{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreihdplkkcef6xzosaif6aazbx5rmmxcwjldfpp6rq2nsjawsldw45e",
"uri": "at://did:plc:sgnbp3iisuckzdcnqv6ygsnp/app.bsky.feed.post/3ml4ewfgydbq2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreieeckcoltv3ue3qdwf2dayv4dfytn4xq3ygy5qtezeoujn75iajky"
},
"mimeType": "image/jpeg",
"size": 337993
},
"description": "The opinionated guide to running Claude Code well. CLAUDE.md, skills, subagents, hooks, and the workflows that produce quality code for engineers, QA, and security teams.",
"path": "/claude-code-for-engineers-a-practitioners-playbook-for-software-qa-and-security-teams/",
"publishedAt": "2026-05-05T14:18:24.000Z",
"site": "https://guptadeepak.com",
"tags": [
"the evolution of software development from machine code to AI orchestration",
"the identity crisis this is creating",
"authentication implementation patterns",
"github.com/anthropics/skills",
"awesome-claude-skills",
"MCP architecture in depth elsewhere",
"obra/superpowers",
"awesome-claude-code",
"identity and access management challenge",
"Claude Code Security Review GitHub Action",
"Anthropic's documentation on automated security reviews",
"github.com/trailofbits/skills",
"github.com/snyk-labs",
"top Claude Skills for cybersecurity",
"analysis of the developer CIAM landscape",
"cybersecurity tag on this site",
"ebooks library",
"evolution from machine code to AI orchestration",
"The Identity Crisis No One's Talking About: AI Agents and Vibe Coding",
"MCP: A Comprehensive Guide to Extending AI Capabilities",
"The Complete Guide to Authentication Implementation for Modern Applications",
"Top 10 CIAM Solutions: Secure Customer Access at Scale",
"Cybersecurity articles archive",
"Free practical ebooks on AI, security, and identity",
"Claude Code documentation",
"Anthropic Skills repository",
"Awesome Claude Code curated list",
"Superpowers plugin marketplace"
],
"textContent": "Most engineers I talk to are using Claude Code at maybe ten percent of what it can do. They open a terminal, type a request, accept whatever comes back, and call it productive. It is not productive. It is autocomplete with extra steps.\n\nThe teams getting real returns are doing something different. They have turned Claude Code into a system. A `CLAUDE.md` that anchors every session. Skills that encode their conventions. Subagents that handle review. Hooks that enforce quality on every edit. MCP servers that connect their actual tooling. The result is not a chatbot helping with code. It is an engineer that already knows how the codebase works, what the team's standards are, and what verification looks like before anything ships.\n\nThis piece is the playbook I wish someone had handed me twelve months ago. It works for software engineers shipping features, QA engineers building test coverage, and security engineers reviewing code for vulnerabilities. The fundamentals are the same. The applications differ.\n\nA note on framing: this is an extension of how I think about the evolution of software development from machine code to AI orchestration. Claude Code is the current peak of that arc, and how you run it determines whether you get the productivity multiplier or the technical debt explosion.\n\n## Why this matters more than people think\n\nThe numbers are uncomfortable. Research shows AI-generated code contains roughly 2.7 times more vulnerabilities than human-written code, and only about 55 percent of AI-generated code meets basic security standards. The Lovable platform shipped 170 vulnerable applications out of 1,645 built on it, a 10 percent failure rate. GitHub Copilot repositories leak secrets 40 percent more often than non-Copilot ones. I have written about the identity crisis this is creating, and the data has not improved since.\n\nThis is not an argument against AI coding tools. It is an argument for using them with discipline. Claude Code, run well, gives you the speed without most of the quality and security hits. Run badly, it accelerates the production of code you will regret.\n\nThe discipline comes from understanding the platform as a system rather than as a prompt box.\n\n## Part 1: The foundations every engineer needs\n\n### The mindset shift\n\nStop thinking of Claude Code as an assistant that responds to questions. Start thinking of it as a junior engineer with infinite patience, perfect recall of public documentation, no memory between sessions, and a tendency to invent things when uncertain. Your job is to give that engineer the context, conventions, and verification loops it needs to do good work.\n\nThat framing changes everything downstream. You stop typing prompts and start designing workflows.