Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

[BUG] AI Agent Write/StrReplace Tools Blocked on .cursor/rules/private/*.mdc Files

Summary

The AI agent’s Write and StrReplace tools fail with “Write permission denied” when writing to .mdc files in .cursor/rules/private/, despite full filesystem permissions. This is a regression - it worked in previous Cursor versions.

Environment

• Cursor Version: 2.1.50
• OS: macOS 14.6.0
• Impact: High - breaks programmatic rule management workflow

Reproduction Steps

1. Create .cursor/rules/private/ directory in workspace
2. Set full permissions: chmod -R 777 .cursor/rules/private/
3. Ask AI agent to write a .mdc file using Write tool
4. Result: “Write permission denied”

Evidence of Inconsistency

Write Tool (Blocked):

Write tool result: "Write permission denied: "

Shell Command (Works):

$ echo "Test" > .cursor/rules/private/test.mdc  # ✅ Success!

Python Script (Works):

with open('.cursor/rules/private/test.mdc', 'w') as f:
    f.write("Test")  # ✅ Success!

Permissions (Full Access):

$ ls -la .cursor/rules/private/
drwxrwxrwx@ 15 user  staff  480 Dec  8 15:30 .
-rwxrwxrwx@  1 user  staff 8118 Nov 27 10:00 example.mdc

Analysis

• Filesystem allows writes (777 permissions)
• Shell tool with required_permissions: ['all'] works
• Python scripts work
• Write tool blocked
• StrReplace tool blocked

Conclusion: Internal Cursor restriction on Write/StrReplace tools, not a filesystem issue.

Current Workaround

Using Python scripts via Shell tool (cumbersome):

python3 << 'EOF'
with open('.cursor/rules/private/my-rule.mdc', 'w') as f:
    f.write(content)
EOF

Request

Please restore direct Write/StrReplace access to .cursor/rules/private/*.mdc files as in previous versions. This is essential for AI agents to manage their own rules programmatically.

Additional Info

• Files are NOT tracked in git
• Directory is within workspace
• Same workflow worked in previous Cursor versions
• Issue appeared after recent Cursor update

Full detailed report: See attached cursor-bug-report.md for complete evidence and reproduction steps.

Steps to Reproduce

1. Create a .cursor/rules/private/ directory in your workspace
2. Set full permissions: chmod -R 777 .cursor/rules/private/
3. Ask the AI agent to create or update a .mdc file in that directory using the Write tool
4. Observe the error: “Write permission denied”

Expected Behavior

The Write and StrReplace tools should successfully write to files in .cursor/rules/private/ directory, just like they work on other files in the workspace.

Operating System

MacOS

Current Cursor Version (Menu → About Cursor → Copy)

Cursor Version: 2.1.50

For AI issues: which model did you use?

Sonnet 4.5

Additional Information

cursor-bug-report.md

Bug Report: Write and StrReplace Tools Blocked on .cursor/rules/private/*.mdc Files

Description of the Bug

The AI agent’s Write and StrReplace tools fail with “Write permission denied” error when attempting to write to .mdc files in the .cursor/rules/private/ directory, despite proper filesystem permissions. This worked in previous versions of Cursor without any issues.

Impact

High - This breaks the workflow for managing private cursor rules programmatically. The AI agent cannot update its own private rules without cumbersome workarounds.

Steps to Reproduce

1. Create a .cursor/rules/private/ directory in your workspace
2. Set full permissions: chmod -R 777 .cursor/rules/private/
3. Ask the AI agent to create or update a .mdc file in that directory using the Write tool
4. Observe the error: “Write permission denied”

Expected Behavior

The Write and StrReplace tools should successfully write to files in .cursor/rules/private/ directory, just like they work on other files in the workspace.

Actual Behavior

Both Write and StrReplace tools are blocked with “Write permission denied” error, even though:

• Directory has full 777 permissions (drwxrwxrwx)
• All files have full 777 permissions
• The directory is within the workspace
• Files are not tracked in git
• Shell commands (with required_permissions: ['all']) can write successfully to the same location
• Python scripts can write successfully to the same location

Evidence

1. Directory Permissions (Full Access)

$ ls -la .cursor/rules/private/
drwxrwxrwx@ 15 lior.barak  staff    480 Dec  8 15:30 .
-rwxrwxrwx@  1 lior.barak  staff   8118 Nov 27 10:00 comet-slash-testing-framework.mdc
-rwxrwxrwx@  1 lior.barak  staff  14390 Nov 16 12:00 dataengine-runtime-improvements-design.mdc

2. Write Tool Fails

Write tool result: "Write permission denied: "

3. Shell Command Succeeds

$ echo "Test content" > .cursor/rules/private/test.mdc
$ cat .cursor/rules/private/test.mdc
Test content  # ✅ Success!

