feat(hooks): add if field to markitdown and deny-vendor-write hooks (#124)

* docs(track): add hooks-if-field-20260328

* feat(hooks): add if field to markitdown and deny-vendor-write hooks

Add permission rule syntax filters to reduce unnecessary hook process
spawns. Markitdown hook now only fires on binary doc extensions
(pptx/docx/xlsx/xls/ppt/doc). Deny-vendor-write hook now only fires
on edits targeting vendor/ or sources/ paths.

* chore(track): link PR #124 to hooks-if-field-20260328

* fix(hooks): use single-pattern if fields, descope settings hook

Permission rule syntax (gitignore spec) does not support | alternation.
Split markitdown hook into 6 separate entries, one per extension.
Remove if field from deny-vendor-write hook — would require 8 entries
(4 tool types × 2 paths), too verbose for the benefit.

Author: amondnet

.please/docs/tracks/active/hooks-if-field-20260328/metadata.json

@@ -0,0 +1,10 @@
+{
+  "track_id": "hooks-if-field-20260328",
+  "type": "feature",
+  "status": "in_progress",
+  "created_at": "2026-03-28T22:47:18+09:00",
+  "updated_at": "2026-03-28T22:48:00+09:00",
+  "issue": "",
+  "pr": "#124",
+  "project": ""
+}

.please/docs/tracks/active/hooks-if-field-20260328/plan.md

@@ -0,0 +1,93 @@
+# Plan: Add `if` Field to Hooks
+
+> Track: hooks-if-field-20260328
+> Spec: [spec.md](./spec.md)
+
+## Overview
+
+- **Source**: /please:plan
+- **Track**: hooks-if-field-20260328
+- **Created**: 2026-03-28
+- **Approach**: Targeted application — add `if` field to 2 hooks with clear performance benefit; skip 4 hooks where benefit is minimal or inapplicable.
+
+## Purpose
+
+Reduce unnecessary hook process invocations by adding the `if` field (permission rule syntax filter) to hooks where it meaningfully narrows scope. The `if` field prevents the hook process from spawning when the tool call doesn't match the pattern, providing a performance benefit for frequently-fired hooks.
+
+## Context
+
+Claude Code hooks support an `if` field that uses permission rule syntax with alternation (`|`) and glob patterns. It acts as a fine-grained filter within a matched group:
+1. `matcher` (coarse) — filters by tool name
+2. `if` (fine) — filters by tool name + arguments, avoids process spawn if no match
+
+Currently, **no hooks in this codebase use the `if` field**.
+
+## Architecture Decision
+
+**Apply `if` to 2 hooks with clear benefit:**
+- **Markitdown** PreToolUse (matcher: `Read`) — fires on every file read, but only handles 6 binary doc extensions
+- **Project settings** deny-vendor-write (matcher: `Write|Edit|MultiEdit|NotebookEdit`) — fires on every edit, but only blocks vendor/ and sources/ paths
+
+**Skip 4 hooks:**
+- **Worktree** deny-parent-access — parent path is dynamic/runtime, can't pre-filter with static `if`
+- **Gatekeeper** PreToolUse — script has complex DENY/ALLOW rules, `if` would duplicate logic
+- **Gatekeeper** PermissionRequest — already rare (only fires on unhandled PermissionRequest events)
+- **Fetch** PostToolUseFailure — already rare (only fires on WebFetch failures)
+
+## Tasks
+
+### Phase 1: Apply `if` field to hooks
+
+- T-1: Add `if` field to markitdown PreToolUse hook
+  - File: `plugins/markitdown/hooks/hooks.json`
+  - Approach: One hook entry per extension (permission rules don't support `|` alternation)
+  - Patterns: `Read(*.pptx)`, `Read(*.docx)`, `Read(*.xlsx)`, `Read(*.xls)`, `Read(*.ppt)`, `Read(*.doc)`
+  - Test: Validate with `claude plugin validate plugins/markitdown`
+
+- T-2: ~~Add `if` field to project settings deny-vendor-write hook~~ **DESCOPED**
+  - File: `.claude/settings.json`
+  - Reason: Would require 8 separate hook entries (4 tool types × 2 paths) since `|` is not supported. Too verbose for the benefit; the script already handles filtering efficiently.
+
+- T-3: Document evaluation of skipped hooks in spec as decisions
+
+## Key Files
+
+| File | Role |
+|------|------|
+| `plugins/markitdown/hooks/hooks.json` | Markitdown hook config (modify) |
+| `.claude/settings.json` | Project settings with hooks (modify) |
+| `plugins/markitdown/hooks/check-binary-doc.sh` | Script that handles binary docs (read-only reference) |
+| `hooks/deny-vendor-write.sh` | Script that blocks vendor writes (read-only reference) |
+
+## Verification
+
+- [ ] Markitdown hook no longer fires on plain text/code file reads
+- [ ] deny-vendor-write hook no longer fires on edits outside vendor/sources directories
+- [ ] All modified hooks pass plugin validation
+- [ ] No regression in hook behavior for target cases
+
+## Progress
+
+| Task | Status |
+|------|--------|
+| T-1: markitdown `if` field | completed |
+| T-2: settings `if` field | descoped — `|` not supported, 8 entries too verbose |
+| T-3: document skipped hooks | completed |
+
+## Decision Log
+
+| Decision | Rationale |
+|----------|-----------|
+| Skip worktree hook | Parent path is dynamic — static `if` pattern can't pre-filter |
+| Skip gatekeeper hooks | Script-level pattern matching is more flexible; `if` would duplicate logic |
+| Skip fetch hook | PostToolUseFailure on WebFetch is already very rare |
+| Descope settings hook | `|` alternation not supported in permission rules; 8 entries (4 tools × 2 paths) too verbose |
+| One entry per extension | Permission rules use gitignore spec — no alternation, each `if` takes a single pattern |
+
+## Surprises & Discoveries
+
+- Permission rule syntax follows gitignore spec — `|` alternation is NOT supported
+- Each `if` field takes exactly one pattern (e.g., `Read(*.docx)`)
+- Multiple hook entries in the same `hooks` array with different `if` patterns achieves OR behavior
+- `if` is evaluated before process spawn, providing genuine performance benefit
+- For multi-tool matchers (Write|Edit|...) with multiple paths, `if` becomes impractical without alternation

