Recommended stack
Install GitHub CLI, ripgrep, jq, yq, Gitleaks, Trivy, Vercel CLI, Stripe CLI, Supabase CLI, and DuckDB for serious Claude Code sessions.
AGENTS.md starter
Claude Code may run without approval:
- rg, jq, yq, duckdb SELECT-only analysis
- gh repo/pr/issue read-only commands with --json
- gitleaks/trivy/semgrep scans that only generate reports
- npm test, npm run build, and local lint checks
Claude Code must ask before:
- gh pr merge, gh issue close, release delete
- vercel deploy --prod, wrangler deploy
- stripe live-mode commands
- database migrations or writes
- editing security ignore files
- rm -rf, git push --force, or dependency upgrades
Output rules:
Prefer --json, --format json, --dry-run, --preview, and read-only commands first.
Before changing state, summarize the command, expected effect, rollback option, and approval reason.
Usage pattern
Ask Claude Code to inspect first, summarize evidence second, and only then propose a state-changing command.
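
The allow/ask split in the AGENTS.md starter can be enforced by a gate in front of the shell instead of relying on the model to follow the file. The Python sketch below is an added example, not part of the original page or of Claude Code; the function names, the exact gh and scanner subcommand sets, and the `lint` script name are assumptions. It is default-deny, so pipelines and any command it does not recognise go to approval.

```python
import re
import shlex

# Allowlist derived from the "may run without approval" list; everything else asks.
GH_READ = {("repo", "view"), ("pr", "view"), ("pr", "list"), ("pr", "diff"),
           ("issue", "view"), ("issue", "list")}
SCAN = {"gitleaks": {"detect", "dir", "git"}, "trivy": {"fs", "config", "image"},
        "semgrep": {"scan"}}
NPM_OK = {("test",), ("run", "build"), ("run", "lint")}  # "lint" script name is assumed
IGNORE_FILES = (".gitleaksignore", ".trivyignore", ".semgrepignore")

def select_only(sql):
    """True when every ;-separated statement starts with SELECT."""
    stmts = [s.strip() for s in sql.split(";") if s.strip()]
    return bool(stmts) and all(re.match(r"select\b", s, re.I) for s in stmts)

def classify(cmd):
    """Return "allow" or "ask" for one command line; unknown input always asks."""
    if re.search(r"[$`\\]", cmd):
        return "ask"  # expansion or escaping could smuggle in a second command
    if re.search(r"[;&|<>\n]", re.sub(r"'[^']*'|\"[^\"]*\"", "", cmd)):
        return "ask"  # chaining, piping or redirection outside quotes
    if any(name in cmd for name in IGNORE_FILES):
        return "ask"  # security ignore files are on the must-ask list
    try:
        tool, *args = shlex.split(cmd)
    except ValueError:
        return "ask"  # empty command or unbalanced quoting
    if tool == "jq":
        return "allow"
    if tool == "rg":  # --pre runs an external preprocessor, so it is not read-only
        return "ask" if any(a.startswith("--pre") for a in args) else "allow"
    if tool == "yq":  # -i / --inplace rewrites the input file
        inplace = any(a.startswith("--inplace") or
                      (a[:1] == "-" and a[1:2] != "-" and "i" in a) for a in args)
        return "ask" if inplace else "allow"
    if tool == "gh":
        return "allow" if tuple(args[:2]) in GH_READ and "--json" in args else "ask"
    if tool in SCAN:  # report-only scans; semgrep --autofix edits source files
        ok = bool(args) and args[0] in SCAN[tool] and "--autofix" not in args
        return "allow" if ok else "ask"
    if tool == "npm":
        return "allow" if tuple(args) in NPM_OK else "ask"
    if tool == "duckdb":  # at most one database path, every -c statement SELECT-only
        sql = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-c"]
        rest = [a for a in args if a not in sql and a not in ("-c", "-readonly", "-json")]
        ok = bool(sql) and all(map(select_only, sql)) and len(rest) <= 1
        return "allow" if ok and not any(a.startswith("-") for a in rest) else "ask"
    return "ask"
```
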