Where does the bug appear (feature/product)?
Cursor IDE
Describe the Bug
MCP wildcard entries in ~/.cursor/permissions.json are not being honoured.
Wildcard-covered tools still show approval prompts and log needsApproval (not in allowlist). Exact MCP entries appear to execute without prompting, even though the permission log still reports needsApproval.
{
"mcpAllowlist": [
"honeycomb:get_*",
"honeycomb:refinery_docs",
"aws-managed-mcp:aws___*",
"aws-managed-mcp:aws___list_regions",
"aws-managed-mcp:aws___search_documentation"
]
}
The docs say mcpAllowlist supports server:*, *:tool, *:*, and glob-style patterns such as my-server:list_*.
aws-managed-mcp:aws___*, was added to test this specific behaviour and is not part of my normal allowlist
Steps to Reproduce
This is likely to be difficult to reproduce - I suspect it’s something “stuck” in my client, similar to MCP Allowlist doesn't work, also can't be edited .
In any case, I reproduce it by:
- restarting cursor, and making sure that all cursor-related processes had been killed
- ensuring MCPs were loaded and active, ensuring that security mode is “Allowlist (with Sandbox)” and the settings UI is showing that allowlist & approval behaviour is managed by
~/.cursor/permissions.json - instructing the agent to perform MCP calls that matched wildcards and calls that matched exact entries
- analysing logs on the items that worked and the ones that still prompted.
Expected Behavior
Wildcard & non-wildcard permissions.json entries match consistently.
What actually happened:
Wildcard-covered tools prompt and are blocked if I choose Skip.
Current log examples:
2026-07-03 11:07:39.193 [info] [permissions-service] shouldBlockMcp: toolName="get_workspace_context", providerIdentifier="honeycomb"
2026-07-03 11:07:39.194 [info] [permissions-service] shouldBlockMcp: needsApproval (not in allowlist) toolName="get_workspace_context", providerIdentifier="honeycomb", approvalMode="allowlist"
2026-07-03 11:09:45.887 [info] [permissions-service] shouldBlockMcp: toolName="aws___retrieve_skill", providerIdentifier="aws-managed-mcp"
2026-07-03 11:09:45.887 [info] [permissions-service] shouldBlockMcp: needsApproval (not in allowlist) toolName="aws___retrieve_skill", providerIdentifier="aws-managed-mcp", approvalMode="allowlist"
Renderer log confirms the approval prompt:
2026-07-03 11:07:39.217 [info] [ComposerWakelockManager] Released wakelock id=8 reason="user-approval-requested"
2026-07-03 11:09:45.909 [info] [ComposerWakelockManager] Released wakelock id=12 reason="user-approval-requested"
Exact entries behave differently. They also log needsApproval, but execute anyway without a visible prompt:
2026-07-03 11:08:45.172 [info] [permissions-service] shouldBlockMcp: toolName="refinery_docs", providerIdentifier="honeycomb"
2026-07-03 11:08:45.921 [info] [permissions-service] shouldBlockMcp: needsApproval (not in allowlist) toolName="refinery_docs", providerIdentifier="honeycomb", approvalMode="allowlist"
Request trace for the exact honeycomb:refinery_docs call:
2026-07-03T01:08:46.061Z span_started name="workbench_toolset.execute"
2026-07-03T01:08:47.320Z span_completed name="workbench_toolset.execute"
Exact AWS entry also executed:
2026-07-03 11:07:56.303 [info] [permissions-service] shouldBlockMcp: toolName="aws___list_regions", providerIdentifier="aws-managed-mcp"
2026-07-03 11:07:56.304 [info] [permissions-service] shouldBlockMcp: needsApproval (not in allowlist) toolName="aws___list_regions", providerIdentifier="aws-managed-mcp", approvalMode="allowlist"
2026-07-03T01:07:56.415Z span_started name="workbench_toolset.execute"
2026-07-03T01:08:02.730Z span_completed name="workbench_toolset.execute"
Historical Evidence
The same machine previously logged successful wildcard matches, so this is not a case where wildcard support never existed.
Historical log from 23 Jun showed entries like:
matchesMcpEntry: serverPattern="honeycomb", toolPattern="get_*", normalizedToolName="get_workspace_context", result=true
ALLOWED (explicitly in allowlist)
and:
matchesMcpEntry: serverPattern="prometheus", toolPattern="*", normalizedToolName="executequery", result=true
ALLOWED (explicitly in allowlist)
In the current broken state, I do not see matchesMcpEntry for the failing wildcard checks. The permission service goes straight to needsApproval (not in allowlist).
Operating System
MacOS
Version Information
Cursor 3.9.16 stable, Glass layout
From logs: client_version="3.9.16"
For AI issues: which model did you use?
Composer 2.5, GPT 5.5 XHigh to investigate & compile this report.
For AI issues: add Request ID with privacy disabled
492cdd24-7de5-41d3-b979-dcdb7836b0da
Does this stop you from using Cursor
No - Cursor works, but with this issue