[BUG] PostToolUse updatedToolOutput still not honored for Bash tool — secrets leak into model context

Resolved 💬 2 comments Opened Jun 4, 2026 by itdove Closed Jun 8, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report
  • [x] I am using the latest version of Claude Code

What's Wrong?

When a PostToolUse hook returns hookSpecificOutput.updatedToolOutput with redacted content for the Bash tool, Claude Code ignores the modified output and feeds the original (unredacted) tool result to the model. This means secrets detected in Bash output cannot be redacted before reaching the model.

This was previously reported in #54196, which was auto-closed for inactivity without being fixed.

What Should Happen?

When a PostToolUse hook returns updatedToolOutput, Claude Code should replace the tool result with the hook-provided content before passing it to the model. This is essential for security hooks that need to redact secrets, PII, or sensitive data from tool outputs.

Steps to Reproduce

  1. Configure a PostToolUse hook that detects secrets and returns redacted output:

``json
{
"hooks": {
"PostToolUse": [{
"matcher": "Bash",
"hooks": [{
"type": "command",
"command": "python3 -c \"import sys,json; d=json.load(sys.stdin); print(json.dumps({'hookSpecificOutput':{'updatedToolOutput':'[REDACTED]'}}))\""
}]
}]
}
}
``

  1. Run a Bash command that produces output containing a secret:

``
echo "API_KEY=sk-1234567890abcdef"
``

  1. The PostToolUse hook fires and returns updatedToolOutput: "[REDACTED]"
  1. Observe: Claude still sees the original output API_KEY=sk-1234567890abcdef and can echo it in subsequent responses

Impact

This breaks the entire PostToolUse redaction pipeline for security tools. Once a secret appears in Bash output:

  1. PostToolUse hook detects it and returns redacted text — ignored by Claude Code
  2. Model has the raw secret in context
  3. Model echoes the secret in subsequent responses
  4. Every future tool output referencing the secret triggers PostToolUse again — creating a loop of detections that cannot be remediated

This makes PostToolUse secret redaction effectively non-functional for the Bash tool.

Relationship to Other Issues

  • #54196 — Original report, auto-closed for inactivity (NOT_PLANNED)
  • #18653 — Feature request for tool result transform hook
  • #36843 — PostToolUse updatedBuiltinToolOutput support (closed)

Claude Model

Opus

Is this a regression?

No, it has never worked for the Bash tool.

Claude Code Version

Latest

Platform

Anthropic API

Operating System

macOS / Linux (reproduced on both)

Terminal/Shell

zsh / bash

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