Pushary for Cursor: a fail-closed gate, now on the marketplace
Pushary ships a Cursor plugin with a fail-closed shell permission gate, installable from the Cursor marketplace and registered in ~/.cursor/hooks.json.
Pushary now installs into Cursor as a marketplace plugin. It adds a beforeShellExecution hook that pauses the agent, sends the command to your phone, and waits for a yes before the shell runs. If anything in that path breaks, the command is blocked, not waved through.
What shipped
The plugin registers a hook in ~/.cursor/hooks.json against the beforeShellExecution event. When Cursor's agent is about to run a shell command, the hook reads the command, checks it against your permission policy, and decides whether to allow it, deny it, or ask you. An ask becomes a push notification you answer from the lock screen.
The gate is fail-closed. If the policy fetch errors, the network is down, or the hook can't reach a verdict, it denies the command rather than letting it run unsupervised. A gate that opens when it gets confused is not a gate. For shell execution on a machine you are not watching, denying on uncertainty is the only safe default.
Why it matters
Most agent notification tools tell you something happened after it happened. A beforeShellExecution hook runs before the command, which is the only place an approval is worth anything. You can hold rm -rf, a git push --force, a database migration, or a deploy until you have actually looked at it.
The policy is the part that makes this usable instead of annoying. A read-only safe floor auto-approves commands that cannot change anything, so ls, cat, git status, git log, and grep do not page you. That floor was decided from 1,721 real production questions, not a guess about what feels safe. Everything past that floor follows the rules you set: allow git status, gate git push, deny the rest. The full audit trail of what ran and how each decision was made lives in your control panel.
The Windows hook bugs we hardened against
Cursor's hooks have known problems on Windows. The CLI can double-fire a hook, and the JSON payload piped to stdin can arrive with its encoding corrupted before the hook script reads it. A naive hook either chokes on the mangled payload or processes the same command twice and asks you to approve it twice. The Pushary plugin parses defensively and dedupes the double invocation, so one command produces one prompt. It also ships a bundled-key fallback so the gate keeps working when the environment variable is not present.
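The fail-closed rule and the Windows hardening described above, combined in one sketch. This is an added example, not Pushary's code: the `command` payload field, the `permission` output key, the 5-second dedupe window, the in-memory `_seen` store and the `ask_user` callable (standing in for the phone round trip) are all assumptions.

```python
import hashlib, json, shlex

# Constructed policy: the read-only commands the post names as its safe floor.
SAFE_FLOOR = {("ls",), ("cat",), ("grep",), ("git", "status"), ("git", "log")}
DEDUPE_WINDOW_S = 5.0   # assumed window for treating a repeat as a double-fire
_seen = {}              # command digest -> (time, verdict); stand-in for a store shared across hook processes

def decode_payload(raw: bytes) -> str:
    """Return the command from stdin bytes that may carry a BOM or be UTF-16."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")      # also strips a UTF-8 BOM
    payload = json.loads(text)
    command = payload["command"]            # field name is an assumption
    if not isinstance(command, str) or not command.strip():
        raise ValueError("no usable command in payload")
    return command

def policy_verdict(command: str) -> str:
    # Chaining, redirection or substitution can turn a read-only command into a write.
    if any(ch in command for ch in ";|&<>`$\n"):
        return "ask"
    argv = shlex.split(command)
    if tuple(argv[:1]) in SAFE_FLOOR or tuple(argv[:2]) in SAFE_FLOOR:
        return "allow"
    return "ask"

def gate(raw: bytes, ask_user, now: float) -> dict:
    """Decide on one hook invocation; any failure on the way yields deny."""
    try:
        command = decode_payload(raw)
        key = hashlib.sha256(command.encode("utf-8")).hexdigest()
        hit = _seen.get(key)
        if hit and now - hit[0] < DEDUPE_WINDOW_S:
            return hit[1]                   # double-fire: reuse verdict, no second prompt
        verdict = policy_verdict(command)
        if verdict == "ask":                # ask_user stands in for the phone round trip
            verdict = "allow" if ask_user(command) is True else "deny"
        result = {"permission": verdict}    # output key is an assumption
        _seen[key] = (now, result)
        return result
    except Exception:
        return {"permission": "deny"}       # fail closed
```

Keying the dedupe on the command text alone means a deliberate repeat inside the window inherits the earlier verdict; a per-invocation identifier from the payload, if one is available, is a tighter key.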
Turn it on
Install the plugin from the Cursor marketplace, then pair your phone. The quickstart walks the full setup, and the policy guide covers writing argument-level rules. Cursor sits alongside Claude Code, Codex, and Gemini CLI in the same control panel, so one policy and one audit log cover every AI agent you run.
See Cursor notifications for the product page.