Table of Contents

Claude Code Interview Questions for Hiring Software Engineers in 2026: Junior to Senior Answers with Postmortems

Claude Code job interview questions in 2026 test three things simultaneously: your command of the official permission and memory architecture (CLAUDE.md scopes, auto memory vs. explicit instructions, settings hierarchy), your ability to name and explain every major extension point (hooks, skills, plugins, subagents via the Task tool, MCP), and your recall of real production incidents that senior interviewers now use as diagnostic probes — the March 2026 harness bugs postmortem, cost-runaway patterns documented by practitioners, and the prompt-injection debate around non-deterministic AI-based defenses. For LangGraph-specific interview prep on stateful graph orchestration, see our LangGraph interview questions.

What is Claude Code and how does it differ from Claude.ai?
When did Claude Code launch and what was the initial release?
How do you install Claude Code and verify it’s working correctly?
What is CLAUDE.md, and how does Claude use it across sessions?
What is auto memory, and how does it differ from CLAUDE.md?
What permission modes does Claude Code support?
How do hooks work in Claude Code, and how would you use PreToolUse to prevent destructive commands?
What is MCP and how does Claude Code integrate with it?
What are subagents in Claude Code, and how does the Task tool relate to them?
How do you integrate Claude Code into a CI/CD pipeline?
How does Claude Code pricing work, and how do you control cost at scale?
What 2026 Claude Code features are likely to appear in senior interviews?
How would you design a CLAUDE.md architecture for 10+ developers in a monorepo?
Scenario: Claude Code silently deleted a production file — what do you check first?
Scenario: Your CI pipeline costs 5x more than expected after enabling Claude Code GitHub Actions — how do you diagnose?
Scenario: Your team CLAUDE.md is 800 lines and Claude ignores half of it — how do you fix this?
Scenario: Claude is in a modification loop and you’ve hit your token limit — what do you do?
Scenario: A new MCP server is behaving unexpectedly — what’s your trust and audit process?
What are the prompt injection risks in Claude Code, and are AI-based defenses sufficient?
Claude Code vs. Cursor vs. GitHub Copilot — when would you choose each?

What Claude Code Interviews Actually Test in 2026

This guide is for software engineers, AI engineers, engineering managers, and platform/DevOps engineers targeting roles where Claude Code proficiency is now a hiring signal — AI-native startups building agent infrastructure, enterprise engineering teams adopting Claude Code at scale, DevOps roles integrating Claude Code into CI/CD, and staff or principal engineers designing multi-agent workflows. It is not a definitions glossary — it is a map of what interviewers actually probe and why, grounded in the official Anthropic documentation, practitioner accounts from Simon Willison and the Claude Code team at Anthropic, and community-sourced production incidents.

Test Your Knowledge Quick knowledge check

Four structural shifts define the 2025–2026 Claude Code hiring cycle:

Claude Code launched February 24, 2025. Anthropic released the terminal CLI agent — then called a “research preview” — as the next step beyond Claude.ai’s chat interface. The distinction matters: Claude Code is a stateful, tool-calling CLI agent; Claude.ai is a browser-based chat product. Conflating them during a phone screen is an immediate credibility hit.
Enterprise adoption has made cost governance a first-class engineering concern. Anthropic’s own documentation reports an average enterprise cost of $13 per developer per active day ($150–250/month). Boris Cherny, identified in the community as the creator of Claude Code, acknowledged that “some engineers use hundreds of thousands of dollars worth of tokens per month.” Software engineers interviewing at Anthropic should review Anthropic interview questions to understand cost governance across the Claude product line. Interviewers at cost-conscious organizations now test whether candidates understand token management, rate-limit architecture, and cost-attribution tooling.
The March 2026 harness bugs postmortem changed how senior interviewers frame agentic system design questions. Anthropic documented three separate harness bugs (not model failures) that caused widespread “forgetful and repetitive” behavior. Simon Willison’s April 24, 2026 commentary on the postmortem crystallized the lesson: “the kinds of bugs that affect harnesses are deeply complicated, even if you put aside the inherent non-deterministic nature of the models themselves.” Postmortem-style questions now appear in senior system design rounds.
Security scrutiny has arrived. Simon Willison flagged on March 24, 2026 that the non-deterministic nature of AI-based prompt injection defenses means they cannot be fully trusted: “I remain unconvinced by prompt injection protections that rely on AI, since they’re non-deterministic by nature.” Senior security-adjacent roles now probe whether candidates understand where Claude Code’s permission system provides deterministic enforcement vs. AI-classifier-based soft control.

The SFEIR Institute is currently the only other organization with a structured Claude Code Q&A guide (27 questions, three tiers). This guide covers everything SFEIR covers, plus the 2026 features SFEIR misses (worktrees, channels, checkpoints, plugins, auto mode, Agent SDK), scenario-based behavioral questions SFEIR has none of, and named practitioner postmortems SFEIR does not include.

Foundation Questions: What Claude Code Is and Where It Fits

Foundation questions appear at the phone screen or first technical round. Their purpose is to disqualify candidates who have not used Claude Code at all, or who conflate it with other Claude products.

What is Claude Code and how does it differ from Claude.ai?

Concept: Product positioning and CLI vs. chat distinction | Difficulty: Junior | Stage: Phone screen

Claude Code is an AI-powered terminal CLI agent developed by Anthropic. It runs locally on your machine (or in CI, or on the web at claude.ai/code), calls tools in a loop — reading files, running bash commands, making git commits, calling APIs — and understands your entire codebase across multiple files. Claude.ai is a separate browser-based chat product. They share the same underlying models but serve fundamentally different use cases: Claude.ai is conversational, stateless per session; Claude Code is agentic, stateful, and deeply integrated with the local development environment. The official overview describes Claude Code as helping developers “build features, fix bugs, and automate development tasks” through tools that span the entire SDLC.

What they’re really probing: Candidates who say “Claude Code is Claude in a terminal” without mentioning the tool-calling loop, file system access, or MCP integration reveal they have not used it in production. The key differentiator: Claude Code can run shell commands, edit files across a project, create branches, open PRs, and spawn subagents — Claude.ai cannot.

Common pitfall: Saying “you can do the same thing in Claude.ai Projects.” Claude.ai Projects give Claude persistent context but do not give it shell access, file system write permissions, or the ability to run code. These are architecturally different capabilities.

