Hooks
Hooks are automated scripts that execute in response to specific events during Claude Code sessions. They enable automation, validation, permission management, and custom workflows.
Overview
Hooks are automated actions (shell commands, HTTP webhooks, LLM prompts, or subagent evaluations) that execute automatically when specific events occur in Claude Code. They receive JSON input and communicate results via exit codes and JSON output.
Key features:
- Event-driven automation
- JSON-based input/output
- Support for command, prompt, HTTP, and agent hook types
- Pattern matching for tool-specific hooks
Configuration
Hooks are configured in settings files with a specific structure:
~/.claude/settings.json- User settings (all projects).claude/settings.json- Project settings (shareable, committed).claude/settings.local.json- Local project settings (not committed)- Managed policy - Organization-wide settings
- Plugin
hooks/hooks.json- Plugin-scoped hooks - Skill/Agent frontmatter - Component lifetime hooks
Basic Configuration Structure
{
"hooks": {
"EventName": [
{
"matcher": "ToolPattern",
"hooks": [
{
"type": "command",
"command": "your-command-here",
"timeout": 60
}
]
}
]
}
}
Key fields:
| Field | Description | Example |
|---|---|---|
matcher | Pattern to match tool names (case-sensitive) | "Write", "Edit|Write", "*" |
hooks | Array of hook definitions | [{ "type": "command", ... }] |
type | Hook type: "command" (bash), "prompt" (LLM), "http" (webhook), or "agent" (subagent) | "command" |
command | Shell command to execute | "$CLAUDE_PROJECT_DIR/.claude/hooks/format.sh" |
timeout | Optional timeout in seconds (default 60) | 30 |
once | If true, run the hook only once per session | true |
Matcher Patterns
| Pattern | Description | Example |
|---|---|---|
| Exact string | Matches specific tool | "Write" |
| Regex pattern | Matches multiple tools | "Edit|Write" |
| Wildcard | Matches all tools | "*" or "" |
| MCP tools | Server and tool pattern | "mcp__memory__.*" |
Hook Types
Claude Code supports four hook types:
Command Hooks
The default hook type. Executes a shell command and communicates via JSON stdin/stdout and exit codes.
{
"type": "command",
"command": "python3 \"$CLAUDE_PROJECT_DIR/.claude/hooks/validate.py\"",
"timeout": 60
}
HTTP Hooks
Added in v2.1.63.
Remote webhook endpoints that receive the same JSON input as command hooks. HTTP hooks POST JSON to the URL and receive a JSON response. HTTP hooks are routed through the sandbox when sandboxing is enabled. Environment variable interpolation in URLs requires an explicit allowedEnvVars list for security.
{
"hooks": {
"PostToolUse": [{
"type": "http",
"url": "https://my-webhook.example.com/hook",
"matcher": "Write"
}]
}
}
Key properties:
"type": "http"-- identifies this as an HTTP hook"url"-- the webhook endpoint URL- Routed through sandbox when sandbox is enabled
- Requires explicit
allowedEnvVarslist for any environment variable interpolation in the URL
Prompt Hooks
LLM-evaluated prompts where the hook content is a prompt that Claude evaluates. Primarily used with Stop and SubagentStop events for intelligent task completion checking.
{
"type": "prompt",
"prompt": "Evaluate if Claude completed all requested tasks.",
"timeout": 30
}
The LLM evaluates the prompt and returns a structured decision (see Prompt-Based Hooks for details).
Agent Hooks
Subagent-based verification hooks that spawn a dedicated agent to evaluate conditions or perform complex checks. Unlike prompt hooks (single-turn LLM evaluation), agent hooks can use tools and perform multi-step reasoning.
