Claude Code Configuration Guide: Master CCA Exam Domain 3 in 2026

Q: How do you configure Claude Code for CI/CD pipelines in 2026?

CI/CD configuration requires setting the `ANTHROPIC_API_KEY` environment variable and enabling headless mode with `CLAUDE_HEADLESS=true`. Copy project configuration files (`.claude/settings.json`, `CLAUDE.md`) to the CI environment and use appropriate permission restrictions for automated workflows. The 2026 release added cloud scheduling for persistent workflows independent of local development environments.

Q: What environment variables are available in Claude Code hooks?

Hooks receive context through environment variables: `$TOOL_NAME` (name of the executing tool), `$TOOL_INPUT` (JSON string of tool parameters), `$TOOL_INPUT_FILE_PATH` (file path for file-related operations), and `$TOOL_OUTPUT` (tool results, available only in PostToolUse hooks). These variables enable hooks to make decisions based on the specific tool being executed and its parameters.

Q: How do you set up MCP servers in Claude Code configuration?

MCP servers are configured in settings files under the `mcpServers` section, specifying command, args, and optional environment variables. They can be set at user global level (`~/.claude/settings.json`), project level (`.claude/settings.json`), or in dedicated `.mcp.json` files. Each MCP server runs as a separate process and communicates with Claude Code via the Model Context Protocol standard.

Q: What are the best practices for organizing Claude Code configurations in team environments?

Use version-controlled `.claude/settings.json` for shared team configuration, `.claude/settings.local.json` for developer-specific overrides (gitignored), and maintain up-to-date CLAUDE.md files with clear project context. Implement layered permissions starting restrictive at enterprise level, organize skills by capability rather than project, and establish clear ownership boundaries for different configuration components.

Short Answer

Claude Code configuration in 2026 centers on CLAUDE.md files (project instructions), settings hierarchy (permissions and environment), hooks system (automation triggers), and skills (reusable capabilities). The CCA exam Domain 3 covers 20% of questions, testing configuration patterns, permission models, and workflow optimization across IDE integrations.

Understanding Domain 3: Claude Code Configuration & Workflows

Domain 3 represents 20% of the CCA exam (approximately 12 questions out of 60), making it a critical knowledge area for certification success. This domain tests your understanding of Claude Code's configuration system, which transforms basic AI assistance into sophisticated, project-aware development workflows.

The domain encompasses five core areas: CLAUDE.md project instruction system, settings hierarchy and permissions, hooks for automation, skills for reusable capabilities, and CI/CD integration patterns. Unlike other domains that focus on architectural concepts, Domain 3 requires hands-on knowledge of configuration files, JSON structures, and shell command patterns.

Claude Code launched as part of Anthropic's 2026 developer toolkit expansion, offering agentic AI coding that reads entire codebases, executes commands, and maintains project context across sessions. The configuration system enables teams to customize behavior, enforce standards, and automate workflows without writing custom code.

Key exam topics include understanding the four-level settings hierarchy (enterprise policy → user global → project → local), hook execution patterns (PreToolUse, PostToolUse, Stop), and permission matching syntax using glob patterns. The CCA Exam Format and Scoring 2026 guide details how configuration scenarios appear across multiple-choice and scenario-based questions.

Preparing for the CCA exam? Take the free 12-question practice test to see where you stand, or get the full CCA Mastery Bundle with 300+ questions and exam simulator.

CLAUDE.md: The Project Instructions Foundation

The CLAUDE.md system serves as Claude Code's primary project awareness mechanism, providing context that transforms generic AI assistance into project-specific expertise. These markdown files create a persistent memory layer that survives across sessions, ensuring consistent behavior and reducing repetitive explanations.

Loading hierarchy follows a specific precedence order that exam candidates must memorize:

User-level global: ~/.claude/CLAUDE.md (personal preferences, global coding standards)

Project-level root: ./CLAUDE.md (project-specific context, shared via version control)

Directory-level nested: ./src/CLAUDE.md, ./components/CLAUDE.md (module-specific instructions)

Parent directory walk-up: Enables monorepo and portfolio-level configurations

All files merge rather than override, creating a layered instruction system. Lower levels extend higher levels, allowing granular customization while maintaining global consistency.

markdown# Project: E-commerce Platform

## Build & Test Commands
- Build: `npm run build`
- Test: `npm test -- --coverage`
- Lint: `npm run lint -- --fix`
- Type check: `npx tsc --noEmit`

## Architecture
- Next.js 14 App Router with TypeScript
- Prisma ORM with PostgreSQL
- Redis for caching and sessions
- Stripe for payment processing

## Coding Standards
- Use Server Components by default
- Add 'use client' only when necessary
- Implement error boundaries for all async components
- Use Zod for all API input validation

## Critical Context
- Payment webhooks require idempotency keys
- Never modify auth middleware without security review
- Database migrations must be backwards compatible

Effective CLAUDE.md files include executable commands (Claude Code automatically detects build/test patterns), architectural context (frameworks, databases, external services), coding conventions (naming, patterns, libraries), and critical constraints (security requirements, performance considerations). The CCA Tool Design MCP Integration Guide explores how CLAUDE.md integrates with Model Context Protocol servers.

