What is a Claude Code hook?

A user-defined handler, most often a command, that Claude Code runs automatically at a named lifecycle event, such as before or after a tool call. The runtime decides when it fires, so the agent has to clear the gate rather than choose whether to honor it. That is what makes a hook deterministic where a system prompt, a CLAUDE.md instruction, or a skill is advisory.

What belongs in a hook versus CLAUDE.md or a skill?

A rule belongs in a hook when its violation must be stopped at a blockable event and can be seen before the action lands. A rule that usually applies and tolerates judgment belongs in CLAUDE.md as advisory context. A procedure the model should follow when a task calls for it belongs in a skill. A skill says here is how to do this; a hook says this will not happen unless the gate passes.

Can a hook fully sandbox an agent?

No. A hook is the enforcement foundation, not a complete perimeter. The surface leaks where the model can route around the gate (a subagent dispatch, an alternate tool that reaches the same outcome) or modify the gate's own configuration. The mature posture pairs the gate with protected configuration the model cannot edit and with explicit governance of how subagents inherit it.

Cornerstone Guide

Claude Code Hooks in Production: The Gate the Model Doesn't Get to Skip

Q: Why is a fail-open hook worse than no hook?

With no hook you know nothing is enforced and you act accordingly. A fail-open hook, one that logs an error and lets the action proceed because it exited with the wrong signal or was skipped by an allow rule, makes you believe a rule holds when nothing is enforcing it. You approve riskier automated work on the strength of that belief, and the transcript even shows the gate ran. The failure is invisible to retrospective review. A hook you knowingly run as advisory, and watch for failures, is not worse than nothing; it just is not enforcement.

Why a hook is the layer of an agentic coding stack the model cannot choose to skip, why a fail-open hook can be worse than no hook, and where enforcement belongs.

Last reviewed May 31, 2026

Claude Code hook CLAUDE.md Agentic AI governance Production agentic delivery AI authoring trust chain

Why is a hook the one rule an agent can't skip?

Most of what you tell an AI coding agent is a request. A system prompt asks. So does a CLAUDE.md file, in writing and on repeat, and the model reads it and usually complies. Skills teach a procedure the model loads when a task seems to call for it. All three are advisory: the model decides, every time, whether to honor them.

A hook is different. It does not ask. The runtime fires it at a fixed point in the lifecycle, and the agent has to clear it before the action proceeds. Be precise about that claim, because the rest of this guide leans on it. The model cannot choose to skip a gate that fires, and that lack of choice is the property that holds. Whether the gate covers every route to the same outcome is a separate question, one I come back to honestly later, because the answer is not always yes.

Anthropic's own documentation draws the line in one sentence:

They provide deterministic control over Claude Code's behavior, ensuring certain actions always happen rather than relying on the LLM to choose to run them. Anthropic, "Automate workflows with hooks"

The Claude Code hook glossary entry this page extends frames the same property as a trust inversion: the runtime decides when the gate fires, and the agent has to clear it rather than the other way around. The contrast with CLAUDE.md is the whole point. The same guide points you to CLAUDE.md instead when what you want is to inject context at session start, the place the model reads as it loads. The hook is the command the runtime executes regardless. I made this distinction the headline answer when four hundred engineers asked what hooks were for: CLAUDE.md asks, a skill teaches, a hook enforces.

That distinction matters because advisory guidance is demonstrably not holding at scale. The Cloud Security Alliance's 2026 survey of AI-agent scope violations found that more than half of organizations have had their AI agents exceed intended permissions, and fewer than one in ten report agents that never do. That survey measures the size of the risk class, not its single cause, but a number that large is hard to square with advisory guidance reliably holding. The gap between telling an agent a rule and the agent complying is the failure mode the hook exists to close.

What can a hook gate, and what can't it?

A hook binds to a named lifecycle event, and the choice of event is the rule's structure, not a configuration detail. You declare that binding in Claude Code's settings, and the runtime fires the hook only when the event and its matcher line up with the action in front of it; the tool-permission rules are a separate surface that can decide whether the gate is even reached. The hooks reference documents events across the session, the turn, and the agentic tool-call loop. The two that carry most production enforcement are the pair around a tool call. A hook bound before a tool call can pass the action, rewrite its inputs, or block it outright. A hook bound after the call can react to the result or record it, but it cannot un-happen the call it just observed. A rule that must prevent something fires before. A rule that must record something fires after. Picking the wrong one is not a tuning mistake; it is a category error that leaves the rule unable to do its job.

