Agent preemptively uses required_permissions: ["all"] instead of auto-running in sandbox (Allowlist with Sandbox)

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

With Auto-Run Mode: Allowlist (with Sandbox) and ~/.cursor/sandbox.json including ~/.m2 in additionalReadonlyPaths, read-only shell commands (e.g. strings, jar, javap, find on Maven JARs under ~/.m2) should auto-run inside the sandbox without asking me to approve.

Instead, the Agent attaches required_permissions: ["all"] on the first attempt (no prior sandboxed failure). That requests execution outside the sandbox and triggers an approval dialog (“Run” / unsandboxed), which contradicts the Auto-Run UI text: “Tools will auto-run in a sandbox if possible.”

Example command that prompted approval despite .m2 in additionalReadonlyPaths:

strings /Users/user/.m2/repository/com/mycompany/r/r-system-test-common/1.0.0-SNAPSHOT/r-system-test-common-1.0.0-SNAPSHOT.jar 2>/dev/null | rg "ALERTING|STANDARD" | head -15

Shell tool payload included "required_permissions": ["all"] immediately — not after a sandbox denial.

In the same long Agent session, earlier identical .m2 reads ran without required_permissions and worked sandboxed. Later (after mvn used full_network/all), the model started tagging all .m2 inspection commands with ["all"] preemptively.

Manually re-running the same command in the sandbox succeeds for filesystem read; exit code 1 is from no grep matches in the JAR (constants are in bytecode), not from sandbox blocking .m2.

Steps to Reproduce

  1. Settings → Cursor Settings → Agents → Auto-Run: set mode to Allowlist (with Sandbox).
  2. Create or edit ~/.cursor/sandbox.json:
{
  "additionalReadonlyPaths": ["/Users/user/.m2"]
}
  3. Open Agent chat (model: Auto).
  4. Ask Agent to inspect a dependency JAR under ~/.m2, e.g. list ASTimeouts constants from r-system-test-common-*.jar.
  5. Observe Shell tool calls in the transcript: many use required_permissions: ["all"] on the first try → approval UI appears.
  6. (Optional) In the same session, compare with earlier read-only .m2 commands that omitted required_permissions — those ran sandboxed without approval.

Expected Behavior

Per Allowlist (with Sandbox) UI and terminal sandbox docs:

  • Read-only commands not on the Command Allowlist should auto-run in the sandbox without user approval.
  • additionalReadonlyPaths should allow reading ~/.m2 inside the sandbox.
  • User should only be prompted if sandbox cannot run the command, or the command is on a path that requires allowlist / explicit approval — not because the model preemptively set required_permissions: ["all"].

Operating System

MacOS

Version Information

Version: 3.5.17 (Universal)
VSCode Version: 1.105.1
Commit: d5b2fc092e16007956c9e5047f76097b9e626ca0
Date: 2026-05-20T02:43:31.559Z
Layout: editor
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Darwin arm64 25.4.0

For AI issues: which model did you use?

Auto

Does this stop you from using Cursor

No - Cursor works, but with this issue

Good diagnosis. The cause seems to be that every command running inside the sandbox gets a result message suggesting the model use required_permissions: ["all"] if it thinks the command failed due to sandbox restrictions.

Your sandbox.json config is correct. The sandbox can run these commands fine — the model just stops trying.

Workarounds:

  1. Start a fresh chat session — resets the pattern.

  2. Add the commands to your Command Allowlist (Cursor Settings > Agents > Auto-Run) — they’ll auto-run regardless of what the model requests.

Could you share a request ID from one of the problematic tool calls? (Three dots menu in chat > Copy Request ID.) That’ll help us file a precise bug report.
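
One way to audit a session for the pattern discussed in this thread, added here as an example and not code from Cursor or from either poster: it flags shell tool calls that request ["all"] for a read-only command under an additionalReadonlyPaths root when no earlier sandboxed run of that command was denied. The record fields (command, required_permissions, sandbox_denied), the sample calls and the example JAR path are constructed assumptions, not Cursor's transcript schema.

```python
import json
import shlex
from pathlib import PurePosixPath

READ_ONLY_TOOLS = {"strings", "jar", "javap", "find"}  # tools named in the report

# Constructed data. Field names ("command", "required_permissions",
# "sandbox_denied") are assumptions, not Cursor's real transcript schema.
SANDBOX_JSON = '{"additionalReadonlyPaths": ["/Users/user/.m2"]}'
JAR = "/Users/user/.m2/repository/example/example-1.0.jar"
TOOL_CALLS = [
    {"command": "find /Users/user/.m2/repository -name 'example-*.jar'"},
    {"command": "mvn -q verify", "required_permissions": ["all"]},
    {"command": f"strings {JAR} 2>/dev/null | head -15",
     "required_permissions": ["all"]},
    {"command": f"javap -cp {JAR} ASTimeouts", "sandbox_denied": True},
    {"command": f"javap -cp {JAR} ASTimeouts", "required_permissions": ["all"]},
]

def under(path, roots):
    p = PurePosixPath(path)
    if ".." in p.parts:  # refuse traversal instead of trying to resolve it
        return False
    return any(p == r or r in p.parents for r in roots)

def reads_only_allowed_paths(command, roots):
    """Heuristic: first pipeline stage is a listed tool and every absolute
    path argument lies under a configured read-only root."""
    argv = shlex.split(command.split("|", 1)[0])
    if not argv or argv[0] not in READ_ONLY_TOOLS:
        return False
    paths = [a for a in argv[1:] if a.startswith("/")]
    return bool(paths) and all(under(a, roots) for a in paths)

def preemptive_escalations(calls, sandbox_json):
    """Indexes of calls that ask for ["all"] with no earlier sandbox denial."""
    cfg = json.loads(sandbox_json)
    roots = [PurePosixPath(p) for p in cfg.get("additionalReadonlyPaths", [])]
    denied, flagged = set(), []
    for i, call in enumerate(calls):
        if call.get("sandbox_denied"):
            denied.add(call["command"])
        elif ("all" in call.get("required_permissions", [])
              and call["command"] not in denied
              and reads_only_allowed_paths(call["command"], roots)):
            flagged.append(i)
    return flagged

if __name__ == "__main__":
    print(preemptive_escalations(TOOL_CALLS, SANDBOX_JSON))
```

The tool list only looks at the first pipeline stage and does not inspect flags, so treat a hit as a prompt to review the call rather than proof the command was safe to sandbox.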