Sandboxing is a great feature in principle. But the way it was product-designed does not make sense to me, in particular, the way its settings are smushed together with auto-run settings. What I want is to be able to configure some commands to be auto-run in sandbox, other commands to be auto-run outside of the sandbox, and the remaining commands to ask every time.
Let me give an example. For me, commands like cat, cd, grep, git show etc are fine to auto-run inside the sandbox. However, for example in my repo, go test is generally safe to auto-run but must be auto-run outside of the sandbox because it relies on a MySQL binary that runs on a local network and isn’t accessible from the sandbox. And for me, I want to audit all other commands, so that Cursor doesn’t go rogue and run rm on the wrong directory or anything like that.
The fact that this configuration option is not available to me is so surprising to me. Rather, I only have three options on wildly different places along the spectrum: “Ask Every Time” (safe but way too slow/inconvenient), “Auto-Run in Sandbox” (the closest behavior to what I want, but makes it impossible for an agent to accomplish its own work because every time it tries to run a single test in my system it fails and can’t figure out why, and also only after slowly redownloading hundreds of go modules because it can’t access my already-downloaded ones from its sandbox) to “Run Everything” (obviously way too dangerous).
What I feel is that how it should have been built is to allowlist certain commands to run outside the sandbox, and certain other commands to run inside the sandbox, and assume that it needs to ask every time for all other commands. I am curious if others feel the same way?
What’s even more surprising to me is that the agent can just decide to run things outside the sandbox if it wants to— so much for security! Convincing it to run outside of the sandbox is also not easy. I find it so hard to understand why this gets to be a decision the AI makes rather than one the user configures or decides.
Let me know if I’m misunderstanding things— I’d be thrilled to be wrong and find that I am misunderstanding how to use the Cursor settings available to me. Thanks so much!
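One way to express the three-tier policy the post asks for (allowlist in-sandbox, allowlist on-host, ask for everything else), as an added example that is not Cursor's settings format or code; the `POLICY` table and the rule that a pipeline or chain is only auto-run when every part gets the same verdict are constructed assumptions. Such a policy only means something if the host enforces it, not the agent.

```python
import shlex

# Constructed example policy (not Cursor's real settings format): command
# prefixes allowed to auto-run inside the sandbox, prefixes allowed to
# auto-run on the host, and everything else asks the user.
POLICY = {
    "sandbox": {("cat",), ("cd",), ("grep",), ("git", "show")},
    "host": {("go", "test")},
}
SEPARATORS = {"&&", "||", ";", "|"}


def tokenize(cmdline):
    """Split like a POSIX shell, keeping operators as their own tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def classify_segment(tokens):
    """Classify one simple command by its longest allowlisted prefix."""
    if not tokens or "=" in tokens[0]:  # empty, or a VAR=value prefix
        return "ask"
    best, best_len = "ask", 0
    for where, prefixes in POLICY.items():
        for prefix in prefixes:
            if tuple(tokens[:len(prefix)]) == prefix and len(prefix) > best_len:
                best, best_len = where, len(prefix)
    return best


def decide(cmdline):
    """Return 'sandbox', 'host' or 'ask' for a whole command line."""
    try:
        tokens = tokenize(cmdline)
    except ValueError:  # unbalanced quotes: do not guess, ask
        return "ask"
    segments, current = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            segments.append(current)
            current = []
        elif tok[:1] in ("(", ")", ";", "<", ">", "&"):  # redirect, subshell, bg job
            return "ask"
        else:
            current.append(tok)
    segments.append(current)
    verdicts = {classify_segment(seg) for seg in segments}
    # A pipeline or chain is only auto-run when every part has the same
    # verdict; mixing host and sandbox commands falls back to asking.
    return verdicts.pop() if len(verdicts) == 1 else "ask"
```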