"Building a Claude Harness (2/3) — How to Separate CLAUDE.md, Skills, Hooks, and Permissions"

The most common mistake in Claude-based harness design is stuffing every rule into one CLAUDE.md file. But in real operation, the roles are different. CLAUDE.md is identity and baseline guidance, skills are repeatable procedures, hooks are automatic checkpoints, and permissions are access boundaries. Once those layers are separated, instructions stay shorter, automation becomes more reliable, and safety stops depending on memory alone.

Key Takeaways

  • CLAUDE.md is the always-loaded baseline instruction layer for project identity, hard rules, and read-first paths.
  • Skills are procedure packages for repeatable work. Long step-by-step workflows belong here, not in always-loaded memory.
  • Hooks are the automatic enforcement layer. Anything that should be checked or blocked at execution time belongs closer to hooks than to prose.
  • Permissions and settings are the access-boundary layer for reading, editing, executing, and external access.
  • So the real Claude harness problem is not writing one good instruction file. It is deciding which responsibility belongs to which layer.

1. Why separation comes first

If you look across the Claude Code documentation, memory files, settings, hooks, subagents, and slash commands are exposed as distinct surfaces. That matters for one reason above all:

A Claude harness is not meant to be run from one giant instruction file.

When teams ignore that, the same failure pattern appears repeatedly:

  • CLAUDE.md gets too long
  • important rules are buried in noise
  • repeatable procedures get re-explained in prompts
  • enforceable safety rules remain mere suggestions
  • permissions are handled as prose instead of configuration

That is why the core question of this post is not feature discovery. It is role separation.

2. CLAUDE.md is the first signboard, not the whole operating system

As the earlier CLAUDE.md authoring guide emphasized, CLAUDE.md is always part of context. That means it should not be treated as a dumping ground for everything the agent might ever need to know.

Good content for CLAUDE.md usually includes:

  • what this project is
  • what should be read first
  • what must never happen
  • the default workflow for small versus multi-step work
  • the responsibility of major directories

And some things usually belong elsewhere:

  • long step-by-step procedures
  • fast-changing operational tips
  • task-specific detail manuals
  • rules that should be mechanically enforced

In one line:

CLAUDE.md is best used as an identity file and a hard-rule signboard, not as a complete operations manual.

3. Skills separate long procedures from permanent context cost

In our own operating language, skills are reusable task modules. In the broader Claude ecosystem, related goals may also be achieved with custom commands, subagents, or reusable prompt packages. The harness principle is the same:

  • is the task repeated often
  • does it require multiple stages
  • does it have a stable input, validation, and output pattern

If so, it should probably move out of CLAUDE.md and into a reusable procedure layer.

Typical examples include:

  • pre-publish review
  • handoff writing
  • code review
  • test execution and summarization
  • directory-specific edit procedures

This creates several benefits:

  • CLAUDE.md stays short
  • long procedures are loaded only when relevant
  • teams can share the same operational flow
  • output formats become easier to standardize

So the real value of skills is not "more power." It is keeping repeatable process out of always-on context.

4. Hooks are automatic checkpoints, not just stronger instructions

In Anthropic's official hooks documentation, hooks attach to events such as PreToolUse, PostToolUse, UserPromptSubmit, Stop, and SubagentStop, and are configured through matchers and commands in settings files.

In harness terms, that translates roughly like this:

  • CLAUDE.md: the direction you want the agent to follow
  • skill: the process you want it to use
  • hook: the automatic device that checks or intervenes at a specific execution boundary

Typical hook-shaped rules include:

  • run formatters or checks after certain file edits
  • block or warn on sensitive path modifications
  • validate prompts before they are processed
  • verify that handoff artifacts exist before a session stops

If these stay only in prose, they depend on memory and consistency. Hooks move them closer to execution-time enforcement.

That makes hooks fundamentally different from simply writing stronger instructions.

5. Permissions carry the safety and access boundary

The official Claude Code settings documentation exposes permissions.allow, ask, deny, defaultMode, disableBypassPermissionsMode, and additionalDirectories. This matters because it lets you separate safety from prompting and express it as configuration.

