feat: add block-no-verify PreToolUse hook to prevent agents from bypassing git hooks #98

Open
tupe12334 wants to merge 1 commit into awslabs:main from tupe12334:add-block-no-verify

@tupe12334

Summary

Adds block-no-verify@1.1.2 as a PreToolUse Bash hook in .claude/settings.json, alongside the existing attribution config.

Details

When an agent runs git commit or git push with the hook-bypass flag, it silently disables pre-commit, commit-msg, and pre-push hooks. block-no-verify reads tool_input.command from the Claude Code hook stdin payload, detects the hook-bypass flag across all git subcommands, and exits 2 to block. The existing attribution config is preserved unchanged.

Closes #97


Disclosure: I am the author and maintainer of block-no-verify.

Prevents agents from bypassing git hooks via the hook-skip flag.
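
The check described under Details (read tool_input.command, detect the hook-bypass flag, exit 2), written out as an added JavaScript example; it is not the block-no-verify source and not part of this PR. Function names are hypothetical, and the tokenizer assumes plain quoting with no backslash escapes or shell substitutions.

```javascript
// Added illustration, not the block-no-verify source; all names are hypothetical.
const VALUE_FLAGS = "mFCct"; // git commit short options whose value ends a cluster

// Split a command line into simple commands. Quotes are honoured so a flag that
// only appears inside a quoted commit message is not read as an argument.
// Simplification: no backslash escapes, substitutions or alias expansion.
function splitCommands(line) {
  const cmds = [[]];
  let tok = "", quote = null, open = false;
  const flush = () => { if (open) cmds[cmds.length - 1].push(tok); tok = ""; open = false; };
  for (const ch of line) {
    if (quote) { if (ch === quote) quote = null; else tok += ch; }
    else if (ch === '"' || ch === "'") { quote = ch; open = true; }
    else if (";&|\n".includes(ch)) { flush(); cmds.push([]); }
    else if (/\s/.test(ch)) flush();
    else { tok += ch; open = true; }
  }
  flush();
  return cmds.filter((c) => c.length > 0);
}

// True when one simple command is a git call that skips hooks. Fails closed:
// any token named git counts, and --no-verify is rejected on every subcommand.
function bypassesHooks(argv) {
  const g = argv.findIndex((t) => t === "git" || t.endsWith("/git"));
  if (g < 0) return false;
  const args = argv.slice(g + 1);
  if (args.includes("--no-verify")) return true;
  const c = args.indexOf("commit");
  if (c < 0) return false;
  // -n means --no-verify for commit only (for push it is --dry-run).
  return args.slice(c + 1).some((t) => {
    if (!/^-[A-Za-z]+$/.test(t)) return false;
    for (const ch of t.slice(1)) {
      if (ch === "n") return true;
      if (VALUE_FLAGS.includes(ch)) return false;
    }
    return false;
  });
}

// Exit status for a PreToolUse payload: 2 blocks the tool call, 0 allows it.
function hookExitCode(payloadText) {
  let command;
  try { command = JSON.parse(payloadText).tool_input.command; } catch { return 0; }
  if (typeof command !== "string") return 0;
  return splitCommands(command).some(bypassesHooks) ? 2 : 0;
}
```

A hook script would pass its stdin text to hookExitCode and exit with the returned status.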

Copilot AI left a comment

Pull request overview

Adds a Claude Code PreToolUse hook to block git commands that attempt to bypass repository git hooks (e.g., --no-verify), strengthening enforcement of existing quality gates for agent-driven commits/pushes.

Changes:

  • Add a PreToolUse hook in .claude/settings.json for the Bash tool.
  • Run npx block-no-verify@1.1.2 as the hook command while preserving existing attribution settings.

"hooks": [
{
"type": "command",
"command": "npx block-no-verify@1.1.2"
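
Review bot: On the "command": "npx block-no-verify@1.1.2" line, the version tag selects a release but nothing in the repository pins its integrity hash, so the code that gates every Bash tool call is whatever the npm registry serves for that version when the hook first runs on a machine. Consider adding block-no-verify as a devDependency with a committed lockfile and pointing the hook at the locally installed binary under node_modules/.bin, so the hook's code is reviewed and verified with the rest of the dependency tree.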

Copilot AI Mar 20, 2026

This PreToolUse hook runs before every Bash tool invocation. Using npx without a non-interactive flag and without a timeout can cause the hook to hang (e.g., when npx needs to download/install the package and prompts for confirmation), effectively blocking all Bash commands. Consider running via npx --yes … / npm exec --yes … and setting an explicit timeout (and/or preinstalling the tool via the repo’s toolchain) so hook execution is bounded and reliable.

Suggested change
"command": "npx block-no-verify@1.1.2"
"command": "npx --yes block-no-verify@1.1.2",
"timeoutMs": 10000

Development

Successfully merging this pull request may close these issues.

Add block-no-verify hook to prevent agents from bypassing git hooks