
feat: add block-no-verify PreToolUse hook to prevent agents from bypassing git hooks#1089

Open
tupe12334 wants to merge 1 commit into f:main from tupe12334:add-block-no-verify

Conversation


@tupe12334 tupe12334 commented Mar 19, 2026

Summary

Adds block-no-verify@1.1.2 as a PreToolUse Bash hook in .claude/settings.json, alongside the existing PostToolUse hooks.

Details

When an agent runs git commit or git push with the hook-bypass flag, it silently disables pre-commit, commit-msg, and pre-push hooks. block-no-verify reads tool_input.command from the Claude Code hook stdin payload, detects the hook-bypass flag across all git subcommands, and exits 2 to block. The existing PostToolUse hooks are preserved unchanged.

Closes #1088


Disclosure: I am the author and maintainer of block-no-verify.

Summary by CodeRabbit

  • Chores
    • Updated development tooling configuration.

Prevents agents from bypassing git hooks via the hook-skip flag.
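As an added illustration of the mechanism the description sketches (a PreToolUse hook that reads the JSON payload on stdin, inspects tool_input.command and exits 2 to block), here is a constructed Python stand-in; it is not block-no-verify's own code. It assumes the payload also carries a tool_name field, and unlike the real package it handles only the long --no-verify flag, not per-subcommand short aliases.

```python
"""Constructed stand-in for a --no-verify PreToolUse hook (not block-no-verify's code)."""
import json
import shlex
import sys

# Shell control operators; each splits one simple command from the next.
SEPARATORS = {"&&", "||", ";", "|", "&"}

def split_commands(command):
    """Yield each simple command on a shell line as a token list."""
    # punctuation_chars makes `;`, `&&`, `||`, `|` their own tokens even without
    # surrounding spaces (Python 3.8+); quotes are honoured and then stripped.
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)
    except ValueError:  # unbalanced quotes: fall back to raw words (fails closed)
        tokens = command.split()
    current = []
    for tok in tokens:
        if tok in SEPARATORS:
            if current:
                yield current
            current = []
        else:
            current.append(tok)
    if current:
        yield current

def is_hook_bypass(command):
    """True if any git invocation on the line carries --no-verify.
    A quoted "--no-verify" (say, in a commit message) is flagged too: a false
    positive, but fail-closed. The short alias `git commit -n` is not handled."""
    return any(words and words[0] == "git" and "--no-verify" in words[1:]
               for words in split_commands(command))

def decide(payload):
    """PreToolUse exit code for one stdin payload: 2 blocks the call, 0 allows it."""
    if payload.get("tool_name", "Bash") != "Bash":  # tool_name: assumed field name
        return 0
    command = payload.get("tool_input", {}).get("command", "")
    return 2 if is_hook_bypass(command) else 0

if __name__ == "__main__":  # Claude Code pipes the hook payload as JSON on stdin
    code = decide(json.load(sys.stdin))
    if code == 2:
        print("blocked: --no-verify would skip this repo's git hooks", file=sys.stderr)
    sys.exit(code)
```

Compound lines such as `npm test && git commit -a --no-verify` are split on shell operators first, so the flag is caught on any git command in the chain, not only when git is the first word.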

coderabbitai bot commented Mar 19, 2026

Walkthrough

A PreToolUse hook configuration is added to .claude/settings.json that executes npx block-no-verify@1.1.2 before Bash tool invocation, preventing Claude Code agents from bypassing git hooks via --no-verify flags on git commands.

Changes

  • Hook Configuration (.claude/settings.json): Added a PreToolUse hook entry matching the Bash tool that runs the block-no-verify@1.1.2 command hook to intercept and block git hook-bypass attempts.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 With whiskers twitching, I hop with glee,
No more sneaky --no-verify!
Block-no-verify stands tall and true,
Protecting hooks from agents too—
Quality gates shall never flee!

Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: adding a block-no-verify PreToolUse hook to prevent agents from bypassing git hooks.
  • Linked Issues check: Passed. The pull request fully meets the objective from issue #1088 by adding block-no-verify@1.1.2 as a PreToolUse Bash hook in .claude/settings.json to prevent git hook bypass.
  • Out of Scope Changes check: Passed. All changes are directly related to the stated objective; only .claude/settings.json is modified to add the required PreToolUse hook configuration.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.claude/settings.json (1)

29-29: Prefer a locally pinned executable over runtime npx fetches.

Running npx block-no-verify@1.1.2 in a pre-exec hook introduces reliability and supply-chain drift at runtime (npm availability/cache/prompt behavior). To fix this, add block-no-verify as a repo dependency and invoke the local binary from lockfile-pinned artifacts.

Suggested approach
  1. Add to package.json: "block-no-verify": "1.1.2"
  2. Run npm install to update lockfile
  3. Update command:
-            "command": "npx block-no-verify@1.1.2"
+            "command": "./node_modules/.bin/block-no-verify"
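Review bot: the `+` line uses the relative path `./node_modules/.bin/block-no-verify`, which only resolves when the hook command runs with the repository root as its working directory, and the prose below gives the same path without the `./` prefix; the suggestion should settle on one form and state the working-directory assumption. Because the hook blocks by exiting 2 (per the PR description), a missing or unresolved binary returns the shell's "command not found" status (127), not 2, so the command would be let through rather than blocked; the suggested approach should call this out, since it is exactly the failure mode the pinned-dependency change is meant to avoid.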
📥 Commits

Reviewing files that changed from the base of the PR and between 1c287d3 and c110865.

📒 Files selected for processing (1)
  • .claude/settings.json


Development

Successfully merging this pull request may close these issues.

Add block-no-verify hook to prevent agents from bypassing git hooks