Hey, thanks for the report. This is a known issue. The agent’s Read tool doesn’t fully respect .gitignore.
What’s happening: .env* is on the default ignore list, but that list is currently applied only to indexing, not to agent tool calls like Read file. So the agent can still explicitly open and read .env if it decides to.
The workaround you found is the right approach: .cursorignore. A couple tips to make it more reliable:
You can set this globally so it applies to all projects: VS Code Settings > General > Global Cursor Ignore List. Add patterns like **/.env and **/.env.*.
Keep in mind the docs say the terminal and MCP tools used by the agent can’t be blocked via .cursorignore, so the agent can still access env contents through terminal commands like cat .env. More here: Ignore files | Cursor Docs
The team is aware of this gap between indexing-level ignores and agent tool-level ignores.
Let me know if the global ignore list approach works for you.
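As an added example (not code from the post above, Cursor, or its docs): a small checker that takes the two patterns the reply recommends and reports which secret-looking files in a checkout they would leave uncovered. The gitignore-style matching semantics for `**/`, `*` and `?` are my assumption about how Cursor interprets ignore patterns, and the file list is constructed, not from a real repo. It shows that `**/.env` and `**/.env.*` catch `.env`, `.env.local` and nested `.env.production`, but not `.envrc` or `config/secrets.yaml`, so those would still be readable by the agent's Read tool until you add patterns for them.

```python
"""
Report secret-looking files that a set of .cursorignore-style patterns does NOT cover.

Added example, not Cursor's code. Assumptions: patterns use gitignore-style
globbing ('**/' = any number of leading directories, '*' = within one path
segment, '?' = one non-slash character, a bare name matches at any depth,
a leading '/' anchors to the repo root). The sample paths are constructed.
"""
import re
from typing import Iterable, List

# Constructed sample checkout: some files the two patterns from the post cover,
# and a few secret-bearing files they do not.
SAMPLE_PATHS = [
    ".env",
    ".env.local",
    "services/api/.env.production",
    "deploy/.env.example",
    ".envrc",                 # direnv file, frequently exports API keys
    "config/secrets.yaml",
    "src/app.py",
]

# The patterns recommended in the reply above.
POST_PATTERNS = ["**/.env", "**/.env.*"]

# Heuristic for "looks like it holds secrets"; tune for your own repo.
SECRET_HINT = re.compile(r"(^|/)\.env|secret|credential", re.IGNORECASE)


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate one gitignore-style pattern into an anchored regex."""
    p = pattern.strip()
    anchored = p.startswith("/")
    p = p.lstrip("/")
    if not anchored and "/" not in p:
        # A bare name matches at any depth, as in .gitignore.
        p = "**/" + p
    out: List[str] = []
    i = 0
    while i < len(p):
        if p.startswith("**/", i):
            out.append("(?:[^/]+/)*")   # zero or more directory components
            i += 3
        elif p.startswith("**", i):
            out.append(".*")            # trailing '**': anything, slashes included
            i += 2
        elif p[i] == "*":
            out.append("[^/]*")         # within a single path segment
            i += 1
        elif p[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(p[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def ignored(path: str, patterns: Iterable[str]) -> bool:
    """True if any pattern would hide this path from the agent's file tools."""
    return any(glob_to_regex(pat).match(path) for pat in patterns)


def uncovered_secrets(paths: Iterable[str], patterns: Iterable[str]) -> List[str]:
    """Paths that look secret-bearing but are matched by none of the patterns."""
    pats = list(patterns)
    return [p for p in paths if SECRET_HINT.search(p) and not ignored(p, pats)]


if __name__ == "__main__":
    gaps = uncovered_secrets(SAMPLE_PATHS, POST_PATTERNS)
    for path in gaps:
        print(f"NOT ignored, still readable by agent tools: {path}")
    # Remember: even a complete list only blocks indexing and file tools;
    # terminal and MCP tool calls can still read these files.
```

Running it lists `.envrc` and `config/secrets.yaml` as gaps; adding `**/.envrc` and `**/secrets.*` to the global ignore list closes them for the Read tool, though per the docs this still does nothing for terminal commands such as `cat .env`.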