The Config Ecosystem — Three Layers Explained
How the global developer profile, project CLAUDE.md, and skill files work together to give Claude a complete picture of who you are, how you work, and how to approach every task.
Every time you open Claude Code in a project, it reads a set of files before you type a single message. These files are not a one-time setup chore — they are a living system that gets richer as you build. Understanding what each layer does is the difference between using Claude as a generic code assistant and using it as a developer who knows your standards, your project, and your patterns by heart.
The Three-Layer System
Here is the complete picture of what Claude reads at the start of every session:
What Claude loads and when:
| When | What loads | Why |
|---|---|---|
| Every session start | Global ~/.claude/CLAUDE.md | Your universal rules and profile |
| Every session start | Project ./CLAUDE.md | This project's specific context |
| When a task starts | Matching skill file | Expert approach for this task type |
When all three are in place, Claude starts every session already knowing: who you are and how you like to work, exactly what this project is (stack, database, routes), and the proven expert approach for whatever type of task you're about to do.
Layer 1: The Global CLAUDE.md — Your Developer Profile
File location: ~/.claude/CLAUDE.md
On Windows: C:\Users\[your name]\.claude\CLAUDE.md
What it is: A permanent document describing you as a developer. It lives outside any specific project — in the .claude folder in your home directory. Every Claude Code session you ever open, on any project, on this machine, reads this file first.
The analogy: Your firm's standard operating procedure document. When a new team member joins your CA firm, you hand them the SOP: how the firm operates, what tools you use, what the quality standards are, what you never do. This is that SOP — but for Claude, and it covers how you build software.
What belongs in the global profile:
| Section | What to put here |
|---|---|
| Who I Am | 2 sentences: your background (CA), your goals, what you build |
| Core Rules | 6–8 non-negotiables: no TypeScript any, RLS always on, soft-delete only, integers for money |
| Tech Stack | Every layer: framework, language, styling, state management, forms, icons |
| Skill Routing | Which skill to load for which task type |
| Git Rules | Commit message format, when to commit, what never to commit |
| Indian Locale | IST default, phone format, rupee formatting, GSTIN pattern |
| Response Style | No trailing summaries, no emojis, concise answers |
What does NOT go here:
- Anything specific to one project (that goes in the project CLAUDE.md)
- API keys, passwords, or secrets (those go in
.envfiles, never in markdown files) - Large code patterns (those go in skill files)
The one-time investment: Writing your global profile takes about 20 minutes the first time. After that, Claude uses it across every project on your machine — you never re-explain your preferences, your stack choices, or your rules. Every session on every project starts with Claude already knowing how you work.
Layer 2: The Project CLAUDE.md — This Project's Rulebook
File location: At the root of your project folder (e.g., S:\My Projects\MyApp\CLAUDE.md)
What it is: A permanent document describing everything about this specific project. It is committed to git alongside your code, so anyone who opens the project (including Claude on a different machine) reads the same context.
What it is NOT: A README. A README explains what the project does to people who find it on GitHub. A project CLAUDE.md explains how to work on it to Claude.
The analogy: The engagement file for a specific audit client. Your global SOP (Layer 1) tells you how your firm operates. The engagement file tells you about THIS client — their chart of accounts, their specific requirements, what needs special attention, what you found last time. The project CLAUDE.md is that engagement file.
What belongs in the project CLAUDE.md:
| Section | What to put here |
|---|---|
| Project description | 2–3 sentences: what it does, who uses it |
| Supabase project ref | The ID from your dashboard URL — critical for every database operation |
| Tech stack | Complete stack for this project (may differ from global defaults) |
| Quick commands | Exact terminal commands: dev server, build, type-check, lint |
| Folder structure | Where components, hooks, pages, edge functions live |
| User roles and routes | Who can access what, which routes have which guards |
| Database tables | Every table with a one-sentence purpose |
| Environment variables | The names of the env vars needed (not the values) |
| Test accounts | Emails for each role (credential references, not actual passwords) |
| Known issues | Bugs discovered, with root cause, workaround, and fix plan |
| Decisions log | Why key architectural decisions were made |
A real example — the Aurora Public School project CLAUDE.md:
Aurora Public School is the live job placement platform used throughout this training. Its project CLAUDE.md is 511 lines. Here are the key sections and what they contain:
| Section | What Aurora Public School documents |
|---|---|
| What This Project Is | "Aurora Public School is a CA-focused job placement platform." 2 sentences. |
| Supabase project ref | pncukoisflzcgswujqgi — used on every database tool call |
| Tech Stack table | React 18.3, TypeScript 5.8, Vite 5.4, exact version numbers |
| 8 Hard Rules | Always use matching skill, never ask user to run migrations, backend before frontend |
| Skill Protocol | Table mapping 4 task types to 5 skill files |
| Project Structure | Full folder tree: 50+ components, 13 admin hooks, mobile app, edge functions |
| User Roles | 5 roles: candidate, recruiter, admin, CA firm, public — each with route guards |
| Database Tables | 40+ tables, each with a one-sentence purpose |
| Test Accounts | 7 accounts for testing each role (passwords in secure storage, not in file) |
| Known Issues | 26 tracked issues: root cause, workaround, fix plan |
That 511-line investment saves hours every session. Claude already knows where everything is, who can access what, and what the architectural decisions were — without you explaining a single thing.
Never put API keys, passwords, or secrets in any CLAUDE.md file. Both the global and project CLAUDE.md files are plain Markdown files committed to git. If your repository ever becomes public or is shared, everything in CLAUDE.md is visible. Credentials always go in .env files — which are always in .gitignore and never committed.
