Skip to main content
Hooks let you run custom logic at defined points in the agent lifecycle — before/after tool execution, LLM calls, or at turn boundaries. Use them for approval workflows, audit logging, content filtering, or typed denials.
This page is the task-first guide. For the low-level type and payload inventory, see Hooks reference.

What this guide is for

Use this guide when you want to:
  • add approval gates
  • log or audit agent behavior
  • block unsafe tool inputs or outputs
  • choose between in-process, command, and HTTP hook runtimes

Hook points

Eight extension points are available:
HookPointClassificationWhen it fires
RunStartedpreStart of Agent::run(), before any LLM call
PreLlmRequestpreBefore each LLM streaming call
PreToolExecutionpreBefore each individual tool call is dispatched
TurnBoundarypreBetween turns, after all tool results are collected
PostLlmResponsepostAfter the LLM response is received
PostToolExecutionpostAfter each tool execution completes
RunCompletedpostAfter a successful run completes
RunFailedpostAfter a run fails with an error
Classification is determined by the is_pre() and is_post() methods on HookPoint. Foreground hooks block loop progression; background hooks run asynchronously for observation.

Capabilities

HookCapabilityPurpose
ObserveRead-only logging and metrics
GuardrailCan issue Deny decisions to block execution
The former Rewrite capability is deleted entirely; semantic patch authority is removed.

Execution modes

HookExecutionModeBehavior
ForegroundBlocks loop progression. Allow / Deny decisions are handled synchronously.
BackgroundRuns asynchronously for observation.
Pre-point background hooks must be observe-only. A background hook on a is_pre() point with any capability other than Observe is rejected with HookEngineError::InvalidConfiguration.
Semantic patch publication is retired. RuntimeHookResponse rejects unknown fields, so a runtime response carrying any legacy patches field fails closed during deserialization.

How to add a hook

1

Choose hook point and capability

Decide which HookPoint to fire at (e.g., PreToolExecution for tool guardrails) and whether the hook needs Observe or Guardrail.
2

Choose a runtime

Pick one of the three runtimes: in-process (Rust closure), command (subprocess), or HTTP (remote endpoint).
3

Add configuration

Add a [[hooks.entries]] block to the active realm config.toml (or register programmatically via HooksConfig).
4

Implement the handler

Write the handler that receives a HookInvocation and returns a RuntimeHookResponse with an optional decision.
5

Test with overrides

Use HookRunOverrides to test your hook in isolation through RPC, REST, MCP, or embedded builders before committing the config.
The docs below show run-scoped hook overrides conceptually, but the current CLI does not expose run-scoped hook override flags in normal builds. For now, use RPC, REST, MCP, or the SDK/embedded surfaces when you want per-run hook overrides.

Runtimes

Calls a registered Rust closure. Config:
{ "type": "in_process", "handler": "my-handler" }
(name is accepted as a legacy alias for handler.)The handler is registered at engine construction time via DefaultHookEngine::with_in_process_handler() or register_in_process_handler(). The handler type is:
type InProcessHookHandler = Arc<dyn Fn(HookInvocation) -> HandlerFuture + Send + Sync>;
Hook runtime failures fail closed through typed HookEngineError values; they are never converted into warning-only success or a hook-local Deny decision. Pre-point background hooks are still required to be Observe, because they cannot safely block a pre-execution boundary after the loop has moved on.

Decisions and patches

pub enum HookDecision {
    Allow,
    Deny {
        hook_id: HookId,
        reason_code: HookReasonCode,
        message: String,
        payload: Option<Value>,  // optional structured data
    },
}
Reason codes:
HookReasonCodeMeaning
PolicyViolationBusiness rule or policy constraint
SafetyViolationContent safety check
SchemaViolationSchema or format validation failure
TimeoutHook timed out (system-generated)
RuntimeErrorHook execution failed (system-generated)
The HookPatch type is deleted entirely. Older payloads such as llm_request, assistant_text, tool_args, tool_result, and run_result fail closed during deserialization instead of being ignored or applied.Hooks can observe typed projections and return Allow or Deny. Canonical provider parameters, assistant text, tool arguments, tool results, and final run text are owned by the runtime and tool execution path.

Runtime hook response

All three runtimes return the same RuntimeHookResponse structure: 
{
  "decision": { "decision": "deny", "hook_id": "my-guard", "reason_code": "policy_violation", "message": "blocked" }
}
decision is optional and is the only field. The struct is declared with deny_unknown_fields, so any legacy patches field — even an empty one — is rejected at deserialization.

