docs/context/cursor-hooks-reference.md
Hooks let you observe, control, and extend the agent loop using custom scripts. Hooks are spawned processes that communicate over stdio using JSON in both directions. They run before or after defined stages of the agent loop and can observe, block, or modify behavior.
With hooks, you can:
Hooks work with both Cursor Agent (Cmd+K/Agent Chat) and Cursor Tab (inline completions), but they use different hook events:
Agent (Cmd+K/Agent Chat) uses the standard hooks:
beforeShellExecution / afterShellExecution - Control shell commandsbeforeMCPExecution / afterMCPExecution - Control MCP tool usagebeforeReadFile / afterFileEdit - Control file access and editsbeforeSubmitPrompt - Validate prompts before submissionstop - Handle agent completionafterAgentResponse / afterAgentThought - Track agent responsesTab (inline completions) uses specialized hooks:
beforeTabFileRead - Control file access for Tab completionsafterTabFileEdit - Post-process Tab editsThese separate hooks allow different policies for autonomous Tab operations versus user-directed Agent operations.
Create a hooks.json file. You can create it at the project level (<project>/.cursor/hooks.json) or in your home directory (~/.cursor/hooks.json). Project-level hooks apply only to that specific project, while home directory hooks apply globally.
{
"version": 1,
"hooks": {
"afterFileEdit": [{ "command": "./hooks/format.sh" }]
}
}
Create your hook script at ~/.cursor/hooks/format.sh:
#!/bin/bash
# Read input, do something, exit 0
cat > /dev/null
exit 0
Make it executable:
chmod +x ~/.cursor/hooks/format.sh
Restart Cursor. Your hook now runs after every file edit.
{
"version": 1,
"hooks": {
"beforeShellExecution": [
{
"command": "./hooks/audit.sh"
},
{
"command": "./hooks/block-git.sh"
}
],
"beforeMCPExecution": [
{
"command": "./hooks/audit.sh"
}
],
"afterShellExecution": [
{
"command": "./hooks/audit.sh"
}
],
"afterMCPExecution": [
{
"command": "./hooks/audit.sh"
}
],
"afterFileEdit": [
{
"command": "./hooks/audit.sh"
}
],
"beforeSubmitPrompt": [
{
"command": "./hooks/audit.sh"
}
],
"stop": [
{
"command": "./hooks/audit.sh"
}
],
"beforeTabFileRead": [
{
"command": "./hooks/redact-secrets-tab.sh"
}
],
"afterTabFileEdit": [
{
"command": "./hooks/format-tab.sh"
}
]
}
}
#!/bin/bash
# audit.sh - Hook script that writes all JSON input to /tmp/agent-audit.log
# This script is designed to be called by Cursor's hooks system for auditing purposes
# Read JSON input from stdin
json_input=$(cat)
# Create timestamp for the log entry
timestamp=$(date '+%Y-%m-%d %H:%M:%S')
# Create the log directory if it doesn't exist
mkdir -p "$(dirname /tmp/agent-audit.log)"
# Write the timestamped JSON entry to the audit log
echo "[$timestamp] $json_input" >> /tmp/agent-audit.log
# Exit successfully
exit 0
#!/bin/bash
# Hook to block git commands and redirect to gh tool usage
# This hook implements the beforeShellExecution hook from the Cursor Hooks Spec
# Initialize debug logging
echo "Hook execution started" >> /tmp/hooks.log
# Read JSON input from stdin
input=$(cat)
echo "Received input: $input" >> /tmp/hooks.log
# Parse the command from the JSON input
command=$(echo "$input" | jq -r '.command // empty')
echo "Parsed command: '$command'" >> /tmp/hooks.log
# Check if the command contains 'git' or 'gh'
if [[ "$command" =~ git[[:space:]] ]] || [[ "$command" == "git" ]]; then
echo "Git command detected - blocking: '$command'" >> /tmp/hooks.log
# Block the git command and provide guidance to use gh tool instead
cat << EOF
{
"continue": true,
"permission": "deny",
"user_message": "Git command blocked. Please use the GitHub CLI (gh) tool instead.",
"agent_message": "The git command '$command' has been blocked by a hook. Instead of using raw git commands, please use the 'gh' tool which provides better integration with GitHub and follows best practices. For example:\n- Instead of 'git clone', use 'gh repo clone'\n- Instead of 'git push', use 'gh repo sync' or the appropriate gh command\n- For other git operations, check if there's an equivalent gh command or use the GitHub web interface\n\nThis helps maintain consistency and leverages GitHub's enhanced tooling."
}
EOF
elif [[ "$command" =~ gh[[:space:]] ]] || [[ "$command" == "gh" ]]; then
echo "GitHub CLI command detected - asking for permission: '$command'" >> /tmp/hooks.log
# Ask for permission for gh commands
cat << EOF
{
"continue": true,
"permission": "ask",
"user_message": "GitHub CLI command requires permission: $command",
"agent_message": "The command '$command' uses the GitHub CLI (gh) which can interact with your GitHub repositories and account. Please review and approve this command if you want to proceed."
