marketing-shibata50/claude-code-ultimate-guide
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(quiz): add 58 new questions (159→217) in 4 new categories

Browse source 
New categories:
- 11-learning-with-ai.yaml (15 questions): UVAL protocol, 70/30 rule, dependency patterns
- 12-architecture.yaml (12 questions): master loop, 8 tools, context budget, sub-agents
- 13-security.yaml (10 questions): MCP Rug Pull, CVEs, defense-in-depth
- 14-privacy-observability.yaml (10 questions): retention tiers, session search

Additions to existing:
- 08-mcp-servers.yaml: +3 Figma MCP questions (token efficiency, tools, setup)
- 09-advanced-patterns.yaml: +5 methodology questions (SDD, BDD, TDD)
- 01-quick-start.yaml: +3 image optimization questions

README updated: 217 questions, 56 templates, 14 categories

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Florian BRUNIAUX 2026-01-17 22:48:57 +01:00
parent 7fd4048d5e
commit 741acd0fa3
8 changed files with 1006 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
README.md
View file

@ -7,8 +7,8 @@
<p align="center">
<a href="https://github.com/FlorianBruniaux/claude-code-ultimate-guide/stargazers"><img src="https://img.shields.io/github/stars/FlorianBruniaux/claude-code-ultimate-guide?style=for-the-badge" alt="Stars"/></a>
<a href="#"><img src="https://img.shields.io/badge/Lines-9,800+-blueviolet?style=for-the-badge" alt="Lines"/></a>
<a href="./examples/"><img src="https://img.shields.io/badge/Templates-55-green?style=for-the-badge" alt="Templates"/></a>
<a href="./quiz/"><img src="https://img.shields.io/badge/Quiz-159_questions-orange?style=for-the-badge" alt="Quiz"/></a>
<a href="./examples/"><img src="https://img.shields.io/badge/Templates-56-green?style=for-the-badge" alt="Templates"/></a>
<a href="./quiz/"><img src="https://img.shields.io/badge/Quiz-217_questions-orange?style=for-the-badge" alt="Quiz"/></a>
</p>
<p align="center">
@ -244,7 +244,7 @@ Based on ALL this context, provide:
### 🧠 Knowledge Quiz
Test your Claude Code knowledge with an interactive CLI quiz. **159 curated questions** covering all 10 guide sections, with immediate feedback and documentation links.
Test your Claude Code knowledge with an interactive CLI quiz. **217 curated questions** covering all 14 guide sections, with immediate feedback and documentation links.
```bash
# Quick start
@ -476,7 +476,7 @@ claude-code-ultimate-guide/
│ ├── ...
│ └── 07-guide-reference.qmd
└── quiz/ # 🧠 Interactive knowledge quiz (159 questions)
└── quiz/ # 🧠 Interactive knowledge quiz (217 questions)
```
---

51
quiz/questions/01-quick-start.yaml
View file

@ -257,3 +257,54 @@ questions:
file: "guide/ultimate-guide.md"
section: "1.1 Installation"
anchor: "#verify-installation"
- id: "01-016"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is the optimal image resolution range for Claude Code visual analysis?"
options:
a: "50-200px (smallest possible)"
b: "200-1568px (sweet spot for quality/token balance)"
c: "2000-4000px (maximum detail)"
d: "8000px+ (highest resolution)"
correct: "b"
explanation: |
The optimal range is 200-1568px. Below 200px lacks detail, 200-1000px is the sweet spot for wireframes, 1000-1568px provides optimal quality/token balance, images above 1568px are auto-downscaled (wasting upload time), and images over 8000px are rejected by the API.
doc_reference:
file: "guide/ultimate-guide.md"
section: "1.3 Essential Commands"
anchor: "#image-resolution-guidelines"
- id: "01-017"
difficulty: "senior"
profiles: ["senior", "power"]
question: "How are image tokens calculated in Claude Code?"
options:
a: "file_size_bytes / 1000"
b: "(width × height) / 750"
c: "pixels / 1000"
d: "Fixed 500 tokens per image"
correct: "b"
explanation: |
Token calculation formula: (width × height) / 750 ≈ tokens consumed. Examples: 200×200 = ~54 tokens, 500×500 = ~334 tokens, 1000×1000 = ~1334 tokens. This helps estimate context impact before pasting images. Use /status after pasting to monitor actual context usage.
doc_reference:
file: "guide/ultimate-guide.md"
section: "1.3 Essential Commands"
anchor: "#image-resolution-guidelines"
- id: "01-018"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "Which image format is recommended for wireframes and diagrams in Claude Code?"
options:
a: "JPEG (best compression)"
b: "PNG (sharp lines and text)"
c: "GIF (universal support)"
d: "BMP (lossless)"
correct: "b"
explanation: |
PNG is recommended for wireframes, diagrams, and text because it preserves sharp lines. WebP is good for general screenshots with compression. JPEG is for photos only—compression artifacts harm line detection. GIF should be avoided (static only, poor quality). Always crop to relevant area and resize to 1000-1200px if larger.
doc_reference:
file: "guide/ultimate-guide.md"
section: "1.3 Essential Commands"
anchor: "#format-recommendations"

