#!/bin/bash
# Install ToolHive MCP governance hook for Cursor
# Strict mode: stop on unhandled errors, on unset variables, and on a failure
# in any stage of a pipeline.
set -o errexit -o nounset -o pipefail

# File name of the hook; the same name is used for the source and the target.
HOOK_NAME='stacklok-hook.sh'

# The hook is read from the "hooks" directory that sits next to this installer.
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
HOOK_SOURCE="${SCRIPT_DIR}/hooks/stacklok-hook.sh"

# Per-user Cursor configuration: the hook directory and the hooks.json file
# that the rest of the installer writes to.
CURSOR_DIR="${HOME}/.cursor"
HOOKS_DIR="${CURSOR_DIR}/hooks"
HOOKS_JSON="${CURSOR_DIR}/hooks.json"
HOOK_TARGET="${HOOKS_DIR}/${HOOK_NAME}"

# Colors for output. The values are stored as literal backslash sequences and
# only become terminal escapes where the script prints them with `echo -e`.
NC='\033[0m' # No Color
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
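# Parse command line arguments
REGISTRY_ONLY=false

# Print the option summary on stdout.
usage() {
  echo "Usage: $0 [OPTIONS]"
  echo
  echo "Options:"
  echo " --registry-only Only allow MCP servers from the configured ToolHive registry"
  echo " (blocks custom/local servers not in the registry)"
  echo " --help, -h Show this help message"
}

# Interpret the installer's arguments.
# Globals:   REGISTRY_ONLY (written)
# Arguments: the script's command line
# Returns:   0 when every argument was recognised; exits 0 after --help and
#            exits 2 on an unknown argument
parse_args() {
  local arg
  for arg in "$@"; do
    case "$arg" in
      --registry-only)
        REGISTRY_ONLY=true
        ;;
      --help | -h)
        usage
        exit 0
        ;;
      *)
        # A mistyped --registry-only must not be ignored: the installer would
        # otherwise complete in the less restrictive mode without any warning.
        echo "Error: unknown option '$arg'" >&2
        usage >&2
        exit 2
        ;;
    esac
  done
}

parse_args "$@"

echo "Installing Stacklok MCP governance hook for Cursor..."
if [ "$REGISTRY_ONLY" = true ]; then
  echo -e "${YELLOW}Registry-only mode enabled${NC}"
fi
echo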
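# Check dependencies
#
# Abort the installer when a required command is not available on PATH.
# Globals:   RED, NC (read)
# Arguments: $1 - command name to look up
#            $2 - installation hint shown to the user (optional)
# Outputs:   diagnostics on stderr
# Returns:   0 when the command is found; exits 1 otherwise
check_dependency() {
  local cmd=$1
  local hint=${2:-}

  if ! command -v "$cmd" > /dev/null 2>&1; then
    # Only the color variables go through %b; the command name is printed
    # with %s so backslashes in it are never interpreted as escapes.
    printf "%bError: '%s' is required but not installed.%b\n" \
      "${RED:-}" "$cmd" "${NC:-}" >&2
    if [[ -n "$hint" ]]; then
      printf '%s\n' "$hint" >&2
    fi
    exit 1
  fi
}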
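# The installer refuses to continue unless both jq and thv are on PATH.
# NOTE(review): the ToolHive URL below does not point at github.com; confirm
# that this host is the intended download location before following it.
check_dependency "jq" "Install with: brew install jq (macOS) or apt install jq (Linux)"
check_dependency "thv" "Install ToolHive from: https://github.com/stacklok/toolhive"
echo -e "${GREEN}Dependencies OK${NC}"

# Verify source hook exists
if [[ ! -f "$HOOK_SOURCE" ]]; then
  echo -e "${RED}Error: Hook script not found at $HOOK_SOURCE${NC}" >&2
  exit 1
fi

# Create hooks directory
mkdir -p -- "$HOOKS_DIR"

# Copy hook script
cp -- "$HOOK_SOURCE" "$HOOK_TARGET"
# cp onto an existing file keeps that file's mode, and +x alone only adds
# execute bits. Also drop group/other write so a previously loose target does
# not stay modifiable by other accounts once it is registered as a hook.
chmod +x,go-w -- "$HOOK_TARGET"
echo "Installed hook: $HOOK_TARGET"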
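# Create or merge hooks.json
#
# Every value that ends up in the JSON document or in a jq program is passed
# with --arg, so a path containing quotes or backslashes can neither corrupt
# hooks.json nor be interpreted as part of the jq filter.
# NOTE(review): the hook path is placed in the command string unquoted; if
# Cursor hands this string to a shell, a $HOME containing whitespace would
# split it. Confirm how Cursor executes hook commands.
if [ "$REGISTRY_ONLY" = true ]; then
  HOOK_COMMAND="THV_REGISTRY_ONLY=true $HOOK_TARGET"
else
  HOOK_COMMAND="$HOOK_TARGET"
fi

if [[ -f "$HOOKS_JSON" ]]; then
  # File exists - classify how our hook is registered in it:
  #   exact  - an entry with exactly the requested command line is present
  #   other  - our hook is present, but with a different command line
  #            (for example with or without the THV_REGISTRY_ONLY prefix)
  #   absent - our hook is not registered
  # Entries without a usable "command" are treated as an empty command so one
  # malformed entry cannot hide an existing registration.
  if ! HOOK_STATE=$(jq -r --arg target "$HOOK_TARGET" --arg cmd "$HOOK_COMMAND" '
      [.hooks.beforeMCPExecution[]? | (.command? // "") | tostring] as $cmds
      | if any($cmds[]; . == $cmd) then "exact"
        elif any($cmds[]; contains($target)) then "other"
        else "absent"
        end
    ' "$HOOKS_JSON" 2> /dev/null); then
    HOOK_STATE=invalid
  fi

  case "$HOOK_STATE" in
    exact)
      echo -e "${YELLOW}Hook already configured in $HOOKS_JSON; no changes needed.${NC}"
      ;;
    other)
      # Stop here instead of reporting success: hooks.json still holds the old
      # command line, so the mode requested on this run is not in effect.
      echo -e "${RED}Error: $HOOKS_JSON registers this hook with a different command line; the requested mode was not applied.${NC}" >&2
      echo -e "${YELLOW}Hook already configured in $HOOKS_JSON. Please remove the current hook and reinstall.${NC}" >&2
      exit 1
      ;;
    absent)
      # Add our hook to beforeMCPExecution array (create array if needed).
      # The new document is built completely before the file is overwritten.
      if ! UPDATED=$(jq --arg cmd "$HOOK_COMMAND" \
        '.hooks.beforeMCPExecution = (.hooks.beforeMCPExecution // []) + [{command: $cmd}]' \
        "$HOOKS_JSON"); then
        echo -e "${RED}Error: could not add the hook to $HOOKS_JSON; the file was left unchanged.${NC}" >&2
        exit 1
      fi
      printf '%s\n' "$UPDATED" > "$HOOKS_JSON"
      echo "Updated: $HOOKS_JSON"
      ;;
    *)
      # Unparsable, empty, or not shaped like a hooks document. Writing here
      # would replace the user's file with an empty or broken one.
      echo -e "${RED}Error: $HOOKS_JSON is not a valid hooks file; fix or remove it and re-run.${NC}" >&2
      exit 1
      ;;
  esac
else
  # Create new hooks.json. Generate the document first so a jq failure does
  # not leave an empty file behind.
  NEW_JSON=$(jq -n --arg cmd "$HOOK_COMMAND" \
    '{version: 1, hooks: {beforeMCPExecution: [{command: $cmd}]}}')
  printf '%s\n' "$NEW_JSON" > "$HOOKS_JSON"
  echo "Created: $HOOKS_JSON"
fi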
# Closing summary: success banner followed by the manual follow-up steps.
printf '\n'
printf '%b\n' "${GREEN}Installation complete!${NC}"
printf '\n'
printf '%s\n' \
  "Next steps:" \
  " 1. Restart Cursor" \
  " 2. Open Settings > Hooks to verify the hook is registered" \
  " 3. MCP calls will now be validated against ToolHive"

# Extra reminder of what the stricter mode means for the user.
if [[ "$REGISTRY_ONLY" == true ]]; then
  printf '\n'
  printf '%b\n' "${YELLOW}Registry-only mode:${NC}"
  printf '%s\n' \
    " - Only MCP servers from the configured ToolHive registry are allowed" \
    " - Custom/local servers will be blocked" \
    " - To allow a blocked server, contact your administrator"
fi