When did Claude Code launch and what was the initial release?

Concept: Product history and timeline | Difficulty: Junior | Stage: Phone screen / context check

Claude Code launched on February 24, 2025 by Anthropic as a research preview. The Anthropic documentation site and practitioner records confirm this date. The product has iterated rapidly since launch, with major additions through 2025–2026 including worktrees, the Agent SDK reaching GA, channels for external event injection, checkpoints/rewind, the plugins architecture, and scheduled Routines on Anthropic-managed infrastructure.

What they’re really probing: Date precision is a credentialing signal — knowing “February 2025” vs. “sometime in 2025” signals you track the ecosystem closely. At senior levels, interviewers follow up by asking what was added in the 12 months since launch, which maps to the 2026 features section below.

Common pitfall: Saying “Claude Code is new” (which it no longer is) or confusing the launch date with the Claude 3 model family launch (March 2024). Claude Code is a separate product from the Claude model releases.

How do you install Claude Code and verify it’s working correctly?

Concept: CLI setup and troubleshooting | Difficulty: Junior | Stage: Technical screen

Installation depends on OS. The recommended method on macOS/Linux/WSL is the native installer: curl -fsSL https://claude.ai/install.sh | bash. Windows PowerShell uses irm https://claude.ai/install.ps1 | iex. Alternative methods: Homebrew (brew install --cask claude-code for stable; claude-code@latest for rolling), WinGet (winget install Anthropic.ClaudeCode), npm (npm install -g @anthropic-ai/claude-code, requires Node.js 18+), and Linux package managers (apt, dnf, apk). Verification: run claude --version to confirm installation, then claude doctor for a detailed health check of your installation and configuration. First launch requires browser login — you need a Pro, Max, Team, Enterprise, or Console account; the free plan does not include Claude Code access.

What they’re really probing: Installation awareness reveals whether you’ve actually set it up vs. watched a demo. The follow-up “what do you check when it fails to install?” is equally important: common issues include PATH not being updated (native install), permission errors with sudo npm install -g (never use sudo), and Git for Windows missing on native Windows (needed for the Bash tool).

Common pitfall: Using sudo npm install -g @anthropic-ai/claude-code — the docs explicitly warn against this due to permission issues and security risks. On Windows, missing Git for Windows causes Claude Code to fall back to PowerShell as the shell tool, which changes behavior for bash-dependent scripts.

Claude Code Extension Points Reference (2026)

Interviewers at the mid and senior level cycle through the extension points in order: hooks first (automation), then skills (reusable workflows), then plugins (packaged distribution), then subagents (context isolation and parallelism), then MCP (external tool integration). Knowing all five and the architectural reason each one exists as a separate mechanism is the threshold test.

Extension Point	What It Does	When to Use It	Common Interview Probe
CLAUDE.md	Markdown file(s) loaded at session start as persistent instructions; four scope levels (managed/user/project/local); treated as context, not enforced configuration	Coding standards, project architecture, conventions that apply every session	“What’s the difference between project CLAUDE.md and managed policy CLAUDE.md?”
Hooks	Shell commands/HTTP endpoints that fire at named lifecycle events (PreToolUse, PostToolUse, SessionStart, etc.); can block tool calls, run linting, send notifications	Enforcing actions at specific lifecycle points regardless of what Claude decides	“Write a PreToolUse hook that blocks rm -rf”
Skills	Reusable workflows packaged as markdown+frontmatter, invoked via slash commands (e.g., /review-pr); only load on invocation or when Claude determines relevance	Team-shared, repeatable multi-step workflows that don’t need to be in context every session	“Why use a skill instead of putting instructions in CLAUDE.md?”
Plugins	Packaged collections of skills + hooks + MCP servers + subagents + settings; distributable via marketplace; enterprise admins can force-enable via managed settings	Distributing a consistent toolset across an engineering organization or externally	“How does a plugin differ from a project-level settings.json?”
Subagents (Task tool)	Specialized AI assistants with their own context window, system prompt, tool access, and permissions; spawned by the main Claude session; cannot spawn further subagents	Isolating noisy exploration tasks, parallelizing independent subtasks, routing to cheaper models (Haiku) for specific jobs	“What are the built-in subagents and when does Claude automatically delegate to each?”
MCP servers	External tools/data sources connected via Model Context Protocol; three transports (HTTP recommended, SSE deprecated, stdio); three scopes (local, project, user)	Giving Claude Code access to Jira, Sentry, GitHub, Postgres, Slack, or any custom API	“When would you use MCP instead of just giving Claude a CLI tool to run?”

Permissions Model: What’s Enforced vs. What’s Advised

The permissions architecture is one of the highest-frequency mid-to-senior questions because it has a non-obvious split: settings rules are enforced by the client regardless of what Claude decides; CLAUDE.md instructions shape Claude’s behavior but are not a hard enforcement layer. This distinction is architectural, not cosmetic.

Permission modes (from least to most autonomous):

Default: manual approval required for every non-read-only action; the safest mode
Accept Edits: auto-approves file edits and a fixed set of filesystem bash commands (mkdir, touch, rm, mv, cp, sed) for paths within the working directory; other bash commands still prompt
Auto mode: classifier-based autonomous operation; a soft_deny list blocks categories like git force-push, git push to default branch, downloading and executing external code (curl | bash), and cloud storage mass delete. Requires specific plan, admin, model, and provider requirements — the toggle alone may not enable it.
Bypass permissions: for sandboxed environments with no internet access only; never in production

Settings hierarchy (highest to lowest): Managed (cannot be overridden by any user or project setting) → Command line arguments (temporary session) → Local (.claude/settings.local.json) → Project (.claude/settings.json) → User (~/.claude/settings.json). Engineers building sandboxed code-execution environments often interview at Modal Labs — see our Modal interview questions guide for the platform-engineering probes.

Simon Willison’s practitioner critique (March 24, 2026) on auto mode: “I remain unconvinced by prompt injection protections that rely on AI, since they’re non-deterministic by nature… I still want my coding agents to run in a robust sandbox by default, one that restricts file access and network connections in a deterministic way.” This is a direct reference to the Claude Code auto mode classifier — a useful talking point in security discussions at senior interviews.

