cursor-before-shell-execution-guard

Block destructive shell commands and unsafe git history rewrites on Cursor's beforeShellExecution event.

hook BeforeShellExecution cursor mode: enforce

Block destructive shell commands and unsafe git history rewrites on Cursor’s beforeShellExecution event.

FieldValue
idcursor-before-shell-execution-guard
status_messageChecking shell-execution safety
modeenforce
logical_eventBeforeShellExecution
commandpython3 {repo_root}/hooks/wagents-hook.py cursor-before-shell-execution-guard --harness {harness}
timeout5
harnesses["cursor"]
Full hook config + policy reference
config/hook-registry.json (entry)
{
"id": "cursor-before-shell-execution-guard",
"description": "Block destructive shell commands and unsafe git history rewrites on Cursor's beforeShellExecution event.",
"status_message": "Checking shell-execution safety",
"mode": "enforce",
"logical_event": "BeforeShellExecution",
"command": "python3 {repo_root}/hooks/wagents-hook.py cursor-before-shell-execution-guard --harness {harness}",
"timeout": 5,
"harnesses": [
"cursor"
]
}
hooks/wagents-hook.py (dispatcher policy)
def _policy_cursor_before_shell_execution_guard(payload: NormalizedPayload) -> int:
reason = _destructive_shell_reason(payload.command)
if not reason:
if evaluate_git_commit_push is None:
if _SHELL_GIT_DANGEROUS_RE.search(payload.command or ""):
return _enforce_module_load_failure(
payload, "cursor-before-shell-execution-guard"
)
else:
reason = evaluate_git_commit_push(payload.command)
...

Command: python3 .../wagents-hook.py cursor-before-shell-execution-guard --harness cursor


View source on GitHub