENTS.md represents a past agent failure now prevented."[23] He estimates agents run 10–20% of his working day in the background.[23]
| Project Type | Code Review Policy | Example |
|---|---|---|
| Long-lived open-source | Reviews every line | Ghostty terminal |
| Throwaway / personal | Zero code review | Family websites |
Notifications are disabled to prevent context-switching costs; Hashimoto manually checks progress during natural breaks.[15] Before every transition (leaving the house, end of day): spends 30 minutes asking "What's a slow thing my agent could do next?"[15]
Cherny shared his workflow publicly in January 2026. Three core CLAUDE.md principles: (1) Simplicity First — minimal changes, (2) No Laziness — find root causes, (3) Minimal Impact — only touch what's necessary.[32]
Key finding: "Almost all best practices boil down to one thing: Context Window management." — Boris Cherny[32]
Cherny's self-improvement loop: "Anytime we see Claude do something incorrectly, we add it to CLAUDE.md so it doesn't repeat next time."[32] Aggressive prompting style: "Grill me on these changes and don't make a PR until I pass your test," "Prove to me this works," single-word prompts like "Fix" when sharing bug reports.[32]
On verification: "Probably the most important thing to get great results out of Claude Code — give Claude a way to verify its work. If Claude has that feedback loop, it will 2–3× the quality."[31]
| User | Background | Distinctive Config Element | Source |
|---|---|---|---|
| Freek Van der Herten | Laravel/PHP, Spatie | 40+ skills; 4 custom agents with per-task model selection; anti-sycophancy directive in global CLAUDE.md | [7][27] |
| Harper Reed | Developer | MCP email triage; strict human-in-the-loop after accidental commitment email sent; "always save as drafts, never auto-send" | [24] |
| Anthropic engineering team | Internal Anthropic | Shared CLAUDE.md in git; @claude tagged on PRs; subagents handle 80% of PR work; exclusively use Opus 4.5 with thinking | [31] |
| David Haberlah | Data engineer | 48-line global CLAUDE.md; 22 skills (13 local + 9 plugin); silent daily sync via .zshrc | [6] |
| Hubert Sablonnière | Developer | Opens Claude Code in dotfiles repo (not home dir) to avoid broad file-access security warnings; GNU Stow symlink management | [1][12] |
| Joe Cotellese | Developer | J.A.R.V.I.S. personality config; required pushback protocol; TDD enforcement; 2-line "ABOUTME:" header on all files | [25] |
| Chris Wiles (ChrisWiles) | Developer | GitHub Actions automated PR review at $0.05–$0.50/PR; estimated $10–$50/month total automation cost | [3] |
| zircote | Developer | 10 agent domains; 60+ reusable skills across document processing, media, devops, AI/ML; zircote/claude-spec plugin | [16] |
| Geoffrey Huntley | Developer tools, open source | Identified in pillar scope as prominent developer tools figure with public Claude Code workflows; not captured in available research corpus — see github.com/GeoffreyHuntley for current dotfiles | Not in corpus |
| Simon Willison | Django co-creator, LLM blogger (simonwillison.net) | Identified in pillar scope as prolific AI tooling writer; Claude Code-specific workflow not documented in available research corpus — publishes AI coding analysis at simonwillison.net | Not in corpus |
Multiple independent sources converge on ~100 lines / ~2,500 tokens as optimal CLAUDE.md size.[28][32] Anthropic's official guidance: "For each line, ask: 'Would removing this cause Claude to make mistakes?' If not, cut it. Bloated CLAUDE.md files cause Claude to ignore your actual instructions."[18]
Key finding: Haberlah's global file sits at just 48 lines — his principle: detailed procedural knowledge belongs in skills (loaded on demand), not in CLAUDE.md (loaded every session).[6]
| Include | Exclude |
|---|---|
Project-specific bash commands Claude cannot guess (e.g., npm run test:integration --watch) | Anything Claude can infer by reading the code |
| Style rules that deviate from language defaults | Standard language conventions |
| Testing instructions and preferred test runners | Frequently-changing data |
| Branch naming, commit formats, PR conventions | File-by-file codebase descriptions |
| Architectural decisions and environment quirks | Detailed API documentation (link instead) |
| Common gotchas and non-obvious behaviors | Long explanations or tutorials |
| Verification scripts / harness tools | Content Claude can find in README or docs |
| Priority | Path | Scope | Version Controlled |
|---|---|---|---|
| 1 (highest per raw_3.md) | .claude/CLAUDE.md | Project-level | Yes |
| 2 | ./CLAUDE.md | Project root | Yes (share with team) |
| 3 | ~/.claude/CLAUDE.md | All sessions globally | Optional (dotfiles) |
| Personal override | ./CLAUDE.local.md | Project, personal only | No (gitignored) |
Note: raw_3.md and raw_18.md differ slightly on exact priority ordering for project vs. global; both agree global applies to all sessions.[3][18]
CLAUDE.md supports inline references to pull in additional context files without bloating the main file:[18]
See @README.md for project overview and @package.json for available npm commands.