Settings Hierarchy and Permission Models

Claude Code's settings system implements a five-level hierarchy that determines tool permissions, environment variables, and integration configurations. Understanding this hierarchy is essential for CCA exam success, as questions frequently test precedence rules and permission inheritance patterns.

Hierarchy order (highest to lowest priority):

Enterprise policy (immutable, organization-wide)
    ↓
~/.claude/settings.json (user global preferences)
    ↓
.claude/settings.json (project settings, version controlled)
    ↓
.claude/settings.local.json (local overrides, gitignored)
    ↓
Enterprise defaults (fallback values)

Higher levels override lower levels, with enterprise policy always taking precedence. This enables organizations to enforce security boundaries while allowing developer customization within approved limits.

json{
  "permissions": {
    "allow": [
      "Bash(npm run *)",
      "Bash(git status)",
      "Bash(git diff *)",
      "Read",
      "Write(src/**)",
      "Edit(src/**/*.{ts,tsx,js,jsx})"
    ],
    "deny": [
      "Bash(git push --force *)",
      "Bash(rm -rf *)",
      "Bash(sudo *)",
      "Write(.env*)"
    ]
  },
  "env": {
    "NODE_ENV": "development",
    "LOG_LEVEL": "debug",
    "API_BASE_URL": "http://localhost:3000"
  },
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "./src"]
    },
    "database": {
      "command": "python3",
      "args": ["/usr/local/bin/db-mcp-server.py"]
    }
  }
}

Permission patterns use glob-style matching where deny always overrides allow. Common patterns include tool-specific permissions ("Bash(npm )" allows npm commands), file path restrictions ("Write(src/)" limits writes to source directories), and wildcard blocking ("Bash(rm -rf )" prevents destructive operations). The What is Model Context Protocol (MCP)? guide details MCP server configuration within settings files.

Hooks System: Automation and Quality Gates

The hooks system enables automated workflows by executing shell commands at specific points in Claude Code's execution cycle. Hooks transform reactive coding assistance into proactive development automation, implementing quality gates, formatting standards, and validation checks without manual intervention.

Three hook types provide comprehensive workflow control: PreToolUse hooks execute before tool invocation, enabling parameter validation, command transformation, and execution blocking. Return codes determine behavior: 0 with empty output allows normal execution, 0 with output shows messages but proceeds, and 2 blocks execution entirely. PostToolUse hooks run after tool completion, processing outputs and triggering follow-up actions. Common uses include auto-formatting modified files, running linters, sending notifications, and updating documentation. Stop hooks execute when Claude Code reaches end_turn, providing final validation opportunities. If hooks return non-empty output, that output becomes a new user message, continuing the agent loop for additional iterations.

json{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "command": "python3 ~/.claude/validate_command.py \"$TOOL_INPUT\""
      }
    ],
    "PostToolUse": [
      {
        "matcher": "Write|Edit",
        "command": "npx prettier --write \"$TOOL_INPUT_FILE_PATH\" && npx eslint --fix \"$TOOL_INPUT_FILE_PATH\" 2>/dev/null; exit 0"
      },
      {
        "matcher": "Write",
        "command": "git add \"$TOOL_INPUT_FILE_PATH\""
      }
    ],
    "Stop": [
      {
        "matcher": "",
        "command": "npm run typecheck 2>&1 | tail -10"
      }
    ]
  }
}

Environment variables provide hook context: $TOOL_NAME (tool being executed), $TOOL_INPUT (JSON parameters), $TOOL_INPUT_FILE_PATH (file paths for file operations), and $TOOL_OUTPUT (tool results for PostToolUse). Matcher patterns support empty strings (all tools), specific tool names, pipe-separated lists, and glob patterns.

Effective hook strategies include auto-formatting on save (PostToolUse with prettier/eslint), command validation (PreToolUse blocking dangerous operations), quality gates (Stop hooks running tests/type checking), and workflow integration (triggering CI/CD, updating tickets, sending notifications). The CCA Agentic Architecture Guide covers how hooks integrate with broader agentic patterns.

