Chapter 05 · 6 min

The 18-point checklist & weekly audit

Walk this once (about 20 minutes) then re-check the Claude Code half on a schedule. Anything you don't touch in twelve months, you probably never will.

Tools drift out of place the moment you stop putting them back. A quick weekly tidy keeps the bench usable.

The 18-point checklist

  • Claude.ai 1: Memory scoped per-project, with an exclusion list.
  • Claude.ai 2: Extended Thinking defaulted to Light.
  • Claude.ai 3: A custom style per recurring workflow.
  • Claude.ai 4: Project instructions filled in (under ~400 words).
  • Claude.ai 5: Search past chats turned on.
  • Claude.ai 6: Web search citations set to Footnotes (if you copy answers out).
  • Claude.ai 7: Trusted folders pruned to active projects only.
  • Claude.ai 8: Incognito used for sensitive data.
  • Claude Code 9: Unused plugins set to false.
  • Claude Code 10: permissions.deny set, plus a filesystem layer (chmod 600 .env).
  • Claude Code 11: hooks.SessionStart loads per-branch context.
  • Claude Code 12: disableAllHooks known as your panic switch.
  • Claude Code 13: Per-project model override on light repos.
  • Claude Code 14: Unused MCP servers set to enabled: false.
  • Claude Code 15: cleanupPeriodDays raised from the 30-day default.
  • API 16: cache_control breakpoint at the static/dynamic boundary.
  • API 17: Regional residency only where actually required.
  • API 18: Per-workspace and per-feature rate limits set.

A weekly audit script

Drop something like this in ~/bin and run it weekly to flag the Claude Code half of the checklist. This is a composed example (the source article's exact script was unavailable) so adapt the keys and targets to your setup before trusting it.

#!/usr/bin/env bash
# claude-audit.sh: flag Claude Code settings drift. Adapt to your setup.
set -euo pipefail
cfg="$HOME/.claude/settings.json"

[ -f "$cfg" ] || { echo "no settings.json at $cfg"; exit 1; }

jq -e '.disableAllHooks == true' "$cfg" >/dev/null 2>&1 \
  && echo "WARN: disableAllHooks is on (panic switch left engaged)"

days=$(jq -r '.cleanupPeriodDays // 30' "$cfg")
[ "$days" -lt 90 ] && echo "INFO: cleanupPeriodDays=$days (consider raising)"

jq -r '.mcpServers // {} | to_entries[] | select(.value.enabled != false) | .key' "$cfg" \
  | sed 's/^/INFO: MCP server loaded on start: /'

jq -r '.enabledPlugins // {} | to_entries[] | select(.value == true) | .key' "$cfg" \
  | sed 's/^/INFO: plugin loaded on start: /'

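# Check .env in the current directory. Try GNU stat (-c) first: on Linux,
# `stat -f` means "filesystem info" and prints to stdout before failing,
# which would make the comparison below always report a mismatch.
[ -f ".env" ] && [ "$(stat -c '%a' .env 2>/dev/null || stat -f '%Lp' .env)" != "600" ] \
  && echo "WARN: .env is not chmod 600"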
echo "audit complete"
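
The script above checks the mode of a single .env and never looks at permissions.deny, so checklist item 10 is only half covered. The following is an added example, not code from the source article or this course, that audits both layers; it is written in Python so the JSON handling needs only the standard library. Assumptions: the SECRET_GLOBS patterns, the Read(./.env) rule text, and a substring heuristic standing in for Claude Code's own rule matching.

```python
import json
import tempfile
from pathlib import Path

SECRET_GLOBS = (".env", ".env.*")  # assumption: what counts as a secret file


def audit_secret_layers(settings_path, project_dir):
    """Return WARN strings for checklist item 10: deny rules plus file modes."""
    try:
        settings = json.loads(Path(settings_path).read_text())
    except (OSError, ValueError) as exc:
        return [f"WARN: cannot read {settings_path}: {exc}"]
    findings = []
    perms = settings.get("permissions") if isinstance(settings, dict) else None
    deny = perms.get("deny") if isinstance(perms, dict) else None
    rules = [r for r in deny if isinstance(r, str)] if isinstance(deny, list) else []
    if not rules:
        findings.append("WARN: permissions.deny is missing or empty")
    secrets = sorted({p for g in SECRET_GLOBS
                      for p in Path(project_dir).glob(g) if p.is_file()})
    for path in secrets:
        mode = path.stat().st_mode & 0o777
        # Filesystem layer: any bit beyond owner read/write is looser than 600.
        if mode & ~0o600:
            findings.append(f"WARN: {path.name} is mode {mode:o}, expected 600")
    # Settings layer: substring heuristic only, not Claude Code's rule matching.
    if secrets and not any(".env" in r for r in rules):
        findings.append("WARN: no deny rule mentions .env")
    return findings


def demo():
    """Constructed sample: loose .env and empty deny list, then both fixed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        env, cfg = root / ".env", root / "settings.json"
        env.write_text("API_KEY=constructed-placeholder\n")
        env.chmod(0o644)
        cfg.write_text(json.dumps({"permissions": {"deny": []}}))
        before = audit_secret_layers(cfg, root)
        env.chmod(0o600)
        # Assumed rule text; confirm the syntax your Claude Code version accepts.
        cfg.write_text(json.dumps({"permissions": {"deny": ["Read(./.env)"]}}))
        after = audit_secret_layers(cfg, root)
    return before, after


if __name__ == "__main__":
    print(demo())
```

A clean run returns an empty list; a file that passes the mode check but has no matching deny rule still produces a warning, because the two layers are checked independently.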

What didn't make the cut

The source names four candidates it dropped, worth listing so you don't chase them: an adaptive-reasoning override (the default was hard to beat in testing), skill auto-activation (already well-tuned with progressive disclosure, so leave it on), mobile-to-desktop dispatch (a feature, not a settings knob), and a per-workspace max-tokens ceiling (saves money on chatty work but truncates long code generation, so test per-workspace, don't default it on).

In one line each

  • Run the 18-point checklist once (~20 min), covering all three surfaces.
  • Re-check the Claude Code half weekly with an audit script; adapt the example to your own keys before trusting it.
  • Four settings deliberately left out: adaptive-reasoning override, skill auto-activation, mobile dispatch, per-workspace max-tokens.
The 18-point checklist & weekly audit · AI courses · SDEN