HookBus routes lifecycle events from hook-aware agents to subscribers.
Subscribers can allow, deny, ask, audit, track cost, filter data, inject memory, or return context to the next agent turn.
Start with HookBus Light and AgentProtect CRE Light. Claude Code, Codex CLI, Amp Code, Hermes Agent, OpenClaw, and any hook-aware runtime can publish to the same bus.
```bash
curl -fsSL https://hookbus.com/install.sh | bash
```
Without scaffolding around the executing agent, nothing sees what the last tool call returned. No policy layer blocks the next dangerous one. No memory layer reminds the agent what it already tried.
A PreToolUse, PostToolUse, approval decision, denial reason, runtime attestation, and action-governance profile should mean the same thing whether the collector is HookBus, a SIEM, an OpenTelemetry pipeline, or an internal governance service.
Every AI agent action is a lifecycle event. HookBus captures them all and fans them out to subscribers in parallel. Sync subscribers return a verdict (allow, deny, ask) and a reason. The bus consolidates on deny-wins. The reason is injected back into the agent’s next turn. Async subscribers observe without blocking.
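The deny-wins rule described above, sketched as an added example (not HookBus source code). The page states only that deny wins; ranking `ask` above `allow` and treating a missing or malformed verdict as a deny are assumptions made here, as is the `verdicts` metadata key.

```python
# Added example: consolidate sync subscriber verdicts with deny-wins.
# decision/reason/metadata are the response fields named on the page.
# Assumptions: ask outranks allow; a missing or malformed verdict fails closed.
PRECEDENCE = {"allow": 0, "ask": 1, "deny": 2}

def consolidate(responses):
    """responses: list of (subscriber_name, response) from sync subscribers only.
    Async subscribers observe without blocking, so they never appear here."""
    decision, reasons, verdicts = "allow", [], {}
    for name, resp in responses:
        got = resp.get("decision") if isinstance(resp, dict) else None
        if got not in PRECEDENCE:
            got, reason = "deny", f"{name}: malformed or missing verdict"
        else:
            reason = f"{name}: {resp.get('reason', '')}"
        verdicts[name] = got
        if PRECEDENCE[got] > PRECEDENCE[decision]:
            # A stricter verdict replaces everything collected so far.
            decision, reasons = got, [reason]
        elif got == decision and got != "allow":
            # Several subscribers agreeing on deny/ask all contribute a reason.
            reasons.append(reason)
    return {
        "decision": decision,
        "reason": "; ".join(reasons),  # text threaded back into the next turn
        "metadata": {"verdicts": verdicts},
    }
```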
One command. Pulls the Apache 2.0 bus and AgentProtect CRE Light as Docker images. Generates a bearer token. AgentSpend is optional.
```bash
curl -fsSL https://hookbus.com/install.sh | bash
```
Any tool that can POST JSON can publish. No SDK required.
```bash
source ~/hookbus-light/.env
curl -X POST http://localhost:18800/event \
  -H "Authorization: Bearer $HOOKBUS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "event_id": "manual-smoke-1",
    "event_type": "PreToolUse",
    "timestamp": "2026-04-28T00:00:00Z",
    "source": "manual",
    "session_id": "hello",
    "tool_name": "Bash",
    "tool_input": {"command": "rm -rf /"},
    "metadata": {}
  }'
```
AgentProtect CRE Light evaluates, returns decision: deny with a reason. The bus consolidates and threads it back to the caller. Open http://localhost:18800/ to see the event in the dashboard.
Pick a publisher shim for your runtime. Claude Code, Amp, Hermes, OpenClaw, Codex, or any SDK with lifecycle hooks.
A publisher shim normalises the agent’s raw hook format into the canonical HookBus envelope and posts it to the bus. Five runtimes ship today, three more in flight, more on the way.
Every publisher is open source on GitHub under Apache 2.0 or MIT. Install with one curl command, fork and audit the source, or contribute back. All repos live under github.com/agentic-thinking.
Anthropic’s agentic CLI. Four hook events wired: UserPromptSubmit, PreToolUse, PostToolUse, Stop. MIT.
TypeScript plugin using Amp’s native plugin API. All five lifecycle events (session.start, agent.start, tool.call, tool.result, agent.end). MIT.
Python plugin for Hermes Agent. Hooks pre/post tool calls and post API requests. Exact token usage attribution. MIT.
Node plugin for OpenClaw’s extension API. Before/after tool call, LLM output. Model and token usage auto-attributed. MIT.
Codex CLI publisher for HookBus. SessionStart, UserPromptSubmit, PreToolUse, PostToolUse, and Stop mapped to AgentHook events. Includes install doctor and central-bus identity metadata.
Cursor agent shim. In active development.
Python shim for Anthropic’s Agent SDK. Pre/post tool, model response. MIT.
Python shim wrapping HookBusRunHooks(RunHooksBase). All four lifecycle events. MIT.
Gemini CLI, Kilo Code, Open Code, and many more. Any runtime with lifecycle hooks can publish to HookBus.
Any SDK with lifecycle hooks can publish. The spec shows what the envelope must contain.
A subscriber receives events, returns a verdict with a reason and metadata, publishes context back onto the bus. Sync blocks. Async observes. Any language that can serve JSON.
A subscriber tuned to fintech rules. A DLP filter for healthcare PII schemas. A cost tracker that posts to Jira. A memory layer backed by your vector database. Examples, not limits.
AgentProtect CRE Light: Ships with HookBus Light. L1 deterministic policy gate. Allow / deny / ask on PreToolUse. Deterministic, sub-10ms. MIT licensed.
AgentProtect: Enterprise policy enforcement and execution control using patent-pending L1 deterministic and L2 probabilistic patterns. Blocks, allows, asks, approves, denies, and overrides before tool calls execute. DLP, secrets redaction, and PII protection built in.
AgentRegistry: Correlates API-key usage, user and device approval, runtime registration, and runtime evidence to detect sanctioned AI use that is approved but unmanaged.
AgentFlow: Human-in-the-loop approval routing for Approve, Deny, and Ask decisions, with durable approval state and two-person verification where required.
AgentNotify: Alerts, escalation paths, incident-shaped event detection, and regulator-format reporting workflows.
AgentGoal: Answers "should the agent be doing this right now?" Evaluates goal alignment against policy context before execution proceeds.
AgentKnowledge: Controlled context injection and knowledge ownership. Injects the right rule, example, or doc into the agent’s next turn. Includes cross-turn session memory keyed by session_id.
AgentIntelligence: LLM gateway for L2 probabilistic policy evaluation. Connects to any provider: Ollama, Bedrock, Azure OpenAI, Anthropic, or local models. CPU-only capable, no frontier model required.
AgentAuditor: Runtime evidence, audit records, exportable trails, and retention support for assurance programmes. Hash-chained, tamper-evident, SOC 2 and ISO 42001 ready.
HookBus is an open protocol. Any subscriber that implements the response contract runs on any HookBus instance the moment you register it. No approval. No email. No queue.
Read the spec. Write a handler in any language that can serve JSON. Add it to your subscribers.yaml. That is the whole flow.
Want it in the public registry so other developers can find it? Open a PR.
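A sync subscriber of the kind described above, as an added example rather than code from the HookBus project: a small deterministic gate that reads the envelope fields used in the smoke test and returns decision, reason and metadata. The rule set, the listen address, and the assumption that the bus POSTs the envelope as the request body and reads the verdict from the response body are illustrative, not taken from the spec.

```python
import json
import shlex
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed rule set for illustration; not AgentProtect CRE Light's rules.
PROTECTED = {"/", "/*", "~", "$HOME"}

def verdict(decision, reason, **metadata):
    # Response contract named on the page: decision + reason + metadata.
    return {"decision": decision, "reason": reason, "metadata": metadata}

def decide(event):
    if event.get("event_type") != "PreToolUse" or event.get("tool_name") != "Bash":
        return verdict("allow", "not a Bash PreToolUse event")
    tool_input = event.get("tool_input")
    command = tool_input.get("command") if isinstance(tool_input, dict) else None
    if not isinstance(command, str):
        return verdict("deny", "Bash event without a command string")
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: fail closed rather than guess
        return verdict("deny", "command could not be tokenised")
    elevated = argv[:1] == ["sudo"]
    cmd = argv[1:] if elevated else argv
    flags = [a for a in cmd[1:] if a.startswith("-")]
    targets = {a for a in cmd[1:] if not a.startswith("-")}
    recursive = any(f == "--recursive" or (not f.startswith("--") and "r" in f.lower())
                    for f in flags)
    if cmd[:1] == ["rm"] and recursive and PROTECTED & targets:
        return verdict("deny", "recursive delete of a protected path", rule="rm-protected")
    if elevated:
        return verdict("ask", "sudo requires human approval", rule="sudo")
    return verdict("allow", "no rule matched")

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", 0))
            status, body = 200, decide(json.loads(self.rfile.read(length)))
        except (ValueError, AttributeError):  # bad JSON or non-object body
            status, body = 400, verdict("deny", "malformed event")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

if __name__ == "__main__":
    # Assumed listen address; the URL you register in subscribers.yaml is yours to pick.
    HTTPServer(("127.0.0.1", 8901), Handler).serve_forever()
```

The matching is token-level on a single command, so compound shell input (`;`, `&&`, subshells) needs a real shell parser before a rule like this is relied on.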
The bus you install is the reference implementation, Apache 2.0. The envelope format, the subscriber contract, and the consolidation rules are defined in a versioned spec. Independent implementations in Go, Rust, Node, anything are welcome and expected.
The AgentHook specification is published and stewarded by Agentic Thinking Ltd under a perpetual Apache 2.0 commitment, with stewardship transfer to a neutral foundation on documented triggers.
The spec defines: publisher envelope schema, subscriber response schema (decision + reason + metadata), transport options (unix socket, HTTP, in-process), event-type normalisation map across popular SDKs, and the deny-wins consolidation rule.
HookBus is the reference implementation, not the only valid implementation. Build your own publisher, subscriber, collector, bus, or OpenTelemetry exporter against AgentHook.
AgentProtect is a better bus plus the paid subscriber bundle. The Enterprise bus unlocks hot-reload, advanced consolidation, and failover groups. On top: AgentProtect for policy enforcement, AgentRegistry for sanctioned AI evidence control, AgentFlow for human approval routing, AgentNotify for compliance alerts, AgentGoal for goal alignment, AgentKnowledge for context injection and session memory, AgentIntelligence for L2 LLM evaluation, and AgentAuditor for hash-chained audit trails. Eight subscribers, one bundle. SLA, on-prem deployment, compliance evidence.
AgentProtect governs approved, registered, evidence-producing AI runtime sessions. Corporates should block unauthorised CLI tools and agentic apps through existing endpoint, software, proxy, SASE, CASB, and identity controls. HookBus fits into the onboarding, joiner-mover-leaver, and access-review process for users approved to use AI.
| Feature | HookBus Light | AgentProtect |
|---|---|---|
| The bus | | |
| Event routing, fan-out, deny-wins consolidation | included | included |
| Publisher shims (all runtimes) | included | included |
| Hot-reload subscribers (no restart) | — | included |
| Advanced consolidation (priority-weighted) | — | included |
| Subscriber failover & merge groups | — | included |
| Bundled subscribers | | |
| AgentProtect CRE Light (L1 deterministic policy gate) | included | included |
| AgentSpend (cost tracking) | included | included |
| AgentProtect — policy enforcement (L1+L2, DLP, secrets) | — | included |
| AgentRegistry — sanctioned AI evidence control | — | included |
| AgentFlow — human-in-the-loop approval routing | — | included |
| AgentNotify — compliance alerts and reporting | — | included |
| AgentGoal — goal alignment evaluation | — | included |
| AgentKnowledge — context injection + session memory | — | included |
| AgentIntelligence — L2 probabilistic LLM evaluation | — | included |
| AgentAuditor — hash-chained audit trails | — | included |
Financial services, healthcare, public sector. Enterprise bundle with bundled subscribers, SLA, and compliance evidence.
HookBus is an open platform. The protocol is Apache 2.0 forever. Subscribers can be open or closed, free or paid, ours or yours. Where HookBus goes next is where you take it.