{
"type": "agent",
"prompt": "Verify the code changes follow our architecture guidelines. Check the relevant design docs and compare.",
"timeout": 120
}
Key properties:
"type": "agent"-- identifies this as an agent hook"prompt"-- the task description for the subagent- The agent can use tools (Read, Grep, Bash, etc.) to perform its evaluation
- Returns a structured decision similar to prompt hooks
Hook Events
Claude Code supports 25 hook events:
| Event | When Triggered | Matcher Input | Can Block | Common Use |
|---|---|---|---|---|
| SessionStart | Session begins/resumes/clear/compact | startup/resume/clear/compact | No | Environment setup |
| InstructionsLoaded | After CLAUDE.md or rules file loaded | (none) | No | Modify/filter instructions |
| UserPromptSubmit | User submits prompt | (none) | Yes | Validate prompts |
| PreToolUse | Before tool execution | Tool name | Yes (allow/deny/ask) | Validate, modify inputs |
| PermissionRequest | Permission dialog shown | Tool name | Yes | Auto-approve/deny |
| PostToolUse | After tool succeeds | Tool name | No | Add context, feedback |
| PostToolUseFailure | Tool execution fails | Tool name | No | Error handling, logging |
| Notification | Notification sent | Notification type | No | Custom notifications |
| SubagentStart | Subagent spawned | Agent type name | No | Subagent setup |
| SubagentStop | Subagent finishes | Agent type name | Yes | Subagent validation |
| Stop | Claude finishes responding | (none) | Yes | Task completion check |
| StopFailure | API error ends turn | (none) | No | Error recovery, logging |
| TeammateIdle | Agent team teammate idle | (none) | Yes | Teammate coordination |
| TaskCompleted | Task marked complete | (none) | Yes | Post-task actions |
| TaskCreated | Task created via TaskCreate | (none) | No | Task tracking, logging |
| ConfigChange | Config file changes | (none) | Yes (except policy) | React to config updates |
| CwdChanged | Working directory changes | (none) | No | Directory-specific setup |
| FileChanged | Watched file changes | (none) | No | File monitoring, rebuild |
| PreCompact | Before context compaction | manual/auto | No | Pre-compact actions |
| PostCompact | After compaction completes | (none) | No | Post-compact actions |
| WorktreeCreate | Worktree being created | (none) | Yes (path return) | Worktree initialization |
| WorktreeRemove | Worktree being removed | (none) | No | Worktree cleanup |
| Elicitation | MCP server requests user input | (none) | Yes | Input validation |
| ElicitationResult | User responds to elicitation | (none) | Yes | Response processing |
| SessionEnd | Session terminates | (none) | No | Cleanup, final logging |
PreToolUse
Runs after Claude creates tool parameters and before processing. Use this to validate or modify tool inputs.
Configuration:
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "$CLAUDE_PROJECT_DIR/.claude/hooks/validate-bash.py"
}
]
}
]
}
}
Common matchers: Task, Bash, Glob, Grep, Read, Edit, Write, WebFetch, WebSearch
Output control:
permissionDecision:"allow","deny", or"ask"permissionDecisionReason: Explanation for decisionupdatedInput: Modified tool input parameters
PostToolUse
Runs immediately after tool completion. Use for verification, logging, or providing context back to Claude.
Configuration:
{
"hooks": {
"PostToolUse": [
{
"matcher": "Write|Edit",
"hooks": [
{
"type": "command",
"command": "$CLAUDE_PROJECT_DIR/.claude/hooks/security-scan.py"
}
]
}
]
}
}
Output control:
"block"decision prompts Claude with feedbackadditionalContext: Context added for Claude
UserPromptSubmit
Runs when user submits a prompt, before Claude processes it.
Configuration:
{
"hooks": {
"UserPromptSubmit": [
{
"hooks": [
{
"type": "command",
"command": "$CLAUDE_PROJECT_DIR/.claude/hooks/validate-prompt.py"
}
]
}
]
}
}
Output control:
decision:"block"to prevent processingreason: Explanation if blockedadditionalContext: Context added to prompt
Stop and SubagentStop
Run when Claude finishes responding (Stop) or a subagent completes (SubagentStop). Supports prompt-based evaluation for intelligent task completion checking.
Additional input field: Both Stop and SubagentStop hooks receive a last_assistant_message field in their JSON input, containing the final message from Claude or the subagent before stopping. This is useful for evaluating task completion.
Configuration:
{
"hooks": {
"Stop": [
{
"hooks": [
{
"type": "prompt",
"prompt": "Evaluate if Claude completed all requested tasks.",
"timeout": 30
}
]
}
]
}
}
SubagentStart
Runs when a subagent begins execution. The matcher input is the agent type name, allowing hooks to target specific subagent types.
Configuration:
{
"hooks": {
"SubagentStart": [
{
"matcher": "code-review",
"hooks": [
{
"type": "command",
"command": "$CLAUDE_PROJECT_DIR/.claude/hooks/subagent-init.sh"
}
]
}
]
}
}
SessionStart
Runs when session starts or resumes. Can persist environment variables.