51
quiz/questions/08-mcp-servers.yaml
View file

@ -363,3 +363,54 @@ questions:
file: "guide/ultimate-guide.md"
section: "8.5 Plugin System"
anchor: "#plugin-commands"
- id: "08-015"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is the main advantage of using Figma MCP over screenshots?"
options:
a: "Higher image quality"
b: "3-10x fewer tokens: structured data vs. image analysis"
c: "Faster download speed"
d: "Works offline"
correct: "b"
explanation: |
Figma MCP provides 3-10x fewer tokens than screenshots because it returns structured data (React+Tailwind structure, design tokens) instead of requiring image analysis. Other benefits: direct token access, component mapping via Code Connect, iterative workflow without new screenshots.
doc_reference:
file: "guide/ultimate-guide.md"
section: "4.3 Figma MCP Integration"
anchor: "#figma-mcp-integration"
- id: "08-016"
difficulty: "senior"
profiles: ["senior", "power"]
question: "Which Figma MCP tool retrieves design tokens (colors, spacing, typography)?"
options:
a: "get_design_context"
b: "get_variable_defs"
c: "get_metadata"
d: "get_screenshot"
correct: "b"
explanation: |
`get_variable_defs` retrieves design tokens like colors (--color-primary: #3B82F6), spacing (--spacing-md: 16px), and typography. Recommended workflow: get_metadata → get_design_context → get_variable_defs (once per project) → get_screenshot (only when visual reference needed).
doc_reference:
file: "guide/ultimate-guide.md"
section: "4.3 Figma MCP Integration"
anchor: "#available-tools-via-figma-mcp"
- id: "08-017"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What command adds the Figma MCP server for remote access?"
options:
a: "claude mcp install figma"
b: "claude mcp add --transport http figma https://mcp.figma.com/mcp"
c: "claude figma connect"
d: "npm install @figma/mcp"
correct: "b"
explanation: |
For remote MCP (all Figma plans, any machine): `claude mcp add --transport http figma https://mcp.figma.com/mcp`. For desktop MCP (requires Figma desktop app with Dev Mode): `claude mcp add --transport http figma-desktop http://127.0.0.1:3845/mcp`. Official Figma MCP was announced in 2025.
doc_reference:
file: "guide/ultimate-guide.md"
section: "4.3 Figma MCP Integration"
anchor: "#setup-options"

85
quiz/questions/09-advanced-patterns.yaml
View file

@ -436,3 +436,88 @@ questions:
file: "guide/ultimate-guide.md"
section: "9.12 Git Best Practices & Workflows"
anchor: "#git-worktrees-for-parallel-development"
- id: "09-017"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is SDD (Spec-Driven Development) and its key claim?"
options:
a: "Speed-based Development - fastest approach"
b: "Spec-Driven Development - one well-structured iteration equals 8 unstructured ones"
c: "Standard Driven Development - follows industry standards"
d: "Sequential Driven Development - linear workflow"
correct: "b"
explanation: |
SDD (Spec-Driven Development) means specifications BEFORE code. The key claim: one well-structured iteration equals 8 unstructured ones. CLAUDE.md IS your spec file. Best for APIs and contracts. High Claude fit (⭐⭐⭐).
doc_reference:
file: "guide/methodologies.md"
section: "Tier 2: Specification & Architecture"
anchor: "#tier-2-specification--architecture"
- id: "09-018"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What format does BDD (Behavior-Driven Development) use for test scenarios?"
options:
a: "Arrange-Act-Assert"
b: "Given-When-Then (Gherkin)"
c: "Setup-Execute-Verify"
d: "Input-Process-Output"
correct: "b"
explanation: |
BDD uses Given-When-Then format (Gherkin). BDD is beyond testing - it's a collaboration process: (1) Discovery with devs/business, (2) Formulation with examples, (3) Automation via Cucumber. Example: Given product with 0 stock → When customer attempts purchase → Then system refuses.
doc_reference:
file: "guide/methodologies.md"
section: "Tier 3: Behavior & Acceptance"
anchor: "#tier-3-behavior--acceptance"
- id: "09-019"
difficulty: "junior"
profiles: ["junior", "senior", "power"]
question: "What are the three steps of the TDD cycle?"
options:
a: "Plan-Develop-Test"
b: "Red-Green-Refactor"
c: "Write-Run-Fix"
d: "Design-Code-Review"
correct: "b"
explanation: |
The classic TDD cycle: (1) Red - write failing test, (2) Green - minimal code to pass, (3) Refactor - clean up while tests stay green. With Claude: be explicit "Write FAILING tests that don't exist yet." TDD is a core workflow (⭐⭐⭐).
doc_reference:
file: "guide/methodologies.md"
section: "Tier 5: Implementation"
anchor: "#tier-5-implementation"
- id: "09-020"
difficulty: "senior"
profiles: ["senior", "power"]
question: "How many development methodologies are documented in the methodologies reference?"
options:
a: "5 methodologies"
b: "10 methodologies"
c: "15 methodologies"
d: "20 methodologies"
correct: "c"
explanation: |
15 methodologies organized in a 6-tier pyramid: Tier 1 (Strategic - BMAD), Tier 2 (Specification - SDD, Doc-Driven, Req-Driven, DDD), Tier 3 (Behavior - BDD, ATDD, CDD), Tier 4 (Feature - FDD, Context Engineering), Tier 5 (Implementation - TDD, Eval-Driven, Multi-Agent), Tier 6 (Optimization).
doc_reference:
file: "guide/methodologies.md"
section: "The 15 Methodologies"
anchor: "#the-15-methodologies"
- id: "09-021"
difficulty: "senior"
profiles: ["senior", "power"]
question: "What is 'Context Engineering' as a methodology?"
options:
a: "Engineering team context"
b: "Treating context as first-class design element: progressive disclosure, memory management, dynamic refresh"
c: "Building context menus"
d: "Managing environment variables"
correct: "b"
explanation: |
Context Engineering treats context as a design element. Key concepts: Progressive Disclosure (let agent discover incrementally), Memory Management (conversation vs persistent memory), Dynamic Refresh (rewrite TODO list before response). High Claude fit (⭐⭐⭐) for long sessions.
doc_reference:
file: "guide/methodologies.md"
section: "Tier 4: Feature Delivery"
anchor: "#tier-4-feature-delivery"

