HookBus is the agent event bus for any AI agent or assistant that surfaces hooks. It routes lifecycle events to subscribers that can allow, deny, ask, audit, track cost, filter data, inject memory, or publish context back to the next turn.
Start local with HookBus Light and cre-agentprotect. Claude Code, Codex CLI, Amp Code, Hermes Agent, OpenClaw, or any hook-aware runtime can publish events to the same bus.
curl -fsSL https://hookbus.com/install.sh | bashWithout scaffolding around the executing agent, nothing sees what the last tool call returned. No policy layer blocks the next dangerous one. No memory layer reminds the agent what it already tried.
Every AI agent action is a lifecycle event. HookBus captures them all and fans them out to subscribers in parallel. Sync subscribers return a verdict (allow, deny, ask) and a reason. The bus consolidates on deny-wins. The reason is injected back into the agent’s next turn. Async subscribers observe without blocking.
One command. Pulls the Apache 2.0 bus and cre-agentprotect as Docker images. Generates a bearer token. AgentSpend is optional.
curl -fsSL https://hookbus.com/install.sh | bashAny tool that can POST JSON can publish. No SDK required.
source ~/hookbus-light/.env
curl -X POST http://localhost:18800/event \
-H "Authorization: Bearer $HOOKBUS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"event_id": "manual-smoke-1",
"event_type": "PreToolUse",
"timestamp": "2026-04-28T00:00:00Z",
"source": "manual",
"session_id": "hello",
"tool_name": "Bash",
"tool_input": {"command": "rm -rf /"},
"metadata": {}
}'cre-agentprotect evaluates, returns decision: deny with a reason. The bus consolidates and threads it back to the caller. Open http://localhost:18800/ to see the event in the dashboard.
Pick a publisher shim for your runtime. Claude Code, Amp, Hermes, OpenClaw, Codex, or any SDK with lifecycle hooks.
A publisher shim normalises the agent’s raw hook format into the canonical HookBus envelope and posts it to the bus. Five runtimes ship today, three more in flight, more on the way.
Every publisher is open source on GitHub under Apache 2.0 or MIT. Install with one curl command, fork and audit the source, or contribute back. All repos live under github.com/agentic-thinking.
Anthropic’s agentic CLI. Four hook events wired: UserPromptSubmit, PreToolUse, PostToolUse, Stop. MIT.
TypeScript plugin using Amp’s native plugin API. All five lifecycle events (session.start, agent.start, tool.call, tool.result, agent.end). MIT.
Python plugin for Hermes Agent. Hooks pre/post tool calls and post API requests. Exact token usage attribution. MIT.
Node plugin for OpenClaw’s extension API. Before/after tool call, LLM output. Model and token usage auto-attributed. MIT.
Codex CLI publisher for HookBus. SessionStart, UserPromptSubmit, PreToolUse, PostToolUse, and Stop mapped to AgentHook events. Includes install doctor and central-bus identity metadata.
Cursor agent shim. In active development.
Python shim for Anthropic’s Agent SDK. Pre/post tool, model response. MIT.
Python shim wrapping HookBusRunHooks(RunHooksBase). All four lifecycle events. MIT.
Gemini CLI, Kilo Code, Open Code, and many more. Any runtime with lifecycle hooks can publish to HookBus.
Add your runtime → · Any SDK with lifecycle hooks can publish. The spec shows what the envelope must contain.
A subscriber receives events, returns a verdict with a reason and metadata, publishes context back onto the bus. Sync blocks. Async observes. Any language that can serve JSON.
A subscriber tuned to fintech rules. A DLP filter for healthcare PII schemas. A cost tracker that posts to Jira. A memory layer backed by your vector database. Examples, not limits.
Ships with HookBus Light. L1 policy gate that can use Microsoft AGT as an AGT-compatible deterministic backend. Allow / deny / ask on PreToolUse. Deterministic, sub-10ms.
Ships with HookBus Light. Token and cost tracking per session, per agent, per team. SQLite store, dashboard on :8883.