Matchers: startup, resume, clear, compact
Special feature: Use CLAUDE_ENV_FILE to persist environment variables (also available in CwdChanged and FileChanged hooks):
#!/bin/bash
if [ -n "$CLAUDE_ENV_FILE" ]; then
echo 'export NODE_ENV=development' >> "$CLAUDE_ENV_FILE"
fi
exit 0
SessionEnd
Runs when session ends to perform cleanup or final logging. Cannot block termination.
Reason field values:
clear- User cleared the sessionlogout- User logged outprompt_input_exit- User exited via prompt inputother- Other reason
Configuration:
{
"hooks": {
"SessionEnd": [
{
"hooks": [
{
"type": "command",
"command": "\"$CLAUDE_PROJECT_DIR/.claude/hooks/session-cleanup.sh\""
}
]
}
]
}
}
Notification Event
Updated matchers for notification events:
permission_prompt- Permission request notificationidle_prompt- Idle state notificationauth_success- Authentication successelicitation_dialog- Dialog shown to user
Component-Scoped Hooks
Hooks can be attached to specific components (skills, agents, commands) in their frontmatter:
In SKILL.md, agent.md, or command.md:
---
name: secure-operations
description: Perform operations with security checks
hooks:
PreToolUse:
- matcher: "Bash"
hooks:
- type: command
command: "./scripts/check.sh"
once: true # Only run once per session
---
Supported events for component hooks: PreToolUse, PostToolUse, Stop
This allows defining hooks directly in the component that uses them, keeping related code together.
Hooks in Subagent Frontmatter
When a Stop hook is defined in a subagent's frontmatter, it is automatically converted to a SubagentStop hook scoped to that subagent. This ensures that the stop hook only fires when that specific subagent completes, rather than when the main session stops.
---
name: code-review-agent
description: Automated code review subagent
hooks:
Stop:
- hooks:
- type: prompt
prompt: "Verify the code review is thorough and complete."
# The above Stop hook auto-converts to SubagentStop for this subagent
---
PermissionRequest Event
Handles permission requests with custom output format:
{
"hookSpecificOutput": {
"hookEventName": "PermissionRequest",
"decision": {
"behavior": "allow|deny",
"updatedInput": {},
"message": "Custom message",
"interrupt": false
}
}
}
Hook Input and Output
JSON Input (via stdin)
All hooks receive JSON input via stdin:
{
"session_id": "abc123",
"transcript_path": "/path/to/transcript.jsonl",
"cwd": "/current/working/directory",
"permission_mode": "default",
"hook_event_name": "PreToolUse",
"tool_name": "Write",
"tool_input": {
"file_path": "/path/to/file.js",
"content": "..."
},
"tool_use_id": "toolu_01ABC123...",
"agent_id": "agent-abc123",
"agent_type": "main",
"worktree": "/path/to/worktree"
}
Common fields:
| Field | Description |
|---|---|
session_id | Unique session identifier |
transcript_path | Path to the conversation transcript file |
cwd | Current working directory |
hook_event_name | Name of the event that triggered the hook |
agent_id | Identifier of the agent running this hook |
agent_type | Type of agent ("main", subagent type name, etc.) |
worktree | Path to the git worktree, if the agent is running in one |
Exit Codes
| Exit Code | Meaning | Behavior |
|---|---|---|
| 0 | Success | Continue, parse JSON stdout |
| 2 | Blocking error | Block operation, stderr shown as error |
| Other | Non-blocking error | Continue, stderr shown in verbose mode |
JSON Output (stdout, exit code 0)
{
"continue": true,
"stopReason": "Optional message if stopping",
"suppressOutput": false,
"systemMessage": "Optional warning message",
"hookSpecificOutput": {
"hookEventName": "PreToolUse",
"permissionDecision": "allow",
"permissionDecisionReason": "File is in allowed directory",
"updatedInput": {
"file_path": "/modified/path.js"
}
}
}
Environment Variables
| Variable | Availability | Description |
|---|---|---|
CLAUDE_PROJECT_DIR | All hooks | Absolute path to project root |
CLAUDE_ENV_FILE | SessionStart, CwdChanged, FileChanged | File path for persisting env vars |
CLAUDE_CODE_REMOTE | All hooks | "true" if running in remote environments |
${CLAUDE_PLUGIN_ROOT} | Plugin hooks | Path to plugin directory |
${CLAUDE_PLUGIN_DATA} | Plugin hooks | Path to plugin data directory |