259
quiz/questions/11-learning-with-ai.yaml Normal file
View file

@ -0,0 +1,259 @@
category: "Learning with AI"
category_id: 11
source_file: "guide/learning-with-ai.md"
questions:
- id: "11-001"
difficulty: "junior"
profiles: ["junior", "senior", "power", "pm"]
question: "What are the three developer patterns when using AI, according to the Learning with AI guide?"
options:
a: "Beginner, Intermediate, Expert"
b: "Dependent, Avoidant, Augmented"
c: "Passive, Active, Proactive"
d: "Consumer, Producer, Creator"
correct: "b"
explanation: |
The three patterns are: Dependent (copy-paste without understanding, can't debug AI code), Avoidant (refuses AI on principle, slower than peers), and Augmented (uses AI critically, understands everything). The goal is to become Augmented - using AI for leverage while maintaining deep understanding.
doc_reference:
file: "guide/learning-with-ai.md"
section: "The Three Patterns"
anchor: "#the-three-patterns"
- id: "11-002"
difficulty: "junior"
profiles: ["junior", "senior", "power"]
question: "What does UVAL stand for in the AI learning protocol?"
options:
a: "Use, Validate, Apply, Learn"
b: "Understand, Verify, Apply, Learn"
c: "Understand, Validate, Analyze, Learn"
d: "Use, Verify, Analyze, Log"
correct: "b"
explanation: |
UVAL stands for: Understand First (the 15-minute rule), Verify (ensure you actually learned), Apply (transform knowledge into skill through modification), Learn (capture insights for long-term retention). This protocol ensures you're learning, not just copying.
doc_reference:
file: "guide/learning-with-ai.md"
section: "The UVAL Protocol"
anchor: "#the-uval-protocol"
- id: "11-003"
difficulty: "junior"
profiles: ["junior", "senior"]
question: "In the Quick Self-Check, if you score 0-2 'yes' answers, what does this indicate?"
options:
a: "You're an augmented developer"
b: "You're on track with room for optimization"
c: "You're at dependency risk - outsourcing thinking"
d: "You're an AI avoidant"
correct: "c"
explanation: |
A score of 0-2 yes answers indicates dependency risk - you're outsourcing your thinking to AI. The 5 questions test: can you explain AI-generated code, have you debugged without AI, do you know WHY solutions work, could you write the code yourself, do you know AI's limitations. Low scores mean you should read the "Breaking Dependency" section.
doc_reference:
file: "guide/learning-with-ai.md"
section: "Quick Self-Check"
anchor: "#quick-self-check-start-here"
- id: "11-004"
difficulty: "intermediate"
profiles: ["junior", "senior", "power"]
question: "What is the '15-Minute Rule' in the UVAL protocol's 'Understand First' step?"
options:
a: "Limit AI usage to 15 minutes per day"
b: "A 4-step protocol: State problem, Brainstorm approaches, Identify gaps, THEN ask AI"
c: "Wait 15 minutes after getting AI response before using it"
d: "Spend 15 minutes explaining AI code to a colleague"
correct: "b"
explanation: |
The 15-minute rule is a specific protocol: (1) State the problem in ONE sentence (2 min), (2) Brainstorm 3 possible approaches (5 min), (3) Identify your knowledge gaps (3 min), (4) THEN ask AI with a much better question (5 min). This forces you to think before asking, resulting in better questions and faster learning.
doc_reference:
file: "guide/learning-with-ai.md"
section: "U — Understand First"
anchor: "#u--understand-first-the-15-minute-rule"
- id: "11-005"
difficulty: "intermediate"
profiles: ["junior", "senior", "power"]
question: "What is the 'Explain It Back' technique in the UVAL protocol's Verify step?"
options:
a: "Ask AI to explain its own code"
b: "Write documentation for the code"
c: "If you can't explain the code to a colleague, you haven't learned it"
d: "Record yourself explaining and review later"
correct: "c"
explanation: |
The rule is simple: if you can't explain the code to a colleague, you don't understand it. This is the verification step - you must be able to articulate WHY the solution works, not just THAT it works. The guide recommends using a /explain-back slash command that asks YOU to explain AI-generated code.
doc_reference:
file: "guide/learning-with-ai.md"
section: "V — Verify"
anchor: "#v--verify-explain-it-back"
- id: "11-006"
difficulty: "intermediate"
profiles: ["junior", "senior", "power"]
question: "In the 30-Day Progression Plan, what is the AI usage ratio for Week 1?"
options:
a: "0-20% AI usage"
b: "40-50% AI usage"
c: "60-70% AI usage"
d: "70-80% AI usage"
correct: "a"
explanation: |
Week 1 focuses on foundations with 0-20% AI usage: Days 1-2 build feature WITHOUT AI (0%), Days 4-5 refactor with AI review only (20%), Day 6 debug without AI (0%). The goal is to build (or rebuild) core skills without heavy AI reliance. Success criteria: can explain every line you wrote.
doc_reference:
file: "guide/learning-with-ai.md"
section: "30-Day Progression Plan"
anchor: "#30-day-progression-plan"
- id: "11-007"
difficulty: "intermediate"
profiles: ["junior", "senior", "power"]
question: "What AI usage ratio does the 30-Day Plan recommend for Week 4 (Augmented stage)?"
options:
a: "30-40%"
b: "50-60%"
c: "70%"
d: "90-100%"
correct: "c"
explanation: |
Week 4 (Augmented stage) recommends 70% AI usage with the UVAL protocol. The progression is: Week 1 (0-20%), Week 2 (30-40%), Week 3 (50-60%), Week 4 (70%). Success criteria for Week 4: you're fast AND you understand everything. The cap at 70% ensures you maintain skills.
doc_reference:
file: "guide/learning-with-ai.md"
section: "30-Day Progression Plan"
anchor: "#week-4-augmented"
- id: "11-008"
difficulty: "junior"
profiles: ["junior", "senior", "power", "pm"]
question: "According to the guide, what is the metaphor for AI in development?"
options:
a: "AI is your co-pilot"
b: "AI is your GPS"
c: "AI is your assistant"
d: "AI is your teacher"
