Claude Code: Advanced Tutorial

Based on Claude Code v2.1.89 (April 2026). Details may vary in newer releases.

You’ve mastered the basics and intermediate techniques. This tutorial covers security, browser integration, advanced workflows, multi-session orchestration, and CI/CD automation.

Table of Contents

1. Security Configuration
2. Sandboxing
3. Building Production Skills
4. Remote Control and Mobile Access
5. Chrome Integration
6. Browser Automation
7. Plugins and Marketplace
8. Advanced Context Engineering
9. Advanced Debugging Techniques
10. Multi-Session Orchestration
11. Task List Generation and Agent Teams
12. Avoiding Code Bias
13. Principles of Effective Agentic Coding
14. CI/CD and Headless Automation
15. Credits & Attribution

Security Configuration

Hardening Claude Code for sensitive environments.

Permission Lockdown

In settings.json:

{
  "permissions": {
    "allow": [
      "Read(app/**)",
      "Read(tests/**)",
      "Read(docs/**)"
    ],
    "deny": [
      "Read(.env*)",
      "Read(*.pem)",
      "Read(*.key)",
      "Read(**/secrets/**)",
      "Bash(rm -rf *)",
      "Bash(curl *)",
      "Bash(wget *)",
      "Edit(**/.git/**)"
    ]
  }
}

Settings Precedence

Settings are applied in this order (higher priority wins):

1. Managed settings (enterprise) — highest priority, cannot be overridden
2. Command line arguments — temporary session overrides
3. Local project settings (.claude/settings.local.json)
4. Shared project settings (.claude/settings.json)
5. User settings (~/.claude/settings.json)

If a tool is denied at any level, no other level can allow it. Array settings (like permission rules) are merged across scopes.

Auto Mode Permission Visibility

When using auto-accept mode (Shift+Tab once), some commands still get denied by the built-in safety classifier. Previously these denials were opaque. Now:

• Denied commands show a notification explaining what was blocked
• They appear in /permissions → Recent tab
• You can retry a denied command by pressing r from the Recent tab

This makes auto mode much more transparent — you can see exactly what’s being blocked and override when appropriate, instead of wondering why Claude silently skipped something.

Enterprise Model Restrictions

Restrict which models users can select:

{
  "availableModels": ["sonnet", "haiku"]
}

Telemetry and Privacy Controls

Control data collection for compliance:

# Disable telemetry
export DISABLE_TELEMETRY=1

# Disable error reporting
export DISABLE_ERROR_REPORTING=1

# Disable all non-essential network traffic
export CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1

For verbose session output, use the --verbose flag or --debug for category-filtered debug logs.

Sandboxing

The sandbox provides OS-level isolation for safer execution.

Enabling Sandbox

# From an interactive session
/sandbox

# Or configure in settings.json
# { "sandbox": { "enabled": true } }

Sandbox Modes

1. Auto-allow mode: Sandboxed commands run without permission prompts
2. Regular mode: Sandboxed commands still require permission

Filesystem Rules

{
  "sandbox": {
    "enabled": true,
    "filesystem": {
      "allowWrite": ["~/.cache/pip", "//tmp/build"],
      "denyRead": ["~/.ssh", "~/.aws/credentials"],
      "denyWrite": ["/etc", "/usr"]
    }
  }
}

Path prefixes:

• // — Absolute from root
• ~/ — Home directory
• / — Relative to settings file
• ./ — Relative to working directory

Network Allowlist

{
  "sandbox": {
    "network": {
      "allowedDomains": [
        "*.github.com",
        "*.pypi.org",
        "api.anthropic.com"
      ]
    }
  }
}

Platform Requirements

Building Production Skills

Skills are folders of instructions, scripts, and resources that Claude loads dynamically.

Skill File Structure

.claude/skills/api-generator/
├── SKILL.md              # Main instructions (required)
├── template.py           # Template for Claude to fill in
├── examples/
│   └── sample_endpoint.py    # Example showing expected format
└── scripts/
    └── validate.sh       # Script Claude can execute

SKILL.md with Full Features

---
name: api-generator
description: Generate FastAPI endpoints with tests and docs
model: sonnet
allowed-tools: Read, Write, Edit, Bash
---

# API Endpoint Generator

Generate a complete FastAPI endpoint following project conventions.

