Comment by niyikiza

2 days ago

Two things get called "hooks" here. Exit code 2 + stderr is a real control. JSON in stdout degrades to a string in the model's tool-result context, where the model is correctly trained to resist instructions because that's where prompt injections show up. OP hit the second one. It's popular because the ergonomics are friendlier, but for any serious control you want to use deterministic execution guards outside of the agent's reasoning layer.

Disclosure: I'm working on an open source authorization tool for agents.
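
A minimal guard of the kind the comment describes, added here as an example and not part of niyikiza's comment or any project's code: the decision is made in ordinary code, and a block is signalled with exit code 2 plus a reason on stderr. The stdin JSON shape (`tool_name`, `tool_input.command`), the `shell` tool name and the deny rules are assumptions constructed for illustration.

```python
import json
import shlex
import sys

BLOCK, ALLOW = 2, 0  # exit code 2 is the blocking signal named in the comment

# Constructed deny rules (assumptions for illustration only).
DENIED_PROGRAMS = {"curl", "wget", "nc"}
PROTECTED_PREFIXES = ("/etc/", "~/.ssh/")
SHELL_META = ";|&$`<>\n"  # syntax this simple guard cannot reason about


def decide(event):
    """Return (exit_code, reason) for one pending tool call."""
    if not isinstance(event, dict):
        return BLOCK, "malformed hook input"
    if event.get("tool_name") != "shell":  # hypothetical tool name
        return ALLOW, ""
    tool_input = event.get("tool_input")
    command = tool_input.get("command") if isinstance(tool_input, dict) else None
    if not isinstance(command, str):
        return BLOCK, "missing command"
    # Fail closed on anything the tokenizer below would misread.
    if any(ch in command for ch in SHELL_META):
        return BLOCK, "compound shell syntax is not allowed"
    try:
        argv = shlex.split(command)
    except ValueError:
        return BLOCK, "unparseable command"
    for token in argv:
        if token in DENIED_PROGRAMS:
            return BLOCK, f"program not allowed: {token}"
        if token.startswith(PROTECTED_PREFIXES):
            return BLOCK, f"protected path: {token}"
    return ALLOW, ""


def main():
    try:
        event = json.load(sys.stdin)
    except json.JSONDecodeError:
        event = None  # handled as malformed input by decide()
    code, reason = decide(event)
    if code == BLOCK:
        # The reason goes to stderr; the exit status carries the decision.
        print(f"guard: {reason}", file=sys.stderr)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

The verdict here never passes through the model's context: the process exit status decides whether the call runs, and the stderr text is only an explanation.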