PreToolUse Hooks vs Advisory Prompt Rules
Why files like .cursorrules and CLAUDE.md cannot protect your codebase from high-risk agent operations, and how protocol-level PreToolUse hooks enforce deterministic safety.
Why this page exists
- Advisory files like CLAUDE.md are hints that the model can choose to ignore under pressure.
- Real security requires blocking unsafe operations before they hit the terminal or file system.
- PreToolUse hooks provide protocol-level enforcement that cannot be bypassed by agent reasoning.
The Vulnerability of Prompt-Level Rules
Files like .cursorrules, CLAUDE.md, or custom prompt instructions are simply part of the model's context window. They tell the model how it should behave, but nothing enforces that behaviour. This approach has structural weaknesses:
- Context Drift: As conversations grow, early prompt instructions are deprioritized or pushed out of attention.
- Jailbreaking: The user prompt or an external file read can override instructions, forcing the agent to bypass its own rules.
- Self-Modification: Agents with file-writing privileges can edit or delete .cursorrules files to bypass constraints.
Deterministic PreToolUse Hook Enforcement
A PreToolUse hook intercepts execution at the Model Context Protocol (MCP) or platform layer. When the agent attempts to run a bash command, modify a file, or query a database, the call is evaluated by a local policy engine before execution.
If the action matches a known-bad pattern or violates a policy, the hook blocks it and returns a structured error response. The tool call never executes, so the system state is preserved and the damage is prevented before it can occur rather than detected afterwards.
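The following is an added example of the policy engine described above, written for this page rather than taken from any product or project. It assumes a Claude Code-style contract for PreToolUse hooks: the platform pipes the pending call to the hook as a JSON object on stdin with "tool_name" and "tool_input" fields, and treats a JSON "deny" decision on stdout together with exit code 2 as a block. The tool names ("Bash", "Write", "Edit") and input field names ("command", "file_path") are likewise assumptions. The blocked patterns cover destructive shell commands, destructive SQL, and, tying back to the self-modification weakness, any write to the advisory files themselves.

```python
"""Added example: a local policy engine for a PreToolUse hook.

Assumed (not from the page): the host delivers the pending tool call on stdin
as JSON with "tool_name" and "tool_input"; a JSON deny decision on stdout plus
exit code 2 blocks the call. Tool and field names below are assumed too.
"""
import json
import re
import sys
from pathlib import PurePosixPath

# Advisory files the agent must not be able to rewrite (self-modification).
PROTECTED_FILES = {".cursorrules", "CLAUDE.md"}

# High-risk shell command classes. Each entry: (label, compiled regex).
BLOCKED_COMMAND_PATTERNS = [
    ("recursive delete of root or home",
     re.compile(r"\brm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+)+(/|~|\$HOME)(\s|$)")),
    ("force push",
     re.compile(r"\bgit\s+push\b.*\s(--force|-f)\b")),
    ("destructive SQL",
     re.compile(r"\b(DROP\s+(TABLE|DATABASE)|TRUNCATE\s+TABLE)\b", re.IGNORECASE)),
]

# Shell constructs that write to or remove a file named on the command line.
WRITE_INDICATORS = re.compile(r"(>|\bsed\s+-i\b|\brm\b|\bmv\b|\btee\b)")


def deny(reason: str) -> dict:
    return {"allow": False, "reason": f"blocked: {reason}"}


def evaluate(tool_name: str, tool_input: dict) -> dict:
    """Decide one pending tool call. Returns {"allow": bool, "reason": str}."""
    if tool_name == "Bash":
        command = tool_input.get("command", "")
        for label, pattern in BLOCKED_COMMAND_PATTERNS:
            if pattern.search(command):
                return deny(label)
        # Writes routed through the shell (redirection, sed -i, rm, mv, tee)
        # onto a protected advisory file. Reading them (cat, grep) stays allowed.
        if any(name in command for name in PROTECTED_FILES) and WRITE_INDICATORS.search(command):
            return deny("shell write to protected advisory file")
        return {"allow": True, "reason": "no policy matched"}

    if tool_name in ("Write", "Edit"):
        target = PurePosixPath(tool_input.get("file_path", "")).name
        if target in PROTECTED_FILES:
            return deny(f"edit of protected advisory file {target}")
        return {"allow": True, "reason": "no policy matched"}

    # Tools this policy does not cover are passed through to the platform's
    # normal permission handling.
    return {"allow": True, "reason": "tool not covered by policy"}


def main() -> int:
    """Hook entry point: read the call from stdin, emit the decision."""
    try:
        call = json.load(sys.stdin)
        decision = evaluate(call.get("tool_name", ""), call.get("tool_input", {}))
    except (ValueError, AttributeError) as exc:
        # Fail closed: an unparseable call is denied, not waved through.
        decision = deny(f"malformed hook input ({exc})")
    if decision["allow"]:
        return 0
    # Structured response for the platform (assumed Claude Code hook schema);
    # stderr carries the reason back to the model, exit 2 signals a block.
    json.dump({"hookSpecificOutput": {
        "hookEventName": "PreToolUse",
        "permissionDecision": "deny",
        "permissionDecisionReason": decision["reason"],
    }}, sys.stdout)
    print(decision["reason"], file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main())
```

The decision is made entirely in `evaluate`, so the policy can be unit-tested without a running agent. Two practical points: the regex denylist is a floor, not a ceiling (a command can be rewritten to dodge a pattern, so sensitive tools are better gated by an allowlist of expected commands), and the hook script and its configuration must live outside the paths the agent can write, otherwise the self-modification problem the page describes simply moves from .cursorrules to the hook.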
FAQ
Why are CLAUDE.md and .cursorrules files insufficient for security?
They are advisory prompt-level files. The agent can ignore them, overwrite them, suffer from context drift, or be jailbroken into bypassing them since they are not enforced at the runtime level.
How does a PreToolUse hook protect the codebase?
PreToolUse hooks intercept tool calls at the protocol layer before they are executed. If a command matches a blocked pattern, the hook denies execution, making safety deterministic rather than probabilistic.