CLAUDE_CODE_SESSIONEND_HOOKS_TIMEOUT_MS | SessionEnd hooks | Configurable timeout in milliseconds for SessionEnd hooks (overrides default) |
Prompt-Based Hooks
For Stop and SubagentStop events, you can use LLM-based evaluation:
{
"hooks": {
"Stop": [
{
"hooks": [
{
"type": "prompt",
"prompt": "Review if all tasks are complete. Return your decision.",
"timeout": 30
}
]
}
]
}
}
LLM Response Schema:
{
"decision": "approve",
"reason": "All tasks completed successfully",
"continue": false,
"stopReason": "Task complete"
}
Examples
Example 1: Bash Command Validator (PreToolUse)
File: .claude/hooks/validate-bash.py
#!/usr/bin/env python3
import json
import sys
import re
BLOCKED_PATTERNS = [
(r"\brm\s+-rf\s+/", "Blocking dangerous rm -rf / command"),
(r"\bsudo\s+rm", "Blocking sudo rm command"),
]
def main():
input_data = json.load(sys.stdin)
tool_name = input_data.get("tool_name", "")
if tool_name != "Bash":
sys.exit(0)
command = input_data.get("tool_input", {}).get("command", "")
for pattern, message in BLOCKED_PATTERNS:
if re.search(pattern, command):
print(message, file=sys.stderr)
sys.exit(2) # Exit 2 = blocking error
sys.exit(0)
if __name__ == "__main__":
main()
Configuration:
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "python3 \"$CLAUDE_PROJECT_DIR/.claude/hooks/validate-bash.py\""
}
]
}
]
}
}
Example 2: Security Scanner (PostToolUse)
File: .claude/hooks/security-scan.py
#!/usr/bin/env python3
import json
import sys
import re
SECRET_PATTERNS = [
(r"password\s*=\s*['\"][^'\"]+['\"]", "Potential hardcoded password"),
(r"api[_-]?key\s*=\s*['\"][^'\"]+['\"]", "Potential hardcoded API key"),
]
def main():
input_data = json.load(sys.stdin)
tool_name = input_data.get("tool_name", "")
if tool_name not in ["Write", "Edit"]:
sys.exit(0)
tool_input = input_data.get("tool_input", {})
content = tool_input.get("content", "") or tool_input.get("new_string", "")
file_path = tool_input.get("file_path", "")
warnings = []
for pattern, message in SECRET_PATTERNS:
if re.search(pattern, content, re.IGNORECASE):
warnings.append(message)
if warnings:
output = {
"hookSpecificOutput": {
"hookEventName": "PostToolUse",
"additionalContext": f"Security warnings for {file_path}: " + "; ".join(warnings)
}
}
print(json.dumps(output))
sys.exit(0)
if __name__ == "__main__":
main()
Example 3: Auto-Format Code (PostToolUse)
File: .claude/hooks/format-code.sh
#!/bin/bash
# Read JSON from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | python3 -c "import sys, json; print(json.load(sys.stdin).get('tool_name', ''))")
FILE_PATH=$(echo "$INPUT" | python3 -c "import sys, json; print(json.load(sys.stdin).get('tool_input', {}).get('file_path', ''))")
if [ "$TOOL_NAME" != "Write" ] && [ "$TOOL_NAME" != "Edit" ]; then
exit 0
fi
# Format based on file extension
case "$FILE_PATH" in
*.js|*.jsx|*.ts|*.tsx|*.json)
command -v prettier &>/dev/null && prettier --write "$FILE_PATH" 2>/dev/null
;;
*.py)
command -v black &>/dev/null && black "$FILE_PATH" 2>/dev/null
;;
*.go)
command -v gofmt &>/dev/null && gofmt -w "$FILE_PATH" 2>/dev/null
;;
esac
exit 0
Example 4: Prompt Validator (UserPromptSubmit)
File: .claude/hooks/validate-prompt.py
#!/usr/bin/env python3
import json
import sys
import re
BLOCKED_PATTERNS = [
(r"delete\s+(all\s+)?database", "Dangerous: database deletion"),
(r"rm\s+-rf\s+/", "Dangerous: root deletion"),
]
def main():
input_data = json.load(sys.stdin)
prompt = input_data.get("user_prompt", "") or input_data.get("prompt", "")
for pattern, message in BLOCKED_PATTERNS:
if re.search(pattern, prompt, re.IGNORECASE):
output = {
"decision": "block",
"reason": f"Blocked: {message}"
}
print(json.dumps(output))
sys.exit(0)
sys.exit(0)
if __name__ == "__main__":
main()
Example 5: Intelligent Stop Hook (Prompt-Based)
{
"hooks": {
"Stop": [
{
"hooks": [
{
"type": "prompt",
"prompt": "Review if Claude completed all requested tasks. Check: 1) Were all files created/modified? 2) Were there unresolved errors? If incomplete, explain what's missing.",
"timeout": 30
}
]
}
]
}
}
Example 6: Context Usage Tracker (Hook Pairs)
Track token consumption per request using UserPromptSubmit (pre-message) and Stop (post-response) hooks together.
