[FEATURE] Allow plugin hooks from trusted marketplaces under allowManagedHooksOnly

Resolved 💬 2 comments Opened Apr 2, 2026 by rolandsusans Closed May 11, 2026

Problem

allowManagedHooksOnly: true is binary — it blocks all non-managed hooks, including hooks shipped by plugins from trusted, org-approved marketplaces via strictKnownMarketplaces.

Organizations that lock down hooks for security (preventing arbitrary project-level hook injection) lose the ability to distribute hooks through their own vetted plugin marketplace.

Proposed Solution

A new setting (e.g., allowPluginHooksFromKnownMarketplaces: true) that permits hook execution from plugins installed via sources listed in strictKnownMarketplaces, while still blocking user-level, project-level, and hooks from unknown plugin sources.

{
  "allowManagedHooksOnly": true,
  "allowPluginHooksFromKnownMarketplaces": true,
  "strictKnownMarketplaces": [
    { "source": "github", "repo": "anthropics/claude-plugins-official" },
    { "source": "github", "repo": "myorg/claude-plugin-marketplace" }
  ]
}

Use Case

We operate an internal plugin marketplace (strictKnownMarketplaces) with security-reviewed plugins. We want to distribute hooks (e.g., auto-formatting, audit logging) alongside those plugins — but allowManagedHooksOnly forces us to define every hook in the org-level managed config instead.

This creates operational overhead: every hook change requires an admin config update rather than a marketplace PR.

Current Workaround

Define all hooks directly in managed settings JSON. Works but doesn't scale — hooks can't be bundled with the plugins they complement.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