10 changes: 10 additions & 0 deletions .claude/settings.json
@@ -0,0 +1,10 @@
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [{ "type": "command", "command": "npx block-no-verify@1.1.2" }]

P2 npx violates project package manager convention

The project's CLAUDE.md explicitly mandates: "Package Manager: Use bun and bunx, not npm and npx". This hook should use bunx instead of npx to stay consistent with the rest of the project tooling.

Suggested change
"hooks": [{ "type": "command", "command": "npx block-no-verify@1.1.2" }]
"hooks": [{ "type": "command", "command": "bunx block-no-verify@1.1.2" }]


Unlockfiled dependency auto-executed via npx on every command

Medium Severity

block-no-verify is fetched and executed via npx on every AI agent shell command, but it's not listed in package.json or tracked in bun.lock. This means no lockfile hash verification, no coverage by dependency audit tools, and a potential network fetch on each invocation. Adding it as a devDependency would bring it under the project's existing integrity and audit infrastructure.


}

P2 Hook fires on every Bash command, not just git commands

The matcher: "Bash" configuration causes npx block-no-verify@1.1.2 to be invoked before every single Bash command Claude Code runs — including file operations, test runs, builds, installs, etc. — not only git commands. This adds a process-spawn overhead to all shell activity in the agent.

block-no-verify already inspects the incoming stdin payload to determine whether the command is a git invocation with --no-verify, so non-git commands are harmlessly passed through. But spawning a new npx process for every Bash tool call (e.g. running the test suite, bun install, etc.) will noticeably slow down the agent loop.

Consider whether a narrower matcher (e.g. checking if the command string starts with git) or a wrapper script that short-circuits non-git calls early would be preferable.

]
}
}
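Review bot: the hook command `npx block-no-verify@1.1.2` fails open whenever npx itself fails. Claude Code treats only exit status 2 from a PreToolUse hook as a blocking result; a registry outage, an offline run or any other npx error exits non-zero with some other status, the tool call proceeds, and the `git commit --no-verify` this hook exists to stop goes through. Wrap the call in a checked-in script that maps any failure of the npx step to `exit 2`, or install the package as a devDependency and run it from `node_modules` so there is no network fetch on the blocking path at all.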
7 changes: 7 additions & 0 deletions .cursor/hooks.json
@@ -0,0 +1,7 @@
{
"hooks": {
"beforeShellExecution": [
{ "command": "npx block-no-verify@1.1.2", "event": "beforeShellExecution" }

P2 Redundant event field inside hook object

The "event": "beforeShellExecution" property inside the hook object duplicates the key that already names the hook in the parent "hooks" map. Most Cursor hook schema definitions only expect "command" (and optionally a "label") inside the individual hook entries — the event key is already provided by the parent key. This is harmless today but could cause confusion or breakage if Cursor's hook parser becomes stricter.

Suggested change
{ "command": "npx block-no-verify@1.1.2", "event": "beforeShellExecution" }
{ "command": "npx block-no-verify@1.1.2" }


P2 npx violates project package manager convention

Same as .claude/settings.json — the project's CLAUDE.md mandates bunx over npx. This should be updated for consistency.

Suggested change
{ "command": "npx block-no-verify@1.1.2", "event": "beforeShellExecution" }
{ "command": "bunx block-no-verify@1.1.2" }

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!


Spurious event field in Cursor hook object

Low Severity

The hook object includes "event": "beforeShellExecution" which is not part of the Cursor hooks schema. The documented properties for a hook entry are command, timeout, and matcher. The event type is already determined by the key under hooks. This extra field is redundant and inconsistent with both the Cursor docs and the block-no-verify README's own example configuration.


]
}
}
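Review bot: the version pin in `"command": "npx block-no-verify@1.1.2"` is now duplicated between this file and `.claude/settings.json` with nothing tying the two together, so a bump that touches only one leaves Cursor and Claude Code enforcing different versions of the check. Point both configs at a single checked-in wrapper script (or a single package.json devDependency) so the version lives in one place, and while here add the top-level `"version": 1` field the Cursor hooks schema expects, since a config that fails to load gives no protection at all.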

Missing required version field in Cursor hooks config

High Severity

The .cursor/hooks.json file is missing the required "version": 1 top-level field. The Cursor hooks schema requires this field, and both the official Cursor docs and the block-no-verify README include it in their examples. Without it, the hook may fail to load or be silently ignored, meaning --no-verify bypass protection wouldn't actually work in Cursor.

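The wrapper script that the comment on the `"matcher": "Bash"` hook asks about, as an added example that is not part of this PR and not block-no-verify's own code. It makes the allow/block decision in-process, so the test suite, `bun install` and every other non-git command return without spawning npx. Everything below is an assumption of the example, not something this page states: that Claude Code hands a PreToolUse hook a JSON object on stdin with the command at `tool_input.command`, that exit status 2 is the blocking status, the script name `block-no-verify.sh`, the jq/sed parsing, and the bypass patterns it looks for (`--no-verify` on any git subcommand, `-n` on `git commit`, and `-c core.hooksPath=...`, which disables hooks without any `--no-verify` at all).

```shell
#!/bin/sh
# Added example, not code from the PR or from block-no-verify: a PreToolUse
# wrapper that decides in-process whether a Bash tool call is a git
# invocation that skips hooks. Assumed (not from the page): stdin carries
# JSON with the command at tool_input.command; exit status 2 blocks the call.

# git_skips_hooks CMD: status 2 if CMD contains a git invocation that would
# bypass hooks, 0 otherwise. Word-level scan, not a shell parser: a flag
# quoted inside a -m message is a false positive, "-an" for "-a -n" is a
# miss. Subshell body so `set -f` (no glob expansion of words) stays local.
git_skips_hooks() (
    set -f
    set -- $1                         # split the command line into words
    in_git=0; sub=""; pending=""
    for w; do
        case "$w" in
        '&&'|'||'|';'|'|')            # a new simple command starts fresh
            in_git=0; sub=""; pending=""; continue ;;
        esac
        if [ "$in_git" -eq 0 ]; then
            if [ "$w" = git ]; then in_git=1; fi
            continue
        fi
        if [ -n "$pending" ]; then    # argument of a preceding -c / -C
            if [ "$pending" = cfg ]; then
                case "$w" in core.hooksPath=*) return 2 ;; esac   # -c core.hooksPath=/dev/null
            fi
            pending=""; continue
        fi
        case "$w" in
        --no-verify) return 2 ;;      # any subcommand
        -c) pending=cfg ;;            # next word is a key=value config override
        -C) pending=dir ;;            # next word is a directory, not the subcommand
        -n) if [ "$sub" = commit ]; then return 2; fi ;;   # -n means --no-verify only for commit
        -*) ;;                        # other option, ignore
        *)  if [ -z "$sub" ]; then sub=$w; fi ;;          # first bare word is the subcommand
        esac
    done
    return 0
)

# hook_main: read the tool-call JSON from stdin, decide, exit 2 to block.
hook_main() {
    input=$(cat)
    if command -v jq >/dev/null 2>&1; then
        cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // empty')
    else    # fallback without jq; stops at the first \" inside the command
        cmd=$(printf '%s' "$input" | sed -n 's/.*"command"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    fi
    rc=0; git_skips_hooks "$cmd" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "block-no-verify wrapper: refusing git hook bypass in: $cmd" >&2
        exit 2
    fi
    exit 0
}

# Act as a hook only when invoked under the script's own (assumed) name, so
# the functions can be sourced for testing without consuming stdin.
case "${0##*/}" in block-no-verify.sh) hook_main ;; esac
```

Pointing the hook at the script (for example `"command": "sh .claude/hooks/block-no-verify.sh"`, a hypothetical path) keeps the `"matcher": "Bash"` as is: the cost per non-git command is one `sh` process and a `cat`, and because the only non-zero status the script ever returns is the deliberate `exit 2`, a broken or missing dependency can no longer turn into a silent allow.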