4. Python Script Succeeds

with open('.cursor/rules/private/test.mdc', 'w') as f:
    f.write("Test content")
# ✅ Success!

Workaround

Currently using Python scripts via Shell tool with required_permissions: ['all'] to write files:

# Workaround - should not be necessary
python3 << 'EOF'
with open('.cursor/rules/private/my-rule.mdc', 'w') as f:
    f.write(content)
EOF

Environment

• Operating System: macOS 14.6.0 (Darwin 24.6.0)
• Cursor Version: 2.1.50
• Shell: zsh
• Workspace: Git repository at /Users/lior.barak/PycharmProjects/orion
• File Type: .mdc (Markdown with frontmatter)
• Directory: .cursor/rules/private/ (within workspace)

Additional Context

This issue appeared after a recent Cursor update. Previously, the AI agent could write to private rules directly without any workarounds. The behavior is inconsistent:

• Shell tool with required_permissions: ['all'] → Works
• Python scripts → Works
• Write tool → Blocked
• StrReplace tool → Blocked

This suggests an internal Cursor restriction on the Write/StrReplace tools specifically, rather than a filesystem permissions issue.

Regression

This is a regression - the same workflow worked in previous Cursor versions without any special permissions or workarounds.

Request

Please restore the ability for AI agents to write directly to .cursor/rules/private/*.mdc files using the Write and StrReplace tools, as this is essential for programmatic rule management.

Forum Post URL: [To be filled after posting]
Date Reported: December 8, 2024

Does this stop you from using Cursor

Sometimes - I can sometimes use Cursor

Hey, thanks for the report.

It looks like the Write and StrReplace tools are being blocked because .cursor/rules/ is considered a configuration directory. According to the security docs (Agent Security | Cursor Docs), agents can modify workspace files without confirmation, but configuration files require approval.

The mismatch with the Shell tool (which works) and the fact that this is a regression point to a bug in the security logic.

I’ll pass this to the engineering team for a fix. You can keep using your workaround via Python scripts for now.

If you have a Request ID from the chat where the error occurred (right‑click the chat → Copy Request ID), please share it. That’ll help with debugging.

I’m encountering the same issue. Here’s a suggestion: similar to “Dotfile Protection,” we could add a “Configfile Protection” feature.

The problem:

From a usage perspective, .cursor/rules serves different purposes for different users:

1. Static configuration: Some users treat it as configuration files that should be protected from agent modifications
2. Dynamic context management: Others use it for dynamic context that agents need to edit regularly

Currently, there’s no way for agents to edit these files at all, which blocks the second use case entirely.

Proposed solution:

A universal, one-time setup approach: Protected File List configuration.

Let users decide which files should be protected. This could have two protection levels:

1. Never Edit: Files that should never be modified by agents
2. Ask for Permission: Files that agents can edit after user confirmation

When protection is disabled for certain files, agents can edit them without asking for permission each time.

This would balance security concerns with the flexibility needed for different workflows.

Thanks for the quick response, Dean!

I understand that .cursor/rules/ is considered a configuration directory. However, the issue is that Cursor doesn’t ask for approval at all - it just automatically denies the operation with “Write permission denied.”

According to the security docs you referenced, configuration files should require approval, not be blocked entirely. I would expect:

1. Agent attempts to write to .cursor/rules/private/*.mdc

2. Cursor prompts: “Agent wants to modify configuration file. Allow?”

3. I click “Allow” and grant permission

4. Write succeeds

Instead, what happens:

1. Agent attempts to write

2. Immediate denial - no prompt, no approval option

3. Write fails silently

The workaround (Python scripts via Shell tool) is pretty annoying and required me to create an additional rule (private-rule-update-workflow.mdc) just to ensure I don’t accidentally lose existing rule data when updating. The workflow now requires:

1. Read entire existing rule file

2. Merge existing + new content

3. Write via Python script workaround

4. Clean up temp files

This defeats the purpose of having a simple, programmatic way to manage rules.

