Add block-no-verify PreToolUse hook to .claude/settings.json#36105
Add block-no-verify PreToolUse hook to .claude/settings.json#36105tupe12334 wants to merge 1 commit intofacebook:mainfrom
Conversation
Prevents agents from bypassing git hooks via the hook-skip flag. Note: hooks run as system shell commands outside Claude's permission scope, so this works correctly even with deny: Bash(npx:*). Closes facebook#36104
|
Hi @tupe12334! Thank you for your pull request and welcome to our community. Action RequiredIn order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you. ProcessIn order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA. Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks! |
1 participant
Summary
Adds
block-no-verify@1.1.2as aPreToolUseBash hook in.claude/settings.json, alongside the existingSessionStarthook.Details
When an agent runs
git commitorgit pushwith the hook-bypass flag, it silently disables pre-commit, commit-msg, and pre-push hooks.block-no-verifyreadstool_input.commandfrom the Claude Code hook stdin, detects the hook-bypass flag across all git subcommands, and exits 2 to block.Note on
deny: Bash(npx:*): The deny list applies to what Claude Code can run via its Bash tool. Hooks run as system-level shell commands outside that permission scope, so this hook works correctly regardless.All existing
SessionStarthooks and permissions are preserved unchanged.Closes #36104
Disclosure: I am the author and maintainer of
block-no-verify.