Hook-Based Permission Model

CLAUDE.md · Advanced

Claude Code hooks (PreToolUse, PostToolUse, Notification) provide a programmatic way to enforce policies beyond CLAUDE.md rules. This pattern shows how to build a permission layer: block writes to protected paths, require approval for destructive commands, log all file modifications for audit, and notify on sensitive operations. Ideal for team environments where guardrails must be enforced, not just suggested.

Tags: hooks, permissions, security, guardrails, policy

Pattern Code

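# Hook-Based Permission Model

## .claude/settings.json — Hook Configuration

```json
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Write|Edit",
        "hooks": [
          { "type": "command", "command": "node .claude/hooks/check-write-permission.js" }
        ]
      },
      {
        "matcher": "Bash",
        "hooks": [
          { "type": "command", "command": "node .claude/hooks/check-bash-command.js" }
        ]
      }
    ],
    "PostToolUse": [
      {
        "matcher": "Write|Edit",
        "hooks": [
          { "type": "command", "command": "node .claude/hooks/log-file-change.js" }
        ]
      }
    ],
    "Notification": [
      {
        "hooks": [
          { "type": "command", "command": "node .claude/hooks/notify-slack.js" }
        ]
      }
    ]
  }
}
```

## .claude/hooks/check-write-permission.js

```javascript
// Block writes to protected paths
const fs = require("fs");
const path = require("path");

// Patterns are tested against the project-relative path.
const PROTECTED = [
  /^\.env/,
  /^src\/config\/production/,
  /^migrations\//,
  /package-lock\.json/,
];

// Hook input arrives as JSON on stdin (fd 0).
const input = JSON.parse(fs.readFileSync(0, "utf8"));
const filePath = input.tool_input?.file_path || "";

// file_path is normally absolute, so the anchored patterns would never match
// it directly. Resolve it (which also collapses "../" segments) and make it
// relative to the project root. Assumes the hook runs from the project root.
const relPath = path
  .relative(process.cwd(), path.resolve(filePath))
  .split(path.sep)
  .join("/");

const blocked = PROTECTED.some((re) => re.test(relPath));
if (blocked) {
  console.log(JSON.stringify({
    decision: "block",
    reason: `Protected path: ${filePath}. Manual edit required.`,
  }));
} else {
  // "approve" lets the call proceed without the usual permission prompt.
  console.log(JSON.stringify({ decision: "approve" }));
}
```

## .claude/hooks/check-bash-command.js

```javascript
// Block destructive commands
const fs = require("fs");

// Each pattern is tested against the raw command string.
const BLOCKED_PATTERNS = [
  /rm\s+-rf/,
  /git\s+push\s+--force/,
  /git\s+reset\s+--hard/,
  /DROP\s+TABLE/i,
  /DELETE\s+FROM\s+\w+\s*;/i,
];

// Hook input arrives as JSON on stdin (fd 0).
const input = JSON.parse(fs.readFileSync(0, "utf8"));
const cmd = input.tool_input?.command || "";

const blocked = BLOCKED_PATTERNS.some((re) => re.test(cmd));
if (blocked) {
  console.log(JSON.stringify({
    decision: "block",
    reason: "Destructive command detected. Requires manual execution.",
  }));
} else {
  // "approve" lets the call proceed without the usual permission prompt.
  console.log(JSON.stringify({ decision: "approve" }));
}
```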
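
The regexes in `check-bash-command.js` each match one spelling of a command (`rm -rf`, `git push --force`). As an added example, not part of the original pattern, the check below parses the flags of each simple command so that equivalent spellings such as `rm -fr`, `rm -r -f` and `git push -f` are caught as well. The function names are hypothetical, and it covers only the `rm` and `git` cases without parsing quoting or subshells.

```javascript
// Added example: flag-aware check for destructive shell commands.
// Function names are hypothetical. Quoting and subshells are not parsed.

// Split a command line into simple commands on ; & | && || and newlines.
function splitCommands(cmd) {
  return cmd.split(/&&|\|\||[;&|\n]/).map((s) => s.trim()).filter(Boolean);
}

// Collect short flags (-rf gives r and f) and long flags (--force).
function flagsOf(args) {
  const short = new Set();
  const long = new Set();
  for (const a of args) {
    if (a.startsWith("--")) long.add(a.slice(2).split("=")[0]);
    else if (/^-[A-Za-z]+$/.test(a)) for (const c of a.slice(1)) short.add(c);
  }
  return { short, long };
}

function isDestructive(cmd) {
  for (const part of splitCommands(cmd)) {
    const argv = part.split(/\s+/);
    // Drop leading wrappers (sudo, env, command) and VAR=value assignments.
    while (argv.length && /^(sudo|env|command|\w+=.*)$/.test(argv[0])) argv.shift();
    const name = (argv[0] || "").split("/").pop(); // /bin/rm -> rm
    const args = argv.slice(1);
    const { short, long } = flagsOf(args);
    if (name === "rm") {
      const recursive = short.has("r") || short.has("R") || long.has("recursive");
      const force = short.has("f") || long.has("force");
      if (recursive && force) return true;
    }
    if (name === "git" && args.includes("push")) {
      if (short.has("f") || long.has("force") || long.has("force-with-lease")) return true;
    }
    if (name === "git" && args.includes("reset") && long.has("hard")) return true;
  }
  return false;
}
```

In the hook, call `isDestructive(cmd)` alongside the SQL patterns and emit the `block` decision when either matches.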

Copy this pattern into your project configuration to implement.

About Hook-Based Permission Model

Claude Code patterns are proven architectural designs and workflow structures that help you tackle complex development scenarios. Hook-Based Permission Model is a CLAUDE.md pattern at the Advanced level that provides a tested, repeatable approach you can adapt to your projects for more efficient and consistent results.
