cursor-before-read-file-guard
Block reads of secret-bearing files (.env, keys, credential stores) before they enter Cursor context.
hook
BeforeReadFile
cursor
mode: enforce
config/hook-registry.json (entry) wagents/hooks/policies/before_read_file_guard.py (decision)
Block reads of secret-bearing files (.env, keys, credential stores) before they enter Cursor context.
Registry Entry
Section titled “Registry Entry”| Field | Value |
|---|---|
| id | cursor-before-read-file-guard |
| status_message | Checking file-read safety |
| mode | enforce |
| logical_event | BeforeReadFile |
| command | python3 {repo_root}/hooks/wagents-hook.py cursor-before-read-file-guard --harness {harness} |
| timeout | 5 |
| harnesses | ["cursor"] |
Full hook config + policy reference
{ "id": "cursor-before-read-file-guard", "description": "Block reads of secret-bearing files (.env, keys, credential stores) before they enter Cursor context.", "status_message": "Checking file-read safety", "mode": "enforce", "logical_event": "BeforeReadFile", "command": "python3 {repo_root}/hooks/wagents-hook.py cursor-before-read-file-guard --harness {harness}", "timeout": 5, "harnesses": [ "cursor" ]}def evaluate_before_read_file(path: str) -> str | None: """Return a deny reason if `path` looks secret-bearing, else None.""" # .env / .env.* files, private-key + credential basenames, # and sensitive suffixes (.pem, .key, .p12, ...) are blocked. ...Command: python3 .../wagents-hook.py cursor-before-read-file-guard --harness cursor
Resources
Section titled “Resources”Hooks HubAll repo-managed lifecycle hooks.
wagents hooksInspect and validate hooks via CLI.
