A CLAUDE.md context-burn audit, the seven things to actually grade.
Most posts that show up under "audit your CLAUDE.md" say the same thing. Keep the file under 500 words. Remove instructions you added three months ago. Every line gets sent on every turn. That is all true and none of it tells you which lines.
An actual audit fires concrete checks against the file you already wrote and points at the lines. This page walks through the seven checks ccmd runs, the exact threshold or regex each one fires on, and the order to fix them in. The whole thing takes 220 ms in your browser.
1. The input
A representative CLAUDE.md from a real-feeling Next.js payments repo. 213 tokens, 22 lines. Looks fine on first read. Scores 5 of 12 on the rubric and ships 8 findings.
2. What the audit says
Same file, run through analyzeConfig() in src/lib/analyzer.ts. The UI on ccmd.dev renders the same data as a richer panel; the shape is below.
Eight findings on 22 lines. Read top to bottom: line 3 is the single highest-severity finding on the page and the cheapest fix. Lines 7, 8, and 9 are absolute-word and vague-term cleanups. Lines 12 and 13 are prohibitions with no Why. Line 17 is a stack paragraph that wants to be three short rules. Line 22 is a copy-paste of line 7. The seven check categories on the right column come next.
3. The seven checks the audit runs
Each one is a pure function in the same file. Thresholds and regex are below; copy them, adapt them, port them. The whole module is under 300 lines.
cache_bust — the one nobody catches
Regex \b20[2-9]\d-\d{2}-\d{2}|today|this session|right now\b runs against the first 20 lines (analyzer.ts:194). Severity: high. A timestamp or session-specific string near the top of a cached file mutates the prefix on every session and re-bills the full file at full input cost. Anthropic's prompt cache only hits on byte-identical prefixes. Move the date to the bottom of the file or strip it. This is the cheapest single edit on most files we see and almost no audit guide mentions it.
bloat — lines over 28 words
word_count > 28 on a single non-blank trimmed line (analyzer.ts:150). Severity: medium. Long compound rules get treated as one signal by the model and the second half gets ignored. The token saving on a split is estimated at 35% of the line's tokens because splitting into shorter directives keeps most of the words but produces three rules the agent actually follows.
vague — 14 banned soft words
Word boundary match against: appropriate, appropriately, good, best, proper, properly, carefully, thoughtfully, well, nicely, cleanly, as needed, where applicable, if relevant, when possible (analyzer.ts:124-128). Severity: low. The agent cannot tell when it succeeded at 'handle edge cases appropriately'. Replace with a concrete test: 'cover the four edge cases in cases.test.ts'.
aspirational — absolute words without escape clause
Six terms (always, never, must, should always, in all cases, every time) on a line under 25 words that does not also contain 'unless', 'except', 'but if', or 'when X then' (analyzer.ts:130-191). Severity: low. Real codebases have exceptions. Add the exception or drop the absolute. The fix is one or two words per finding.
duplicate — same line twice
Lowercased non-trivial lines (over 10 chars) are hashed; the second occurrence gets a duplicate finding pointing at the line number of the first (analyzer.ts:207-224). Severity: medium. Catches the 'I forgot I said that already' pattern that happens when teams concatenate sections from multiple authors. Token saving on this one is the full line.
missing_why — prohibitions with no reason
Any line starting with DO NOT, NEVER, or don't gets a four-line lookahead (analyzer.ts:227-240). If the next four lines do not contain because, why, reason, past, got burned, incident, happened, or caused, the prohibition is flagged. Severity: medium. Agents follow unannotated rules until they hit an edge case, then guess. One Why: line citing the past incident makes the rule load-bearing.
conflict — contradictory absolutes
Detects pairs like 'never use comments' AND 'add comments' in the same file (analyzer.ts:244-252). Severity: high. The agent has no resolution path. Pick one, or scope each by context. Rare but loud when it happens.
4. The math under the audit
The audit assumes the file fires every turn (it does), 30 turns per long-running session (a heuristic from the docs), and the published Opus 4.7 input rate. These three constants give you a defensible dollar number on the file you wrote.
For the 213-token sample above, the dollar math reads: 213 tokens × 30 turns × $5 per million = $0.032. Trivial in isolation. Now scale the file to a realistic 6,000-token CLAUDE.md and the same math comes out to $0.90 per session, or about $27 per month at one long session a day. With a cache hit that drops to about $2.70 per month. Without cache (because one ISO date at line 3 invalidated it), back to $27. The cache_bust finding moves the cost by 10x.