correct: "b"
explanation: |
AI is compared to GPS: great for getting somewhere fast, dangerous if you lose the ability to navigate without it, truly useful when you understand the map AND use the GPS. A developer who only copy-pastes AI output is like a driver who can't read a map - fine until the GPS fails or someone asks for directions.
doc_reference:
file: "guide/learning-with-ai.md"
section: "The Problem in 60 Seconds"
anchor: "#the-problem-in-60-seconds"
- id: "11-009"
difficulty: "intermediate"
profiles: ["junior", "senior", "power"]
question: "What is a 'Red Flag' sign of AI dependency according to the checklist?"
options:
a: "Using AI for complex algorithms"
b: "Can't start coding without AI"
c: "Using AI for code reviews"
d: "Asking AI to explain concepts"
correct: "b"
explanation: |
"Can't start without AI" is a red flag indicating you've outsourced problem decomposition. Other red flags: don't understand AI's code, can't debug AI errors, anxiety without AI, rejected in interviews, always ask "how" never "why", every solution looks the same. Immediate action: code 30 min daily without AI.
doc_reference:
file: "guide/learning-with-ai.md"
section: "Red Flags Checklist"
anchor: "#red-flags-checklist"
- id: "11-010"
difficulty: "intermediate"
profiles: ["junior", "senior", "power"]
question: "What is the 'Apply' step's core principle in the UVAL protocol?"
options:
a: "Apply the code directly to production"
b: "Transform knowledge into skill through MODIFICATION, not copying"
c: "Apply code reviews to all AI-generated code"
d: "Apply unit tests to verify correctness"
correct: "b"
explanation: |
The Apply step requires modification, not copy-paste. You must change at least one element (variable name, structure, edge case handling). Why? Modification forces understanding. Copying is passive; modifying requires you to engage with the code and understand how it works.
doc_reference:
file: "guide/learning-with-ai.md"
section: "A — Apply"
anchor: "#a--apply-transform-dont-copy"
- id: "11-011"
difficulty: "senior"
profiles: ["junior", "senior", "power"]
question: "What CLAUDE.md configuration enables 'Learning Mode' with Claude Code?"
options:
a: "## Learning Mode - Ask me questions before generating code"
b: "## Strict Mode - Never generate code directly"
c: "## Teaching Mode - Always explain before showing"
d: "## Quiz Mode - Test before implementing"
correct: "a"
explanation: |
Learning Mode in CLAUDE.md prompts Claude to ask questions before generating: "What approaches have I considered?", "What specifically am I stuck on?", "What do I expect the solution to look like?". This implements the UVAL protocol's Understand step directly in your workflow.
doc_reference:
file: "guide/learning-with-ai.md"
section: "Claude Code for Learning"
anchor: "#claude-code-for-learning-not-just-producing"
- id: "11-012"
difficulty: "senior"
profiles: ["junior", "senior", "power"]
question: "What hook event is recommended for capturing daily learning?"
options:
a: "PreToolUse - before each command"
b: "PostToolUse - after each edit"
c: "Stop - when session ends"
d: "Notification - on alerts"
correct: "c"
explanation: |
The learning-capture.sh hook uses the Stop event (session end) to prompt: "What's ONE thing you learned today?" This logs to ~/claude-learnings.md automatically. It's lightweight (asks one question) so you'll actually use it, unlike verbose learning journals.
doc_reference:
file: "guide/learning-with-ai.md"
section: "Hooks That Build Habits"
anchor: "#hooks-that-build-habits"
- id: "11-013"
difficulty: "junior"
profiles: ["junior", "senior", "power", "pm"]
question: "What is the 'Dependent' pattern's main risk according to the guide?"
options:
a: "Slower than peers"
b: "Unemployable"
c: "Left behind"
d: "Overworked"
correct: "b"
explanation: |
The Dependent pattern's risk is becoming unemployable. Signs: copy-paste without understanding, can't debug AI code, anxiety without AI. In interviews: can't whiteboard basics, struggles with "why this approach?", asks to look up fundamentals. You ship code you can't explain - when it breaks, you're stuck.
doc_reference:
file: "guide/learning-with-ai.md"
section: "Pattern 1: Dependent"
anchor: "#pattern-1-dependent"
- id: "11-014"
difficulty: "intermediate"
profiles: ["junior", "senior", "power"]
question: "What is the Weekly Self-Audit question that detects dependency?"
options:
a: "How many lines of code did I write?"
b: "Am I faster than last month? Am I smarter?"
c: "How much did I use AI this week?"
d: "Did I meet all my deadlines?"
correct: "b"
explanation: |
The key question is: "Am I faster than last month? Am I smarter?" If you're faster but NOT smarter, you're building dependency. Other weekly questions: What did I learn that I didn't know before? Could I have done this without AI? Did I understand everything I shipped?
doc_reference:
file: "guide/learning-with-ai.md"
section: "Weekly Self-Audit"
anchor: "#weekly-self-audit"
- id: "11-015"
difficulty: "intermediate"
profiles: ["junior", "senior", "power"]
question: "What is the recommended approach for 'Avoidant' developers (Pattern 2)?"
options:
a: "Continue avoiding AI to maintain purity"
b: "Start with AI review of YOUR code, not AI-generated code"
c: "Immediately switch to 100% AI usage"
d: "Wait until AI tools are more mature"
correct: "b"
explanation: |
For Avoidant developers, the guide recommends gradual adoption: start with AI reviewing YOUR code (you stay in control), then move to AI explaining concepts you implement, then AI-assisted work. This respects your instinct for understanding while gaining AI benefits. Pure avoidance means being slower without being smarter.
doc_reference:
file: "guide/learning-with-ai.md"
section: "Embracing AI Tools"
anchor: "#embracing-ai-tools"

