PreToolUse hook `permissionDecision: "deny"` ignored for Edit tool — tool executes despite deny

[joseph-holland]

Bug

A PreToolUse hook returning a well-formed deny response (correct JSON, permissionDecision: "deny", exit code 2) is ignored for the Edit tool. Claude proceeds to execute the edit and the file is modified.

This is a governance/security concern — hooks are the only mechanism external tools have to enforce policy on tool execution.

Reproduction

1. Configure a PreToolUse hook that denies Edit calls to a specific file:

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "",
      "hooks": [{
        "type": "command",
        "command": "vectimus hook --source claude-code"
      }]
    }]
  }
}

2. The hook returns this on stdout with exit code 2:

{"hookEventName": "PreToolUse", "permissionDecision": "deny", "permissionDecisionReason": "Blocked by policy: Block writes to governance config files"}

3. Verified the output manually:

$ echo '{"hook_event_name":"PreToolUse","tool_name":"Edit","tool_input":{"file_path":"/Users/me/.claude/settings.json","old_string":"test","new_string":"test2"}}' | vectimus hook --source claude-code 2>/dev/null
{"hookEventName": "PreToolUse", "permissionDecision": "deny", "permissionDecisionReason": "Blocked by policy vectimus-fileint-004: Block writes to governance config files to prevent policy bypass"}
$ echo $?
2

4. Despite the deny, Claude executes the Edit and the file is modified.

Evidence

Audit log shows the hook evaluated and returned deny. There is no second evaluation — Claude did not retry. It received the deny and proceeded anyway.

19:19:59  Read  → file_read   → allow  file=/Users/me/.claude/settings.json
19:20:06  Edit  → file_write  → deny   file=/Users/me/.claude/settings.json

The file was modified at 19:20:06 despite the deny.

Expected behavior

When a PreToolUse hook returns permissionDecision: "deny" with exit code 2, the tool MUST NOT execute. The deny should be surfaced to the model as a blocked action.

Related issues

• Distinguish hook denial from hook error in PreToolUse output #31592 — Distinguish hook denial from hook error in PreToolUse output
• PreToolUse hook permissionDecision 'deny' not enforced for MCP server tool calls #33106 — PreToolUse hook permissionDecision: "deny" not enforced for MCP server tool calls

The pattern seems to be that PreToolUse hook denials are not reliably enforced across tool types.

This is critical for any external governance tool (Vectimus, Guardrails, custom enterprise hooks) that relies on PreToolUse to enforce policy. If deny is advisory rather than mandatory, the hook mechanism cannot provide security guarantees.

Environment

• Claude Code version: latest (via CLI)
• Platform: macOS (Darwin 25.3.0)
• Hook: Vectimus governance engine (returns well-formed deny JSON + exit 2)

[github-actions]

Found 3 possible duplicate issues:

1. PreToolUse hook permissionDecision 'deny' not enforced for MCP server tool calls #33106
2. [BUG] Edit/Write tools bypass permissions.ask rules (regression of #11226) #22055
3. EnterWorktree bypasses PreToolUse hooks — executes filesystem ops before hooks fire #35557

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[yurukusa]

I can confirm this pattern — Edit/Write deny behavior differs from Bash tool deny behavior. With Bash commands, exit code 2 reliably blocks execution. With Edit/Write, the behavior is inconsistent.
Workaround until this is fixed:
Instead of relying on permissionDecision: "deny", use the hook to make the edit fail by modifying the file to a read-only state before the edit, or use a PostToolUse hook to revert unauthorized changes:

INPUT=$(cat)
TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty')
FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
if [[ "$TOOL" == "Edit" || "$TOOL" == "Write" ]]; then
    if should_deny "$FILE"; then
        chmod 444 "$FILE" 2>/dev/null
        echo "BLOCKED: Edit denied by policy for $FILE" >&2
        exit 2
    fi
fi
exit 0

Combined with a PostToolUse hook that checks if denied edits went through:

INPUT=$(cat)
TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty')
FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
if [[ "$TOOL" == "Edit" || "$TOOL" == "Write" ]]; then
    if was_denied "$FILE"; then
        git checkout -- "$FILE" 2>/dev/null
        chmod 644 "$FILE" 2>/dev/null
    fi
fi

This is a defense-in-depth approach — the chmod prevents the write, and the PostToolUse hook reverts if it somehow got through.
Related: #36884 reports Edit/Write permission rules being ignored on Windows, suggesting this is a broader issue with Edit/Write tool permission enforcement.

[joseph-holland]

Update: resolved on our side — exit code was the issue

After deeper investigation, we found two bugs in our hook implementation:

1. Exit code 2 is treated as a hook crash, not a denial. Claude Code expects exit code 0 for both allow and deny. Exit 2 signals a hook error/crash, causing Claude Code to ignore the deny and proceed. This was not obvious from the documentation.

2. Missing hookSpecificOutput wrapper. Claude Code expects deny JSON wrapped in {"hookSpecificOutput": {...}}, not flat {"permissionDecision": "deny", ...}.

After fixing both — exit 0 + hookSpecificOutput wrapper — deny enforcement works correctly across all tool types (Read, Edit, Bash, Write).

Correct deny format

{"hookSpecificOutput": {"hookEventName": "PreToolUse", "permissionDecision": "deny", "permissionDecisionReason": "Blocked by policy ..."}}

With exit code 0.

Suggestion for the docs

It would help if the hooks documentation explicitly called out:

• Exit 0 = hook completed successfully (allow or deny based on stdout JSON)
• Exit non-zero = hook crashed (tool proceeds, hook failure is logged)
• The hookSpecificOutput wrapper is required for deny decisions

This distinction between "hook crashed" and "hook denied" tripped us up and likely affects other governance tools building on PreToolUse hooks.

Closing this as the issue was in our implementation, not in Claude Code. Thanks!

[github-actions]

This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.