diff --git a/content/copilot/tutorials/copilot-cli-hooks.md b/content/copilot/tutorials/copilot-cli-hooks.md
index 3b79078feb15..df23f1e92db4 100644
--- a/content/copilot/tutorials/copilot-cli-hooks.md
+++ b/content/copilot/tutorials/copilot-cli-hooks.md
@@ -394,15 +394,6 @@ fi
 
 COMMAND="$(echo "$TOOL_ARGS_RAW" | jq -r '.command // empty')"
 
-# ---------------------------------------------------------------------------
-# Demo-only deny rule for safe testing.
-# This blocks a harmless test command so you can validate the deny flow.
-# Remove this rule after confirming your hooks work as expected.
-# ---------------------------------------------------------------------------
-if echo "$COMMAND" | grep -q "COPILOT_HOOKS_DENY_DEMO"; then
-  deny "Blocked demo command (test rule). Remove this rule after validating hooks."
-fi
-
 deny() {
   local reason="$1"
 
@@ -431,6 +422,15 @@ deny() {
   exit 0
 }
 
+# ---------------------------------------------------------------------------
+# Demo-only deny rule for safe testing.
+# This blocks a harmless test command so you can validate the deny flow.
+# Remove this rule after confirming your hooks work as expected.
+# ---------------------------------------------------------------------------
+if echo "$COMMAND" | grep -q "COPILOT_HOOKS_DENY_DEMO"; then
+  deny "Blocked demo command (test rule). Remove this rule after validating hooks."
+fi
+
 # Privilege escalation
 if echo "$COMMAND" | grep -qE '\b(sudo|su|runas)\b'; then
   deny "Privilege escalation requires manual approval."