Claude Code Developer Cheat Sheet: Setup, Commands, Agents, MCP, and Safe Automation
TL;DR
Claude Code is Anthropic’s agentic coding environment for reading a codebase, editing files, running commands, integrating with IDEs, and coordinating work across developer tools. The practical mental model is simple: Claude Code is not just a chatbot inside a terminal; it is a coding agent with filesystem access, command execution, project memory, tool permissions, hooks, subagents, and MCP connectors.
For most developers, the highest-leverage setup is:
- Install Claude Code with the native installer or with npm via advanced setup.
- Run
/initto create a project-levelCLAUDE.md. - Use
/permissionsand.claude/settings.jsonto define safe tool rules. - Learn
/plan,/clear,/compact,/context,/memory,/agents,/mcp, and/hooks. - Treat model IDs, slash commands, and installer behavior as fast-moving details; verify them against the Claude Code changelog before scripting.
The core constraint is context. A useful way to think about every long Claude Code session is:
\[C_{\text{free}} = C_{\text{window}} - C_{\text{conversation}} - C_{\text{files}} - C_{\text{tool outputs}} - C_{\text{memory}}\]When \(C_{\text{free}}\) gets small, the session becomes more error-prone. Use /compact, /clear, subagents, and targeted file references to keep the working context clean.
1. What Claude Code Is
Claude Code is an agentic coding tool that can inspect a project, edit files, run shell commands, use development tools, and help ship changes. It is available through the terminal, IDE integrations, desktop, and web surfaces.
The most important distinction is that Claude Code works inside a developer loop:
explore → plan → edit → test → review → commit
That loop is why the official best practices guide emphasizes giving Claude a verification path: tests, builds, linters, screenshots, logs, or reproducible checks.
2. Installation and Setup
Native installer
The current official docs present the native installer as the recommended path in the Claude Code overview.
# macOS, Linux, WSL
curl -fsSL https://claude.ai/install.sh | bash
# Windows PowerShell
irm https://claude.ai/install.ps1 | iex
npm install
Claude Code can also be installed globally with npm through the advanced setup guide. The npm package requires Node.js 18 or later.
npm install -g @anthropic-ai/claude-code
Important caveat: do not use sudo npm install -g. The official setup docs warn that this can cause permission and security problems. To upgrade an npm installation, use:
npm install -g @anthropic-ai/claude-code@latest
Avoid relying on npm update -g, because it may respect the old semver range and fail to move to the latest release.
Health check
Use the CLI health and version tools when something feels wrong:
claude doctor
claude update
claude --version
3. Authentication Options
Claude Code supports several authentication paths through the authentication docs:
| Path | Best for |
|---|---|
| Claude.ai subscription | Individual Pro, Max, Team, or Enterprise users |
| Anthropic Console | API-key and pay-as-you-go workflows |
| Amazon Bedrock | AWS-managed enterprise deployment |
| Google Vertex AI | GCP-managed enterprise deployment |
| Microsoft Foundry | Azure/Microsoft enterprise deployment |
For local development, the common path is signing in with a Claude.ai account. For CI, controlled automation, or cost attribution, an API-key or cloud-provider setup is often cleaner.
4. Core CLI Commands
The CLI reference lists the main commands for starting, resuming, and scripting sessions.
| Command | Purpose |
|---|---|
claude |
Start an interactive session |
claude "query" |
Start a session with an initial prompt |
claude -p "query" |
Run non-interactive print mode, then exit |
cat file \| claude -p "query" |
Pipe content into Claude Code |
claude -c |
Continue the most recent conversation in the current directory |
claude -c -p "query" |
Continue the latest session in non-interactive mode |
claude -r "<session>" "query" |
Resume a named or specific session |
claude update |
Update Claude Code |
claude install stable |
Install or reinstall a native binary |
claude mcp ... |
Manage MCP servers |
claude auth login |
Sign in from the command line |
claude plugin ... |
Manage plugins |
Example headless workflow:
claude -p "fix lint errors" \
--output-format stream-json \
--verbose \
--max-turns 5 \
--allowedTools "Bash(npm run lint:*)" "Edit"
Use headless mode when the task has a clear success condition, such as fixing lint, updating generated files, summarizing logs, or running a review pass.