Sanctioned AI evidence control. Verifies registered publisher instances, device/workload registry bindings, approval references, and AgentHook evidence before enterprise AI sessions are treated as governed.
Action-level enforcement once the runtime session is registered and evidence-producing. Agentic Thinking patent-pending L1 deterministic policy plus L2 semantic intent verification using the customer's approved model path. Local CPU, no cloud, air-gap ready.
Hash-chained audit log for every event. SOC 2 and ISO 42001 evidence. Tamper-evident, exportable, regulator-ready.
Regex and classifier-based redaction across tool_input and tool_result. Blocks secrets, PII, credentials before they land in logs or context.
Keyword-match and semantic-match against a local knowledge base. Injects the right rule, example, or doc into the agent’s next turn via the return channel.
Cross-turn state keyed by session_id. Feeds forward what already happened. Queryable by other subscribers.
Human-in-the-loop approval queue for Ask decisions. Pauses the agent action, routes context to the right approver, records approval or denial as runtime evidence.
Async notification layer for compliance-shaped events. Sends alerts, approval summaries, exceptions, and incident evidence to the channels your governance process uses.
HookBus is an open protocol. Any subscriber that implements the response contract runs on any HookBus instance the moment you register it. No approval. No email. No queue.
Read the spec. Write a handler in any language that can serve JSON. Add it to your subscribers.yaml. That is the whole flow.
Want it in the public registry so other developers can find it? Open a PR.
The bus you install is the reference implementation, Apache 2.0. The envelope format, the subscriber contract, and the consolidation rules are defined in a versioned spec. Independent implementations in Go, Rust, Node, anything are welcome and expected.
The AgentHook specification is published and stewarded by Agentic Thinking Ltd under a perpetual Apache 2.0 commitment, with stewardship transfer to a neutral foundation on documented triggers. Read the charter →
The spec defines: publisher envelope schema, subscriber response schema (decision + reason + metadata), transport options (unix socket, HTTP, in-process), event-type normalisation map across popular SDKs, and the deny-wins consolidation rule.
HookBus Enterprise is a better bus plus the paid subscriber bundle. The Enterprise bus unlocks hot-reload, advanced consolidation, and failover groups. On top: HookBus FinalBoss for sanctioned AI evidence control, composable-rule-enforcer for action-level policy, Auditor, DLP Filter, KB Injector, Session Memory, Workflow, and Compliance Notifier. SLA, on-prem deployment, compliance evidence.
HookBus Enterprise governs approved, registered, evidence-producing AI runtime sessions. Corporates should block unauthorised CLI tools and agentic apps through existing endpoint, software, proxy, SASE, CASB, and identity controls. HookBus fits into the onboarding, joiner-mover-leaver, and access-review process for users approved to use AI.
| Feature | HookBus Light | HookBus Enterprise |
|---|---|---|
| The bus | ||
| Event routing, fan-out, deny-wins consolidation | included | included |
| Publisher shims (all runtimes) | included | included |
| Hot-reload subscribers (no restart) | — | included |
| Advanced consolidation (priority-weighted) | — | included |
| Subscriber failover & merge groups | — | included |
| Bundled subscribers | ||
| cre-agentprotect Light (AGT-compatible L1 deterministic) | included | included |
| AgentSpend (cost tracking) | included | included |
| HookBus FinalBoss (publisher/device registry control) | — | included |
| AgentProtect Enterprise (patent-pending L1 deterministic + L2 semantic) | — | included |
| Auditor (hash-chained, SOC 2 / ISO 42001) | — | included |
| DLP Filter (secrets & PII redaction) | — | included |
| KB Injector (rule & context injection) | — | included |
| Session Memory (cross-turn state) | — | included |
| Workflow (human-in-the-loop approval) | — | included |
| Compliance Notifier (alerts and evidence routing) | — | included |
Financial services, healthcare, public sector. Enterprise bundle with bundled subscribers, SLA, and compliance evidence.
HookBus is an open platform. The protocol is Apache 2.0 forever. Subscribers can be open or closed, free or paid, ours or yours. Where HookBus goes next is where you take it.