Hook a Permission Layer onto Dangerous Tools
Intercept dangerous tool calls with a hook layer: pattern rules, approval gates, and blocks that the model cannot talk its way past.
The route
4 steps to Done
- 01
Define the danger rule set
Enumerate what must never run silently - concretely.
Preview prompt + verify gate ▾ Hide ▴
Write the danger rules as data. COMMAND PATTERNS (normalized before matching: resolve quoting, collapse whitespace): recursive deletion (rm -rf and equivalents on any path), git destructive ops (force-push, hard reset on shared branches, clean -fdx), bulk data ops (DROP/TRUNCATE, mass UPDATE without WHERE), package/system mutations (global installs, chmod -R 777, curl piped to shell). PROTECTED PATHS for writes and deletes: .env* and secret/key files, .git internals, paths outside the workspace root, CI and infra configs (approval, not block). Assign each rule a verdict (approval vs block) and a reason string. Store as a versioned config file. Review the list against my actual toolset and add tool-specific rules where needed.
- ✓ Patterns match normalized commands
- ✓ Protected paths cover secrets and workspace escape
- ✓ Every rule has a verdict and reason
- 02
Implement the hook point
One interception point, running before anything executes.
Preview prompt + verify gate ▾ Hide ▴
Build the pre-tool-use hook into the dispatch path. Mechanics: after schema validation and before handler execution, run the hook chain with {tool, arguments, session context}; each hook returns allow / require-approval(reason) / block(reason); the strictest verdict wins; require-approval routes to the approval UX with full call details; block short-circuits with a structured refusal to the model ('blocked by policy: [reason]'). Hooks are ordinary functions loaded from harness config plus project config (next step). Failure containment: a hook that throws counts as block-with-error, never as allow. Implement the danger rules from step 1 as the first hook and unit-test verdicts across a matrix of calls.
- ✓ Hooks run before every execution
- ✓ Strictest verdict wins
- ✓ Hook exceptions fail closed
- 03
Harden the patterns against evasion
The gap between a pattern and its intent is where accidents live.
Preview prompt + verify gate ▾ Hide ▴
Red-team the rules. Try the evasions: path tricks (rm -rf ./, rm -rf $HOME, cd /important && rm -rf .), quoting and splitting ('r''m' -rf, echo rm -rf | sh), indirection (writing a script with the dangerous command then executing it, invoking via xargs/find -delete), and interpreter smuggling (python -c os.system(...)). For each evasion that passes: fix by strengthening normalization (argument resolution, working-directory awareness) or adding rules (script-write-then-execute detection: flag executing a file the agent just wrote, requiring approval). Accept and document the residual risk that patterns cannot be complete - which is why approval tiers and sandboxing exist as the next layers. Record the evasion suite as permanent tests.
- ✓ Path, quoting, and indirection evasions tested
- ✓ Just-written-script execution flagged
- ✓ Residual risk documented, not denied
- 04
Make it extensible and drill it
Projects have their own dragons - let them add rules.
Preview prompt + verify gate ▾ Hide ▴
Add project extensibility and run the live drill. EXTENSIBILITY: the harness loads additional hooks/rules from a project config file (e.g. .agent/hooks with pattern rules in config plus optional script hooks); document the format with two examples (protect a data/ directory; require approval for migrations). Validate project hooks on load. DRILL: on a real task, script the agent into attempting a blocked command, an approval-tier command, and a protected-path write; verify each verdict, the model's adaptation after refusal, and the decision log entries. Confirm a project rule added mid-session takes effect on next dispatch.
- ✓ Project hook format documented with examples
- ✓ Drill covers block, approve, and protected write
- ✓ Model adapts after refusals instead of stalling
Research-backed
Sources behind this flow
Tier 1 · claude-code-internals
claude-code-book (SCUTBrothers)
A second book-length Chinese treatment of Claude Code's source ('Understanding Claude Code In Depth') with a compiled PDF and LaTeX sources. Focuses on turning the complex system into reusable engineering knowledge: source structure, runtime mechanics, permissions and extension points, security and context strategy.
Tier 1 · claude-code-internals
claude-code-decompiled (research reports)
A documentation-only collection of 20 independent research reports on Claude Code v2.1.88 covering architecture, agent behavior, permission design, prompt assembly, MCP integration, and context management. Deliberately ships analysis rather than extracted code.
Tier 4 · coding-agents
Cline
A leading VS Code agent that popularized the human-in-the-loop approval UX: every file edit and terminal command is presented for approval with diff previews, plan/act modes, and checkpoints.
Tier 1 · claude-code-internals
Deep Dive: Code-Layer Security - 20+ Validators Behind BashTool
Walks the layered validation pipeline that backs up the prompt when the model ignores its 'suggestions': control-character checks, multi-view quote extraction, obfuscated-flag detection (ANSI-C quoting, empty-quote concatenation, quote chains, triple quotes), brace-expansion and backslash-escaped-operator traps, hard path constraints, a whitelist-plus-denylist sed validator, and per-tool exit-code semantics. Every validator returns allow/ask/deny/passthrough, and misparsing-class findings outrank informational ones.
Tier 1 · claude-code-internals
Deep Dive: Dual-Defense Architecture - Prompt + Code
Argues that because LLMs are probabilistic, prompts alone are gambling and code alone wastes the model's flexibility. Maps how Claude Code pairs every soft prompt rule ('use Edit instead of sed', 'NEVER force-push') with an independent deterministic check (sed validators, destructive-git detection, sandbox gates), analyzes the four failure combinations of the two layers, and distills five reusable design principles for any tool-calling agent system.