What a hook gates is the action, not the decision behind it. It sees the write the agent is about to make, never the reasoning that produced the write. That boundary is the source of both its strength and its limits. The strength: where it binds, it binds hard. A hook that denies a tool call blocks it even when the session is running in a mode that skips the usual permission prompts, per the hooks guide. The limit is the mirror image: a hook can tighten what is allowed, but it cannot loosen a rule the surrounding permission settings already deny. It is a one-way ratchet toward more restriction.

There is a deliberate exception to the determinism. The same guide notes that for decisions that require judgment rather than fixed rules, you can use prompt-based or agent-based hooks that call a model to evaluate the condition. That is a useful escape hatch, and it is also where the determinism stops: a hook that asks a model whether to block has reintroduced the same probabilistic judgment the deterministic gate was meant to replace. For a rule that must hold every time, a plain command hook is the honest instrument.

Why is a fail-open hook worse than no hook?

This is the thesis's load-bearing claim, and it turns on a mechanism most treatments skip.

Start with the exit code. The hooks reference is explicit that for the events that can block, exit code 2 blocks the action, while any other code, including the conventional Unix failure code 1, is a non-blocking error and the action proceeds. So a gate written with an idiomatic exit 1 on failure, which is what most scripting languages do by default on an uncaught error, logs a complaint and then lets the action through. It looks installed. It enforces nothing. The same is true when a wrapper swallows an error and the hook exits 0 anyway: no blocking output, a success exit code, and the runtime reads that as no objection.

The subtler trap is precedence. A January 2026 report against an earlier version, issue #18312, documented that when a tool sat in the allow list, a hook returning a deny decision was ignored: in the reporter's words, the command executes regardless of the hook's decision. Anthropic's current docs describe the opposite as the intended behavior, with deny taking precedence over allow, and that gap is itself the point. The distance between what the docs say should happen and what a given version actually does is invisible until something slips through it. I have hit the same precedence class on my own systems, in the sharper variant where an allow rule matched first and the gate never ran at all. Its isolation tests stayed green on synthetic input the whole time, so nothing surfaced the bypass. The fix was structural, not a stronger instruction: a paired deny entry, so the allow rule could no longer wave the action through without the gate getting a vote, plus a manual fresh-session probe rather than trust in a passing unit test. The compatibility scanner I built audits the configuration layer for exactly this kind of drift, and it surfaced a deprecated setting that had been failing silently for weeks, written off as cost variance until the scan named the cause.

Here is why the title of this section is not a rhetorical flourish. With no hook, you know nothing is enforced, and you make decisions accordingly. With a fail-open hook, you believe a rule holds, and you approve riskier automated work on the strength of that belief. Worse, the transcript shows the gate ran, so the failure is invisible to anyone reviewing afterward. A silent fail-open that a team trusts as fail-closed does not merely fail to help. It manufactures enforcement that is not there, and it manufactures the audit trail that hides the absence. A hook everyone knows is advisory, and watches for failures, is not worse than nothing; it simply is not enforcement. The dangerous case is the gate believed to be holding. Collected in one place, a hook fails open in five common ways: it never fires, it fires only after the action it should have stopped, it returns a non-blocking signal, an allow rule or permission setting takes precedence and skips it, or it guards one path while the agent reaches the same outcome through another. Those are the common ones, not a complete set: a tampered or disabled config, a race between the check and the effect, and plain false-negative logic fail open the same way. Every one of them leaves a transcript that looks like the gate did its job.

The strongest counter to all of this is worth stating in full, because it is correct. A practitioner request for a runtime tool-gate argues that hooks are necessary but insufficient, backed by production data across more than 545 tasks and a catalogue of bypass paths: a subagent dispatch can sidestep the parent session's gates, the model can rewrite the gate's own configuration, an alternate tool can reach the outcome the gate scoped out. That is the honest frame, and I hold it. The hook is the enforcement foundation, not a complete perimeter. Its value is entirely contingent on two things: that it fails closed, and that you know where its surface leaks. Neither of those is automatic, and a team that treats the gate as a guarantee rather than a foundation has talked itself into the same false confidence as the team running an exit-1 hook.

Where does enforcement belong: a hook, CLAUDE.md, or a skill?

