Claude Code Setup

Published: February 25, 2026 · Last edited: February 25, 2026

A grounded approach to setting up Claude Code that keeps costs visible, scope controlled, and sensitive data safe.

Core Philosophy

• Visible costs over silent consumption
• Explicit scope over open-ended access
• Safety nets before the session starts
• Deliberate use over autopilot
• Smallest context that gets the job done

1. Installation

curl -fsSL https://claude.ai/install.sh | bash

Official quickstart: code.claude.com/docs/en/quickstart

Verify it installed:

claude --version

Authenticate (opens browser):

claude

On first run Claude Code will prompt you to log in via Anthropic or set an API key. To use an API key directly:

export ANTHROPIC_API_KEY="sk-ant-..."

Add to ~/.zshrc or ~/.bashrc to persist it:

# Claude Code API key
export ANTHROPIC_API_KEY="sk-ant-..."

2. Core Configuration

Claude Code has two layers of configuration: global (user-level) and per-project.

Global Settings

File: ~/.claude/settings.json

{
  "model": "claude-opus-4-5",
  "permissions": {
    "allow": [],
    "deny": []
  }
}

Project Settings

File: .claude/settings.json (checked into the repo)

{
  "permissions": {
    "allow": [
      "Bash(npm run test:*)",
      "Bash(npm run lint:*)",
      "Bash(git diff:*)",
      "Bash(git log:*)",
      "Bash(git status)"
    ],
    "deny": [
      "Bash(git push*)",
      "Bash(rm -rf*)",
      "Bash(curl*)",
      "Bash(wget*)"
    ]
  }
}

Allow only what Claude needs for the task at hand. A session debugging a test suite does not need network access or push rights. Deny them explicitly rather than relying on Claude's judgment.

Project Instructions File

File: CLAUDE.md at the root of your project.

Claude reads this at the start of every session. Treat it like onboarding notes for a careful contractor — describe the project, the conventions, and the constraints.

# Project Context

## What This Is
[One paragraph describing the project]

## Tech Stack
- Language:
- Framework:
- Test runner:
- Linter:

## Conventions
- Branch naming: feature/*, fix/*, chore/*
- Commit style: conventional commits (feat, fix, docs, etc.)
- Tests must pass before committing

## What Claude Should NOT Do
- Push to remote without asking
- Modify database migration files
- Change environment files directly
- Install new dependencies without discussion

## Common Commands
- Run tests: `npm test`
- Lint: `npm run lint`
- Build: `npm run build`

Keep CLAUDE.md short. A long file means Claude spends tokens reading instructions instead of doing work.

3. Monitoring Tokens

Tokens are currency. Every file read, every large paste, every long conversation costs them. Visibility into consumption is not optional — it is how you stay in control.

Check Cost Mid-Session

Type /cost at any point in a session to see how many tokens have been used and the estimated cost so far.

Compact Mode

When the context grows long, use /compact to summarize and compress the conversation. Claude will retain the key context but discard the verbose history. Do this proactively before tackling a new subtask in a long session.

Clear and Restart

/clear resets the session entirely. Use it when switching to an unrelated task rather than accumulating irrelevant context. A fresh session is cheaper and usually more accurate than a bloated one.

Avoid Feeding Claude Entire Codebases

Be deliberate about what files Claude reads:

# Instead of asking Claude to explore everything, point it at specific files
claude "Look at src/services/payment.ts and explain the retry logic"

# Avoid vague prompts that trigger broad file reads
# "Look at the codebase and find all bugs" — this reads everything

Watch What Goes Into Context

Things that silently consume tokens:

• Entire log files pasted as context
• Generated files (lock files, build artifacts)
• Large test fixtures or JSON blobs
• Screenshots converted to base64

Add these to .claudeignore to prevent Claude from reading them:

# .claudeignore
node_modules/
dist/
build/
*.lock
*.log
coverage/
.git/

Set a Mental Budget Per Task

Before starting a session, decide what the task is worth. A ten-minute refactor is not worth a session that costs more than that. Use /cost to check in. If you are burning through tokens on exploration, stop and narrow the scope.

4. Security and Safety

Keep the API Key Out of the Repo

The most common mistake. Add to .gitignore globally:

# Add to ~/.gitignore_global
.env
.env.*
.claude/

Apply:

git config --global core.excludesfile ~/.gitignore_global

The .claude/ folder contains local state. The project settings file .claude/settings.json is safe to commit, but nothing else in that folder should be.