Junior-Level Questions: CLI, Installation, and Basic Concepts

Junior questions test whether you have genuinely used Claude Code, not just read about it. Interviewers look for specificity — knowing exact command names, understanding what fails and why, and recognizing the permission prompts you see in practice.

What is CLAUDE.md, and how does Claude use it across sessions?

Concept: Project memory and persistent instructions | Difficulty: Junior | Stage: Technical screen

CLAUDE.md is a markdown file you create in your project root (or other scoped locations) that Claude Code reads at the start of every session. It gives Claude persistent context: build commands, coding standards, project architecture, naming conventions, review checklists. Claude treats it as a user message delivered after the system prompt — meaning Claude reads and tries to follow it, but there is no guaranteed strict compliance; it is context, not enforced configuration. This is why hooks exist: if an instruction “must run at a specific point such as before every commit,” write it as a hook instead, which executes as a shell command at fixed lifecycle events regardless of what Claude decides.

CLAUDE.md scopes (more specific overrides broader): Managed policy (IT-deployed to /etc/claude-code/CLAUDE.md on Linux, cannot be excluded) → Project (./CLAUDE.md or ./.claude/CLAUDE.md, committed to git, shared with team) → User (~/.claude/CLAUDE.md, personal preferences across all projects) → Local (./CLAUDE.local.md, personal project-specific, gitignored).

Key sizing constraint: target under 200 lines per CLAUDE.md. Longer files consume more context and reduce adherence. For larger codebases, use .claude/rules/ with path-scoped rules — these only load when Claude works with matching file patterns, saving context. Use @path/to/import syntax to import other files (max depth 5 hops), though imported files still load at launch and count toward context.

Common pitfall: Adding multi-step procedures to CLAUDE.md. Long instruction sequences belong in skills (which only load on invocation) not CLAUDE.md (which loads every session and consumes context).

What is auto memory, and how does it differ from CLAUDE.md?

Concept: Complementary memory systems | Difficulty: Junior | Stage: Technical screen

Auto memory is the second memory system: Claude writes it itself based on your corrections and preferences; you write CLAUDE.md. Both load at session start. Auto memory requires Claude Code v2.1.59+; stored at ~/.claude/projects/<project>/memory/ with a MEMORY.md index file (first 200 lines or 25KB loaded) and topic-specific files loaded on demand. Auto memory is machine-local — all worktrees in the same git repo share one auto memory directory, and files do not sync across machines or cloud environments.

Use CLAUDE.md for: instructions you want enforced every session — team coding standards, build commands, required review checklists. Use auto memory for: learnings Claude discovers without you writing anything — debugging insights, architecture patterns Claude observed, your stylistic preferences. Run /memory to browse and edit all memory files; toggle auto memory with the autoMemoryEnabled setting or by setting CLAUDE_CODE_DISABLE_AUTO_MEMORY=1.

Common pitfall: Assuming auto memory persists across machines (e.g., between your laptop and a CI runner). Auto memory is local; CLAUDE.md committed to git is what crosses machine boundaries.

What permission modes does Claude Code support, and when would you use each?

Concept: Permission architecture | Difficulty: Junior | Stage: Technical screen

Claude Code offers four permission modes. Default: manual approval for every action beyond reading — safest, used for unfamiliar codebases or sensitive repositories. Accept Edits: auto-approves file edits and safe filesystem bash commands (mkdir, touch, rm, mv, cp, sed) within the working directory; other bash commands and out-of-scope paths still prompt — good for trusted projects where you want faster iteration without full autopilot. Auto mode: a classifier-based autonomous mode with a soft_deny list covering destructive categories (force-push, curl|bash execution, mass cloud storage delete) — requires specific plan, admin, model, and provider requirements. Bypass permissions: for fully sandboxed, no-internet environments only, never in production. Toggle between modes with /config or pass them via CLI flags; use /permissions to audit current settings.

Common pitfall: Enabling Bypass permissions on a developer laptop. The docs state this is for sandboxes with no internet access. Using it on a machine connected to production systems is an explicit security anti-pattern.

What does `claude doctor` do, and when would you run it?

Concept: Installation verification and troubleshooting | Difficulty: Junior | Stage: Phone screen

claude doctor performs a detailed health check of your Claude Code installation: verifies the binary is reachable, checks authentication state, validates API connectivity, reports the current version and release channel, and surfaces common misconfiguration issues. Run it when installation appears to succeed but Claude Code doesn’t behave as expected — common culprits are PATH not updated (native install), missing Git for Windows on native Windows, or API key / OAuth credential issues. Quick sanity check: claude --version confirms the binary exists; claude doctor confirms it’s correctly configured end-to-end.

Common pitfall: Assuming claude --version returning a version means everything is working. Authentication can fail even with a valid installation — claude doctor catches this.

When do you use `/compact` vs. `/clear`, and what survives each?

Concept: Session and context management | Difficulty: Junior | Stage: Technical screen

/compact summarizes the conversation history when approaching the context limit — Claude produces a condensed version of the session’s work, preserving key decisions and code changes; the session continues with this summary as context. The project-root CLAUDE.md survives compaction (Claude re-reads it from disk). Nested CLAUDE.md files in subdirectories are not re-injected automatically — they reload the next time Claude reads a file in that subdirectory. You can customize compaction: /compact Focus on code samples and API usage tells Claude what to preserve. /clear starts a completely fresh context window — no summary, no prior turn content. Use /clear when switching to a completely unrelated task (stale context wastes tokens on every subsequent message). Use /rename before clearing so you can /resume the old session later.

Common pitfall: Adding conversation-only instructions (not written to CLAUDE.md) and expecting them to survive /compact. They don’t. Any instruction you want to persist across compaction must be in CLAUDE.md.

Mid-Level Questions: Configuration, Hooks, MCP, and Workflow

Mid-level questions test practical depth — you’ve used Claude Code in real projects, you’ve configured hooks, you’ve set up MCP servers, and you understand the cost implications of different usage patterns.

How do hooks work in Claude Code, and how would you write a PreToolUse hook to prevent destructive commands?

Concept: Lifecycle automation and safety enforcement | Difficulty: Mid | Stage: Technical screen

Hooks are shell commands, HTTP endpoints, MCP tools, prompts, or agents that fire at named lifecycle events during a Claude Code session. They provide deterministic enforcement at specific points — unlike CLAUDE.md instructions (which Claude may or may not follow), a hook that returns a deny decision blocks the tool call regardless of what Claude decided. Key events: PreToolUse (fires before any tool call; can block it), PostToolUse (fires after success; useful for linting or formatting), SessionStart/SessionEnd, Stop (fires when Claude finishes responding — useful for notifications), and WorktreeCreate/WorktreeRemove (worktree lifecycle).

