Claude Code
Native hooks integration for Claude Code.
Security Layer integrates natively with Claude Code via its hooks system. PreToolUse hooks evaluate actions before execution; PostToolUse hooks track taint after execution.
Setup
sl setup claude-code
This writes hooks to ~/.claude/hooks.json. No manual configuration needed.
How it works
PreToolUse hooks
Before Claude Code executes a tool, Security Layer evaluates the action:
| Tool | Capability | What's Checked |
|---|---|---|
| Bash | exec | Full command through security pipeline |
| Write | file.write | File path and content |
| Edit | file.write | File path and modifications |
| WebFetch | web_fetch | URL and request |
| NotebookEdit | file.write | Notebook path and cell changes |
If the action is denied, Claude Code receives an error message explaining why.
PostToolUse hooks
After a tool completes, Security Layer updates taint tracking:
| Tool | Effect |
|---|---|
| Bash | Track command execution context |
| Read | Elevate taint if file is from untrusted directory |
| WebFetch | Elevate taint to WEB_CONTENT |
Hook format
Each hook calls the Security Layer CLI:
# PreToolUse
sl hook claude-code --tool Bash --input "$TOOL_INPUT"
# PostToolUse
sl hook claude-code --tool Read --post --output "$TOOL_OUTPUT"
Verifying
Check that hooks are installed:
sl status
Look for "Claude Code hooks: installed" in the output.
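For a per-tool check rather than a single installed/not-installed answer, the sketch below (an added example, not part of Security Layer) scans a parsed hooks file for the `sl hook claude-code` commands shown under "Hook format" and lists the tools from the two tables that have no hook. The nesting of `SAMPLE`, the function names, and the premise that each tool has its own command line are assumptions; the scan walks every string value, so it does not depend on the file's real layout.

```python
import shlex

# Tool coverage taken from the two tables on this page.
EXPECTED_PRE = {"Bash", "Write", "Edit", "WebFetch", "NotebookEdit"}
EXPECTED_POST = {"Bash", "Read", "WebFetch"}

def iter_strings(node):
    """Yield every string value in a parsed JSON document, whatever its layout."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            yield from iter_strings(child)

def hook_coverage(config):
    """Return (pre_tools, post_tools) named by `sl hook claude-code` commands."""
    pre, post = set(), set()
    for text in iter_strings(config):
        try:
            argv = shlex.split(text)
        except ValueError:  # unbalanced quotes: not a usable command line
            continue
        if len(argv) < 3 or argv[0].rsplit("/", 1)[-1] != "sl":
            continue
        if argv[1:3] != ["hook", "claude-code"] or "--tool" not in argv:
            continue
        idx = argv.index("--tool") + 1
        if idx < len(argv):
            # --post marks a PostToolUse hook, as in the "Hook format" section.
            (post if "--post" in argv else pre).add(argv[idx])
    return pre, post

def missing_hooks(config):
    """Tools listed in the page's tables that have no matching hook command."""
    pre, post = hook_coverage(config)
    return {"PreToolUse": sorted(EXPECTED_PRE - pre),
            "PostToolUse": sorted(EXPECTED_POST - post)}

# Constructed sample: this nesting is an assumption, not the real file layout.
SAMPLE = {
    "PreToolUse": [
        {"command": 'sl hook claude-code --tool Bash --input "$TOOL_INPUT"'},
        {"command": '/usr/local/bin/sl hook claude-code --tool Write --input "$TOOL_INPUT"'},
    ],
    "PostToolUse": [
        {"command": 'sl hook claude-code --tool Read --post --output "$TOOL_OUTPUT"'},
    ],
}

if __name__ == "__main__":
    print(missing_hooks(SAMPLE))
```

Against a real install, load ~/.claude/hooks.json with `json.load` and pass the result to `missing_hooks`; any tool it reports is a reason to inspect the file or re-run `sl setup claude-code`.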
Removing
To remove Security Layer hooks from Claude Code, edit ~/.claude/hooks.json and remove the Security Layer entries, or delete the file to remove all hooks.
See also
- hook — Hook handler reference
- setup — Auto-setup command
- Shell shim — Alternative integration method