hook-development

Hook Development for Claude Code Plugins

Overview

Hooks are event-driven automation scripts that execute in response to Claude Code events. Use hooks to validate operations, enforce policies, add context, and integrate external tools into workflows.

Key capabilities:

Validate tool calls before execution (PreToolUse)
React to tool results (PostToolUse)
Enforce completion standards (Stop, SubagentStop)
Load project context (SessionStart)
Automate workflows across the development lifecycle

Hook Types

Prompt-Based Hooks (Recommended)

Use LLM-driven decision making for context-aware validation:

{ "type": "prompt", "prompt": "Evaluate if this tool use is appropriate: $TOOL_INPUT", "timeout": 30 }

Supported events: Stop, SubagentStop, UserPromptSubmit, PreToolUse

Benefits:

Context-aware decisions based on natural language reasoning
Flexible evaluation logic without bash scripting
Better edge case handling
Easier to maintain and extend

Command Hooks

Execute bash commands for deterministic checks:

{ "type": "command", "command": "bash ${CLAUDE_PLUGIN_ROOT}/scripts/validate.sh", "timeout": 60 }

Use for:

Fast deterministic validations
File system operations
External tool integrations
Performance-critical checks

Hook Configuration Formats

Plugin hooks.json Format

For plugin hooks in hooks/hooks.json, use wrapper format:

{
  "description": "Brief explanation of hooks (optional)",
  "hooks": {
    "PreToolUse": [...],
    "Stop": [...],
    "SessionStart": [...]
  }
}

Settings Format (Direct)

For user settings in .claude/settings.json, use direct format:

{
  "PreToolUse": [...],
  "Stop": [...],
  "SessionStart": [...]
}

Hook Events

PreToolUse

Execute before any tool runs. Use to approve, deny, or modify tool calls.

{
  "PreToolUse": [
    {
      "matcher": "Write|Edit",
      "hooks": [
        {
          "type": "prompt",
          "prompt": "Validate file write safety. Check: system paths, credentials, path traversal, sensitive content. Return 'approve' or 'deny'."
        }
      ]
    }
  ]
}

Output for PreToolUse:

{
  "hookSpecificOutput": {
    "permissionDecision": "allow|deny|ask",
    "updatedInput": {"field": "modified_value"}
  },
  "systemMessage": "Explanation for Claude"
}

PostToolUse

Execute after tool completes. Use to react to results, provide feedback, or log.

Output behavior:

Exit 0: stdout shown in transcript
Exit 2: stderr fed back to Claude
systemMessage included in context

Stop

Execute when main agent considers stopping. Use to validate completeness.

Decision output:

{
  "decision": "approve|block",
  "reason": "Explanation",
  "systemMessage": "Additional context"
}

SubagentStop

Execute when subagent considers stopping. Use to ensure subagent completed its task.

UserPromptSubmit

Execute when user submits a prompt. Use to add context, validate, or block prompts.

SessionStart

Execute when Claude Code session begins. Use to load context and set environment.

Special capability: Persist environment variables using $CLAUDE_ENV_FILE:

echo "export PROJECT_TYPE=nodejs" >> "$CLAUDE_ENV_FILE"

SessionEnd

Execute when session ends. Use for cleanup, logging, and state preservation.

PreCompact

Execute before context compaction. Use to add critical information to preserve.

Notification

Execute when Claude sends notifications. Use to react to user notifications.

Hook Output Format

Standard Output (All Hooks)

{
  "continue": true,
  "suppressOutput": false,
  "systemMessage": "Message for Claude"
}

continue: If false, halt processing (default true)
suppressOutput: Hide output from transcript (default false)
systemMessage: Message shown to Claude

Exit Codes

0: Success (stdout shown in transcript)
2: Blocking error (stderr fed back to Claude)
Other: Non-blocking error

Environment Variables

Available in all command hooks:

$CLAUDE_PROJECT_DIR - Project root path
$CLAUDE_PLUGIN_ROOT - Plugin directory (use for portable paths)
$CLAUDE_ENV_FILE - SessionStart only: persist env vars here
$CLAUDE_CODE_REMOTE - Set if running in remote context

Always use ${CLAUDE_PLUGIN_ROOT} in hook commands for portability.

