beforeShellExecution returns permission: "ask" but sandboxed Agent shell still runs the command (sandbox: true)

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

When the Agent runs a shell command via the Shell tool, beforeShellExecution fires and returns {"permission":"ask"}, but the command still executes in the same turn. The hook payload includes "sandbox": true, which suggests the sandboxed Agent shell path may not be gating on hook permission the same way as non-sandbox / interactive shell.

Steps to Reproduce

Configure beforeShellExecution to return {"permission":"ask"} for a given command (e.g. substring match on git + push).
In Agent chat, ask the assistant to run git push (or any command that triggers the hook).
Observe: hook log shows beforeShellExecution + permission: ask, but the terminal still runs.

Evidence (hook audit log)
Redact as needed (conversation IDs, email). Example line:

{
  "ts": "2026-03-20T16:01:50.086024",
  "event": "beforeShellExecution",
  "payload": {
    "command": "git push",
    "cwd": "",
    "sandbox": true,
    "hook_event_name": "beforeShellExecution",
    "cursor_version": "2.6.19",
    "workspace_roots": ["/path/to/workspace"]
  },
  "response": { "permission": "ask" }
}

Despite response.permission === "ask", the command still ran in the sandbox.

Hypothesis

sandbox: true Agent shell execution may ignore ask (and possibly treat hooks as advisory only on that path), similar to known limitations where preToolUse accepts "ask" in the schema but does not enforce it (docs).
Alternatively, hook merge / precedence could be wrong, but in this case the single user hook clearly returns ask.

Request

Please confirm whether ask is intended to block sandboxed Agent shell until approval. If yes, this is a bug. If no, the docs should explicitly state that ask for beforeShellExecution does not apply when sandbox: true (or equivalent).

Expected Behavior

Per Hooks docs, beforeShellExecution output should support allow / deny / ask. If the hook returns ask, the shell command should not run until the user approves (or the run should block until resolved).

Actual behavior
The hook runs and returns ask, but the command still executes (e.g. git push runs and exits with an error, but the process was still executed).

Operating System

MacOS

Version Information

Version: 2.6.19 (Universal)
VSCode Version: 1.105.1
Commit: 224838f96445be37e3db643a163a817c15b36060
Date: 2026-03-12T04:07:27.435Z (1 wk ago)
Build Type: Stable
Release Track: Default
Electron: 39.4.0
Chromium: 142.0.7444.265
Node.js: 22.22.0
V8: 14.2.231.22-electron.0
OS: Darwin arm64 24.6.0

Does this stop you from using Cursor

Sometimes - I can sometimes use Cursor

Hey, thanks for the detailed report. This is a known bug. The ask permission in hooks isn’t enforced right now, not just in the sandbox path, but in all shell execution paths. Only deny works. ask and allow are ignored.

The same issue is described here:

The team is aware, but there’s no ETA yet.

Workaround: if you need to reliably block certain commands, use deny instead of ask. It’s the only permission level that works consistently right now.

Let me know if you’ve got any questions.
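
The workaround from the reply above, as an added example that is not part of the original thread and not Cursor's own code: a beforeShellExecution hook that answers deny wherever the policy would have answered ask. It assumes the payload shown in the audit log arrives as JSON on stdin and the response is written as JSON to stdout; the git + push policy and the function names are illustrative.

```python
# Added example (not Cursor's code): hook answers "deny" where policy says "ask".
# Assumption: the payload arrives as JSON on stdin, the reply goes to stdout.
import json
import shlex
import sys

OPERATORS = set("();<>|&")  # characters shlex reports as shell punctuation


def needs_review(command):
    """True if any chained command runs git with a `push` word after it."""
    lex = shlex.shlex(command.replace("\n", " ; "), posix=True,
                      punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # do not let a mid-word '#' hide the rest of the line
    try:
        tokens = list(lex)
    except ValueError:  # unbalanced quotes: cannot parse, so fail closed
        return True
    seen_git = False
    for tok in tokens:
        word = tok.strip("`")
        if tok and set(tok) <= OPERATORS:
            seen_git = False  # operator such as && or ; starts a new command
        elif word.rsplit("/", 1)[-1] == "git":
            seen_git = True
        elif seen_git and word == "push":
            return True
    return False


def decide(payload):
    """Map a hook payload to a response; deny is the only enforced value."""
    command = payload.get("command") if isinstance(payload, dict) else None
    if not isinstance(command, str) or needs_review(command):
        return {"permission": "deny"}
    return {"permission": "allow"}


def main():
    try:
        payload = json.load(sys.stdin)
    except ValueError:
        payload = None  # malformed input is denied by decide()
    json.dump(decide(payload), sys.stdout)


if __name__ == "__main__":
    main()
```

The matcher errs toward blocking: a line such as `echo git push` is also denied.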

thanks. it would be helpful to explicitly say in the hooks documentation what the known bugs are so people don’t spend too much time on this. fwiw, the few searches i did in the forum didn’t reveal this particular issue.