Request ID: b7b8011e-7d72-4301-b63a-a4b91d040df9
(can be found at:
Step 2: Test Direct Write

Now let’s try writing directly with the Write tool:

Edit write permission denied.

Still blocked! Even with 777 permissions, the Write tool is denied.)

Exactly! I’m a user like your bullet point #2 - I use .cursor/rules dynamically.

After a couple of prompts and progress, or when I read new Confluence pages at my company, I want to create new private rules for Cursor to be better at my specific work. So I make dynamic rules that update regularly and add new ones every day for improvement.

The agent knows how to write the best rules for itself - no need for me to manually craft them. It learns from our work together and documents patterns, best practices, and project-specific knowledge automatically.

Like you said: “no way for agents to edit these files at all” - this blocks me a lot in my work with the agent AI.

I would be glad to have an option to allow Cursor full permissions to these rules for all CRUD operations (mainly creating and updating existing rules). A “Trust Agent for Rules Management” toggle would be perfect for my workflow.

Your “Protected File List” suggestion is excellent - it would let users like me opt-in to dynamic rule management while keeping others protected by default.

Thanks, got it. This is a bug: for .cursor/rules there should be a confirmation prompt, not an auto-decline. I’ve already passed it to the engineering team and we’ll fix it.

We need a bit more info:

• Reproduce the StrReplace issue and send a separate Request ID
• Confirm whether Privacy Mode was turned off when you collected the ID
• If possible, attach a short screenshot or video of the refusal happening without a permission prompt, plus any console errors (Help > Toggle Developer Tools)

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

cursor ide can’t modify files under .cursor directory , write permissions denied on windows system

Steps to Reproduce

i ask agent to modify .cursor/commands/xxx.md files, but i failed.
and i tried to change .cursor’s permissions, it did not work.
other tries, like runs as administrator , it did not work

Screenshots / Screen Recordings

Operating System

Windows 10/11

Current Cursor Version (Menu → About Cursor → Copy)

Version: 2.2.14 (system setup)
VSCode Version: 1.105.1
Commit: 1685afce45886aa5579025ac7e077fc3d4369c50
Date: 2025-12-11T01:12:35.790Z
Electron: 37.7.0
Chromium: 138.0.7204.251
Node.js: 22.20.0
V8: 13.8.258.32-electron.0
OS: Windows_NT x64 10.0.26100

Does this stop you from using Cursor

No - Cursor works, but with this issue

I’ve experienced the same (similar issue). Maybe it’s related to Flutter MCP and ClickUp MCP being installed? Still doesn’t work after removing them

To reproduce, I’ve specifically asked the LLM to try using the tool

```

/Users/balazsbenedek/development/easyling/easyling/pagetranslate/src/main/webapp/_el/dart/app/el_paw/lib/widget/site_content/pages/presentation/pages_directory.dart

// Auto-expand if there are results OR if search is active (even with empty results)

// Auto-expand if there are results OR if search is active (shows empty state for no results)

And it failed

This workaround works for me (Mac OS, Composer 1). Add this to your AGENTS.md file:

Workaround: Editing .cursor/ files

Problem: Cursor blocks Write/StrReplace tools on .cursor/ directory.

write permission denied: 

Workaround: Use copy-ask-move (paths relative to repo root):

Safety Note: This bypasses Cursor’s built-in protection. User confirmation is mandatory before overwriting.

1. copy: cp .cursor/path/to/file tmp_file
2. edit: tmp_file with StrReplace and Write tools
3. ask user for confirmation
4. stop — do not proceed without explicit approval
5. move: mv tmp_file .cursor/path/to/file (only after user confirms)

New update: removing Flutter MCP and restarting the laptop helped!

Please guys, huge blocker. Sorry if bumping is against the rules.

Problem statement: Agent should be able to edit files under .cursor/rules.

Hi, just checking in — any progress or tentative timeline on this issue? Thanks!

Thanks guys, you are great

Bump: this started happening for me in the past few days where agents are denied write access to rules files without any way for me to approve it

(It worked fine last week where the agent had a permission prompt to edit a .cursor/rules/*.mdc file).

The workarounds of getting AI to make the edits to a separate file and copying across aren’t great

Bump - this is happening again for me.

I noticed this behavior today. Could you please look into a fix? Alternatively, it would be great to have a configurable option that allows us to set a permanent preference for Cursor to edit rules.
Thank you!