## Process
1. Read existing patterns (check app/api/v1/ and app/schemas/)
2. Generate route handler — Location: app/api/v1/{resource}.py
3. Generate service — Location: app/services/{resource}.py
4. Generate schemas — Location: app/schemas/{resource}.py
5. Generate tests — Location: tests/api/test_{resource}.py

## Arguments
$ARGUMENTS contains the resource name (e.g., "invoice", "order")

## Validation
Run: make lint && make test

Dynamic Context Injection

Use shell commands in skills to inject runtime context:

---
name: pr-summary
description: Summarize changes in a pull request
context: fork
agent: Explore
allowed-tools: Bash(gh *)
---

## Pull Request Context
- PR diff: !`gh pr diff`
- PR comments: !`gh pr view --comments`
- Changed files: !`gh pr diff --name-only`

## Your Task
Summarize this pull request:
1. What does it change?
2. What are the risks?
3. What tests should be added?

The !`command` syntax runs shell commands and injects output.

Skill Frontmatter Options

Remote Control and Mobile Access

Continue local Claude Code sessions from phone, tablet, or any browser.

Start Remote Control

# CLI flag
claude remote-control

# From session (with optional name)
/remote-control My Project
# or shorthand
/rc

Connecting from Another Device

1. Open session URL in browser
2. Or scan QR code (press spacebar to show)
3. Or find session in claude.ai/code session list

Enable by Default

/config
# → "Enable Remote Control for all sessions" → true

Beyond the Terminal: Desktop App and Web

Claude Code now runs in more places than the terminal:

The Desktop app is particularly useful for durable scheduled tasks that survive restarts — unlike /loop which is session-scoped.

Requirements

• Max or Pro subscription
• Must /login through claude.ai
• Workspace trust accepted

Chrome Integration

Connect Claude Code to Chrome for web automation and debugging.

Prerequisites

• Google Chrome or Microsoft Edge
• Claude in Chrome extension (v1.0.36+)
• Claude Code v2.0.73+

Enable Chrome

# CLI flag
claude --chrome

# From session
/chrome

# Enable by default
/chrome → "Enabled by default"

Capabilities

• Live debugging with console logs
• Web app testing
• Authenticated site interaction
• Data extraction and scraping
• Session recording as GIFs
• Form automation

Example Commands

> go to localhost:3000, fill out the registration form with test data,
> and verify the success message appears

> open the admin dashboard and check the browser console for errors

> record a GIF showing the checkout flow from cart to confirmation

> navigate to the settings page and extract all form field names

Browser Automation

For browser automation beyond Claude Code’s built-in /chrome integration, there are community tools that provide deeper control.

Recommended: chrome-cdp-skill

chrome-cdp-skill connects your AI agent to your live Chrome session — the tabs you already have open, your logged-in accounts, your current page state. No separate browser instance, no re-login.

Why this over other tools:

• Connects to Chrome you’re already running (not a fresh isolated browser)
• Works with pages you’re logged into (Gmail, GitHub, internal tools)
• Handles 100+ tabs reliably (persistent daemon per tab, no Puppeteer)
• One toggle to enable: chrome://inspect/#remote-debugging
• No npm install — just Node.js 22+

Install as a Claude Code skill:

pi install git:github.com/pasky/chrome-cdp-skill@v1.0.1

Or copy the skills/chrome-cdp/ directory to .claude/skills/.

CLI commands:

scripts/cdp.mjs list              # list open tabs
scripts/cdp.mjs shot <target>     # screenshot
scripts/cdp.mjs snap <target>     # accessibility tree
scripts/cdp.mjs click <target> "selector"  # click element
scripts/cdp.mjs type <target> "text"       # type text
scripts/cdp.mjs eval <target> "expr"       # evaluate JS
scripts/cdp.mjs nav <target> https://...   # navigate

Alternative: browser-use

browser-use is a third-party Python library for programmatic browser control. It launches a fresh browser instance (unlike chrome-cdp-skill which connects to your existing Chrome). Good for automated testing workflows where you want an isolated browser.

pip install browser-use

See the browser-use docs for Python API and CLI usage.

