GitHub Launches Claude Code Permissions Hook for Granular Pre‑Tool Use Control

Published by
SectorHQ Editorial
According to a recent report, GitHub has introduced a PreToolUse hook for Claude Code that lets developers set granular allow/deny rules, pattern matching and security exclusions via a single .toml file, addressing current permission inconsistencies.

Key Facts

  • Key company: Claude Code

GitHub’s new PreToolUse hook for Claude Code arrives at a moment when Anthropic’s own tooling is undergoing rapid upgrades. The open‑source project, posted on GitHub under the panuhorsmalahti/claude-code-permissions-hook repository, supplies a single .toml file that lets developers define allow and deny rules, regex‑based pattern matching, and security exclusions for every tool Claude may invoke (GitHub repo). By handling permission decisions in a deterministic, file‑driven way, the hook sidesteps the “inconsistent” Bash permissions that have plagued Claude Code since at least December 2025, according to the repository’s README.

The hook’s design follows Anthropic’s published hook guidelines, but it also adds features that are not yet native to Claude Code. Auditing is built in: every tool‑use decision can be logged to a JSON file, with three audit levels—off, matched, and all—allowing teams to trace exactly which rules were applied (GitHub repo). Moreover, the configuration supports a fallback to a large language model for ambiguous cases; when static rules do not match, the hook can forward the request to an LLM (currently gpt-4o-mini) for a second opinion, provided an OPENAI_API_KEY is set (GitHub repo). This “LLM delegation” layer offers a safety net for edge‑case commands while preserving the deterministic core of the allow/deny matrix.

From a security standpoint, the hook’s rule hierarchy mirrors best‑practice access‑control models: deny rules are evaluated first and take precedence, followed by allow rules, and finally by the optional LLM delegation (GitHub repo). Sample deny entries block destructive Bash commands such as “rm -rf” and prevent reads of files ending in .env or .secret, while allow entries whitelist specific paths under a developer’s Dropbox folder and restrict Bash invocations to a curated set of cargo commands (GitHub repo). The ability to exclude patterns—e.g., blocking “..” in file paths—addresses classic path‑traversal vulnerabilities that have been a pain point for Claude Code users.
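The precedence described above, as an added Python sketch; it is not code from the hook's repository, which is written in Rust. The rule field names, the /home/dev/Dropbox path, the shell-operator exclusion and the "passthrough" result for unmatched calls are assumptions made for illustration.

```python
import re

# Constructed rules modelled on the article's examples. The field names
# (tool, pattern, exclude) are assumptions, not the hook's actual TOML schema.
DENY = [
    {"tool": "Bash", "pattern": r"\brm\s+-rf\b"},
    {"tool": "Read", "pattern": r"\.(env|secret)$"},
]
ALLOW = [
    # exclude vetoes a match: ".." for traversal, shell operators for chaining
    {"tool": "Read", "pattern": r"^/home/dev/Dropbox/", "exclude": r"\.\."},
    {"tool": "Bash", "pattern": r"^cargo (build|test|check)\b", "exclude": r"[;&|`$]"},
]

def _matches(rule, tool, value):
    """A rule applies when tool and pattern match and no exclusion fires."""
    if rule["tool"] != tool or not re.search(rule["pattern"], value):
        return False
    exclude = rule.get("exclude")
    return not (exclude and re.search(exclude, value))

def decide(tool, value, delegate=None):
    """Return (decision, source): deny rules first, then allow, then delegation."""
    if any(_matches(r, tool, value) for r in DENY):
        return ("deny", "deny-rule")
    if any(_matches(r, tool, value) for r in ALLOW):
        return ("allow", "allow-rule")
    if delegate is not None:
        # Stand-in for the optional LLM fallback; no network call is made here.
        return (delegate(tool, value), "delegated")
    # Assumption: with no match and no delegate, the hook expresses no opinion.
    return ("passthrough", "no-match")

SAMPLES = [  # constructed tool calls
    ("Bash", "cargo test --all"),
    ("Bash", "cargo build && rm -rf target"),      # deny beats the cargo allow
    ("Read", "/home/dev/Dropbox/app/.env"),        # deny beats the path allow
    ("Read", "/home/dev/Dropbox/../.ssh/config"),  # allow vetoed by ".."
    ("Read", "/home/dev/Dropbox/app/src/main.rs"),
]

if __name__ == "__main__":
    for tool, value in SAMPLES:
        print(f"{tool:5} {value:40} -> {decide(tool, value)}")
```

An excluded allow rule does not become a deny: the traversal sample falls through to delegation or the default, so anything that must always be blocked belongs in a deny rule.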

Anthropic’s recent product announcements provide context for why the community is building such a workaround now. CNET reported that the latest Claude Sonnet 4.5 model is marketed as a “coding beast,” with features like auto‑save and rollback that aim to streamline developer workflows (CNET). VentureBeat’s coverage of Claude Code 2.1.0 highlighted smoother agent interactions and smarter workflow orchestration (VentureBeat). Yet both pieces note that the underlying permission model remains a work in progress, and Anthropic has signaled that future releases may tighten tool‑use controls. The GitHub hook therefore positions itself as a short‑term bridge: it offers immediate, granular control while Anthropic refines its native permissions.

For enterprises evaluating Claude Code at scale, the hook’s Rust‑based implementation may be both a strength and a hurdle. The repository’s documentation stresses that the binary must be built with Cargo and that developers need basic Rust knowledge to compile and deploy the hook (GitHub repo). However, the same documentation also provides a clear integration path—adding a PreToolUse entry to .claude/settings.json that points to the compiled binary and the .toml configuration (GitHub repo). This straightforward plug‑in model means that teams can enforce policy without altering Claude’s core codebase, preserving the SaaS provider’s upgrade path while maintaining internal compliance standards.

In sum, GitHub’s Claude Code permissions hook fills a gap that Anthropic’s current product roadmap has yet to close. By delivering deterministic, auditable, and extensible rule enforcement, it gives developers a practical tool for mitigating the security inconsistencies that have surfaced in recent Claude releases. As Anthropic rolls out newer models like Sonnet 4.5 and Claude Code 2.1.0, the community will likely watch whether the native permission framework catches up or whether third‑party solutions such as this hook become a permanent fixture in the Claude ecosystem.

Sources

Primary source

Reporting based on verified sources and public filings. Sector HQ editorial standards require multi-source attribution.
