Enforced approvals for Cursor with the Pushary plugin, or notifications only with plain MCP

Complete the Quickstart first to get your API key, then come back here.

There are two ways to use Pushary with Cursor. The plugin is recommended.

Plugin (recommended): enforced approvals

Run setup and choose Cursor:

npx @pushary/agent-hooks@latest setup

This installs a plugin to ~/.cursor/plugins/local/pushary that gives you everything MCP gives you, plus an enforced gate on risky shell commands.

The plugin registers a beforeShellExecution hook. Before Cursor runs a shell command that matches a risky pattern (such as rm, --force, reset --hard, drop, or deploy), it pauses and routes the command through your permission policy. You approve or deny from your phone, and the command runs only after you say yes. If the check cannot complete, the command is blocked, not allowed.

This is enforced, not cooperative. The agent does not get to choose whether to ask. Cursor makes the command go through approval.

Restart Cursor (or run Developer: Reload Window) after setup to load the plugin.

Plain MCP: cooperative tools only

If you cannot install the plugin, add Pushary as an MCP server. During onboarding, click the Add to Cursor button, or add this to your .cursor/mcp.json:

{
  "mcpServers": {
    "pushary": {
      "url": "https://pushary.com/api/mcp/mcp",
      "headers": {
        "Authorization": "Bearer pk_xxx.xxx"
      }
    }
  }
}

Replace pk_xxx.xxx with your actual API key. This gives your agent the notification and question tools, so it can ping your phone and wait for an answer. But nothing is intercepted: the agent must choose to call the tools. If it never asks, you are never asked, even right before a dangerous command.

Plugin vs MCP at a glance

	Plugin	Plain MCP
Send notifications	Yes	Yes
Ask questions, wait for answers	Yes	Yes
Enforced approval before risky shell commands	Yes	No
Works without installing anything locally	No	Yes

The plugin is a strict superset: it bundles the same MCP tools and adds the gate.

Honest limits

The gate is shell only. Cursor only exposes a hook for shell execution, so file reads and edits are not gated.
The gate only fires on commands that match its risky-pattern list.
On Windows, Cursor can fail to pass the command to the hook (a known Cursor bug). When that happens the gate cannot run the phone approval and falls back to Cursor's own prompt, so it never silently allows. On affected setups, the cooperative MCP tools still work because the agent can call them directly. Run npx @pushary/agent-hooks@latest doctor to check the plugin and key, and look at Cursor's hooks output channel to see what the hook received.

Install the skill

The plugin already includes the skill. If you connected via plain MCP only, install it so your agent knows when to notify you:

npx skills add Pushary/pushary-skill

Complete the Quickstart first to get your API key, then come back here.

There are two ways to use Pushary with Cursor. The plugin is recommended.

Plugin (recommended): enforced approvals

Run setup and choose Cursor:

npx @pushary/agent-hooks@latest setup

This installs a plugin to ~/.cursor/plugins/local/pushary that gives you everything MCP gives you, plus an enforced gate on risky shell commands.

This is enforced, not cooperative. The agent does not get to choose whether to ask. Cursor makes the command go through approval.

Restart Cursor (or run Developer: Reload Window) after setup to load the plugin.

Plain MCP: cooperative tools only

If you cannot install the plugin, add Pushary as an MCP server. During onboarding, click the Add to Cursor button, or add this to your .cursor/mcp.json:

{
  "mcpServers": {
    "pushary": {
      "url": "https://pushary.com/api/mcp/mcp",
      "headers": {
        "Authorization": "Bearer pk_xxx.xxx"
      }
    }
  }
}

Plugin vs MCP at a glance

	Plugin	Plain MCP
Send notifications	Yes	Yes
Ask questions, wait for answers	Yes	Yes
Enforced approval before risky shell commands	Yes	No
Works without installing anything locally	No	Yes

The plugin is a strict superset: it bundles the same MCP tools and adds the gate.

Honest limits

The gate is shell only. Cursor only exposes a hook for shell execution, so file reads and edits are not gated.
The gate only fires on commands that match its risky-pattern list.
On Windows, Cursor can fail to pass the command to the hook (a known Cursor bug). When that happens the gate cannot run the phone approval and falls back to Cursor's own prompt, so it never silently allows. On affected setups, the cooperative MCP tools still work because the agent can call them directly. Run npx @pushary/agent-hooks@latest doctor to check the plugin and key, and look at Cursor's hooks output channel to see what the hook received.

Install the skill

The plugin already includes the skill. If you connected via plain MCP only, install it so your agent knows when to notify you:

npx skills add Pushary/pushary-skill

Cursor

Plugin (recommended): enforced approvals

Plain MCP: cooperative tools only

Plugin vs MCP at a glance

Honest limits

Install the skill

On this page

Cursor

Plugin (recommended): enforced approvals

Plain MCP: cooperative tools only

Plugin vs MCP at a glance

Honest limits

Install the skill

On this page