Problem
config-protection.sh, validate-bash-commands.py, and parts of prompt-injection-guard.py each implement pattern-matching-and-warn logic in bespoke scripts. Adding a new rule means editing Python or bash code.
Solution
The official hookify plugin (claude-code/plugins/hookify/) provides a declarative rule engine where rules are markdown files with frontmatter:
```markdown
---
name: block-dangerous-rm
event: bash
pattern: rm\s+-rf
action: block
---
⚠️ Dangerous rm command detected!
```
Features:
- Regex matching, substring contains, equals, starts_with, ends_with operators
- Multi-condition rules (all conditions must match)
- Block vs. warn actions
- Field extraction for Bash commands, file paths, edit content
- Works on PreToolUse, PostToolUse, Stop, UserPromptSubmit events
Could replace 3 hook scripts with ~5 declarative .local.md rule files — less code to maintain.
Trade-offs
- Adds a plugin dependency vs. self-contained scripts
- May not cover all current hook logic (e.g., prompt-injection-guard's invisible unicode detection)
- Need to verify it handles the config-protection case statement patterns
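
Added example, not hookify's code and not part of the original issue: a minimal Python evaluator for the frontmatter rule format shown above, used to run a constructed should-fire / should-not-fire corpus against a rule's pattern before the rule replaces a hook script. It assumes an unanchored regex search over the Bash command text and a literal match on `event`; the plugin's actual matching semantics need to be confirmed separately.

```python
import re

# The rule file from the issue, reproduced verbatim.
RULE_TEXT = r"""---
name: block-dangerous-rm
event: bash
pattern: rm\s+-rf
action: block
---
⚠️ Dangerous rm command detected!
"""

def parse_rule(text):
    """Split a rule file into its frontmatter fields plus the message body."""
    _, front, body = text.split("---", 2)
    fields = {}
    for line in front.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    fields["message"] = body.strip()
    return fields

def evaluate(rule, event, command):
    """Return the rule's action if it fires, else None (assumed semantics)."""
    if rule["event"] != event:
        return None
    return rule["action"] if re.search(rule["pattern"], command) else None

# Constructed regression corpus: (command, action the old hook should produce).
CASES = [
    ("rm -rf build/", "block"),
    ("sudo rm   -rf /tmp/x", "block"),
    ("ls -la", None),
    ("rm -fr build/", "block"),            # same effect, flags reordered
    ("rm -r -f build/", "block"),          # same effect, flags split
    ("echo 'never run rm -rf /'", None),   # text only, nothing is deleted
]

def coverage_gaps(rule, cases, event="bash"):
    """List (command, expected, actual) for every case the rule gets wrong."""
    gaps = []
    for command, expected in cases:
        actual = evaluate(rule, event, command)
        if actual != expected:
            gaps.append((command, expected, actual))
    return gaps

if __name__ == "__main__":
    for gap in coverage_gaps(parse_rule(RULE_TEXT), CASES):
        print("mismatch: %r expected=%s actual=%s" % gap)
```

Running the same corpus through the existing hook scripts and through the candidate rule files gives a direct comparison of what each one blocks.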