cursor-protected-file-guard

Block protected files, secret-bearing paths, git internals, traversal, and direct lockfile edits in Cursor.

hook PreToolUse cursor mode: enforce

Block protected files, secret-bearing paths, git internals, traversal, and direct lockfile edits in Cursor.

FieldValue
idcursor-protected-file-guard
status_messageChecking protected paths
modeenforce
logical_eventPreToolUse
matcherWrite|Edit|MultiEdit|apply_patch|edit|create|replace|write_file|Bash|bash|run_shell_command
commandpython3 {repo_root}/hooks/wagents-hook.py cursor-protected-file-guard --harness {harness}
timeout5
harnesses["cursor"]
Full hook config + command reference
config/hook-registry.json (entry)
{
"id": "cursor-protected-file-guard",
"description": "Block protected files, secret-bearing paths, git internals, traversal, and direct lockfile edits in Cursor.",
"status_message": "Checking protected paths",
"mode": "enforce",
"logical_event": "PreToolUse",
"matcher": "Write|Edit|MultiEdit|apply_patch|edit|create|replace|write_file|Bash|bash|run_shell_command",
"command": "python3 {repo_root}/hooks/wagents-hook.py cursor-protected-file-guard --harness {harness}",
"timeout": 5,
"harnesses": [
"cursor"
]
}
hooks/wagents-hook.py (policy excerpt)
def _policy_codex_protected_file_guard(payload: NormalizedPayload) -> int:
reason = _protected_payload_reason(payload)
if reason:
return _deny(payload, reason, policy_id="cursor-protected-file-guard")
return 0

Command (Cursor): python3 {repo_root}/hooks/wagents-hook.py cursor-protected-file-guard --harness cursor


View source on GitHub