beforeShellExecution hook permissions (allow/ask) ignored - allow-list takes precedence

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

The beforeShellExecution hook’s permission response (allow/ask/deny) is not respected by Cursor. The allow-list takes full precedence:

  1. Hook allow ignored: If command is NOT in allow-list, hook’s “allow” doesn’t auto-run - Cursor still prompts
  2. Hook ask ignored: If command IS in allow-list, hook’s “ask” doesn’t prompt - Cursor auto-runs

Only “deny” works correctly in all cases.

Steps to Reproduce

  1. Create a beforeShellExecution hook that returns “allow” for read commands (e.g., gh pr list) and “ask” for write commands (e.g., gh issue create)

  2. Test WITHOUT gh in Cursor’s allow-list:

    • Run gh pr list (hook returns “allow”)
    • Expected: auto-runs
    • Actual: prompts user

  3. Test WITH gh in Cursor’s allow-list:

    • Run gh issue create (hook returns “ask”)
    • Expected: prompts user
    • Actual: auto-runs without prompting

  4. Test “deny” (works correctly in both cases):

    • Hook returns “deny” → command is blocked ✓

Expected Behavior

Hook permissions should be respected regardless of the allow-list:

  • “deny” → always block (works ✓)
  • “ask” → always prompt (broken when command in allow-list)
  • “allow” → always auto-run (broken when command not in allow-list)

The allow-list should only be a fallback when hook returns “allow” or no hook is configured.

Operating System

Linux

Current Cursor Version (Menu → About Cursor → Copy)

Version: 2.1.36
VSCode Version: 1.105.1
Commit: 9cd7c8b6cebcbccc1242df211dee45a4b6fe15e0
Date: 2025-11-26T03:43:48.079Z
Electron: 37.5.1
Chromium: 138.0.7204.251
Node.js: 22.19.0
V8: 13.8.258.32-electron.0
OS: Linux x64 6.12.59-1-lts

Does this stop you from using Cursor

No - Cursor works, but with this issue

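A hook of the kind step 1 of the reproduction describes, as an added example that is not part of the original post or Cursor's own code. It assumes the hook receives a JSON object on stdin with the command line in a `command` field and answers on stdout in the `{"permission": ..., "continue": true}` shape quoted further down the thread; the read-only subcommand set is constructed for illustration.

```python
"""Example beforeShellExecution hook: allow read-only gh commands, ask otherwise."""
import json
import shlex
import sys

# Constructed policy for illustration: gh subcommands treated as read-only.
READ_ONLY = {("pr", "list"), ("pr", "view"), ("issue", "list"), ("issue", "view")}
# Shell syntax that can chain or embed a second command behind an allowed prefix.
SHELL_META = set(";&|<>`$(){}\n\\")


def decide(command: str) -> str:
    """Return "allow" or "ask" for one command line; anything unclear is "ask"."""
    if any(ch in SHELL_META for ch in command):
        return "ask"  # "gh pr list && gh issue create" must not auto-run
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return "ask"
    # Exact match on the binary name, so "/tmp/gh pr list" is not treated as gh.
    if len(argv) >= 3 and argv[0] == "gh" and (argv[1], argv[2]) in READ_ONLY:
        return "allow"
    return "ask"


def respond(raw: str) -> dict:
    """Build the hook response for the raw stdin payload."""
    try:
        command = json.loads(raw)["command"]  # assumed input field name
    except (ValueError, KeyError, TypeError):
        command = None  # malformed or unexpected payload
    permission = decide(command) if isinstance(command, str) else "ask"
    return {"permission": permission, "continue": True}


if __name__ == "__main__":
    json.dump(respond(sys.stdin.read()), sys.stdout)
```

On the version reported in this thread, the "allow" and "ask" answers of such a hook can be overridden by the allow-list, and only "deny" was observed to hold in all cases.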

It looks like the behavior is more consistent with what I want after a full restart of the IDE.


Glad it works for you now!

I wouldn’t say so. The behavior is really flaky. Sometimes my “ask” hooks are being run automatically. I haven’t nailed down the root cause yet but it looks like opening a second window can lead to Cursor having a faulty state.

I’m also experiencing this issue.

I’ve got an approval system that handles approval requests via a beforeShellExecution hook. The hook correctly returns {"permission": "allow", "continue": true} after it’s approved. The Cursor hooks log shows “Hook 1 executed successfully and returned valid response” but the Cursor UI still shows “Waiting for approval” with the options to skip, allowlist or run. If I hit “Run” it finally executes.

If I add the command to Cursor’s allowlist, then my hook’s “allow” response is respected. Only “deny” hook responses work regardless of allowlist status.

Ideally the hook allow/deny decisions take precedence, assuming it’s implementing some corporate policy. Or you allow a “hook allow” to always grant execution unless the user has it on their deny list. This allows a user to be more restrictive than the hooks, but not more permissive.
