The Vibecoding Masterclass
Most developers use Claude Code like a fancy autocomplete. The best developers treat it like a junior engineer with amnesia. Brilliant but forgetful. The difference is systems, not prompts.
Here are the 12 patterns that actually matter, sourced from what real developers are doing right now.
1. The Three-Tier CLAUDE.md Hierarchy
One CLAUDE.md isn’t enough. The developers writing the best code use three layers:
Global (~/.claude/CLAUDE.md) — Rules you never want to repeat:
- “Always run tests before committing”
- “Never use
anyin TypeScript” - “When unsure, say ‘I don’t know’ instead of guessing”
Project (./CLAUDE.md) — Your stack, commands, conventions. Committed to git. Shared with the team. Keep it under 15 lines per section. Bloat kills quality.
Local (./CLAUDE.local.md) — Your personal setup. MCP servers, editor quirks, terminal preferences. Never committed.
The trick: Claude only loads the relevant scoped files. If you’re working in src/api/, it reads src/api/CLAUDE.md for API-specific context. Zero wasted tokens.
2. Claude Code Hooks (The Real Power Feature)
Hooks let you run scripts automatically at specific points in Claude’s workflow. They live in .claude/settings.json (project) or ~/.claude/settings.json (global). Here’s the actual format:
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "python3 .claude/hooks/block-dangerous.py"
}
]
}
],
"PostToolUse": [
{
"matcher": "Write|Edit|MultiEdit",
"hooks": [
{
"type": "command",
"command": "npx prettier --write $CLAUDE_FILE_PATH"
}
]
}
]
}
}
Key events you should know:
PreToolUse— Fires before Claude runs a tool. Exit code 2 blocks the action. Use this to stop dangerous commands (rm -rf,DROP TABLE).PostToolUse— Fires after a tool runs. Auto-format files, run linters, trigger notifications.Stop— Fires when Claude finishes a task. Run your full test suite here automatically.SubagentStop— Fires when a subagent completes. Chain QA checks after every agent task.
Hooks receive JSON on stdin with the tool name, inputs, session ID, and working directory. Your script reads that JSON and decides what to do.
Real example: auto-lint after every file edit:
{
"hooks": {
"PostToolUse": [
{
"matcher": "Write|Edit",
"hooks": [
{
"type": "command",
"command": "eslint --fix $(echo $HOOK_INPUT | jq -r '.file_path')"
}
]
}
]
}
}
As of March 2026, hooks expanded from 14 to 21 event types. There are now HTTP hooks (send a POST to a webhook), prompt hooks (ask a Claude model to evaluate), and agent hooks (spawn a subagent to verify conditions). You can also bulk-disable all hooks with "disableAllHooks": true in settings.
3. The Skills Directory
Inside .claude/skills/, you create reusable workflows:
.claude/skills/
├── code-review/SKILL.md
├── security-audit/SKILL.md
├── refactor/SKILL.md
└── release/SKILL.md
Each SKILL.md describes exactly what that agent does and how it approaches the task. You tell Claude “use a sub-agent for security review” and it spins up with its own focused context.
This is how teams get Claude to do code reviews that actually catch things. The security agent has different instructions than the refactoring agent.
4. Worktrees for Parallel Development
This changed everything in early 2026. Claude Code now has native worktree support with the --worktree flag.
The problem: You have Claude working on a feature branch in a partially modified state. You can’t check out a different branch without blowing up its work.
The solution:
# Terminal 1: Auth feature
claude --worktree feature-auth
# Terminal 2: Payment bugfix
claude --worktree bugfix-payment
# Terminal 3: API refactor (launches in tmux)
claude --worktree refactor-api --tmux
Each session gets its own isolated directory under .claude/worktrees/, its own branch, its own files. But they share git history and remote connections.
Cleanup is automatic. When you exit a session with no changes, the worktree and branch get removed. If you made commits, Claude asks if you want to keep or remove it.
Subagents can use worktrees too. Add isolation: worktree to a subagent’s frontmatter and it works in its own isolated copy. No file conflicts between agents.
Most developers find 3-5 parallel worktrees is the practical upper bound before context switching eats your gains.
5. Verification-First Design
This is the mindset shift that separates good from great.
Before the agent writes a single line: define what wrong looks like.
- Are you checking for syntax only, or actual behavior?
- What are the edge cases that will break this?
- What dependencies should NOT be guessed?
Then put it in your CLAUDE.md:
## what NOT to do
- Do not make up dependencies — check package.json first
- Do not guess API signatures — read the source file or ask
- Do not assume a function exists — grep for it
- Do not declare something done without running tests
Negative constraints work 3x better than positive ones. Don’t say “be accurate.” Say “do not make up function names.”
6. The Anti-Hallucination Stack
Developers have moved from hoping hallucinations don’t happen to building systems where they can’t slip through:
Permission to say “I don’t know” — The biggest single reducer. Add this to your CLAUDE.md: “A careful ‘I don’t know’ beats a confident wrong answer.”
Test-first wall — Write the tests yourself. Feed Claude the test file + 1-2 working examples. Claude implements to pass those tests. Tests become ground truth.
QA chaining — Every coder agent task chains to a QA agent task. Your test suite runs with CI=true before anything gets committed. Broken code never leaves the agent.
lessons.md — Every time Claude makes a mistake, the fix gets captured. That file gets read at session start so the same error doesn’t repeat.
Ground truth through tooling — If Claude can’t verify something with a tool (git, your codebase, a database query), it stops and asks. Force verification before guessing.
