Connectors

Cursor

Cursor connector wires hooks.json with native ask on beforeShellExecution and beforeMCPExecution. Block on preToolUse, beforeReadFile, beforeTabFileRead, beforeSubmitPrompt, stop.

The Cursor connector wires DefenseClaw into Cursor's user-scoped hooks.json so every shell command and MCP tool call is inspected before it runs.

Setup

defenseclaw setup cursor

This runs the observability-only template. Cursor talks directly to its native upstream; DefenseClaw inspects via hooks. There is no proxy-enforcement path for Cursor — blocking happens hook-side via Cursor's documented beforeShellExecution, beforeMCPExecution, beforeReadFile, beforeTabFileRead, beforeSubmitPrompt, and stop events. Native ask is supported only on the two before*Execution events.

What setup cursor actually does

The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.

FlagDefaultWhat it does
--yes / -yoffSkip the confirmation prompt (alias: --non-interactive, --accept-defaults).
--restart / --no-restart--restartBounce defenseclaw-gateway after applying changes so the new hooks wire in.
--with-local-stack / --no-local-stack--no-local-stackAlso bring up the bundled Prom/Loki/Tempo/Grafana stack via setup local-observability up.

setup cursor is shorthand for setup guardrail --connector cursor: it adds or reconfigures Cursor, defaults the connector to observe mode, and can join an existing hook-connector roster when you choose Add. To tune Cursor after install, keep using defenseclaw setup guardrail --connector cursor — see the variations below.

Common variations — pick the recipe that fits your phase

defenseclaw setup cursor

Confirms once, wires the hooks against ~/.cursor/hooks.json, restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted, no requests are blocked. Pass --yes to skip the confirmation in CI.

defenseclaw setup cursor --yes --with-local-stack

Same as standard but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally for ad-hoc dashboards. See Local observability.

export DEFENSECLAW_LLM_KEY='replace-with-your-key'

defenseclaw setup cursor                                  # base alias first
defenseclaw setup guardrail \
  --connector cursor \
  --rule-pack strict \
  --scanner-mode both \
  --detection-strategy regex_judge \
  --judge-model anthropic/claude-sonnet-4-20250514 \
  --judge-api-key-env DEFENSECLAW_LLM_KEY \
  --restart

The alias selects Cursor; the follow-up setup guardrail --connector cursor swaps in the strict rule pack, runs both local + Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.

Cursor has no proxy enforcement, but its hooks themselves can block. After setup cursor, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:

connector_hooks:
  cursor:
    enabled: true
    mode: action          # observe (default) | action
    fail_mode: open       # open | closed

Then defenseclaw setup guardrail --restart to re-wire. With mode: action, beforeShellExecution and beforeMCPExecution surface a native ask in Cursor when the gateway returns a HITL verdict. The other block events (beforeReadFile, beforeTabFileRead, beforeSubmitPrompt, stop) use an alert/context fallback with raw_action preserved; the TUI can review but not resume them.

Decision aids — should I turn this on?

Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.

Files DefenseClaw will modify

hooks.json (DefenseClaw entries appended)

Cursor's MCP / skills / rules surfaces are discovered from user-global Cursor locations by default. Workspace-local overlays are included only when you explicitly pin a workspace.

Hook capabilities

Block events

  • preToolUse
  • beforeShellExecution
  • beforeMCPExecution
  • beforeReadFile
  • beforeTabFileRead
  • beforeSubmitPrompt
  • stop

Native ask events

  • beforeShellExecution
  • beforeMCPExecution

Cursor supports native ask only on documented ask-capable hook events: beforeShellExecution and beforeMCPExecution. The other block events (beforeReadFile, beforeTabFileRead, beforeSubmitPrompt, stop) return an alert/context fallback and retain the original confirm intent in audit.

Disable

defenseclaw setup guardrail --disable