Matchers

Tool Name Matching

Exact match:

"matcher": "Write"

Multiple tools:

"matcher": "Read|Write|Edit"

Wildcard (all tools):

"matcher": "*"

Regex patterns:

"matcher": "mcp__.*__delete.*"

Note: Matchers are case-sensitive.

Security Best Practices

Input Validation

Always validate inputs in command hooks:

#!/bin/bash
set -euo pipefail
input=$(cat)
tool_name=$(echo "$input" | jq -r '.tool_name')

# Validate tool name format
if [[ ! "$tool_name" =~ ^[a-zA-Z0-9_]+$ ]]; then
  echo '{"decision": "deny", "reason": "Invalid tool name"}' >&2
  exit 2
fi

Path Safety

Check for path traversal and sensitive files:

file_path=$(echo "$input" | jq -r '.tool_input.file_path')

# Deny path traversal
if [[ "$file_path" == *".."* ]]; then
  echo '{"decision": "deny", "reason": "Path traversal detected"}' >&2
  exit 2
fi

# Deny sensitive files
if [[ "$file_path" == *".env"* ]]; then
  echo '{"decision": "deny", "reason": "Sensitive file"}' >&2
  exit 2
fi

Quote All Variables

# GOOD: Quoted
echo "$file_path"
cd "$CLAUDE_PROJECT_DIR"

# BAD: Unquoted (injection risk)
echo $file_path
cd $CLAUDE_PROJECT_DIR

Performance Considerations

Parallel Execution

All matching hooks run in parallel:

{
  "PreToolUse": [
    {
      "matcher": "Write",
      "hooks": [
        {"type": "command", "command": "check1.sh"},
        {"type": "command", "command": "check2.sh"},
        {"type": "prompt", "prompt": "Validate..."}
      ]
    }
  ]
}

Design implications:

Hooks don't see each other's output
Non-deterministic ordering
Design for independence

Optimization

Use command hooks for quick deterministic checks
Use prompt hooks for complex reasoning
Cache validation results in temp files
Minimize I/O in hot paths

Debugging Hooks

Enable Debug Mode

claude --debug

Look for hook registration, execution logs, input/output JSON, and timing information.

Test Hook Scripts

Test command hooks directly:

echo '{"tool_name": "Write", "tool_input": {"file_path": "/test"}}' | \
  bash ${CLAUDE_PLUGIN_ROOT}/scripts/validate.sh
echo "Exit code: $?"

Quick Reference

DO:

✅ Use prompt-based hooks for complex logic
✅ Use ${CLAUDE_PLUGIN_ROOT} for portability
✅ Validate all inputs in command hooks
✅ Quote all bash variables
✅ Set appropriate timeouts
✅ Return structured JSON output
✅ Test hooks thoroughly

DON'T:

❌ Use hardcoded paths
❌ Trust user input without validation
❌ Create long-running hooks
❌ Rely on hook execution order
❌ Modify global state unpredictably
❌ Log sensitive information

Implementation Workflow

Identify events to hook into (PreToolUse, Stop, SessionStart, etc.)
Decide between prompt-based (flexible) or command (deterministic) hooks
Write hook configuration in hooks/hooks.json
For command hooks, create hook scripts
Use ${CLAUDE_PLUGIN_ROOT} for all file references
Validate configuration with scripts/validate-hook-schema.sh hooks/hooks.json
Test hooks with scripts/test-hook.sh before deployment
Test in Claude Code with claude --debug
Document hooks in plugin README

Additional Resources

Official Docs
Use claude --debug for detailed logs
Use jq to validate hook JSON output

Description

How to Use

Full Skill Documentation