# Additional Instructions
- Git workflow: @docs/git-instructions.md
- Personal overrides: @~/.claude/my-project-instructions.md| User | File Size | Distinctive Patterns | Source |
|---|---|---|---|
| Boris Cherny (Anthropic) | ~100 lines | 6-step task management; 3 core principles (Simplicity First, No Laziness, Minimal Impact); workflow orchestration triggers; plan mode rules. See Cherny profile (Section 1) — self-improvement loop applied to CLAUDE.md. | [32] |
| David Haberlah | 48 lines | Australian English in comments; plan-first workflow; agent team conventions; auto-commit behavior; CTEs preferred over nested subqueries | [6] |
| Trail of Bits | Not reported | No speculative features; no premature abstraction; replace don't deprecate; hard limits on function length/complexity/line width; language toolchain standards | [4][14] |
| Joe Cotellese | Not reported | J.A.R.V.I.S. personality; required pushback protocol; 2-line "ABOUTME:" header on all files; TDD enforcement; supplementary docs (python.md, swift.md, source-control.md) | [25] |
| Harper Reed | Not reported | Email voice guidelines; processing steps; "never include signatures"; "always save as drafts, never auto-send" | [24] |
| Freek Van der Herten | Not reported | Anti-sycophancy directive ("be critical and not sycophantic"); thinking mode always-on; stored at freekmurze/dotfiles under config/claude/ | [7] |
| Mitchell Hashimoto | Not reported | AGENTS.md (not CLAUDE.md); each line = past agent failure now prevented via validation script/lint rule. See Hashimoto profile (Section 1) — equivalent self-improvement loop applied to AGENTS.md. | [23] |
The mculp community reference (v2.1.104, April 13, 2026) documents 125+ configuration keys across authentication, model selection, permissions, filesystem sandbox, MCP servers, hooks, memory/context, enterprise/org settings, UI/display, and network/proxy.[10][21]
| Scope (Priority) | Path | Merge Behavior |
|---|---|---|
| 1 — Enterprise managed (highest) | Org-managed | Overrides all below |
| 2 — Local project | .claude/settings.json | Merges; conflicts resolve to highest scope |
| 3 — User | ~/.claude/settings.json | Merges |
| 4 — Workspace | Workspace-level | Merges |
| 5 — Application defaults (lowest) | Built-in | Baseline |
Source: [6][13]. Shell-level env var exports take precedence over settings.json values (e.g., export CLAUDE_CODE_MAX_OUTPUT_TOKENS=32000).[6]
| Parameter | Value | Effect / Rationale | Source |
|---|---|---|---|
alwaysThinkingEnabled |
true |
Forces chain-of-thought; "most impactful setting for complex tasks" (Van der Herten); note: thinking tokens count toward context window | [6][27] |
showTurnDuration |
true |
Diagnostics: browser automation ~12s vs file reads ~0.3s — identifies slow tools | [6] |
teammateMode |
"tmux" or "in-process" |
tmux = separate panes; in-process = single terminal with Shift+Up/Down navigation | [6][13] |
enableAllProjectMcpServers |
false |
Prevents auto-loading potentially unsafe project MCP servers (Trail of Bits hardening) | [4] |
cleanupPeriodDays |
365 |
Extends history retention beyond default (Trail of Bits) | [4] |
model |
"opusplan" |
New 2026 hybrid: Opus reasoning for planning, Sonnet for execution | [17] |
defaultMode |
"plan" |
Analysis-before-execution default; overridden per session with /plan toggle | [17] |
autoMemoryEnabled |
true |
Persistent memory across sessions (2026 addition) | [10][21] |
autoDreamEnabled |
true |
Background memory consolidation between sessions (2026 addition) | [10][21] |
effortLevel |
"thorough" |
Controls reasoning depth: fast / balanced / thorough (2026 addition) | [10] |
| Variable | Recommended Value | Rationale | Source |
|---|---|---|---|
CLAUDE_CODE_MAX_OUTPUT_TOKENS |
"64000" |
Prevents truncation during CSV generation or multi-file refactors; 200k window → ~136k budget for system prompts + MCP definitions | [6] |
CLAUDE_AUTOCOMPACT_PCT_OVERRIDE |
"80" |
Triggers compaction earlier than 90% default; Botmonster recommends 70%[28] | [6] |
CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS |
"1" |
February 2026 research preview; disabled by default; ~7× token cost when enabled | [6] |
MCP_TIMEOUT |
"30000" |
30s connection timeout; browser automation requires generous timeouts | [6] |
MCP_TOOL_TIMEOUT |
"60000" |
60s execution timeout per MCP tool call | [6] |
DISABLE_TELEMETRY |
"true" |
Disables Statsig telemetry; Trail of Bits security hardening | [4] |
DISABLE_ERROR_REPORTING |
"true" |
Disables Sentry error reporting | [4] |
CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY |
"true" |
Suppresses feedback survey prompts | [4] |
DISABLE_AUTOUPDATER |
"1" |
Prevents automatic updates in controlled environments | [6] |
| Model ID / Alias | Context Window | Notes |
|---|---|---|
claude-opus-4-6 / opus / best | 1M tokens | Anthropic engineers use exclusively despite higher cost |
claude-sonnet-4-6 / sonnet | 1M tokens | Default capable model |
claude-haiku-4-5 | 200k tokens | Fast; exploration and read-only tasks |
opusplan | 1M tokens | NEW 2026 hybrid: Opus reasoning for planning, Sonnet for execution |
Evaluation order: deny → ask → allow. First match wins.[6][13]
"deny": [
"Read(**/.env*)", "Read(**/secrets/**)", "Read(**/*.pem)", "Read(**/*.key)",
"Read(~/.ssh/**)", "Read(~/.aws/**)", "Read(~/.gnupg/**)", "Read(~/.azure/**)",
"Read(~/.kube/**)", "Read(~/.npmrc)", "Read(~/.pypirc)", "Read(~/.git-credentials)"
]"ask": [
"Bash(rm -rf *)", "Bash(git push --force *)", "Bash(git reset --hard *)",
"Bash(sudo rm *)", "Bash(chmod 777 *)"
]| Pattern | Matches |
|---|---|
Bash(git *) | All git operations only |
Edit(*.py) | Python files only |
WebFetch(domain:example.com) | Specific domain only |
mcp**github**create_issue | Specific MCP tool only |
The hook system enables deterministic control over Claude's probabilistic behavior. As Lukasz Fryc states: "Hooks give you deterministic control over a probabilistic system."[8]
Different sources report different counts reflecting version differences: disler reports 13,[9] Fryc reports 12,[8] Haberlah documents 14 lifecycle points including TeammateIdle and TaskCompleted,[6] and TechBytes (April 2026) adds CwdChanged, FileChanged, and PostCompact as newer additions.[17]
| Category | Event | Can Block (exit 2)? | Notes |
|---|---|---|---|
| Session | Setup | No | Pre-launch initialization |
| SessionStart | No | Context injection | |
| PreCompact | No | Before context compaction | |
| PostCompact | No | After compaction (April 2026 addition)[17] | |
| SessionEnd | No | Cleanup on exit | |
| Tool | UserPromptSubmit | Yes (exit 2)* | *Discrepancy: raw_17.md says no; raw_9.md says yes[9] |
| PreToolUse | Yes (exit 2) | Primary safety gate; most commonly used | |
| PostToolUse | No | Formatting, logging, auditing | |
| PostToolUseFailure | No | Error handling workflows | |
| PermissionRequest | Yes (approve/block) | JSON output controls permission decision | |
| Agent | SubagentStart | No | Subagent lifecycle |
| SubagentStop | Yes (exit 2) | Subagent output validation | |
| TeammateIdle | No | Agent teams mode[6] | |
| TaskCompleted | No | Task completion signal[6] | |
| User/Async | Notification | No | Background notification events |
| Stop | Yes (exit 2 forces continuation) | Block = agent continues instead of stopping | |
| Directory/File | CwdChanged | No | April 2026 addition[17] |
| FileChanged | No | April 2026 addition[17] |
| Type | Config | Use Case | Source |
|---|---|---|---|
| Command (shell) | {"type": "command", "command": "...", "timeout": 60} |
Most common; security checks, formatting, audit logging | [2][9] |
| Prompt (single-turn LLM) | {"type": "prompt", "prompt": "...", "model": "claude-haiku-4-5", "timeout": 30} |
Policy evaluation; anti-rationalization checks | [8][14] |
| Agent (multi-turn subagent) | {"type": "agent", "prompt": "...", "timeout": 120} |
Complex verification workflows | [8] |
| HTTP webhook | {"type": "http", "url": "https://...", "headers": {...}} |
External system integration (reported in raw_17.md only) | [17] |
| Exit Code | Meaning | Effect |
