I’m running into an issue when Cursor Agent tries to run a terminal command with uv run with “Auto-Run in Sandbox” enabled. It always triggers this error:
error: failed to open file /Users/.../.cache/uv/sdists-v9/.gitignore: Operation not permitted (os error 1)
The agent then requests to run the command outside the sandbox, requiring my approval. This prevents me from letting it run autonomously without supervision.
Root cause: The uv package manager creates a .gitignore marker file in its cache directory (~/.cache/uv/) to prevent git from tracking cached files. The sandbox blocks all access to .git* files, so uv run fails even for simple commands like uv run python --version.
What I’ve tried:
Deleting the .gitignore file from the cache — uv recreates it on every run
Using --no-cache — uv still creates this file in its temp directory
Using UV_CACHE_DIR to put the cache inside the workspace — still blocked
The only workaround I’ve found is requesting all permissions, which defeats the purpose of the sandbox.
Potential fixes (suggested by Claude, not sure if they’d work):
Allow git_write permission to cover .gitignore files (currently it doesn’t seem to)
Distinguish between actual git repositories and .git* files in non-git directories
Has anyone else run into this? Is there a recommended workaround, or is this something that could be addressed in the sandbox itself?
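To illustrate the distinction suggested above (a `.gitignore` marker in a cache versus a file inside a real Git working tree), here is a small added example of such a path check. It is not Cursor's or uv's code; the two rule functions and the directory layout are constructed for the demonstration.

```python
"""Sketch of a ".git* path in a real repository?" check that a sandbox could
use instead of a blanket .git* deny rule. Added example, not Cursor's or
uv's code; the rule names and the fixture layout are hypothetical."""
from __future__ import annotations
import tempfile
from pathlib import Path

def git_worktree_root(path: Path, stop: Path | None = None) -> Path | None:
    """Return the nearest ancestor (up to `stop`) holding a .git entry
    (directory or gitfile), or None if the path is in no working tree."""
    for parent in [path, *path.parents]:
        if (parent / ".git").exists():
            return parent
        if stop is not None and parent == stop:
            break
    return None

def blanket_rule(path: Path) -> bool:
    """Rule the thread describes: every .git* basename is blocked."""
    return path.name.startswith(".git")

def repo_aware_rule(path: Path, stop: Path | None = None) -> bool:
    """Refined rule: a .git* path is protected only if it is the .git entry
    itself or lives inside a real working tree; a lone cache marker passes."""
    if not path.name.startswith(".git"):
        return False
    if path.name == ".git":
        return True
    return git_worktree_root(path.parent, stop) is not None

def demo() -> dict[str, bool]:
    """Build the three situations from the thread in a temp dir (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # 1) uv-style cache marker with no repository above it
        cache_marker = root / "cache" / "uv" / "sdists-v9" / ".gitignore"
        cache_marker.parent.mkdir(parents=True)
        cache_marker.write_text("*\n")
        # 2) the .gitignore of a real repository
        repo = root / "project"
        (repo / ".git").mkdir(parents=True)
        (repo / ".gitignore").write_text("__pycache__/\n")
        # 3) UV_CACHE_DIR pointed at a directory inside that repository
        ws_marker = repo / ".uv-cache" / ".gitignore"
        ws_marker.parent.mkdir()
        ws_marker.write_text("*\n")
        return {
            "blanket_blocks_cache_marker": blanket_rule(cache_marker),
            "refined_blocks_cache_marker": repo_aware_rule(cache_marker, root),
            "refined_blocks_repo_gitignore": repo_aware_rule(repo / ".gitignore", root),
            "refined_blocks_marker_inside_repo": repo_aware_rule(ws_marker, root),
        }

if __name__ == "__main__":
    print(demo())
```

Under the refined rule the cache marker outside any repository is allowed, while a cache placed inside a Git-tracked workspace is still treated as repository content, which is consistent with the UV_CACHE_DIR attempt not helping.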
Hey, thanks for the report. This is a known sandbox limitation. It blocks all .git* files for security.
Try adding an exception in the Global Cursor Ignore List:
Open Settings CMD+,
Search for “Global Cursor Ignore List”
Add a pattern to exclude .gitignore files in the uv cache
However, since the files are in ~/.cache (outside the workspace), this might not work. I’ll pass this to the dev team. The sandbox should treat .gitignore marker files in caches differently from real git repos.
As a temporary workaround, allow the needed commands in the Command Allowlist instead of using all permissions. That’s safer than full access.
Could you share whether the Global Cursor Ignore List workaround helped?
Adding **/.gitignore and **/.git to the Global Cursor Ignore List didn’t seem to change anything. Even using UV_CACHE_DIR=.uv-cache uv run ... to put the cache dir in the workspace didn’t matter.
Allowlisting uv run would mean these commands are allowed to run outside of the sandbox, right? Since uv run can be used to execute arbitrary code, that would be potentially unsafe.
At the moment I don’t have a workaround other than manually reviewing and accepting each uv command to run outside the sandbox.
Thanks for the detailed feedback on the workaround. I can confirm this is a legitimate issue. The sandbox should distinguish marker .gitignore files in package manager caches from real Git repositories.
Right now, the only option is to manually approve each uv run command. Adding this to an allowlist is indeed unsafe for arbitrary code.
I’ll pass this to the dev team as a bug so we can improve the sandbox detection logic. Thanks for the Gist; it’ll really help us reproduce the issue.