PostToolUse hooks: support updatedBuiltinToolOutput for built-in tools

[kyle-aungst]

Summary

PostToolUse hooks can replace MCP tool output via updatedMCPToolOutput, but there is no equivalent for built-in tools (WebFetch, WebSearch, Bash, Read, etc.). When scanning external content for prompt injection, this means MCP tool output can be sanitized/replaced, but built-in tool output can only have warnings injected alongside it.

Use case

Security scanning hooks that detect prompt injection in WebFetch responses currently cannot replace the malicious content before the model sees it. They can only add warnings via "decision": "block" (which injects a reason string) or additionalContext. The original malicious content still reaches the model.

For MCP tools, updatedMCPToolOutput solves this cleanly: the hook replaces the output with a sanitized version.

Proposal

Add updatedBuiltinToolOutput (or similar) to the PostToolUse hook contract, allowing hooks to replace the tool result for built-in tools the same way updatedMCPToolOutput works for MCP tools.

This would enable:

• Replacing WebFetch output with quarantine-extracted content
• Stripping malicious payloads from Bash command output
• Consistent security scanning across all tool types

[VoxCore84]

Strong +1 on this. We run 17 hooks in production (PreToolUse, PostToolUse, PreCompact, Stop, etc.) and this is a real gap.

Our concrete use case: we have a PostToolUse edit-verifier hook (based on PR #32755) that reads the file back after every Edit call and checks that new_string is present and old_string is gone. When verification fails, we currently have to use "decision": "block" with a reason string — but the original (possibly wrong) tool output still reaches the model, so Claude sometimes ignores the hook's correction and proceeds as if the edit succeeded.

If we could replace the tool output via updatedBuiltinToolOutput, we'd swap the success message with "EDIT VERIFICATION FAILED: [details]. Re-read the file before proceeding." — giving the model unambiguous signal instead of two contradictory messages (tool says success, hook says failure).

Same issue applies to our SQL safety hook that scans Bash output for dangerous patterns — we can warn but can't replace the output that already reached the model.

The security angle in the OP is also valid — WebFetch content sanitization is the obvious next case. Consistent behavior between MCP and built-in tools would simplify hook development significantly.

[tigeryst]

Another +1: adding a use case from the output-scanning side.

Sensitive data in tool output

We use gitleaks in PreToolUse hooks to scan commands before execution, and in UserPromptSubmit hooks to scan user input. But there's currently no way to scan and redact output from built-in tools.

Sensitive material routinely appears in Bash output without the user intending it: verbose/debug logs containing auth headers, error messages with connection strings, curl -v exposing Authorization: headers, database query results with PII columns, config dumps embedding secrets, stack traces leaking environment variables. PreToolUse is blind to this since the output doesn't exist yet, and blocklisting commands is the same whack-a-mole problem described in #32105.

With updatedBuiltinToolOutput, a PostToolUse hook could pipe tool_response.stdout through a secret scanner, redact detected secrets, and return sanitized output. The command runs normally, but the model's context and transcript file only see [REDACTED: secret-key].

Broader pattern

This issue and #32105 describe the same fundamental gap from different angles --- security sanitization and context budget recovery. Use cases that would all benefit from the same mechanism:

• Secret/credential redaction - scanning output for tokens, keys, connection strings before they persist in context and transcript files
• Database query safety - redacting PII or sensitive data from query results
• Web content sanitization - stripping prompt injection or sensitive data from WebFetch responses
• Context recovery - compressing verbose output to signal ([FEATURE] PostToolUse hooks: allow updatedToolOutput for built-in tools (context budget recovery) #32105)
• Edit verification - replacing contradictory success messages when post-checks fail (as @VoxCore84 described above)

All need post-execution output replacement for built-in tools. This mechanism already exists for MCP tools via updatedMCPToolOutput. Extending it to built-in tools would unify the hook contract and close a gap in the security surface.

[yurukusa]

PostToolUse can modify output via systemMessage:

INPUT=$(cat)
OUTPUT=$(echo "$INPUT" | jq -r '.tool_output // empty' | head -c 100)
jq -n --arg msg "[Processed] Output received (${#OUTPUT} chars)" '{"hookSpecificOutput":{"hookEventName":"PostToolUse","systemMessage":$msg}}'
exit 0

[dsablic]

+1. This is critical for secret sanitization. PostToolUse hooks need to be able to redact secrets from built-in tool output (Bash, Read, Grep) before it enters the LLM context. Currently there is no way to prevent accidental secret leakage from reaching the model. The existing updatedMCPToolOutput mechanism already proves the pattern works and extending it to built-in tools would close a real security gap.

[pornopatsan]

+1. My use case: I wrote a PostToolUse hook on Read/Bash/WebFetch that checks if the output contains sensitive data and returns a block if it does. The hook returns PostToolUse:Read hook returned blocking error - so the model still has the original content in its context.
PreToolUse doesn't work here because I need to inspect the actual output, and this applies to arbitrary tools (Python scripts, web fetches) where you can't predict output from the input alone. I can write PreToolUse for some specific common cases, but something may be still leaked, I want to check that actual tool output.

[claude]

This is a duplicate of #32105, which was fixed as of version 2.1.121.