From 5f3b81764e305a9565d12b277a214cfd13f24b17 Mon Sep 17 00:00:00 2001
From: Ethan Hanley <git@ohainle.me>
Date: Mon, 23 Feb 2026 10:00:54 +0000
Subject: [PATCH] fix: moves COPILOT_HOOKS_DENY_DEMO guard to ensure deny() in
 scope

---
 content/copilot/tutorials/copilot-cli-hooks.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/content/copilot/tutorials/copilot-cli-hooks.md b/content/copilot/tutorials/copilot-cli-hooks.md
index 3b79078feb15..df23f1e92db4 100644
--- a/content/copilot/tutorials/copilot-cli-hooks.md
+++ b/content/copilot/tutorials/copilot-cli-hooks.md
@@ -394,15 +394,6 @@ fi
 
 COMMAND="$(echo "$TOOL_ARGS_RAW" | jq -r '.command // empty')"
 
-# ---------------------------------------------------------------------------
-# Demo-only deny rule for safe testing.
-# This blocks a harmless test command so you can validate the deny flow.
-# Remove this rule after confirming your hooks work as expected.
-# ---------------------------------------------------------------------------
-if echo "$COMMAND" | grep -q "COPILOT_HOOKS_DENY_DEMO"; then
-  deny "Blocked demo command (test rule). Remove this rule after validating hooks."
-fi
-
 deny() {
   local reason="$1"
 
@@ -431,6 +422,15 @@ deny() {
   exit 0
 }
 
+# ---------------------------------------------------------------------------
+# Demo-only deny rule for safe testing.
+# This blocks a harmless test command so you can validate the deny flow.
+# Remove this rule after confirming your hooks work as expected.
+# ---------------------------------------------------------------------------
+if echo "$COMMAND" | grep -q "COPILOT_HOOKS_DENY_DEMO"; then
+  deny "Blocked demo command (test rule). Remove this rule after validating hooks."
+fi
+
 # Privilege escalation
 if echo "$COMMAND" | grep -qE '\b(sudo|su|runas)\b'; then
   deny "Privilege escalation requires manual approval."