By bendean
Tiered permission approval and smart session-idle notifications for Claude Code
A Claude Code hook that routes permission requests through Claude itself using your existing subscription — no API key, no OpenRouter, no extra billing.
Permission Request → Tier 1: Safe? Auto-approve (instant)
→ Tier 2: Dangerous? Auto-deny (instant)
→ Tier 3: Ambiguous? Ask Claude via CLI (~2-5s)
→ Fallback: Can't decide? Show normal prompt
The hook calls claude -p (print mode) for ambiguous cases, which authenticates with your existing Claude Pro/Max subscription.
If you have a plugin marketplace configured:
/install-plugin drinking-bird
The hook registers automatically — no manual config needed.
git clone <repo-url> && cd drinking-bird
./install.sh
This copies the hook to ~/.claude/hooks/ and adds the config to ~/.claude/settings.json.
# 1. Copy the hook script
mkdir -p ~/.claude/hooks
cp hooks/permission-hook.py ~/.claude/hooks/permission-hook.py
chmod +x ~/.claude/hooks/permission-hook.py
# 2. Add to ~/.claude/settings.json (merge if file exists):
{
"hooks": {
"PermissionRequest": [
{
"matcher": "*",
"hooks": [
{
"type": "command",
"command": "python3 ~/.claude/hooks/permission-hook.py"
}
]
}
]
}
}
./uninstall.sh
Or manually: remove ~/.claude/hooks/permission-hook.py and delete the PermissionRequest hook entry from ~/.claude/settings.json.
Restart Claude Code after installing or uninstalling. Run /hooks to verify.
rm -rf /, rm -rf ~, fork bombs, dd if=sudo rm/chmod/chown/etc/shadow, /etc/passwd.env, secrets/, credentials, .aws/credentials, .ssh/id_*Everything else — Docker commands, npm install, git push, unfamiliar bash commands, file operations outside the project directory, MCP tool calls, etc.
Claude sees the tool name, full input, and working directory, and responds ALLOW / DENY / ASK. If it says ASK (or times out, or errors), you get the normal permission prompt.
Edit the lists at the top of hooks/permission-hook.py:
SAFE_TOOLS — tools to always approveSAFE_BASH_PREFIXES — bash command prefixes to always approveDANGEROUS_BASH_PATTERNS — bash patterns to always blockSENSITIVE_PATH_PATTERNS / SENSITIVE_BASENAME_PATTERNS — file paths to always block read/writeZero additional cost. The claude -p command uses your existing Pro or Max subscription. Each Tier 3 evaluation is a small, fast prompt (~200 input tokens, 1 output token).
Hook not firing: Run /hooks in Claude Code to verify the hook is registered. You may need to restart Claude Code after editing settings.
"claude: command not found": Make sure the Claude CLI is in your PATH. The hook will fall through to manual approval if it can't find the CLI.
Slow evaluations: The 15-second timeout ensures the hook never hangs. If Claude is slow, it falls through to manual approval. You can adjust the timeout in the script.
The name "drinking bird" comes from a Simpsons episode where Homer uses a drinking bird toy to automatically press "Y" on his keyboard at the nuclear power plant — which, predictably, triggers a meltdown.
The idea for this hook comes from Boris Cherny's Claude Code workflow, specifically step 8c: "Route permission requests to Opus 4.5 via a hook — let it scan for attacks and auto-approve the safe ones."
Matches all tools
Hooks run on every tool call, not just specific ones
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimBased on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
npx claudepluginhub bendean/drinking-birdSmart command safety filter for Claude Code — parses shell pipelines and evaluates per-command safety rules to auto-approve safe commands and block dangerous ones
Achieve flow state safely with Claude Code. Auto-approves routine work, gates risky actions, hard-blocks dangerous patterns. Dual enforcement (skill + hooks), token cap for cost governance, full audit trail. Zero dependencies.
PreToolUse hook that auto-approves safe Bash commands by parsing them into an AST and matching against configurable patterns
Safety hooks to block or require user approval for dangerous commands (rm, git operations, .env access, file size limits)
A secure runtime for Claude Code. Intercepts every tool call with policy-based allow/block/ask decisions, evasion detection, path fencing, file snapshots, and audit logging.
The most comprehensive Claude Code plugin — 48 agents, 184 skills, 68 legacy command shims, selective install profiles, and production-ready hooks for TDD, security scanning, code review, and continuous learning