The key operational principle is simple:

  • read
  • edit
  • execute
  • web access
  • access to sensitive files

These should not be treated as equivalent actions.

For example:

  • .env, secrets/**, and credential files belong in deny
  • destructive shell commands often belong in ask or deny
  • standard team commands can be narrowly allowed
  • personal experiments fit better in .claude/settings.local.json
  • shared rules belong in .claude/settings.json

This is how you separate "the AI can do this" from "the AI is allowed to do this."

6. Each layer answers a different kind of question

When in doubt, classify by question rather than by feature name.

Question Better matching layer
What is this project, and what is the baseline posture CLAUDE.md
How should this kind of task be executed step by step skill
Should an automatic check run before or after this action hook
Should this action be allowed, confirmed, or blocked permissions/settings

That table alone prevents a large amount of CLAUDE.md bloat.

7. Common anti-patterns

Weak Claude harnesses tend to show the same mistakes.

7.1 Putting every rule into CLAUDE.md

The file grows, adherence drops, and the important hard rules disappear into background noise.

7.2 Re-explaining repeatable work in the prompt every time

This wastes tokens and causes process drift.

7.3 Writing blocking rules only as prose

For example, saying "do not touch credentials" without reinforcing it through permissions or hooks.

7.4 Using skills or prose where hooks are a better fit

Validation automation, path blocking, and stop-time checks are often execution-boundary problems.

7.5 Mixing personal exceptions into shared config

Personal experiments belong in local settings, not in shared team policy.

8. A practical separation rule: short rules, long procedures, automatic enforcement, narrow permissions

A reliable operating baseline can be summarized in four lines:

  • short rules go in CLAUDE.md
  • long procedures go in skills
  • automatic enforcement goes in hooks
  • narrow permissions go in settings

This works because each layer fails differently.

  • CLAUDE.md fails when it becomes bloated
  • skills fail when procedures drift and go stale
  • hooks fail when they over-block workflow
  • permissions fail when they are either too loose for safety or too tight for usability

So the goal is not to maximize one layer. It is to keep each layer thin and sharp for its role.

9. What this looks like in a repo like ours

In a content-and-scripts workspace, the split often looks like this:

  • CLAUDE.md: publish restrictions, config/ restrictions, read-first docs, workflow gates
  • skills: blog drafting, pre-publish review, handoff writing, code review
  • hooks: path validation after context-doc edits, checks after script changes
  • permissions/settings: deny secrets, ask/deny risky commands, allow narrow shared commands

That arrangement clarifies not only what the agent should do, but also what it is allowed to do.

10. Good layer separation matters more than one perfect prompt

When people first adopt Claude Code, they often focus on writing better instructions. That matters, but at operating scale, structure matters more.

  • baseline identity and hard rules belong in CLAUDE.md
  • reusable processes belong in skills
  • execution-time intervention belongs in hooks
  • access boundaries and safety policy belong in permissions and settings

Once that separation is in place, CLAUDE.md gets shorter, repeatable work becomes steadier, safety rules are forgotten less often, and collaboration gets easier.

That is why the most useful Claude harness question is not "what should I tell the model?" but this:

Should this rule live in memory, in a reusable procedure, in an automatic checkpoint, or in the permission boundary?

Part 3 compares this operational philosophy with OpenAI's and shows why the two ecosystems naturally push teams toward different harness shapes.

References

  • Anthropic Docs, Claude Code settings
    https://docs.anthropic.com/en/docs/claude-code/settings
  • Anthropic Docs, Hooks reference
    https://docs.anthropic.com/en/docs/claude-code/hooks
  • Anthropic Docs, Subagents
    https://docs.anthropic.com/en/docs/claude-code/sub-agents
  • Anthropic Docs, Slash commands
    https://docs.anthropic.com/en/docs/claude-code/slash-commands
  • Anthropic Docs, Security
    https://docs.anthropic.com/en/docs/claude-code/security
  • drafts/blog/260425_CLAUDEmd์ž‘์„ฑ๊ฐ€์ด๋“œ_๋ธ”๋กœ๊ทธ.md
  • drafts/blog/260425_claude_md_authoring_guide_en.md
  • docs/blog_series_ํ•˜๋„ค์Šค์—”์ง€๋‹ˆ์–ด๋ง_์ด๊ด„_design.md
  • sources/260518_ํ•˜๋„ค์Šค์—”์ง€๋‹ˆ์–ด๋ง_15์žฅ_๋ธ”๋กœ๊ทธํ™œ์šฉ๋…ธํŠธ.md

This is Part 2/3 of the OpenAI and Claude Harnesses series. Suggested next reading: the OpenAI vs Claude harness comparison.

