Hooks Reference¶
Hooks run automatically at specific points during your Claude Code session. You don't invoke them — they protect you.
Active hooks¶
PreToolUse hooks (before file writes)¶
| Hook | Priority | Blocking | What it does |
|---|---|---|---|
| secret-scanner | 100 | Yes | Detects hardcoded API keys, passwords, tokens, AWS keys, Bearer tokens, GitHub tokens, Slack tokens. Blocks the write if found. |
| partition-guard | 90 | Advisory | Warns when files are written to wrong repo partitions. Checks .repo-manifest.yaml for boundaries. |
PostToolUse hooks (after file writes)¶
| Hook | Priority | Blocking | What it does |
|---|---|---|---|
| security-lint | 100 | Advisory | Checks for eval(), innerHTML, raw SQL, disabled security settings in TypeScript/JavaScript files. |
| commit-size-monitor | 80 | Advisory | Monitors commit sizes to prevent oversized commits. |
SessionStart hook¶
| Hook | Priority | What it does |
|---|---|---|
| session-start | 10 | Injects lightweight project context: current branch, recent commits, workflow phase, pending items, reminders. |
Stop hook¶
| Hook | Timeout | What it does |
|---|---|---|
| quality-gate | 60s | Runs final quality checks at session end. |
How hooks work¶
Hooks are defined in plugins/core-standards/hooks/hooks.json and executed by Claude Code's hook system.
- Blocking hooks (exit code 1) prevent the action from completing
- Advisory hooks (exit code 0) show warnings but don't block
Secret scanner patterns¶
The secret scanner detects these patterns:
api_key=,secret_key=,password=Bearertokens- AWS access keys (
AKIA...) - GitHub tokens (
ghp_...) - Slack tokens (
xox...) - Generic
sk-prefixed keys
If you need to use credentials, use environment variables: