diff --git a/.githooks/pre-commit b/.githooks/pre-commit index bacdcff..44f36ff 100755 --- a/.githooks/pre-commit +++ b/.githooks/pre-commit @@ -30,7 +30,7 @@ fi allow_vscode_protected_raw="${MUSAFETY_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES:-$(git config --get multiagent.allowVscodeProtectedBranchWrites || true)}" if [[ -z "$allow_vscode_protected_raw" ]]; then - allow_vscode_protected_raw="false" + allow_vscode_protected_raw="true" fi allow_vscode_protected="$(printf '%s' "$allow_vscode_protected_raw" | tr '[:upper:]' '[:lower:]')" @@ -155,8 +155,8 @@ Use an agent branch first: After finishing work: bash scripts/agent-branch-finish.sh -Optional repo override for manual VS Code protected-branch commits: - git config multiagent.allowVscodeProtectedBranchWrites true +Optional repo hard-block for VS Code protected-branch commits: + git config multiagent.allowVscodeProtectedBranchWrites false VS Code Source Control commits on protected local-only branches (no upstream and no remote branch) are allowed automatically. diff --git a/.githooks/pre-push b/.githooks/pre-push index a0f066a..80a3240 100755 --- a/.githooks/pre-push +++ b/.githooks/pre-push @@ -12,7 +12,7 @@ fi allow_vscode_protected_raw="${MUSAFETY_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES:-$(git config --get multiagent.allowVscodeProtectedBranchWrites || true)}" if [[ -z "$allow_vscode_protected_raw" ]]; then - allow_vscode_protected_raw="false" + allow_vscode_protected_raw="true" fi allow_vscode_protected="$(printf '%s' "$allow_vscode_protected_raw" | tr '[:upper:]' '[:lower:]')" 
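Review bot: The empty-value fallback in the `@@ -30,7 +30,7 @@` hunk now fails open: `git config --get … || true` swallows every git-config failure, so an unset key and an unreadable or broken config both end up as `allow_vscode_protected_raw="true"`, where the same path previously failed closed. If allow-by-default is intended, say so at the fallback, for example `# Fail-open by design: unset config allows VS Code writes to protected branches; set multiagent.allowVscodeProtectedBranchWrites=false to enforce the guard.`, and consider applying the default only when `git config --get` exits 1 (key not set) rather than on any failure. The same fallback is changed in .githooks/pre-push and in both files under templates/githooks. How the lowercased value is compared lies outside the hunk, so the effect of a mistyped value cannot be confirmed from here.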
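Review bot: "Hard-block" in the help text added by the `@@ -155,8 +155,8 @@` hunk overstates what the git-config setting does, because the assignment in the first hunk of this file reads `MUSAFETY_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES` before `git config`, so a non-empty environment value wins over a repo-level `false`. A wording that matches the code would be `Optional repo setting to block VS Code protected-branch commits (MUSAFETY_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES takes precedence when set):`. The context sentence that follows, about local-only branches being "allowed automatically", now describes a special case of the default and could be reworded in the same pass. The same "hard-block" wording is added in .githooks/pre-push (`@@ -77,8 +77,8 @@`) and in both templates.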
@@ -77,8 +77,8 @@ if [[ "${#blocked_refs[@]}" -gt 0 ]]; then echo "[agent-branch-guard] Push to protected branch blocked." echo "[agent-branch-guard] Protected target(s): ${blocked_refs[*]}" echo "[agent-branch-guard] Use an agent branch and merge via PR." - echo "[agent-branch-guard] Optional VS Code override:" - echo " git config multiagent.allowVscodeProtectedBranchWrites true" + echo "[agent-branch-guard] Optional repo hard-block for VS Code protected-branch push:" + echo " git config multiagent.allowVscodeProtectedBranchWrites false" echo echo "Temporary bypass (not recommended):" echo " ALLOW_PUSH_ON_PROTECTED_BRANCH=1 git push ..." diff --git a/templates/githooks/pre-commit b/templates/githooks/pre-commit index bacdcff..44f36ff 100755 --- a/templates/githooks/pre-commit +++ b/templates/githooks/pre-commit @@ -30,7 +30,7 @@ fi allow_vscode_protected_raw="${MUSAFETY_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES:-$(git config --get multiagent.allowVscodeProtectedBranchWrites || true)}" if [[ -z "$allow_vscode_protected_raw" ]]; then - allow_vscode_protected_raw="false" + allow_vscode_protected_raw="true" fi allow_vscode_protected="$(printf '%s' "$allow_vscode_protected_raw" | tr '[:upper:]' '[:lower:]')" @@ -155,8 +155,8 @@ Use an agent branch first: After finishing work: bash scripts/agent-branch-finish.sh -Optional repo override for manual VS Code protected-branch commits: - git config multiagent.allowVscodeProtectedBranchWrites true +Optional repo hard-block for VS Code protected-branch commits: + git config multiagent.allowVscodeProtectedBranchWrites false VS Code Source Control commits on protected local-only branches (no upstream and no remote branch) are allowed automatically. diff --git a/templates/githooks/pre-push b/templates/githooks/pre-push index a0f066a..80a3240 100644 --- a/templates/githooks/pre-push +++ b/templates/githooks/pre-push 
@@ -12,7 +12,7 @@ fi allow_vscode_protected_raw="${MUSAFETY_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES:-$(git config --get multiagent.allowVscodeProtectedBranchWrites || true)}" if [[ -z "$allow_vscode_protected_raw" ]]; then - allow_vscode_protected_raw="false" + allow_vscode_protected_raw="true" fi allow_vscode_protected="$(printf '%s' "$allow_vscode_protected_raw" | tr '[:upper:]' '[:lower:]')" @@ -77,8 +77,8 @@ if [[ "${#blocked_refs[@]}" -gt 0 ]]; then echo "[agent-branch-guard] Push to protected branch blocked." echo "[agent-branch-guard] Protected target(s): ${blocked_refs[*]}" echo "[agent-branch-guard] Use an agent branch and merge via PR." - echo "[agent-branch-guard] Optional VS Code override:" - echo " git config multiagent.allowVscodeProtectedBranchWrites true" + echo "[agent-branch-guard] Optional repo hard-block for VS Code protected-branch push:" + echo " git config multiagent.allowVscodeProtectedBranchWrites false" echo echo "Temporary bypass (not recommended):" echo " ALLOW_PUSH_ON_PROTECTED_BRANCH=1 git push ..." diff --git a/test/install.test.js b/test/install.test.js index 320dec6..ab957ac 100644 --- a/test/install.test.js +++ b/test/install.test.js @@ -1168,11 +1168,10 @@ test('pre-commit blocks non-codex VS Code commits on custom protected branches b ALLOW_COMMIT_ON_PROTECTED_BRANCH: '0', VSCODE_GIT_IPC_HANDLE: '1', }); - assert.equal(hookResult.status, 1, hookResult.stderr || hookResult.stdout); - assert.match(hookResult.stderr, /\[agent-branch-guard\] Direct commits on protected branches are blocked\./); + assert.equal(hookResult.status, 0, hookResult.stderr || hookResult.stdout); }); -test('pre-commit blocks non-codex protected branch commits from VS Code Source Control env by default', () => { +test('pre-commit allows non-codex protected branch commits from VS Code Source Control env by default', () => { const repoDir = initRepo(); seedCommit(repoDir); attachOriginRemote(repoDir); 
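Review bot: In the `@@ -1168,11 +1168,10 @@` hunk the edited test is still titled "pre-commit blocks non-codex VS Code commits on custom protected branches …", yet its assertion now expects status 0, so the name states the opposite of what is checked. The same mismatch appears in the pre-push test at `@@ -1259,11 +1257,10 @@` ("pre-push blocks …" now asserting 0) and the pre-push test at `@@ -1329,7 +1327,7 @@` / `@@ -1347,7 +1345,8 @@` ("pre-push allows …" now setting the key to `false` and asserting 1). For a branch guard, a stale title makes a later regression easy to misread, so rename them the way the two pre-commit titles were renamed in this commit, e.g. `pre-push blocks non-codex protected branch pushes from VS Code Source Control env when explicitly disabled`. The `test(` declarations sit outside these hunks and are visible only, truncated, in the `@@` headers.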
@@ -1191,8 +1190,7 @@ test('pre-commit blocks non-codex protected branch commits from VS Code Source C VSCODE_IPC_HOOK_CLI: '1', }, ); - assert.equal(hookResult.status, 1, hookResult.stderr || hookResult.stdout); - assert.match(hookResult.stderr, /\[agent-branch-guard\] Direct commits on protected branches are blocked\./); + assert.equal(hookResult.status, 0, hookResult.stderr || hookResult.stdout); }); test('pre-commit allows non-codex VS Code commits on protected local-only branches', () => { @@ -1259,11 +1257,10 @@ test('pre-push blocks non-codex protected branch pushes from VS Code Source Cont VSCODE_IPC_HOOK_CLI: '1', }, ); - assert.equal(hookResult.status, 1, hookResult.stderr || hookResult.stdout); - assert.match(hookResult.stderr, /\[agent-branch-guard\] Push to protected branch blocked\./); + assert.equal(hookResult.status, 0, hookResult.stderr || hookResult.stdout); }); -test('pre-commit allows non-codex protected branch commits from VS Code Source Control env when explicitly enabled', () => { +test('pre-commit blocks non-codex protected branch commits from VS Code Source Control env when explicitly disabled', () => { const repoDir = initRepo(); seedCommit(repoDir); attachOriginRemote(repoDir); @@ -1273,7 +1270,7 @@ test('pre-commit allows non-codex protected branch commits from VS Code Source C let configResult = runCmd( 'git', - ['config', 'multiagent.allowVscodeProtectedBranchWrites', 'true'], + ['config', 'multiagent.allowVscodeProtectedBranchWrites', 'false'], repoDir, ); assert.equal(configResult.status, 0, configResult.stderr || configResult.stdout); 
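Review bot: The `@@ -1273,7 +1270,7 @@` hunk converts the only explicit-`true` pre-commit case into an explicit-`false` case, and the pre-push counterpart gets the same treatment, so within the hunks shown no test sets `multiagent.allowVscodeProtectedBranchWrites` to `true` any more. The default path and the explicit path both pass through the lowercasing and comparison code outside these hunks, and only the default is still pinned. Keeping one test per hook with `['config', 'multiagent.allowVscodeProtectedBranchWrites', 'true']` and `assert.equal(hookResult.status, 0, …)` would preserve coverage of the explicit opt-in.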
@@ -1289,7 +1286,8 @@ test('pre-commit allows non-codex protected branch commits from VS Code Source C VSCODE_IPC_HOOK_CLI: '1', }, ); - assert.equal(hookResult.status, 0, hookResult.stderr || hookResult.stdout); + assert.equal(hookResult.status, 1, hookResult.stderr || hookResult.stdout); + assert.match(hookResult.stderr, /\[agent-branch-guard\] Direct commits on protected branches are blocked\./); }); test('pre-commit does not treat TERM_PROGRAM=vscode as VS Code Source Control context', () => { @@ -1329,7 +1327,7 @@ test('pre-push allows non-codex protected branch pushes from VS Code Source Cont let configResult = runCmd( 'git', - ['config', 'multiagent.allowVscodeProtectedBranchWrites', 'true'], + ['config', 'multiagent.allowVscodeProtectedBranchWrites', 'false'], repoDir, ); assert.equal(configResult.status, 0, configResult.stderr || configResult.stdout); @@ -1347,7 +1345,8 @@ test('pre-push allows non-codex protected branch pushes from VS Code Source Cont VSCODE_IPC_HOOK_CLI: '1', }, ); - assert.equal(hookResult.status, 0, hookResult.stderr || hookResult.stdout); + assert.equal(hookResult.status, 1, hookResult.stderr || hookResult.stdout); + assert.match(hookResult.stderr, /\[agent-branch-guard\] Push to protected branch blocked\./); }); test('pre-push blocks codex protected branch pushes even from VS Code Source Control env', () => {
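Review bot: The explicit-disable tests at `@@ -1289,7 +1286,8 @@` and `@@ -1347,7 +1345,8 @@` set only the git-config key, but the hooks read `MUSAFETY_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES` first, so the expected status 1 depends on that variable being empty in the hook's environment. Whether the helper that runs the hook inherits the runner's environment is not visible here; if it does, pin it with `MUSAFETY_ALLOW_VSCODE_PROTECTED_BRANCH_WRITES: '',` in the env object (an empty value falls through to `git config` under `:-`). A companion case with the variable set to `'true'` and the config set to `false` would document which source wins.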