|---|---|---|
| 0 | Success | Proceeds; stdout injected as context into Claude |
| 2 | Block | Action blocked; stderr shown as feedback to Claude |
| 1 / other | Non-blocking error | Logged; action continues; stderr shown to user |
Consistent across: [2][8][9][14][17]
Present in nearly every power user config:[4][8][17]
CMD=$(jq -r ".tool_input.command" <<< "$(cat)")
echo "$CMD" | grep -qiE "rm -rf" && echo "Blocked" >&2 && exit 2{ "matcher": "Write|Edit", "hooks": [{ "type": "command",
"command": "npx prettier --write \"$CLAUDETOOLINPUTFILEPATH\"" }] }Stages changes, commits with auto: <changed-files> message, scans dotfiles for secrets before pushing, outputs pull command via stderr.[6][13]
{ "type": "prompt",
"prompt": "Review if assistant is rationalizing incomplete work...
Respond with JSON: {\"ok\": false, \"reason\": \"...\"} or {\"ok\": true}" }Source: [14]
Triggers on Python file writes; blocks (exit 2) on Ruff linting errors and Ty type errors.[2][20]
Analyzes prompts via keyword/pattern/file-path/intent scoring, auto-suggests relevant skills.[3][22]
Provider priority: ElevenLabs → OpenAI → pyttsx3 → random fallback.[2][20]
jq -r ".tool_input.command" | while read cmd; do
echo "$(date) $cmd" >> .claude/command-audit.log; doneSource: [8]
| Pattern | Rule | Source |
|---|---|---|
| Path resolution | Use $CLAUDE_PROJECT_DIR prefix for all hook paths; ensures reliable resolution across working directories |
[2][9][20] |
| Stop hook loop prevention | Check stop_hook_active and exit 0 immediately; prevents infinite continuation loops |
[8] |
| UV single-file scripts | Embed dependencies via # /// script block; isolation, portability, no venv management |
[2][9] |
| Timeout | Default 60 seconds per hook execution | [9] |
| Parallelization | All matching hooks of the same type run in parallel | [20] |
| Factor | CLAUDE.md | Skills | Hooks |
|---|---|---|---|
| Load timing | Every session | On demand | Every matching event |
| Compliance rate | ~80% | ~80% | 100% |
| Can block actions | No | No | Yes |
| Best for | Project context, conventions | Workflows, procedures | Formatting, security, audit |
Source: Botmonster[28]
Key finding: CLAUDE.md and skills achieve ~80% compliance through instruction; hooks achieve 100% compliance through mechanical enforcement. Only hooks can guarantee a behavior across all sessions regardless of context window pressure.[28]
Commands stored as .claude/commands/{name}.md with frontmatter fields:[3]
---
description: Brief description shown in command list
allowed-tools: Bash(git:*), Read, Grep
---Available variables: $ARGUMENTS, $1, $2, $3 (positional); inline bash: !`git branch --show-current` embeds output at runtime.[3][28]
| Source | Command | Function |
|---|---|---|
| Anthropic engineering team[31] | /commit-push-pr | One-shot commit, push, PR creation (used dozens of times daily) |
/security-review | Automated security analysis (used dozens of times daily) | |
| Trail of Bits[4][14] | /trailofbits:config | Self-installing configuration wizard |
/review-pr | Parallel review agents (pr-review-toolkit, Codex, Gemini) + auto-fix | |
/fix-issue | Autonomous: research → implement → test → self-review → PR | |
/merge-dependabot | Dependency update evaluation with transitive mapping | |
| disler hooks-mastery[2] | /prime | Project analysis and understanding |
/plan_w_team | Team-based build/validate workflow with task orchestration | |
/cook | Advanced task execution | |
/update_status_line | Dynamic metadata updates | |
| zircote[16] | /git:cm | Stage all + commit |
/git:cp | Stage, commit, push | |
/git:pr | Create pull request | |
/cr | Parallel code review by specialists | |
/cr-fx | Interactive remediation workflow | |
/deep-research | Multi-phase research protocol | |
| ChrisWiles[3][22] | /onboard | Deep task exploration |
/pr-review | PR review workflow | |
/ticket | JIRA/Linear integration | |
/code-quality | Quality checks | |
/docs-sync | Documentation alignment |
| Command | Function |
|---|---|
/buddy | Terminal pet companion |