Layer 3: Skill Files — Expert Instruction Sets
File location: ~/.claude/skills/ (global — shared across all your projects)
On Windows: C:\Users\[your name]\.claude\skills\
What they are: Markdown files that contain step-by-step expert instructions for a specific type of task. When you describe a task, Claude checks the skill routing table in your CLAUDE.md, loads the matching skill file, and follows its sequence for the entire task.
The analogy: The specialized procedure section of your firm's SOP. The main SOP (global CLAUDE.md) tells you how the firm operates. The "Income Tax Audit Procedure" or "GST Reconciliation Checklist" tells you the expert step-by-step sequence for that specific type of engagement. Skill files are those specialized procedures — except for software tasks.
Why skill files matter:
Without a skill file, Claude defaults to a generic approach for every task type. With a skill file:
- The investigation sequence is predefined and battle-tested
- The quality checklist runs automatically before Claude says "done"
- Anti-patterns are documented — Claude avoids known mistakes
- Every task of that type is handled consistently, regardless of session
The five production skill files from Aurora Public School:
These are production skill files from a live platform. Each one was developed through real-world use.
new-feature.md — Building Something New
Triggered by: "build," "add," "create," "implement," "new page," "new form"
What it makes Claude do:
- Extract requirements as a numbered list and confirm before coding
- Check existing database structure before proposing schema changes
- Build the database migration first (if needed), then the data hook, then the UI
- Create React Query hooks for all data fetching — never call Supabase directly in a component
- Add Zod validation for all user inputs before building the form
- Handle three states in every data-showing component: loading (skeleton), error (friendly message), empty (helpful prompt)
- Run a quality checklist before saying done: types correct, RLS exists, all three states handled, responsive
Anti-patterns it prevents: Direct Supabase calls in components, any types, hard-deletes, service role key in frontend
bug-fix.md — Investigating and Fixing Problems
Triggered by: "fix," "bug," "broken," "error," "not working," "crash," "wrong"
What it makes Claude do:
- Define expected vs actual behavior before touching any code
- Follow a systematic investigation sequence: read the component → check the data hook → check the database/RLS → check recent git changes → check browser console errors
- Identify root cause, not just symptom
- Fix the root cause — not a workaround
- Verify in the actual browser with real data
- Check if the same bug could exist elsewhere
Anti-patterns it prevents: Adding as any to silence TypeScript errors, empty catch blocks, fixing the symptom while leaving the root cause
supabase-migration.md — Database Changes
Triggered by: "database," "table," "schema," "migration," "RLS," "column," "foreign key"
What it makes Claude do:
- Answer the data design questions first (what is stored, who reads it, who writes it, how it connects)
- Write the SQL migration file in
supabase/migrations/with a timestamp prefix - Include in every migration:
CREATE TABLE, RLS enabled, policies for each user role,is_deletedsoft-delete column - Apply the migration via CLI without asking you to run it manually
- Regenerate TypeScript types after the migration
- Update any hooks querying the affected tables
Anti-patterns it prevents: RLS disabled tables, hard-deletes, storing money as floats, storing passwords in your own tables
pre-launch-audit.md — Checking Before Going Live
Triggered by: "before release," "audit," "pre-launch," "check everything," "ready to go live"
What it makes Claude do:
- Security check: grep for service role key in frontend, hardcoded API keys,
.envmissing from.gitignore, TypeScriptany - Database check: verify RLS enabled on every user-data table, at least one policy per operation
- Code quality check:
console.login production code, empty catch blocks, build passes cleanly - UI check: pages load without errors, login works, core flows work end-to-end, error messages are user-friendly, works on mobile
- Classify every finding as Critical / Important / Nice to have
- Report findings in a structured format before recommending launch
Anti-patterns it prevents: Shipping with security holes, disabled RLS, console.log spam, broken core flows
How the Three Layers Interact
Precedence (what wins when rules conflict):
Example: Your global CLAUDE.md says "max 400 lines per file." Your project CLAUDE.md says "max 500 lines for this project." For this project, Claude uses 500 — the project rule wins.
Example: Your global CLAUDE.md says "use React Query for all data fetching." The bug-fix skill says "when investigating data bugs, first check the React Query cache key and invalidation logic." Both apply — React Query (from global) + the investigation sequence (from skill).
The loading sequence in a typical session:
~/.claude/CLAUDE.md — loads your developer profile./CLAUDE.md — loads this project's contextnew-feature.mdQuick Reference: What Goes Where
| This information | Goes in |
|---|---|
My TypeScript rules (no any) | Global CLAUDE.md |
| My preferred libraries | Global CLAUDE.md |
| My Git commit format | Global CLAUDE.md |
| Indian locale defaults | Global CLAUDE.md |
| The Supabase project reference ID | Project CLAUDE.md |
| This project's folder structure | Project CLAUDE.md |
| Which routes require which user roles | Project CLAUDE.md |
| Test account emails | Project CLAUDE.md |
| How to build a new feature step by step | Skill file (new-feature.md) |
| How to investigate a bug step by step | Skill file (bug-fix.md) |
| How to set up RLS properly | Skill file (supabase-migration.md) |
| How to check before going live | Skill file (pre-launch-audit.md) |
| My API keys | .env file — never in any CLAUDE.md |
You always write Indian phone validation as /^[6-9][0-9]{9}$/ and want this applied in every project. Where does this rule go?
You're building a new project. The Supabase dashboard URL shows: app.supabase.com/project/abcd1234efgh. Where does this reference ID go and why?
Before you move on — can you do all of this?
Click each item you're confident about. Bring the unchecked ones to your next session.
I can name the three config layers and where each file lives on my machine
I know that project CLAUDE.md overrides global CLAUDE.md when they conflict
I know what belongs in the global profile vs the project file
I understand the four skill files and what task type each one handles
I know that skill files are loaded when the task starts, not at session start
I know that API keys never go in CLAUDE.md — they go in .env files only