fix(cursor): route hook script through hol-guard guard hook

[kantorcodes]

Summary

• Keep hook at the top level for hol-guard and plugin-guard hook scripts; only python -m codex_plugin_scanner.cli invocations use the guard hook prefix.
• Add regression coverage for both CLI entrypoint routing paths.

Testing

• PYTHONPATH=src python3 -m pytest tests/test_cursor_hooks.py::test_cursor_hook_script_source_routes_hook_argv_by_cli_entrypoint -q
• PYTHONPATH=src python3 -m pytest tests/test_guard_install_workspace.py::test_install_cursor_hook_script_allows_benign_shell_command -q
• PYTHONPATH=src python3 -m pytest "tests/test_cursor_headless_fixtures.py::TestCursorHeadlessHookExecution::test_cursor_hook_fixture_permission[benign-echo.json]" -q

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[gemini-code-assist]

Code Review

This pull request updates the _uses_top_level_hook_command function in cursor_hooks.py to always return False, reflecting that the installed hol-guard CLI exposes hooks at hol-guard guard hook rather than hol-guard hook. A corresponding unit test has been added to verify this behavior. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[greptile-apps]

Greptile Summary

This PR extends the _uses_top_level_hook_command helper to recognise plugin-guard (in addition to the existing hol-guard) as a CLI entrypoint that exposes hook at the top level, so the generated Cursor hook script omits the redundant guard prefix for that entrypoint.

• cursor_hooks.py: set-membership check now covers both \"hol-guard\" and \"plugin-guard\"; an explanatory comment is added.
• tests/test_cursor_hooks.py: adds a new test verifying hol-guard generates [\"hook\", ...] and a module invocation generates [\"guard\", \"hook\", ...]; sys is imported for the module-path fixture.

Confidence Score: 5/5

Safe to merge — the change is a one-line set expansion with a clear, narrow scope and no risk of breaking existing behaviour.

The production change touches a single predicate function, is backward-compatible (the hol-guard branch is unchanged), and the new test confirms the two paths that were already known. The only gap is that plugin-guard itself is not exercised in the new test, but that does not affect correctness of existing flows.

No files require special attention.

Important Files Changed

Filename	Overview
src/codex_plugin_scanner/guard/adapters/cursor_hooks.py	Extends _uses_top_level_hook_command to recognise plugin-guard alongside hol-guard as a top-level hook entrypoint, so its generated argv omits the guard prefix.
tests/test_cursor_hooks.py	Adds test_cursor_hook_script_source_routes_hook_argv_by_cli_entrypoint covering the hol-guard and module-invocation paths, but the new plugin-guard case added in production code has no corresponding assertion.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[cursor_hook_script_source] --> B[_resolve_guard_cli_command]
    B --> C{shutil.which hol-guard found?}
    C -- yes --> D["guard_cli = ['hol-guard']"]
    C -- no --> E["guard_cli = ['python', '-m', 'codex_plugin_scanner.cli']"]
    D --> F[_uses_top_level_hook_command]
    E --> F
    F --> G{"cli name in {'hol-guard','plugin-guard'}?"}
    G -- True --> H["argv = ['hook', ...]"]
    G -- False --> I["argv = ['guard', 'hook', ...]"]
    H --> J[Render HOOK_SCRIPT_TEMPLATE]
    I --> J

Loading

_{Reviews (3): Last reviewed commit: "fix(cursor): keep top-level hook argv fo..." | Re-trigger Greptile}