5. Slash Commands You Should Actually Learn
The commands documentation describes slash commands as session-level controls for models, permissions, context, memory, agents, and workflows.
| Command | Use |
|---|---|
/help |
Show available commands |
/init |
Generate a starter CLAUDE.md |
/memory |
View and edit loaded memory files |
/permissions |
Manage tool approval rules |
/plan |
Switch into planning before edits |
/model |
View or change model |
/effort |
Adjust reasoning effort where supported |
/clear |
Clear the conversation context |
/compact |
Summarize and compress context |
/context |
Inspect context-window usage |
/agents |
Create or manage subagents |
/mcp |
Manage MCP servers and OAuth |
/hooks |
Configure lifecycle hooks |
/status |
Check account, model, version, and environment status |
/doctor |
Diagnose install/session issues |
/resume |
Resume earlier sessions |
/rewind |
Rewind to a checkpoint |
/review |
Ask for a code review |
/config |
View or update configuration |
/ide |
Connect an IDE integration |
The most productive beginner sequence is:
/init
/memory
/permissions
/plan
That sequence gives Claude project knowledge, makes memory editable, prevents unsafe tool usage, and forces a design pass before code changes.
6. CLAUDE.md and Memory
Claude Code’s memory system uses Markdown files such as CLAUDE.md to give Claude persistent project guidance. The file is not magic; it is instructions loaded into the session context.
A good CLAUDE.md should be short, specific, and operational:
# Project instructions
## Build and test
- Install dependencies with `pnpm install`.
- Run unit tests with `pnpm test`.
- Run type checks with `pnpm typecheck`.
- Run lint with `pnpm lint`.
## Code style
- Prefer small pure functions.
- Use 2-space indentation.
- Do not introduce new runtime dependencies without asking.
## Safety
- Never edit `.env`, credentials, or deployment secrets.
- Ask before running database migrations.
Bad memory is vague:
Write good code.
Be careful.
Follow best practices.
Good memory is verifiable:
Before marking a task complete, run `pnpm test` and `pnpm lint`.
Use /memory to inspect which memory files were loaded. If Claude ignores project instructions, first check whether the relevant CLAUDE.md is actually visible to the current session.
7. Settings and Permission Rules
Claude Code uses scoped settings described in the settings documentation. The main scopes are:
| Scope | Location | Shared? | Use case |
|---|---|---|---|
| Managed | IT / system policy | Yes | Organization-wide enforcement |
| User | ~/.claude/ |
No | Personal defaults across projects |
| Project | .claude/ in repo |
Yes | Team-shared repo settings |
| Local | .claude/settings.local.json |
No | Personal overrides inside one repo |
A practical .claude/settings.json:
{
"$schema": "https://json.schemastore.org/claude-code-settings.json",
"permissions": {
"allow": [
"Bash(npm run lint)",
"Bash(npm run test *)",
"Bash(git diff *)",
"Read(~/.zshrc)"
],
"ask": [
"Bash(git push *)",
"Bash(npm publish *)"
],
"deny": [
"Read(./.env)",
"Read(./.env.*)",
"Read(./secrets/**)",
"Bash(curl *)"
]
}
}
Permission rules follow the format:
Tool
Tool(specifier)
Examples:
Bash(npm run *)
Read(./.env)
WebFetch(domain:example.com)
mcp__github__get_*
The safe default is:
deny secrets → ask for deployment/destructive actions → allow repeatable local checks
8. Permission Modes
Claude Code supports several permission modes through settings and CLI flags.
| Mode | Meaning |
|---|---|
default |
Ask on first use of tools |
acceptEdits |
Auto-accept file edits, still ask for riskier actions |
plan |
Read-only planning before tool use |
auto |
Let Claude classify what can run automatically |
dontAsk |
Avoid permission prompts where possible |
bypassPermissions |
Skip prompts; dangerous outside sandboxed environments |
The dangerous shortcut is:
claude --dangerously-skip-permissions
Use it only in isolated environments such as disposable containers or controlled CI. In normal development, prefer explicit allowlists plus plan mode.