208
quiz/questions/12-architecture.yaml Normal file
View file

@ -0,0 +1,208 @@
category: "Architecture Internals"
category_id: 12
source_file: "guide/architecture.md"
questions:
- id: "12-001"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is the core architecture pattern of Claude Code?"
options:
a: "A DAG orchestrator with task planning"
b: "A simple while(tool_call) loop with no classifier"
c: "A RAG pipeline with embeddings"
d: "A multi-agent system with intent router"
correct: "b"
explanation: |
Claude Code runs a remarkably simple `while(tool_call)` loop. There is NO intent classifier, task router, RAG/embedding pipeline, DAG orchestrator, or planner/executor split. The model itself decides when to call tools, which tools to call, and when it's done. This is the "agentic loop" pattern.
doc_reference:
file: "guide/architecture.md"
section: "The Master Loop"
anchor: "#1-the-master-loop"
- id: "12-002"
difficulty: "junior"
profiles: ["junior", "senior", "power"]
question: "How many core tools does Claude Code have?"
options:
a: "5 tools"
b: "8 tools"
c: "12 tools"
d: "Unlimited (model-dependent)"
correct: "b"
explanation: |
Claude Code has exactly 8 core tools: Bash (universal adapter), Read (file contents), Edit (modify files), Write (create/overwrite), Grep (search contents), Glob (find files), Task (sub-agents), and TodoWrite (progress tracking). That's the entire arsenal.
doc_reference:
file: "guide/architecture.md"
section: "The Tool Arsenal"
anchor: "#2-the-tool-arsenal"
- id: "12-003"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "Which tool is described as Claude's 'swiss-army knife' and 'universal adapter'?"
options:
a: "Read"
b: "Grep"
c: "Bash"
d: "Task"
correct: "c"
explanation: |
Bash is Claude's swiss-army knife. It can run any CLI tool (git, npm, docker, curl...), execute scripts, chain commands with pipes, and access system state. The model has been trained on massive amounts of shell data, making it highly effective as a universal adapter.
doc_reference:
file: "guide/architecture.md"
section: "The Bash Universal Adapter"
anchor: "#the-bash-universal-adapter"
- id: "12-004"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is the approximate context budget for Claude Code with Claude 3.5 Sonnet?"
options:
a: "~32K tokens"
b: "~100K tokens"
c: "~200K tokens"
d: "~500K tokens"
correct: "c"
explanation: |
Claude Code operates within a ~200K token context window. This is shared between: system prompt (~5-15K), CLAUDE.md files (~1-10K), conversation history (variable), tool results (variable), and reserved response buffer (~40-45K). Usable space is approximately 140-150K tokens.
doc_reference:
file: "guide/architecture.md"
section: "Context Budget Breakdown"
anchor: "#context-budget-breakdown"
- id: "12-005"
difficulty: "senior"
profiles: ["senior", "power"]
question: "What are the reported auto-compaction thresholds for Claude Code?"
options:
a: "50-60%"
b: "75-92% (conflicting reports)"
c: "95-99%"
d: "No auto-compaction exists"
correct: "b"
explanation: |
Auto-compaction thresholds vary by source: PromptLayer analysis reports 92%, community observations report 75-80%. When triggered, older conversation turns are summarized, tool results condensed, and recent context preserved. Use /compact to manually trigger summarization.
doc_reference:
file: "guide/architecture.md"
section: "Auto-Compaction"
anchor: "#auto-compaction"
- id: "12-006"
difficulty: "intermediate"
profiles: ["junior", "senior", "power"]
question: "What is the maximum depth for sub-agents spawned via the Task tool?"
options:
a: "Unlimited depth"
b: "Depth = 3"
c: "Depth = 1 (cannot spawn sub-sub-agents)"
d: "Depth = 2"
correct: "c"
explanation: |
Sub-agents have a depth=1 limit. They CANNOT spawn sub-sub-agents. This prevents: recursive explosion (infinite resources), context pollution (accumulated context), debugging nightmares (multi-level chains), and unpredictable costs (nested token usage).
doc_reference:
file: "guide/architecture.md"
section: "Why Depth = 1?"
anchor: "#why-depth--1"
- id: "12-007"
difficulty: "senior"
profiles: ["senior", "power"]
question: "What does a sub-agent receive when spawned by the Task tool?"