Skills System: Reusable Capabilities

Claude Code's skills system provides modular, reusable capabilities that extend core functionality beyond basic tool use. Skills encapsulate complex workflows, domain-specific knowledge, and multi-step procedures into invocable units that maintain consistency across projects and team members.

Skills vs. CLAUDE.md comparison:

Feature	CLAUDE.md	Skills
Scope	Project context and instructions	Reusable procedures and workflows
Organization	Single file per directory level	Multiple files organized by capability
Content	Descriptive context and standards	Executable procedures and templates
Invocation	Automatically loaded on session start	Explicitly called via commands or triggers
Versioning	Tied to project/directory structure	Independent versioning and updates
Sharing	Project-specific, version controlled	Cross-project, centrally managed

Skills locations follow a similar hierarchy to other configurations:

~/.claude/skills/ - User-level skills (personal automation)
.claude/skills/ - Project-level skills (team workflows)
Enterprise skills repositories (organization standards)

Typical skills include code review workflows (automated PR analysis with security, performance, and style checks), deployment procedures (multi-environment deployment with rollback capabilities), testing strategies (comprehensive test generation covering unit, integration, and e2e scenarios), and documentation generation (API docs, README updates, changelog maintenance).

python# Example skill: ~/.claude/skills/security_review.py
import subprocess
import json
import sys

def analyze_security_risks(file_paths):
    """Comprehensive security analysis for code changes"""
    results = []
    
    # Static analysis with semgrep
    semgrep_cmd = ["semgrep", "--config=auto", "--json"] + file_paths
    semgrep_result = subprocess.run(semgrep_cmd, capture_output=True, text=True)
    
    if semgrep_result.returncode == 0:
        findings = json.loads(semgrep_result.stdout)
        for finding in findings.get('results', []):
            results.append({
                "type": "security",
                "severity": finding.get('extra', {}).get('severity', 'info'),
                "message": finding.get('extra', {}).get('message', ''),
                "file": finding.get('path'),
                "line": finding.get('start', {}).get('line')
            })
    
    # Check for hardcoded secrets
    secret_patterns = [
        r'api[_-]?key[\s]*=|password[\s]*=|secret[\s]*=',
        r'AWS_ACCESS_KEY|AWS_SECRET|PRIVATE_KEY',
        r'Bearer\s+[A-Za-z0-9\-\._~\+\/]+=*'
    ]
    
    for pattern in secret_patterns:
        grep_cmd = ["grep", "-nH", "-E", pattern] + file_paths
        grep_result = subprocess.run(grep_cmd, capture_output=True, text=True)
        
        for line in grep_result.stdout.split('\n'):
            if line.strip():
                file_path, line_num, content = line.split(':', 2)
                results.append({
                    "type": "secret",
                    "severity": "high",
                    "message": f"Potential hardcoded secret: {content.strip()}",
                    "file": file_path,
                    "line": int(line_num)
                })
    
    return results

if __name__ == "__main__":
    file_paths = sys.argv[1:]
    results = analyze_security_risks(file_paths)
    
    if results:
        print("🔒 Security Review Results:")
        for result in results:
            emoji = "🚨" if result['severity'] == 'high' else "⚠️" if result['severity'] == 'medium' else "ℹ️"
            print(f"{emoji} {result['file']}:{result['line']} - {result['message']}")
    else:
        print("✅ No security issues detected")

Skills integrate with hooks for automated execution, can be version controlled for team consistency, and support parameterization for flexible reuse across different project contexts.

CI/CD Integration and Headless Automation

Claude Code's CI/CD capabilities enable automated code analysis, testing, and deployment workflows within continuous integration pipelines. The 2026 release introduced headless mode, cloud scheduling, and enterprise-grade automation features that transform Claude Code from a developer tool into a production system component.

Headless configuration requires environment variable setup for API authentication and permissions:

bash# Docker CI/CD setup
FROM node:18-alpine
RUN npm install -g @anthropic-ai/claude-code@latest

# Set required environment variables
ENV ANTHROPIC_API_KEY=your-api-key-here
ENV CLAUDE_HEADLESS=true
ENV CLAUDE_AUTO_APPROVE=true