A PreToolUse hook blocking rm -rf looks like this (from the official docs):

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Bash",
      "hooks": [{
        "type": "command",
        "if": "Bash(rm *)",
        "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/block-rm.sh"
      }]
    }]
  }
}

The script reads tool input from stdin as JSON (tool_name, tool_input), checks for rm -rf, and returns {"hookSpecificOutput": {"hookEventName": "PreToolUse", "permissionDecision": "deny", "permissionDecisionReason": "Destructive command blocked by hook"}}. Returning exit 0 allows the call.

Hook matcher patterns: exact string ("Bash" matches only the Bash tool), pipe-separated ("Edit|Write"), JavaScript regex ("mcp__.*" matches all MCP tools), or omitted (fires on all occurrences). Use the if field for finer filtering with permission rule syntax: "Bash(git *)" only fires when a git subcommand runs.

Common pitfall: Assuming CLAUDE.md instruction “never run rm -rf” is enforceable. It is not — it is advisory. A PreToolUse hook is the only way to deterministically block the command. Senior interviewers probe this distinction explicitly.

What is MCP and how does Claude Code integrate with it?

Concept: External tool integration via Model Context Protocol | Difficulty: Mid | Stage: Technical screen

MCP (Model Context Protocol) is an open standard for connecting Claude Code to external tools and data sources — issue trackers, monitoring dashboards, databases, APIs. Claude Code supports three MCP transports: HTTP (recommended for remote servers; --transport http; also accepts streamable-http alias in config), SSE (Server-Sent Events, deprecated — use HTTP instead), and stdio (local process, ideal for scripts and CLI tools with direct system access). Add a server with claude mcp add --transport http <name> <url>; list servers with claude mcp list; inspect a session’s MCP status with /mcp.

MCP server scopes: Local (default, stored in .claude/, per-project personal), Project (shared via .mcp.json committed to git), User (available across all projects via ~/.claude.json). When the same URL exists in both Claude.ai (connectors) and Claude Code, the Claude Code configuration takes precedence.

Key 2026 addition — Channels: an MCP server can declare the claude/channel capability, enabling it to push external events directly into a running Claude Code session (CI results, Telegram/Discord messages, webhook triggers). Enable with the --channels flag at startup. This is the mechanism behind “Claude Code in Slack” — the Slack MCP server pushes @Claude mentions into the session.

Common pitfall: Using SSE transport for new integrations. SSE is explicitly deprecated; HTTP is the current standard as of 2025–2026. Mentioning SSE as “the HTTP transport” reveals knowledge pinned to the 2024 release.

What are subagents in Claude Code, and how does the Task tool relate to them?

Concept: Context isolation and parallelism | Difficulty: Mid | Stage: Technical screen

Subagents are specialized AI assistants with their own context window, system prompt, tool access, and permission set. When Claude encounters a task that matches a subagent’s description, it delegates to that subagent, which works independently and returns only a summary — keeping noise (search results, file contents, logs) out of the main conversation. Subagents are accessed via the Task tool (the mechanism Claude uses internally to spawn them) and via the /agents slash command (the user-facing interface to create and manage them).

Built-in subagents: Explore (Haiku model, read-only tools, for codebase search — fast and cheap), Plan (inherits main model, read-only, used during plan mode for pre-planning research), general-purpose (inherits main model, all tools, for complex multi-step tasks requiring both exploration and modification). Subagents cannot spawn further subagents (prevents infinite nesting).

Custom subagents are defined as Markdown files with YAML frontmatter: specify model (including Haiku for cost control), allowed tools, permission modes, hooks, skills to preload, and optionally a persistent memory directory. User-scope subagents live at ~/.claude/agents/ and are available across all projects; project-scope at .claude/agents/.

Common pitfall: Saying “subagents are accessed via the Task tool” when asked about user invocation. Technically correct at the implementation level, but the user-facing answer is /agents. The Task tool is what Claude itself uses; /agents is what engineers use to configure them.

How do you integrate Claude Code into a CI/CD pipeline?

Concept: Automation and GitHub Actions | Difficulty: Mid | Stage: Technical screen / system design

Two patterns: headless CLI and GitHub Actions. For headless CI, use the -p (print) flag for non-interactive mode: claude -p "review these changed files for security issues". Pipe output from other commands: git diff main --name-only | claude -p "review these changed files". Set ANTHROPIC_API_KEY as a CI secret; set --max-turns to cap runaway loops; use --model to specify the model (default Sonnet; switch to Opus 4.7 for complex tasks with claude-opus-4-7).

For GitHub Actions, use anthropics/claude-code-action@v1. In interactive mode, Claude responds to @claude mentions in PR or issue comments. In automation mode, use the prompt parameter with a fixed instruction. The claude_args parameter passes any Claude Code CLI argument. Important: the v1.0 action broke backward compatibility from beta — removed the mode parameter (now auto-detected), renamed direct_prompt to prompt, moved max_turns/`model`/custom_instructions to claude_args. For enterprise: supports Amazon Bedrock and Google Vertex AI via OIDC-based IAM authentication.

Common pitfall: Not setting --max-turns in CI. Without a turn limit, a Claude Code GitHub Actions job can loop indefinitely, generating significant API cost. The docs recommend using workflow-level timeouts and GitHub concurrency controls as additional safeguards.

How does Claude Code pricing work, and how do you control cost at scale?

Concept: Cost governance and API token management | Difficulty: Mid | Stage: Technical screen / EM behavioral

Claude Code charges by API token consumption for API users; subscription plan holders (Pro at $20/month, Max at $200/month, Team, Enterprise) have usage included. Enterprise benchmarks from Anthropic’s documentation: average $13 per developer per active day, $150–250 per developer per month, with 90% of users below $30 per active day. However, Boris Cherny acknowledged at the high end: “some engineers use hundreds of thousands of dollars worth of tokens per month.”

