Maximize effectiveness with proven patterns for security, context management, and choosing the right tools.
Claude Code provides multiple layers of protection, each serving a different purpose. Understanding when to use each layer helps you build robust workflows.
Key Insight: Guidance vs Enforcement
Behavioral guidance (CLAUDE.md) tells Claude what to do; it follows these rules as best practice, but they can be overridden by context. Deterministic enforcement (hooks) runs code regardless of what Claude thinks: if the hook exits with code 2, the operation is blocked.
Instructions loaded with each session that Claude follows as best practice
Code that executes at lifecycle points regardless of Claude's interpretation
System-level restrictions that prevent specific actions entirely
```markdown
# Security Rules
Never read, modify, or reference these files:
- .env files (contain secrets)
- credentials.json
- Any file matching *secret*
```
Claude will avoid these files in most cases, but this is guidance, not enforcement: strong user prompting, or instructions embedded in content Claude reads, can override it.
```bash
#!/bin/bash
# PreToolUse hook - blocks access to sensitive files.
# Claude Code passes the tool call as JSON on stdin; file tools carry the
# target in .tool_input.file_path.
TARGET=$(jq -r '.tool_input.file_path // empty')
case "$TARGET" in
  *.env*|*credentials*|*secret*)
    echo "Blocked: $TARGET is protected" >&2
    exit 2  # Block the operation; stderr is fed back to Claude
    ;;
esac
exit 0  # Allow the operation
```
This hook runs regardless of prompting: exit code 2 means the file access is blocked unconditionally. Two caveats a reviewer should note. It only inspects `file_path`, so register it on the file tools (`Read`, `Edit`, `Write`); a `cat .env` issued through the `Bash` tool never reaches this check and needs a separate hook that looks at `tool_input.command`. It also matches the raw string, not a resolved path, so it is only as good as the glob: `../.env` is caught because the pattern is a substring match, but a symlink with an innocuous name is not.
Claude's effectiveness depends heavily on context quality. Managing conversation context well leads to better results and fewer errors.
Start fresh conversations for unrelated tasks. Mixing context from different features or bugs can lead to confusion and errors.
Clear context when switching focus within a conversation, or when Claude seems to be referencing outdated information.
Subagents run with fresh context. Use them for independent tasks like security reviews or documentation that shouldn't be influenced by main conversation context.
Signs you need a fresh context: repeated misunderstandings, referencing deleted code, or confusion between similar concepts.
When to Start Fresh
If Claude keeps referencing code you've deleted, mixes up similar variable names, or seems confused about your current goal, it's time for a fresh conversation or /clear.
Not sure whether to create a command, skill, or hook? Use this guide to pick the right component for your use case.
| When You Need... | Use |
|---|---|
| Project-specific instructions | CLAUDE.md |
| Reusable workflow across projects | Skill |
| User-triggered automation | Command |
| External API/service access | MCP Server |
| Deterministic enforcement | Hook |
| Code intelligence features | LSP Server |
Start Simple
Begin with CLAUDE.md for project rules—it requires no plugin setup. Only create a plugin when you need to share functionality across projects or with teammates.
Use hooks to enforce security policies before sensitive operations. This pattern ensures compliance regardless of how Claude interprets the task.
```json
{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Bash",
      "hooks": [{
        "type": "command",
        "command": "./hooks/validate-command.sh"
      }]
    }]
  }
}
```
The `matcher` names the tool (here `Bash`), so the script receives every shell command before it runs and can veto it with exit code 2. Run automated checks before commits or deployments. Combine with subagents for intelligent review when needed.
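The script behind a config like this makes its decision from the JSON event on stdin. The hook below is an added example written for this page, not code from Claude Code or its documentation; it is in Python because the event is JSON and Claude Code runs any executable as a hook command. It closes the two gaps in the file-protection hook shown earlier: it inspects `tool_input.command` for the `Bash` tool (so `cat .env` is caught, not only a `Read` of `.env`), and it resolves paths before matching, so `../../.env` and quoted spellings such as `.e'n'v` are still recognized. The protected-name list, the risky-command patterns, the script name `validate-tool.py` and the combined matcher `Read|Edit|Write|Bash` are assumptions for the example; `tool_name`, `tool_input` and `cwd` are the fields Claude Code passes to `PreToolUse` hooks.

```python
#!/usr/bin/env python3
"""PreToolUse hook that vetoes protected-file access and risky shell commands.

Added example for this page, not Claude Code's own code. Assumed wiring in
settings.json: matcher "Read|Edit|Write|Bash", command "./hooks/validate-tool.py".
Exit code 2 blocks the tool call; the stderr message is shown to Claude.
"""
from __future__ import annotations

import json
import os
import re
import shlex
import sys

# Hypothetical policy, mirroring the CLAUDE.md rules on this page.
PROTECTED_BASENAMES = {"credentials.json"}
PROTECTED_BASENAME_PREFIXES = (".env",)        # .env, .env.local, ...
PROTECTED_PATH_SUBSTRINGS = ("secret",)        # any file matching *secret*

# Illustrative shell patterns to veto outright; extend for your environment.
RISKY_COMMAND_PATTERNS = (
    re.compile(r"\brm\s+-\w*r\w*\s+/(\s|$|\*)"),          # rm -rf /
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),     # pipe a download into a shell
    re.compile(r"\bgit\s+push\b.*(--force\b|\s-f\b)"),    # force push
)


def is_protected_path(path: str, project_root: str) -> bool:
    """Resolve `path` against the project root, then apply the policy.

    Resolving first means `../.env`, `./config/.env.local` and symlinked
    copies are all judged by where they actually point.
    """
    full = os.path.realpath(os.path.join(project_root, path))
    base = os.path.basename(full)
    if base in PROTECTED_BASENAMES or base.startswith(PROTECTED_BASENAME_PREFIXES):
        return True
    return any(s in full.lower() for s in PROTECTED_PATH_SUBSTRINGS)


def shell_tokens(command: str) -> list[str]:
    """Split a command the way a shell would, so quoting cannot hide a name."""
    try:
        return shlex.split(command)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        return command.split()


def evaluate(event: dict, project_root: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one PreToolUse event payload."""
    tool = event.get("tool_name", "")
    tool_input = event.get("tool_input") or {}

    if tool == "Bash":
        command = tool_input.get("command") or ""
        for pattern in RISKY_COMMAND_PATTERNS:
            if pattern.search(command):
                return False, f"command matches risky pattern {pattern.pattern!r}"
        # Conservative: any token that resolves to a protected name blocks the
        # whole command, so `cat .env`, `cp .env /tmp` and `source .env` all fail.
        for token in shell_tokens(command):
            if is_protected_path(token, project_root):
                return False, f"command references protected file {token!r}"
        return True, ""

    # Read/Edit/Write (and any other tool whose input carries file_path)
    path = tool_input.get("file_path") or ""
    if path and is_protected_path(path, project_root):
        return False, f"{path} is protected"
    return True, ""


def main() -> int:
    event = json.load(sys.stdin)
    # Claude Code includes the working directory as `cwd` in the hook input;
    # fall back to the process cwd if it is absent.
    allowed, reason = evaluate(event, event.get("cwd") or os.getcwd())
    if not allowed:
        print(f"Blocked: {reason}", file=sys.stderr)
        return 2            # deterministic veto, whatever the prompt said
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because a hook's stderr is fed back to Claude when it exits 2, the reason strings double as corrective feedback, so keep them specific. The token scan is deliberately conservative and will reject some commands that merely mention a protected word; that is the usual cost of deny-by-default, and it is easier to widen an allow list later than to discover the bypass you left open.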
```bash
#!/bin/bash
# PreToolUse hook on "Bash": runs tests and linting before any git commit
CMD=$(jq -r '.tool_input.command // empty')
case "$CMD" in
  *"git commit"*)
    # Replace these two with the project's own test and lint commands
    npm test >&2 || { echo "Blocked: tests failed" >&2; exit 2; }
    npm run lint >&2 || { echo "Blocked: lint failed" >&2; exit 2; }
    ;;
esac
exit 0  # Allow the command
```
Create subagents with focused expertise for specific tasks. They run with fresh context, avoiding pollution from the main conversation.
```text
You are a security-focused code reviewer.
Your task is to analyze code changes for:
- SQL injection vulnerabilities
- XSS attack vectors
- Authentication/authorization issues
- Sensitive data exposure
Focus only on security concerns. Do not comment
on code style, performance, or architecture.
```
Learn more about plugin safety and trust signals, or start building your own plugins with best practices in mind.