options:
a: "Full conversation history + all file reads"
b: "Task description only (isolated fresh context)"
c: "Last 10 messages of conversation"
d: "System prompt + CLAUDE.md files"
correct: "b"
explanation: |
Sub-agents have ISOLATED context. They receive only the task description, have their own fresh context window, access the same tools (except Task), and return only a summary text. This isolation keeps the main context clean and prevents context pollution.
doc_reference:
file: "guide/architecture.md"
section: "Isolation Model"
anchor: "#isolation-model"
- id: "12-008"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What are the 4 permission layers in Claude Code's security model?"
options:
a: "User, Admin, System, Root"
b: "Interactive prompts, Allow/Deny rules, Hooks, Sandbox"
c: "Read, Write, Execute, Delete"
d: "Local, Project, Global, Enterprise"
correct: "b"
explanation: |
Claude Code has 4 layered security: (1) Interactive prompts (allow once/always/deny), (2) Allow/Deny rules in settings.json, (3) Hooks (Pre/Post execution scripts), (4) Sandbox mode (filesystem + network isolation). Each layer adds protection.
doc_reference:
file: "guide/architecture.md"
section: "Permission & Security Model"
anchor: "#5-permission--security-model"
- id: "12-009"
difficulty: "senior"
profiles: ["senior", "power"]
question: "What algorithm does the Edit tool use when exact match fails?"
options:
a: "Returns error immediately"
b: "Fuzzy match (whitespace normalization, line ending normalization, context expansion)"
c: "Regex pattern matching"
d: "Semantic similarity search"
correct: "b"
explanation: |
When exact match fails, Edit attempts fuzzy matching: (1) Whitespace normalization (trailing spaces, indentation), (2) Line ending normalization (CRLF vs LF), (3) Context expansion (surrounding lines). Only if fuzzy match also fails does it return an error.
doc_reference:
file: "guide/architecture.md"
section: "Fuzzy Matching Details"
anchor: "#fuzzy-matching-details"
- id: "12-010"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What protocol does MCP (Model Context Protocol) use for communication?"
options:
a: "REST API over HTTPS"
b: "GraphQL"
c: "JSON-RPC 2.0 over stdio or HTTP"
d: "gRPC with Protocol Buffers"
correct: "c"
explanation: |
MCP uses JSON-RPC 2.0 over stdio or HTTP transport. MCP tools follow the naming convention `mcp__<server>__<tool>`. Servers start on first use and stay alive during the session. They have the same permission system as native tools.
doc_reference:
file: "guide/architecture.md"
section: "MCP Integration"
anchor: "#6-mcp-integration"
- id: "12-011"
difficulty: "senior"
profiles: ["power"]
question: "What is Claude Code's design philosophy, as stated by Anthropic?"
options:
a: "More scaffolding, less model - build complex orchestration"
b: "Less scaffolding, more model - trust Claude's reasoning"
c: "Maximum control - explicit rules for every case"
d: "Hybrid approach - RAG + classifier + model"
correct: "b"
explanation: |
Claude Code's philosophy is "Less scaffolding, more model" - trust Claude's reasoning instead of building complex orchestration systems. This means: single model decides (no classifier/router), Grep+Glob (no RAG), simple while loop (no DAG), conversation as state (no state machines).
doc_reference:
file: "guide/architecture.md"
section: "Philosophy: Less Scaffolding, More Model"
anchor: "#9-philosophy-less-scaffolding-more-model"
- id: "12-012"
difficulty: "senior"
profiles: ["senior", "power"]
question: "What are the 4 specialized sub-agent types available in Claude Code?"
options:
a: "Reader, Writer, Searcher, Executor"
b: "Explore, Plan, Bash, general-purpose"
c: "Junior, Senior, Expert, Architect"
d: "Fast, Balanced, Thorough, Complete"
correct: "b"
explanation: |
Claude Code offers 4 sub-agent types: Explore (codebase exploration, read-only tools), Plan (architecture planning, no Edit/Write), Bash (command execution, Bash only), and general-purpose (complex multi-step tasks, all tools). Each has different tool access.
doc_reference:
file: "guide/architecture.md"
section: "Sub-Agent Types"
anchor: "#sub-agent-types"

