@lironle thanks for this comment
I also had suspected some previously visible manually enabled cursor setting to be a likely root cause of the problem, potentially “MCP Tools Protection” and related YOLO/allowlist stuff which I had altered in the past.
After several cursor upgrades and profanity and lost productivity I decided to look deeper and to resolve this bs issue.
There were a lot of wasted hours and head banging and begging codex to help me out… and eventually I managed to get the MCP allow list, autorun etc. to work in both sandboxed and unsandboxed modes.
Previously the list was indeed not editable manually (but new allowList entries did get added when I tried MCP tools), but the allow listed MCP tool calls finally run without frustrating manual confirmation.
Here is the issue description and the solution which worked for me, written by codex cli, which deserves the credit:
Problem
Even with MCP servers approved and auto-run enabled, Cursor kept prompting for every MCP tool call (Playwright, Python, Task Master, etc.) after restarts.
The UI toggles were useless because some of these flags live in the global reactive store, but not in the currently visible profile settings, e.g. “MCP Tools Protection”, which was likely manually enabled by the user in a previous Cursor version which still exposed this in the UI.
Root cause
`~/Library/Application Support/Cursor/User/globalStorage/state.vscdb` has a giant JSON blob (`src.vs.platform.reactivestorage.browser.reactiveStorageServiceImpl.persistentStorage.applicationUser`). Inside `composerState` the following keys were stuck in “safety” mode:

```
composerState.shouldAutoContinueToolCall = 0
composerState.yoloMcpToolsDisabled = 1
composerState.useYoloMode = 1
composerState.modes4[0].fullAutoRun = false
```
Every time Cursor boots, it reads those values and immediately overrides whatever you set in the UI. That is why approvals kept coming back.
Compact fix script
- Quit Cursor completely.
- Save the script below as `cursor-mcp-autorun-fix.sh` anywhere.
- Run it. It backs up each `state.vscdb`, flips the booleans in both global + profile DBs, and confirms the results.
- Launch Cursor and test your MCP tools (sandboxed or unsandboxed).
```bash
#!/usr/bin/env bash
set -euo pipefail
ROOT="$HOME/Library/Application Support/Cursor"
STAMP=$(date +%Y%m%d-%H%M%S)
KEY='src.vs.platform.reactivestorage.browser.reactiveStorageServiceImpl.persistentStorage.applicationUser'
# "$ROOT/User" already contains profiles/, so search it once. Listing both paths
# visits each profile DB twice, and the second cp overwrites the backup with the modified DB.
find "$ROOT/User" -type f -name state.vscdb -print0 2>/dev/null | while IFS= read -r -d '' DB; do
  # Back up first; skip this DB rather than modify it without a backup.
  cp "$DB" "$DB.bak.$STAMP" || { echo "Backup failed, skipping: $DB" >&2; continue; }
  # Set the flags that control whether MCP tool calls run without a confirmation prompt.
  /usr/bin/sqlite3 "$DB" "PRAGMA busy_timeout=5000; BEGIN;
    UPDATE ItemTable SET value=json_set(value,
      '$.shouldAutoContinueToolCall', 1,
      '$.yoloMcpToolsDisabled', 0,
      '$.isAutoApplyEnabled', 1
    ) WHERE key='$KEY' AND json_valid(value);
    UPDATE ItemTable SET value=json_set(value,
      '$.composerState.useYoloMode', 0,
      '$.composerState.shouldAutoContinueToolCall', 1,
      '$.composerState.yoloMcpToolsDisabled', 0,
      '$.composerState.isAutoApplyEnabled', 1,
      '$.composerState.modes4[0].autoRun', 1,
      '$.composerState.modes4[0].fullAutoRun', 1
    ) WHERE key='$KEY' AND json_valid(value);
    UPDATE ItemTable SET value=REPLACE(value,'\"mcpEnabled\": false','\"mcpEnabled\": true')
      WHERE key='$KEY' AND value LIKE '%\"mcpEnabled\": false%';
    COMMIT;"
  # Read the values back (read-only) to confirm the result.
  /usr/bin/sqlite3 -readonly "$DB" "SELECT '$DB',
    json_extract(value,'$.composerState.shouldAutoContinueToolCall'),
    json_extract(value,'$.composerState.yoloMcpToolsDisabled'),
    json_extract(value,'$.composerState.modes4[0].fullAutoRun')
    FROM ItemTable WHERE key='$KEY';"
done
echo "Done. Restart Cursor and retest MCP autorun."
```
After running the script, both “Run everything (unsandboxed)” and “Run everything (sandboxed)” modes finally work as expected: MCP tool calls auto-run, the allowlist UI reappears as editable in sandboxed mode, and no more confirmation dialogs.
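
Added example, not part of the original post and not Cursor's own tooling: a read-only check that compares the JSON blob in a `state.vscdb.bak.<stamp>` backup with the live database and lists every JSON path whose value changed, so the confirmation-related flags that were rewritten can be reviewed. The table name, key and backup naming come from the script above; the function names `load_blob` and `diff` are made up for this example.

```python
import json
import sqlite3
import sys
from pathlib import Path

# Storage key and table name as used by the script in the post.
KEY = ("src.vs.platform.reactivestorage.browser."
       "reactiveStorageServiceImpl.persistentStorage.applicationUser")


def load_blob(db_path):
    """Open a state.vscdb read-only and return the parsed JSON blob, or None."""
    # as_uri() percent-encodes the space in "Application Support".
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        row = con.execute("SELECT value FROM ItemTable WHERE key = ?", (KEY,)).fetchone()
    finally:
        con.close()
    if row is None:
        return None
    raw = row[0].decode("utf-8") if isinstance(row[0], bytes) else row[0]
    return json.loads(raw)


def diff(old, new, path="$"):
    """Return {json_path: (old_value, new_value)} for every value that differs."""
    absent = "<absent>"  # marker for a key present on only one side
    if isinstance(old, dict) and isinstance(new, dict):
        out = {}
        for k in sorted(set(old) | set(new)):
            out.update(diff(old.get(k, absent), new.get(k, absent), f"{path}.{k}"))
        return out
    if isinstance(old, list) and isinstance(new, list) and len(old) == len(new):
        out = {}
        for i, (a, b) in enumerate(zip(old, new)):
            out.update(diff(a, b, f"{path}[{i}]"))
        return out
    # Compare types too, so a boolean replaced by an integer (false -> 1) is reported.
    return {} if (type(old) is type(new) and old == new) else {path: (old, new)}


if __name__ == "__main__":
    # usage: python3 this_file.py state.vscdb.bak.<stamp> state.vscdb
    changes = diff(load_blob(sys.argv[1]) or {}, load_blob(sys.argv[2]) or {})
    for p, (a, b) in changes.items():
        print(f"{p}: {a!r} -> {b!r}")
```

Run it with Cursor closed, passing the backup file first and the live `state.vscdb` second; any path in the output that the script above does not name is a change made by something else.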