.please/docs/tracks/active/hooks-if-field-20260328/spec.md

@@ -0,0 +1,44 @@
+# Add `if` Field to Hooks
+
+> Track: hooks-if-field-20260328
+
+## Overview
+
+Add the `if` field (permission rule syntax filter) to hooks that would benefit from more granular tool-call filtering. The `if` field narrows when a hook fires beyond the basic `matcher`, reducing unnecessary hook invocations and improving performance.
+
+## Background
+
+Claude Code hooks support an `if` field that uses permission rule syntax (e.g., `"Bash(git *)"`, `"Edit(*.ts)"`) to filter when a hook runs. This field only applies to tool events: PreToolUse, PostToolUse, PostToolUseFailure, and PermissionRequest. Currently, **no hooks in this codebase use the `if` field**.
+
+## Requirements
+
+### Functional Requirements
+
+- [ ] FR-1: Add `if` field to **markitdown** PreToolUse hook to filter `Read` calls to binary document extensions only (e.g., `*.docx`, `*.pptx`, `*.xlsx`, `*.xls`, `*.doc`, `*.ppt`)
+- [ ] FR-2: Add `if` field to **project settings** PreToolUse hook (`deny-vendor-write.sh`) to filter edit operations to `vendor/` and `sources/` paths only
+- [ ] FR-3: Add `if` field to **worktree** PreToolUse hook (`deny-parent-access.ts`) to narrow file operation scope where beneficial
+- [ ] FR-4: Evaluate gatekeeper and fetch hooks — only add `if` if it meaningfully reduces false invocations without conflicting with existing script logic
+
+### Non-functional Requirements
+
+- [ ] NFR-1: All `if` patterns must use valid permission rule syntax as documented by Claude Code
+- [ ] NFR-2: No behavioral change — hooks must fire for the same effective cases as before, just with fewer unnecessary invocations
+- [ ] NFR-3: Changes must pass `claude plugin validate` for affected plugins
+
+## Acceptance Criteria
+
+- [ ] AC-1: Markitdown hook no longer fires on plain text/code file reads
+- [ ] AC-2: deny-vendor-write hook no longer fires on edits outside vendor/sources directories
+- [ ] AC-3: All modified hooks pass plugin validation
+- [ ] AC-4: No regression in hook behavior for actual target cases
+
+## Out of Scope
+
+- SessionStart hooks (not tool events, `if` field not applicable)
+- Adding new hooks or changing existing hook logic/scripts
+- Modifying external-plugins (submodule repos maintained separately)
+
+## Assumptions
+
+- Permission rule syntax supports glob patterns with `*` for file path matching in Read/Edit/Write tools
+- The `if` field is evaluated before the hook command/script runs, providing a performance benefit

.please/docs/tracks/index.md

@@ -9,6 +9,7 @@
 | [nuxt-ui-hook-guidance-20260328](active/nuxt-ui-hook-guidance-20260328/plan.md) | Nuxt UI Hook Guidance | feature | TBD | 2026-03-28 | in_progress |
 | [nuxt-session-hook-20260328](active/nuxt-session-hook-20260328/) | Plugin Recommender | feature | — | 2026-03-28 | in_progress |
 | [add-code-intelligence-marketplace-20260328](active/add-code-intelligence-marketplace-20260328/plan.md) | Add code-intelligence marketplace | feature | - | 2026-03-28 | planned |
+| [hooks-if-field-20260328](active/hooks-if-field-20260328/) | Add `if` field to hooks | feature | — | 2026-03-28 | planned |
 
 ## Recently Completed
 

plugins/markitdown/hooks/hooks.json

@@ -7,6 +7,37 @@
           {
             "type": "command",
             "command": "${CLAUDE_PLUGIN_ROOT}/hooks/check-binary-doc.sh",
+            "if": "Read(*.pptx)",
+            "timeout": 5
+          },
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/check-binary-doc.sh",
+            "if": "Read(*.docx)",
+            "timeout": 5
+          },
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/check-binary-doc.sh",
+            "if": "Read(*.xlsx)",
+            "timeout": 5
+          },
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/check-binary-doc.sh",
+            "if": "Read(*.xls)",
+            "timeout": 5
+          },
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/check-binary-doc.sh",
+            "if": "Read(*.ppt)",
+            "timeout": 5
+          },
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/check-binary-doc.sh",
+            "if": "Read(*.doc)",
             "timeout": 5
           }
         ]