A reasonable safety formula is:
\[\text{safe autonomy} ==================== \text{least privilege} + \text{sandboxing} + \text{tests} + \text{human review}\]9. Hooks
Hooks let you run shell commands, HTTP endpoints, or prompt-based checks at specific points in Claude Code’s lifecycle.
Useful hook events include:
| Event | Typical use |
|---|---|
SessionStart |
Load environment diagnostics |
UserPromptSubmit |
Validate prompt or inject policy |
PreToolUse |
Block unsafe commands |
PostToolUse |
Format files after edits |
Stop |
Run final checks |
PreCompact |
Save state before context compression |
SessionEnd |
Export logs or cleanup |
SubagentStart / SubagentStop |
Track delegated work |
Example hook:
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "./scripts/check-command.sh"
}
]
}
]
}
}
A PreToolUse hook can block an action. This makes hooks useful for policy enforcement, but also risky: hook commands are code, so they should be reviewed like any other automation.
10. MCP: Connecting Claude Code to External Tools
Claude Code connects to external tools through Model Context Protocol. MCP servers can expose issue trackers, databases, monitoring tools, file systems, design tools, internal APIs, or SaaS connectors.
Add a local stdio server:
claude mcp add local-weather -- /path/to/weather-cli --api-key "$API_KEY"
Add an HTTP server:
claude mcp add --transport http sentry https://mcp.sentry.dev/mcp
Add from JSON:
claude mcp add-json weather-api \
'{"type":"http","url":"https://api.weather.com/mcp","headers":{"Authorization":"Bearer token"}}'
Manage servers:
claude mcp list
claude mcp get sentry
claude mcp remove sentry
Authenticate remote servers:
/mcp
or:
claude mcp login sentry
MCP is powerful because it turns Claude Code from a codebase-only tool into an environment-aware agent. It is also a prompt-injection surface. If an MCP server fetches untrusted external content, treat that content as potentially hostile.
11. Subagents
Subagents are specialized Claude Code workers that run in their own context windows. They are useful when a side task would flood the main conversation with logs, search results, or large file reads.
Use subagents for:
| Use case | Why |
|---|---|
| Code review | Keeps review findings separate from implementation |
| Debugging | Lets one agent inspect logs while another edits |
| Research | Avoids dumping long search output into the main context |
| Migration planning | Produces a scoped plan before code changes |
| Database query validation | Restricts tools and domain behavior |
| Large refactors | Delegates independent file groups |
A project subagent lives under:
.claude/agents/<name>.md
Example:
---
name: code-reviewer
description: Review code changes for correctness, maintainability, and security risks.
tools: Read, Grep, Glob, Bash(git diff *)
model: inherit
---
You are a strict code reviewer. Focus on:
- correctness bugs
- missing tests
- security issues
- brittle abstractions
- unnecessary complexity
Return findings with file paths and concrete suggested fixes.
Subagents are best when they have narrow instructions and limited tools. If the task requires direct collaboration between multiple workers, consider agent teams or separate sessions instead of a single subagent.
12. Custom Slash Commands
Custom slash commands are Markdown files stored in:
.claude/commands/
~/.claude/commands/
Example:
---
allowed-tools: Bash(git add:*), Bash(git commit:*)
description: Create a conventional commit
argument-hint: [message]
---
Stage all changes and create a conventional commit with this message:
$ARGUMENTS
Then run:
/commit fix parser edge case
Good custom commands encode repeatable workflows:
/review-pr
/write-tests
/update-changelog
/triage-issue
/refactor-module
They should not encode secrets, broad permissions, or destructive commands.
13. Recommended Workflow
The best Claude Code workflow is not “ask it to code immediately.” It is:
1. Ask Claude to inspect the relevant files.
2. Ask for a plan.
3. Approve or edit the plan.
4. Let Claude implement.
5. Run tests.
6. Ask for a review.
7. Commit only after verification.
Example prompt:
Read the auth module and the failing tests. Do not edit yet.
Explain the root cause, then propose a minimal patch plan.
Then:
Implement the plan. After editing, run the focused tests first, then the full test suite if the focused tests pass.
Then:
Review your own diff for correctness, edge cases, and unnecessary complexity.
