The setup Trail of Bits member uses for security audits, vulnerability research, and development workflows.
Philosophy
This configuration optimizes for throughput over permission prompts. The goal: minimize delay between intent and execution, then rely on sandboxing and hooks to prevent damage.
Bypass permissions. Use
--dangerously-skip-permissionspaired with OS-level sandboxing.Hooks as guardrails. Block known-bad patterns at the decision point, not in system prompts.
Context efficiency. Offload research to subagents, put stable rules in CLAUDE.md, clear aggressively.
Continuous improvement. Weekly
/insightsreviews drive incremental refinements.
0. Clone the Repository
git clone https://github.com/trailofbits/claude-code-config.git
cd claude-code-configAll cp commands in later steps reference files from this repo.
1. Install Prerequisites
Terminal
Use Ghostty. It handles high-volume text output from long AI sessions without memory bloat (native Metal GPU rendering, ~500MB vs ~8GB for alternatives).
brew install --cask ghosttyCore Tools
brew install jq ripgrep fd ast-grep shellcheck shfmt \
actionlint zizmor macos-trash node@22 pnpm uvTool | Purpose |
|---|---|
| JSON processor for parsing Claude Code data structures |
| Fast grep alternative for codebase searches |
| Modern find replacement for file discovery |
| AST-based code pattern matching |
| Static analyzer for shell scripts |
| Shell script formatter |
| GitHub Actions workflow linter |
| GitHub Actions security scanner |
| Safe file deletion (prevents |
| Node.js runtime for JavaScript tools |
| Fast, low-disk-usage package manager |
| Fast Python package manager |
Python Tools
uv tool install ruff # Fast Python linter and formatter
uv tool install ty # Type checker for Python
uv tool install pip-audit # Scans for supply chain vulnerabilities in dependenciesRust Tools
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
cargo install prek # Git pre-commit hook runner
cargo install worktrunk # Worktree management
cargo install cargo-deny # Dependency license and security audits
cargo install cargo-careful # Extra compilation checksNode Tools
npm install -g oxlint # Fast JavaScript/TypeScript linter
npm install -g agent-browser # Headless browser automation for ClaudeLM Studio (for Local Models)
curl -fsSL https://lmstudio.ai/install.sh | bash2. Configure Shell
Add to ~/.zshrc:
alias claude-yolo="claude --dangerously-skip-permissions"This bypasses permission prompts for maximum throughput. Pair it with sandboxing (step 6) for protection.
For local models, also add:
claude-local() {
ANTHROPIC_BASE_URL=http://localhost:1234 \
ANTHROPIC_AUTH_TOKEN=lmstudio \
CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 \
claude --model qwen/qwen3-coder-next "$@"
}3. Install Settings
Copy the settings template to enable privacy controls, extended thinking, and security hooks:
mkdir -p ~/.claude
cp settings.json ~/.claude/settings.jsonWhat you get:
Setting | Why |
|---|---|
| Privacy, disables outbound telemetry |
| Persists extended thinking for complex reasoning |
| Security, prevents malicious MCP servers from git repos |
| Keeps conversation history for a year |
| Blocks reading credentials/secrets, editing shell config |
| Blocks |
4. Install Statusline
A two-line status bar showing model, folder, branch, context usage, cost, and time:
[Opus 4.6] 📁 claude-code-config │ 🌿 main
████⣿⣿⣿⣿⣿⣿⣿⣿ 28% │ $0.83 │ ⏱ 12m 34s ↻89%mkdir -p ~/.claude
cp scripts/statusline.sh ~/.claude/statusline.sh
chmod +x ~/.claude/statusline.shRequires jq (installed in step 1).
5. Install Global CLAUDE.md
The global CLAUDE.md sets development philosophy and toolchain conventions for every session:
cp claude-md-template.md ~/.claude/CLAUDE.mdIt includes:
Development philosophy (no speculative features, replace don't deprecate)
Code quality hard limits (function length, complexity, line width)
Language-specific toolchains: Python (
uv,ruff,ty), Node/TypeScript (oxlint,vitest), Rust (clippy,cargo deny)Testing methodology and code review conventions
Review and customize for your stack.
6. Enable Sandboxing
In bypass-permissions mode, the sandbox is what prevents the agent from doing damage.
Built-in Sandbox
Type /sandbox in a session to enable filesystem and network isolation using OS-level primitives (Seatbelt on macOS, bubblewrap on Linux). The settings.json deny rules harden read access to block:
SSH/GPG keys (
~/.ssh/**,~/.gnupg/**)Cloud credentials (
~/.aws/**,~/.azure/**,~/.kube/**)Package tokens (
~/.npmrc,~/.pypirc)Shell config (
~/.bashrc,~/.zshrc), prevents backdoor plantingmacOS keychain, crypto wallets
Use both: deny rules plus /sandbox for full protection.