/doctor | Diagnostic health check |
/memory | Edit CLAUDE.md memory files |
/plan | Analysis-before-execution toggle |
/fast | Opus 4.6 fast mode toggle |
/terminal-setup | Shell integration configuration |
Skills implement progressive disclosure: loading only names/descriptions at startup (~100 tokens per skill), full instructions on demand. Haberlah calculates 22 skills at rest ≈ ~2,200 tokens total ≈ 1% of a 200k context window.[6]
---
name: lowercase-letters-numbers-hyphens # 64 chars max
description: When to use — determines auto-activation # 1024 chars max
allowed-tools: Read, Grep, Glob
model: claude-sonnet-4-20250514
disable-model-invocation: true # Manual-only activation
context: fork # Executes as subagent with isolated context
---Trail of Bits (professional security research firm) documents a curated set of production-hardened skills for their Claude Code config:[4][14]
| Skill | Purpose |
|---|---|
ask-questions-if-underspecified | Forces clarification before proceeding on ambiguous tasks |
modern-python | Enforces current Python idioms and toolchain standards |
audit-context-building | Systematic context gathering before security audits |
differential-review | Focused review on diff scope rather than full codebase |
Trail of Bits also recommends skills from the obra/superpowers collection: brainstorm (divergent ideation before implementation) and systematic-debugging (structured debugging workflows). These are notable as production-hardened configurations from a professional security firm rather than individual developer setups.[4][14]
| User | Skill Count | Categories / Notes | Source |
|---|---|---|---|
| zircote | 60+ | Document processing, media, development, DevOps, AI/ML, utilities | [16] |
| Freek Van der Herten | 40+ | Laravel/PHP focus; 4 custom agents (laravel-simplifier, laravel-debugger, laravel-feature-builder, task-planner) | [7] |
| Haberlah | 22 (13 local + 9 plugin) | AltimateAI/data-engineering-skills plugin; silent daily sync via .zshrc | [6] |
| Harper Reed | 2 (email + CRM) | skills/crm-management, skills/email-management | [24] |
Project skills > Personal skills > Plugin skills.[6][13] Dynamic runtime injection via !`command` syntax: e.g., !`gh pr diff` embeds actual diff content at invocation time.[28]
Every connected MCP server adds tool definitions to context permanently, even when idle. Tool Search mitigates by loading up to 10% of context window, deferring remaining tools.[6][13] Default max per tool response: 25,000 tokens, configurable via MAX_MCP_OUTPUT_TOKENS.[6]
Key finding: Haberlah's consensus rule: "Prefer CLI tools over MCP servers when both accomplish the same task. CLI tools carry no standing overhead."[6]
| User | MCP Servers | Source |
|---|---|---|
| Trail of Bits (global defaults) | Context7 (docs), Exa (semantic search), slither-mcp (Solidity), pyghidra-mcp (binary decompilation), Serena (symbol navigation, 30+ languages) | [4] |
| ChrisWiles | JIRA/Linear, GitHub, Slack, PostgreSQL, Sentry | [3] |
| Harper Reed | Pipedream (Gmail, Google Calendar, Contacts), Toki (todos), Chronicle (action logging), Pagen (personal CRM) | [24] |
| Approach | Mechanism | Token Cost | Who Uses It | Source |
|---|---|---|---|---|
| Git worktrees | claude --worktree feature-name; isolated directory, shared .git |
1× per session | Cherny, Anthropic team (primary recommendation) | [18][28][32] |
| Separate git checkouts | Full clone per session (ghostty, ghostty2–4) | 1× per session | Cherny (reported), Hashimoto | [18][23] |
| Agent Teams (experimental) | CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 + "teammateMode": "tmux" |
~7× in plan mode | Haberlah (documented, not primary recommendation) | [6][13] |
.claude/worktrees/ to .gitignore[28].worktreeinclude for auto-copying .env and secrets[28]Shift+Tab): restricts lead agent to spawning teammates only; loses Edit/Write/Bash access[6]Session A implements; Session B reviews with fresh context — "A fresh context improves code review since Claude won't be biased toward code it just wrote."[18][28]
