Claude Code Cheatsheet
What it is
Claude Code is Anthropic's terminal-based coding agent. It reads, edits, and writes files in your repo, runs shell commands, manages git, and orchestrates MCP servers — all from a CLI session, not a chat sidebar. For deployment work, that means it can generate Dockerfiles, debug failed CI runs, draft ~/.ssh/config entries, and wire up GitHub Actions workflows in a single session, with full context of your codebase.
This cheatsheet focuses on the slash commands, flags, hooks, and MCP patterns that matter when Claude Code sits between you and a production deploy. Generic Claude Code references already exist; the deployment-shaped recipes below are what makes this one worth bookmarking.
Quick reference
Install and authenticate
# Install (one of):
npm install -g @anthropic-ai/claude-code
curl -fsSL https://claude.ai/install.sh | bash
# Start a session in the current repo
claude
# Authenticate (interactive)
/login
# One-shot, non-interactive
claude -p "summarize this repo's deploy setup"
Built-in slash commands
/help # list commands
/clear # clear context (keeps session config)
/compact # summarize older messages, free context
/cost # show session token + cost so far
/model # switch model (opus/sonnet/haiku)
/init # bootstrap a CLAUDE.md for this project
/permissions # view/edit allow/deny tool patterns
/mcp # list MCP servers and connection status
/agents # list sub-agents
/config # show effective settings
/login | /logout
Custom slash commands
Project-scoped commands live in .claude/commands/<name>.md. User-scoped commands in ~/.claude/commands/.
description: Run pre-deploy checklist
allowed-tools: Bash(git status:*), Bash(npm test:*)
Check for uncommitted changes, run tests, summarize blockers.
$ARGUMENTS
Invoke with /<name>. $ARGUMENTS interpolates positional args from /checklist staging.
Useful flags
claude -p "..." # print mode (one-shot, no REPL)
claude -c # continue last session
claude -r <session-id> # resume specific session
claude --model sonnet # override default model
claude --mcp-config ./mcp.json # extra MCP servers for this run
claude --allowed-tools "Bash(git:*)" # restrict tools to a pattern
claude --disallowed-tools "Bash(rm:*)" # blocklist
claude --output-format json # machine-readable output
--dangerously-skip-permissions exists. Don't use it on a host that can SSH into prod.
CLAUDE.md scopes
| Path | Scope |
|---|---|
./CLAUDE.md |
Project (committed) |
./CLAUDE.local.md |
Project, gitignored |
~/.claude/CLAUDE.md |
User, all projects |
/etc/claude-code/CLAUDE.md |
Enterprise |
@<path> imports are followed: @docs/deploy-runbook.md pulls that file into context every session.
Hooks
Hooks fire on lifecycle events. Define in .claude/settings.json (project) or ~/.claude/settings.json (user).
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{"type": "command", "command": "scripts/guard-deploy.sh"}
]
}
]
}
}
Events: PreToolUse, PostToolUse, UserPromptSubmit, Stop, SessionStart, Notification. Exit code 0 allows; non-zero blocks (PreToolUse) or surfaces feedback to the agent.
MCP servers
# Add a server (project scope, written to .mcp.json)
claude mcp add github --scope project -- npx -y @modelcontextprotocol/server-github
# Add via JSON config
claude mcp add-json my-server '{"command":"node","args":["server.js"]}'
# Inside a session
/mcp # status
@<server>:<resource> # reference an MCP resource
/mcp__<server>__<tool> # invoke a server-prefixed slash command
Sub-agents
Files in .claude/agents/<name>.md define isolated agents with their own system prompt, tools, and model:
name: deploy-reviewer
description: Reviews PRs that touch deploy/* before merge
tools: Read, Grep, Glob, Bash
model: sonnet
You review changes to deployment configuration. Flag any change that...
Invoke from the parent session: "ask the deploy-reviewer agent to look at this PR".
Deployment workflows (the moat)
1. Generate a production Dockerfile from an existing repo
A vanilla "write me a Dockerfile" prompt produces a single-stage 800MB image. Anchor the prompt to constraints and you get a production-grade artifact in one shot:
Read package.json and the build scripts. Write a multi-stage Dockerfile that:
- Builds in node:20-alpine, copies node_modules separately for layer caching
- Final stage uses node:20-alpine, runs as non-root user, exposes only the app port
- Honors NODE_ENV=production and uses npm ci --omit=dev
- Adds HEALTHCHECK against /healthz with a 30s start period
Show the full file. Then explain the cache layering decisions in 3 lines.
Pin the constraints in CLAUDE.md so every future Dockerfile request inherits them — no need to re-paste.
2. Debug a failing CI deploy
Paste the failing job log inline and let Claude Code localize:
This GitHub Actions job failed at the deploy step. Find the root cause,
not just the surface error. Check workflow YAML for env mismatches,
secret references that don't exist, and runner version drift.
<paste log>
For deeper integration, wire the GitHub MCP server (claude mcp add github) and ask: "fetch the latest failed run on main, summarize the failure, and propose a workflow patch." The agent-driven CI/CD walkthrough covers the full pattern from issue triage to production deploy.