File: .claude/hooks/context-tracker.py
#!/usr/bin/env python3
"""
Context Usage Tracker - Tracks token consumption per request.
Uses UserPromptSubmit as "pre-message" hook and Stop as "post-response" hook
to calculate the delta in token usage for each request.
Token Counting Methods:
1. Character estimation (default): ~4 chars per token, no dependencies
2. tiktoken (optional): More accurate (~90-95%), requires: pip install tiktoken
"""
import json
import os
import sys
import tempfile
# Configuration
CONTEXT_LIMIT = 128000 # Claude's context window (adjust for your model)
USE_TIKTOKEN = False # Set True if tiktoken is installed for better accuracy
def get_state_file(session_id: str) -> str:
"""Get temp file path for storing pre-message token count, isolated by session."""
return os.path.join(tempfile.gettempdir(), f"claude-context-{session_id}.json")
def count_tokens(text: str) -> int:
"""
Count tokens in text.
Uses tiktoken with p50k_base encoding if available (~90-95% accuracy),
otherwise falls back to character estimation (~80-90% accuracy).
"""
if USE_TIKTOKEN:
try:
import tiktoken
enc = tiktoken.get_encoding("p50k_base")
return len(enc.encode(text))
except ImportError:
pass # Fall back to estimation
# Character-based estimation: ~4 characters per token for English
return len(text) // 4
def read_transcript(transcript_path: str) -> str:
"""Read and concatenate all content from transcript file."""
if not transcript_path or not os.path.exists(transcript_path):
return ""
content = []
with open(transcript_path, "r") as f:
for line in f:
try:
entry = json.loads(line.strip())
# Extract text content from various message formats
if "message" in entry:
msg = entry["message"]
if isinstance(msg.get("content"), str):
content.append(msg["content"])
elif isinstance(msg.get("content"), list):
for block in msg["content"]:
if isinstance(block, dict) and block.get("type") == "text":
content.append(block.get("text", ""))
except json.JSONDecodeError:
continue
return "\n".join(content)
def handle_user_prompt_submit(data: dict) -> None:
"""Pre-message hook: Save current token count before request."""
session_id = data.get("session_id", "unknown")
transcript_path = data.get("transcript_path", "")
transcript_content = read_transcript(transcript_path)
current_tokens = count_tokens(transcript_content)
# Save to temp file for later comparison
state_file = get_state_file(session_id)
with open(state_file, "w") as f:
json.dump({"pre_tokens": current_tokens}, f)
def handle_stop(data: dict) -> None:
"""Post-response hook: Calculate and report token delta."""
