Claude Code
TapPass installs PreToolUse and PostToolUse hooks into Claude Code. Every file read, bash command, and model call is policy-checked and audited.
Install
Section titled “Install”tappass claude-code install \ --gateway https://tappass.example.com \ --api-key tp_...This:
- Writes a hook script to
~/.tappass/tappass-hook.sh - Merges
PreToolUseandPostToolUseentries into~/.claude/settings.json - Sets
TAPPASS_HOOK_API_KEYfor the hook
What it captures
Section titled “What it captures”| Hook | When | What’s logged |
|---|---|---|
PreToolUse | Before Claude invokes a tool | Tool name, inputs, agent identity, session |
PostToolUse | After the tool returns | Outputs (redacted), duration, status |
What gets blocked
Section titled “What gets blocked”The hook returns a non-zero exit code when policy denies a tool use. tool_decision.rego controls this server-side — no Claude Code restart required when you update policy.
Example policy
Section titled “Example policy”package tool_decision
# Block `Bash` calls with `rm -rf` in dev environmentdeny[msg] { input.tool == "Bash" contains(input.args.command, "rm -rf") msg := "dangerous-rm"}Uninstall
Section titled “Uninstall”tappass claude-code uninstallRemoves the hooks from ~/.claude/settings.json. Leaves ~/.tappass/ in place in case you re-enable.
Verify
Section titled “Verify”tappass claude-code statusPrints whether hooks are registered and whether the gateway is reachable.