for file in $(cat files.txt); do
claude -p "Migrate $file from React to Vue. Return OK or FAIL." \
--allowedTools "Edit,Bash(git commit *)"
doneSource: [18]
# One-off with output format
claude -p "List all API endpoints" --output-format json
# Auto mode (uninterrupted)
claude --permission-mode auto -p "fix all lint errors"
# Budget-capped
claude -p --max-budget-usd 2.50 "Refactor API layer"
# Limit turns
claude -p --max-turns 5 "Run tests and fix failures"| Type | Context | Token Cost | Communication | Best For |
|---|---|---|---|---|
| Subagents | Isolated, returns summary | Parent benefits without full costs | Result summary only | Focused investigation tasks |
| Agent Teams | Peer agents, persistent | ~7× of standard | Messaging between peers | Non-overlapping parallel work with coordination |
| Parallel Sessions | Fully independent | 1× per session | None (git is coordination layer) | Maximum scale, feature branches |
Key finding: Agent Teams consume ~7× the tokens of standard sessions — Haberlah's guidance: use only for genuinely parallel work with non-overlapping file boundaries. For most parallelism, git worktrees with independent sessions are faster and cheaper.[6]See also: Autonomous Build Loop (CronCreate and /loop primitives for scheduling parallel work)
Built by Yegge in approximately 6 days using Claude. Repository reached 1,000 GitHub stars in the first 6 days of release, growing to 17.9K stars as of the research date (April 2026).[19][30] Beads inspired Claude Code Tasks.[30]
| Component | Implementation | Purpose |
|---|---|---|
| Local database | SQLite (.beads/beads.db) | Fast local queries |
| Git-tracked source | JSONL (.beads/issues.jsonl) | Merge-safe, version-controlled truth |
| Sync mechanism | Unix socket daemon, 5-second debounce | Export from SQLite to JSONL |
| ID format | Hash-based (e.g., bd-a3f2) | Prevents merge conflicts |
| Dependency types | blocks, parent-child, related, discovered-from | 4 link types for task relationships |
| Command | Function |
|---|---|
bd init | Initialize in project |
bd setup claude | Configure for Claude Code integration |
bd ready | Find unblocked, claimable work |
bd create "task" -p 1 -t epic | Create work items with priority and type |
bd update bd-a3f2 --status in_progress | Update issue status |
bd compact | Summarize old issues (context management) |
bd sync | Export SQLite to JSONL for git commit |
bd dep tree bd-a3f2 --direction=both | Visualize dependency graph |
bd sync and push to gitCase study: developer refactored 315 frontend files in a 12-hour session using compaction cycles. Agent correctness rate: approximately 80%.[19][30]
| Dimension | Beads | Claude Code Tasks |
|---|---|---|
| Scope | Project-level, weeks | Session-level |
| Storage | .beads/ in git (shareable) | ~/.claude/tasks/ locally only |
| Agent Support | Any agent (any tool) | Claude Code only |
| Dependencies | 4 link types | Simple blocking |
Source: [30]
| Layer | Source | Access Pattern |
|---|---|---|
| L1 — Always loaded | CLAUDE.md, .cursorrules | Every session, every token |
| L2 — On-demand project state | Beads, Claude Code Tasks | Queried explicitly or via CLAUDE.md instructions |
| L3 — Session context | Conversation history with auto-compression | Active session only; compacted at threshold |
| L4 — External retrieval | Codebase search, documentation, MCP | Pulled on demand by tools |
Source: [30]
tasks/todo.mdtodo.mdlessons.md after correctionsSource: [32]
| Command | Function |
|---|---|
/clear | Reset context between unrelated tasks |
/compact <instructions> | Compact with specific focus (lossy — Trail of Bits prefers /clear) |
/btw | Quick question without entering conversation history |
Esc + Esc / /rewind | Open rewind menu; restore previous state |
claude --continue / claude -c | Resume most recent conversation |
claude --resume / claude -r "name" | Select/resume named session |
Anti-pattern: /compact introduces lossy compression. Trail of Bits prefers /clear between tasks; "Summarize from here" for surgical space reclamation without full compaction.[4][14]