174
quiz/questions/13-security.yaml Normal file
View file

@ -0,0 +1,174 @@
category: "Security Hardening"
category_id: 13
source_file: "guide/security-hardening.md"
questions:
- id: "13-001"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is an 'MCP Rug Pull' attack?"
options:
a: "An MCP server that crashes unexpectedly"
b: "A benign MCP that turns malicious after gaining trust (no re-approval needed)"
c: "An MCP that uses too many tokens"
d: "An attack on the MCP protocol itself"
correct: "b"
explanation: |
An MCP Rug Pull exploits the one-time approval model: attacker publishes benign MCP → user approves once → MCP works normally (builds trust) → attacker pushes malicious update → MCP exfiltrates credentials WITHOUT re-approval. Mitigation: version pinning + hash verification.
doc_reference:
file: "guide/security-hardening.md"
section: "Attack: MCP Rug Pull"
anchor: "#attack-mcp-rug-pull"
- id: "13-002"
difficulty: "senior"
profiles: ["senior", "power"]
question: "What does CVE-2025-53109/53110 (EscapeRoute) exploit?"
options:
a: "Prompt injection in Claude's system prompt"
b: "Filesystem MCP sandbox escape via prefix bypass + symlinks"
c: "Memory corruption in the Bash tool"
d: "API key leakage in network requests"
correct: "b"
explanation: |
CVE-2025-53109/53110 (EscapeRoute) allows sandbox escape in Filesystem MCP via prefix bypass combined with symlinks. Severity: High. Mitigation: avoid Filesystem MCP with unrestricted access or apply the official patch. Source: Cymulate security research.
doc_reference:
file: "guide/security-hardening.md"
section: "CVE Summary (2025)"
anchor: "#cve-summary-2025"
- id: "13-003"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is a known limitation of permissions.deny in .claude/settings.json?"
options:
a: "It only works on macOS"
b: "System reminders may expose file contents before tool permission checks"
c: "It cannot block Bash commands"
d: "It requires admin privileges"
correct: "b"
explanation: |
permissions.deny has architectural limitations: background indexing may expose file contents via internal "system reminder" mechanism BEFORE tool permission checks are applied. This is documented in GitHub #4160. Defense-in-depth: store secrets outside project directories.
doc_reference:
file: "guide/security-hardening.md"
section: "Known Security Gaps"
anchor: "#known-security-gaps"
- id: "13-004"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is the recommended defense-in-depth strategy for secrets protection?"
options:
a: "Only use permissions.deny"
b: "Store secrets outside project + external vault + PreToolUse hooks + never commit"
c: "Encrypt all files in the project"
d: "Use a VPN when running Claude Code"
correct: "b"
explanation: |
Defense-in-depth: (1) Store secrets outside project directories (~/.secrets/ or vault), (2) Use external secrets management (AWS Secrets Manager, 1Password), (3) Add PreToolUse hooks as secondary blocking, (4) Never commit secrets, (5) Manually review bash commands.
doc_reference:
file: "guide/security-hardening.md"
section: "Defense-in-Depth Strategy"
anchor: "#defense-in-depth-strategy"
- id: "13-005"
difficulty: "senior"
profiles: ["senior", "power"]
question: "Which prompt injection evasion technique uses U+200B, U+200C, U+200D?"
options:
a: "Base64 encoding"
b: "RTL override"
c: "Zero-width characters (invisible to humans)"
d: "Homoglyphs"
correct: "c"
explanation: |
Zero-width characters (U+200B, U+200C, U+200D) make instructions invisible to humans while still being interpreted. Detection: Unicode regex pattern [\x{200B}-\x{200D}\x{FEFF}\x{202A}-\x{202E}]. Added to prompt-injection-detector.sh in v3.6.0.
doc_reference:
file: "guide/security-hardening.md"
section: "Evasion Techniques"
anchor: "#evasion-techniques"
- id: "13-006"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "Which secret detection tool has the highest recall (88%) but lower precision (46%)?"
options:
a: "TruffleHog"
b: "GitGuardian"
c: "Gitleaks"
d: "detect-secrets"
correct: "c"
explanation: |
Gitleaks: 88% recall, 46% precision, fast (~2 min/100K commits) - best for pre-commit hooks. TruffleHog: 52% recall, 85% precision, slow - best for CI verification. GitGuardian: 80% recall, 95% precision - enterprise monitoring. detect-secrets: 60% recall, 98% precision - baseline approach.
doc_reference:
file: "guide/security-hardening.md"
section: "Tool Comparison"
anchor: "#tool-comparison"
- id: "13-007"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is the recommended hook stack for security in settings.json?"
options:
a: "Only PostToolUse hooks for logging"
b: "PreToolUse (dangerous blocker, injection detector) + PostToolUse (output scanner) + SessionStart (MCP integrity)"
c: "No hooks - rely only on permissions.deny"
d: "Only UserPromptSubmit hooks"
correct: "b"
explanation: |
Recommended security hook stack: PreToolUse → dangerous-actions-blocker.sh (Bash), prompt-injection-detector.sh + unicode-injection-scanner.sh (Edit/Write). PostToolUse → output-secrets-scanner.sh (Bash). SessionStart → mcp-config-integrity.sh. Multiple layers for defense-in-depth.
doc_reference:
file: "guide/security-hardening.md"
section: "Hook Stack Setup"
anchor: "#23-hook-stack-setup"
- id: "13-008"
difficulty: "junior"
profiles: ["junior", "senior", "power"]
question: "Which MCP servers are marked as 'Safe' in the community-vetted safe list?"
options:
a: "filesystem (unrestricted), database (prod credentials)"
b: "@anthropic/mcp-server-*, context7, sequential-thinking, memory"
c: "browser (full access), custom MCPs"
d: "All MCPs are safe by default"
correct: "b"
explanation: |
MCP Safe List: @anthropic/mcp-server-* (official), context7 (read-only docs), sequential-thinking (no external access, local), memory (local file-based). Risk: filesystem unrestricted (CVE-2025-53109), database prod (exfiltration). Unsafe: browser full access.
doc_reference:
file: "guide/security-hardening.md"
section: "MCP Safe List (Community Vetted)"
anchor: "#mcp-safe-list-community-vetted"
- id: "13-009"
difficulty: "junior"
profiles: ["junior", "senior", "power"]
question: "What is the first action when a secret is exposed?"
options:
a: "Document the incident for post-mortem"
b: "Revoke the credential immediately"
c: "Scan the entire repo"
d: "Notify the team"
correct: "b"
explanation: |
First 15 minutes (stop the bleeding): (1) Revoke immediately - AWS delete-access-key, GitHub revoke token, Stripe roll key. (2) Confirm exposure scope. Then: audit git history, scan dependencies, check CI/CD logs. First 24 hours: rotate ALL related credentials, notify compliance, document timeline.
doc_reference:
file: "guide/security-hardening.md"
section: "Secret Exposed"
anchor: "#31-secret-exposed"
- id: "13-010"
difficulty: "junior"
profiles: ["junior", "senior", "power", "pm"]
question: "What are the three security posture levels in the guide?"
options:
a: "Low, Medium, High"
b: "Basic (5 min), Standard (30 min), Hardened (2 hours)"
c: "Development, Staging, Production"
d: "Free, Pro, Enterprise"
correct: "b"
explanation: |
Security posture levels: Basic (5 min) = output scanner + dangerous blocker - for solo dev/experiments. Standard (30 min) = + injection hooks + MCP vetting - for teams/sensitive code. Hardened (2 hours) = + integrity verification + ZDR - for enterprise/production.
doc_reference:
file: "guide/security-hardening.md"
section: "Security Posture Levels"
anchor: "#security-posture-levels"