\n\n### Context window management is the master skill\n\nAlmost every Claude Code best practice traces back to one constraint: the context window fills up fast, and quality degrades as it fills. Anthropic's own documentation makes this point explicit. Experienced users keep working context under 30 to 40 percent of capacity for serious tasks, and they reset aggressively when switching tasks.\n\nThe practical implications:\n\n * Use `/clear` between unrelated tasks. Do not let one session accumulate context from three different problems.\n * Use `/compact` mid-task when the session is getting long but you want momentum.\n * Use `/rewind` (double-Esc) when a fix went sideways. Leaving the failed attempt plus your correction in context makes the next response worse, not better.\n * Use `claude --resume` and `claude --continue` to return to specific sessions for follow-up rather than reopening fresh ones.\n\n\n\nTreat your context like a workspace. A messy desk slows you down. A messy context window slows Claude Code down even more, because it has no instinct to ignore the clutter.\n\n### CLAUDE.md is the highest-impact file in your repo\n\nRun `/init` in any project. It generates a starter `CLAUDE.md` based on your build system, test framework, and code patterns. Then refine it. Aggressively.\n\nA good `CLAUDE.md` includes:\n\n * Stack and language versions, including non-obvious ones\n * Build, test, lint, and typecheck commands\n * Code style rules that diverge from defaults (no default exports, strict TypeScript, specific import order)\n * Architectural conventions (where business logic lives, where API handlers live, how errors propagate)\n * Things that look inviting but are traps (deprecated modules, the one file no one touches without a migration)\n * Commit message format and PR conventions\n\n\n\nAnthropic's internal data infrastructure team has been explicit that the better your `CLAUDE.md`, the better Claude Code performs at routine tasks. The file is read at the start of every session. It is the only persistent context Claude Code has about your project.\n\nFor a monorepo, you can put `CLAUDE.md` files inside subdirectories. When Claude Code works on files in `packages/auth/`, it picks up the local `CLAUDE.md` in addition to the root one. This matters more than people think, because authentication code has different rules than presentation code, and the authentication implementation patterns you would document for one are nearly opposite for the other.\n\n## Part 2: The full Claude Code toolkit\n\nClaude Code has six extension primitives. Knowing which to reach for and when is what separates power users from dabblers.\n\n### Slash commands\n\nSlash commands are saved prompts you invoke by typing `/command-name`. Project-level commands live in `.claude/commands/`, personal ones in `~/.claude/commands/`. They are now being merged into skills, but the legacy format still works.\n\nUse slash commands for short, repeatable prompts that you find yourself typing constantly. A `/review-pr 142` command that fetches the diff and runs a structured review beats retyping the same prompt every time.\n\nA useful built-in set: `/clear`, `/compact`, `/context`, `/rewind`, `/hooks`, `/permissions`, `/security-review`. Type `/` in Claude Code to see the full list.\n\n### Skills\n\nSkills are folders containing a `SKILL.md` file with YAML frontmatter and markdown instructions. Claude loads them dynamically when the task matches the skill's description. They are the most powerful extension primitive for encoding your team's expertise.\n\nThe structure:\n\n\n my-skill/\n ├── SKILL.md (required)\n ├── references/ (deeper docs loaded on demand)\n ├── scripts/ (executable code)\n └── assets/ (templates, fonts, brand files)\n\n\nThe single most important rule: write a \"pushy\" description. Claude tends to under-trigger skills when descriptions are vague. Spell out the trigger conditions explicitly, including adjacent terms users might say. \"Helps with database queries\" will not fire. \"Use whenever the user mentions SQL, query optimization, slow queries, ORM issues, or database performance, even if they do not explicitly ask for query analysis\" will.\n\nOther rules that matter:\n\n * One skill, one job. Mega-skills score lower on accuracy.\n * Keep `SKILL.md` under 500 lines. Push deep references into separate files in `references/` so they only load when needed.\n * Test by running representative prompts and watching whether Claude triggers the skill without nudging.\n\n\n\nStart with the official Anthropic skills repo at github.com/anthropics/skills and the curated awesome-claude-skills list. The `obra/superpowers` library is also worth installing for its battle-tested patterns around TDD, debugging, and collaboration.\n\n### Subagents\n\nSubagents are specialized Claude instances with their own context, system prompt, and tool permissions. Defined in `.claude/agents/` (project) or `~/.claude/agents/` (personal) as markdown files with YAML frontmatter.