Isolate MCP allowList from shell permissions

Feature request for product/service

Cursor IDE

Describe the request

Currently you can allowlist specific MCP tools to give the agent safe boundaries within which it can work without constant supervision, which is super useful for involved multi-tool workflows. However, you can’t enable auto-run on MCP tools without also enabling auto-run on sandboxed terminal commands. While the commands are sandboxed, and there’s technically an allowlist, my credentials will still be within scope of e.g. the gcloud or aws CLIs, and the docs clearly state that terminal allowlists are not a security guarantee.

It would be useful if you could toggle the security posture of MCP tool calls and terminal access independently. So I could enforce that ALL terminal calls require explicit approval, while reliably allowlisting certain MCP tools that I can ensure are read-only. That way I could leave the agent to run without “probably” not deleting production!

For anyone else new to Cursor and hitting this problem: enabling “legacy mode” on the agent’s terminal disables the sandboxing and makes it enforce the empty terminal allowlist properly.

I’ve seen suggestions that Cursor are looking to replace those allowlists with sandboxing, and that’s why the previous behaviour is being “degraded” in the new terminal. That’s fine, and if legacy mode is there to stay then we’re all good, but if not then I’d like to suggest an option to at least wholly disable auto-approval through the terminal while still allowing auto-approved MCP. They’re just such different beasts in terms of risk profile.
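To make the risk-profile argument concrete, here is an added policy model (not Cursor's code, and not its real settings schema) that evaluates the two behaviours described above side by side: a coupled policy where turning on MCP auto-run also turns on auto-run for sandboxed terminal commands, and a decoupled policy where each channel is gated only by its own toggle and allowlist. Field names such as `mcp_auto_run`, `terminal_auto_run` and `coupled` are assumptions introduced for the model; the sample calls (a read-only MCP tool, an unlisted MCP tool, a sandboxed `gcloud` command) are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    TERMINAL = "terminal"
    MCP = "mcp"


@dataclass(frozen=True)
class Call:
    kind: Kind
    name: str            # shell command name or MCP tool name
    sandboxed: bool = False  # only meaningful for terminal calls


@dataclass(frozen=True)
class Policy:
    # Hypothetical settings; names are assumptions, not Cursor's schema.
    mcp_auto_run: bool = False
    terminal_auto_run: bool = False
    mcp_allowlist: frozenset = frozenset()
    terminal_allowlist: frozenset = frozenset()
    # coupled=True models the behaviour the post describes: MCP auto-run
    # implies auto-run for sandboxed terminal commands.
    coupled: bool = True


def decide(policy: Policy, call: Call) -> str:
    """Return "auto" if the call runs without a prompt, else "approve".

    Unknown kinds fail closed: anything not explicitly modelled needs approval.
    """
    if call.kind is Kind.MCP:
        # MCP tools are auto-run only when the feature is on AND the tool is listed.
        if policy.mcp_auto_run and call.name in policy.mcp_allowlist:
            return "auto"
        return "approve"

    if call.kind is Kind.TERMINAL:
        # In the coupled model the MCP toggle leaks into terminal behaviour.
        terminal_auto = policy.terminal_auto_run or (policy.coupled and policy.mcp_auto_run)
        if terminal_auto and (call.sandboxed or call.name in policy.terminal_allowlist):
            return "auto"
        return "approve"

    return "approve"


def compare(coupled: bool) -> dict:
    """Evaluate the same calls under one policy shape; returns {call name: decision}."""
    policy = Policy(
        mcp_auto_run=True,
        terminal_auto_run=False,          # the user wants every terminal call approved
        mcp_allowlist=frozenset({"docs.search"}),  # constructed read-only tool name
        terminal_allowlist=frozenset(),   # empty, as in the post
        coupled=coupled,
    )
    calls = [
        Call(Kind.MCP, "docs.search"),
        Call(Kind.MCP, "db.delete_rows"),          # constructed, not allowlisted
        Call(Kind.TERMINAL, "gcloud", sandboxed=True),  # sandboxed, but credentials in scope
    ]
    return {c.name: decide(policy, c) for c in calls}


if __name__ == "__main__":
    print("coupled:  ", compare(coupled=True))
    print("decoupled:", compare(coupled=False))
```

Under the coupled model the sandboxed `gcloud` call is auto-run even though terminal auto-run is off and the terminal allowlist is empty, which is exactly the exposure the post is about; under the decoupled model it requires approval while the allowlisted read-only MCP tool still runs unattended.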