Switch to custom Bash tool. Mask secrets from Bashsubprocs. Simplify security handling.

This commit is contained in:
Colin McDonnell
2026-01-07 19:15:58 -08:00
parent 2cc081c912
commit 879d33403c
17 changed files with 50158 additions and 37973 deletions
+11 -16
View File
@@ -314,36 +314,31 @@ function configureCursorMcpServers({ mcpServers }: ConfigureMcpServersParams) {
/**
* Configure Cursor CLI sandbox mode via cli-config.json.
* When sandbox is enabled, denies all file writes and shell commands.
* In print mode without --force, writes are blocked by default, but we add
* explicit deny rules as defense in depth.
*
* See: https://cursor.com/docs/cli/reference/permissions
* SECURITY: Cursor spawns subprocesses with full process.env, leaking API keys.
* We deny native Shell via Shell(*) rule, forcing use of MCP bash tool which
* filters secrets. Note: Shell(**) does NOT work, must use Shell(*).
*
* Config path: $XDG_CONFIG_HOME/cursor/ (not ~/.cursor/) because createAgentEnv
* sets XDG_CONFIG_HOME=$HOME/.config. See issues/cursor-perms.md.
*/
function configureCursorSandbox({ sandbox }: { sandbox: boolean }): void {
const realHome = homedir();
const cursorConfigDir = join(realHome, ".cursor");
const cursorConfigDir = join(realHome, ".config", "cursor");
const cliConfigPath = join(cursorConfigDir, "cli-config.json");
mkdirSync(cursorConfigDir, { recursive: true });
const config = sandbox
? {
// sandbox mode: deny all writes and shell commands
permissions: {
allow: [
"Read(**)", // allow reading all files
],
deny: [
"Write(**)", // deny all file writes
"Shell(**)", // deny all shell commands
],
allow: ["Read(**)"],
deny: ["Write(**)", "Shell(*)"],
},
}
: {
// normal mode: allow everything
permissions: {
allow: ["Read(**)", "Write(**)", "Shell(**)"],
deny: [],
allow: ["Read(**)", "Write(**)"],
deny: ["Shell(*)"],
},
};