\n\n\n ---\n name: security-reviewer\n description: Senior security engineer. Use proactively after changes to auth, session handling, or data flows.\n tools: Read, Grep, Glob, Bash\n model: opus\n ---\n\n You are a senior security engineer. Analyze for OWASP Top 10 vulnerabilities, hardcoded secrets,\n broken access controls, and injection paths. Report findings with severity and remediation.\n\n\nThe big idea: a subagent's context is separate from your main session. You can spawn one to do a deep code audit, get back a clean summary, and keep your main context unpolluted. Up to ten can run in parallel.\n\nThere is a real debate about whether custom subagents are worth the maintenance overhead. Some senior engineers prefer letting the main agent dynamically delegate to copies of itself via the built-in `Task(...)` feature, since custom subagents force human-defined workflows that may not be optimal. My own take: use custom subagents for genuinely specialized work where the system prompt matters (security review, accessibility audit, performance profiling). Use the dynamic `Task` pattern for general delegation.\n\n### Hooks\n\nHooks are shell commands Claude Code runs automatically on lifecycle events. Configured in `.claude/settings.json`. The most useful events:\n\n * `PostToolUse` after Edit or Write, to run formatters, linters, and typecheckers\n * `PreCompact` and `PostCompact` for handling context resets\n * `Stop` when a turn ends, useful for build verification\n\n\n\nA common pattern:\n\n\n {\n \"hooks\": {\n \"PostToolUse\": [\n {\n \"matcher\": \"Edit|Write\",\n \"hooks\": [\n { \"type\": \"command\", \"command\": \"npx prettier --write $CLAUDE_FILE_PATH || true\" }\n ]\n }\n ]\n }\n }\n\n\nThat single hook keeps your codebase formatted without Claude Code spending tokens on it. Extend the pattern for typecheck, lint, and test runs. Be careful though: aggressive hooks can consume context if they run on every edit during a long session. Some teams report 160k tokens consumed in three rounds of automatic formatting. Tune accordingly.\n\n### MCP servers\n\nMCP (Model Context Protocol) is the standard for connecting Claude Code to external services. I have covered MCP architecture in depth elsewhere, but the practical summary is this: instead of giving Claude Code raw CLI access to sensitive systems, you give it an MCP server that exposes scoped, logged operations.\n\nCommon MCP servers to install:\n\n * GitHub or GitLab for PR and issue workflows\n * Linear, Jira, or Asana for ticket management\n * Sentry for error tracking and root-cause analysis\n * A browser automation server (Playwright, Puppeteer) for UI testing\n * Your test management tool (TestCollab, Xray) for QA workflows\n * Internal databases via a read-only MCP wrapper\n\n\n\nThe Anthropic data infrastructure team specifically recommends MCP servers over raw CLI access for sensitive data. Better access scoping. Better logging. Better blast radius control.\n\nInstall with `claude mcp add <name> <command>`. List with `claude mcp list`. Remove with `claude mcp remove <name>`.\n\n### Plugins and \"superpowers\"\n\nPlugins bundle slash commands, skills, agents, and hooks into installable packages. Anthropic maintains an official marketplace, and the community has built impressive collections.\n\nThe two I would install on day one:\n\n * The official Anthropic plugins marketplace, accessed via `/plugin`\n * obra/superpowers, which adds 20-plus battle-tested skills and slash commands like `/brainstorm`, `/write-plan`, and `/execute-plan`. Install with `/plugin marketplace add obra/superpowers-marketplace`.\n\n\n\nFor exploration, the awesome-claude-code repo is the best curated index of skills, hooks, agents, and plugins out there.\n\n## Part 3: The shortcuts that compound\n\nSmall habits, big returns:\n\n * **Plan mode first.** For anything beyond a trivial fix, use plan mode (or just say \"plan first, do not implement yet\"). Review the plan. Push back on assumptions. Then execute. The planning step is cheap. A wrong implementation buried 200 lines deep is expensive.\n * **Pipe data in.** Instead of pasting an error log, run `cat error.log | claude`. For large files, this saves you from copy-paste truncation.\n * **Allowlist your domains.** Use `/permissions` to add the documentation sites and APIs you query often. Stops the permission interrupts.\n * **Use git worktrees for parallel work.** `git worktree add ../myapp-review -b review/cleanup` gives you a separate directory and branch. Spin up a second Claude Code session there. Full isolation, no branch-switching collisions.\n * **Commit per logical step.