Do I Still Need a Boilerplate If I Use Claude Code?
Is a Claude Code boilerplate needed? Short answer: it depends on what you ship. Here is the honest decision tree and cost math.
Arrête de tout configurer. Place à la construction.
Des templates SaaS avec orchestration IA.
A Claude Code boilerplate is needed when you are shipping a brand-new SaaS to real paying users with logins, Stripe billing, and multi-tenant data, because Claude Code starting from an empty folder repeatedly writes the same security bugs that a tested boilerplate already fixed. A boilerplate is not needed when you are building an internal tool, a prototype, or adding to code that already exists, where a thorough CLAUDE.md instruction file does the job. The answer is "it depends," and below is exactly what it depends on.
Arrête de tout configurer. Place à la construction.
Des templates SaaS avec orchestration IA.
The paradox that explains everything
Two true facts landed in the same week. Anthropic reported on June 5, 2026 that Claude now writes more than 90% of Anthropic's own code (reported, internal company figure). In that same week, three boilerplate vendors published posts arguing you still need their starter kits.
Both are right. Claude Code is fast at writing features. It is also predictable about the bugs it introduces when it starts from nothing. A "boilerplate" is a pre-built starter codebase you buy or copy so you do not write login and payment plumbing yourself. The fight is not "AI versus boilerplates." It is about which job you are doing.
The three bugs Claude Code keeps writing from scratch
Makerkit, a boilerplate vendor, documented three security failures that show up again and again in greenfield Claude Code builds (greenfield means starting from an empty repository):
- Sessions that do not log out on password change. You reset your password, but the old login token still works. An attacker who grabbed it keeps access.
- Stripe webhook handlers that are not idempotent. A webhook is a message Stripe sends your app when a payment happens. "Not idempotent" means if Stripe sends the same message twice (which it does), your app charges or credits the user twice.
- Row-level security gaps that leak data. Row-level security (RLS) is a database rule that says "user A can only see user A's rows." When Claude misses one policy, user A can read user B's data.
The root cause is not your prompt. It is the training data. Claude learned from years of public code that mixes Next.js App Router and Pages Router patterns (two different ways to build the same app) and old Stripe examples. From a blank repo it averages those patterns, and the average includes the bugs.
Why an opinionated framework helps Claude write less, and break less
Less code means fewer chances to introduce a subtle bug. An "opinionated framework" is one that picks the patterns for you instead of leaving them open.
Wasp is one example. Its auth setup replaces 500+ lines of hand-written login code with about 12 lines of config. Reported token-efficiency tests put Claude roughly 70% more efficient in the same context window when it reads 12 lines instead of 500. The context window is Claude's short-term memory for one task. When the boring parts are tiny and fixed, Claude spends its attention on your actual feature, not on re-deriving login from scratch.
The honest decision tree
Here is the table the boilerplate vendors will not give you straight, because two of the four rows say you do not need their product.
| Scenario | Claude Code alone enough? | Boilerplate worth buying? | Key risk if you skip it | Hours a boilerplate saves |
|---|---|---|---|---|
| Internal tool / prototype | Yes, with a good CLAUDE.md | No | Low; few or trusted users | 5 to 15 |
| Greenfield B2C SaaS (auth + payments + real users) | Risky | Yes | Auth session bugs, double Stripe charges | 30 to 60 |
| Greenfield B2B SaaS (multi-tenant, subscriptions, RLS) | No | Yes | RLS data leaks between customer accounts | 50 to 100 |
| Extending an existing codebase | Yes | No | Low; patterns already set | 0 to 10 |
Rule of thumb: the more strangers will trust your app with their data and money, the more a tested base pays off.
The cost math, in plain numbers
One-time boilerplate prices today: ShipFast $199 to $299, Makerkit $149 to $599, supastarter 349 to 1,499 euros (vendor pricing pages, June 2026). All one-time, not subscriptions.
If a boilerplate saves you two weekends of debugging Stripe webhooks and RLS, it has already paid for itself on your first project, even at the top tier. The expensive part of a SaaS is never the first commit. It is the bug you find after a customer's data leaked.
Can a CLAUDE.md replace a boilerplate?
Sometimes. A CLAUDE.md is a plain-text file that tells Claude Code your rules and patterns for the project. It acts as a living spec that Claude reads on every task.
Carlos Pinto reported building a 38,600-line production Rails SaaS in 8 weeks using only Claude Code and a thorough CLAUDE.md, no commercial boilerplate (reported, personal account). The catch: he is an experienced developer. On day 40, when an infrastructure problem cascaded, he could read the fire and put it out. A non-technical founder has no such safety net. A CLAUDE.md only catches the security edge cases you know to write down, and beginners do not know what they do not know. Pairing one with Claude Code subagents and clear rules helps, but it does not invent expertise you lack.
The third option both camps skip
There is a middle path between "raw Claude Code" and "a static boilerplate." That is what the $29 Code Kit (Build This Now) is: a build system that runs on top of a production-ready SaaS skeleton. You get the structural safety of a boilerplate, with auth, Stripe payments, a landing page, and PostgreSQL with row-level security on every table already wired, plus a set of 18 specialist agents and skills that drive Claude Code to ship full features instead of snippets.
In short, the boilerplate stops the predictable security bugs before Claude writes a line, and the agents keep Claude's feature speed. It is one-time, lifetime updates, commercial-use license, unlimited apps, and a 30-day money-back guarantee. You still bring your own Claude subscription, and you can deploy anywhere (Vercel, Docker, any VPS).
FAQ
Does Claude Code replace boilerplate?
No. Claude Code is excellent at building features but repeatedly introduces security gaps from scratch: auth sessions that do not invalidate, RLS data leaks, and non-idempotent Stripe webhooks. A tested boilerplate removes those whole categories of bugs before Claude writes its first line.
Can Claude Code set up Stripe and Supabase from scratch?
It can, but Makerkit documented that greenfield Claude Code builds often produce webhook handlers that fire twice and outdated Stripe patterns pulled from mixed training data. A boilerplate with working Stripe and Supabase wiring removes that risk entirely.
Is ShipFast still worth it with Claude Code?
Yes if you are shipping a new SaaS to real users. ShipFast at $199 to $299 one-time pays for itself by preventing one weekend of debugging auth or payments. No if you are building an internal tool or prototype, where a well-written CLAUDE.md is enough.
What is CLAUDE.md and can it replace a boilerplate?
A CLAUDE.md is a project instruction file that works as a living spec for Claude Code. One experienced developer used it to build a 38,600-line production SaaS with no commercial boilerplate, but non-technical founders lack the expertise to write one that catches security edge cases reliably.
Arrête de tout configurer. Place à la construction.
Des templates SaaS avec orchestration IA.
How to Cut Your Claude Code Token Bill in Half
Reduce Claude Code token cost with five fixes: cap thinking tokens, default to Sonnet, defer MCP loading, trim CLAUDE.md, and filter tool output.
Harness vs Boilerplate vs Framework: The Build-System Stack Explained
Harness vs boilerplate vs framework, explained plainly: what each layer does, who needs which, and where the $29 Code Kit fits.