Claude Code became infrastructure this week — start treating it that way

Claude Code now has Hooks that fire shell scripts on PreToolUse and PostToolUse events. It has Subagents that spawn parallel Claude instances. It has MCP, which connects sessions directly to your databases and APIs. It has a .claude/ directory with skills/ and commands/ subfolders, and a CLAUDE.md that loads at every session start. Twelve production features in one cycle.

If your team is using it, you have already made a platform decision. You probably haven't admitted it yet.

The thing under the announcement

The Hooks feature is the one to pay attention to first, and for opposite reasons depending on which side of the desk you sit on.

If you ship code: Hooks are the most useful thing Anthropic has shipped this year. Wire your linter, your type checker, your test runner into PreToolUse, and AI-generated code physically cannot land in your repo without passing the same gates a human PR has to clear. This is the move from prompt-engineered compliance — "please follow our conventions" stapled to a system prompt — to exit 1. Deterministic enforcement is the only thing that has ever worked at scale, and it just arrived for agent-written code. If your team uses Claude Code and you don't have PreToolUse hooks running your CI gates locally, you're voluntarily skipping the part that makes this safe.

If you're responsible for security: Hooks are arbitrary shell execution triggered by files committed to a repo. A malicious .claude/ directory in a dependency, a fork, a contractor's branch — that's code execution on every developer workstation that opens the project. It is the poisoned Makefile pattern, the malicious .vscode/settings.json pattern, with one difference: your reviewers don't know to look at it yet, your SAST tools don't flag it, and your EDR sees one Claude Code process where there are actually several subagents running with inherited credentials.

The same feature is the productivity unlock and the supply-chain hole. That's normal. What's not normal is having neither a review checklist nor a configured set of enforcement hooks while shipping production code through it.

.claude/ is config, and config is policy

The quiet news is that .claude/ and CLAUDE.md have become first-class project configuration. Not personal dotfiles. Project state. Skills, custom commands, MCP connection strings, behavioral rules — all checked into the repo, all loaded automatically, all of it shaping what the agent does for every developer who pulls main.

Treat it the way you treat your CI config. Version it deliberately. Review changes the way you review a Dockerfile change. Decide as a team what's allowed to live there before individual developers decide for you. If you don't, you'll discover six months from now that three teams have committed three different MCP configurations, two of them pointing at production read replicas, and nobody can remember who approved either.

The lock-in is real and worth naming out loud. None of this ports. Not to Codex, not to Copilot, not to Cursor. The Skills you write, the Commands you build, the Hook scripts you wire up — all of it is Anthropic-shaped. For most teams the productivity is worth the commitment right now. But "worth it" is a decision, not a default. Write down what you're committing to and what the migration would cost. Future you, evaluating an alternative in eighteen months, will need that number.

The agent-taxonomy stuff is mostly a distraction

There's a five-level taxonomy floating around — prompt-response, interactive assistant, delegated execution, autonomous scheduled ops, self-building agents — and a lot of breathless commentary about Sim Studio's Mothership shipping Level 5 capability open-source at twenty-seven thousand stars. The framework is fine as vocabulary. It is not a planning tool.

Most production AI products sit at Level 2 or 3 and will sit there for another year, because Level 4 — agents that run on their own clock, hold credentials, and don't wait for a human — is where reliability and governance get hard fast, and "Level 5" demos break the moment you ask them to do anything specific to your stack. Mothership has stars; it doesn't have anyone running it against a real production workload they care about. Track it. Don't redesign anything around it.

The Google Memory Caching paper is in the same bucket. Genuinely interesting work — O(NL) complexity, GRM beating sparse routing, a clean theoretical lens on hybrid architectures — and capped at 1.3B parameters with no frontier-scale validation. If you do inference optimization, read it. If you're picking an architecture this quarter, ignore it until October.

What to do this week

One move, specific: scan every repo in your organization for .claude/ directories and CLAUDE.md files. Count them. Read them. For each one, answer three questions — what shell commands can fire from a Hook in here, what does any MCP block connect to, and who approved the contents. Then add .claude/** to your PR review checklist and your pre-commit scanner before the end of the sprint.

You're not auditing a tool. You're auditing infrastructure your engineers already deployed.