cursor-before-shell-execution-guard
Block destructive shell commands and unsafe git history rewrites on Cursor's beforeShellExecution event.
hook
BeforeShellExecution
cursor
mode: enforce
config/hook-registry.json (entry) hooks/wagents-hook.py (dispatcher policy)
Block destructive shell commands and unsafe git history rewrites on Cursor’s beforeShellExecution event.
Registry Entry
Section titled “Registry Entry”| Field | Value |
|---|---|
| id | cursor-before-shell-execution-guard |
| status_message | Checking shell-execution safety |
| mode | enforce |
| logical_event | BeforeShellExecution |
| command | python3 {repo_root}/hooks/wagents-hook.py cursor-before-shell-execution-guard --harness {harness} |
| timeout | 5 |
| harnesses | ["cursor"] |
Full hook config + policy reference
{ "id": "cursor-before-shell-execution-guard", "description": "Block destructive shell commands and unsafe git history rewrites on Cursor's beforeShellExecution event.", "status_message": "Checking shell-execution safety", "mode": "enforce", "logical_event": "BeforeShellExecution", "command": "python3 {repo_root}/hooks/wagents-hook.py cursor-before-shell-execution-guard --harness {harness}", "timeout": 5, "harnesses": [ "cursor" ]}def _policy_cursor_before_shell_execution_guard(payload: NormalizedPayload) -> int: reason = _destructive_shell_reason(payload.command) if not reason: if evaluate_git_commit_push is None: if _SHELL_GIT_DANGEROUS_RE.search(payload.command or ""): return _enforce_module_load_failure( payload, "cursor-before-shell-execution-guard" ) else: reason = evaluate_git_commit_push(payload.command) ...Command: python3 .../wagents-hook.py cursor-before-shell-execution-guard --harness cursor
Resources
Section titled “Resources”Hooks HubAll repo-managed lifecycle hooks.
wagents hooksInspect and validate hooks via CLI.
