In Cursor 2.0 on macOS, the agent allowlist has been improved: when the ‘Run in Sandbox’ setting is active, commands run automatically in a secure sandbox.
This update is only for Pro, Pro Plus, and Ultra users. Team and Enterprise users have not been updated yet.
Improving allowlisting
We are aiming to improve the current allowlist functionality with sandboxing.
We’ve observed that overly broad allowlisting (like zsh or npx run or even seemingly benign commands like find) gives the agent more permissions than desired.
Rather than build extremely granular allowlist functionality, we have decided to build secure sandboxing that allows the agent to run commands automatically without network access. This maintains the existing level of security by relying on strong, OS-level sandboxing, while improving user experience by decreasing the number of interactions required for the agent to complete its task.
If you do not want this behavior, you can still require manual approval for every agent action with the ‘Ask Every Time’ option under Cursor Agent settings.
How does sandboxing work?
We use strong kernel-based sandboxing primitives, specifically macOS Seatbelt, which also underlies the sandboxing used by Chrome and Apple’s system applications. Our implementation restricts sandboxed commands to only be able to:
- Read/write to your open workspace and /tmp
- Read your filesystem
They are not able to:
- Write files or directories anywhere else
- Access the network
- Access cursorignore’d files
Models can request to operate outside of the sandbox, but it requires your approval. Not all models support sandboxing yet – if not supported, Cursor falls back on the previous allowlist functionality.
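As an added illustration (not Cursor's actual profile, which this post does not show), the shell functions below build a Seatbelt profile with the restrictions listed above and run a command under it with macOS's sandbox-exec. The function names, the WORKSPACE and IGNORED parameter names, and the single ignored directory standing in for cursorignore’d files are assumptions.

```shell
# Added example, not Cursor's own profile. WORKSPACE and IGNORED are
# assumed parameter names; IGNORED stands in for one cursorignore'd directory.

# Print the Seatbelt (SBPL) profile. Later rules override earlier ones,
# so the broad denies come first and the narrow allowances follow.
seatbelt_profile() {
cat <<'EOF'
(version 1)
(allow default)
; no network access
(deny network*)
; reads stay allowed everywhere; writes only where re-allowed below
(deny file-write*)
(allow file-write*
  (subpath (param "WORKSPACE"))
  (subpath "/private/tmp")   ; /tmp is a symlink to /private/tmp on macOS
  (literal "/dev/null"))
; ignored directory: neither readable nor writable
(deny file-read* file-write* (subpath (param "IGNORED")))
EOF
}

# Seatbelt matches fully resolved paths, so strip symlinks first.
resolve_dir() {
  (cd "$1" 2>/dev/null && pwd -P)
}

# Usage: run_sandboxed WORKSPACE_DIR IGNORED_DIR command [args...]
run_sandboxed() {
  ws=$(resolve_dir "$1") || { echo "bad workspace: $1" >&2; return 1; }
  ig=$(resolve_dir "$2") || { echo "bad ignored dir: $2" >&2; return 1; }
  shift 2
  sandbox-exec -p "$(seatbelt_profile)" \
    -D "WORKSPACE=$ws" -D "IGNORED=$ig" "$@"
}
```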
We’ve also added two options to customize the sandbox:
- Allow git writes without approval
- Auto-run network access
You can mix and match these as you see fit. Auto-run options can be found in Cursor Settings > Agent. Full documentation is at https://cursor.com/docs/agent/terminal.