[FEATURE] Have SessionStart (or a new hook) that can prevent the session from starting up at all
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
I'm trying to add a CLAUDE.md and other critical files integrity check, to try and prevent malicious updating/overwriting of CLAUDE.md (at least the ~/.claude/CLAUDE.md). I did find that UserPromptSubmit can block (and then present the user with the error message), but that's messy and annoying and an additional thing to have run every time I submit a prompt, even if all it's doing is checking if a file exists from the SessionStart hook which found the critical files integrity (via sha256 hash) has changed, and so creates a known file to block user input.
Proposed Solution
Have SessionStart or new hook (perhaps SystemStartup?) allow exit status 2 to block/terminate from things starting up and display the STDERR.
Alternative Solutions
SessionStart performs the integrity check, if fails, sets a known file. UserPromptSubmit then checks, on every user input, if that file exists. If it does, blocks input and STDERR an error message to be displayed to the user.
Priority
Medium - Would be very helpful
Feature Category
Configuration and settings
Use Case Example
When updating CLAUDE.md, after doing so, run update-integrity-check.sh, this:
- Takes sha256 of set of critical files, stores them to a
.integrityfile - Ensures that file is 400 permissions
On Claude Code startup:
startup-guard-hook.tsgoes through the same list of critical files, for each- Take sha256 of each file, compares to the sha256 in
.integrityfile - If one doesn't match, exit 2 with error message
- Assuming all pass, exit cleanly
I do have a separate PreToolUse hook which is checking for various attempts to read/edit/etc the .integrity or the startup hook or the update shell script, to help prevent an agent which has been compromised from possibly modifying/preventing detection. Not perfect, but layered protections.
Additional Context
_No response_
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