Plugins and Marketplace

Plugins bundle skills, agents, hooks, and MCP servers into installable packages. Marketplaces host plugins for discovery.

Installing Plugins

# Browse and install from marketplaces
/plugin install

# Add a third-party marketplace (GitHub repo, Git URL, or local path)
/plugin marketplace add

# View installed plugins
/plugin

An official Anthropic marketplace is available by default. Installed skills are namespaced: /plugin-name:skill-name.

Building a Plugin

A plugin is a directory with a manifest and any combination of skills, agents, hooks, or MCP configs:

my-plugin/
├── .claude-plugin/
│   └── plugin.json      # {"name": "my-plugin", "version": "1.0.0", ...}
├── skills/              # SKILL.md files
├── agents/              # Agent definitions
└── .mcp.json            # MCP servers

Test locally before publishing:

claude --plugin-dir ./my-plugin

Advanced Context Engineering

Techniques for maximizing Claude’s effectiveness within context limits.

Context Anxiety Mitigation

When you’re worried about losing important context:

# 1. Explicitly state critical info
> IMPORTANT: We decided to use async SQLAlchemy sessions because
> all our endpoints need to handle concurrent requests efficiently.
> Never use synchronous database calls.

# 2. Compact with focus
> /compact preserve the architecture decisions about async patterns

# 3. Verify retention
> summarize our key decisions

The Plan-Checkpoint-Compact Pattern

For long tasks:

# Phase 1: Planning
> create implementation plan for payment webhook handling

# Claude outputs plan...

> save plan to @docs/specs/payment-webhooks.md

# Phase 2: Execution with checkpoints
> start with step 1 of @docs/specs/payment-webhooks.md

# After completing step 1:
> checkpoint: step 1 complete — webhook endpoint created.
> mark as done in @docs/specs/payment-webhooks.md

# When context gets high:
> /compact focusing on remaining steps in payment webhooks

> continue with step 2

Structured Checkpointing

Create a checkpoint template:

## Checkpoint: [Step Name]
### Completed — What was done
### State — Current file states, configuration changes
### Next — What's remaining
### Decisions — Key decisions made and why

Save after each major step. Reference when resuming.

Advanced Debugging Techniques

Systematic approaches to hard bugs.

The Debugging Loop

When stuck, follow this systematic approach:

1. Hypothesize: What could be causing this?
2. Read ALL related code: Don’t skim — actually read it
3. Add strategic logging: Verify assumptions
4. Try a new chat: Fresh context, fresh approach
5. Try a different model: Opus sees things Sonnet misses
6. Revert and retry: Sometimes starting over is faster
7. Dive in yourself: When AI isn’t getting it, do it manually

The Rule of Three

If you’ve explained the same thing three times and Claude still isn’t getting it, more explaining won’t help. Change something:

• Use a different model
• Start a fresh session
• Show a minimal example instead of explaining
• Do it yourself and have Claude learn from your approach

Show Instead of Tell

When Claude misunderstands what you want:

Instead of more explanation, show a minimal example:

# GOOD - this is what I want
def process_payment(payment_id: str) -> PaymentResult:
    payment = get_payment(payment_id)
    if not payment:
        raise PaymentNotFound(payment_id)
    return process(payment)

# BAD - not this
def process_payment(payment_id: str) -> Optional[PaymentResult]:
    payment = get_payment(payment_id)
    if payment:
        return process(payment)
    return None

Multi-Session Orchestration

Running many Claude instances in parallel for large projects.

Agent Teams (experimental)

Claude Code has built-in agent team coordination, but it’s still experimental and disabled by default. Enable with CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS in settings.

One session acts as team lead, assigning tasks and synthesizing results. Unlike subagents, teammates can communicate with each other, not just report back. Best for: research/review, cross-layer changes, debugging competing hypotheses.

Status: Experimental as of v2.1.89. Known limitations around session resumption, task coordination, and shutdown behavior. The manual multi-terminal approach below remains the more reliable option.