# Copy project configuration
COPY .claude/ /workspace/.claude/
COPY CLAUDE.md /workspace/

# CI/CD workflow commands
CMD ["claude", "review", "--format=json", "--output=/workspace/review-results.json"]

Common CI/CD patterns include automated pull request reviews (security analysis, performance checks, style compliance), deployment verification (smoke tests, health checks, rollback triggers), and scheduled maintenance (dependency updates, security scans, documentation updates). Cloud scheduling introduced in 2026 enables persistent workflows that run independently of local development environments:

json{
  "schedules": {
    "nightly_analysis": {
      "cron": "0 2 * * *",
      "command": "claude analyze --full-project --generate-report",
      "notifications": ["slack://dev-team", "email://[email protected]"]
    },
    "weekly_security_scan": {
      "cron": "0 10 * * 1",
      "command": "claude security-review --recursive --fail-on-high",
      "notifications": ["pagerduty://security-team"]
    }
  }
}

Permission models for CI/CD require careful configuration to balance automation capabilities with security constraints. Production environments typically use restricted permission sets with explicit allow-lists for required operations.

The CCA Decision Frameworks: Agents vs Workflows guide covers decision criteria for choosing between interactive development assistance and automated CI/CD integration patterns.

Configuration Best Practices and Anti-Patterns

Successful Claude Code implementations follow established patterns while avoiding common configuration mistakes that lead to security vulnerabilities, performance issues, or team workflow conflicts.

Configuration best practices include: Layered permissions: Start restrictive at enterprise level, gradually expand permissions at project and user levels. Use deny patterns for dangerous operations ("Bash(rm -rf )", "Bash(sudo )") and explicit allow patterns for approved workflows. Environment separation: Maintain separate configurations for development, staging, and production. Use .claude/settings.local.json for developer-specific overrides while keeping shared configuration in version control. Hook optimization: Design hooks to be fast and reliable. Use background processes for time-intensive operations and implement proper error handling to prevent workflow interruption. CLAUDE.md maintenance: Keep project instructions current with architecture changes. Include onboarding instructions for new team members and document configuration dependencies. Common anti-patterns to avoid:

Anti-Pattern	Problem	Solution
Overly permissive permissions	Security risk, accidental damage	Start with minimal permissions, expand as needed
Slow hooks	Workflow interruption, poor UX	Use async operations, optimize command execution
Outdated CLAUDE.md	Inconsistent behavior, confusion	Regular reviews, tie updates to architecture changes
Hardcoded paths	Environment portability issues	Use relative paths, environment variables
Monolithic configurations	Difficult maintenance, unclear ownership	Modular organization, clear responsibility boundaries
Ignored local overrides	Version control pollution, merge conflicts	Proper .gitignore patterns, clear local vs shared boundaries

Testing strategies for configurations include validating permission patterns with test scenarios, verifying hook behavior in isolated environments, and maintaining configuration documentation alongside code changes.

The CCA Exam Anti-Patterns Cheat Sheet provides comprehensive coverage of configuration mistakes that frequently appear in exam scenarios.

Advanced Integration Patterns

Advanced Claude Code implementations leverage sophisticated integration patterns that combine multiple configuration systems for enterprise-scale development workflows. These patterns demonstrate the deep understanding expected for CCA exam success.

Multi-project orchestration enables consistent configurations across microservice architectures and monorepos:

json{
  "workspace": {
    "projects": [
      {
        "name": "api-service",
        "path": "./services/api",
        "config": ".claude/api-service.json",
        "dependencies": ["shared-schemas"]
      },
      {
        "name": "web-client",
        "path": "./clients/web",
        "config": ".claude/web-client.json",
        "dependencies": ["shared-components", "api-service"]
      }
    ]
  },
  "shared_hooks": {
    "PostToolUse": [
      {
        "matcher": "Edit",
        "command": "node scripts/sync-dependencies.js $TOOL_INPUT_FILE_PATH"
      }
    ]
  }
}

Dynamic permission elevation allows temporary privilege escalation for specific workflows:

python# ~/.claude/skills/deploy.py
import os
import subprocess
import tempfile

def deploy_with_elevated_permissions(environment, commit_sha):
    """Temporary permission elevation for deployment"""
    
    # Create temporary elevated config
    elevated_config = {
        "permissions": {
            "allow": [
                "Bash(kubectl *)",
                "Bash(docker *)",
                "Bash(aws s3 *)",
                "Write(deploy/**)"
            ]
        }
    }
    
    with tempfile.NamedTemporaryFile(mode='w', suffix='.json', delete=False) as f:
        json.dump(elevated_config, f)
        elevated_config_path = f.name
    
    try:
        # Execute deployment with elevated permissions
        env = os.environ.copy()
        env['CLAUDE_CONFIG_OVERRIDE'] = elevated_config_path
        
        deploy_cmd = f"claude deploy --environment={environment} --commit={commit_sha}"
        result = subprocess.run(deploy_cmd, shell=True, env=env, 
                              capture_output=True, text=True)
        
        return result.returncode == 0
    finally:
        # Clean up temporary config
        os.unlink(elevated_config_path)

Cross-tool synchronization maintains consistency across IDE extensions, terminal usage, and CI/CD pipelines through shared configuration stores and event-driven updates. Telemetry and monitoring integration provides insights into configuration effectiveness, hook performance, and team usage patterns, enabling data-driven optimization of development workflows.