| User | Implementation | Format / Features | Source |
|---|---|---|---|
| disler (hooks-mastery) | UV Python script; 9 versions (v1–v9) | v1: git branch + dir + model; v5: cost + line changes; v6: context usage bar; v8: token/cache stats; v9: Powerline minimal style | [2][20] |
| Freek Van der Herten | Bash script | Color: green <40%, yellow 40–59%, red 60%+. Format: "laravel-og-image | ctx: 27%" |
[7][27] |
| Hubert Sablonnière | JavaScript (.claude/statusline.js) |
Folder, branch, model name, context window %. Red above 59%. Notes "some users recommend resets at 40%" | [1][12][26] |
| Trail of Bits | Command hook | Interpreted as remaining capacity: green >50% remaining, yellow 20–50%, red <20% remaining | [14] |
| User / Source | Warning Threshold | Reset/Compact Threshold |
|---|---|---|
| Hubert Sablonnière[12] | Red above 59% used | "Some users recommend resets at 40%" |
| Freek Van der Herten[7] | Red at 60%+ used | Not specified |
| Haberlah[6] | Not specified | 80% (CLAUDE_AUTOCOMPACT_PCT_OVERRIDE) |
| Botmonster[28] | Not specified | 70% compact trigger recommended |
| Anthropic official[18] | Performance degrades as fills | No specific threshold |
{
"statusLine": {
"type": "command",
"command": "uv run $CLAUDE_PROJECT_DIR/.claude/status_lines/status_line_v3.py"
}
}| Strategy | Rationale | Source |
|---|---|---|
| One task per worktree/session | Prevents cross-task context contamination | [28] |
/clear between unrelated tasks | Context reset; Trail of Bits prefers over /compact | [4][14] |
| Subagents for investigation | Preserves main session context; subagent summarizes results | [6] |
| Keep CLAUDE.md concise | Every token loaded every session; 100 lines ≈ 2,500 tokens | [32][18] |
| CLI tools over MCP servers | MCP servers carry standing overhead; CLI carries none | [6][13] |
| After two failed corrections: rollback and retry | Avoiding compounding errors in degraded context | [4][14] |
Key finding: Haberlah's optimization math: 64k output tokens leaves ~136k input budget after system prompts and MCP definitions in a 200k window. The 1M context window (Opus 4.6 API beta) carries higher per-token cost and "is not always better."[6]
| Layer | Mechanism | What It Blocks |
|---|---|---|
| 1 — Permission deny rules | settings.json deny block; evaluates BEFORE all other permission types | .env at any depth, secrets dirs, SSH/AWS credentials, private key material |
| 2 — Pre-commit hook | Scans 20+ credential patterns; deterministic (doesn't depend on Claude's judgment) | Anthropic keys (sk-ant-), GitHub tokens (ghp_, gho_), AWS keys (AKIA), Stripe, Slack, JWTs, SendGrid, GCP service accounts; file types: .env, credentials.json, id_rsa, *.pem, *.key |
| 3 — Gitignore | File exclusion | settings.local.json, *.env, *.pem, *.key |
Additional paths blocked beyond the standard deny block:[4][14]
~/.ssh/**, ~/.gnupg/**~/.aws/**, ~/.azure/**, ~/.kube/**~/.npmrc, ~/.npm/**, ~/.pypirc~/.git-credentials, ~/.config/gh/**~/.bashrc, ~/.zshrc (prevents backdoor planting)Deny rules only block Claude's built-in tools without /sandbox. Bash commands bypass deny rules entirely. With /sandbox enabled, OS-level enforcement applies to all commands.[4]
| Layer | Technology | Scope |
|---|---|---|
| 1 — Native sandbox | /sandbox command; Seatbelt (macOS) or bubblewrap (Linux) | OS-level blocking for all commands |
| 2 — Permission deny rules | settings.json deny block | Claude's built-in tools only |
| 3 — Devcontainer | Container filesystem isolation | Full container boundary |
| 4 — Remote droplet | Disposable cloud instances via dropkit | Network-isolated throwaway environments |
Source: [4]
Anti-pattern: Running /dangerously-skip-permissions without sandboxing enabled.[14]
| Pattern | Hook Event | Implementation | Source |
|---|---|---|---|
| Block dangerous shell patterns | PreToolUse | Regex match on rm\s+.*-[rf], sudo\s+rm, chmod\s+777; exit 2 |
[2] |
| Auto-approve read-only operations | PermissionRequest | Allow Read, Glob, Grep, safe Bash; log all requests | [2][20] |