This keeps the agent grounded and gives it a way to verify its work.
14. Context Hygiene
The official best practices emphasize that context fills quickly. Every tool output, file read, prompt, and memory item consumes budget.
Use these habits:
| Habit | Why it helps |
|---|---|
Use /clear between unrelated tasks |
Prevents stale assumptions |
Use /compact in long sessions |
Preserves useful state while reducing tokens |
Use /context |
Shows where context is going |
| Use subagents for research | Keeps noisy exploration out of the main window |
Reference specific files with @path |
Avoids broad codebase scanning |
| Ask for plans before edits | Prevents premature changes |
| Run focused tests first | Gives a fast verification loop |
A useful rule:
\[\text{agent quality} \propto \frac{\text{relevant context}}{\text{total context noise}}\]The goal is not to maximize context. The goal is to maximize relevant context density.
15. Models as of July 2026
The current Claude models overview lists the latest model family as:
| Model | Positioning |
|---|---|
| Claude Fable 5 | Most capable widely released model; long-running agents |
| Claude Opus 4.8 | Complex agentic coding and enterprise work |
| Claude Sonnet 5 | Strong speed-intelligence balance |
| Claude Haiku 4.5 | Fastest model with near-frontier intelligence |
For Claude Code, the practical selection rule is:
| Need | Start with |
|---|---|
| Hard autonomous coding | Opus |
| Everyday coding and analysis | Sonnet |
| Cheap high-volume simple work | Haiku |
| Highest available capability | Fable, where available |
Do not hard-code old model IDs unless you need pinned reproducibility. Model naming and aliases move quickly; verify against the current models overview, model IDs and versioning, and Claude Code changelog.
16. Practical Setup Checklist
For a new repository:
claude
Then inside Claude Code:
/init
/memory
/permissions
Create or review:
CLAUDE.md
.claude/settings.json
.claude/commands/
.claude/agents/
.mcp.json
Recommended project files:
CLAUDE.md # team-shared project instructions
.claude/settings.json # shared safe defaults
.claude/settings.local.json # personal overrides, gitignored
.claude/commands/review-pr.md # repeatable workflow
.claude/agents/code-reviewer.md # reusable review subagent
.mcp.json # project MCP servers, if shared
Minimum safe .gitignore check:
.claude/settings.local.json
.env
.env.*
secrets/
17. Common Gotchas
| Problem | Fix |
|---|---|
| Claude ignores project rules | Run /memory and confirm CLAUDE.md is loaded |
| Session becomes confused | Use /compact or /clear |
| Too many permission prompts | Add narrow allow rules |
| Claude edits too early | Start with /plan |
| Commands fail in headless mode | Use --allowedTools and make auth non-interactive |
| MCP server missing | Check /mcp, /status, and active auth method |
| npm install has permission errors | Avoid sudo; reinstall with the official installer or fix npm permissions |
| Risky automation | Use sandboxing, deny rules, and hooks |
| Model alias changed | Check official model docs and changelog |
18. Recommended Defaults
For most individual developers:
{
"permissions": {
"allow": [
"Bash(npm run lint)",
"Bash(npm run test *)",
"Bash(git diff *)",
"Bash(git status *)"
],
"ask": [
"Bash(git push *)",
"Bash(npm publish *)",
"Bash(docker *)"
],
"deny": [
"Read(./.env)",
"Read(./.env.*)",
"Read(./secrets/**)",
"Bash(rm -rf *)"
]
},
"defaultMode": "plan"
}
Use defaultMode: "plan" when onboarding a repo or doing risky refactors. Switch to acceptEdits only after the permission rules and test workflow are stable.
19. Bottom Line
Claude Code’s power does not come from one command or one hidden model flag. It comes from combining:
project memory
+ scoped permissions
+ repeatable commands
+ subagents
+ MCP connectors
+ hooks
+ verification loops
The winning workflow is not “let the agent do everything.” It is “give the agent enough context, enough tools, and enough constraints to safely complete a narrow task.”
If you remember one formula, use this:
\[\text{useful Claude Code session} ================================= \text{clear goal} + \text{relevant context} + \text{safe tools} + \text{fast verification}\]