Series overview: Harness Engineering Series Guide

๋Œ“๊ธ€

๋Œ“๊ธ€ ์“ฐ๊ธฐ

์ด ๋ธ”๋กœ๊ทธ์˜ ์ธ๊ธฐ ๊ฒŒ์‹œ๋ฌผ

Agent Memory Engine (2/10) — Building an AI Agent Memory System with SQLite Alone

← 1/10 SQLite Memory Engine f… ๐Ÿ“š Series Index 3/10 memcore Completed → A memory engine that runs without daemons, without dependencies, anywhere ํ•ต์‹ฌ ์š”์•ฝ This post covers how to design an AI agent memory engine (memcore) on a single-file SQLite backend. - Structure: 25 modules, ~6,464 lines, 22 DB tables - Principles: no daemon, single-file portability, no required external dependencies, host-agnostic - Core techniques: 4-layer hybrid search (topic · vector · FTS5 · LIKE), U-tag dialectic-based confidence evolution, ingestion-layer bias rejection rules What This Post Covers One approach to building AI agent memory without a server or cloud vector DB. Specifically: (1) the limitations of text-file-based memory, (2) vector DB alternatives compared and selection criteria, (3) how to layer search tiers, (4) how to evolve confidence scores over time, and (5) how to block biased memory accumulation at the ingestion stage. Design Principles: Why Single-File SQLite Text-file-based ...
Read more »

"ML Foundations (9/9) — PyTorch vs TensorFlow, and the Road to Local LLMs"

์ด๋ฏธ์ง€
← 8/9 Deep Learning Architec… ๐Ÿ“š Series Index (series end) The final part. So far we've focused on models. Now we focus on the tools that actually run them . We'll lay out the philosophical difference between PyTorch and TensorFlow, and trace how Hugging Face transformers , llama.cpp , MLX , and Ollama built the bridge to running large language models on your own machine. By the end you should have the full mental model of "download a pretrained LLM and serve it locally." 0. Learning Objectives Explain the eager-vs-graph difference between PyTorch and TensorFlow. Explain, in graph terms, how autograd automates the backward pass. Use Hugging Face transformers ' AutoModel , AutoTokenizer , and pipeline abstractions. Describe llama.cpp's GGUF quantization, INT4 inference, and CPU-first flow. Describe Apple MLX's use of unified memory and how it differs from PyTorch. Run a local LLM with Ollama and call it through an OpenAI-compatible API. ...
Read more »

"RAG Core Study (14/26) — Evaluation Sets with RAGAS & DeepEval"

์ด๋ฏธ์ง€
Series overview: Series index ๐Ÿ“š Series Index Without an evaluation set, every RAG improvement is a story, not evidence. RAG systems fail in more than one place: retrieval, context selection, answer generation, and grounding. That means "looks better" is not a metric. Part 14 explains how to build a golden dataset , how RAGAS and DeepEval fit into the workflow, and why teams must separate retrieval quality from answer quality if they want tuning decisions to hold up. 0. Prerequisites Part 13 reranking — system quality now depends on multi-stage ranking. Part 1 grounding — a correct-looking answer is not enough. Part 12 Hybrid — multiple retrieval settings need comparison on fixed data. 1. Learning Objectives Build a small but useful golden dataset for RAG. Distinguish retrieval metrics from answer metrics . Use RAGAS and DeepEval in the right roles. Avoid the common traps in judge-model-based evaluation. 2. ํ•ต์‹ฌ ์š”์•ฝ An evaluation set for RAG is ...
Read more »

"ML Foundations (8/9) — Deep Learning Architectures: CNN, RNN, Attention"

