# hookify-rules

> A Claude Code skill from Affaan M's everything-claude-code repo that writes Hookify rule files — markdown-with-frontmatter regex patterns stored at .claude/hookify.<name>.local.md — to warn or block on bash commands, file edits, prompts, or stop events. Different system from Claude Code's native PreToolUse / PostToolUse hooks; Hookify is a pattern-to-message rule layer.

**Use case**: Author Hookify regex rules for dangerous bash patterns, sensitive file edits, or workflow enforcement

**Canonical URL**: https://agentcookbooks.com/skills/hookify-rules/

**Topics**: claude-code, skills, hooks

**Trigger phrases**: "write a Hookify rule for rm -rf", "block edits to .env files with Hookify", "configure hookify for sudo commands"

**Source**: [Affaan M](https://github.com/affaan-m/everything-claude-code/tree/main/skills/hookify-rules)

**License**: MIT

---

## What it does

`hookify-rules` is the rule-authoring skill in [Affaan M's everything-claude-code](https://github.com/affaan-m/everything-claude-code) — see [skills/hookify-rules](https://github.com/affaan-m/everything-claude-code/tree/main/skills/hookify-rules). It covers Hookify rule files: markdown files with YAML frontmatter that define a pattern to watch for and a message to surface when the pattern matches. Rules live at `.claude/hookify.<rule-name>.local.md` in the project root and are gitignored by convention (`.claude/*.local.md` added to `.gitignore`).

Hookify is a *different system* from Claude Code's native PreToolUse / PostToolUse hooks — important to keep distinct. Native hooks are tool-event hooks (run a command before / after a tool call). Hookify is a regex-pattern-to-message rule system: every rule watches one event type (`bash` / `file` / `stop` / `prompt` / `all`), matches against an event field (`command`, `file_path`, `new_text`, `user_prompt`, etc.), and either warns (`action: warn`, default) or blocks (`action: block`) when the pattern hits.

The frontmatter contract is six fields: `name` (kebab-case, verb-first — `warn-*` / `block-*` / `require-*`), `enabled` (toggle without deleting), `event`, `action`, `pattern` (regex) or `conditions` (multi-field). For multi-condition rules, every condition must match — operators include `regex_match`, `contains`, `equals`, `not_contains`, `starts_with`, `ends_with`. The body of the markdown file is the message Claude sees when the rule fires; it can include warnings, suggestions, or safer alternatives.

## When to use it

- Authoring a Hookify regex rule for a dangerous bash command (`rm\s+-rf`, `sudo\s+rm`, `chmod\s+777`, `dd\s+if=`, `mkfs`)
- File-edit rule that warns when a `.env` file gets an `API_KEY` added (multi-condition rule with `file_path` + `new_text`)
- Workflow-enforcement rule on the `prompt` event — block or warn when the user uses a banned framing
- Completion-check rules on the `stop` event with pattern `.*` (always-on reminder)
- Toggling rules on / off with `enabled: false` instead of deleting

When *not* to reach for it:

- Native Claude Code PreToolUse / PostToolUse hooks — those are configured in `settings.json` and run shell commands, not regex rules. The wiki has a separate `hooks` topic covering those.
- Heavy logic that needs a real script — Hookify is regex-on-events, not arbitrary code
- Pattern matching across many event types in one rule — Hookify rules are scoped to one event each

## Install

From [affaan-m/everything-claude-code](https://github.com/affaan-m/everything-claude-code) at `skills/hookify-rules/`. Drop the folder into `~/.claude/skills/hookify-rules/`. The skill itself is markdown documentation for the rule format; the Hookify rule system has its own slash commands (`/hookify`, `/hookify-list`, `/hookify-configure`, `/hookify-help`) that consume the rule files. Rules go at `.claude/hookify.<name>.local.md` in the project root; add `.claude/*.local.md` to `.gitignore` so they stay local.

## What a session looks like

1. **Operator names the danger.** "I want a Hookify rule that warns me whenever a bash command contains `rm -rf` anywhere except inside `/tmp`."
2. **Skill picks the event + matcher.** Event is `bash`, matcher is the `command` field, pattern is `rm\s+-rf` with a negative lookahead or post-match filter.
3. **Frontmatter scaffold.** Name `warn-rm-rf`, `enabled: true`, `event: bash`, `action: warn`, `pattern: rm\s+-rf`. Body is the message Claude will see.
4. **Test the regex.** The skill points at the Python one-liner: `python3 -c "import re; print(re.search(r'rm\s+-rf', 'rm -rf /'))"`. Testing this way catches the common pitfalls: too-broad patterns (bare `log` matching "login") and too-specific patterns (`rm -rf /tmp` missing other paths).
5. **Save to `.claude/hookify.warn-rm-rf.local.md`.** Gitignored by convention.
6. **Verify with `/hookify-list`.** Table view confirms the rule is registered and enabled.
7. **Iterate.** If the pattern triggers too eagerly, tighten with multi-condition rules — `command` matches `rm\s+-rf` AND `command` does not contain `/tmp/`.
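
The session above as an added example (not code from the skill or from Hookify): a small Python model of rule evaluation that runs the step 3 pattern, the step 7 multi-condition tightening, and the bare `log` pitfall over constructed commands. The tuple layout for conditions, the operator semantics and the `\blog\b` fix are assumptions made for illustration.

```python
import re

# Operator names come from the page; the semantics below (substring, prefix,
# re.search) are assumptions for this model, not Hookify's own code.
OPERATORS = {
    "regex_match": lambda value, arg: re.search(arg, value) is not None,
    "contains": lambda value, arg: arg in value,
    "not_contains": lambda value, arg: arg not in value,
    "equals": lambda value, arg: value == arg,
    "starts_with": lambda value, arg: value.startswith(arg),
    "ends_with": lambda value, arg: value.endswith(arg),
}

def rule_fires(conditions, event):
    """True only when every (field, operator, argument) condition matches."""
    return all(OPERATORS[op](event.get(field, ""), arg)
               for field, op, arg in conditions)

# Step 3: single pattern on the bash `command` field.
SINGLE = [("command", "regex_match", r"rm\s+-rf")]
# Step 7: same pattern AND the command must not contain /tmp/.
TIGHTENED = SINGLE + [("command", "not_contains", "/tmp/")]
# Too-broad pattern from step 4, and one possible word-bounded fix (assumed).
TOO_BROAD = [("command", "regex_match", r"log")]
WORD_BOUNDED = [("command", "regex_match", r"\blog\b")]

# Constructed sample commands, not taken from a real session.
SAMPLES = [
    "rm -rf build/",
    "rm   -rf /tmp/scratch",
    "rm -rf build/ /tmp/cache",
    "git log --oneline",
    "./login.sh",
    "dialog --msgbox hi 5 20",
]

def matches(conditions, commands=SAMPLES):
    """Return the commands on which the rule would fire."""
    return [c for c in commands if rule_fires(conditions, {"command": c})]

if __name__ == "__main__":
    for label, rule in [("single", SINGLE), ("tightened", TIGHTENED),
                        ("too broad", TOO_BROAD), ("word-bounded", WORD_BOUNDED)]:
        print(f"{label:13} fires on {matches(rule)}")
```

The tightened rule stays silent on `rm -rf build/ /tmp/cache` because `not_contains` is a substring test over the whole command, so exemptions should be checked against commands that mix paths before the rule is trusted.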

The discipline that makes it work: verb-first names. `warn-rm-rf` reads as "this rule warns when rm-rf appears." `block-secrets-env` blocks. `require-tests-before-commit` requires. The convention makes a `/hookify-list` table scannable instead of a wall of opaque rule names.

## Receipts

_TODO — to be filled in from a real session. Once a Hookify rule has been authored and triggered in a real workflow, this section will capture: which regex pattern matched too broadly on first try (the upstream skill calls out `log` → "login" / "dialog" as the canonical bad-pattern example — receipts will document a similar one), how multi-condition rules behaved vs. single-pattern rules for the same workflow, and whether the warn vs. block action choice was right on first try or needed downgrading after false-positive friction._

## Source and attribution

From [Affaan M's everything-claude-code](https://github.com/affaan-m/everything-claude-code/tree/main/skills/hookify-rules) — an MIT-licensed skill collection covering harness construction, agent ops, video, payments, and platform-specific patterns.

License: MIT.