Claude Code PreToolUse Hook: Block MCP Tool Calls Before They Run
The PreToolUse hook is the boundary where you intercept what a Claude Code, Cursor, or Codex agent is about to do — before the rm -rf, before the bad git push, before the destructive SQL. ThumbGate is the local-first, MIT-licensed CLI that ships production-grade PreToolUse, beforeMCPExecution, and beforeReadFile gating with one npx command, and learns from every thumbs-down so the same mistake never reaches the tool call twice.
Why this page exists
- PreToolUse is the only hook point where you can stop a destructive agent action — by the time PostToolUse fires, the damage is done.
- ThumbGate ships PreToolUse, beforeMCPExecution, and beforeReadFile gates out of the box for Claude Code, Cursor, Codex, Gemini CLI, Amp, Cline, and any MCP-compatible agent — no hand-written hook scripts to maintain per machine.
- A thumbs-down on a blocked action becomes an auto-promoted prevention rule that holds across every session, model, and agent — the part DIY hook repos cannot do.
What the PreToolUse hook actually is
In the Claude Code agent loop, every tool the model calls — Bash, Edit, Write, a custom MCP server method — flows through a PreToolUse phase before execution. That phase is the only place where an external policy can intercept the call, inspect its arguments, and decide whether to allow, modify, warn, or deny it. PostToolUse fires after the side effect has already happened, which is too late for destructive actions.
beforeMCPExecution, beforeReadFile, and beforeSubmitPrompt are the same idea applied at the MCP and IDE layers. Cycode's February 2026 IDE-security blog popularized this naming for enterprise customers; ThumbGate ships the same hook surface as an open-source CLI you can install in 30 seconds.
What ThumbGate blocks at PreToolUse out of the box
- Catastrophic shell: rm -rf at home/root, sudo wrapping a dangerous command, find -delete on sensitive paths.
- Secret exfiltration: writes that contain API keys, tokens, or .env contents heading to the wrong directory.
- Workflow-scope violations: edits outside the declared task scope, off-branch git push, accidental main commits.
- Repeated mistakes from this team: anything you've already given a thumbs-down to in a past session — auto-promoted to a hard prevention rule.
- MCP tool calls flagged by your project's gate config — pattern, severity, or learned-from-feedback rules.
Why DIY PreToolUse scripts stop working past week two
A hand-rolled hook script starts simple: a regex on the Bash command, a list of forbidden paths. By week two it has six edge cases, no test coverage, and lives in one machine's .claude directory — invisible to the rest of the team. By week four someone deletes it because it false-positived once on a legitimate command and nobody documented why.
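The edge cases that accumulate in a hand-rolled hook, as an added example (not ThumbGate's code and not from this page): decision logic for a PreToolUse check on Bash commands that still catches recursive rm and find -delete when the command is wrapped in sudo, chained after &&, quoted, or written with split or reordered flags. The event shape (tool_name, tool_input.command), the PROTECTED list and all function names are assumptions.

```javascript
// Added example, not ThumbGate code. Decision logic for a hand-written PreToolUse check.
// Assumptions: event JSON carries tool_name and tool_input.command; PROTECTED is a sample list.
const PROTECTED = ['/', '~', '$HOME', '/etc', '/usr', '/var', '/home'];
const WRAPPERS = ['sudo', 'doas', 'env', 'nohup'];

// Normalise quotes, a trailing "/*" and trailing slashes before comparing.
function isProtected(raw) {
  const p = raw.replace(/["']/g, '').replace(/\/\*$/, '/').replace(/(.)\/+$/, '$1');
  return PROTECTED.includes(p);
}

// Split on shell separators so "cd x && rm -rf /" is checked per command.
const segments = (cmd) => cmd.split(/[;|&\n]+/)
  .map((s) => s.trim().split(/\s+/).filter(Boolean))
  .filter((words) => words.length > 0);

// "sudo -u root rm ..." hides the program name behind wrapper flags; skip ahead to it.
function unwrap(words) {
  if (!WRAPPERS.includes(words[0])) return words;
  const i = words.findIndex((w) => w === 'rm' || w === 'find');
  return i === -1 ? words : words.slice(i);
}

function checkSegment([prog, ...args]) {
  const flags = args.filter((a) => a.startsWith('-'));
  const paths = args.filter((a) => !a.startsWith('-'));
  if (prog === 'rm') {
    // Covers -rf, -fr, -r -f, -R and --recursive.
    const short = flags.filter((f) => !f.startsWith('--')).join('');
    const recursive = /[rR]/.test(short) || flags.includes('--recursive');
    if (recursive && paths.some(isProtected)) return 'recursive rm on a protected path';
  }
  if (prog === 'find' && args.includes('-delete') && isProtected(args[0] || '')) {
    return 'find -delete on a protected path';
  }
  return null;
}

function decide(event) {
  if (event.tool_name !== 'Bash') return { allow: true };
  const command = (event.tool_input && event.tool_input.command) || '';
  for (const words of segments(command)) {
    const reason = checkSegment(unwrap(words));
    if (reason) return { allow: false, reason };
  }
  return { allow: true };
}

// Constructed sample commands; the last two slip past a literal "rm -rf /" pattern match.
const SAMPLES = ['rm -rf ./dist', 'sudo -u root rm -fr "$HOME/"', 'cd /tmp && rm -r -f /*'];
SAMPLES.forEach((command) => console.log(command, '=>', decide({ tool_name: 'Bash', tool_input: { command } })));
```

Word splitting here is not a shell parser: command substitution, variables other than a literal $HOME, and aliases pass through unchecked. Each of those is another edge case that needs a test and a reviewed, shared rule rather than a local script.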
ThumbGate ships the rules as a versioned config, the feedback loop as a CLI, the learning as cross-session prevention rules, and the proof as an audit trail your dashboard renders. The work you would do by hand on hooks, done once and shared.
FAQ
Is the PreToolUse hook the same as beforeMCPExecution?
Conceptually yes — both are the pre-execution interception point. PreToolUse is the Claude Code / Anthropic CLI term for the hook in the agent loop. beforeMCPExecution (and beforeReadFile, beforeSubmitPrompt) is the IDE-security framing popularized by Cycode for the same boundary at the MCP layer. ThumbGate implements all of them as one local-first gate engine.
Do I need this if Claude Code already has native hooks?
Native hooks give you the hook point. They do not give you the rule set, the cross-session learning, the team-wide rule sharing, or the audit trail. ThumbGate ships those on top of the hook so you stop maintaining bespoke scripts and start blocking the repeat mistakes that your own agents make.
Does this run locally or call a cloud service?
Local-first. The PreToolUse decision happens in the hook process on your machine in milliseconds — no network round-trip, no cloud dependency, no data leaving the laptop. Optional hosted sync exists for teams that want to share rules across seats.