How does command allowlist/denylist really work?

I pretty much want to allow Cursor to run any command except a few (mostly git add and git commit, but also any console like rails console, rails c, etc.).

I can’t figure out how the allow and deny list exactly work.

For instance, all rails commands can be called with or without bundle exec, but that’s fine still; I have just a few deny commands, so I can add the variations.

At the beginning I had only deny commands, but Cursor would get stuck at approvals, so I started adding allow commands, which grew a lot, but it’s been manageable.

The problem is with command parameters - for instance, I’ve got grep in the allowlist but it asks me for permission when running e.g. grep -A 5 -B 5 "STEP DEBUG.*contract ID\|CONTROLLER DEBUG.*Contract ID" log/test_p5.log

How does it exactly work?

Simple wildcards or regexes would solve this.

Do I need to add commands to allowlist once I have some in denylist?…

3 Likes
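One way to express the policy from the post above (allow everything except git add, git commit and the Rails console, with or without bundle exec) is to match on parsed tokens rather than on the raw command string. This is an added example, not part of the thread and not Cursor's matching logic, which the thread leaves unspecified; the rule tables and function names are hypothetical, and it assumes Python 3.8 or later.

```python
import re
import shlex

# Hypothetical policy taken from the first post: allow everything except these.
DENY = [("git", "add"), ("git", "commit"), ("rails", "console"), ("rails", "c")]
WRAPPERS = [("bundle", "exec")]              # stripped before matching
ASSIGNMENT = re.compile(r"[A-Za-z_]\w*=")    # leading VAR=value words
GREP_EXAMPLE = r'grep -A 5 -B 5 "STEP DEBUG.*contract ID\|CONTROLLER DEBUG.*Contract ID" log/test_p5.log'

def simple_commands(line):
    """Split a shell line into argv lists at ; | & ( ) outside quotes."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""                    # never drop text after '#'
    commands, current = [], []
    for tok in lexer:
        if tok and set(tok) <= set("();|&"):
            # Operator (or a quoted literal operator: over-splitting is the safe side).
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def strip_prefixes(tokens):
    """Drop VAR=value words and known wrappers; reduce the executable to its basename."""
    argv = list(tokens)
    while argv and ASSIGNMENT.match(argv[0]):
        argv.pop(0)
    for wrapper in WRAPPERS:
        if argv and (argv[0].rsplit("/", 1)[-1],) + tuple(argv[1:len(wrapper)]) == wrapper:
            argv = argv[len(wrapper):]
    if argv:
        argv[0] = argv[0].rsplit("/", 1)[-1]
    return argv

def decide(line):
    """Return ('deny', rule) if any simple command starts with a denied prefix."""
    try:
        commands = simple_commands(line)
    except ValueError:                       # unbalanced quotes: fail closed
        return "deny", "unparseable"
    for tokens in commands:
        argv = strip_prefixes(tokens)
        for rule in DENY:
            if tuple(argv[:len(rule)]) == rule:
                return "deny", " ".join(rule)
    return "allow", None
```

Token-prefix rules like these do not look inside strings handed to another interpreter, so they reduce approval prompts rather than replace a sandbox.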

Yeah it would be great to have some better documentation around this with some real world examples.

3 Likes

It is not a simple exact match on the command name (executable). I’ve added git and it still asks about git log ... commands.

So is it a pattern on the whole command line?

In general, the lack of sandboxing is a bit of a turnoff. Hope they will focus on this in the future (if not, at least provide a guide for how to best run the whole IDE in a sandbox on different platforms).

1 Like

You can sandbox with dev containers but the command matching is messed up.
Hey @cursor, fix it…………

1 Like

@cursor Any news or positioning on how these rules work?

1 Like

+1 here. It’s a safety-critical alternative to babysitting each action of the AI agent. It needs to be better specified.

Even without malicious AI hijacks I’ve seen enough sudden AI meltdowns where it would go haywire and start randomly breaking things. For now I keep an IntelliJ IDE running in parallel to track local history (vscode local history extension isn’t a good replacement there).