Cost control levers: (1) Model selection — Sonnet handles most coding tasks well at lower cost; reserve Opus for complex architectural decisions; use /model to switch mid-session. (2) Context management — /clear between unrelated tasks, /compact with custom instructions, path-scoped rules so instructions only load when needed. (3) Subagent model routing — specify model: haiku in subagent configuration for bulk/low-intelligence tasks. Note: Haiku still counts against Anthropic subscription limits; external models (via Bash tool calls to Kimi, DeepSeek) do not. (4) MCP tool deferral — enabled by default; only tool names enter context until Claude uses a specific tool. (5) Rate limit architecture — set workspace spend limits in the Claude Console for API users; configure workspace-level rate limits to protect other production workloads.

Common pitfall: Routing tasks to Haiku via subagents to “avoid cost” when on a subscription plan. Haiku billed through Anthropic still counts toward the subscription limit. The pattern that actually bypasses the limit is calling a different provider via Bash tool — a documented practitioner pattern for heavy Pro users hitting weekly limits.

Senior-Level Questions: Architecture, Security, and Multi-Agent Design

Senior questions probe mechanism-level answers, production judgment, and the ability to defend architectural decisions. “Claude Code handles it” is not an answer at the senior level.

What 2026 Claude Code features are likely to appear in senior interviews?

Concept: Platform evolution and feature awareness | Difficulty: Senior | Stage: Technical screen

The six 2026 features most likely to surface in senior interviews, with why each one matters architecturally:

1. Worktrees (--worktree / -w flag): launches Claude in an isolated git worktree with its own files and branch. Use case: running multiple Claude Code sessions on different features simultaneously without interference — each session has its own file state while sharing git history. The WorktreeCreate and WorktreeRemove hook events enable orchestration logic around worktree lifecycle. Interviewers ask: “How do you run parallel Claude Code sessions safely?”

2. Channels: MCP servers that declare claude/channel can push external events into a live session — CI results, monitoring alerts, Telegram/Discord messages, webhook events. Enabled with --channels flag. This is the architectural underpinning of “Claude Code in Slack.” Interviewers ask: “How would you have Claude Code react to a PagerDuty alert automatically?”

3. Checkpoints / rewind: Claude tracks file edits throughout a session; users can fork conversation from any prior message, rewind code to a prior state, or fork+rewind. Available in VS Code extension and CLI. Interviewers ask: “How do you recover when Claude goes down a wrong implementation path?”

4. Agent SDK (GA): programmatic integration of Claude Code into applications; powers GitHub Actions integration; enables custom orchestration, tool access, and permission control. The SDK is what you use when you need Claude Code behavior in your own software beyond the CLI. Interviewers ask: “How would you build a custom agent that runs Claude Code against every PR automatically?”

5. Auto mode: classifier-based autonomous operation with deterministic soft_deny categories for the riskiest action classes. Requires specific plan, admin, model, and provider requirements — the toggle alone may not enable it. Simon Willison’s February 2026 critique noted that non-deterministic AI defenses are insufficient; practitioners recommend pairing auto mode with sandboxing for defense-in-depth.

6. Routines (scheduled tasks): run on Anthropic-managed infrastructure, continuing even when the local machine is off; can be triggered by API calls or GitHub events; created via /schedule command. Desktop scheduled tasks run locally and require the machine awake. Interviewers ask: “How would you run a nightly dependency audit with Claude Code?”

Common pitfall: Knowing the feature names but not the architectural implications. “Worktrees allow parallel sessions” is junior-level. “Worktrees with WorktreeCreate/Remove hooks enable an orchestrator pattern where a lead agent creates and tears down worker worktrees programmatically” is senior-level.

How would you design a CLAUDE.md architecture for 10+ developers in a monorepo?

Concept: Team configuration and governance at scale | Difficulty: Senior | Stage: System design

A monorepo CLAUDE.md architecture needs to solve four problems simultaneously: shared standards (everyone gets the same build commands and review criteria), team isolation (team A’s CLAUDE.md doesn’t pollute team B’s sessions), personal overrides (individual developers have preferences that don’t belong in source control), and policy enforcement (security rules that cannot be disabled).

Recommended layering: (1) Managed policy CLAUDE.md (IT/DevOps deployed via MDM/Ansible to system path) — company-wide security policies, compliance reminders, and behavioral guidance that cannot be overridden. (2) Root project CLAUDE.md (version-controlled) — build commands, architecture overview, CI/CD workflow, commit message standards. (3) Subdirectory CLAUDE.md files for team-specific context (e.g., payments/CLAUDE.md with PCI compliance reminders, frontend/CLAUDE.md with component library standards) — these load lazily when Claude works in those subdirectories. (4) Path-scoped rules via .claude/rules/ with YAML frontmatter so TypeScript-specific rules only load when editing .ts files. (5) claudeMdExcludes in team-level .claude/settings.local.json to skip other teams’ CLAUDE.md files that get picked up by directory traversal.

Scale warnings: keep each CLAUDE.md file under 200 lines — over that, adherence degrades and context is wasted every session. If instructions are growing large, move task-specific procedures to skills (load on demand) and keep CLAUDE.md for session-constant facts only.

Common pitfall: Putting the entire company handbook in a single CLAUDE.md. This fails on two dimensions: it exceeds the 200-line guidance, reducing adherence, and it loads context that is irrelevant to most sessions (consuming tokens on every turn). The path-scoped rules system exists precisely for this problem.

What are the prompt injection risks in Claude Code, and are AI-based defenses sufficient?

Concept: Security architecture for agentic systems | Difficulty: Senior | Stage: Security / system design

Prompt injection in Claude Code is the risk that malicious content in a file Claude reads (or a web page it fetches, or an MCP tool response) contains instructions designed to override Claude’s behavior — for example, a file containing . Claude Code includes several defenses: permission system (sensitive operations require explicit approval), context-aware analysis of the full request, input sanitization, command blocklist (curl/wget blocked by default), isolated context windows for web fetch, and “fail-closed” matching (unmatched commands default to manual approval).

However, Simon Willison’s March 24, 2026 analysis is important: “I remain unconvinced by prompt injection protections that rely on AI, since they’re non-deterministic by nature. The documentation does warn that this may still let things through: ‘The classifier may still allow some risky actions: for example, if user intent is ambiguous, or if Claude doesn’t have enough context about your environment to know an action might create additional risk.’” The Anthropic docs themselves acknowledge the classifier is probabilistic.

