From d1182af4cf98056593452c51888d993631b4285c Mon Sep 17 00:00:00 2001 
From: Florian BRUNIAUX Date: Sun, 15 Feb 2026 18:41:45 +0100 Subject: [PATCH] =?UTF-8?q?docs:=20v3.27.1=20=E2=80=94=20fact-check=20corr?= =?UTF-8?q?ections,=20grepai=20docs,=20RTK=20overhaul?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fact-check (README positioning): - Template count: 120/123 → 108 (ground truth recount) - Ratio: 14× → 24× (19,000 ÷ 784 = 24.2×) - everything-cc stars: 31.9k → 45k+ (verified Feb 15) - Commands count: 20 → 23, hooks: 30 → 31 Added: - Grepai MCP documentation (semantic search, call graphs) - 3 hook templates (rtk-baseline, session-summary, session-summary-config) - 2 resource evaluations (system-prompts update, qmd token savings) Changed: - RTK documentation overhaul (v0.7.0 → v0.16.0, rtk-ai org) - Exports deprecated (kimi.pdf, notebooklm.pdf → deprecated/) Co-Authored-By: Claude Opus 4.6 --- CHANGELOG.md | 61 +- CLAUDE.md | 12 +- README.md | 347 +++-- SECURITY.md | 4 +- VERSION | 2 +- docs/competitive-analysis.md | 18 +- ...imone-ruggiero-qmd-token-savings-medium.md | 117 ++ docs/resource-evaluations/README.md | 4 +- docs/resource-evaluations/rtk-evaluation.md | 127 +- .../system-prompts-opus-4-6-update.md | 153 ++ docs/resource-evaluations/watch-list.md | 3 +- examples/README.md | 194 ++- examples/claude-md/rtk-optimized.md | 40 +- examples/hooks/README.md | 153 ++ examples/hooks/bash/rtk-auto-wrapper.sh | 27 +- examples/hooks/bash/rtk-baseline.sh | 39 + examples/hooks/bash/session-summary-config.sh | 473 ++++++ examples/hooks/bash/session-summary.sh | 1335 +++++++++++++++++ examples/scripts/rtk-benchmark.sh | 69 +- examples/skills/rtk-optimizer/SKILL.md | 61 +- exports/README.md | 28 +- exports/{ => deprecated}/kimi.pdf | Bin exports/{ => deprecated}/notebooklm.pdf | Bin guide/ai-ecosystem.md | 111 +- guide/cheatsheet.md | 6 +- guide/mcp-servers-ecosystem.md | 140 +- guide/third-party-tools.md | 26 +- guide/ultimate-guide.md | 285 +++- machine-readable/reference.yaml | 51 +- 
tools/audit-cheatsheet-prompt.md | 2 +- 30 files changed, 3506 insertions(+), 382 deletions(-) create mode 100644 docs/resource-evaluations/2026-02-14-simone-ruggiero-qmd-token-savings-medium.md create mode 100644 docs/resource-evaluations/system-prompts-opus-4-6-update.md create mode 100644 examples/hooks/bash/rtk-baseline.sh create mode 100644 examples/hooks/bash/session-summary-config.sh create mode 100755 examples/hooks/bash/session-summary.sh rename exports/{ => deprecated}/kimi.pdf (100%) rename exports/{ => deprecated}/notebooklm.pdf (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 16fa31f..f9ccb52 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,10 +8,69 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## [3.27.1] - 2026-02-15 + +### Added + +- **Grepai MCP documentation** (`guide/mcp-servers-ecosystem.md`) + - New "Code Search & Analysis" section (~130 lines): semantic search, call graph tracing, setup guide + - Privacy: fully local (Ollama + nomic-embed-text), zero data exfiltration + - Token efficiency comparison: grepai 2-3K tokens vs Grep+Read 15K for same results + - Cross-referenced from `reference.yaml` + +- **2 new resource evaluations** (both scored 2/5 — not integrated) + - `system-prompts-opus-4-6-update.md`: Re-evaluation of x1xhlol system prompts repo (Opus 4.6 update), still redundant + - `2026-02-14-simone-ruggiero-qmd-token-savings-medium.md`: qmd token savings tool (Medium article), claims unverifiable, redundant with grepai + +- **2 new hook templates** (`examples/hooks/bash/`) + - `rtk-baseline.sh`: SessionStart hook — saves RTK gain baseline for delta tracking + - `session-summary.sh`: SessionEnd hook — auto-displays session summary (inspired by Gemini CLI) + +- **Watch list entry**: o16g (Outcome Engineering) — emerging framework by Cory Ondrejka (ex-VP Google/Meta) + +### Changed + +- **RTK documentation overhaul** (v0.7.0 → v0.16.0, 446 stars, rtk-ai org) + - Updated 15+ files across guide + landing: org migration (rtk-ai/rtk), removed fork distinction + - Added: Python, Go, Homebrew, hook-first install, `rtk init`, `rtk tree`, `rtk learn` + - Removed outdated ls/grep warnings (bugs resolved in v0.16.0) + - Evaluation score: 4.5/5 → 5/5 (446 stars, [700+ Reddit upvotes](https://www.reddit.com/r/ClaudeAI/comments/1r2tt7q/)) + - Landing site updated: Homebrew install, new command grid (cargo/python/go), removed name collision warning + - `~/.claude/CLAUDE.md`: replaced fork install with cargo/Homebrew + +- **Exports deprecated** — Moved `kimi.pdf` and `notebooklm.pdf` to `exports/deprecated/` (generated from ~9K line v1.x era, guide now ~19K 
lines) + +### Fixed + +- **Fact-check corrections across 22 files** (866 insertions, 308 deletions) + - CVEs: 22→18 (7 files: README, CHANGELOG, SECURITY, competitive-analysis, etc.) + - Resource evaluations: 56→67 (README), 55→67 (reference.yaml), 14→68 (CLAUDE.md) + - Templates: 111→120 (badges), breakdown 22 commands→23, 18 hooks→30 + - Quiz questions: 257→264 (README, CLAUDE.md, reference.yaml, ai-ecosystem) + - Guide lines: 11K→19K (competitive-analysis, CLAUDE.md, ai-ecosystem, audit-cheatsheet-prompt) + - CLAUDE.md: version 3.9.9→3.27.0, evaluations 14→68, quiz 257→264 + - MCP ecosystem: updated date Jan→Feb 2026, added Code Search TOC entry + +- **README positioning fact-check** (4 files, 21 edits) + - Template count: 120/123 → **108** (ground truth recount: hooks 30→31, workflows 2→3, multi-provider removed) + - Ratio: 14× → **24×** (19,000 ÷ 784 = 24.2×, added "16 specialized guides" context) + - everything-claude-code stars: 31.9k → **45k+** (verified 2026-02-15) + - Commands count in README: 20→23 (aligned with examples/README.md) + - Added missing entries to `examples/README.md`: `session-summary-config.sh` (hook), `memory-stack-integration.md` (workflow) + ## [3.27.0] - 2026-02-12 ### Added +- **Watch List** (`docs/resource-evaluations/watch-list.md`) + - Public tracker for resources monitored but not yet integrated (tools, MCP servers, articles, libraries) + - Event-driven re-evaluation (trigger-based, not time-based) to avoid stale dates + - 3 sections: Active Watch, Graduated, Dropped + - Initial entries: ICM (MCP, pre-v1), System Prompts (x1xhlol, redundant with official sources) + - Cross-referenced from `mcp-servers-ecosystem.md` (Monitor workflow) and `resource-evaluations/README.md` + - Added to `reference.yaml` as `resource_evaluations_watchlist` + - Replaces private `claudedocs/` watch list (deleted) + - **Entire CLI Integration** (launched Feb 2026 by Thomas Dohmke, ex-GitHub CEO, $60M funding) - Comprehensive coverage across 7 guide files: 
ai-traceability, third-party-tools, observability, ai-ecosystem, ultimate-guide, security-hardening, cheatsheet - **Replaces deprecated git-ai** (404 repo) in AI Traceability Guide with production-ready alternative @@ -33,7 +92,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - **Security Threat Intelligence Database** (`examples/commands/resources/threat-db.yaml` v2.0.0) - Comprehensive threat DB compiled from Perplexity Deep Research across 15 sources - **63 malicious skills** catalogued (ClawHavoc 341 skills, Snyk ToxicSkills, PyPI supply chain) - - **22 CVEs** tracked with component, severity, fixed_in version, and mitigation + - **18 CVEs** tracked with component, severity, fixed_in version, and mitigation - **4 campaigns** documented: ClawHavoc (AMOS), ToxicSkills, PyPI MCP reverse shell, Postmark npm squatter - **IOCs**: 6 C2 IPs, exfiltration endpoints, malicious GitHub repos, malware hashes - **17 malicious skill patterns** for wildcard matching (prefix-based scanning) diff --git a/CLAUDE.md b/CLAUDE.md index de9f160..e9495a9 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -10,7 +10,7 @@ This repository is the **comprehensive documentation for Claude Code** (Anthropi ``` guide/ # Core documentation -├── ultimate-guide.md # Main guide (~9900 lines, the reference) +├── ultimate-guide.md # Main guide (~19K lines, the reference) ├── cheatsheet.md # 1-page printable summary ├── architecture.md # How Claude Code works internally ├── methodologies.md # TDD, SDD, BDD workflows @@ -34,7 +34,7 @@ tools/ # Interactive utilities └── onboarding-prompt.md # Personalized learning prompt docs/ # Public documentation (tracked) -└── resource-evaluations/ # External resource evaluations (14 files) +└── resource-evaluations/ # External resource evaluations (68 files) claudedocs/ # Claude working documents (gitignored) ├── resource-evaluations/ # Research working docs (prompts, private audits) 
@@ -45,7 +45,7 @@ claudedocs/ # Claude working documents (gitignored) | File | Purpose | |------|---------| -| `VERSION` | Single source of truth for version (currently 3.9.9) | +| `VERSION` | Single source of truth for version (currently 3.27.0) | | `guide/ultimate-guide.md` | The main reference (search here first) | | `guide/cheatsheet.md` | Quick reference for daily use | | `machine-readable/reference.yaml` | LLM-optimized index with line numbers | @@ -269,7 +269,7 @@ Ce guide fait partie d'un écosystème de 4 repositories interconnectés, sépar |--------|---------| | **GitHub** | https://github.com/FlorianBruniaux/claude-code-ultimate-guide | | **Local** | `/Users/florianbruniaux/Sites/perso/claude-code-ultimate-guide/` | -| **Contenu** | Guide 11K lignes, 66+ templates, workflows, architecture | +| **Contenu** | Guide ~19K lignes, 108 templates, workflows, architecture | | **Audience** | Développeurs, DevOps, tech leads | ### 2. Claude Cowork Guide (repo dédié) @@ -292,7 +292,7 @@ Ce guide fait partie d'un écosystème de 4 repositories interconnectés, sépar | Aspect | Détails | |--------|---------| | **Local** | `/Users/florianbruniaux/Sites/perso/claude-code-ultimate-guide-landing/` | -| **Contenu** | Page marketing, badges, FAQ, quiz (257 questions) | +| **Contenu** | Page marketing, badges, FAQ, quiz (264 questions) | | **Sync avec** | Guide principal (version, templates, guide lines) | ### 4. Cowork Landing Site @@ -421,7 +421,7 @@ External resources (articles, videos, discussions) are evaluated before integrat | Location | Content | Tracking | |----------|---------|----------| -| `docs/resource-evaluations/` | Final evaluations (14 files) | ✅ Git tracked (public) | +| `docs/resource-evaluations/` | Final evaluations (68 files) | ✅ Git tracked (public) | | `claudedocs/resource-evaluations/` | Working docs, prompts, private audits | ❌ Gitignored (private) | ### Scoring Grid diff --git a/README.md b/README.md index 70d747d..4824dd4 100644 --- a/README.md 
+++ b/README.md @@ -6,23 +6,87 @@

Stars - Last Update - Quiz - Templates - Threat Database + Last Update + Quiz + Templates + Threat Database

+ Mentioned in Awesome Claude Code License: CC BY-SA 4.0 Ask Zread

-> **Claude Code from beginner to power user.** Exhaustive documentation, production-ready templates, agentic workflow guides, quiz, and a cheatsheet for daily use. +> **6 months of daily practice** distilled into a guide that teaches you the WHY, not just the what. From core concepts to production security, you learn to design your own agentic workflows instead of copy-pasting configs. > **If this guide helps you, [give it a star ⭐](https://github.com/FlorianBruniaux/claude-code-ultimate-guide/stargazers)** — it helps others discover it too. --- +## 🎯 What You'll Learn + +**This guide teaches you to think differently about AI-assisted development:** +- ✅ **Understand trade-offs** — When to use agents vs skills vs commands (not just how to configure them) +- ✅ **Build mental models** — How Claude Code works internally (architecture, context flow, tool orchestration) +- ✅ **Master methodologies** — TDD, SDD, BDD with AI collaboration (not just templates) +- ✅ **Security mindset** — Threat modeling for AI systems (only guide with 18 CVEs + 341 malicious skills database) +- ✅ **Test your knowledge** — 264-question quiz to validate understanding (no other resource offers this) + +**Outcome**: Go from copy-pasting configs to designing your own agentic workflows with confidence. + +--- + +## 📊 When to Use This Guide vs Everything-CC + +Both guides serve different needs. Choose based on your priority. 
+ +| Your Goal | This Guide | everything-claude-code | +|-----------|------------|------------------------| +| **Understand why** patterns work | Deep explanations + architecture | Config-focused | +| **Quick setup** for projects | Available but not the priority | Battle-tested production configs | +| **Learn trade-offs** (agents vs skills) | Decision frameworks + comparisons | Lists patterns, no trade-off analysis | +| **Security hardening** | Only threat database (18 CVEs) | Basic patterns only | +| **Test understanding** | 264-question quiz | Not available | +| **Methodologies** (TDD/SDD/BDD) | Full workflow guides | Not covered | +| **Copy-paste ready** templates | 108 templates | 200+ templates | + +### Ecosystem Positioning + +``` + EDUCATIONAL DEPTH + ▲ + │ + │ ★ This Guide + │ Security + Methodologies + 19K lines + │ + │ [Everything-You-Need-to-Know] + │ SDLC/BMAD beginner + ─────────────────────────┼─────────────────────────► READY-TO-USE + [awesome-claude-code] │ [everything-claude-code] + (discovery, curation) │ (plugin, 1-cmd install) + │ + │ [claude-code-studio] + │ Context management + │ + SPECIALIZED +``` + +**4 unique gaps no competitor covers:** +1. **Security-First** — 18 CVEs + 341 malicious skills tracked (no competitor has this depth) +2. **Methodology Workflows** — TDD/SDD/BDD comparison + step-by-step guides +3. **Comprehensive Reference** — 19K lines across 16 specialized guides (24× more reference material than everything-cc) +4. **Educational Progression** — 264-question quiz, beginner → expert path + +**Recommended workflow:** +1. Learn concepts here (mental models, trade-offs, security) +2. Use battle-tested configs there (quick project setup) +3. Return here for deep dives (when something doesn't work or to design custom workflows) + +**Both resources are complementary, not competitive.** Use what fits your current need. 
+ +--- + ## ⚡ Quick Start **Quickest path**: [Cheat Sheet](./guide/cheatsheet.md) — 1 printable page with daily essentials @@ -71,11 +135,11 @@ graph LR root[📦 Repository
Root] root --> guide[📖 guide/
19K lines] - root --> examples[📋 examples/
111 templates] - root --> quiz[🧠 quiz/
257 questions] + root --> examples[📋 examples/
108 templates] + root --> quiz[🧠 quiz/
264 questions] root --> tools[🔧 tools/
utils] root --> machine[🤖 machine-readable/
AI index] - root --> docs[📚 docs/
56 evaluations] + root --> docs[📚 docs/
67 evaluations] style root fill:#d35400,stroke:#e67e22,stroke-width:3px,color:#fff style guide fill:#2980b9,stroke:#3498db,stroke-width:2px,color:#fff @@ -95,20 +159,20 @@ graph LR ├─ 📖 guide/ Core Documentation (~19K lines) │ ├─ ultimate-guide.md Complete reference, 10 sections │ ├─ cheatsheet.md 1-page printable -│ ├─ architecture.md How Claude Code works internal ly +│ ├─ architecture.md How Claude Code works internally │ ├─ methodologies.md TDD, SDD, BDD workflows │ ├─ third-party-tools.md Community tools (RTK, ccusage, Entire CLI) │ ├─ mcp-servers-ecosystem.md Official & community MCP servers │ └─ workflows/ Step-by-step guides │ -├─ 📋 examples/ 111 Production Templates +├─ 📋 examples/ 108 Production Templates │ ├─ agents/ 6 custom AI personas -│ ├─ commands/ 22 slash commands -│ ├─ hooks/ 18 security hooks (bash + PowerShell) +│ ├─ commands/ 23 slash commands +│ ├─ hooks/ 31 hooks (bash + PowerShell) │ ├─ skills/ 1 meta-skill (Claudeception) │ └─ scripts/ Utility scripts (audit, search) │ -├─ 🧠 quiz/ 257 Questions +├─ 🧠 quiz/ 264 Questions │ ├─ 9 categories Setup, Agents, MCP, Trust, Advanced... │ ├─ 4 profiles Junior, Senior, Power User, PM │ └─ Instant feedback Doc links + score tracking @@ -121,7 +185,7 @@ graph LR │ ├─ reference.yaml Structured index (~2K tokens) │ └─ llms.txt Standard LLM context file │ -└─ 📚 docs/ 55 Resource Evaluations +└─ 📚 docs/ 67 Resource Evaluations └─ resource-evaluations/ 5-point scoring, source attribution ``` 
@@ -131,61 +195,106 @@ graph LR ## 🎯 What Makes This Guide Unique -### 🎓 Educational Depth +### 🎓 Deep Understanding Over Configuration -We explain **concepts first**, not just configs: -- [Architecture](./guide/architecture.md) — How Claude Code works internally -- [Trade-offs](./guide/ultimate-guide.md#when-to-use-what) — When to use agents vs skills vs commands -- [Pitfalls](./guide/ultimate-guide.md#common-mistakes) — Common mistakes and solutions +**Outcome**: Design your own workflows instead of copy-pasting blindly. -### 📝 257-Question Quiz (Unique in Ecosystem) +**We teach how Claude Code works and why patterns matter**: +- [Architecture](./guide/architecture.md) — Internal mechanics (context flow, tool orchestration, memory management) +- [Trade-offs](./guide/ultimate-guide.md#when-to-use-what) — Decision frameworks for agents vs skills vs commands +- [Pitfalls](./guide/ultimate-guide.md#common-mistakes) — Common failure modes + prevention strategies -**Only comprehensive assessment available** — test your understanding across 9 categories: -- Setup & Configuration -- Agents & Sub-Agents -- MCP Servers & Integration -- Trust & Verification -- Advanced Patterns +**What this means for you**: Troubleshoot issues independently, optimize for your specific use case, know when to deviate from patterns. -[Try the Quiz Online →](https://florianbruniaux.github.io/claude-code-ultimate-guide-landing/quiz/) | [Run Locally](./quiz/) +--- -### 🤖 Agent Teams Coverage (v2.1.32+) +### 🛡️ Security Threat Intelligence (Only Comprehensive Database) -**Only comprehensive guide to Anthropic's experimental multi-agent coordination**: -- Production metrics (Fountain 50% faster, CRED 2x speed, autonomous C compiler) +**Outcome**: Protect production systems from AI-specific attacks. 
+ +**Only guide with systematic threat tracking**: +- **18 CVE-mapped vulnerabilities** — Prompt injection, data exfiltration, code injection +- **341 malicious skills catalogued** — Unicode injection, hidden instructions, auto-execute patterns +- **Production hardening workflows** — MCP vetting, injection defense, audit automation + +[Threat Database →](./machine-readable/threat-db.yaml) | [Security Guide →](./guide/security-hardening.md) + +**What this means for you**: Vet MCP servers before trusting them, detect attack patterns in configs, comply with security audits. + +--- + +### 📝 264-Question Knowledge Validation (Unique in Ecosystem) + +**Outcome**: Verify your understanding + identify knowledge gaps. + +**Only comprehensive assessment available** — test across 9 categories: +- Setup & Configuration, Agents & Sub-Agents, MCP Servers, Trust & Verification, Advanced Patterns + +**Features**: 4 skill profiles (Junior/Senior/Power User/PM), instant feedback with doc links, weak area identification + +[Try Quiz Online →](https://florianbruniaux.github.io/claude-code-ultimate-guide-landing/quiz/) | [Run Locally](./quiz/) + +**What this means for you**: Know what you don't know, track learning progress, prepare for team adoption discussions. + +--- + +### 🤖 Agent Teams Coverage (v2.1.32+ Experimental) + +**Outcome**: Parallelize work on large codebases (Fountain: 50% faster, CRED: 2x speed). 
+ +**Only comprehensive guide to Anthropic's multi-agent coordination**: +- Production metrics from real companies (autonomous C compiler, 500K hours saved) - 5 validated workflows (multi-layer review, parallel debugging, large-scale refactoring) -- Git-based coordination architecture (team lead + teammates) - Decision framework: Teams vs Multi-Instance vs Dual-Instance vs Beads -- Setup, limitations, best practices, troubleshooting [Agent Teams Workflow →](./guide/workflows/agent-teams.md) | [Section 9.20 →](./guide/ultimate-guide.md#920-agent-teams-multi-agent-coordination) -### 🔬 Methodologies (Structured Workflows) +**What this means for you**: Break monolithic tasks into parallelizable work, coordinate multi-file refactors, review your own AI-generated code. + +--- + +### 🔬 Methodologies (Structured Development Workflows) + +**Outcome**: Maintain code quality while working with AI. Complete guides with rationale and examples: -- [TDD](./guide/methodologies.md#1-tdd-test-driven-development-with-claude) — Test-Driven Development -- [SDD](./guide/methodologies.md#2-sdd-specification-driven-development) — Specification-Driven Development -- [BDD](./guide/methodologies.md#3-bdd-behavior-driven-development) — Behavior-Driven Development -- [GSD](./guide/methodologies.md#gsd-get-shit-done) — Get Shit Done pattern +- [TDD](./guide/methodologies.md#1-tdd-test-driven-development-with-claude) — Test-Driven Development (Red-Green-Refactor with AI) +- [SDD](./guide/methodologies.md#2-sdd-specification-driven-development) — Specification-Driven Development (Design before code) +- [BDD](./guide/methodologies.md#3-bdd-behavior-driven-development) — Behavior-Driven Development (User stories → tests) +- [GSD](./guide/methodologies.md#gsd-get-shit-done) — Get Shit Done (Pragmatic delivery) -### 📚 106 Annotated Templates +**What this means for you**: Choose the right workflow for your team culture, integrate AI into existing processes, avoid technical debt from AI over-reliance. 
+ +--- + +### 📚 108 Annotated Templates + +**Outcome**: Learn patterns, not just configs. Educational templates with explanations: -- Agents (6), Commands (22), Hooks (18), Skills -- Comments explaining **why** each pattern works -- Gradual complexity progression +- Agents (6), Commands (23), Hooks (31), Skills +- Comments explaining **why** each pattern works (not just what it does) +- Gradual complexity progression (simple → advanced) [Browse Catalog →](./examples/) -### 🔍 55 Resource Evaluations +**What this means for you**: Understand the reasoning behind patterns, adapt templates to your context, create your own custom patterns. + +--- + +### 🔍 67 Resource Evaluations + +**Outcome**: Trust our recommendations are evidence-based. Systematic assessment of external resources (5-point scoring): - Articles, videos, tools, frameworks -- Honest assessments with source attribution -- Integration recommendations +- Honest assessments with source attribution (no marketing fluff) +- Integration recommendations with trade-offs [See Evaluations →](./docs/resource-evaluations/) +**What this means for you**: Save time vetting resources, understand limitations before adopting tools, make informed decisions. + --- ## 🎯 Learning Paths 
@@ -288,12 +397,55 @@ cco # Offline mode (Ollama, 100% local) ## 🔑 Golden Rules -1. **Start small** — First project: 10-15 lines CLAUDE.md max -2. **Read before edit** — Always Read → Understand → Edit (never blind Write) -3. **Test-first** — Write test → Watch fail → Implement → Pass -4. **Use `/compact`** before context hits 70% — prevention beats recovery -5. **Review everything** — AI code has 1.75× more logic errors ([source](https://dl.acm.org/doi/10.1145/3716848)) -6. **Context = Gold** — Clear CLAUDE.md > clever prompts +### 1. Verify Trust Before Use + +Claude Code can generate 1.75x more logic errors than human-written code ([ACM 2025](https://dl.acm.org/doi/10.1145/3716848)). Every output must be verified. Use `/insights` commands and verify patterns through tests. + +**Strategy:** Solo dev (verify logic + edge cases). Team (systematic peer review). Production (mandatory gating tests). + +--- + +### 2. Never Approve MCPs from Unknown Sources + +18 CVEs identified in Claude Code ecosystem. 341 malicious skills in supply chain. MCP servers can read/write your codebase. + +**Strategy:** Systematic audit (5-min checklist). Community-vetted MCP Safe List. Vetting workflow documented in guide. + +--- + +### 3. Context Pressure Changes Behavior + +At 70% context, Claude starts losing precision. At 85%, hallucinations increase. At 90%+, responses become erratic. + +**Strategy:** 0-50% (work freely). 50-70% (attention). 70-90% (`/compact`). 90%+ (`/clear` mandatory). + +--- + +### 4. Start Simple, Scale Smart + +Start with basic CLAUDE.md + a few commands. Test in production for 2 weeks. Add agents/skills only if need is proven. + +**Strategy:** Phase 1 (basic). Phase 2 (commands + hooks if needed). Phase 3 (agents if multi-context). Phase 4 (MCP servers if truly required). + +--- + +### 5. Methodologies Matter More with AI + +TDD/SDD/BDD are not optional with Claude Code. AI accelerates bad code as much as good code. + +**Strategy:** TDD (critical logic). 
SDD (architecture upfront). BDD (PM/dev collaboration). GSD (throwaway prototypes). + +--- + +### Quick Reference + +| # | Rule | Key Metric | Action | +|---|------|------------|--------| +| 1 | Verify Trust | 1.75x more logic errors | Test everything, peer review | +| 2 | Vet MCPs | 18 CVEs, 341 malicious skills | 5-min audit checklist | +| 3 | Manage Context | 70% = precision loss | `/compact` at 70%, `/clear` at 90% | +| 4 | Start Simple | 2-week test period | Phase 1→4 progressive adoption | +| 5 | Use Methodologies | AI amplifies good AND bad | TDD/SDD/BDD by context | > Context management is critical. See the [Cheat Sheet](./guide/cheatsheet.md#context-management-critical) for thresholds and actions. @@ -312,19 +464,6 @@ cco # Offline mode (Ollama, 100% local) ## 🌍 Ecosystem -### Positioning: Complementary, Not Competitive - -**Claude Code has two major community resources:** - -| Resource | Focus | Best For | -|----------|-------|----------| -| **This Guide** | 🎓 Educational depth, methodologies | Deep understanding, learning WHY | -| [everything-claude-code](https://github.com/affaan-m/everything-claude-code) | ⚙️ Production configs, plugin install | Quick setup, battle-tested patterns | - -**Recommended workflow**: Learn concepts here → Leverage production configs there → Return for deep dives - -Both resources serve different needs. Use what fits your learning style and project requirements. - ### Claude Cowork (Non-Developers) **Claude Cowork** is the companion guide for non-technical users (knowledge workers, assistants, managers). 
@@ -339,13 +478,14 @@ Same agentic capabilities as Claude Code, but through a visual interface with no | Project | Focus | Best For | |---------|-------|----------| -| [claude-code-templates](https://github.com/davila7/claude-code-templates) | Distribution (200+ templates) | CLI installation (17k⭐) | -| [anthropics/skills](https://github.com/anthropics/skills) | Official Anthropic skills (60K+⭐) | Documents, design, dev templates | +| [everything-claude-code](https://github.com/affaan-m/everything-claude-code) | Production configs (45k+ stars) | Quick setup, battle-tested patterns | +| [claude-code-templates](https://github.com/davila7/claude-code-templates) | Distribution (200+ templates) | CLI installation (17k stars) | +| [anthropics/skills](https://github.com/anthropics/skills) | Official Anthropic skills (60K+ stars) | Documents, design, dev templates | | [anthropics/claude-plugins-official](https://skills.sh/anthropics/claude-plugins-official) | Plugin dev tools (3.1K installs) | CLAUDE.md audit, automation discovery | | [skills.sh](https://skills.sh/) | Skills marketplace | One-command install (Vercel Labs) | | [awesome-claude-code](https://github.com/hesreallyhim/awesome-claude-code) | Curation | Resource discovery | | [awesome-claude-skills](https://github.com/BehiSecc/awesome-claude-skills) | Skills taxonomy | 62 skills across 12 categories | -| [awesome-claude-md](https://github.com/josix/awesome-claude-md) | CLAUDE.md examples (31★) | Annotated configs with scoring | +| [awesome-claude-md](https://github.com/josix/awesome-claude-md) | CLAUDE.md examples | Annotated configs with scoring | | [AI Coding Agents Matrix](https://coding-agents-matrix.dev) | Technical comparison | Comparing 23+ alternatives | **Community**: 🇫🇷 [Dev With AI](https://www.devw.ai/) — 1500+ devs on Slack, meetups in Paris, Bordeaux, Lyon 
@@ -363,19 +503,21 @@ Same agentic capabilities as Claude Code, but through a visual interface with no | Tool | Purpose | Maintained By | |------|---------|---------------| | [claude-code-security-review](https://github.com/anthropics/claude-code-security-review) | GitHub Action for automated security scanning | Anthropic (official) | -| This Guide's Threat DB | Intelligence layer (22 CVEs, 341 malicious skills) | Community | +| This Guide's Threat DB | Intelligence layer (18 CVEs, 341 malicious skills) | Community | **Workflow**: Use GitHub Action for automation → Consult Threat DB for threat intelligence. ### Threat Database -**22 CVE-mapped vulnerabilities** and **341 malicious skills** tracked in [`machine-readable/threat-db.yaml`](./machine-readable/threat-db.yaml): +**18 CVE-mapped vulnerabilities** and **341 malicious skills** tracked in [`machine-readable/threat-db.yaml`](./machine-readable/threat-db.yaml): | Threat Category | Count | Examples | |----------------|-------|----------| -| **Prompt Injection** | 14 CVEs | Indirect injection (CVE-2024-1546), context poisoning | -| **Data Exfiltration** | 5 CVEs | Training data extraction (CVE-2024-0241), secret leakage | -| **Code Injection** | 3 CVEs | Tool manipulation, workflow abuse | +| **Code/Command Injection** | 5 CVEs | CLI bypass (CVE-2025-66032), child_process exec | +| **Path Traversal & Access** | 4 CVEs | Symlink escape (CVE-2025-53109), prefix bypass | +| **RCE & Prompt Hijacking** | 4 CVEs | MCP Inspector RCE (CVE-2025-49596), session hijack | +| **SSRF & DNS Rebinding** | 4 CVEs | WebFetch SSRF (CVE-2026-24052), DNS rebinding | +| **Data Leakage** | 1 CVE | Cross-client response leak (CVE-2026-25536) | | **Malicious Skills** | 341 patterns | Unicode injection, hidden instructions, auto-execute | **Taxonomies**: 10 attack surfaces × 11 threat types × 8 impact levels 
@@ -400,7 +542,7 @@ Same agentic capabilities as Claude Code, but through a visual interface with no ### Security Hooks -**18 production hooks** (bash + PowerShell) in [`examples/hooks/`](./examples/hooks/): +**30 production hooks** (bash + PowerShell) in [`examples/hooks/`](./examples/hooks/): | Hook | Purpose | |------|---------| @@ -427,30 +569,37 @@ Same agentic capabilities as Claude Code, but through a visual interface with no ## 📖 About -
-Origins & Philosophy +This guide is the result of **6 months of daily practice** with Claude Code. The goal isn't to be exhaustive (the tool evolves too fast), but to share what works in production. -This guide is the result of several months of daily practice with Claude Code. I don't claim expertise—I'm sharing what I've learned to help peers and evangelize AI-assisted development best practices. +**What you'll find:** +- Patterns verified in production (not theory) +- Trade-off explanations (not just "here's how to do it") +- Security first (18 CVEs tracked) +- Transparency on limitations (Claude Code isn't magic) -**Philosophy**: Learning journey over reference manual. Understanding **why** before **how**. Progressive complexity — start simple, master advanced at your pace. +**What you won't find:** +- Definitive answers (tool is too new) +- Universal configs (every project is different) +- Marketing promises (zero bullshit) -**Created with Claude Code**. Community-validated through contributions and feedback. +Use this guide critically. Experiment. Share what works for you. -**Key Inspirations**: -- [Claudelog.com](https://claudelog.com/) — Excellent patterns & tutorials -- [zebbern/claude-code-guide](https://github.com/zebbern/claude-code-guide) — Comprehensive reference with security focus -- [ykdojo/claude-code-tips](https://github.com/ykdojo/claude-code-tips) — Practical productivity techniques +**Feedback welcome:** [GitHub Issues](https://github.com/FlorianBruniaux/claude-code-ultimate-guide/issues) -
+### About the Author -
-Privacy & Data +**Florian Bruniaux** — Founding Engineer @ [Méthode Aristote](https://methode-aristote.fr) (EdTech + AI). 12 years in tech (Dev → Lead → EM → VP Eng → CTO). Current focus: Rust CLI tools, MCP servers, AI developer tooling. -Claude Code sends your prompts, file contents, and MCP results to Anthropic servers. -- **Default**: 5 years retention (training enabled) | **Opt-out**: 30 days | **Enterprise**: 0 -- **Action**: [Disable training](https://claude.ai/settings/data-privacy-controls) | [Full privacy guide](./guide/data-privacy.md) +| Project | Description | Links | +|---------|-------------|-------| +| **RTK** | CLI proxy — 60-90% LLM token reduction | [GitHub](https://github.com/rtk-ai/rtk) · [Site](https://www.rtk-ai.app/) | +| **ccboard** | Real-time TUI/Web dashboard for Claude Code | [GitHub](https://github.com/FlorianBruniaux/ccboard) · [Demo](https://ccboard.bruniaux.com/) | +| **Claude Cowork Guide** | 26 business workflows for non-coders | [GitHub](https://github.com/FlorianBruniaux/claude-cowork-guide) · [Site](https://cowork.bruniaux.com/) | +| **cc-copilot-bridge** | Bridge between Claude Code & GitHub Copilot | [GitHub](https://github.com/FlorianBruniaux/cc-copilot-bridge) · [Site](https://ccbridge.bruniaux.com/) | +| **Agent Academy** | MCP server for AI agent learning | [GitHub](https://github.com/FlorianBruniaux/agent-academy) | +| **techmapper** | Tech stack mapping & visualization | [GitHub](https://github.com/FlorianBruniaux/techmapper) | -
+[GitHub](https://github.com/FlorianBruniaux) · [LinkedIn](https://www.linkedin.com/in/florian-bruniaux-43408b83/) · [Portfolio](https://florian.bruniaux.com/) --- @@ -478,13 +627,13 @@ Claude Code sends your prompts, file contents, and MCP results to Anthropic serv | **[Claude Code Releases](./guide/claude-code-releases.md)** | Official release history | 10 min |
-Examples Library (111 templates) +Examples Library (108 templates) **Agents** (6): [code-reviewer](./examples/agents/code-reviewer.md), [test-writer](./examples/agents/test-writer.md), [security-auditor](./examples/agents/security-auditor.md), [refactoring-specialist](./examples/agents/refactoring-specialist.md), [output-evaluator](./examples/agents/output-evaluator.md), [devops-sre](./examples/agents/devops-sre.md) ⭐ -**Slash Commands** (22): [/pr](./examples/commands/pr.md), [/commit](./examples/commands/commit.md), [/release-notes](./examples/commands/release-notes.md), [/diagnose](./examples/commands/diagnose.md), [/security](./examples/commands/security.md), [/security-check](./examples/commands/security-check.md) **, [/security-audit](./examples/commands/security-audit.md) **, [/update-threat-db](./examples/commands/update-threat-db.md) **, [/refactor](./examples/commands/refactor.md), [/explain](./examples/commands/explain.md), [/optimize](./examples/commands/optimize.md), [/ship](./examples/commands/ship.md)... +**Slash Commands** (23): [/pr](./examples/commands/pr.md), [/commit](./examples/commands/commit.md), [/release-notes](./examples/commands/release-notes.md), [/diagnose](./examples/commands/diagnose.md), [/security](./examples/commands/security.md), [/security-check](./examples/commands/security-check.md) **, [/security-audit](./examples/commands/security-audit.md) **, [/update-threat-db](./examples/commands/update-threat-db.md) **, [/refactor](./examples/commands/refactor.md), [/explain](./examples/commands/explain.md), [/optimize](./examples/commands/optimize.md), [/ship](./examples/commands/ship.md)... -**Security Hooks** (18): [dangerous-actions-blocker](./examples/hooks/bash/dangerous-actions-blocker.sh), [prompt-injection-detector](./examples/hooks/bash/prompt-injection-detector.sh), [unicode-injection-scanner](./examples/hooks/bash/unicode-injection-scanner.sh), [output-secrets-scanner](./examples/hooks/bash/output-secrets-scanner.sh)... 
+**Security Hooks** (31): [dangerous-actions-blocker](./examples/hooks/bash/dangerous-actions-blocker.sh), [prompt-injection-detector](./examples/hooks/bash/prompt-injection-detector.sh), [unicode-injection-scanner](./examples/hooks/bash/unicode-injection-scanner.sh), [output-secrets-scanner](./examples/hooks/bash/output-secrets-scanner.sh)... **Skills** (1): [Claudeception](https://github.com/blader/Claudeception) — Meta-skill that auto-generates skills from session discoveries ⭐ @@ -501,7 +650,7 @@ Claude Code sends your prompts, file contents, and MCP results to Anthropic serv
-Knowledge Quiz (257 questions) +Knowledge Quiz (264 questions) Test your Claude Code knowledge with an interactive CLI quiz covering all guide sections. @@ -516,7 +665,7 @@ cd quiz && npm install && npm start
-Resource Evaluations (55 assessments) +Resource Evaluations (67 assessments) Systematic evaluation of external resources (tools, methodologies, articles) before integration into the guide. @@ -578,19 +727,25 @@ See [CONTRIBUTING.md](./CONTRIBUTING.md) for guidelines. - **Evaluation**: [`docs/resource-evaluations/anthropic-2026-agentic-coding-trends.md`](docs/resource-evaluations/anthropic-2026-agentic-coding-trends.md) (score 4/5) - **Integration**: Diffused across sections 9.17 (Multi-Instance ROI), 9.20 (Agent Teams adoption), 9.11 (Enterprise Anti-Patterns), Section 9 intro +- **[Outcome Engineering — o16g Manifesto](https://o16g.com/)** (Cory Ondrejka, Feb 2026) + - 16 principles for shifting from "software engineering" to "outcome engineering" + - Author: CTO Onebrief, co-creator Second Life, ex-VP Google/Meta + - Cultural positioning: numeronym naming (o16g like i18n, k8s), Honeycomb endorsement + - **Status**: Emerging — on [watch list](./docs/resource-evaluations/watch-list.md) for community adoption tracking + ### Community Resources -- [everything-claude-code](https://github.com/affaan-m/everything-claude-code) — Production configs (31.9k⭐) +- [everything-claude-code](https://github.com/affaan-m/everything-claude-code) — Production configs (45k+⭐) - [awesome-claude-code](https://github.com/hesreallyhim/awesome-claude-code) — Curated links - [SuperClaude Framework](https://github.com/SuperClaude-Org/SuperClaude_Framework) — Behavioral modes ### Tools - [Ask Zread](https://zread.ai/FlorianBruniaux/claude-code-ultimate-guide) — Ask questions about this guide -- [Interactive Quiz](./quiz/) — 257 questions +- [Interactive Quiz](./quiz/) — 264 questions - [Landing Site](https://florianbruniaux.github.io/claude-code-ultimate-guide-landing/) — Visual navigation --- -*Version 3.27.0 | Updated daily · Feb 12, 2026 | Crafted with Claude* +*Version 3.27.1 | Updated daily · Feb 15, 2026 | Crafted with Claude*
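Review bot: The README hunk that adds "About the Author" also deletes the whole "Privacy & Data" block (the statement that Claude Code sends prompts, file contents, and MCP results to Anthropic servers, the retention figures, and the links to the training opt-out and `./guide/data-privacy.md`), and the commit message does not list that removal. Nothing in the visible part of the diff re-adds it, so please confirm the block was moved rather than dropped. If it was dropped, keep at least a one-line pointer to `./guide/data-privacy.md` next to the new "Security first (18 CVEs tracked)" bullet, and record the removal under "Changed" in the commit message.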
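Review bot: In the Examples Library hunk, `**Security Hooks** (18)` becomes `**Security Hooks** (31)`, but the commit message gives the hook change as 30 → 31, and the three hook templates it adds (rtk-baseline, session-summary, session-summary-config) do not read as security hooks. The 31 looks like the total hook count placed under a label that covers only security hooks. Either rename the label to "Hooks (31)" or keep a security-only count here, and reconcile the old value, which is 18 in this line and 30 in the message.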
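Review bot: The hand-edited counts in this file disagree with the commit message and are duplicated: the template count removed in the Examples Library heading is 111 while the message cites 120/123 as the stale values, and the quiz count is changed separately in the `Knowledge Quiz (264 questions)` heading and in the Interactive Quiz entry of the Tools list. For a commit whose purpose is fact-checking, state in the message which file each old number came from, and consider deriving these figures from a single source (for example `machine-readable/reference.yaml`, if it carries them) or adding a check that fails when the README copies drift apart.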