}
EOF
else
echo "Non-git/non-gh command detected - allowing: '$command'" >> /tmp/hooks.log
# Allow non-git/non-gh commands
cat << EOF
{
"continue": true,
"permission": "allow"
}
EOF
fi
We partner with ecosystem vendors who have built hooks support with Cursor. These integrations cover security scanning, governance, secrets management, and more.
| Partner | Description |
|---|---|
| MintMCP | Build a complete inventory of MCP servers, monitor tool usage patterns, and scan responses for sensitive data before it reaches the AI model. |
| Oasis Security | Enforce least-privilege policies on AI agent actions and maintain full audit trails across enterprise systems. |
| Runlayer | Wrap MCP tools and integrate with their MCP broker for centralized control and visibility over agent-to-tool interactions. |
| Partner | Description |
|---|---|
| Corridor | Get real-time feedback on code implementation and security design decisions as code is being written. |
| Semgrep | Automatically scan AI-generated code for vulnerabilities with real-time feedback to regenerate code until security issues are resolved. |
| Partner | Description |
|---|---|
| Endor Labs | Intercept package installations and scan for malicious dependencies, preventing supply chain attacks before they enter your codebase. |
| Partner | Description |
|---|---|
| Snyk | Review agent actions in real-time with Evo Agent Guard, detecting and preventing issues like prompt injection and dangerous tool calls. |
| Partner | Description |
|---|---|
| 1Password | Validate that environment files from 1Password Environments are properly mounted before shell commands execute, enabling just-in-time secrets access without writing credentials to disk. |
For more details about our hooks partners, see the Hooks for security and platform teams blog post.
Define hooks in a hooks.json file. Configuration can exist at multiple levels; higher-priority sources override lower ones:
~/.cursor/
├── hooks.json
└── hooks/
├── audit.sh
└── block-git.sh
/Library/Application Support/Cursor/hooks.json/etc/cursor/hooks.jsonC:\\ProgramData\\Cursor\\hooks.json<project-root>/.cursor/hooks.json~/.cursor/hooks.jsonPriority order (highest to lowest): Enterprise → Project → User
The hooks object maps hook names to arrays of hook definitions. Each definition currently supports a command property that can be a shell string, an absolute path, or a path relative to the hooks.json file.
{
"version": 1,
"hooks": {
"beforeShellExecution": [{ "command": "./script.sh" }],
"afterShellExecution": [{ "command": "./script.sh" }],
"afterMCPExecution": [{ "command": "./script.sh" }],
"afterFileEdit": [{ "command": "./format.sh" }],
"beforeTabFileRead": [{ "command": "./redact-secrets-tab.sh" }],
"afterTabFileEdit": [{ "command": "./format-tab.sh" }]
}
}
The Agent hooks (beforeShellExecution, afterShellExecution, beforeMCPExecution, afterMCPExecution, beforeReadFile, afterFileEdit, beforeSubmitPrompt, stop, afterAgentResponse, afterAgentThought) apply to Cmd+K and Agent Chat operations. The Tab hooks (beforeTabFileRead, afterTabFileEdit) apply specifically to inline Tab completions.
Hooks can be distributed to team members using project hooks (via version control), MDM tools, or Cursor's cloud distribution system.
Project hooks are the simplest way to share hooks with your team. Place a hooks.json file at <project-root>/.cursor/hooks.json and commit it to your repository. When team members open the project in a trusted workspace, Cursor automatically loads and runs the project hooks.
Project hooks:
Distribute hooks across your organization using Mobile Device Management (MDM) tools. Place the hooks.json file and hook scripts in the target directories on each machine.
User home directory (per-user distribution):
~/.cursor/hooks.json~/.cursor/hooks/ (for hook scripts)Global directories (system-wide distribution):
/Library/Application Support/Cursor/hooks.json/etc/cursor/hooks.jsonC:\\ProgramData\\Cursor\\hooks.jsonNote: MDM-based distribution is fully managed by your organization. Cursor does not deploy or manage files through your MDM solution. Ensure your internal IT or security team handles configuration, deployment, and updates in accordance with your organization's policies.
Enterprise teams can use Cursor's native cloud distribution to automatically sync hooks to all team members. Configure hooks in the web dashboard. Cursor automatically delivers configured hooks to all client machines when team members log in.
Cloud distribution provides:
Enterprise administrators can create, edit, and manage team hooks from the dashboard without requiring access to individual machines.
