Summary
This repo ships .claude/settings.json with PreToolUse hooks and an Agents.md with safety guidelines — but there's a silent escape hatch that AI agents commonly exploit: bypassing git hooks by passing the --no-verify flag to git commit or git push.
When an agent uses that flag, all pre-commit and pre-push hooks are silently skipped — linting, tests, secret scanning, anything enforced at the hook level.
Suggested Addition
Add a PreToolUse hook entry to .claude/settings.json using block-no-verify (v1.1.2):
```json
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "npx --yes block-no-verify@1.1.2"
          }
        ]
      }
    ]
  }
}
```

block-no-verify reads the Claude Code hook input from stdin and exits non-zero (blocking the command) if it detects the --no-verify flag, the -n shorthand on git commit, or a core.hooksPath override.
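As an added illustration of what such a guard does (written for this issue, not the block-no-verify package's own code), here is a small Python PreToolUse hook that reads the hook JSON from stdin and refuses Bash commands carrying `--no-verify`, `-n` on `git commit`, or a `core.hooksPath` override, including when the git call is chained after another command. It assumes the hook input shape `{"tool_name": "Bash", "tool_input": {"command": "..."}}`, that exit code 2 is what blocks the tool call, and a hypothetical script name such as `no_verify_guard.py` in the `"command"` field.

```python
import json
import shlex
import sys
SEPARATORS = {"&&", "||", ";", "|", "&"}  # shell operators that start a new command

def split_commands(command):
    """Tokenize a shell line (quotes respected) and split it at command separators."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            segments.append(current)
            current = []
        else:
            current.append(tok)
    return [seg for seg in segments + [current] if seg]

def bypass_reason(argv):
    """Why this single git invocation bypasses hooks, or None if it does not."""
    if not argv or argv[0] != "git":
        return None
    if any(a.lower().startswith("core.hookspath") for a in argv):
        return "core.hooksPath override"  # git -c core.hooksPath=... or git config core.hooksPath
    sub = next((a for a in argv[1:] if not a.startswith("-") and "=" not in a), "")  # skip -c k=v
    if "--no-verify" in argv:
        return f"--no-verify on git {sub}"
    # -n is the --no-verify shorthand only for git commit (git log -n 5 is fine); it may be
    # bundled with other short flags (-an), so any short-flag cluster containing n is refused
    if sub == "commit" and any(a[0] == "-" and a[1] != "-" and "n" in a for a in argv[1:] if len(a) > 1):
        return "-n (no-verify shorthand) on git commit"
    return None

def check_command(command):
    """First hook-bypass reason found in a (possibly chained) shell command, else None."""
    try:
        segments = split_commands(command)
    except ValueError:  # unbalanced quotes: inspect raw words instead of crashing (a crash fails open)
        segments = [command.split()]
    return next((r for r in map(bypass_reason, segments) if r), None)

def main():  # PreToolUse entry point: hook JSON arrives on stdin; exit code 2 blocks the tool call
    payload = json.load(sys.stdin)
    command = payload.get("tool_input", {}).get("command", "") if payload.get("tool_name") == "Bash" else ""
    reason = check_command(command)
    if reason:
        print(f"Blocked: {reason}. Fix the failing hook instead of skipping it.", file=sys.stderr)
    return 2 if reason else 0  # Claude Code relays stderr to the agent when a hook exits 2

if __name__ == "__main__":
    sys.exit(main())
```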
It could also be documented in Agents.md as a recommended guardrail:
```markdown
## Git Hook Safety
Never bypass git hooks. Do not use `--no-verify` or override `core.hooksPath`.
If a hook fails, fix the underlying issue rather than skipping the hook.
```

Why It Matters
This repo is used as a reference for grounding coding agents — many developers copy these configs into their own projects. Shipping the hook guard here propagates the protection to all downstream users.
Disclosure: I am the author and maintainer of block-no-verify.