Hubspot Output Path Governance

Workflow

1. Intercept the write operation — the PostToolUse hook fires after any Write or Bash tool call that creates a file. Parse the output path from tool_input.file_path or the bash command's redirection target.
2. Classify the artifact — match the output path against the classification table above. Determine if the path is canonical, tolerated, or blocked.
3. Evaluate portal-centric structure — confirm the path includes the portal ID segment when writing portal-specific data. If HUBSPOT_PORTAL_ID is set in the environment, the path must contain it.
4. Block writes to source directories — if the path resolves under scripts/, hooks/, agents/, commands/, skills/, or templates/, emit a block decision with a clear remediation path.
5. Emit non-blocking guidance for tolerated paths — if the path is tolerated but not canonical, emit a warn with the recommended canonical path in the remediation field of the response envelope.
6. Log the path governance decision — write {ts, artifact_type, path, decision, canonical_path} to logs/output-path-audit.jsonl for compliance review.

Routing Boundaries

Use this skill for output path validation and artifact placement governance only. Defer to hubspot-hook-subprocess-and-tempfile-safety for tempfile lifecycle and to hubspot-hook-response-contracts for envelope formatting.

References

• Output Path Validation
• Artifact Classification Rules
• Nonblocking Guidance Patterns