Hey, thanks for the report. This confirms the bug - sandbox mode is bypassing your command allowlist and running git checkout even though you explicitly excluded it.
This is a known issue: the new sandbox in Cursor 2.0 bypasses the allowlist for git commands: Agents git committing when they shouldn't
Fix:
- Open Settings → Agents → Auto Run
- Enable “Legacy Terminal Tool”
- This restores proper allowlist enforcement and stops the agent from running git checkout without approval
Your allowlist looks carefully configured (I can see you excluded destructive commands like git checkout), so the Legacy Terminal Tool should fit your setup well.
Let me know if this resolves it.