No allow list for commands in plan mode?

Been using plan mode more heavily lately. I’m curious, why is a command allowlist not supported for plan mode? I honestly don’t exactly know what the sandboxing looks like, how secure it is, etc. I generally prefer the allowlist approach, where I can allow commands I know will always be benign, but be in control of allowing or rejecting commands that may not be.

Is there a reason why plan mode only allows Ask Every Time, Auto-Run in Sandbox and Run Everything, but not a Use Allowlist option?

1 Like

Apparently this is not just a plan mode thing anymore? Cursor updated today, and I seem to have completely lost my allowlist for commands. I DO NOT like this new approach with the sandbox. For one, it seems to hang a lot, and I don’t know why. But beyond that, there are certain commands I NEVER want to run automatically, sandboxed or not, I WANT, EXPECT, INSIST on being in control of them. In part, this halts the agent at certain points, and gives me a chance to determine if I even like the path it is taking.

Why are you guys removing the allowlist functionality? Is there a way to restore allowlist functionality? Because I really do not like this new approach at all. At all!

Just because a feature can be made doesn’t mean it should. At the very least, you should restore allow list, even if you keep this sandbox approach, because some of us use the allow list in a very specific way, and we have now completely lost the ability to control and manage the agent due to the loss of allowlist now…

Frustrated and disappointed.

@condor @deanrie

Let me ask a more pointed question. Even in a sandbox…if the agent runs a command, to DISCARD MY GIT WORKSPACE… Will that take effect, period, and actually DESTROY my workspace? This is a command I NEVER, EVER, EVER want the agent to run, EVER, period, sandbox or not. I WILL NOT allow the agent to nuke my workspace. So I’ve never added it to my allow list.

You guys have taken away my ability to prevent that, however these agents try to do it all too often! Which is explicitly WHY I have never added any such command that allows the agent to automatically and without my intervention, destroy my git workspace. I DO NOT trust the sandbox approach here. However, the ONLY other option you guys are giving me now, is to have to manually approve every single command! That is unacceptable!

Please, give us back allowlist control over terminal commands. There is no alternative for me. I will never allow every command to be executed, either in a sandbox or not, but having to manually approve every single command has absolutely decimated my velocity.

This was a terrible feature change, guys!!

@condor I am EXTREMELY concerned right now. I keep downgrading Cursor versions, but it seems like I am NO LONGER able to use the allowlist approach for terminal commands? IS this some kind of server-side managed feature? What version was it introduced? I had allowlist until today, then suddenly today, allowlist is just gone, and no matter how many versions I roll back, allowlist is not coming back.

I am GRAVELY CONCERNED here! I do not like this approach! As far as I can tell, this sandbox does NOTHING to stop the agent from executing whatever git commands it wants, and they absolutely DO affect my workspace! It is far, far too tedious to have to manually allow or deny every single individual command. This was a HORRIBLE, HORRIBLE change. Please restore allowlist functionality.

I kept rolling back. Finally reached version 1.7.25, and allowlist finally came back. Guys, this sandbox feature is horrid. I will not be using it. It causes some very strange behavior, and commands seem to hang a lot more frequently with it. It is supposed to be readonly, however that does not always seem to be the case, and it seems the agent can find ways around that, too. But read-only behavior, is NOT VIABLE for me, either! I simply CANNOT allow every command to be run without restraint…the agents far too often, try to do things that I DO NOT want them to do, and I have been extremely careful about not allowing certain commands into my allowlist. FIRST among them, are:

  • rm
  • git reset
  • git --
  • ssh

There are others, of course, but there are certain things I do not allow the agent to do without my EXPRESS permission EACH time such a command is run. So with your sandbox option SUPPLANTING allowlist terminal usage, I would have to resort to manually allowing or denying EVERY SINGLE command. Allowlist was one of the single greatest productivity enhancers for me, as it allowed me to allow benign commands to be run automatically, while restricting dangerous commands. Dangerous commands are run a fraction of the time benign commands are run.

The sandbox, however, causes all manner of problems. Aside from allowing any command to be run, and if the agent wants to find a way around the sandbox restrictions, it often seems to be able to, then it can effectively do anything, anyway.

At the same time, sandboxing with read-only capability is NOT effective for SO MANY things I do. I REQUIRE the ability to write to disk, for a range of things. In particular, while I do not allow the agent to git reset or git checkout or git discard files automatically, I DO use it to commit! However, committing with auto-run sandbox mode is a disaster, because the agent cannot stage files (even though, it seems to be able to discard them!) So it will try to stage, then try to write a commit message file (which fails), then try to commit with that commit message file (which results in the last commit message the agent was able to write, being used instead of the correct message), but then, only files that were already staged get committed, not all the files that were supposed to be staged and committed.

This sandbox mode is terrible. So is having to manually approve every single command the agent runs. The allowlist was a VASTLY superior tool for managing the agent terminals.

Actually, 1.7.25 doesn’t work at all. Not one single terminal command is running, as far as I can tell.

Ok, moving forward from 1.7.25 to 1.7.28, seems to have restored terminal functionality without forcing me back into the darn terminal sandboxing. Please, please do not force your users into this sandbox terminal mode, or leave us without an allowlist mode.

Hi @jrista we have seen for some users issues with the allowlist and the safe approach was to use a sandbox instead. This has been adjusted also for all modes, not just for plan mode.

Just because some users have issues with something, doesn’t mean all users do. I will not use the sandbox. I’ve run into a multitude of problems with it, I loathe the darn thing, and it is NOT an option for me. I really wish you guys would add the allowlist back, even if you leave the sandbox option in place, because sandbox does NOT support my need. Neither does the only other usable option, which is to manually allow every single command one at a time. That is UNACCEPTABLE! I have never once had any issues with the allowlist, and I REQUIRE the ability to have the agent make certain changes to my data. Sandbox simply doesn’t support that properly, but the option that always manually requires I approve EACH and EVERY command is too tedious and decimates my velocity.

You guys need to stop ■■■■■■■■ with GOOD things, because a few people had some issues. Not all of us have any issues with allowlist, so why not give your users the OPTION, rather than forcing us into something that 1) is NOT actually a replacement (Sandbox is READONLY!!!) and 2) does not meet our needs that a prior tool met PERFECTLY?

@deanrie @condor I wanted to make sure this particular thing here was clear:

Sandbox mode, is (nominally anyway) “read-only”. It is designed to not be able to write, however I’ve noticed the agent will try to get around that, if your prompt is strong enough. This read-only nature, means that Sandbox mode is NOT a drop-in replacement for the allow-list option we had before, as the allow-list option CAN make changes, it is NOT read-only, and I need that. As such, this makes Sandbox mode 100% completely non-viable for me. Sandbox simply functions differently, and it cannot do the same things that allowlist mode did. I cannot replace allowlist mode with Sandbox mode. The two options are incompatible given how I use the terminal through the agent.

I am a power user. It doesn’t matter what IDE I am using, I eventually learn all the features it has, and I tend to use the vast majority of them. I make very heavy use of the agent, I use it to do everything. A heck of a lot of what I do, involves terminal work, so the agent is constantly running terminal commands. This is why the severe terminal issues you guys had for so many months, was such a debilitating issue for me: It rendered half of the reason I use Cursor, unusable.

Sandbox mode cannot do, half of what I use the terminal for (or now, as it stands, what I have the agent use the terminal for, now that the agent is an endemic part of my daily work.) I WILL NOT allow the agent to run any command it wants. These models have repeatedly demonstrated exactly why they SHOULD NEVER be allowed to run any command, because they WILL and DO run (or try to run, thankfully my setup of the allowlist PREVENTED the agent from running countless dangerous or devastating commands in the past) commands you just cannot allow them to. So the “Run Everything” mode is, and has always been, and will always be, a non-starter for me. I’ll never use it.

The only other option you guys leave me with now, is the option to manually approve EVERY SINGLE COMMAND. The agent runs a TON of commands for me. This is not viable. I cannot be babysitting every agent chat, every moment of their execution, to be there when they need to run a command, because they are always running commands. So “Approve Everything” is also not viable, a non-starter. I CANNOT use it, it will dramatically increase my workload, and the entire reason I pay $200-300 or more a month for Cursor, will be gone. Cursor WAS accelerating my daily work. If I have to babysit every command, it will slow me down and waste my time.

When you guys added the allowlist to Cursor, it was the single best feature improvement since I had started using it. I don’t care what other people do…if they add bad commands to the allow list that they shouldn’t, that’s on them. I have very carefully curated the set of commands I have allowed the agent to run on its own, unattended. Most of them, are totally benign commands, like pwd, cd, various git commands that have no impact like git show, git log, etc. I do allow the agent to generate temp files, csv files, and various other things that are done at the command line because it is most efficient to do it that way. Because I use the terminal in a READ/WRITE manner, Sandbox is 100% completely and totally non-viable. It is not a drop-in alternative to the allowlist, as it simply does not provide the same functionality.

I just need you guys to understand how devastating this change is to my daily work. I’m a very heavy agent user, and a very heavy terminal user, and the agent now does most of my terminal work for me. I require READ/WRITE mode, and I cannot be manually approving every single individual command. I RELY on the allow list mode, it is absolutely fundamental to my work. There are no alternatives for what I do.

2 Likes
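
Added example, not part of any post in this thread and not Cursor's implementation: a sketch of the allowlist gate the thread describes, where benign commands auto-run and everything else waits for approval. The policy entries reuse commands named above (`pwd`, `cd`, `git show`, `git log` allowed; `rm`, `git reset`, `ssh` always prompting); the `decide` function and the policy format are assumptions made for this example.

```python
import shlex

# Constructed policy built from commands named in the thread; the format is an
# assumption for this example, not Cursor's configuration.
ALLOW = [("pwd",), ("cd",), ("git", "show"), ("git", "log")]
ALWAYS_ASK = [("rm",), ("git", "reset"), ("ssh",)]
SEPARATORS = {"&&", "||", ";", "|", "&"}
PUNCT = set("();<>|&")
# Syntax that can carry a second command past a token-level check.
OPAQUE = ("$(", "`", "\n")


def _matches(argv, prefixes):
    return any(tuple(argv[:len(p)]) == p for p in prefixes)


def decide(line):
    """Return ("run" | "ask", reason) for one agent-proposed command line."""
    if any(marker in line for marker in OPAQUE):
        return "ask", "substitution or multi-line input"
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # shlex would otherwise drop text after a mid-word '#'
    try:
        tokens = list(lexer)
    except ValueError:
        return "ask", "unparseable quoting"
    segments, current = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            segments.append(current)
            current = []
        elif tok and set(tok) <= PUNCT:
            return "ask", "redirection or subshell: " + tok
        else:
            current.append(tok)
    segments.append(current)
    # Every segment of a chained command must pass, not just the first one.
    for argv in segments:
        if not argv:
            return "ask", "empty command segment"
        if _matches(argv, ALWAYS_ASK):
            return "ask", "always-ask command: " + " ".join(argv[:2])
        if not _matches(argv, ALLOW):
            return "ask", "not on allowlist: " + argv[0]
    return "run", "every segment is allowlisted"
```

Prefix matching does not vet arguments, so an entry belongs in `ALLOW` only if every form of that command is acceptable to run unattended.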