feat: add block-no-verify PreToolUse hook to prevent agents from bypassing git hooks#7677

Open
tupe12334 wants to merge 1 commit into prisma:main from tupe12334:add-block-no-verify
Conversation

@tupe12334 commented Mar 19, 2026

Summary

Creates .claude/settings.json with block-no-verify@1.1.2 as a PreToolUse Bash hook to prevent Claude Code agents from bypassing git hooks via the hook-skip flag.

Details

When an agent runs git commit or git push with the hook-bypass flag, it silently disables pre-commit, commit-msg, and pre-push hooks. block-no-verify reads tool_input.command from the Claude Code hook stdin payload, detects the hook-bypass flag across all git subcommands, and exits 2 to block.

Closes #7676


Disclosure: I am the author and maintainer of block-no-verify.

Summary by CodeRabbit

  • Chores
    • Added configuration for internal development tooling and validation processes.

Note: This release contains no user-facing changes.
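The detection flow the PR description lays out (read tool_input.command from the hook's stdin payload, look for the bypass flag on any git subcommand, exit 2 to block), written out as an added JavaScript example. This is not block-no-verify's own code; the script name block-hook.js, its --stdin switch and the sample command lines in the comments are this example's assumptions.

```javascript
// Added example in the spirit of the PR's hook, not block-no-verify's own code: a PreToolUse
// script for Claude Code's Bash tool. Claude Code passes the tool call as JSON on stdin with
// the shell command in tool_input.command; exit 2 blocks the call and returns stderr to the agent.
// Heuristic split into simple commands on common shell operators. Not a full shell parser:
// an operator inside quotes also splits, which is acceptable for a block-list check.
function splitCommands(cmd) {
  return cmd.split(/\s*(?:&&|\|\||;|\||\n)\s*/).map((s) => s.trim()).filter(Boolean);
}

// True when one git invocation carries a hook-bypass flag, whatever the subcommand.
function isHookBypass(tokens) {
  if (tokens[0] !== "git") return false;
  let i = 1; // step over git's global options ("-C <path>", "-c <key=val>", "--bare", ...)
  while (i < tokens.length && tokens[i].startsWith("-")) {
    i += tokens[i] === "-C" || tokens[i] === "-c" ? 2 : 1;
  }
  const sub = tokens[i];
  return tokens.slice(i + 1).some((a) => {
    if (a === "--no-verify") return true; // long form, accepted by commit, push, merge, ...
    // Only "git commit" documents -n as short for --no-verify (may be clustered, e.g. -sn);
    // for "git push", -n means --dry-run and must not count as a bypass.
    return sub === "commit" && /^-[a-zA-Z]*n[a-zA-Z]*$/.test(a);
  });
}
// Returns the offending simple command, or null when the whole line is clean.
function findBypass(command) {
  for (const part of splitCommands(command)) {
    if (isHookBypass(part.split(/\s+/))) return part;
  }
  return null;
}
// Maps the raw stdin payload to an exit code. A payload that cannot be read is blocked
// (fail closed), so a change in the payload shape cannot silently switch the check off.
function decide(payloadText) {
  let command;
  try { command = JSON.parse(payloadText).tool_input.command; }
  catch (e) { return { exitCode: 2, message: "block-hook: unreadable PreToolUse payload" }; }
  const hit = findBypass(String(command || ""));
  return hit ? { exitCode: 2, message: `blocked: git hook bypass in "${hit}"` }
             : { exitCode: 0, message: "" };
}

// Entry point when wired into .claude/settings.json as "node block-hook.js --stdin"
// (the --stdin switch is this example's own convention, not a Claude Code one).
if (process.argv.includes("--stdin")) {
  const { exitCode, message } = decide(require("fs").readFileSync(0, "utf8"));
  if (message) process.stderr.write(message + "\n");
  process.exit(exitCode);
}
```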

Prevents agents from bypassing git hooks via the hook-skip flag.
@vercel bot commented Mar 19, 2026

@tupe12334 is attempting to deploy a commit to the Prisma Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai bot (Contributor) commented Mar 19, 2026

Walkthrough

The .claude/settings.json configuration file is modified to add a new hooks section that registers a PreToolUse hook for the Bash tool. This hook executes npx block-no-verify@1.1.2 before bash commands run, enabling detection and prevention of git hook-bypass flags.

Changes

Cohort / File(s) | Summary
Git Hook Prevention Configuration (.claude/settings.json) | Adds a PreToolUse hook configuration that registers block-no-verify@1.1.2 to run before Bash tool execution, preventing agents from bypassing git hooks with flag-based overrides.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks: 5 passed

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title clearly and concisely describes the main change: adding a block-no-verify PreToolUse hook to prevent git hook bypass. It directly maps to the primary objective of the changeset.
Linked Issues check | ✅ Passed | The PR fully implements all coding requirements from #7676: adds the hooks configuration to .claude/settings.json with PreToolUse Bash hook matching, registers the block-no-verify@1.1.2 command, and achieves the objective of preventing hook bypass.
Out of Scope Changes check | ✅ Passed | All changes are strictly scoped to the linked issue #7676. The modification adds only the required hooks configuration to .claude/settings.json with no extraneous or unrelated changes.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai bot (Contributor) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.claude/settings.json:
- Line 9: Update the PreToolUse hook command string "npx block-no-verify@1.1.2"
to include the non-interactive flag so it won't prompt during execution;
specifically modify the "command" value to add "--yes" (i.e., "npx
block-no-verify@1.1.2 --yes") to ensure the hook runs unattended in
CI/non-interactive environments.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL


📥 Commits

Reviewing files that changed from the base of the PR and between 6ce797f and 15362d7.

📒 Files selected for processing (1)
  • .claude/settings.json

Inline comment on .claude/settings.json, at these lines:

    "hooks": [
      {
        "type": "command",
        "command": "npx block-no-verify@1.1.2"

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For current npm/npx versions, when running npx <package>@<version> and the package is not installed locally, does npx prompt for confirmation by default? Is --yes the recommended way to make it non-interactive in automation/hooks?

💡 Result:

Yes, by default, when running npx <package>@<version> and the package is not installed locally (i.e., no matching version in local project dependencies or npx cache), npx prompts for confirmation before installing it from the registry to a cache folder. This behavior was introduced in npm 7+ for security reasons to prevent accidental execution of mistyped package names. --yes (or -y) is the recommended and officially documented way to suppress the prompt and automatically proceed with installation, making it suitable for non-interactive use in automation or hooks. Use npx --yes <package>@<version>. Alternatively, npm_config_yes=true npx ... works for backward compatibility with older npm versions.

Add --yes flag to prevent interactive prompts in hook execution

The npx command prompts for install confirmation by default when a package isn't cached (npm 7+ security feature). In a PreToolUse hook running in a non-interactive environment—like CI/CD pipelines or automated tool execution—this prompt will hang or fail the hook entirely. Add the --yes flag to suppress the prompt and ensure reliable, non-blocking execution.

Suggested change
-            "command": "npx block-no-verify@1.1.2"
+            "command": "npx --yes block-no-verify@1.1.2"
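Review bot: the `+` line places `--yes` before the package spec (`npx --yes block-no-verify@1.1.2`), which matches the form the analysis above recommends (`npx --yes <package>@<version>`); the AI-agent prompt attached to this same comment instead spells it `npx block-no-verify@1.1.2 --yes`, where the flag follows the package name and so ends up in block-no-verify's own arguments rather than npx's, and that prompt text should be brought in line with this hunk before anyone applies it. One caveat worth recording next to the fix: `--yes` suppresses exactly the install confirmation the analysis describes as an npm 7+ security measure, so on a cold cache the hook will fetch the pinned version from the registry unprompted; declaring block-no-verify as a pinned devDependency would let npx resolve the local, lockfile-controlled copy and take the registry fetch out of the hook path.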

Development

Successfully merging this pull request may close these issues.

Add block-no-verify hook to prevent agents from bypassing git hooks

1 participant