174
quiz/questions/14-privacy-observability.yaml Normal file
View file

@ -0,0 +1,174 @@
category: "Privacy & Observability"
category_id: 14
source_file: "guide/data-privacy.md"
questions:
- id: "14-001"
difficulty: "junior"
profiles: ["junior", "senior", "power", "pm"]
question: "What is the default data retention period for Claude Code conversations?"
options:
a: "30 days"
b: "1 year"
c: "5 years"
d: "Forever"
correct: "c"
explanation: |
Default retention is 5 years with data used for model training. By opting out of training at claude.ai/settings/data-privacy-controls, retention reduces to 30 days (safety monitoring only). Enterprise API (ZDR) has 0-day retention.
doc_reference:
file: "guide/data-privacy.md"
section: "TL;DR - Retention Summary"
anchor: "#tldr---retention-summary"
- id: "14-002"
difficulty: "intermediate"
profiles: ["junior", "senior", "power"]
question: "What data is sent to Anthropic when using Claude Code?"
options:
a: "Only your prompts"
b: "Prompts, files Claude reads, MCP results, Bash outputs, error messages"
c: "Only code snippets you copy-paste"
d: "Hashed metadata only"
correct: "b"
explanation: |
Everything Claude sees is sent: your prompts, files Claude reads (including .env if not excluded!), MCP server results (SQL queries, API responses), Bash command outputs, and error messages with stack traces. Use permissions.deny to block sensitive files.
doc_reference:
file: "guide/data-privacy.md"
section: "What Leaves Your Machine"
anchor: "#what-leaves-your-machine"
- id: "14-003"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is the risk when connecting a database via MCP?"
options:
a: "Database might slow down"
b: "Query results (including PII) are sent to Anthropic and stored per retention policy"
c: "Claude might drop tables"
d: "MCP uses too many tokens"
correct: "b"
explanation: |
When MCP executes a database query, ALL results are sent to Anthropic: "SELECT * FROM orders" → 100 rows with customer names, emails, addresses → stored according to your retention tier. NEVER connect production databases. Use dev/staging with anonymized data.
doc_reference:
file: "guide/data-privacy.md"
section: "Risk 2: MCP Database Access"
anchor: "#risk-2-mcp-database-access"
- id: "14-004"
difficulty: "junior"
profiles: ["junior", "senior", "power"]
question: "How can you reduce Claude Code data retention from 5 years to 30 days?"
options:
a: "Delete ~/.claude folder"
b: "Disable 'Allow model training' at claude.ai/settings/data-privacy-controls"
c: "Use incognito mode"
d: "Add --no-retention flag"
correct: "b"
explanation: |
Visit claude.ai/settings/data-privacy-controls and toggle OFF "Allow model training". This immediately reduces retention from 5 years to 30 days (safety monitoring only). Enterprise API (ZDR) provides 0-day retention for HIPAA/GDPR compliance.
doc_reference:
file: "guide/data-privacy.md"
section: "Opt-Out of Training"
anchor: "#41-opt-out-of-training"
- id: "14-005"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is the Enterprise API (ZDR) data retention policy?"
options:
a: "30 days retention"
b: "1 year retention"
c: "0 days (real-time processing only, data not stored)"
d: "5 years like default"
correct: "c"
explanation: |
Enterprise API (Zero Data Retention) has 0-day retention - data is processed in real-time and not stored. Required for HIPAA, GDPR, PCI-DSS compliance and government contracts. Requires enterprise contract with Anthropic.
doc_reference:
file: "guide/data-privacy.md"
section: "Tier 3: Enterprise API (Zero Data Retention)"
anchor: "#tier-3-enterprise-api-zero-data-retention"
- id: "14-006"
difficulty: "junior"
profiles: ["junior", "senior", "power"]
question: "What is the recommended session search tool from the guide?"
options:
a: "claude-conversation-extractor"
b: "session-search.sh (zero-dependency bash script)"
c: "ran CLI (npm)"
d: "Built-in /search command"
correct: "b"
explanation: |
session-search.sh is the recommended tool: zero dependencies (bash only), fast (~10ms list, ~400ms search), displays ready-to-use 'claude --resume' commands. Install with alias 'cs' for quick access. Alternative Python tools exist but are slower.
doc_reference:
file: "guide/observability.md"
section: "Recommended: session-search.sh"
anchor: "#recommended-session-searchsh"
- id: "14-007"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What hook event is used for session logging?"
options:
a: "PreToolUse"
b: "PostToolUse"
c: "SessionStart"
d: "Notification"
correct: "b"
explanation: |
Session logging uses PostToolUse hook - it runs after each tool completes, capturing tool name, file path, project, and token estimates. Configure in settings.json with the session-logger.sh script. Logs are stored as JSONL files in ~/.claude/logs/.
doc_reference:
file: "guide/observability.md"
section: "Register in Settings"
anchor: "#2-register-in-settings"
- id: "14-008"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What is the token estimation method used by the session logger?"
options:
a: "API-provided exact counts"
b: "~4 characters per token (heuristic, slightly overestimates)"
c: "1 word = 1 token"
d: "Based on file size only"
correct: "b"
explanation: |
The logger estimates tokens using ~4 characters per token heuristic. This is approximate and tends to slightly overestimate. Claude Code CLI doesn't expose actual API token metrics, so estimates have ~15-25% variance from actual billing.
doc_reference:
file: "guide/observability.md"
section: "Token Estimation Method"
anchor: "#token-estimation-method"
- id: "14-009"
difficulty: "intermediate"
profiles: ["senior", "power"]
question: "What CANNOT the session monitoring do?"
options:
a: "Track tool usage counts"
b: "Identify file access patterns"
c: "Provide exact token counts and actual API costs"
d: "Record operation timestamps"
correct: "c"
explanation: |
Monitoring CANNOT provide: exact token counts (CLI doesn't expose API metrics), actual API costs (estimates only), TTFT timing, real-time streaming metrics, or context window usage. It CAN track: tool usage counts, file access patterns, relative comparisons, operation timing.
doc_reference:
file: "guide/observability.md"
section: "What This Monitoring CANNOT Do"
anchor: "#what-this-monitoring-cannot-do"
- id: "14-010"
difficulty: "junior"
profiles: ["junior", "senior", "power"]
question: "Where are Claude Code session logs stored locally?"
options:
a: "~/.config/claude/"
b: "~/.claude/projects/<project>/"
c: "/var/log/claude/"
d: "In the cloud only"
correct: "b"
explanation: |
Sessions are stored locally at ~/.claude/projects/<project>/ as JSONL files. This enables session resume with 'claude --resume <id>' or 'claude -c' for most recent. Custom logs from session-logger.sh go to ~/.claude/logs/ (configurable via CLAUDE_LOG_DIR).
doc_reference:
file: "guide/observability.md"
section: "Native Commands"
anchor: "#native-commands"