Hook ベース権限モデル

# Hook-Based Permission Model ## .claude/settings.json — Hook Configuration ```json { "hooks": { "PreToolUse": [ { "matcher": "Write|Edit", "command": "node .claude/hooks/check-write-permission.js" }, { "matcher": "Bash", "command": "node .claude/hooks/check-bash-command.js" } ], "PostToolUse": [ { "matcher": "Write|Edit", "command": "node .claude/hooks/log-file-change.js" } ], "Notification": [ { "command": "node .claude/hooks/notify-slack.js" } ] } } ``` ## .claude/hooks/check-write-permission.js ```javascript // Block writes to protected paths const PROTECTED = [ /^\.env/, /^src\/config\/production/, /^migrations\//, /package-lock\.json/, ]; const input = JSON.parse(require("fs").readFileSync("/dev/stdin", "utf8")); const filePath = input.tool_input?.file_path || ""; const blocked = PROTECTED.some((re) => re.test(filePath)); if (blocked) { console.log(JSON.stringify({ decision: "block", reason: `Protected path: ${filePath}. Manual edit required.`, })); } else { console.log(JSON.stringify({ decision: "approve" })); } ``` ## .claude/hooks/check-bash-command.js ```javascript // Block destructive commands const BLOCKED_PATTERNS = [ /rm\s+-rf/, /git\s+push\s+--force/, /git\s+reset\s+--hard/, /DROP\s+TABLE/i, /DELETE\s+FROM\s+\w+\s*;/i, ]; const input = JSON.parse(require("fs").readFileSync("/dev/stdin", "utf8")); const cmd = input.tool_input?.command || ""; const blocked = BLOCKED_PATTERNS.some((re) => re.test(cmd)); if (blocked) { console.log(JSON.stringify({ decision: "block", reason: "Destructive command detected. Requires manual execution.", })); } else { console.log(JSON.stringify({ decision: "approve" })); } ```