CLAUDE.md实战 | 8条规则让Claude少走弯路

把所有“希望 Claude 记住的东西”，一股脑塞进 CLAUDE.md。

你以为上下文越多，Claude 越懂项目。
实际上，上下文越臃肿，Claude 越容易错过真正重要的规则。

当前文件
相关测试
类型定义
报错日志
最近改动
依赖调用链

根目录 CLAUDE.md 先压到 200 行以内。

## Company Story
2021 年，我们在一次内部 hackathon 中发现运营团队每天都要手动导出报表。
2022 年，我们决定把这个能力产品化。
2023 年，我们开始服务第一批企业客户。
...

## Project Overview
这是一个 B2B 数据分析仪表盘，面向运营经理。

核心目标：
- 缩短“从数据到洞察”的时间。
- 优先保证加载速度和数据准确性。

技术栈：
- Next.js 15 App Router
- TypeScript
- Tailwind CSS + shadcn/ui
- Supabase/PostgreSQL

默认优先级：
数据正确 > 加载速度 > 交互丰富度 > 视觉花哨

一个没看过你项目的人，读完后能不能回答：
1. 这是什么产品？
2. 技术栈是什么？
3. 新代码大概率应该放哪里？
4. 哪些目录不能随便动？
5. 改完后怎么验证？

## Tech Stack
- Next.js 15
- TypeScript
- Tailwind CSS
- Supabase

Redux 已经迁出。
全站只用 Tailwind。
UI 系统一直是 shadcn/ui。
数据层已经锁 PostgreSQL。

## Tech Stack
- Next.js 15 App Router + TypeScript
- Tailwind CSS + shadcn/ui
- Supabase Auth + PostgreSQL
- Zustand for small client-side stores

## Do NOT Introduce Unless Explicitly Requested
- Redux: project already migrated to Zustand + React Context.
- styled-components: use Tailwind utilities and existing design tokens.
- Material UI: conflicts with shadcn/ui visual system.
- MongoDB: data layer is PostgreSQL.
- Moment.js: use date-fns already installed.
- New auth provider: auth flow is locked behind review.

新依赖
样式冲突
包体积变大
测试变多
团队认知分裂
后续会话继续沿用错误选择

## Model Policy
Default coding model is configured through 4SAPI.
Do not ask users to paste raw provider keys into project files.
Do not hardcode model names in application code unless the file already does so.
Read model routing config from env or the existing config layer.

- Write clean code.
- Keep it simple.
- Be performant.
- Follow best practices.

## Coding Rules
- 写干净的代码
- 保持简洁
- 注意性能
- 不要过度设计

## Coding Rules
- Use named exports by default, except framework-required files.
- Avoid `any`; use interfaces, generics, or `unknown` with narrowing.
- Keep React components under 200 lines unless there is a clear reason.
- Use async/await instead of `.then()` chains.
- Prefer existing helpers in `src/lib/` before creating new utilities.
- Do not leave commented-out code, debug logs, or temporary TODOs.
- Add tests for bug fixes that change behavior.

读完规则后，你能不能在 5 秒内判断一段代码是否违反？

## API Rules
- Route handlers must validate input with the existing schema helpers.
- Never return raw database errors to clients.
- All external API calls must have timeout and retry policy.
- New endpoints must include success and failure tests.

## UI Rules
- Use components from `src/components/ui/` before building custom controls.
- Buttons must use existing variants from `button.tsx`.
- Do not introduce new colors outside Tailwind theme tokens.
- Loading, empty, error, and success states are required for async views.

系统架构 800 行
数据库设计 500 行
部署流程 300 行
接口说明 1000 行

## Project Documents
- Architecture overview: `docs/architecture.md`
- API contract: `docs/api.md`
- Data model notes: `docs/data-model.md`
- Deployment runbook: `docs/deploy.md`
- ADRs: `docs/adrs/`
- Archived decisions: `docs/archive/` (ignore unless explicitly requested)

需要架构时，去 docs/architecture.md。
需要 API 合同时，去 docs/api.md。
需要历史决策时，去 docs/adrs/。
旧资料在 archive，没要求别碰。

## Context Loading Policy
Always load:
- `CLAUDE.md`
- Files directly related to the task.

Load on demand:
- `docs/architecture.md` for cross-module changes.
- `docs/api.md` for endpoint or contract changes.
- `docs/adrs/` when changing a documented decision.

Do not load unless requested:
- `docs/archive/`
- old migration notes
- product brainstorm documents

## Model Gateway
Model routing and keys are managed outside this repository.
Read local examples from:
- `docs/model-routing.md`
- `.env.example`

Never commit real API keys.
Never paste provider secrets into documentation.

auth
billing
payments
infra
migrations
security
model gateway

# src/auth/CLAUDE.md

## Security Rules
- Do not change token validation logic unless explicitly requested.
- Do not introduce a new auth provider without updating tests and docs.
- Do not log tokens, sessions, cookies, or auth headers.
- All auth changes must pass `pnpm test src/auth`.

## Known Traps
- Magic link IDs use `crypto.randomUUID()`. Do not replace with Math.random().
- Sessions are stored in Redis, not process memory.
- Middleware must preserve existing redirect behavior.

## Review Requirement
For auth changes, summarize:
1. What security behavior changed.
2. Which tests cover it.
3. What remains risky.

# src/billing/CLAUDE.md

## Billing Rules
- Never change invoice totals without adding tests.
- Currency values are stored in cents.
- Do not use floating point arithmetic for money.
- Webhook handlers must be idempotent.
- Any provider signature verification change requires review.

