fix(.cursor/hooks): route block-no-verify through local hook to fix message-body false positives (#2107) (#2177)

Cursor hooks still called `npx block-no-verify@1.1.2`, the broken external package whose matcher over-matches: it blocks legitimate `git commit` whenever `--no-verify` (or `no-verify`) appears anywhere in the command string, including inside the commit message body. The Claude Code surface already routes through the in-repo `scripts/hooks/block-no-verify.js`, which performs flag-position-aware tokenisation and passes 25 regression tests covering every false-positive case from #2107. Add a thin Cursor wrapper (`before-shell-execution-block-no-verify.js`) that reads Cursor stdin, transforms to the Claude Code `tool_input.command` shape, delegates to the local hook's exported `run()`, and forwards exit code and stderr. Update `.cursor/hooks.json` to call the wrapper instead of the npx package. New 14-case test file pins the false-positive cases from the issue plus the still-blocked real bypass attempts. Fixes #2107
2026-06-12 03:03:23 +08:00 · 2026-06-07 10:31:36 +05:30
parent 8dc43e5f60
commit d8a84b5f7b
3 changed files with 211 additions and 1 deletions
--- a/.cursor/hooks.json
+++ b/.cursor/hooks.json
@@ -17,7 +17,7 @@
    ],
    "beforeShellExecution": [
      {
-        "command": "npx block-no-verify@1.1.2",
+        "command": "node .cursor/hooks/before-shell-execution-block-no-verify.js",
        "event": "beforeShellExecution",
        "description": "Block git hook-bypass flag to protect pre-commit, commit-msg, and pre-push hooks from being skipped"
      },