Devcontainer (Full Isolation)
For complete filesystem isolation, use a devcontainer. The agent sees only the project files, with no access to host filesystem, SSH keys, or credentials.
Remote Droplets
For complete isolation from your local machine, run on a disposable cloud instance.
See: trailofbits/dropkit
7. Essential Hooks
Hooks intercept tool calls at specific moments and can block, modify, or inject context. They're more powerful than system prompt instructions because they fire at the exact decision point with the full context of what Claude is about to do.
How Hooks Work
Event | When it fires | Can block? |
|---|---|---|
| Before a tool call executes | Yes |
| After a tool call succeeds | No |
| When Claude finishes responding | Yes (forces continue) |
| When Claude needs attention | No |
Exit code 0 allows the action, exit code 2 blocks with an error message fed back to Claude.
Block rm -rf
Suggests trash instead of destructive deletion. Catches accidents before they happen.
{
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "jq -r '.tool_input.command' | if test(\"rm -rf[^/]\") then echo \"Use 'trash' instead of 'rm -rf' for safe deletion.\" >&2; exit 2; else exit 0; fi"
}
]
}
]
}Block Push to Main
Requires feature branches. Prevents accidental direct pushes to main/master.
{
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "jq -r '.tool_input.command' | if test(\"git push.*origin/(main|master)\") then echo \"Direct push to main/master blocked. Create a feature branch first.\" >&2; exit 2; else exit 0; fi"
}
]
}
]
}Both hooks are included in settings.json. Just copy the file.
Optional: Audit Logging
To log all Bash commands for post-session review, add to settings.json:
{
"PostToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "jq -r '\"[\" + (now | todate) + \"] \" + .tool_input.command' >> ~/.claude/bash-commands.log"
}
]
}
]
}Optional: Desktop Notifications
Get notified when Claude needs attention during long autonomous runs:
{
"Notification": [
{
"matcher": "",
"hooks": [
{
"type": "command",
"command": "osascript -e 'display notification \"Claude needs your attention\" with title \"Claude Code\"'"
}
]
}
]
}On Linux, replace with: notify-send 'Claude Code' 'Claude needs your attention'
Optional: Anti-Rationalization Gate
Claude sometimes declares victory while leaving work undone ("these issues were pre-existing," "fixing this is out of scope"). A prompt-based Stop hook catches this:
{
"Stop": [
{
"hooks": [
{
"type": "prompt",
"prompt": "Review the assistant's final response. Reject it if the assistant is rationalizing incomplete work. Common patterns: claiming issues are 'pre-existing' or 'out of scope' to avoid fixing them, saying there are 'too many issues' to address all of them, deferring work to a 'follow-up' that was not requested, listing problems without fixing them. If any pattern appears, respond {\"ok\": false, \"reason\": \"You are rationalizing incomplete work. [specific issue]. Go back and finish.\"}. If genuinely complete, respond {\"ok\": true}."
}
]
}
]
}This sends the response to a fast model (Haiku) for a yes/no judgment. If rejected, the reason becomes Claude's next instruction.
8. Install MCP Servers
MCP servers extend Claude with external capabilities. Set up these two essentials globally.
Essentials
Server | Purpose | Requirements |
|---|---|---|
Context7 | Up-to-date library documentation lookup | None |
Exa | Semantic web search returning LLM-optimized content |
|
Setup
cp mcp-template.json ~/.mcp.jsonEdit ~/.mcp.json and replace your-exa-api-key-here with your key (get one at exa.ai).
Security-Focused MCP Servers (Optional)
Server | Purpose | Requirements |
|---|---|---|
Solidity static analysis — vulnerability detection, call graphs, inheritance | Python 3.11+, Solidity compiler | |
Headless Ghidra — binary analysis, decompilation, cross-references | Ghidra ( | |
Symbol-level code navigation via LSP — find symbols, references, edit by symbol |
|
9. Configure Local Models (Optional)
For offline use or cost savings, run local LLMs via LM Studio.
Recommended Model: Qwen3-Coder-Next
80B mixture-of-experts with only 3B active parameters, designed for agentic coding. The MLX 4-bit quantization is ~45GB and needs at least 64GB unified memory.
Setup
lms get Qwen3-Coder-Next@MLX-4bit -y
lms load qwen/qwen3-coder-next --context-length 32768 --gpu max -y
lms server startThen use claude-local (from step 2) instead of claude.