์ด๋ฏธ์ง€
← 7/9 Deep Learning Training ๐Ÿ“š Series Index 9/9 PyTorch vs TensorFlow → What did we keep adding on top of an MLP? Vision went CNN, sequences went RNN/LSTM, and eventually both converged on Attention and the Transformer. Each architecture is easier to remember if you read it as what it gave up to gain something else . This part is the one-line summary of the decisive inflection points: LeNet → AlexNet → ResNet → LSTM → Attention → Transformer. 0. Learning Objectives Explain why CNN's convolution, pooling, and weight sharing match images so well. Trace what got unblocked from LeNet → AlexNet → VGG → ResNet as depth grew. State BPTT for RNNs and the vanishing/exploding gradient problem. Write the LSTM gate equations (forget, input, output) with intuition. Write the attention formula in query/key/value form and the scaled dot-product variant. State the precise reasons Transformers replaced RNNs (parallelism + long-range dependencies). 1. ํ•ต์‹ฌ ์š”์•ฝ CNN : weight sharin...
Read more »

"ML Foundations (7/9) — Deep Learning Training: Optimizers, Regularization, Initialization"

← 6/9 Neural Networks ๐Ÿ“š Series Index 8/9 Deep Learning Architec… → Building an MLP, as we did in Part 6, is not the same as getting it to train well . The right optimizer, regularization, initialization, and learning rate — when these line up, deep networks converge. When they don't, the network refuses to learn at all. This part is the catalog of those crafts, with formulas, paper citations, and code in one place. 0. Learning Objectives Compare and write the update rules for SGD, Momentum, Nesterov, and Adam. Explain how Dropout, BatchNorm, and LayerNorm work and where they belong in a model. Derive the variance formulas for Xavier and He initialization and match them to activations. Implement step, cosine, and warmup learning-rate schedules in PyTorch. Explain why gradient clipping is effectively required for RNNs and Transformers. Diagnose the most common training failures (NaN, plateau, overfitting) and apply first-line fixes. 1. ํ•ต์‹ฌ ์š”์•ฝ SGD : \(w \leftarro...
Read more »

OpenClaw to Hermes Migration (2/13) — What to Preserve, Partially Port, or Discard

← 1/13 Current Structure Inve… ๐Ÿ“š Series Index 3/13 What Moves to Hermes → A code review record classifying operational scripts into three tiers: preserve, partial-preserve, and discard. What This Post Covers An asset classification framework (preserve / partial-preserve / discard) for migrating a legacy agent system to a successor A concrete case applying the Strangler Fig + Subset Migration strategy to a memory pipeline Classification results evaluated across LOC, external dependencies, and replaceability axes A method for slimming down a bloated single file (1,310 LOC) using the migration as a natural entry point Problem Definition: Port Everything or Cut Deep? The OpenClaw inventory comprises multiple agents, multiple scheduler/daemon processes, and multiple operational scripts. When moving to the successor system, Hermes, the choice is not binary. A full port carries accumulated technical debt along with it; a minimal port discards hard-won domain logic. Code-revie...
Read more »

AI Agents I Built (5/7) — Building an Automated Blogger API Publishing System

← 4/7 My Life Organizer Agent ๐Ÿ“š Series Index 6/7 Dual → Designing a Markdown-Based Auto-Publish Pipeline with Blogger API v3 + OAuth 2.0 Key Summary Blogger API v3 + OAuth 2.0 enables a pipeline that converts Markdown files into publishable HTML posts blogger_publish.py handles the full flow — frontmatter parsing → body cleanup → HTML conversion → CSS injection → API post — in a single script For bulk publishing, quota management (delay, retry, TOC suppression) is the critical design concern Platform Selection Criteria API access is mandatory for AI agent-driven content publishing. A comparison of platforms: Platform API Cost AdSense Decision WordPress.com REST API Paid plan required Paid only Cost overhead Ghost REST API Self-hosted or paid Manual setup Ops overhead Blogger v3 API Free Native integration Adopted Blogger is free, exposes a REST API, and integrates natively with AdSense. For personal blog automation, this combination i...
Read more »