Defense-in-depth recommendations for production: (1) Use sandboxing (/sandbox on Linux/WSL) for deterministic filesystem and network isolation — more trustworthy than classifier-based defenses. (2) Implement PreToolUse hooks that allowlist specific safe bash commands and deny-list patterns — deterministic enforcement. (3) Use dev containers for additional OS-level isolation. (4) Never pipe untrusted content directly to Claude (cat untrusted-file.txt | claude -p ...). (5) Enable the CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD constraint carefully — external files added this way could contain injection payloads.

Common pitfall: Assuming the permission system eliminates prompt injection risk. The permission system requires Claude to surface the action for approval — but a sophisticated injection could phrase the action in benign-seeming language that passes classifier review. Deterministic defenses (hooks, sandboxing) are the reliable layer; AI classifiers are a probabilistic first filter.

Claude Code vs. Cursor vs. GitHub Copilot — when would you choose each?

Concept: Competitive landscape and tool selection judgment | Difficulty: Senior | Stage: System design / behavioral

This is a judgment question where interviewers want to hear mechanism-level reasoning, not “they’re all good.” Claude Code is the right choice when you need an agentic loop — multi-step tasks across many files, terminal tool use, git operations, custom MCP integrations, and the ability to spawn subagents for parallel work. Its model is billing directly to Anthropic API (or subscription) and token costs scale with task complexity. Cursor is an IDE (fork of VS Code) with AI pair-programming deeply embedded — better UX for single-file editing and inline diff review; stronger at stay-in-editor workflows where you want AI suggestions alongside your code without losing IDE features. GitHub Copilot is best for inline code completion at the character/line level, code chat within the editor, and organizations already on the GitHub Enterprise license stack (Copilot Enterprise is bundled).

The SFEIR Institute framing from their Q27 is useful: Claude Code excels at “orchestration, automation, and multi-file refactors”; IDE copilots excel at “low-latency inline suggestion within a focused editing session.” The choice is often context-dependent, not exclusive — many teams use Claude Code for agentic tasks and Copilot for inline completion simultaneously. A fourth tool that senior interviewers now include in this comparison for OpenAI-stack teams is OpenAI Codex CLI — a GPT-5.5-based terminal agent with its own Plan mode and AGENTS.md project context architecture. The Codex CLI vs Claude Code interview comparison: Rust + GPT-5.5 vs TypeScript + Sonnet 4.x architecture maps the key architectural, model, and governance differences that distinguish the two tools — including the distinct deprecated 2021 Codex API that hiring managers still confuse with the 2025 Codex CLI launch — a disambiguation that signals research depth in interviews.

Common pitfall: Saying “Claude Code is better than Cursor” as a categorical statement. Senior interviewers want architectural reasoning: when is the agentic loop valuable enough to justify the API cost and context-management overhead vs. when is inline IDE completion sufficient? The answer depends on task complexity and team workflow.

Scenario: Claude Code silently deleted a production file — what do you check first, and how do you prevent it?

Concept: Incident diagnosis and permission architecture | Difficulty: Senior | Stage: Behavioral / system design

Your colleague tells you: “I was using Claude Code in auto mode and came back to find a critical config file deleted. There’s no prompt in my history approving the deletion. What happened, and how do we prevent it?”

Diagnosis sequence: (1) Check the Claude Code session transcript — all operations are logged at ~/.claude/projects/<project>/; the session files contain the full tool call history including every bash command executed. (2) Check git status — if the file was under version control, git diff and git log will show whether it was committed or just deleted. (3) Inspect the permission settings that were active — in auto mode, the Accept Edits mode auto-approves a fixed set of filesystem bash commands including rm for paths within the working directory. If the file was in the working directory and rm was in the default allow list, Claude Code could have deleted it without prompting. (4) Check if a PreToolUse hook existed to block destructive commands — if not, add one.

Prevention architecture: (1) Add a PreToolUse hook that denies rm -rf and similar destructive patterns — this provides deterministic blocking regardless of permission mode. (2) Run sensitive sessions in a worktree (--worktree flag) so file state is isolated. (3) Use sandboxing (/sandbox) on Linux/WSL to add filesystem boundary enforcement at the OS level. (4) For critical config files, consider using permissions.deny in managed settings to explicitly deny write access to specific paths. (5) Always keep critical config files in version control so deletion is recoverable via git checkout.

What they’re really probing: This tests whether you understand (a) that auto mode and Accept Edits mode can execute rm without prompting for in-project paths, (b) that hooks are the deterministic blocking layer, (c) that the session transcript provides a full audit trail, and (d) that prevention is architectural (permission design, hooks, sandboxing) not operational (being more careful).

Scenario: Your CI pipeline costs 5x more than expected — how do you diagnose Claude Code GitHub Actions cost overrun?

Concept: Cost governance in CI/CD | Difficulty: Senior | Stage: System design / EM behavioral

Two weeks after enabling Claude Code GitHub Actions, your API bill is 5x higher than projected. The workflow fires on every PR opened, synchronized, and commented. What’s your diagnostic checklist?

Diagnostic checklist: (1) Turn limit — check claude_args for --max-turns; without it, the agent can loop indefinitely. The default is unbounded. This is the most common culprit. (2) Model selection — confirm --model in claude_args; GitHub Actions default to Sonnet. If someone added --model claude-opus-4-7 without accounting for Opus’s higher token cost, costs escalate rapidly. (3) Trigger scope — review which events fire the workflow. pull_request: types: [opened, synchronize, review_requested, labeled] can trigger dozens of runs per PR day. Remove low-value triggers. (4) Concurrency — check if GitHub concurrency controls are configured; without them, 20 simultaneous PRs create 20 simultaneous Claude Code sessions with independent context windows. (5) Context size — large CLAUDE.md files or many MCP tool definitions load on every run; measure via --output-format stream-json to inspect token counts. (6) Workspace spend limits — set a workspace-level rate limit in the Claude Console to cap Claude Code’s share and prevent runaway jobs from consuming your entire API budget.

What they’re really probing: Cost governance discipline in CI/CD is a senior engineering concern. Knowing that --max-turns is critical, that Opus vs. Sonnet is a cost multiplier, and that workspace spend limits exist in the Console signals production experience. The Anthropic docs on CI costs list “set workflow-level timeouts to avoid runaway jobs” and “consider GitHub’s concurrency controls to limit parallel runs” as explicit recommendations.