session_id = data.get("session_id", "unknown")
transcript_path = data.get("transcript_path", "")
transcript_content = read_transcript(transcript_path)
current_tokens = count_tokens(transcript_content)
# Load pre-message count
state_file = get_state_file(session_id)
pre_tokens = 0
if os.path.exists(state_file):
try:
with open(state_file, "r") as f:
state = json.load(f)
pre_tokens = state.get("pre_tokens", 0)
except (json.JSONDecodeError, IOError):
pass
# Calculate delta
delta_tokens = current_tokens - pre_tokens
remaining = CONTEXT_LIMIT - current_tokens
percentage = (current_tokens / CONTEXT_LIMIT) * 100
# Report usage
method = "tiktoken" if USE_TIKTOKEN else "estimated"
print(f"Context ({method}): ~{current_tokens:,} tokens ({percentage:.1f}% used, ~{remaining:,} remaining)", file=sys.stderr)
if delta_tokens > 0:
print(f"This request: ~{delta_tokens:,} tokens", file=sys.stderr)
def main():
data = json.load(sys.stdin)
event = data.get("hook_event_name", "")
if event == "UserPromptSubmit":
handle_user_prompt_submit(data)
elif event == "Stop":
handle_stop(data)
sys.exit(0)
if __name__ == "__main__":
main()
Configuration:
{
"hooks": {
"UserPromptSubmit": [
{
"hooks": [
{
"type": "command",
"command": "python3 \"$CLAUDE_PROJECT_DIR/.claude/hooks/context-tracker.py\""
}
]
}
],
"Stop": [
{
"hooks": [
{
"type": "command",
"command": "python3 \"$CLAUDE_PROJECT_DIR/.claude/hooks/context-tracker.py\""
}
]
}
]
}
}
How it works:
UserPromptSubmitfires before your prompt is processed - saves current token countStopfires after Claude responds - calculates delta and reports usage- Each session is isolated via
session_idin the temp filename
Token Counting Methods:
| Method | Accuracy | Dependencies | Speed |
|---|---|---|---|
| Character estimation | ~80-90% | None | <1ms |
| tiktoken (p50k_base) | ~90-95% | pip install tiktoken | <10ms |
Note: Anthropic hasn't released an official offline tokenizer. Both methods are approximations. The transcript includes user prompts, Claude's responses, and tool outputs, but NOT system prompts or internal context.
Example 7: Seed Auto-Mode Permissions (One-Time Setup Script)
A one-time setup script that seeds ~/.claude/settings.json with ~67 safe permission rules equivalent to Claude Code's auto-mode baseline — without any hook, without remembering future choices. Run it once; safe to re-run (skips rules already present).
File: 09-advanced-features/setup-auto-mode-permissions.py
# Preview what would be added
python3 09-advanced-features/setup-auto-mode-permissions.py --dry-run
# Apply
python3 09-advanced-features/setup-auto-mode-permissions.py
What gets added:
| Category | Examples |
|---|---|
| Built-in tools | Read(*), Edit(*), Write(*), Glob(*), Grep(*), Agent(*), WebSearch(*) |
| Git read | Bash(git status:*), Bash(git log:*), Bash(git diff:*) |
| Git write (local) | Bash(git add:*), Bash(git commit:*), Bash(git checkout:*) |
| Package managers | Bash(npm install:*), Bash(pip install:*), Bash(cargo build:*) |
| Build & test | Bash(make:*), Bash(pytest:*), Bash(go test:*) |
| Common shell | Bash(ls:*), Bash(cat:*), Bash(find:*), Bash(cp:*), Bash(mv:*) |
| GitHub CLI | Bash(gh pr view:*), Bash(gh pr create:*), Bash(gh issue list:*) |
What is intentionally excluded (never added by this script):
rm -rf,sudo, force push,git reset --hardDROP TABLE,kubectl delete,terraform destroynpm publish,curl | bash, production deploys
Plugin Hooks
Plugins can include hooks in their hooks/hooks.json file:
File: plugins/hooks/hooks.json
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "${CLAUDE_PLUGIN_ROOT}/scripts/validate.sh"
}
]
}
]
}
}
Environment Variables in Plugin Hooks:
${CLAUDE_PLUGIN_ROOT}- Path to the plugin directory${CLAUDE_PLUGIN_DATA}- Path to the plugin data directory
This allows plugins to include custom validation and automation hooks.
MCP Tool Hooks
MCP tools follow the pattern mcp__<server>__<tool>:
{
"hooks": {
"PreToolUse": [
{
"matcher": "mcp__memory__.*",
"hooks": [
{
"type": "command",
"command": "echo '{\"systemMessage\": \"Memory operation logged\"}'"
}
]
}
]
}
}
Security Considerations
Disclaimer
USE AT YOUR OWN RISK: Hooks execute arbitrary shell commands. You are solely responsible for:
- Commands you configure
- File access/modification permissions
- Potential data loss or system damage
- Testing hooks in safe environments before production use
Security Notes
- Workspace trust required: The
statusLineandfileSuggestionhook output commands now require workspace trust acceptance before they take effect. - HTTP hooks and environment variables: HTTP hooks require an explicit
allowedEnvVarslist to use environment variable interpolation in URLs. This prevents accidental leakage of sensitive environment variables to remote endpoints. - Managed settings hierarchy: The
disableAllHookssetting now respects the managed settings hierarchy, meaning organization-level settings can enforce hook disablement that individual users cannot override.
