01 · Decision table
Advisory vs guaranteed
| Mechanism | Enforcement | Holds under model override? | Use for |
|---|---|---|---|
| CLAUDE.md instruction | Advisory (context) | No | Style, persona, tone, soft workflow preferences. |
| Pre-tool hook | Guaranteed (interception) | Yes | Block forbidden tools, enforce arg shape, redact PII. |
| Post-tool hook | Guaranteed (filter) | Yes | Audit logging, response shape validation, rate limits. |
| Stop hook | Guaranteed (end-of-loop) | Yes | Final compliance check, telemetry flush, cleanup. |
02 · Side-by-side
CLAUDE.md instructions vs Hooks
| Aspect | CLAUDE.md instructions | Hooks |
|---|---|---|
| Enforcement | Advisory | Guaranteed |
| Decision rule | "Claude should…" | "The system must…" |
| Holds under model override | No | Yes |
| Audit trail | Implicit (model output) | Explicit (deterministic log) |
| Typical use | Style, tone, persona, soft workflows | Safety rails, PII redaction, audit, rate limits |
| Failure mode | Silent deviation | Hard stop with structured error |
| Best pattern for high-stakes rules | Pair with a hook for intent | Source of truth |
03 · Five rules
How to pick the right layer
- CLAUDE.md instructions are advisory. Claude reads and incorporates them as context but can deviate under competing pressures (ambiguous prompts, user overrides, edge-case reasoning). They are unsuitable when a constraint must never be violated.
- Hooks fire deterministically in the agent loop regardless of model output. Use a hook when the constraint must hold even if Claude "decides" otherwise - for example, blocking a forbidden tool call, enforcing a rate limit, or redacting PII before it leaves the system.
- The CCA-F decision rule: if the requirement is "Claude should…" → CLAUDE.md; if the requirement is "the system must…" → hook. The word "must" with no acceptable failure rate is the trigger for hook placement.
- CLAUDE.md is appropriate for style, persona, tone, and soft workflow preferences where graceful degradation is acceptable. Hooks own hard safety rails, audit logging, and side effects that cannot rely on the model's cooperation.
- Common exam trap: a CLAUDE.md line saying "never call the delete_file tool" looks like a constraint but is advisory. A pre-tool hook that intercepts and blocks delete_file calls is the only guaranteed enforcement mechanism.
04 · FAQ
FAQ
When do I need a hook instead of a CLAUDE.md instruction - advisory vs guaranteed constraints?
Use a hook when the constraint must hold regardless of what the model decides. CLAUDE.md instructions are advisory context that Claude reads and incorporates; they can be deviated from under ambiguous prompts or user override. Hooks are deterministic execution points in the agent loop, so a forbidden-tool block, a rate limit, or a PII redaction belongs in a hook, not in CLAUDE.md.
What is the one-line CCA-F decision rule?
If the requirement reads 'Claude should…', a CLAUDE.md instruction is acceptable. If the requirement reads 'the system must…', the constraint belongs in a hook. The word 'must' with no acceptable failure rate is the trigger for hook placement.
Is CLAUDE.md ever the right answer for a safety constraint?
No. CLAUDE.md is for style, persona, tone, and soft workflow preferences where graceful degradation is acceptable. Safety rails, audit logging, and irreversible side effects must use hooks because they cannot rely on the model's cooperation.
Does a CLAUDE.md line like 'never call the delete_file tool' actually block the call?
No - and this is a common CCA-F exam trap. The instruction is advisory, so under the right prompt Claude may still issue the call. The only guaranteed enforcement is a pre-tool hook that intercepts and blocks delete_file before it reaches the tool runner.
Can I combine both - a hook for enforcement and CLAUDE.md for intent?
Yes, and it is the recommended pattern for high-stakes rules. The hook gives you the guarantee; the CLAUDE.md line gives the model the explanation so it does not waste turns trying to do the forbidden thing. The hook remains the source of truth.