Problem
Windows HAPI Cursor sessions run ACP with yolo, which auto-approves shell at the CLI PermissionAdapter layer. Cursor beforeShellExecution hooks often do not fire in that path, so the 2026-06-20 incident command shape (ssh server "kill … && hapi-driver-db-prep … && nohup bun run …") can execute against Linux production.
Solution
- Shared
productionMutationGuard module (pattern match + remote SSH compound check)
- Wire into
PermissionAdapter before yolo auto-approve — deny even in yolo
- Tests for incident shape, read-only ssh OK, local manual-hub block
Deploy
Merge to fork main → driver soup layer → Teemo runner rebuild.
See docs/operator/windows-estate-agents.md.
Problem
Windows HAPI Cursor sessions run ACP with
yolo, which auto-approves shell at the CLIPermissionAdapterlayer. CursorbeforeShellExecutionhooks often do not fire in that path, so the 2026-06-20 incident command shape (ssh server "kill … && hapi-driver-db-prep … && nohup bun run …") can execute against Linux production.Solution
productionMutationGuardmodule (pattern match + remote SSH compound check)PermissionAdapterbefore yolo auto-approve — deny even in yoloDeploy
Merge to fork main → driver soup layer → Teemo runner rebuild.
See
docs/operator/windows-estate-agents.md.