feat: add block-no-verify PreToolUse hook to protect git hooks

[tupe12334]

Summary

Creates .claude/settings.json with block-no-verify@1.1.2 as a PreToolUse Bash hook to prevent Claude Code agents from bypassing git hooks via the hook-skip flag.

Details

When an agent runs git commit or git push with the hook-bypass flag, it silently disables pre-commit, commit-msg, and pre-push hooks. block-no-verify reads tool_input.command from the Claude Code hook stdin payload, detects the hook-bypass flag across all git subcommands, and exits 2 to block. The existing .claude/agents, .claude/rules, and .claude/skills are unchanged.

Closes #166203

---

Disclosure: I am the author and maintainer of block-no-verify.

[trunk-io]

Merging to master in this repository is managed by Trunk.

• To merge this pull request, check the box to the left or comment /trunk merge below.

[blathers-crl]

Thank you for contributing to CockroachDB. Please ensure you have followed the guidelines for creating a PR.

Before a member of our team reviews your PR, I have some potential action items for you:

• Please ensure your git commit message contains a release note.
• When CI has completed, please ensure no errors have appeared.

I was unable to automatically find a reviewer. You can try CCing one of the following members:

• A person you worked with closely on this PR.
• The person who created the ticket, or a CRDB organization member involved with the ticket (author, commenter, etc.).
• Join our community slack channel and ask on #contributors.
• Try find someone else from here.

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.}

[cockroach-teamcity]

This change is 

[cockroachlabs-cla-agent]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}