Cursor hooks still called `npx block-no-verify@1.1.2`, the broken external
package whose matcher over-matches: it blocks legitimate `git commit`
whenever `--no-verify` (or `no-verify`) appears anywhere in the command
string, including inside the commit message body. The Claude Code surface
already routes through the in-repo `scripts/hooks/block-no-verify.js`,
which performs flag-position-aware tokenisation and passes 25 regression
tests covering every false-positive case from #2107.
Add a thin Cursor wrapper (`before-shell-execution-block-no-verify.js`)
that reads Cursor stdin, transforms to the Claude Code `tool_input.command`
shape, delegates to the local hook's exported `run()`, and forwards exit
code and stderr. Update `.cursor/hooks.json` to call the wrapper instead
of the npx package. New 14-case test file pins the false-positive cases
from the issue plus the still-blocked real bypass attempts.
Fixes#2107
