Skip to main content

Claude Code Plugin Best Practices & Standards

Quick-reference standards for configuration hierarchy, permission patterns, skill naming, and safety boundaries. Source: Local file (claude-code-plugin-best-practices-standards.md) Added: 2026-01-27

Core Architectural Principles

1. Configuration Hierarchy Enforcement

The settings precedence (highest to lowest) that guarantees upstream gates cannot be weakened:

LayerLocationYour Mapping
Enterprise (MDM-deployed)managed-settings.jsonCore
Project shared.claude/settings.jsonProduct Config
Project local.claude/settings.local.jsonTeam Config
User~/.claude/settings.jsonIndividual prefs

Key guarantee: deny rules always win. Enterprise denies cannot be overridden by project allows.

2. Permission Model Standards

Format: Tool(pattern:args)

Examples:
- Bash(npm run:*)     → Allow npm run with any args
- Write(src/**)       → Allow writes in src tree
- Read(.env*)         → Match .env, .env.local, etc.
- mcp__jira__*        → All Jira MCP tools

Safe defaults for Core layer:

  • Deny: rm -rf, curl|sh, .env*, ~/.ssh/*, .git/*, secrets/**
  • Deny network tools in non-sandboxed mode
  • Require explicit allows for production paths

3. Skill Naming Convention

Pattern: /[ROLE]-[DOMAIN]:[ACTION]

ComponentPurposeExamples
ROLEWho executespm, dev, qa, devops
DOMAINWhat areaprd, lint, test, deploy, review
ACTIONWhat happenswrite, check, run, create, sync

Stable command examples:

  • /jaan-to-pm-prd-write — Create PRD
  • /dev-lint:check — Run linting
  • /qa-test:run — Execute tests
  • /devops-deploy:preview — Deploy to preview

Discoverability requirements:

  • Always set description in frontmatter
  • Use argument-hint for expected params
  • Group with consistent prefixes

Trust & Guardrails Standards

4. Hook Exit Codes

CodeMeaningUse Case
0ProceedValidation passed
1Error (logged, continues)Non-critical warning
2Block with messageHard gate—stops execution

Human-in-the-loop pattern: PreToolUse hook returns exit 2 with explanation for risky operations.

5. Gate Hierarchy (Non-Weakening)

Core Layer (Enterprise)
├── MUST deny: secrets, credentials, dangerous patterns
├── MUST deny: production paths without explicit approval
└── Cannot be overridden downstream

Product Layer (Project)
├── CAN allow: safe build/test commands
├── CAN add: project-specific denies
└── Cannot remove Core denies

Team Layer (Local/User)
├── CAN allow: personal workflow shortcuts
├── CAN set: UI preferences, default modes
└── Cannot remove Product or Core denies

6. Secrets Protection Checklist

ControlImplementation
File accessDeny Read(.env*), Read(**/secrets/*)
Output scanningPostToolUse hook with pattern matching
Pre-commitTruffleHog or gitleaks integration
MCP authEnvironment variables only, never hardcoded

MCP Integration Standards

7. Self-Hosted Service Patterns

ServiceAuth MethodKey Consideration
Jira Server/DCPersonal Access TokenUse mcp-atlassian, not Cloud OAuth
GitLab Self-HostedPAT or Deploy TokenGitLab 18.2+ has native MCP endpoint
FigmaOAuth via remote serverOfficial mcp.figma.com/mcp

Environment variable naming:

SERVICE_URL       → Base URL
SERVICE_TOKEN     → Auth credential
SERVICE_PROJECT   → Default project/workspace

8. MCP Server Restrictions (Enterprise)

{
  "allowedMcpServers": [
    { "serverName": "approved-server" },
    { "serverCommand": ["npx", "-y", "@org/approved-mcp"] }
  ],
  "deniedMcpServers": [
    { "serverName": "*" }  // Allowlist mode
  ]
}

Plugin Structure Standards

9. Directory Layout

plugin-name/
├── .claude-plugin/
│   └── plugin.json      # Manifest ONLY
├── commands/            # At root, not nested
├── agents/
├── skills/
├── hooks/
├── .mcp.json
└── CLAUDE.md

Critical: Components at root level. .claude-plugin/ contains only manifest.

10. Public vs Internal Plugin Separation

AspectPublic (Core)Internal
URLsEnvironment vars onlyCan hardcode internal
SecretsNeverVia secure env injection
DefaultsGeneric, configurableCompany-specific
DistributionMarketplace/GitHubPrivate registry

Metrics Standards

11. Required Measurements

MetricDefinitionTarget Direction
Cycle timeCommand invocation → completion↓ Decrease
Rework rateEdits within 24h of generation< 10%
AdoptionActive users / total eligible↑ Increase
Gate bypass attemptsBlocked operations / totalMonitor
Token efficiencyTokens per successful task↓ Decrease

Instrumentation points:

  • SessionStart / Stop — Session duration
  • PostToolUse — Command success/failure
  • PreToolUse exit 2 — Gate blocks

Key Decision Standards

12. When to Use What

NeedUseNot
External API integrationMCP serverHooks
File validation/blockingPreToolUse hookMCP
Human confirmationPreToolUse exit 2Prompt instructions
Auto-formattingPostToolUse hookManual commands
Cross-session stateMemory MCPCLAUDE.md
Workflow orchestrationSlash commandsSkills
Behavioral defaultsSkillsCommands

13. Anti-Patterns to Avoid

Anti-PatternWhy It FailsInstead
Elaborate multi-page promptsContext dilutionSimple, direct commands
Hardcoded URLs in pluginsBlocks distributionEnvironment variables
Allow-by-default permissionsSecurity debtExplicit allowlists
Skipping human gates for "speed"Production incidentsAlways gate risky ops
Single monolithic pluginHard to maintainLayered: Core → Product → Team
Mixing STDIO output formatsProtocol corruptionJSON only for MCP

Quick Reference Card

Permission Pattern Syntax:

Tool(command:args)
Bash(npm run:*)
Write(path/**)
Read(path/*)
mcp__server__tool

Hook Lifecycle:

PreToolUse → [Tool Execution] → PostToolUse
SessionStart → [Session] → Stop
Notification (async, non-blocking)

Settings Merge Order:

Enterprise (wins) > CLI flags > Project local > Project shared > User

Command Frontmatter:

---
allowed-tools: Bash(npm:*), mcp__jira__*
argument-hint: [required] [--optional]
description: One-line for autocomplete
model: claude-sonnet-4-20250514  # Optional override
---