CiscoCiscoDefenseClaw
Connectors

Cursor

Cursor connector wires hooks.json with native ask on beforeShellExecution and beforeMCPExecution. Block on preToolUse, beforeReadFile, beforeTabFileRead, beforeSubmitPrompt, stop.

The Cursor connector wires DefenseClaw into Cursor's user-scoped hooks.json so every shell command and MCP tool call is inspected before it runs.

Setup

defenseclaw setup cursor

This runs the observability-only template. Cursor talks directly to its native upstream; DefenseClaw inspects via hooks. There is no proxy-enforcement path for Cursor — blocking happens hook-side via Cursor's documented beforeShellExecution, beforeMCPExecution, beforeReadFile, beforeTabFileRead, beforeSubmitPrompt, and stop events. Native ask is supported only on the two before*Execution events.

What setup cursor actually does

The wrapper accepts exactly three flags. The underlying guardrail config falls back to the values DefenseClaw ships with — schema-defined in internal/config/config.go and documented on the Defaults page.

FlagDefaultWhat it does
--yes / -yoffSkip the confirmation prompt (alias: --non-interactive, --accept-defaults).
--restart / --no-restart--restartBounce defenseclaw-gateway after applying changes so the new hooks wire in.
--with-local-stack / --no-local-stack--no-local-stackAlso bring up the bundled Prom/Loki/Tempo/Grafana stack via setup local-observability up.

Pinned by the alias regardless of flags: claw.mode=cursor, guardrail.connector=cursor, guardrail.mode=observe, guardrail.scanner_mode=local, guardrail.judge.enabled=false, guardrail.detection_strategy=regex_only. To tune any of those after install, use defenseclaw setup guardrail --connector cursor — see the variations below.

Common variations — pick the recipe that fits your phase

defenseclaw setup cursor

Confirms once, wires the hooks against ~/.cursor/hooks.json, restarts the gateway. Findings flow to ~/.defenseclaw/gateway.jsonl and the TUI; no traffic is intercepted, no requests are blocked. Pass --yes to skip the confirmation in CI.

defenseclaw setup cursor --yes --with-local-stack

Same as standard but also runs setup local-observability up so Prom/Loki/Tempo/Grafana come up locally for ad-hoc dashboards. See Local observability.

export DEFENSECLAW_LLM_KEY=<your-key>

defenseclaw setup cursor                                  # base alias first
defenseclaw setup guardrail \
  --connector cursor \
  --rule-pack strict \
  --scanner-mode both \
  --detection-strategy regex_judge \
  --judge-model anthropic/claude-sonnet-4-20250514 \
  --judge-api-key-env DEFENSECLAW_LLM_KEY \
  --restart

The alias keeps the connector pinned; the follow-up setup guardrail swaps in the strict rule pack, runs both local + Cisco AI Defense scanners, and turns the LLM judge on as a second-pass adjudicator on regex-flagged events.

Cursor has no proxy enforcement, but its hooks themselves can block. After setup cursor, edit ~/.defenseclaw/config.yaml and set the per-connector hook mode:

connector_hooks:
  cursor:
    enabled: true
    mode: action          # observe (default) | action
    fail_mode: open       # open | closed

Then defenseclaw setup guardrail --restart to re-wire. With mode: action, beforeShellExecution and beforeMCPExecution will surface a native ask in Cursor when the gateway returns a HITL verdict; the other block events (beforeReadFile, beforeTabFileRead, beforeSubmitPrompt, stop) downgrade to a confirm verdict in the DefenseClaw TUI.

Decision aids — should I turn this on?

Human-in-the-loop (HITL)

Per-connector ask matrix. Cursor supports native ask only on beforeShellExecution and beforeMCPExecution; other events downgrade to confirm.

Full setup guardrail flag reference

All ~20 flags you can pass via `setup guardrail --connector cursor` after the alias has pinned things.

Defaults & rule packs

What permissive / default / strict actually ship, and which one matches your risk tolerance.

Interactive wizard

Animated terminal demo of the prompt-by-prompt setup flow — the safest path the first time.

Not sure what to pick? Run defenseclaw setup guardrail (no flags) — the interactive wizard walks you through every choice with safe defaults pre-selected and inline help. The Prompt → flag mapping table gives you the CI-shaped command for the same configuration.

Files DefenseClaw will modify

hooks.json (DefenseClaw entries appended)

Cursor's MCP / skills / rules surfaces are workspace-scoped — DefenseClaw discovers them when you open a workspace but never auto-creates configuration there.

Hook capabilities

Block events

  • preToolUse
  • beforeShellExecution
  • beforeMCPExecution
  • beforeReadFile
  • beforeTabFileRead
  • beforeSubmitPrompt
  • stop

Native ask events

  • beforeShellExecution
  • beforeMCPExecution

Cursor supports native ask only on documented ask-capable hook events: beforeShellExecution and beforeMCPExecution. The other block events (beforeReadFile, beforeTabFileRead, beforeSubmitPrompt, stop) downgrade HITL to a confirm verdict.

Disable

defenseclaw setup guardrail --disable

OpenClaw

The reference proxy connector. DefenseClaw ships a TypeScript plugin that wires OpenClaw's fetch interceptor and before_tool_call hook directly into the gateway.

Hermes

Hermes connector wires config.yaml hooks for the Hermes agent runtime, with discovery for MCP, skills, and plugins.