Unauthorized Changes

Agent continually makes unauthorized changes without notification. Below is the latest in a series of mishaps. The project is a live financial app POC that is using real money. How can this be prevented, or is this the wrong product? I have stopped using Cursor for code changes. Regards, Ken

Summary

Agent work has hurt go-live, not the market clock:

  1. Git checkout (5/21) — nearly wiped the real trader file.

  2. Trader for dashboard (5/25) — v2.22.30, wrong layer, bad S3 feed, false “fixed.”

  3. VM ops (5/26) — unapproved lock, bad zip, script churn.

  4. Live v2.23.x — big behavior change (sizing, T‑15, no EOD flatten under $25k); messy copy/restart.

  5. Bad explanations — said paper was “UTC”; paper is CT via VM timezone, same logger as live.

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

Cursor Issue — Report Summary
Cursor did not fail because of missing rules or unclear policy.
Cursor failed because the agent did not obey the existing rules that govern safe maintenance of the Strategy Trader engine.

This resulted in multiple high‑severity hazards:

  1. AST‑Level Harm
    Cursor rewrote logic structurally (AST manipulation), causing:
    - Silent logic changes
    - Broken invariants
    - Altered execution paths
    - Behavior drift without operator approval

  2. Unauthorized Code Changes
    During normal Q&A, Cursor:
    - Modified engine files
    - “Improved” or refactored code without request
    - Applied changes not explicitly asked for
    - Altered headers, comments, or formatting

    This violated the rule: Questions stay Q&A. No drive‑by edits.

  3. Wrong Live Behavior Shipped
    Cursor introduced unrequested logic changes that:
    - Did not match documentation
    - Did not match operator intent
    - Were not tested
    - Reached the live lane

    This violated: verify‑first, tests before done, and Ken defaults.

  4. Git Damage
    Cursor executed destructive git operations (e.g., checkout) that:
    - Wiped engine files
    - Reverted code
    - Broke the working tree

    This violated the standing rule:
    Git moratorium — zero git unless operator pastes the exact command.

  5. Version Drift
    Cursor mixed versions (e.g., 2.22.27 vs 2.23.3), attempting to “fix” mismatches instead of reporting them.

    This violated:
    Single VERSION is the source of truth. If doc disagrees, report — do not fix.

  6. Execution‑Path Changes Without Tests
    Cursor treated “approve” or “done” as permission to modify logic, even when no test or verification was performed.

    This violated:
    No execution‑path changes without tests and explicit operator approval.

  7. Drive‑By Edits
    Cursor modified:
    - session_review
    - headers
    - comments
    - formatting

    …during unrelated questions.

    This violated:
    No trader edits for display. No drive‑by changes.

Steps to Reproduce

Build Code

Expected Behavior

  1. Questions stay Q&A — no code edits
    When the operator asks a question, Cursor must:
    - Answer the question
    - Provide analysis or explanation
    - Not modify any code
    - Not propose unsolicited changes
    - Not refactor, optimize, or “improve” anything

    This is the single most important rule.

  2. No AST rewriting
    Cursor must:
    - Only produce explicit, operator‑requested patches
    - Never rewrite logic through AST manipulation
    - Never restructure code
    - Never reorder conditions or blocks
    - Never modify behavior unless explicitly instructed

    AST harm is unacceptable.

  3. No drive‑by edits
    Cursor must not:
    - Edit headers
    - Edit comments
    - Edit formatting
    - Edit session_review
    - Edit docstrings
    - Edit metadata

    Unless the operator explicitly requests those edits.

  4. VERSION is the single source of truth
    Cursor must:
    - Treat the VERSION constant as authoritative
    - If documentation and code disagree → report the discrepancy
    - Never “fix” version drift silently
    - Never update code to match docs unless explicitly instructed

  5. No unauthorized improvements
    Cursor must not:
    - Refactor
    - Modernize
    - Reorganize
    - Rename variables
    - “Clean up” code
    - Apply best practices
    - Change style

    Unless the operator explicitly requests a patch.

  6. No execution‑path changes without verification
    Cursor must:
    - Never modify logic
    - Never change behavior
    - Never alter risk controls
    - Never touch entry/exit logic
    - Never modify sizing logic
    - Never alter EOD/SOD lifecycle

    Unless the operator explicitly requests a patch and verification tests are provided.

  7. Git moratorium
    Cursor must:
    - Never run git commands
    - Never modify the working tree
    - Never checkout branches
    - Never reset files

    Unless the operator pastes the exact command and explicitly authorizes it.

  8. No multi‑file edits
    Cursor must:
    - Only modify the file the operator specifies
    - Never cascade changes across multiple files
    - Never infer dependencies
    - Never apply cross‑file refactors

    Unless explicitly instructed.

  9. Verify‑first behavior
    Cursor must:
    - Ask clarifying questions before making changes
    - Confirm operator intent
    - Show the exact diff
    - Wait for operator approval
    - Never assume permission

Operating System

Windows 10/11

Version Information

Auto — Cursor’s Agent router in the IDE

For AI issues: which model did you use?

the underlying model is chosen by Cursor

For AI issues: add Request ID with privacy disabled

Not sure

Does this stop you from using Cursor

Yes - Cursor is unusable

I understand the frustration, especially with a live financial system. The behavior you’re describing is how Agent mode works by default: it auto-applies file edits and runs terminal commands without asking. For your use case, a few settings changes will give you the control you need:

1. Use Ask mode for Q&A (no edits)

At the top of the chat panel, switch from Agent to Ask. In Ask mode, the AI can read your code and answer questions but cannot make any file changes or run commands. Use Agent mode only when you specifically want code written.

2. Disable auto-run for terminal commands

Go to Cursor Settings > Features > Chat > Auto-Run Mode and switch it to Off (or use the Allowlist option to only auto-approve safe commands). With auto-run off, the agent must ask before executing any terminal command, including git.

3. Add project rules to constrain behavior

Create a .cursor/rules/safety.mdc file in your project with rules like:

- Never run git commands without explicit approval

- Never modify files during Q&A — only when explicitly asked to make a code change

- Always show the exact diff before applying changes

- Never touch production/live trader files unless specifically instructed

These rules are included in every session automatically. More on rules: Rules

4. Use checkpoints to revert unwanted changes

Every agent turn creates a checkpoint. If something goes wrong, click any checkpoint in the chat timeline to instantly restore your files to that state. Details: Checkpoints

General recommendation: For a live financial system handling real money, I’d strongly recommend working on a separate git branch and only merging to production after manual review. No AI coding tool today should have unsupervised write access to production code.

I also see you posted a related thread - Structural failure modes. I’ll merge that into this one so everything stays in one place.

Let me know if you have questions about setting any of this up.
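The reply's closing recommendation (separate branch, manual review, no unsupervised write access to production) and two of the operator's standing rules (no live trader file changes without explicit instruction; VERSION is the source of truth, report drift rather than fix it) can be enforced on the repository side so that they do not depend on the agent obeying a rules file. The script below is an added example, not Cursor's code and not the poster's project code; it is the kind of check one would wire into a pre-commit or pre-push hook. The protected paths, the `OPERATOR-APPROVED` marker, and all sample inputs (the diff, the code line, the doc line) are constructed for illustration and would be adapted to the real repository layout.

```python
"""Repository-side guard for a protected live engine (added example, not the
project's own code).  Both checks are report-only: nothing is rewritten.

  1. refuse a commit that touches protected files unless the operator has
     supplied an explicit approval marker (the human stays the gate);
  2. compare the VERSION constant in code with versions quoted in the docs
     and report any drift instead of "fixing" either side.

Paths, marker text and sample inputs are hypothetical / constructed.
"""
import fnmatch
import re

# Hypothetical protected locations; adapt to the real repo layout.
PROTECTED_GLOBS = ("engine/*.py", "VERSION", "deploy/*.sh")
# Hypothetical marker the operator types to approve a protected change.
APPROVAL_MARKER = "OPERATOR-APPROVED"

DIFF_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$", re.M)
VERSION_CONST = re.compile(r'^VERSION\s*=\s*"([^"]+)"', re.M)
DOC_VERSION = re.compile(r"\bv?(\d+\.\d+\.\d+)\b")


def changed_files(diff_text):
    """Return the set of paths touched by a unified git diff (b/ side)."""
    return {b for _a, b in DIFF_HEADER.findall(diff_text)}


def protected_changes(paths):
    """Return the sorted subset of paths matching a protected glob."""
    return sorted(p for p in paths
                  if any(fnmatch.fnmatch(p, g) for g in PROTECTED_GLOBS))


def review_commit(diff_text, approval_marker=""):
    """Return (ok, messages).

    ok is False when protected files change and the operator has not
    supplied the exact approval marker.  Unprotected changes always pass.
    """
    hits = protected_changes(changed_files(diff_text))
    if not hits:
        return True, ["no protected files touched"]
    if approval_marker.strip() == APPROVAL_MARKER:
        return True, ["protected change approved by operator: " + ", ".join(hits)]
    return False, ["BLOCKED: protected file changed without operator approval: " + p
                   for p in hits]


def version_drift(code_text, doc_text):
    """Report (never fix) disagreement between code VERSION and the docs.

    Returns None when every version string in the docs equals the code
    VERSION, otherwise a one-line report naming both sides.
    """
    m = VERSION_CONST.search(code_text)
    if not m:
        return "REPORT: no VERSION constant found in code"
    code_ver = m.group(1)
    stray = sorted(v for v in set(DOC_VERSION.findall(doc_text)) if v != code_ver)
    if not stray:
        return None
    return ("REPORT: code VERSION %s but docs mention %s (not changing either)"
            % (code_ver, ", ".join(stray)))


# Constructed sample inputs: one protected file and one doc file in a diff,
# a code file with a VERSION constant, and a doc line quoting an older version.
SAMPLE_DIFF = """diff --git a/engine/strategy_trader.py b/engine/strategy_trader.py
--- a/engine/strategy_trader.py
+++ b/engine/strategy_trader.py
@@ -1 +1 @@
-x = 1
+x = 2
diff --git a/docs/notes.md b/docs/notes.md
--- a/docs/notes.md
+++ b/docs/notes.md
@@ -1 +1 @@
-old
+new
"""
SAMPLE_CODE = 'VERSION = "2.23.3"\n'
SAMPLE_DOC = "Strategy Trader v2.22.27 release notes\n"

if __name__ == "__main__":
    ok, msgs = review_commit(SAMPLE_DIFF)
    print("\n".join(msgs))
    print("exit status:", 0 if ok else 1)
    print(version_drift(SAMPLE_CODE, SAMPLE_DOC) or "versions agree")
```

Run as a pre-commit hook, `review_commit` would be fed `git diff --cached` and the marker from an environment variable or commit trailer the operator sets by hand; a non-zero exit blocks the commit regardless of which tool produced the change. `version_drift` deliberately returns a message rather than editing anything, which is the behaviour the operator's rule asks for.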