10. Install Skills
Skills encode expertise for specific workflows. Install the Trail of Bits marketplaces:
claude plugin marketplace add mfakbar127/agent-skills
claude plugin marketplace add trailofbits/skills
claude plugin marketplace add trailofbits/skills-curatedEssential Skills
Skill | What it does |
|---|---|
| Security-focused code review toolkit using grepai semantic search. Provides vulnerability scanning, data flow analysis, and security Q&A capabilities |
| Asks clarification questions before starting - prevents building the wrong thing |
| Configures projects with uv, ruff, ty, pytest, prek |
| Line-by-line code analysis using First Principles methodology |
| Security-focused review of code changes with impact analysis |
| Refines ideas through Socratic questioning before implementation |
| Structured 4-phase root cause analysis |
| Runs 6 specialized review agents in parallel (comments, tests, errors, types, quality, simplification) |
| Turns feature descriptions into implementation plans with parallel research agents |
| Runs 15 specialized review agents in parallel (security, performance, architecture, style) |
agent-browser Skill
For headless browser control with low-context snapshot/ref system:
claude plugin marketplace add vercel-labs/agent-browser
claude plugin install agent-browser@agent-browser11. Install Commands
Custom slash commands for common workflows:
mkdir -p ~/.claude/commands
cp commands/review-pr.md ~/.claude/commands/
cp commands/fix-issue.md ~/.claude/commands/
cp commands/merge-dependabot.md ~/.claude/commands/Command | Usage |
|---|---|
| Reviews a GitHub PR with parallel agents, fixes findings, pushes |
| Autonomously completes a GitHub issue — researches, plans, implements, tests, creates PR |
| Evaluates and merges dependabot PRs with parallel testing |
12. Usage Tips
Context Management
The context window is finite. When it fills up, Claude auto-compacts (summarizing to free space), but this is lossy. Best strategy: avoid needing it.
Scope work to one session. Each feature or bug fix should fit in one context window. If a task is too large, break it into pieces and run each in a fresh session. A session that stays within context budget produces better code than one that compacts three times.
Prefer /clear over /compact. /clear wipes the conversation and starts fresh with no information loss. Your CLAUDE.md reloads, git state is fresh, and the agent re-reads whatever files it needs. /compact is for when you're mid-task and need space without losing your place.
Cut your losses after two corrections. If you've corrected Claude twice on the same issue and it's still wrong, use checkpoints (Esc Esc or /rewind) to roll back to before the first wrong attempt. If the session is too far gone, /clear and start fresh with a better prompt.
Offload research to subagents. Subagents each get their own context window. The main session only sees the summary. Use this for tasks that would bloat your session with documentation reading or codebase exploration.
Put stable context in CLAUDE.md. Project architecture, coding standards, tool preferences: anything reusable goes in CLAUDE.md. It loads automatically every session and survives /clear.
Web Browsing
Three ways to interact with the web:
Need | Use |
|---|---|
Search the web for information | Exa (returns LLM-optimized content) |
Run multi-step workflows on public pages | agent-browser (low-context ref system) |
Interact with authenticated/internal pages | Claude in Chrome extension |
Exa is the default for research. It returns pre-extracted content instead of search result links, saving context window.
agent-browser runs its own Chromium instance (doesn't share your Chrome profile or cookies) and uses a snapshot/ref system (@e1, @e2) that uses ~93% less context than full accessibility trees.
Claude in Chrome operates inside your actual browser with access to your login sessions. The only option for Gmail, Google Docs, Jira, or internal tools.
Continuous Improvement
Run /insights weekly. It analyzes recent sessions and shows what's working, what's failing, where you're spending time. When it finds something useful, act on it: add a rule to CLAUDE.md, write a hook to block a recurring mistake, extract a workflow into a skill.
Fast Mode
/fast switches to fast mode: same Opus 4.6 model, ~2.5x faster output, 6x the cost per token. Use it only for tight interactive loops when you're debugging live and latency costs you focus. Turn it off before autonomous runs (/fix-issue, swarms). The agent doesn't benefit from lower latency; you're just burning money.
Output Styles
Enable Explanatory output style (/output-style explanatory) when learning a new codebase. Claude explains frameworks and patterns as it works, adding "★ Insight" blocks with reasoning. Useful for auditing unfamiliar code or reviewing a language you don't write daily. Switch back to default when you want speed.
Project-Level CLAUDE.md
For each project, add a CLAUDE.md at the repo root with project-specific context: architecture, build/test commands, codebase navigation patterns, domain-specific APIs. The global CLAUDE.md sets defaults. The project file layers on what's unique.
Quick Start
Follow steps 0-11 in order. After completing setup, run /trailofbits:config to walk through installing each component with a guided interface.
Further Reading
Best practices for Claude Code — Anthropic's official guide
Here's how I use LLMs to help me write code — Simon Willison on practical LLM-assisted coding
AI-assisted coding for teams that can't get away with vibes — Nilenso's playbook for high-standard teams
My AI Skeptic Friends Are All Nuts — Thomas Ptacek on why dismissing LLMs is a mistake
Harness engineering — OpenAI on building with zero manually-written code