All hooks receive a base set of fields in addition to their hook-specific fields:
{
"conversation_id": "string",
"generation_id": "string",
"model": "string",
"hook_event_name": "string",
"cursor_version": "string",
"workspace_roots": ["<path>"],
"user_email": "string | null"
}
| Field | Type | Description |
|---|---|---|
conversation_id | string | Stable ID of the conversation across many turns |
generation_id | string | The current generation that changes with every user message |
model | string | The model configured for the composer that triggered the hook |
hook_event_name | string | Which hook is being run |
cursor_version | string | Cursor application version (e.g. "1.7.2") |
workspace_roots | string[] | The list of root folders in the workspace (normally just one, but multiroot workspaces can have multiple) |
user_email | string | null | Email address of the authenticated user, if available |
Called before any shell command or MCP tool is executed. Return a permission decision.
// beforeShellExecution input
{
"command": "<full terminal command>",
"cwd": "<current working directory>"
}
// beforeMCPExecution input
{
"tool_name": "<tool name>",
"tool_input": "<json params>"
}
// Plus either:
{ "url": "<server url>" }
// Or:
{ "command": "<command string>" }
// Output
{
"permission": "allow" | "deny" | "ask",
"user_message": "<message shown in client>",
"agent_message": "<message sent to agent>"
}
Fires after a shell command executes; useful for auditing or collecting metrics from command output.
// Input
{
"command": "<full terminal command>",
"output": "<full terminal output>",
"duration": 1234
}
| Field | Type | Description |
|---|---|---|
command | string | The full terminal command that was executed |
output | string | Full output captured from the terminal |
duration | number | Duration in milliseconds spent executing the shell command (excludes approval wait time) |
Fires after an MCP tool executes; includes the tool's input parameters and full JSON result.
// Input
{
"tool_name": "<tool name>",
"tool_input": "<json params>",
"result_json": "<tool result json>",
"duration": 1234
}
| Field | Type | Description |
|---|---|---|
tool_name | string | Name of the MCP tool that was executed |
tool_input | string | JSON params string passed to the tool |
result_json | string | JSON string of the tool response |
duration | number | Duration in milliseconds spent executing the MCP tool (excludes approval wait time) |
Fires after the Agent edits a file; useful for formatters or accounting of agent-written code.
// Input
{
"file_path": "<absolute path>",
"edits": [{ "old_string": "<search>", "new_string": "<replace>" }]
}
Called before Tab (inline completions) reads a file. Enable redaction or access control before Tab accesses file contents.
Key differences from beforeReadFile:
attachments field (Tab doesn't use prompt attachments)// Input
{
"file_path": "<absolute path>",
"content": "<file contents>"
}
// Output
{
"permission": "allow" | "deny"
}
Called after Tab (inline completions) edits a file. Useful for formatters or auditing of Tab-written code.
Key differences from afterFileEdit:
range, old_line, and new_line for precise edit tracking// Input
{
"file_path": "<absolute path>",
"edits": [
{
"old_string": "<search>",
"new_string": "<replace>",
"range": {
"start_line_number": 10,
"start_column": 5,
"end_line_number": 10,
"end_column": 20
},
"old_line": "<line before edit>",
"new_line": "<line after edit>"
}
]
}
// Output
{
// No output fields currently supported
}
Called right after user hits send but before backend request. Can prevent submission.
// Input
{
"prompt": "<user prompt text>",
"attachments": [
{
"type": "file" | "rule",
"filePath": "<absolute path>"
}
]
}
// Output
{
"continue": true | false,
"user_message": "<message shown to user when blocked>"
}
| Output Field | Type | Description |
|---|---|---|
continue | boolean | Whether to allow the prompt submission to proceed |
user_message | string (optional) | Message shown to the user when the prompt is blocked |
Called after the agent has completed an assistant message.
// Input
{
"text": "<assistant final text>"
}
Called after the agent completes a thinking block. Useful for observing the agent's reasoning process.
// Input
{
"text": "<fully aggregated thinking text>",
"duration_ms": 5000
}
// Output
{
// No output fields currently supported
}
| Field | Type | Description |
|---|---|---|
text | string | Fully aggregated thinking text for the completed block |
duration_ms | number (optional) | Duration in milliseconds for the thinking block |
Called when the agent loop ends. Can optionally auto-submit a follow-up user message to keep iterating.
// Input
{
"status": "completed" | "aborted" | "error",
"loop_count": 0
}
// Output
{
"followup_message": "<message text>"
}
followup_message is a string. When provided and non-empty, Cursor will automatically submit it as the next user message. This enables loop-style flows (e.g., iterate until a goal is met).loop_count field indicates how many times the stop hook has already triggered an automatic follow-up for this conversation (starts at 0). To prevent infinite loops, a maximum of 5 auto follow-ups is enforced.How to confirm hooks are active
There is a Hooks tab in Cursor Settings to debug configured and executed hooks, as well as a Hooks output channel to see errors.
If hooks are not working
hooks.json when using relative paths.