When to Use Multi-Session

The Parallel Pattern

# Terminal 1: API changes
cd ~/projects/inventory
claude
> working on API layer. focus: new sync endpoint

# Terminal 2: Service layer
cd ~/projects/inventory  
claude
> working on service layer. focus: inventory sync logic

# Terminal 3: Tests
cd ~/projects/inventory
claude
> writing integration tests for inventory sync

# Terminal 4: Documentation
cd ~/projects/inventory
claude
> updating API docs for inventory sync

Coordination Strategies

Shared status file (WORK-STATUS.md):

Inventory Sync Feature
[x] API endpoint (Terminal 1)
[x] Service logic (Terminal 2)
[ ] Integration tests (Terminal 3)
[ ] Documentation (Terminal 4)

File Ownership
Terminal 1: app/api/v1/sync.py
Terminal 2: app/services/inventory_sync.py
Terminal 3: tests/integration/test_sync.py
Terminal 4: docs/api/sync.md

Keep changes in separate files to avoid merge conflicts.

Managing Sessions

# List all Claude processes
ps aux | grep claude

# Using tmux for persistence
tmux new-session -d -s api 'claude'
tmux new-session -d -s tests 'claude'

# Kill all
pkill -f "claude"

Task List Generation and Agent Teams

Generate tasks and distribute work across agents.

Task Generation

Ask Claude to break down a migration or feature into parallelizable tasks:

> analyze this codebase and create a task list for:
> "migrate from synchronous to async SQLAlchemy"
>
> Format each task with:
> - ID
> - Description  
> - Files affected
> - Dependencies (other task IDs)
> - Estimated complexity (S/M/L)

Parallel Execution with Subagents

Once you have a task list, spawn subagents for independent tasks:

> Task list is in @tasks/async-migration.md
> 
> Spawn subagents for independent tasks:
> - Agent 1: TASK-001 (models) — no dependencies
> - Agent 2: TASK-005 (config) — no dependencies
> - Agent 3: TASK-007 (test fixtures) — no dependencies
>
> Wait for all three to complete before starting dependent tasks.

Task Tracking

> update @tasks/async-migration.md:
> mark TASK-001 as complete
> note: all models now use async session via AsyncSession

This is a prompting pattern, not a special feature — it works with subagents today. Agent teams (when stable) will add automatic task claiming and inter-agent coordination.

Avoiding Code Bias

Prevent cross-contamination between projects when porting features.

The Isolation Technique

When porting features between projects:

# WRONG: Both projects in context
> I have project A and project B open.
> Copy the auth from A to B.
# Claude mixes patterns

# RIGHT: Isolated analysis
# Session 1: Analyze source
cd ~/project-a
claude
> explain the auth system. create an implementation spec
> that's independent of this codebase's specifics.
> save to ~/specs/auth-spec.md

# Session 2: Fresh implementation
cd ~/project-b
claude
> implement auth based on @~/specs/auth-spec.md
> following THIS project's patterns in @CLAUDE.md

Why This Works

Abstract Spec Template

# Feature Specification: [Name]
## Purpose — What problem this solves
## Components — List of logical components (not specific files or paths)
## Data Flow — Step by step flow using generic terms
## Interfaces — Generic interfaces, not project-specific
## Considerations — Security, performance, edge cases

Principles of Effective Agentic Coding

Working with AI coding agents requires a different mindset than traditional development. These principles are distilled from community experience — particularly SilenNaihin’s excellent guide which articulates these ideas well.

Context is your scarcest resource

One chat ≈ one task. Spawn subagents for exploration so they don’t pollute your main context. Compact proactively with focus. Don’t wait until context is exhausted — quality degrades before you hit the limit.

Planning pays compound interest

1 minute of planning saves 3+ minutes of follow-ups. Use plan mode for complex tasks. Save plans to files. Let Claude interview you about requirements before implementing. The cost of a bad plan is n wasted iterations, not just one.

Close the loop

If you do something more than once, automate it:

• Create skills for repeated workflows
• Update CLAUDE.md when you discover gotchas
• Use hooks for quality enforcement
• Build stop hooks for automated verification

Verify, don’t trust

You only know code works if you can verify it. Write tests before refactoring. Use interface tests as your safety net. If tests pass, ship it. If you can’t test it, you can’t trust it — regardless of how confident Claude sounds.

Debug systematically

Follow the debugging loop: Hypothesize → Read → Log → Try differently → Change model → Revert → Do it manually. Apply the Rule of Three: if you’ve explained the problem three times and Claude isn’t getting it, change your approach, not your explanation.