“every single API call to Claude sends the whole context, including prompts, meaning that all this extra text in CLAUDE.md is sent over and over”
caymanjim, Hacker News thread 47581701
5. What the other "audit your CLAUDE.md" pages do
We read the top results that currently rank for this topic. They agree on the diagnosis (sloppy CLAUDE.md taxes every turn). They stop short of the audit.
| Feature | generic audit advice | ccmd analyzer |
|---|---|---|
| Names the specific finding kinds | no — generic 'remove dead weight' | seven named kinds with thresholds |
| Catches ISO date / session-specific lines | not flagged anywhere we saw | cache_bust, high severity, first 20 lines |
| Flags prohibitions without a Why | not mentioned | DO NOT / NEVER + 4-line lookahead |
| Per-line token savings estimate | qualitative only | chars / 4, summed across findings |
| Runs on the file you already wrote | advice, not a run | paste in browser, 220 ms |
| Same checks on AGENTS.md / .cursorrules / .grokrules | single-format | polyglot, content-based detection |
6. The order to fix in
Findings have different blast radius. Cheapest-impact-first beats cheapest-effort-first. For the sample above the order is:
- cache_bust on L3. Strip the date line or move it to the bottom. One delete, recovers the full prompt-cache discount for the rest of the session.
- duplicate on L22. Delete the second copy. One line, zero risk.
- missing_why on L12 and L13. Append a Why: with the past incident. One line each. "Never use any. Why: silent runtime error in checkout, 2026-03, 4 hours to trace."
- bloat on L17. Split the 31-word stack paragraph into three short rules: framework, payments boundary, migration rule. The second half of the original was being ignored anyway.
- vague + aspirational on L7-9. Replace "always handle edge cases appropriately" with "cover the four cases in cases.test.ts". Replace "always think carefully" with a tests-must-pass line. The absolute-word findings often go away when the line gets concrete.
After all five passes the file scores 9 of 12 on the rubric, drops to roughly 145 tokens, and the prompt cache stays warm. The token saving is real but secondary. The larger win is that the agent stops ignoring half of what is in the file.
Want a second pair of eyes on your CLAUDE.md?
15 minutes, walk through the audit on your file, leave with a shortlist of cuts. Free.
Frequently asked questions
What does CLAUDE.md context burn mean?
Every Claude Code API call ships the full CLAUDE.md as part of the system prompt. A 6,000-token file gets re-sent on every turn for the entire session. On a 30-turn session that is 180,000 input tokens spent before Claude has read a single line of your code. 'Context burn' is the share of the per-turn context budget the file consumes, and the dollar cost when that share is multiplied by 30 turns and the Opus 4.7 input rate (currently $5 per million as of 2026-05-17, down from $15 per million on Opus 4.1).
How do I run an audit on my CLAUDE.md?
Open ccmd.dev, paste the file into the textarea at the top. The analyzer runs entirely in your browser; no signup, no upload. You get the total token count, the Karpathy 12-rule pass rate, and a line-by-line list of findings with per-line token savings estimates. The same analyzer works on AGENTS.md, .cursorrules, and .grokrules — detection is by content, not filename.
Why does the cache-bust finding matter more than the others?
Anthropic and xAI both use prompt caching to amortize long system prompts. A cache hit on a 6,000-token CLAUDE.md costs roughly a tenth of a fresh read. A single 'Today is 2026-05-17' line in the first 20 lines mutates the cached prefix every session, so every turn pays full input cost for the entire file. That one line can be the difference between a $0.27 session and a $2.70 session at Opus 4.7 rates. ccmd's analyzer is the only audit we know of that flags it.
What threshold does ccmd use for a 'bloat' finding?
28 words on a single non-blank line. The constant lives in src/lib/analyzer.ts at line 150. The threshold is empirical: rule lines over 25 words consistently get treated as one signal by the model, and the second half of the line tends to be ignored. Split a 34-word stack paragraph into three 8-word rules and the agent follows all three.
Why does the analyzer flag 'always' and 'never' lines?
Absolute words with no escape clause are aspirational rather than operational. Real codebases have exceptions. The analyzer fires the 'aspirational' finding when it sees 'always', 'never', 'must', 'should always', 'in all cases', or 'every time' on a line under 25 words that does not also contain 'unless', 'except', 'but if', or 'when X then'. Either add the exception or drop the absolute. Either way the agent stops guessing.
How is per-line token savings estimated?
Estimated tokens use the universal chars / 4 heuristic that every Claude Code CLI uses (analyzer.ts line 38). For bloat findings the saving is roughly 35% of the line's tokens since splitting into shorter rules retains most of the words. For cache_bust and duplicate findings the saving is the full line. Multiply by 30 turns and the Opus 4.7 input rate to get a per-session dollar estimate.
Does ccmd upload my CLAUDE.md anywhere?
No. The analyzer is pure client-side TypeScript in src/lib/analyzer.ts. Open DevTools, watch the network tab, paste a file. No POST. The same is true for AGENTS.md, .cursorrules, and .grokrules.
Is a 500-word CLAUDE.md actually the right target?
It is a heuristic, not a rule. The real target is: every line in the file earns its place against the per-turn token cost. A 2,000-token CLAUDE.md with zero findings is healthier than a 400-token one with three vague absolutes and a cache-busting date. ccmd grades the file, not the length.
Related: the 12-rule rubric in full, the two surfaces skills bloat on, or paste your file on the analyzer.
Comments (••)
Leave a comment to see what others are saying.Public and anonymous. No signup.