Production Postmortems: What Went Wrong and What It Teaches

Senior interviewers use real incidents as architecture probes — “name a known Claude Code production issue and what it tells you about agentic system design.” The incidents below are sourced from practitioner accounts and Anthropic’s public postmortem.

Incident	Date	Root Cause	Engineering Lesson
Claude Code harness bugs / quality degradation	March–April 2026	Three separate harness bugs (not model failure): a March 26 change to clear idle-session thinking had a bug causing it to clear every turn for the rest of the session, making Claude seem “forgetful and repetitive.” Simon Willison, April 24, 2026: “the kinds of bugs that affect harnesses are deeply complicated, even if you put aside the inherent non-deterministic nature of the models themselves.”	Agentic systems can degrade at the harness layer, not just the model. Test harness behavior separately from model quality. Session replay and transcript logging are essential for diagnosing non-obvious failures.
Pro plan silent removal (brief)	April 2026	Anthropic silently updated the pricing page to remove Claude Code from Pro plan features and re-titled the support article; no user communication. An Anthropic employee later clarified this was a 2%-of-new-signups test. Reverted within hours after 2,970-point community backlash.	Developer tool trust is fragile. Pricing changes to developer tools require explicit advance communication — silent changes in feature availability trigger credibility loss disproportionate to the actual change. Change management is an engineering discipline.
Source code leak via npm .map file	March 2026	Claude Code’s full TypeScript source was exposed via a `.map` file in the public npm package. Revealed: internal codename “tengu”, a hidden /buddy pet gacha system (April Fools feature), push-to-talk voice using Deepgram, a `wouldLoseAuthState()` guard added to prevent GitHub issue #3117 (config save wiping auth state). r/ClaudeAI, 5,585 score.	Source maps must be excluded from public npm packages. CI/CD publish pipelines need a source-map exclusion step. The community consensus: the underlying code quality was “pedestrian and normal” for a fast-shipping startup — the lesson is the disclosure mechanism, not the code.
Cost runaway — individual and CI	Ongoing (2025–2026)	Individual users hitting Pro weekly limits by Wednesday; CI pipelines generating unexpected API spend. Root: missing `--max-turns` in CI, routing all tasks to the primary model, and treating Haiku-via-Anthropic as a cost bypass (it still counts against subscription limits). Boris Cherny: “some engineers use hundreds of thousands of dollars worth of tokens per month.”	Cost governance must be a first-class concern in Claude Code deployments. `--max-turns` is mandatory in CI. Model routing (Sonnet for normal tasks, Opus for complex decisions, external cheap models for bulk reads) must be explicit, not default.
Multi-agent C compiler — $20K API spend	2025	Anthropic built a 100K-line C compiler using ~2,000 Claude Code sessions at $20,000 in API costs. The compiler requires GCC for 16-bit x86, has no own assembler/linker, and generates less efficient code than GCC with optimizations disabled. r/programming, 2,781 score.	Multi-agent tasks need: (a) verifiable acceptance criteria (compiler test suites provided the oracle), (b) explicit cost modeling before starting, (c) human-guided agent orchestration — the lead engineer did significant framing work around the agents. “Fully autonomous” multi-agent is still a guided process.

Red Flag Answers: What Costs You the Offer

These are answers that immediately signal insufficient depth to senior interviewers:

“CLAUDE.md enforces rules on Claude.” No — it is context, not enforcement. Hooks enforce. CLAUDE.md advises. Candidates who don’t know this distinction reveal they haven’t debugged a Claude Code session where an instruction was not followed.
“You can avoid cost by routing to Haiku via a subagent.” Haiku through Anthropic still counts against the subscription limit. Cost avoidance via subagent model selection is real for API users; subscription plan holders cannot bypass weekly limits this way. External model routing (via Bash tool) is the pattern that actually bypasses it.
“SSE is the HTTP transport for MCP.” SSE is explicitly deprecated; Streamable HTTP is the current standard. This reveals knowledge pinned to the original 2024 MCP implementation.
“Subagents are accessed via the Task tool.” Technically true at the implementation level, but the user-facing answer is /agents. Senior interviewers want to hear both: “Claude spawns subagents using the Task tool internally; engineers configure them via the /agents slash command.”
“I’d use –dangerously-skip-permissions in CI to avoid approval prompts.” This flag is explicitly for sandboxes with no internet access. Using it in CI against production codebases or systems is a security anti-pattern the docs warn against explicitly.
“Claude Code launched in 2024.” The launch date is February 24, 2025. Getting this wrong by a year when you claim to follow the Claude Code ecosystem signals you are regurgitating surface-level information.

Scenario-Based Questions: Mid/Senior Behavioral Tier

Scenario: Your team CLAUDE.md is 800 lines and Claude ignores half of it — how do you fix this?

Concept: CLAUDE.md optimization and context management | Difficulty: Mid | Stage: Behavioral / technical

Your engineering team CLAUDE.md has grown to 800 lines over six months. Developers report Claude ignoring style guidelines, using wrong library versions, and occasionally contradicting itself. What’s your diagnostic and remediation plan?

The root cause is likely a combination: (1) context length degradation — at 800 lines, CLAUDE.md is 4x the 200-line recommendation; adherence degrades as file length increases because later instructions compete for attention with earlier ones, (2) conflicting instructions — as multiple authors add rules over time, contradictions accumulate, and Claude may pick one arbitrarily, (3) wrong file for the content type — multi-step procedures, task-specific instructions, and team-specific rules don’t belong in a session-constant CLAUDE.md.

Remediation plan: (1) Audit for conflicts — run /memory to see what loaded; look for contradictory instructions. (2) Move procedures to skills — anything that is a workflow (deploy steps, PR review process, migration steps) belongs in a skill file that loads on invocation, not in CLAUDE.md. (3) Migrate to path-scoped rules — TypeScript rules only for .ts files, backend rules only for src/api/**; use .claude/rules/ with YAML frontmatter. (4) Split into scoped CLAUDE.md files — root CLAUDE.md (build commands, architecture overview, ~50 lines); subdirectory CLAUDE.md for each team (payments, frontend, infra). (5) Use claudeMdExcludes so developers only load the CLAUDE.md files relevant to their current working directory. Target: root CLAUDE.md under 100 lines after remediation.