CI/CD and Headless Automation

Note: Headless mode (-p) works with your normal Pro/Max subscription — you can run it locally just like interactive mode. However, CI/CD pipelines, GitHub Actions, and --bare mode require an Anthropic Console API key (ANTHROPIC_API_KEY) since there’s no OAuth/keychain available in those environments. Set up a Console account at console.anthropic.com if you need one.

Headless Mode Basics

# Simple prompt, text output
claude -p "explain the main.py file" --output-format text

# JSON output for parsing
claude -p "list all TODO comments in app/" --output-format json

# Stream output for real-time processing
claude -p "refactor the payment service" --output-format stream-json

The --bare Flag for Fast Scripted Calls

--bare skips hooks, LSP, plugins, and skill scanning. ~14% faster to first API request:

claude --bare -p "analyze this function" --output-format json

Tool Restrictions

# Only allow reading and searching
claude -p "find all database queries" --allowedTools "Read" "Grep" "Glob"

# Prevent file modifications
claude -p "review this code" --disallowedTools "Write" "Edit"

# Limit conversation turns
claude -p "fix the bug" --max-turns 10

Headless with Pipes

# Pipe input
cat error.log | claude -p "analyze this error log and suggest fixes"

# Review git diff
git diff main --name-only | claude -p "review these changed files for security issues"

# Generate commit message
git diff --staged | claude -p "generate a conventional commit message" --output-format text

GitHub Actions Integration

name: Claude Code Review

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]

jobs:
  claude:
    if: contains(github.event.comment.body, '@claude')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

Automation Pipeline Examples

Daily code quality report (post to your team collaboration platform via webhook):

#!/bin/bash
cd /path/to/project

claude -p "Generate a code quality report:
  - New TODO comments added this week
  - Functions over 50 lines
  - Missing docstrings on public functions
  Format as markdown." \
  --output-format text \
  --dangerously-skip-permissions \
  > /tmp/quality-report.md

# Post to Slack, Teams, Discord, etc. via webhook
curl -X POST "$WEBHOOK_URL" \
  -H "Content-Type: application/json" \
  -d "{\"text\": \"$(cat /tmp/quality-report.md)\"}"

PR description generator:

#!/bin/bash
branch=$(git branch --show-current)
base=${1:-main}

git diff $base...$branch | claude -p "Generate a PR description. Include:
- Summary of changes
- Breaking changes (if any)
- Related issues" \
  --output-format text \
  --dangerously-skip-permissions

CI/CD Best Practices

Summary: The Power User Toolkit

Security & Safety

• Permission lockdown and settings precedence
• OS-level sandboxing with filesystem and network rules
• Auto mode permission visibility

Customization

• Production-grade skills with dynamic context injection
• Plugin development and marketplace
• Custom agents

Integration

• Browser automation via Chrome and chrome-cdp-skill
• Remote control for mobile access
• GitHub Actions for PR automation

Scale

• Multi-session orchestration
• Agent teams (experimental)
• Task list generation and parallel execution

Automation (requires API key)

• Headless mode and --bare for scripted calls
• CI/CD pipelines
• Webhook-based reporting

Quick Reference

Security

{"permissions": {"allow": ["Read(app/**)"], "deny": ["Bash(rm -rf *)"]}}

Sandboxing

/sandbox                            # Toggle from session

Remote Control

/rc                                 # From session

Chrome

claude --chrome
/chrome

Skills

~/.claude/skills/           # User skills
.claude/skills/             # Project skills
/skills                     # List all

Plugins

/plugin install                     # Browse marketplace
/plugin                             # View installed

Headless (requires ANTHROPIC_API_KEY)

claude -p "prompt" --output-format json --dangerously-skip-permissions
claude --bare -p "prompt" --output-format json   # Fast mode

CI/CD

- uses: anthropics/claude-code-action@v1
  with:
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

Credits & Attribution

This tutorial series draws from Claude Code’s official documentation and the generous knowledge-sharing of the Claude Code community including SilenNaihin, Peter Steinberger (steipete.me), Daniel Avila, Steve Kinney, and numerous others on X, Reddit, and Discord.