[FEATURE] Allow plugin hooks from trusted marketplaces under allowManagedHooksOnly
Problem
allowManagedHooksOnly: true is binary — it blocks all non-managed hooks, including hooks shipped by plugins from trusted, org-approved marketplaces via strictKnownMarketplaces.
Organizations that lock down hooks for security (preventing arbitrary project-level hook injection) lose the ability to distribute hooks through their own vetted plugin marketplace.
Proposed Solution
A new setting (e.g., allowPluginHooksFromKnownMarketplaces: true) that permits hook execution from plugins installed via sources listed in strictKnownMarketplaces, while still blocking user-level, project-level, and hooks from unknown plugin sources.
{
"allowManagedHooksOnly": true,
"allowPluginHooksFromKnownMarketplaces": true,
"strictKnownMarketplaces": [
{ "source": "github", "repo": "anthropics/claude-plugins-official" },
{ "source": "github", "repo": "myorg/claude-plugin-marketplace" }
]
}
Use Case
We operate an internal plugin marketplace (strictKnownMarketplaces) with security-reviewed plugins. We want to distribute hooks (e.g., auto-formatting, audit logging) alongside those plugins — but allowManagedHooksOnly forces us to define every hook in the org-level managed config instead.
This creates operational overhead: every hook change requires an admin config update rather than a marketplace PR.
Current Workaround
Define all hooks directly in managed settings JSON. Works but doesn't scale — hooks can't be bundled with the plugins they complement.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