Never Store the API Key in Plain Text

Use your system's secret manager or at minimum a .env file that is gitignored:

# .env (gitignored)
ANTHROPIC_API_KEY=sk-ant-...

Load it in your shell:

# ~/.zshrc
[ -f ~/.env.local ] && source ~/.env.local

Review Before You Run

Claude Code operates in two modes: it proposes changes (you review), and it executes commands (you approve). Never approve a command you have not read. Slow down on:

• Any rm or deletion
• Any git push or remote operation
• Any command that writes to files outside the project directory
• Any curl or external network call

Restrict Tool Access by Default

The permissions.deny list in .claude/settings.json is your primary safety control. Start with a restrictive default and open up specific tools when needed:

{
  "permissions": {
    "deny": [
      "Bash(git push*)",
      "Bash(git force*)",
      "Bash(rm -rf*)",
      "Bash(sudo*)",
      "Bash(curl*)",
      "Bash(wget*)",
      "Bash(ssh*)",
      "Bash(scp*)"
    ]
  }
}

Be Specific About What Claude Can Commit

If Claude has commit access, constrain what it commits to:

{
  "permissions": {
    "allow": [
      "Bash(git add src/*)",
      "Bash(git add tests/*)",
      "Bash(git commit*)",
      "Bash(git status)",
      "Bash(git diff*)"
    ],
    "deny": [
      "Bash(git push*)",
      "Bash(git reset --hard*)",
      "Bash(git rebase*)",
      "Bash(git branch -D*)"
    ]
  }
}

Rotate Keys If They Are Exposed

If the API key ends up in a commit, git log, or shared file:

1. Go to console.anthropic.com → API keys
2. Delete the exposed key immediately
3. Generate a new one
4. Update your local config

Do not rely on rewriting git history to fully remove it. Treat it as compromised the moment it is visible.

Do Not Feed Claude Sensitive Data

Claude sends context to Anthropic's servers to generate responses. Do not paste:

• Passwords or secrets
• Private keys or certificates
• Customer PII
• Internal authentication tokens
• Confidential business data

If you need Claude to work with a file that references secrets (like an .env example), redact the values before pasting.

5. Useful Commands

Session Commands

Command	What It Does
/cost	Show token usage and estimated cost for the current session
/clear	Reset context completely — start fresh
/compact	Summarise and compress the conversation to save tokens
/help	List all available commands

CLI Flags

# Start with a specific model
claude --model claude-opus-4-5

# Non-interactive: pipe output to a command
echo "Summarise this file" | claude --print < README.md

# Run a one-off task without entering a session
claude -p "What does the test in tests/auth_test.py verify?"

Useful Shell Aliases

Add to ~/.zshrc:

# Claude Code shortcuts
alias cc='claude'
alias cclear='claude /clear'

# Start a session in a specific project
ccp() {
    cd "$1" && claude
}

# Quick one-shot questions (non-interactive)
ask() {
    claude -p "$*"
}

6. Usage Tips

1. Write a good CLAUDE.md: The two minutes it takes saves you from explaining the project every session.
2. Use /cost early: Check in after the first few exchanges in a new session to calibrate how fast context is growing.
3. Compact before switching tasks: If you solved one problem and are moving to a second, /compact first.
4. Deny by default, allow by task: Start every project with a restrictive permissions list. Add to it as you discover what Claude actually needs.
5. Read every proposed command: Claude is helpful but not infallible. One misread command can delete files or push broken code.
6. Keep CLAUDE.md in version control: The team benefits from shared conventions and constraints.
7. Use .claudeignore: It is the easiest way to keep irrelevant files out of context and costs down.

Customisation

Adjust based on your workflow:

• Tighten or loosen permissions.deny as you learn which commands are safe for your project
• Add project-specific banned patterns (migration files, infra configs, secrets directories)
• Update CLAUDE.md whenever a convention changes — it is living documentation
• Set up a per-team CLAUDE.md template for new projects to start from a sensible baseline

Remember: The goal is intentional use, not restriction for its own sake.

Related

• Gemini CLI Setup — Setting up Google's AI coding assistant alongside Claude
• CLI Setup — The shell environment your AI tools run inside