3. Generate ~/.ssh/config from an inventory
Read infra/hosts.yaml. For each host, generate a ~/.ssh/config Host block:
- Use the deploy-only key at ~/.ssh/deploy_<env>_ed25519
- Set IdentitiesOnly yes (avoid agent leakage to wrong hosts)
- Add Hostname, Port, User from the YAML
Write the result to ~/.ssh/config.d/inventory and append the include line
to ~/.ssh/config if missing.
Pair with the SSH cheatsheet's deploy-key patterns — Claude Code makes the per-environment IdentitiesOnly discipline trivial to apply across 50 hosts.
4. Draft a GitHub Actions workflow with environments and secrets
Create .github/workflows/deploy.yml:
- Triggers on tag push matching v*.*.*
- Uses environment: production with required reviewers
- Steps: checkout, setup-node@v4, npm ci, npm run build, then
POST to ${{ secrets.DEPLOYHQ_WEBHOOK }} with the tag as payload
- Add a separate staging job that runs on push to main
- No hardcoded secrets, all via secrets context
Then gh secret set DEPLOYHQ_WEBHOOK to populate the secret. If you're choosing between an MCP-driven and a CLI-driven CI integration here, the practical CLI-vs-MCP comparison for coding agents breaks down the tradeoffs.
5. Hooks for deploy hygiene
Block destructive Bash commands during deploy sessions:
# scripts/guard-deploy.sh — exits non-zero to block the tool call
#!/usr/bin/env bash
set -euo pipefail
input=$(cat)
cmd=$(echo "$input" | jq -r '.tool_input.command // ""')
if echo "$cmd" | grep -E 'rm -rf /|drop database|truncate' >/dev/null; then
echo "Blocked dangerous command in deploy session: $cmd" >&2
exit 2
fi
Wire as a PreToolUse hook with matcher: "Bash". Exit code 2 surfaces the message back to Claude Code, which will then refuse the action and explain to you instead of running it.
PostToolUse is useful for an audit trail — append every Bash command to ~/.claude/deploy-audit.log so you can grep what an agent ran during a deploy window.
6. MCP servers worth wiring up for ops work
| Server | What it gives you in a deploy session |
|---|---|
@modelcontextprotocol/server-github |
Read PRs, fetch run logs, comment on issues |
@modelcontextprotocol/server-filesystem |
Sandbox file ops to a release directory |
| Postgres MCP server | Query staging DB, dry-run migrations safely |
| Sentry MCP server | Pull production errors back into the chat for debugging |
| Kubernetes MCP server | kubectl-equivalent ops scoped by RBAC |
Skip "everything-and-the-kitchen-sink" MCP bundles — every connected server eats context tokens before you've typed anything. Our curated list of MCP servers worth installing for web developers covers the set that actually pulls weight.
7. Cost discipline for long deploy sessions
Long sessions burn tokens. Defaults that pay for themselves:
/compact # at every natural breakpoint
/model haiku # for repetitive sub-tasks (lint fixes, log triage)
claude -p "..." # for one-shot tasks; no REPL = no context buildup
Drop a /cost once per session — surprises are cheaper to catch early. The free GitHub repos that cut your Claude Code token bill round up the patterns that move the needle most.
Common errors and fixes
| Symptom | Fix |
|---|---|
| Permission prompt on every Bash command | /permissions → add Bash(git:*), Bash(npm:*) to allowlist; commit .claude/settings.json |
MCP server failed to connect |
claude mcp list to inspect; check the server's stdio command runs standalone first |
| Hook never fires | Verify matcher is exact (e.g. Bash not bash); confirm settings file path scope |
| Context window pressure mid-session | /compact then continue; for very long tasks, split via sub-agents |
claude -c resumes the wrong session |
Use claude -r <id> with the explicit ID from ~/.claude/projects/... |
Tools work locally, fail under --print |
--print runs without interactive permission prompts; pre-allow via --allowed-tools |
| Agent edits files outside scope | Tighten the sub-agent's tools: frontmatter; use Read,Grep only for review agents |
| Output truncated in CI | --output-format json and parse with jq, don't rely on streamed text |
Companion: full DeployHQ workflow with AI agents
For the end-to-end pattern — Claude Code drafting the deploy artifact, GitHub Actions running the build, DeployHQ orchestrating the release across servers — read the agentic workflows guide for CI/CD pipelines. For project-config best practices that keep Claude Code's output consistent across deploys, see the CLAUDE.md, AGENTS.md and Copilot instructions guide.
DeployHQ's automatic deployments from Git sit naturally downstream of an AI-drafted workflow: Claude Code writes the workflow, DeployHQ owns the actual atomic release, rollback, and per-server config. Start a free DeployHQ trial to wire one up.
Related cheatsheets
- SSH cheatsheet — for the deploy keys and
~/.ssh/configdiscipline that Claude Code's generators slot into. - Docker cheatsheet — for the runtime patterns that the multi-stage Dockerfile workflow above produces.
- Bash scripting cheatsheet — for the hook scripts and deploy guards that wrap Claude Code's Bash tool calls.
- GitHub Actions cheatsheet — for the workflow YAML that the CI generator produces.
- Cheatsheets hub — every DeployHQ cheatsheet in one place.
Need help? Email support@deployhq.com or follow @deployhq on X.