** Tell Claude Code in your `CLAUDE.md` to commit after each meaningful change. Cleaner history, cheaper rewinds, easier reviews.\n * **Use`/security-review` before merges.** It is built in. Free. Run it on your branch before opening a PR. Details below in the security section.\n * **Adversarial review pattern.** \"Grill me on these changes. Do not approve until I can defend the design.\" Or spin up a fresh session as a staff-engineer reviewer. Fresh context catches what the implementer missed.\n\n\n\n## Part 4: For software engineers shipping features\n\nThe core workflow looks like this:\n\n 1. **Specify in writing.** A paragraph in plain English. Not a one-line prompt. Include the user-visible behavior, the constraints, and what \"done\" means. Ambiguity in your input becomes wasted tokens and rework.\n 2. **Plan before coding.** Have Claude Code produce a step-by-step plan. Read it. Push back on the parts that look wrong. The plan is your contract.\n 3. **Implement in chunks.** Let Claude execute one logical step at a time, with commits between steps. This makes it trivial to rewind to the last good state.\n 4. **Verify continuously.** Tests, typecheck, lint after every change. If you have hooks, this happens automatically. If not, ask Claude to run them.\n 5. **Refactor at the end.** Once it works, ask Claude to clean up. \"Knowing what you know now, scrap this and implement the elegant solution\" is a remarkably effective prompt for the second pass.\n\n\n\nA few things that separate the engineers who get good output from the ones who do not:\n\n * They treat Claude Code like a senior engineer they are pair-programming with, not like a code generator. They explain why, not just what.\n * They challenge confident-sounding output. Confidence is not correctness. Ask \"prove to me this works\" or have Claude diff between branches and explain the changes.\n * They paste in actual data. Real error messages. Real stack traces. Real failing test output. Not their summary of the problem.\n * They keep CLAUDE.md current. Every time they fix something Claude got wrong, they update CLAUDE.md so it does not happen again.\n\n\n\nFor frontend work specifically, the screenshot loop is non-obvious but powerful: paste in a design mock, let Claude implement, screenshot the result, ask Claude to compare to the mock and iterate. Anthropic's own documentation notes that two to three iterations typically take you from \"decent\" to \"good.\"\n\n## Part 5: For QA engineers\n\nQA is one of the highest-payoff applications for Claude Code, mostly because the work has been historically tedious. Reading code to write test cases. Maintaining test cases when code changes. Generating synthetic data. Writing assertions for edge cases nobody documented. Claude Code handles all of this.\n\n### Test case generation\n\nA simple pattern: point Claude Code at a feature module and ask it to generate test cases covering happy path, error paths, edge cases, and boundary conditions. With an MCP server like TestCollab connected, the test cases land directly in your test management tool, organized into suites with priority and tags.\n\nBe specific in your prompts. \"Generate test cases for the authentication module covering login, logout, password reset, session timeout, and concurrent session handling. Include negative paths for invalid credentials, expired tokens, and rate limiting\" produces something useful. \"Generate tests\" produces something generic.\n\nReview in batches. Generate five to ten test cases, review them, give feedback, then continue. This calibrates Claude Code to your team's expectations and your domain language.\n\n### Test code generation\n\nFor unit and integration tests, the writer-reviewer pattern works well. Have one Claude session write tests against the spec. Have a fresh Claude session write the implementation. The fresh context keeps the implementer honest because it cannot lean on assumptions about how the tests are structured.\n\nFor end-to-end tests, the YAML-spec pattern that tools like Shiplight popularize is worth understanding. Tests expressed as user intent rather than DOM selectors survive refactors. \"Click the Get Started button\" is brittle. \"Submit the signup form with a valid email\" is durable.\n\n### Exploratory testing\n\nThis is where Claude Code surprises people. With a Playwright MCP server connected, Claude Code can drive a real browser, navigate your app, interact with elements, and observe results, all guided by your natural-language exploration. You describe what you want to probe (\"test the onboarding flow with various invalid inputs and weird Unicode in the name field\"), Claude Code executes, and you get a structured report of what it found.\n\nThis is not a replacement for a senior QA engineer's intuition. It is a force multiplier for it.