cursor-before-read-file-guard

Block reads of secret-bearing files (.env, keys, credential stores) before they enter Cursor context.

hook BeforeReadFile cursor mode: enforce

Block reads of secret-bearing files (.env, keys, credential stores) before they enter Cursor context.

FieldValue
idcursor-before-read-file-guard
status_messageChecking file-read safety
modeenforce
logical_eventBeforeReadFile
commandpython3 {repo_root}/hooks/wagents-hook.py cursor-before-read-file-guard --harness {harness}
timeout5
harnesses["cursor"]
Full hook config + policy reference
config/hook-registry.json (entry)
{
"id": "cursor-before-read-file-guard",
"description": "Block reads of secret-bearing files (.env, keys, credential stores) before they enter Cursor context.",
"status_message": "Checking file-read safety",
"mode": "enforce",
"logical_event": "BeforeReadFile",
"command": "python3 {repo_root}/hooks/wagents-hook.py cursor-before-read-file-guard --harness {harness}",
"timeout": 5,
"harnesses": [
"cursor"
]
}
wagents/hooks/policies/before_read_file_guard.py (decision)
def evaluate_before_read_file(path: str) -> str | None:
"""Return a deny reason if `path` looks secret-bearing, else None."""
# .env / .env.* files, private-key + credential basenames,
# and sensitive suffixes (.pem, .key, .p12, ...) are blocked.
...

Command: python3 .../wagents-hook.py cursor-before-read-file-guard --harness cursor


View source on GitHub