
feat: add block-no-verify PreToolUse hook to prevent agents from bypassing git hooks#455

Open
tupe12334 wants to merge 1 commit into moltis-org:main from tupe12334:add-block-no-verify

Conversation

@tupe12334

Summary

Adds block-no-verify@1.1.2 as a PreToolUse Bash hook in .claude/settings.json, alongside the existing PostToolUse hooks.

Details

When an agent runs git commit or git push with the hook-bypass flag, it silently disables pre-commit, commit-msg, and pre-push hooks. block-no-verify reads tool_input.command from the Claude Code hook stdin payload, detects the hook-bypass flag across all git subcommands, and exits 2 to block. The existing PostToolUse hooks are preserved unchanged.

Closes #454


Disclosure: I am the author and maintainer of block-no-verify.

Prevents agents from bypassing git hooks via the hook-skip flag.
greptile-apps bot commented Mar 19, 2026

Greptile Summary

This PR adds npx block-no-verify@1.1.2 as a PreToolUse hook for all Bash tool invocations in .claude/settings.json, with the goal of preventing the Claude agent from running git commit --no-verify or git push --no-verify to bypass git hooks. The existing PostToolUse hooks are left unchanged.

Key observations:

  • The "matcher": "Bash" scope means the hook runs before every Bash command — not just git commands — adding npx startup overhead to all agent shell activity.
  • The missing --yes / -y flag on npx can cause the command to prompt for confirmation in non-interactive environments (or on older npm versions), hanging the entire hook pipeline on first use.
  • On any machine without a warm npm cache, npx must reach the npm registry to fetch the package. A firewall, offline environment, or transient network failure will stall the hook and block all Bash tool execution.
  • The PR author discloses they are the sole maintainer of block-no-verify (1 GitHub star at time of review). While pinning to @1.1.2 is good hygiene, it doesn't protect against a targeted compromise of that specific artifact. Because this hook occupies a privileged position (receives every Bash tool_input.command and can block execution), independent review of the package source at that exact version is recommended before merging.

Confidence Score: 2/5

  • Needs changes before merging — the hook can hang in offline/air-gapped environments and introduces a low-adoption, self-authored package into a privileged execution path.
  • The change is small and the intent is sound, but the missing --yes flag is a concrete reliability risk (hook hangs on first run without a warm npm cache), and the combination of broad Bash scope + external package authored by the PR submitter warrants independent package-source review before merging.
  • .claude/settings.json requires attention — specifically the npx invocation and its network dependency.

Important Files Changed

.claude/settings.json: Adds npx block-no-verify@1.1.2 as a PreToolUse hook on every Bash call; raises concerns around offline/air-gapped reliability, the missing --yes flag, and the trust surface of a package authored by the PR submitter running in a privileged hook position.

Sequence Diagram

sequenceDiagram
    participant Agent as Claude Agent
    participant Hook as PreToolUse Hook
    participant npx as npx (block-no-verify@1.1.2)
    participant npm as npm Registry
    participant Bash as Bash Tool

    Agent->>Hook: Any Bash command (git or otherwise)
    Hook->>npx: Execute with tool_input via stdin
    alt Package not in local cache
        npx->>npm: Fetch block-no-verify@1.1.2
        npm-->>npx: Package (or timeout/error)
    end
    npx->>npx: Parse tool_input.command
    alt Command contains --no-verify / -n in git context
        npx-->>Hook: Exit 2 (BLOCK)
        Hook-->>Agent: Bash command blocked
    else Command is safe
        npx-->>Hook: Exit 0 (ALLOW)
        Hook->>Bash: Execute command
        Bash-->>Agent: Result
    end

Last reviewed commit: "feat: add block-no-v..."

{
"type": "command",
"command": "npx block-no-verify@1.1.2"
}

P1 Add --yes flag to prevent interactive prompt

npx without --yes (or -y) can prompt the user to confirm installation when the package is not already in the local npm cache, or on certain npm versions. In the non-interactive context of a Claude Code hook, this prompt would cause the hook — and therefore the entire Bash tool — to hang indefinitely on a fresh machine or CI environment.

Suggested change
}
"command": "npx --yes block-no-verify@1.1.2"

Comment on lines +25 to +30
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "npx block-no-verify@1.1.2"
}

P1 Hook fires on every Bash invocation, not just git commands

The "matcher": "Bash" means block-no-verify is executed before every Bash tool call — file reads, test runs, npm install, build commands, etc. While block-no-verify should exit 0 quickly for non-git commands, npx itself adds startup overhead on each call, and critically, the first invocation on any machine without a warm npm cache will require a network round-trip to the npm registry. If the registry is unreachable (firewall, offline environment, network interruption), this hook can hang, blocking the entire Bash tool.

Consider whether the matcher should be more targeted (e.g. using a wrapper script that only invokes the tool when the command starts with git) or adding a network timeout to the hook execution.
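The PR description (read tool_input.command from the hook's stdin payload, exit 2 on a bypass flag) and the wrapper-script idea in this comment can be shown together in one local script. The following is an added example, not the project's settings nor block-no-verify's source; its tokenising and flag rules (in particular treating -n as a bypass only for git commit, since git push -n is a dry run) are this example's own assumptions.

```python
import json
import shlex
import sys
# Added example, not block-no-verify's own code: a dependency-free PreToolUse hook that
# reads the Claude Code payload on stdin and exits 2 when tool_input.command carries a
# git hook-bypass flag; everything else is allowed with exit 0, with no npx involved.
GIT_OPTS_WITH_ARG = {"-C", "-c", "--git-dir", "--work-tree"}  # git global options with a value

def split_commands(command: str) -> list[list[str]]:
    """Tokenise a shell line and split it into simple commands on ; | & ( )."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        tokens = list(lex)
    except ValueError:                            # unbalanced quotes: plain split instead
        tokens = command.split()
    segments: list[list[str]] = [[]]
    for tok in tokens:
        if tok and all(ch in "();<>|&" for ch in tok):
            segments.append([])
        else:
            segments[-1].append(tok)
    return [s for s in segments if s]

def is_git_hook_bypass(command: str) -> bool:
    """True if a git call on the line would skip pre-commit, commit-msg or pre-push hooks."""
    for argv in split_commands(command):
        if argv[0] != "git":
            continue
        args = argv[1:]
        while args and args[0].startswith("-"):   # step over git's global options
            args = args[2:] if args[0] in GIT_OPTS_WITH_ARG else args[1:]
        sub, args = (args[0], args[1:]) if args else (None, [])
        for tok in args:
            if tok == "--no-verify":              # accepted by commit, push, merge, ...
                return True
            if sub == "commit" and tok[:1] == "-" and tok[:2] != "--":
                for ch in tok[1:]:                # combined short flags, e.g. -an
                    if ch == "n":
                        return True
                    if ch in "mFCctS":            # option takes a value: -mn is message "n"
                        break
    return False

def hook_exit_code(payload: dict) -> int:
    command = payload.get("tool_input", {}).get("command", "")
    return 2 if is_git_hook_bypass(command) else 0  # 2 blocks the tool call, 0 allows it

if __name__ == "__main__":                        # configured as the hook "command"
    sys.exit(hook_exit_code(json.load(sys.stdin)))
```

Pointing the hook's "command" at this script instead of npx removes the registry round-trip described above; the exit code is all the hook contract needs.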

Comment on lines +28 to +30
"type": "command",
"command": "npx block-no-verify@1.1.2"
}
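Review bot: `npx block-no-verify@1.1.2` pins a version but not an artifact, and on a cold cache still resolves it against the registry at hook time; if the repository has a package.json, declaring block-no-verify as a devDependency and invoking the locally installed bin (`./node_modules/.bin/block-no-verify`) would record an integrity hash in the lockfile and remove the network round-trip, which addresses both the offline concern and the artifact-compromise point raised below.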

P1 External package authored by the PR submitter runs in a privileged hook position

The PR description discloses (commendably) that the author is also the maintainer of block-no-verify. Nonetheless, this change introduces a third-party npm package — maintained by the same person opening the PR — that:

  1. Runs before every Bash command executed by the Claude agent.
  2. Can exit 2 to block any Bash command entirely.
  3. Receives the full Claude Code hook stdin payload (including tool_input.command) on each invocation.

While pinning to @1.1.2 prevents unintended upgrades to future versions, it does not protect against a compromise of that specific published artifact on the npm registry. The package has minimal adoption (1 GitHub star at time of review), which lowers the scrutiny it receives from the community.

It is worth confirming with the team that the package's source at that exact version has been independently reviewed before merging, given the privileged position it occupies in the agent's execution path.

Development

Successfully merging this pull request may close these issues.

Add block-no-verify hook to prevent agents from bypassing git hooks