Context7 for docs — Stop letting Claude guess API signatures from memory. Context7 pulls version-specific documentation into the prompt. 9,000+ libraries. If you install one MCP server, make it this one.
7. The Bento-Box Prompt Structure
Keep tasks separated from raw data using XML tags:
<task>
Refactor the authentication middleware to use JWT instead of sessions.
</task>
<context>
<file path="src/middleware/auth.ts">
[paste current code]
</file>
<cli_output>
[paste error logs]
</cli_output>
<architecture>
Auth flows through middleware → controller → service layer.
Sessions stored in Redis. JWT should replace Redis dependency.
</architecture>
</context>
That data-noise separation tanks hallucinations. Claude processes the task and the context separately instead of mixing instructions with data.
8. The Tool Stack (March 2026)
What the best developers are actually installing right now:
Must-Have MCP Servers
- Context7 — Real-time, version-specific docs.
claude mcp add context7 -- npx -y @upstash/context7-mcp - GitHub MCP — Native GitHub access. Issues, PRs, repo reading.
- Playwright MCP — Browser automation and E2E testing.
claude mcp add playwright -- npx @playwright/mcp@latest - Sequential Thinking — Structured reasoning for complex problems. Claude breaks tasks into explicit steps instead of one opaque answer.
- Figma MCP — Direct access to Figma layout data. Combined with Code Connect, it generates code using your actual components, not generic React.
Verification Tools
- Airlock — Open-source Rust-based local CI. Sits between AI-generated code and your remote branch. Every push triggers a self-healing pipeline: lint, test, document, clean up slop.
- Traycer — Creates a “source of truth roadmap” before any code gets written. VS Code extension. Free tier available, Pro at $25/mo.
- CodeGraphContext — Indexes your code into a graph database.
pip install codegraphcontextthencgc start. Supports 14 languages.
The Winning Combo
- Claude Code for autonomous refactors and debugging
- Cursor for day-to-day iteration (Agent Mode is solid)
- Windsurf if you want multi-IDE support (plugins for 40+ IDEs)
- A second LLM as a reviewer before you look at it
9. Parallel Agent Pattern
Don’t run one agent. Run several simultaneously using worktrees:
# Implementation agent
claude --worktree impl-feature "Implement the auth middleware per spec.md"
# Research agent
claude --worktree research "Read the OAuth2 spec and summarize the token refresh flow"
# Review agent (launches after impl finishes)
claude --worktree review "Review the diff in impl-feature branch for security issues"
Each agent gets its own SKILL.md with focused prompts. The security review agent doesn’t need to know about your UI components.
Run them in separate terminals or use the --tmux flag. Review the diffs. The synthesis agent combines findings.
10. The Session Workflow
The pattern winning right now:
- You write the plan. The spec, the acceptance criteria, the edge cases.
- You write the tests. This is your ground truth.
- Agent implements. To pass YOUR tests, not its own idea of “working.”
- QA agent validates. Full test suite + linter with CI=true.
- You review. The diff, not the code. Agent loops on failures.
- Lessons captured. Mistakes go into lessons.md for next session.
Stop treating the agent like a replacement. It’s pair programming with someone who forgets constantly. You provide the memory. It provides the speed.
11. The Anti-Patterns (What To Stop Doing)
These are the mistakes that burn tokens and produce garbage. Sourced from developers who learned the hard way.
Vibing without a spec. Developers who plan architecture first use ~200K tokens per project. Developers who “just vibe it” burn 800K-1.2M tokens. And take longer to finish. Write the spec first.
Accepting code you don’t understand. If you can’t explain why it works, you can’t debug it at 2 AM when production is down. Review every diff like you wrote it.
Delaying auth until the end. Adding login systems after your app is built means restructuring everything. Auth touches routing, state, middleware, and database. Do it early.
Giant CLAUDE.md files. A 200-line CLAUDE.md means Claude treats none of it as important. Keep sections short. Move detailed docs to a docs/ folder Claude can read on demand.
Not committing often enough. Small, frequent commits let you revert cleanly when Claude goes off the rails. If your last commit was 45 minutes ago, you’re doing it wrong.
Skipping Plan Mode for complex tasks. Plan Mode prevents wasted work by aligning on architecture before writing code. Use it for anything that touches more than 3 files.
Trusting AI-generated code for security. Studies show ~45% of AI-generated code has security flaws. Not because AI is bad at security, but because it optimizes for “code that works” over “code that’s secure.” Human review is non-negotiable for auth, payments, and data access.
Placeholder comments instead of real code. Claude sometimes writes // TODO: implement this instead of actual implementations. Add to your CLAUDE.md: “Never use placeholder comments. Write the full implementation or say you can’t.”
12. Real Command-Line Examples
Here’s an actual productive Claude Code session:
# Start with plan mode for a new feature
claude "Plan how to add rate limiting to the API. Don't write code yet."
# After reviewing the plan, implement in a worktree
claude --worktree rate-limiting "Implement rate limiting per the plan. Run tests after."
# Meanwhile, in another terminal, research the library
claude --worktree research "Read the bottleneck npm package docs via Context7. Summarize the sliding window API."
# Review what the implementation agent did
claude "Review the diff in the rate-limiting worktree. Check for race conditions."
# Run the full QA pass
claude "Run CI=true npm test. Fix any failures. Don't commit until everything passes."
The Meta Insight
The developers who are 10x more productive with AI aren’t better prompters. They’re better systems designers.
They built the guardrails, the verification layers, the memory systems. The AI does the typing. They do the thinking.
That’s vibecoding done right.