Scenario: Claude is in a modification loop and you’ve hit your token limit — what do you do?

Concept: Session recovery and context management | Difficulty: Mid | Stage: Behavioral

You ran Claude Code on a refactoring task. Fifteen minutes later, you notice Claude has been modifying the same three files repeatedly, and your /usage shows you’re near the context limit. What’s your response?

Immediate recovery: (1) Press Escape to interrupt the current agentic loop without losing the session. (2) Run /usage to assess remaining context. (3) Run /compact Focus on the changes made so far and what the target state should be — compaction with specific instructions reduces context while preserving the intent. (4) Review what Claude actually changed via git diff — loops often produce a mix of correct and undone work. (5) Craft a specific follow-up prompt targeting only the remaining gap, not the full original task.

Prevention: (1) Use plan mode first for complex refactors — Claude researches, produces a plan, you approve, then it implements. Plans reduce mid-task divergence. (2) Break large refactors into scoped steps with explicit checkpoints. (3) Set up a PostToolBatch hook to log progress at each batch of tool calls — if the same files are being edited repeatedly, the hook can alert you. (4) Use checkpoints to rewind to a state before the loop started, preserving conversation context while reverting code changes.

Scenario: A new MCP server your team installed is behaving unexpectedly — what’s your trust and audit process?

Concept: MCP security governance | Difficulty: Senior | Stage: Security / system design

Your team added a third-party MCP server for Notion integration two days ago. You notice Claude Code is making API calls you didn’t explicitly request. What’s your investigation and remediation process?

Investigation: (1) Run /mcp to see all connected MCP servers and their tool counts. (2) Check the session transcript — MCP tool calls appear in the tool call history with the server name and tool name. (3) Review the MCP server’s tool definitions — use claude mcp get <server-name> to inspect the configuration. (4) Check for prompt injection via MCP resource content — if the Notion pages Claude is reading contain instructions embedded as text, those can influence Claude’s behavior. (5) Review the Notion integration’s OAuth scope — was it granted more access than necessary?

Remediation: (1) Add a PreToolUse hook that logs all MCP tool calls to a file for auditing: matcher: "mcp__.*". (2) Use oauth.scopes in .mcp.json to pin the Notion server to only the OAuth scopes your team needs (read channels, not write). (3) If the server cannot be trusted, remove it with claude mcp remove <name> and add it to deniedMcpServers in managed settings to prevent re-addition. (4) For future MCP servers: follow Anthropic’s guidance — “use MCP servers from providers that you trust; Anthropic does not manage or audit any MCP servers.” Treat every third-party MCP server as an untrusted code execution surface.

Questions to Ask the Interviewer

The questions you ask signal your depth as much as your answers. Three profiles, three sets of questions:

If interviewing at an AI-native startup building on Claude Code:

“Is your team using the Agent SDK for programmatic workflows, or primarily the CLI? What’s the orchestration pattern?”
“How are you handling cost governance at scale — workspace spend limits, model routing, or external model delegation for bulk tasks?”
“Have you had any production incidents with the harness (not model quality)? How did you diagnose them?”

If interviewing at an enterprise adopting Claude Code:

“Are you using managed settings for org-wide enforcement, or relying on project-level settings.json per team?”
“How are you handling the CLAUDE.md governance challenge as the file grows — path-scoped rules, skills, or a different architecture?”
“What’s your permission model for CI/CD integration — headless API key, or per-developer OAuth?”

If interviewing for a platform/infrastructure role:

“Are you building internal plugins for distribution, or using the public marketplace?”
“How are you instrumenting Claude Code usage for observability — OpenTelemetry metrics, or Console usage analytics?”
“What’s your sandboxing strategy — dev containers, WSL sandboxing, or cloud VM execution?”

Four-Week Preparation Roadmap

This plan assumes you are starting from “familiar with Claude models but have not used Claude Code in production.”

Week 1 — Install and daily use: Install Claude Code (native installer, then verify with claude doctor). Use it daily on a real project. Write your first CLAUDE.md (target 50 lines). Run /compact and /clear and observe what survives. Use /usage to monitor token consumption. Goal: you have directly experienced the permission prompts, the CLAUDE.md loading behavior, and the compaction mechanics.

Week 2 — Extension points: Configure at least one PreToolUse hook (block a pattern you want to prevent). Add an MCP server (GitHub, Sentry, or Postgres from the popular servers list). Create a custom subagent via /agents using the quickstart walkthrough. Write a skill with a slash command. Goal: you can explain from experience, not theory, when each extension point is the right choice.

Week 3 — CI/CD and cost analysis: Set up Claude Code GitHub Actions on a sample repository using anthropics/claude-code-action@v1. Set --max-turns 5 and observe behavior. Run /usage before and after a complex task to measure token consumption. Run an agent team (set CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1) and observe cost scaling. Goal: you have hands-on CI integration experience and a concrete cost data point to reference in interviews.

Week 4 — 2026 features and incident study: Try worktrees (claude --worktree feature-branch). Read the Anthropic security documentation on prompt injection. Read Simon Willison’s April 24, 2026 postmortem commentary at simonwillison.net/tags/claude-code/. Practice the five scenario questions above with a colleague or out loud. Goal: you can discuss the harness bugs postmortem, the prompt injection debate, and 2026 features from a practitioner perspective.

Final Verification Checklist

Before submitting a take-home or walking into a senior interview, confirm you can articulate all six:

Claude Code launched February 24, 2025 by Anthropic — not 2024, not “recently.”
CLAUDE.md is the project memory file — markdown, read at session start, context not enforcement, four scope levels, 200-line target.
Subagents are accessed via the Task tool (internally) and the /agents slash command (user-facing) — built-ins include Explore (Haiku, read-only), Plan (main model, read-only), and general-purpose (all tools).
Permissions model has explicit allow/deny in settings; Claude Code consumes billed API tokens and cost runaway is a real risk — --max-turns in CI is mandatory; workspace spend limits exist; enterprise average is $13/developer/active day.
MCP integration enables Claude Code to use external tools — three transports (HTTP recommended, SSE deprecated, stdio for local), three scopes (local/project/user), channels for event push.
Hooks + plugins + skills are extension points — hooks are deterministic lifecycle enforcement, skills are on-demand reusable workflows, plugins are distributable collections of all extension point types.