| Protect sensitive file patterns | PreToolUse | Block on .env, .env.local, secrets/, .git/, package-lock.json patterns | [8] |
| Scrub context injections | SessionStart / UserPromptSubmit | Data masking tool strips PII, tokens, secrets before reaching Claude's window | [17] |
| File | Git Status | Rationale |
|---|---|---|
settings.json | Tracked | Hook definitions, MCP server list (without secrets) |
CLAUDE.md | Tracked | Shared team conventions |
| Hook scripts | Tracked | Deterministic security patterns shared across team |
| Skills | Tracked | Shared workflow procedures |
settings.local.json | Gitignored | Personal permissions + MCP configs (may contain tokens) |
Source: [6]
| Repository | Stars | Forks | Primary Language | Key Contents | Source |
|---|---|---|---|---|---|
| awesome-claude-code (hesreallyhim) | 41,500 | 3,500 | 98.1% Python | Skills, agents, hooks, status lines, orchestrators, developer tooling; 276 open issues; 1,157 commits | [29] |
| disler/claude-code-hooks-mastery | 3,600 | 602 | 82.8% Python, 17.2% TypeScript | 13 hook lifecycle examples, 9 status line versions, 8 output styles | [2][9] |
| Beads (Steve Yegge) | 17,900 | Not reported | Not reported | Git-backed issue tracker; SQLite + JSONL; 29 contributors; VS Code/Emacs/Neovim extensions | [30] |
| ChrisWiles/claude-code-showcase | Not reported | Not reported | Not reported | Full skills evaluation system, GitHub Actions workflows for PR review/docs sync | [3][11] |
| trailofbits/claude-code-config | Not reported | Not reported | Not reported | Security-focused defaults from professional security research firm | [4][14] |
| zircote/.claude | Not reported | Not reported | Not reported | 10 agent domains, 60+ skills, language-specific coding standards, zircote/claude-spec plugin | [16] |
| haberlah/dotfiles-claude | Not reported | Not reported | Not reported | Forkable dotfiles with setup.sh installer; silent daily sync via .zshrc | [6][13] |
The awesome-claude-code repository (41.5K stars, 276 open issues as of April 2026) serves as the primary community aggregation point for shared hook patterns, CLAUDE.md templates, and skill collections.[29] Configuration patterns documented across the community repositories in this research converge on several shared practices:
rm -rf blocking and PostToolUse auto-formatter patterns appear independently across disler, Fryc, Trail of Bits, and ChrisWiles configs — indicating organic community convergence rather than copying[2][8][4]Note: Claude Code Discord and Aider/Cursor community cross-pollination data was identified as in-scope for this pillar but was not captured in the available research corpus. The awesome-claude-code repository (276 open issues, very active) is the closest available proxy for community-aggregated config patterns.[29]
Recommended local fallback: Qwen3-Coder-Next (80B MoE, 3B active parameters, MLX-4bit).[4]
lms get Qwen3-Coder-Next@MLX-4bit -y
lms load qwen/qwen3-coder-next --context-length 32768 --gpu max -y
ANTHROPIC_BASE_URL=http://localhost:1234 ANTHROPIC_AUTH_TOKEN=lmstudio claude| Terminal | Platform | Why Recommended | Source |
|---|---|---|---|
| Ghostty | macOS (primary) | Native Metal GPU rendering; avoids lag during autonomous runs; created by Mitchell Hashimoto | [4][14] |
| WezTerm | Windows | Alternative for non-macOS environments | [4] |
| Workload | Estimated Cost | Source |
|---|---|---|
| GitHub Actions automated PR review + docs sync + quality sweeps | $10–$50/month | [3][22] |
| Per-PR review with parallel agents | $0.05–$0.50 per PR | [3] |
| Agent Teams vs standard sessions | ~7× token usage | [6][13] |
| Shortcut | Action |
|---|---|
Ctrl+C | Cancel/interrupt current action |
Ctrl+D | Exit Claude Code |
Ctrl+L | Redraw screen |
Esc + Esc | Rewind / restore code to previous state |
Shift+Tab / Alt+M | Cycle permission modes |
Option+P / Alt+P | Switch model |
Option+T / Alt+T | Toggle extended thinking |
Option+O / Alt+O | Toggle fast mode |
Ctrl+G | Open plan in text editor |