\n\n### Risk-based test planning\n\nThe pattern that separates good QA from great QA is risk-based test planning: focusing test effort where the impact of a defect is highest. Claude Code can analyze a PR diff, identify which modules and dependencies are affected, and propose a focused test plan. With a `CLAUDE.md` that documents your high-risk areas (payment flows, authentication, data export), this becomes systematic rather than ad hoc.\n\nOpenObserve documented their \"Council of Sub Agents\" approach where eight specialized Claude Code subagents handle their full E2E pipeline. Feature analysis dropped from 45 to 60 minutes down to 5 to 10 minutes. Test coverage went from 380 tests to over 700. Flaky tests dropped 85 percent. The Council architecture is worth studying as a reference for what serious QA automation with Claude Code looks like.\n\n### What stays human\n\nStrategy. Test prioritization in ambiguous cases. User behavior intuition. Release decisions. Security and compliance judgment calls. Anything where domain context overrides what the code seems to do.\n\nThe right framing: Claude Code does not make QA engineers obsolete. It eliminates the tedious 70 percent of the job and lets QA engineers focus on the 30 percent that actually requires their expertise.\n\n## Part 6: For security engineers\n\nThis is the section I have the most to say about, because the security implications of AI-assisted coding are exactly the kind of identity and access management challenge I have been working on for the past decade.\n\n### The built-in security review command\n\nRun `/security-review` in any Claude Code session. It analyzes your changes for SQL injection, XSS, auth flaws, insecure data handling, hardcoded secrets, and dependency vulnerabilities. It is on by default, free, and surprisingly good. Anthropic used the underlying capability to find over 500 vulnerabilities in production open-source codebases that human reviewers and traditional SAST tools had missed, in some cases for decades.\n\nThe review is not a replacement for a real AppSec program. It is a first line of defense that catches the obvious stuff before it reaches CI.\n\n### The GitHub Action for PR-level review\n\nFor organizations, the Claude Code Security Review GitHub Action runs on every pull request, posts findings as inline comments, and filters false positives more aggressively than rule-based SAST. Add it to `.github/workflows/security.yml`:\n\n\n name: Security Review\n permissions:\n pull-requests: write\n contents: read\n on:\n pull_request:\n jobs:\n security:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n with:\n ref: ${{ github.event.pull_request.head.sha || github.sha }}\n fetch-depth: 2\n - uses: anthropics/claude-code-security-review@main\n with:\n comment-pr: true\n claude-api-key: ${{ secrets.CLAUDE_API_KEY }}\n\n\nAnthropic's documentation on automated security reviews covers configuration in depth.\n\n### Where AI security review wins\n\nTraditional SAST tools catch syntactic vulnerabilities through pattern matching: concatenated SQL, recognizable XSS sinks, known credential formats. They struggle with semantic flaws because pattern scanners cannot reason about whether authorization logic is correct. They can only check whether something that looks like an authorization check exists.\n\nClaude reasons about whether the controls actually enforce the intended policy. That difference is large. It catches:\n\n * Race conditions and time-of-check-time-of-use bugs\n * Authorization logic errors where the check exists but is wrong\n * Trust boundary violations across services\n * Missing validation on critical paths\n * Insecure default behaviors\n * Subtle logic flaws in business rules\n\n\n\nThe NIST data on traditional SAST tools shows false positive rates above 68 percent in some languages. Claude Code's adversarial verification pass (where it challenges its own findings before reporting them) drives that number down considerably.\n\n### Where it does not replace existing tooling\n\nClaude Code Security is fundamentally code-centric. It operates at the source layer. It does not analyze:\n\n * Compiled binaries or container images\n * Third-party installers and commercial software packages\n * Runtime behavior or actual exploit conditions (DAST)\n * Software supply chain risks beyond declared dependencies\n * AI infrastructure security (the models, agents, and MCP servers themselves)\n\n\n\nYou still need DAST, SCA, container scanning, runtime protection, and a real AppSec program. Claude Code Security is a smart evolution of SAST, not a replacement for the broader stack. Snyk's analysis on this point is honest: you cannot scan your way out of a problem that AI tools are simultaneously creating.