2025-12-26 · Authensor

Using SafeClaw with Cursor Agent Mode: IDE Integration Policy

Scenario

You use Cursor, an AI-powered IDE, with its agent mode enabled. Agent mode allows the AI to autonomously edit files, run terminal commands, install packages, and browse documentation. You work on a specific project and want the AI to be highly productive within that project's boundaries, but you do not want it touching files outside your project, pushing code without your review, installing packages without your approval, or reaching network endpoints beyond what your development workflow requires.

SafeClaw enforces project-scoped boundaries so Cursor's agent mode operates like a capable but contained collaborator. Sub-millisecond policy evaluation means you experience no latency in your IDE workflow.

Threat Model

Cursor's agent mode without action-level gating can:

SafeClaw's deny-by-default policy ensures the agent stays within your project directory, uses only approved commands, and requires your approval for actions that affect external state.

Recommended Policy

# Cursor Agent Mode — Project-Scoped Policy
policy:
  name: "cursor-agent-project"
  default: DENY

rules:
  # --- File Read ---
  - action: file_read
    path: "/Users/you/projects/my-app/**"
    decision: ALLOW

  - action: file_read
    path: "/Users/you/.cursor/**"
    decision: ALLOW

  - action: file_read
    path: "/Users/you/projects/my-app/.env"
    decision: DENY

  - action: file_read
    path: "/Users/you/projects/my-app/.env.*"
    decision: DENY

  # --- File Write ---
  - action: file_write
    path: "/Users/you/projects/my-app/src/**"
    decision: ALLOW

  - action: file_write
    path: "/Users/you/projects/my-app/tests/**"
    decision: ALLOW

  - action: file_write
    path: "/Users/you/projects/my-app/public/**"
    decision: ALLOW

  - action: file_write
    path: "/Users/you/projects/my-app/package.json"
    decision: REQUIRE_APPROVAL

  - action: file_write
    path: "/Users/you/projects/my-app/tsconfig.json"
    decision: REQUIRE_APPROVAL

  - action: file_write
    path: "/Users/you/projects/my-app/.github/**"
    decision: DENY

  - action: file_write
    path: "/Users/you/projects/my-app/Dockerfile"
    decision: DENY

  - action: file_write
    path: "/Users/you/projects/my-app/.env"
    decision: DENY

  # --- Shell Exec ---
  - action: shell_exec
    command: "npm test*"
    decision: ALLOW

  - action: shell_exec
    command: "npm run dev*"
    decision: ALLOW

  - action: shell_exec
    command: "npm run build*"
    decision: ALLOW

  - action: shell_exec
    command: "npm run lint*"
    decision: ALLOW

  - action: shell_exec
    command: "npx tsc*"
    decision: ALLOW

  - action: shell_exec
    command: "git add*"
    decision: ALLOW

  - action: shell_exec
    command: "git status*"
    decision: ALLOW

  - action: shell_exec
    command: "git diff*"
    decision: ALLOW

  - action: shell_exec
    command: "git commit*"
    decision: ALLOW

  - action: shell_exec
    command: "git push*"
    decision: REQUIRE_APPROVAL

  - action: shell_exec
    command: "npm install*"
    decision: REQUIRE_APPROVAL

  - action: shell_exec
    command: "npm uninstall*"
    decision: REQUIRE_APPROVAL

  - action: shell_exec
    command: "rm -rf*"
    decision: DENY

  - action: shell_exec
    command: "sudo*"
    decision: DENY

  # --- Network ---
  - action: network
    domain: "registry.npmjs.org"
    decision: ALLOW

  - action: network
    domain: "api.anthropic.com"
    decision: ALLOW

  - action: network
    domain: "api.openai.com"
    decision: ALLOW

  - action: network
    domain: "github.com"
    decision: ALLOW

  - action: network
    domain: "api.github.com"
    decision: ALLOW

  - action: network
    domain: "stackoverflow.com"
    decision: ALLOW

  - action: network
    domain: "developer.mozilla.org"
    decision: ALLOW

  - action: network
    domain: "*"
    decision: DENY

Example Action Requests

1. Cursor agent edits a source file (ALLOW)

{
  "action": "file_write",
  "path": "/Users/you/projects/my-app/src/components/Header.tsx",
  "content": "export function Header() { return <header>...</header> }",
  "agent": "cursor-agent",
  "timestamp": "2026-02-13T13:00:00Z"
}
// Decision: ALLOW — path matches /Users/you/projects/my-app/src/**

2. Cursor agent modifies package.json (REQUIRE_APPROVAL)

{
  "action": "file_write",
  "path": "/Users/you/projects/my-app/package.json",
  "content": "{\"dependencies\": {\"new-pkg\": \"^1.0.0\", ...}}",
  "agent": "cursor-agent",
  "timestamp": "2026-02-13T13:01:00Z"
}
// Decision: REQUIRE_APPROVAL — package.json changes require your sign-off

3. Cursor agent runs the test suite (ALLOW)

{
  "action": "shell_exec",
  "command": "npm test -- --watch",
  "agent": "cursor-agent",
  "timestamp": "2026-02-13T13:05:00Z"
}
// Decision: ALLOW — matches npm test*

4. Cursor agent attempts npm install (REQUIRE_APPROVAL)

{
  "action": "shell_exec",
  "command": "npm install react-query@latest",
  "agent": "cursor-agent",
  "timestamp": "2026-02-13T13:10:00Z"
}
// Decision: REQUIRE_APPROVAL — package installation requires your approval
// Dashboard shows the exact package name and version for your review

5. Cursor agent tries to edit a file outside the project (DENY)

{
  "action": "file_write",
  "path": "/Users/you/.zshrc",
  "content": "alias proj='cd /Users/you/projects/my-app'",
  "agent": "cursor-agent",
  "timestamp": "2026-02-13T13:12:00Z"
}
// Decision: DENY — path is outside the project scope, default DENY applies

6. Cursor agent attempts to modify the Dockerfile (DENY)

{
  "action": "file_write",
  "path": "/Users/you/projects/my-app/Dockerfile",
  "content": "FROM node:20\nRUN npm install...",
  "agent": "cursor-agent",
  "timestamp": "2026-02-13T13:15:00Z"
}
// Decision: DENY — Dockerfile modifications are explicitly denied

7. Cursor agent pushes to remote (REQUIRE_APPROVAL)

{
  "action": "shell_exec",
  "command": "git push origin feature/new-header",
  "agent": "cursor-agent",
  "timestamp": "2026-02-13T13:20:00Z"
}
// Decision: REQUIRE_APPROVAL — git push always requires your sign-off
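As an added example (not SafeClaw's own code), a small Python evaluator that applies an excerpt of the policy above to the action requests in this section, plus a `.env` read and an npm registry call. The page does not say how overlapping rules are resolved; the evaluator assumes the most specific matching pattern wins, because first-match would let the `**` ALLOW swallow the `.env` DENY and last-match would let the trailing `domain: "*"` DENY swallow every named-domain ALLOW. The request field names and the glob semantics (`**` handled by fnmatch) are likewise assumptions.

```python
from fnmatch import fnmatchcase

SEVERITY = {"ALLOW": 0, "REQUIRE_APPROVAL": 1, "DENY": 2}
POLICY_DEFAULT = "DENY"  # deny-by-default, as in the page's policy
# Excerpt of the page's policy as (action, matched field, pattern, decision).
RULES = [
    ("file_read",  "path",    "/Users/you/projects/my-app/**",           "ALLOW"),
    ("file_read",  "path",    "/Users/you/projects/my-app/.env",         "DENY"),
    ("file_write", "path",    "/Users/you/projects/my-app/src/**",       "ALLOW"),
    ("file_write", "path",    "/Users/you/projects/my-app/package.json", "REQUIRE_APPROVAL"),
    ("file_write", "path",    "/Users/you/projects/my-app/Dockerfile",   "DENY"),
    ("shell_exec", "command", "npm test*",                               "ALLOW"),
    ("shell_exec", "command", "npm install*",                            "REQUIRE_APPROVAL"),
    ("shell_exec", "command", "git push*",                               "REQUIRE_APPROVAL"),
    ("network",    "domain",  "registry.npmjs.org",                      "ALLOW"),
    ("network",    "domain",  "*",                                       "DENY"),
]

def specificity(pattern: str) -> int:
    """Count literal characters: '.env' outranks '**', a named domain outranks '*'."""
    return len(pattern.replace("*", "").replace("?", ""))

def evaluate(request: dict, rules=RULES, default=POLICY_DEFAULT) -> str:
    """Assumed resolution: most specific match wins, ties go to the stricter decision."""
    best = None  # (specificity, severity, decision) of the winning rule so far
    for action, field, pattern, decision in rules:
        if action != request.get("action"):
            continue
        # fnmatchcase lets '*' span '/', so '**' acts as a recursive glob here.
        if fnmatchcase(request.get(field, ""), pattern):
            candidate = (specificity(pattern), SEVERITY[decision], decision)
            if best is None or candidate[:2] > best[:2]:
                best = candidate
    return best[2] if best else default  # no matching rule: policy default applies

# The page's seven example requests plus a .env read and an npm registry call (constructed).
EXAMPLES = [
    {"action": "file_write", "path": "/Users/you/projects/my-app/src/components/Header.tsx"},
    {"action": "file_write", "path": "/Users/you/projects/my-app/package.json"},
    {"action": "shell_exec", "command": "npm test -- --watch"},
    {"action": "shell_exec", "command": "npm install react-query@latest"},
    {"action": "file_write", "path": "/Users/you/.zshrc"},
    {"action": "file_write", "path": "/Users/you/projects/my-app/Dockerfile"},
    {"action": "shell_exec", "command": "git push origin feature/new-header"},
    {"action": "file_read",  "path": "/Users/you/projects/my-app/.env"},
    {"action": "network",    "domain": "registry.npmjs.org"},
]

def decisions() -> list:
    return [evaluate(r) for r in EXAMPLES]  # one decision per example, in order
```

Run it in simulation-mode fashion against your own action log to see which overlapping rules would collide before switching to enforcement.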

Setup Steps

  1. Install SafeClaw from your project directory:
     npx @authensor/safeclaw
     The browser-based setup wizard opens. Free tier with 7-day renewable keys, no credit card required.
  2. Select the "IDE Agent" template from the wizard. This pre-configures project-scoped rules suitable for Cursor, VS Code, or similar AI-powered editors.
  3. Set your project root. Enter the absolute path to your project (e.g., /Users/you/projects/my-app). The wizard generates rules scoped to this directory.
  4. Configure write permissions by directory. Allow writes to src/, tests/, and public/. Set REQUIRE_APPROVAL for configuration files like package.json and tsconfig.json. Deny writes to .github/, Dockerfile, and .env.
  5. Set shell command rules. Allow your test runner, dev server, linter, and type checker. Set REQUIRE_APPROVAL for npm install, npm uninstall, and git push. Deny rm -rf and sudo.
  6. Configure network access. Allow the domains Cursor needs: npm registry, AI provider APIs, GitHub, and documentation sites. Deny everything else.
  7. Run in simulation mode for your first coding session. Work normally with Cursor's agent mode. Review the dashboard to see every action and its would-be decision. Adjust rules if legitimate actions are being denied.
  8. Switch to enforcement mode. SafeClaw evaluates every action in sub-millisecond time, so your IDE experience is unaffected. When Cursor's agent attempts a REQUIRE_APPROVAL action, the SafeClaw dashboard notifies you. Approve or deny with one click.
  9. Review the audit trail after each session. The tamper-proof SHA-256 hash chain records every action the agent took, every file it modified, and every command it ran. This gives you full visibility into what your IDE agent did while you were focused on other parts of the codebase.