Invocation payload

Hooks receive a HookInvocation struct containing contextual data. Fields are populated based on the hook point:
FieldTypePopulated at
pointHookPointAlways
session_idSessionIdAlways
turn_numberOption<u32>Most points
prompt_inputOption<RunInput>RunStarted
error_reportOption<AgentErrorReport>RunFailed
error_classOption<AgentErrorClass>RunFailed
llm_requestOption<HookLlmRequest>PreLlmRequest
llm_responseOption<HookLlmResponse>PostLlmResponse
tool_callOption<HookToolCall>PreToolExecution
tool_resultOption<HookToolResult>PostToolExecution
For command and HTTP hooks, the serialized wire payload additionally carries prompt and error strings. These are serialize-only projections of prompt_input and error_report; they are never stored fields and are never deserialized back as authority.
  • HookLlmRequest: max_tokens, temperature, provider_params, message_count
  • HookLlmResponse: assistant_text, tool_call_names, stop_reason, usage
  • HookToolCall: tool_use_id, name, args
  • HookToolResult: tool_use_id, name, content_blocks, is_error (the wire payload adds a serialize-only content text projection)
HookToolResult.content_blocks carries the typed tool-result blocks, including image blocks, in original order. The wire payload also serializes a content string — a text projection derived from content_blocks for external command/HTTP hooks; in Rust, use HookToolResult::text_projection(). Both are observational projections and cannot be returned as a rewrite.

Priority ordering and deny short-circuiting

Foreground hooks are sorted by priority (ascending), then by registration_index (ascending, for determinism when priorities are equal). Lower numeric priority values run first. When a foreground hook returns Deny:
1

Record denial

The denial is recorded as the merged decision.
2

Skip remaining foreground hooks

All remaining foreground hooks are skipped (short-circuit).
3

Skip background hooks

All background hooks are skipped (they only fire when no foreground Deny occurred).
A priority-1 guardrail that denies will prevent a priority-100 observer from running.

Configuration

Hook configuration lives under the [hooks] table:
[hooks]
default_timeout_ms = 5000       # Default: 5000
payload_max_bytes = 131072      # Default: 128 * 1024 (128 KiB)
background_max_concurrency = 32 # Default: 32

[[hooks.entries]]
id = "safety-check"
enabled = true
point = "pre_tool_execution"
mode = "foreground"
capability = "guardrail"
priority = 10
# timeout_ms = 10000              # Optional; overrides default_timeout_ms

[hooks.entries.runtime]
type = "command"
command = "python3"
args = ["hooks/safety_check.py"]
FieldTypeDefaultDescription
idHookId"hook"Unique identifier for the hook
enabledbooltrueWhether the hook is active
pointHookPointTurnBoundaryWhich hook point to fire at
modeHookExecutionModeForegroundForeground or background
capabilityHookCapabilityObserveWhat the hook can do
priorityi32100Execution order (lower runs first)
timeout_msOption<u64>NoneOverride default timeout
runtimeHookAdapterConfigin_process/noopRuntime configuration
Hook loading is runtime-root aware. In workspace-derived realms, global and project hook entries are layered (~/.rkat/config.toml then .rkat/config.toml) and merged with active realm config hooks. In non-workspace realms, realm config is primary and no project config may be discovered.

Per-run overrides

The HookRunOverrides struct allows per-request hook customization: 
pub struct HookRunOverrides {
    pub entries: Vec<HookEntryConfig>,  // Additional hooks for this run
    pub disable: Vec<HookId>,           // Hook IDs to disable for this run
}
Disabled hooks are removed from the effective entry list. Override entries are appended after the filtered base entries. All resulting entries are re-validated.
Run-scoped hook override flags are not currently exposed on the normal rkat run surface. Use JSON-RPC, REST, MCP, or SDK/embedded surfaces for per-run hook override testing.

Agent events

The hook engine emits AgentEvent variants during execution:
EventWhen
HookStartedA hook begins execution
HookCompletedA hook finishes successfully
HookFailedA hook encounters an error
HookDeniedA hook returns a Deny decision

SDK usage

use meerkat_hooks::{DefaultHookEngine, RuntimeHookResponse};
use meerkat_core::{HooksConfig, HookEntryConfig, HookId, HookPoint,
                   HookCapability, HookAdapterConfig};
use std::sync::Arc;

let mut config = HooksConfig::default();
config.entries.push(HookEntryConfig {
    id: HookId::new("my-guardrail"),
    point: HookPoint::PreToolExecution,
    capability: HookCapability::Guardrail,
    priority: 10,
    runtime: HookAdapterConfig::in_process("my-handler"),
    ..Default::default()
});

let engine = DefaultHookEngine::new(config)
    .with_in_process_handler(
        "my-handler",
        Arc::new(|invocation| {
            Box::pin(async move {
                // Inspect invocation.tool_call, return decision
                Ok(RuntimeHookResponse::default())
            })
        }),
    );

use meerkat_core::HookRunOverrides;

let overrides = HookRunOverrides {
    disable: vec![HookId::new("noisy-observer")],
    entries: vec![],
};

// Pass via AgentBuildConfig.hooks_override

See also