Cursor reads file outside of workspace (parent dir) without any prompt.
Steps to Reproduce
Create folder (Foo).
Working with Kiro on “Foo” and it creates “.kiro” folder in it.
Create “ttt” in “Foo” (meaningless; I want to create isolated env from Kiro)
Open it with cursor (cursor opens empty “ttt” folder; title bar shows “ttt”)
Enter plan mode and use same prompt with kiro to create plan
Then, cursor prompts to read parent dir by command with full path (I press skip: Rejected: User chose to skip)
Cursor says “The repo already has a detailed spec in .kiro/specs/...”
Note: show me the content you've read. first 20 lines.shows parent dir content.
Expected Behavior
Don’t read parent folder/file with and without prompt in protection mode, even if current (opened) directory doesn’t have a .git, or other folder/file that indicates 'here is workspace".
note: please do not say "you should run git init on that folder.. AI must not read outside of working directory with protection setting. (not only content itself, including scanning directory and file names)
Hey, thanks for the detailed report. This isn’t actually a bug, it’s the scope of the setting, and the name is a bit confusing.
External-File Protection only limits writing outside the workspace. That means creating, editing, or deleting files. You can see this in the toggle description on your screenshot: “Prevent Agent from creating or modifying files outside of the workspace automatically”. It doesn’t block reading files outside the workspace.
So the agent can technically read files from a parent directory, like ../.kiro/specs/..., if the model decides it’s useful for context. This shows up more in Plan mode since the agent intentionally explores a bit wider to gather context for the plan. If the agent tried to write to those parent files, protection would kick in.
If you want to fully isolate the workspace from the parent folder, a couple of options:
Open the workspace outside the Foo folder tree, so ../ can’t physically reach .kiro.
Use .cursorignore to exclude unwanted paths from the context.
A request to also block reading outside the workspace makes sense. It’s worth filing as a separate feature request so the team can consider expanding this setting.
It’s so terirble if I working on C:/Users/_me_/Documents, AI may scan my entire home directory, with just a reason “helpful for finding secrets”?
I want to prevent traversing upwards completely. I don’t want to place .cursorignore everywhere. (or, does cursor stop traversal when .cursorignore found?).
I get the concern. If you open Cursor right in Documents or your home directory, the agent can technically read files higher up the folder tree.
To avoid putting a .cursorignore in every folder, use Global ignore files in user settings. These patterns apply to all projects. This is great for sensitive stuff, for example:
Files that match ignore patterns are excluded from indexing and AI features, so the agent shouldn’t pull them in. But fully blocking reads from parent directories is still being discussed as unresolved behavior. So treat ignore as strong filtering, not a hard boundary.
If you need full isolation from the parent folder, the most reliable option is to open your workspace outside the Foo tree, so ../ can’t physically reach sibling folders.
Right now there isn’t a setting that means “block any reads above the workspace entirely.” It’s a reasonable request. I’d suggest posting it as a separate feature request thread so the team can track it better. The current thread is marked as a bug report, but this is really a request for new behavior, so a separate post will get better follow-up.