The boundary is a routing decision, and getting it right is most of the skill. A rule belongs in a hook only when its violation must be stopped at a blockable lifecycle event and can be seen before the action lands. A rule that usually applies and tolerates judgment is advisory context in CLAUDE.md. When the thing you want is a procedure the model should follow once a task calls for it, that belongs in a skill. I wrote a full decision tree for where each rule goes; the compressed version is that a skill says here is how to do this thing, while a hook says this thing will not happen unless the gate passes. When a project needs the latter, a skill that tries hard to enforce the same rule is structurally a wish.

A concrete case makes the line obvious. When half a team is on one model version and half on another, the directive "always pin the model version" sitting in CLAUDE.md is a request that each agent may or may not honor. A hook that blocks a call carrying a deprecated parameter is a guarantee that holds regardless. Same rule, two homes, completely different reliability.

The discipline cuts both ways, and over-gating is its own failure mode. A hook on a frequent event pays its latency on every single trigger, and a flaky hook command surfaces as the silent fail-open described above. A stylistic preference ("write it this way") is not structural and does not belong in a gate at all; forced into one, it adds fragility and latency while buying no enforcement that matters. The test I apply has two parts. Route a rule to a hook only when its violation is something the model must be unable to do, and only when that violation is visible at a blockable lifecycle event before the action lands. Plenty of must-hold rules fail the second part: semantic correctness, test coverage, an architectural boundary the runtime cannot see at the moment of the call. Those belong in a validator, a sandbox, or a branch protection, not in a hook pretending to cover them.

How do hooks make agentic work auditable?

Agentic AI governance becomes deterministic at exactly the point where a rule moves out of a policy document the agent can ignore and into a gate it cannot choose to skip once a route reaches the gated event. That is the difference between "we told the agents the policy" and "the runtime checks before the action," and it is the difference that holds up under audit. A policy you asked an agent to follow leaves no evidence that it was followed. A gate that blocks leaves a record that one attempt was prevented.

The need grows with autonomy. A second Cloud Security Alliance survey found that more than four in five enterprises have unknown AI agents in their environment, and nearly two-thirds had an agent-related incident in the past year. When a single run can fan out across many subagents with no human in the loop, the deterministic gate is the part of the system that survives the run where the model talks itself past the rule, at least for the actions that pass through the gated surface. This is the same posture I argued for in who owns the verification loop: the load-bearing piece is the check between the change and the artifact, not the prompt. The hook is where production agentic delivery and the AI authoring trust chain get their teeth, as a chain of deny-by-default gates between the agent and the shipped result.

There is an honest limit here too, and skipping it would undercut the whole argument. The hook layer is itself a surface that can be attacked and can fail. A security analysis of this emerging runtime-enforcement layer notes that the gates can become a vector in their own right and that approval fatigue erodes the human-in-the-loop the layer often leans on. A block record is positive evidence that one attempt was stopped, not proof that a policy held: a real audit trail also needs durable pass-and-block logs, the hook version and configuration that produced them, and a map of which paths the gate actually covers. The mature posture pairs the gate with configuration the model cannot edit and with an explicit decision about how subagents inherit, or do not inherit, the gates above them. The hook is the foundation of deterministic governance. It is not the whole building, and selling it as the whole building is how the false sense of enforcement gets in.

When I scope a Claude Code infrastructure engagement, the deterministic gate layer, its fail-closed discipline, and a map of where its surface leaks are part of what I set up, alongside the broader production practice the gates sit inside.

How does this page stay current?

This cornerstone is the deep companion to the Claude Code hook glossary entry and a peer of Running Claude Code as a Production Engineering Practice. Its anchor is the primary artifact, a first-party operational record of the gate layer I run, updated when a new failure mode is observed or an existing mitigation evolves. The Sources roster tracks the freshness of each external anchor under the 3-month AI/SaaS cap and the 6-month tool-capability cap that govern this site's authority pages; a row past its cap is held only when a documented search trail shows nothing fresher qualified.

The hook does not stand alone. Skills carry the procedural knowledge a model loads on demand; MCP servers carry the external-system access the model otherwise cannot reach; the hook is the deterministic gate that runs on top of either when a rule has to hold every time. The composition rule I use is to route each rule to the layer that matches its enforcement need, and to reserve the hook for what the agent must be unable to do.