\n\n### A security-engineer-grade subagent\n\nFor repeated review work, define a security subagent in `.claude/agents/security-reviewer.md`:\n\n\n ---\n name: security-reviewer\n description: Senior security engineer specializing in OWASP Top 10, auth/identity flaws, and supply-chain risks. Use proactively after any changes to authentication, authorization, session handling, data validation, or third-party integrations.\n tools: Read, Grep, Glob, Bash\n model: opus\n permissionMode: plan\n ---\n\n You are a senior security engineer with deep expertise in:\n - OWASP Top 10 (2021) and OWASP API Top 10\n - OAuth 2.0, OIDC, SAML, and modern auth flows\n - Identity and access management (IAM, CIAM, NHIs)\n - Session management and token handling\n - Cryptographic primitives and common misuse patterns\n - Supply chain security and dependency analysis\n\n For every review:\n 1. Map the attack surface introduced by the change\n 2. Trace data flows from untrusted inputs to sensitive operations\n 3. Verify authentication and authorization checks on every privileged path\n 4. Check for hardcoded secrets, weak crypto, and unsafe defaults\n 5. Report findings with: severity (Critical/High/Medium/Low/Info),\n exact file and line, explanation of impact, and remediation steps\n 6. Be honest about uncertainty. Flag suspicious patterns even when not definitively exploitable.\n\n\nTrigger it with \"have the security-reviewer agent audit my last commit\" or set it to run proactively via hooks.\n\n### Skills for security work\n\nThe community has produced strong security skills. A few worth installing:\n\n * **Trail of Bits skills repository** at github.com/trailofbits/skills covers CodeQL pipeline automation, insecure-defaults detection, and SARIF processing. This is the gold standard for security-focused Claude skills.\n * **Snyk's official skills** at github.com/snyk-labs include `snyk-fix` for automated vulnerability remediation across SAST and SCA findings, plus a `snyk-learning-path` skill that builds repo-specific security training.\n * **YARA rule writing skills** for SOC and detection engineering work.\n\n\n\nFor a broader inventory, Snyk's recent roundup of top Claude Skills for cybersecurity is a good starting point.\n\n### The harder problem: securing AI-generated code at scale\n\nEven with all of this in place, the systemic risk remains: developers using Claude Code at speed are creating code faster than any security review process can keep up with. The numbers from earlier in this piece are not theoretical. They describe what is shipping right now.\n\nMitigating this requires more than tooling. It requires:\n\n * **Mandatory`CLAUDE.md` security rules** in every repo. Claude Code obeys these. If you tell it \"never log raw tokens, never accept user input into shell commands, always use parameterized queries,\" it complies far more reliably than a developer reviewing AI output by eye.\n * **Hooks that block on security issues.** Pre-commit hooks running secret scanners, dependency checks, and the security review can stop the worst issues before they hit the repo.\n * **Separation of concerns for sensitive operations.** Authentication, authorization, encryption, and PII handling should live behind tested libraries (or proven CIAM platforms; my analysis of the developer CIAM landscape covers the options) rather than being implemented inline by AI assistants.\n * **Mandatory human review for security-sensitive paths.** Auth, payments, data export, admin functions. Non-negotiable, regardless of how confident the AI seems.\n\n\n\nFor deeper coverage of these topics, the cybersecurity tag on this site and the practical guides in the ebooks library go into the architectural patterns in detail.\n\n## Part 7: The anti-patterns that ruin everything\n\nThings I see teams do that destroy their Claude Code productivity:\n\n * **Letting context bloat.** A session that has been thrashing on a problem will keep thrashing. `/rewind` or `/clear` and restart with a sharper prompt. Every time.\n * **Skipping plans on non-trivial work.** Asking for an implementation cold produces an implementation. Asking for a plan first produces understanding. Then the implementation.\n * **Trusting confident output.** Confidence is not correctness. The model is happy to invent function signatures, library APIs, and security properties. Verify with execution, not by reading.\n * **Using Claude Code to write security-sensitive code without expert review.** The 45 percent vulnerability rate in vibe-coded apps is not exaggeration. It is the baseline.\n * **Ignoring`CLAUDE.md` until you need it.** Build the file gradually but build it from day one. Every fix that exposed a hidden assumption belongs in `CLAUDE.md` so it does not happen again.\n * **Running raw CLI for sensitive systems instead of MCP.