Best Practices
| Do | Don't |
|---|---|
| Validate and sanitize all inputs | Trust input data blindly |
Quote shell variables: "$VAR" | Use unquoted: $VAR |
Block path traversal (..) | Allow arbitrary paths |
Use absolute paths with $CLAUDE_PROJECT_DIR | Hardcode paths |
Skip sensitive files (.env, .git/, keys) | Process all files |
| Test hooks in isolation first | Deploy untested hooks |
Use explicit allowedEnvVars for HTTP hooks | Expose all env vars to webhooks |
Debugging
Enable Debug Mode
Run Claude with debug flag for detailed hook logs:
claude --debug
Verbose Mode
Use Ctrl+O in Claude Code to enable verbose mode and see hook execution progress.
Test Hooks Independently
# Test with sample JSON input
echo '{"tool_name": "Bash", "tool_input": {"command": "ls -la"}}' | python3 .claude/hooks/validate-bash.py
# Check exit code
echo $?
Complete Configuration Example
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "python3 \"$CLAUDE_PROJECT_DIR/.claude/hooks/validate-bash.py\"",
"timeout": 10
}
]
}
],
"PostToolUse": [
{
"matcher": "Write|Edit",
"hooks": [
{
"type": "command",
"command": "\"$CLAUDE_PROJECT_DIR/.claude/hooks/format-code.sh\"",
"timeout": 30
},
{
"type": "command",
"command": "python3 \"$CLAUDE_PROJECT_DIR/.claude/hooks/security-scan.py\"",
"timeout": 10
}
]
}
],
"UserPromptSubmit": [
{
"hooks": [
{
"type": "command",
"command": "python3 \"$CLAUDE_PROJECT_DIR/.claude/hooks/validate-prompt.py\""
}
]
}
],
"SessionStart": [
{
"matcher": "startup",
"hooks": [
{
"type": "command",
"command": "\"$CLAUDE_PROJECT_DIR/.claude/hooks/session-init.sh\""
}
]
}
],
"Stop": [
{
"hooks": [
{
"type": "prompt",
"prompt": "Verify all tasks are complete before stopping.",
"timeout": 30
}
]
}
]
}
}
Hook Execution Details
| Aspect | Behavior |
|---|---|
| Timeout | 60 seconds default, configurable per command |
| Parallelization | All matching hooks run in parallel |
| Deduplication | Identical hook commands deduplicated |
| Environment | Runs in current directory with Claude Code's environment |
Troubleshooting
Hook Not Executing
- Verify JSON configuration syntax is correct
- Check matcher pattern matches the tool name
- Ensure script exists and is executable:
chmod +x script.sh - Run
claude --debugto see hook execution logs - Verify hook reads JSON from stdin (not command args)
Hook Blocks Unexpectedly
- Test hook with sample JSON:
echo '{"tool_name": "Write", ...}' | ./hook.py - Check exit code: should be 0 for allow, 2 for block
- Check stderr output (shown on exit code 2)
JSON Parsing Errors
- Always read from stdin, not command arguments
- Use proper JSON parsing (not string manipulation)
- Handle missing fields gracefully
Installation
Step 1: Create Hooks Directory
mkdir -p ~/.claude/hooks
Step 2: Copy Example Hooks
cp 06-hooks/*.sh ~/.claude/hooks/
chmod +x ~/.claude/hooks/*.sh
Step 3: Configure in Settings
Edit ~/.claude/settings.json or .claude/settings.json with the hook configuration shown above.
Related Concepts
- Checkpoints and Rewind - Save and restore conversation state
- Slash Commands - Create custom slash commands
- Skills - Reusable autonomous capabilities
- Subagents - Delegated task execution
- Plugins - Bundled extension packages
- Advanced Features - Explore advanced Claude Code capabilities
Additional Resources
- Official Hooks Documentation - Complete hooks reference
- CLI Reference - Command-line interface documentation
- Memory Guide - Persistent context configuration