These patterns demonstrate the enterprise-grade capabilities that distinguish expert-level Claude Code usage from basic implementation, representing the advanced knowledge tested in CCA exam scenarios.

Frequently Asked Questions

What is CLAUDE.md and how does it work in Claude Code configuration?

CLAUDE.md is a markdown file that provides project-specific instructions to Claude Code. It creates persistent context that survives across sessions, containing build commands, architecture details, coding standards, and important constraints. The file loads automatically when Claude Code starts in a project directory, with a four-level hierarchy: user global, project root, directory-specific, and parent directory walk-up.

How does the Claude Code settings hierarchy determine permissions?

Claude Code uses a five-level settings hierarchy: Enterprise policy (highest priority), user global settings (~/.claude/settings.json), project settings (.claude/settings.json), local overrides (.claude/settings.local.json), and enterprise defaults (lowest priority). Higher levels override lower levels, and deny permissions always take precedence over allow permissions, regardless of hierarchy level.

What are the three types of hooks in Claude Code and when do they execute?

Claude Code has three hook types: PreToolUse (executes before tool invocation, can validate parameters or block execution), PostToolUse (runs after tool completion, used for formatting and follow-up actions), and Stop (executes when Claude Code reaches end_turn, can continue the agent loop if it returns non-empty output). Each hook type receives different environment variables and has specific return code behaviors.

How do you configure Claude Code for CI/CD pipelines in 2026?

CI/CD configuration requires setting the ANTHROPIC_API_KEY environment variable and enabling headless mode with CLAUDE_HEADLESS=true. Copy project configuration files (.claude/settings.json, CLAUDE.md) to the CI environment and use appropriate permission restrictions for automated workflows. The 2026 release added cloud scheduling for persistent workflows independent of local development environments.

What's the difference between Claude Code skills and CLAUDE.md files?

CLAUDE.md provides descriptive project context and coding standards that load automatically per directory, while skills are executable procedures and workflows that must be explicitly invoked. Skills are reusable across projects and stored in ~/.claude/skills/ or .claude/skills/, whereas CLAUDE.md files are project-specific and tied to directory structure. Skills encapsulate complex multi-step procedures, while CLAUDE.md provides contextual information.

How do permission patterns work in Claude Code settings?

Permission patterns use glob-style matching with specific syntax: "Bash(npm )" allows npm commands, "Write(src/)" restricts writes to source directories, and "Bash(rm -rf )" blocks destructive operations. The deny array always overrides allow patterns, regardless of specificity. Patterns can match tool names, command prefixes, file paths, or use wildcards for broader matching.

What environment variables are available in Claude Code hooks?

Hooks receive context through environment variables: $TOOL_NAME (name of the executing tool), $TOOL_INPUT (JSON string of tool parameters), $TOOL_INPUT_FILE_PATH (file path for file-related operations), and $TOOL_OUTPUT (tool results, available only in PostToolUse hooks). These variables enable hooks to make decisions based on the specific tool being executed and its parameters.

How do you set up MCP servers in Claude Code configuration?

MCP servers are configured in settings files under the mcpServers section, specifying command, args, and optional environment variables. They can be set at user global level (~/.claude/settings.json), project level (.claude/settings.json), or in dedicated .mcp.json files. Each MCP server runs as a separate process and communicates with Claude Code via the Model Context Protocol standard.

What are the best practices for organizing Claude Code configurations in team environments?

Use version-controlled .claude/settings.json for shared team configuration, .claude/settings.local.json for developer-specific overrides (gitignored), and maintain up-to-date CLAUDE.md files with clear project context. Implement layered permissions starting restrictive at enterprise level, organize skills by capability rather than project, and establish clear ownership boundaries for different configuration components.

How does Claude Code handle configuration conflicts and inheritance?

Configuration inheritance follows the settings hierarchy with higher levels overriding lower levels. CLAUDE.md files merge rather than override, creating layered instructions. Permission conflicts resolve with deny taking precedence over allow. When multiple configuration sources exist, Claude Code merges them according to precedence rules, with enterprise policy always having final authority over all other settings.