# src/model-gateway/CLAUDE.md

## Gateway Rules
- Never hardcode provider API keys.
- Never bypass the existing rate-limit middleware.
- Preserve request/response logging redaction.
- Do not expose raw provider error bodies to clients.
- New model routes must include timeout, retry, and cost tagging.

## Required Checks
- Run gateway unit tests after changes.
- Manually inspect redaction for logs touching `Authorization`, `api_key`, or `token`.

倾向、偏好、协作方式、代码风格、项目说明。

格式化
测试
禁止改敏感文件
禁止提交密钥
检查 lint
校验生成文件

## Hooks & Quality Gates
The rules below are enforced by hooks, not just reminders:
- Format edited files after code changes.
- Run related tests after modifying core modules.
- Block edits to `src/auth/`, `src/billing/`, and `prisma/migrations/` unless confirmed.
- Scan for secrets before final summary.

If a hook fails, explain the failure and do not claim the task is complete.

{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Edit|Write|MultiEdit",
        "hooks": [
          {
            "type": "command",
            "command": "pnpm prettier --write \"$CLAUDE_FILE_PATHS\""
          }
        ]
      }
    ]
  }
}

删除文件
自动提交
自动推送
自动改数据库
自动旋转生产 Key
自动执行远程脚本

## Project Memory
Before starting non-trivial tasks, read `MEMORY.md` if it exists.

Use `MEMORY.md` for:
- recurring bugs
- important implementation discoveries
- local setup quirks
- known flaky tests
- decisions made during previous tasks

Do not store:
- secrets
- credentials
- personal data
- temporary notes older than 30 days

At the end of a task, suggest updates to `MEMORY.md` only when the discovery is likely to matter again.

能进 Git
能 review
能删除
能追溯
不用额外数据库
不会黑箱召回

## Memory Hygiene
Keep `MEMORY.md` under 100 lines.
Prefer bullets with date and owner.
Remove stale notes when they no longer affect future work.

# MEMORY.md

- 2026-06-17: `pnpm test` is slow on Windows; use `pnpm vitest src/auth` for auth-only checks.
- 2026-06-17: Billing amounts are cents; never use floats for invoice math.
- 2026-06-17: 4SAPI model route tests require `MODEL_GATEWAY_TEST_MODE=mock`.

先别急着改。
先读代码。
不确定就问我。
回复用中文。
不要讲废话。
改完跑测试。
路径写清楚。

## Working Style
- Read relevant files before proposing changes.
- For risky changes, propose a short plan first.
- For small obvious fixes, implement directly.
- Ask when requirements are ambiguous and a wrong assumption is costly.
- Do not start replies with “Great question” or generic encouragement.
- Reply in Chinese. Keep code comments in English.
- Use absolute file paths when referencing files.
- Final response must include changed files and verification results.

- 不要写垃圾代码。
- 不要自作聪明。
- 不要浪费我时间。

- Do not introduce abstractions unless they remove duplicated logic or match an existing pattern.
- If you are unsure about a behavior, inspect existing tests before guessing.
- Do not refactor unrelated files while fixing a bug.

# CLAUDE.md

## Project Overview
This is a B2B analytics dashboard for operations managers.
Priority: correctness > loading speed > UX richness > visual polish.

## Tech Stack
- Next.js 15 App Router + TypeScript
- Tailwind CSS + shadcn/ui
- Supabase Auth + PostgreSQL
- Vitest for unit tests

## Do NOT Introduce Unless Explicitly Requested
- Redux
- styled-components
- Material UI
- MongoDB
- Real API keys or provider secrets in code/docs

## Coding Rules
- Use named exports by default, except framework-required files.
- Avoid `any`; use interfaces, generics, or `unknown` with narrowing.
- Prefer existing helpers before creating new utilities.
- Do not leave commented-out code or debug logs.
- Add tests for behavior changes.

## Context Loading Policy
- Read files directly related to the task before editing.
- Load `docs/architecture.md` for cross-module changes.
- Load `docs/api.md` for endpoint or contract changes.
- Ignore `docs/archive/` unless explicitly requested.

## Sensitive Areas
- `src/auth/`: read local CLAUDE.md before edits.
- `src/billing/`: read local CLAUDE.md before edits.
- `prisma/migrations/`: do not edit without confirmation.
- `src/model-gateway/`: never hardcode provider keys or bypass rate limits.

## Quality Gates
- Run related tests after behavior changes.
- If tests cannot run, explain why.
- If hooks fail, do not claim completion.

## Project Memory
- Read `MEMORY.md` before non-trivial tasks if it exists.
- Suggest updates only for discoveries likely to matter again.
- Never store secrets or personal data in memory files.

## Working Style
- For risky changes, propose a short plan first.
- For small obvious fixes, implement directly.
- Ask when ambiguity is costly.
- Reply in Chinese. Keep code comments in English.
- Final response must include changed files and verification results.

1. 把根目录 CLAUDE.md 删到 200 行以内。
2. 加一个 Do NOT Introduce 区块，至少列 5 个禁用项。
3. 把“干净、简洁、最佳实践”改成可检查规则。
4. 给 auth、billing、infra、model-gateway 这类高风险目录加本地 CLAUDE.md。
5. 把格式化、测试、密钥扫描做成 hooks 或现有 CI 门禁。

1. 在 CLAUDE.md 里写清楚：不要硬编码 provider key、base URL 和模型名。
2. 在模型中转层目录写本地 CLAUDE.md：保留限流、脱敏、成本标签和错误处理。

这个项目是什么。
技术栈是什么。
不要引入什么。
新代码放哪里。
危险目录有哪些。
改完怎么验证。
不确定时怎么和你协作。

上下文别浪费。
规则能执行。
敏感目录有护栏。
模型调用走统一入口。
成本能复盘。
风险能拦住。