** No logging, no scoping, no audit trail. MCP exists for a reason.\n * **Mega-skills.** A skill that tries to do five things does five things badly. Split them.\n\n\n\n## Frequently asked questions\n\n**Is Claude Code safe to use on production code?**\n\nYes, with the right discipline. Treat AI-generated code as needing the same review as code from a junior engineer: tests must pass, security review must run, sensitive paths must have human eyes on them. The risk is not the AI. The risk is bypassing your own quality gates because the AI sounded confident.\n\n**How is Claude Code different from GitHub Copilot or Cursor?**\n\nCopilot is autocomplete inside your IDE. Cursor is an IDE built around AI. Claude Code is an agentic command-line tool that reads files, runs commands, makes changes autonomously, and connects to external services via MCP. The fundamental difference is autonomy: Claude Code can complete multi-step tasks while you watch, redirect, or step away. Copilot and Cursor are still primarily about completion at the cursor.\n\n**Do I need to be a senior engineer to use Claude Code well?**\n\nNo, but you do need to verify what you accept. Junior engineers using Claude Code without verification ship more bugs faster. Junior engineers using Claude Code with disciplined verification (tests, security review, code review) often outperform mid-level engineers without these tools. The tool amplifies whatever discipline you bring to it.\n\n**What is the difference between a slash command, a skill, and a subagent?**\n\nA slash command is a saved prompt you invoke explicitly. A skill is a set of instructions Claude can auto-load when the task matches. A subagent is an entirely separate Claude session with its own context, system prompt, and tool permissions. Use slash commands for shortcuts, skills for reusable expertise, and subagents for isolated work that should not pollute your main context.\n\n**Can Claude Code replace my SAST tools?**\n\nNo, and Anthropic does not claim this. Claude Code Security is an evolution of SAST that catches semantic and logic flaws traditional tools miss. It does not replace DAST, SCA, container scanning, or runtime protection. Use it as a complement.\n\n**How do I prevent secrets from leaking in AI-generated code?**\n\nThree layers. First, a `CLAUDE.md` rule prohibiting hardcoded credentials. Second, a pre-commit hook running a secret scanner like Gitleaks or TruffleHog. Third, a security review (manual or via the GitHub Action) before merge. Never rely on a single layer.\n\n**What is the right team size for adopting Claude Code seriously?**\n\nIt scales from solo developer to large enterprise. The investment in `CLAUDE.md`, skills, and hooks pays back fastest at team size five to fifty, where you have enough people for shared conventions to matter but not so many that change management becomes its own problem.\n\n**Where should I start?**\n\nRun `/init` in your main repo. Refine the generated `CLAUDE.md` for one week. Add one hook (a formatter is fine). Install one plugin (`obra/superpowers` is a strong default). Use `/security-review` before every merge. That alone puts you ahead of most teams.\n\n## The closing thought\n\nThe teams that win with Claude Code are not the ones with the cleverest prompts. They are the ones who built a system. CLAUDE.md as the constitution. Skills as the conventions. Subagents for the specialized work. Hooks for the verification. MCP for the integrations. And underneath all of it, the engineering discipline that says no code ships without verification, regardless of how it was written.\n\nThe shift from coding to orchestrating engineers (real and AI) is the same shift I described in the evolution from machine code to AI orchestration. The engineers who treat it as a discipline rather than a shortcut are the ones who will compound their advantage. The ones treating it as a magic prompt box are quietly accumulating technical debt at unprecedented speed.\n\nYou decide which side of that curve you want to be on.\n\n* * *\n\n**Further reading on related topics:**\n\n * The Identity Crisis No One's Talking About: AI Agents and Vibe Coding\n * MCP: A Comprehensive Guide to Extending AI Capabilities\n * The Complete Guide to Authentication Implementation for Modern Applications\n * Top 10 CIAM Solutions: Secure Customer Access at Scale\n * Cybersecurity articles archive\n * Free practical ebooks on AI, security, and identity\n\n\n\n**Official references:**\n\n * Claude Code documentation\n * Claude Code Security Review GitHub Action\n * Anthropic Skills repository\n * Awesome Claude Code curated list\n * Superpowers plugin marketplace\n\n",
"title": "Claude Code for Engineers: A Practitioner's Playbook for Software, QA, and Security Teams",
"updatedAt": "2026-05-05T14:18:24.641Z"
}