Get startedGet started for free

Video: Implementing a hook

1. Video: Implementing a hook

Let's put together our custom hook. Remember, the entire goal here is to prevent Claude from ever reading the contents of the .env file. In the last video, we discussed many of the different configuration options we'll need to set, so in this video we're going to be mostly focused on the implementation. To get started, inside the .claude directory, I'm going to open up the settings.local.json file. Remember, inside of here we have a list of pre-tooluse hooks and post-tooluse hooks. As we discussed a moment ago, we want to make a pre-tooluse hook so that we can prevent Claude from ever reading the contents of that particular file. I already added in a little configuration section right here for us, just to save us a little bit of typing. All we need to do is fill in the matcher and the command. First is the matcher. So the matcher is going to be the tools that we want to watch for. In our case, as we discussed, we want to watch for calls to the read and the grep tools. I'm going to separate those two tool names with a pipe symbol, so that's not an L or a capital I, it is the symbol right above the return key on your keyboard. Then, next up, we need to provide a command to run whenever Claude attempts to call those two tools. We could put in here any command you want, so it can be a CLI, it can be a call to a shell script, absolutely anything. To follow the pattern that I've already established inside the rest of this file, I'm going to call a node.js script that I placed ahead of time inside the hooks directory of this project. So inside the hooks directory, I put together for us a read underscore hook dot js file. This is the file that I want to run whenever Claude attempts to call one of those two tools. So to call that, I'm going to replace the true right here, which is just a placeholder for right now with node dot slash hooks, read underscore hook dot js. I'm going to save this file, and that's all we have to do inside of here. Next up, we need to actually implement the command that's going to run anytime Claude tries to call the read or the grep tools. So that's going to be the read hook dot js file. At the top of this file, I've got some code that's going to read from standard in and parse that data as JSON. So this tool args object right here, that's going to be the big JSON object I showed you in this diagram back over here. So it's going to have properties like session ID, the tool name, the tool input, and so on. So all we really need to do is take a look at that file path right there and decide whether or not it is trying to read the .env file. If it is, then we want to make sure that we exit from our program or our command here with an exit code of two and hopefully also log some information out to Claude that says, sorry, but you can't read that file. So you'll notice that back over here, I've already got some code that's going to read that file path. You'll also notice that there's a fallback of looking at tool input dot path right here. I'll tell you why that's added in in just a moment. So now let's implement the to do statement. We'll say if read path includes .env, that means that Claude must be trying to read the .env file. And if that's the case, then I want to make sure that we block that operation and provide some logging feedback to Claude. So I'm going to first add in a console.error, specifically a console.error, because we want to log to standard error. Remember, that's how we provide some feedback to Claude. And I'll say something like, you cannot read the .env file. And then I'll do a process dot exit two. So now to test this out, I'm going to save the file, I'm going to open up Claude code. If you already have it open, make sure you restart Claude code, you have to restart it to have any changes to your hooks take effect. I'm going to ask Claude to read the .env file. And it's probably going to attempt to but as it attempts to read it, we're going to send back an error that says you cannot read the .env file. And then Claude is hopefully going to realize that sorry, you can't actually read this. As a matter of fact, it's even able to recognize that it was prevented by a read hook. Now our hook should also be working on grep operations as well. So if I ask Claude to try the grep tool, this should also hopefully be forbidden as well. So let's see how it does. And yep, same thing, it is now forbidden. So that is a working hook that we have put together. Now this hook is not terribly useful. And I'm going to show you a much more useful hook in just a moment.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.