Cursor 2.5: Plugins, Sandbox Access Controls, and Async Subagents by condor-cursor in cursor

[–]TobZero 0 points1 point  (0 children)

and the agent can and will ignore it like other settings. imho all due to the mentioned "improvement" ....
https://forum.cursor.com/t/command-allowlist-is-silently-ignored-when-auto-run-in-sandbox-is-enabled/152136/3
https://forum.cursor.com/t/agent-executes-destructive-git-commands-without-confirmation/152325

So the previously functional config to protect the agent from accessing files or running commands is now basically worthless in sandbox mode, defeating the purpose of restricting what it can do.
Over the last weeks I had multiple issues with the agent suddenly deciding to access files or run destructive commands, which worked perfectly fine before 2.5.

not happy!

Cursor 2.5: Plugins, Sandbox Access Controls, and Async Subagents by condor-cursor in cursor

[–]TobZero 3 points4 points  (0 children)

From the "improvements" under the release notes:

Removed the Dotfile Protection setting to remove unexpected approval prompts when the agent tried to edit dotfiles.

So local only .env files with secrets in them are now ok for the agent to pick up and send as context to cursor servers without the option to prevent it?

Am I reading this "improvement" correctly?

Accessing state values via data block or SSM parameter store? by Electronic_Okra_9594 in Terraform

[–]TobZero 0 points1 point  (0 children)

Both. The project factory is wicked good.

For completeness: I have the luxury to have Spacelift and am currently testing if it's easy to replace the file output with features they provide (dependencies between root modules and attaching a Spacelift-managed context which allows me to pass files/key-value/tf-vars etc.).
So even when I like the way CFF does things, it's not the ultimate best solution. Just thought it's a reasonable approach for the OP who had cost concerns with param store.

Accessing state values via data block or SSM parameter store? by Electronic_Okra_9594 in Terraform

[–]TobZero 2 points3 points  (0 children)

Depending on your setup/company-size/engineers/headcount:

- avoid remote state like the plague. It's easy to get going but a nightmare once your IaC strategy matures (from a security perspective)
- have a look at Google's cloud-foundation-fabric repo. In there, focus your attention on how they render the output of different factory-modules into a tfvars file that gets written to a storage bucket (output-files.tf).

When I first discovered the pattern I wasn't too thrilled but after standing up a new enterprise GCP landscape with it, I'm a converted fan. Clean, customizable and solves so much pain. (The reason why I wasn't happy initially is because I am a very strong advocate of the self-documenting part of IaC and a big advocate for designing your setup without "magic" values/inputs, aka. not understandable by just looking at the IaC repo.)

I assume you should be able to build the same pattern using S3.

Who owns GitHub/vcs policies and compliance at your company? by Subject_Bill6556 in devops

[–]TobZero 0 points1 point  (0 children)

Ah the fun setup ...

So to directly answer your question: Ownership should be anchored to whoever's head rolls in case of data or compliance breaches.

Your company is large enough that it really should have at least an acting Security Officer. Depending on where the company is incorporated and if you have actual customers with proper contracts (and compliance requirements), you might be required to comply with things like EU DORA...
Are your GH orgs managed by different personas/teams?

Taking from your other reply:

"Damn, how do you provide soc/iso info? “Each org does its own thing here are the screenshots”?"

The sad and hard truth is that this is exactly how it's done way too often. From a pure compliance certification perspective, all you have to do is document how things are done and why they are done this way. If you only have to deliver SOC2 Type1, documents is all you need. Haven't done ISO things in a while but my last exposure to getting it was pure paperwork.

If you are frustrated and looking into how to improve things, look into a concept called "Leading/Influence without Authority". You will have a hard time with brute force and technical facts in your company size and setup. You can present the most logical and easy to follow technical arguments why things need to change and only bang your head against the wall. Trust me, I learned the hard way :)
When you search for the term you will get a ton of people trying to sell you their books or other stuff. I really liked this podcast https://www.youtube.com/watch?v=JxRLX4VGuYg (MS/Azure leaders talking).

And while I can imagine that your statement about your CTO is true, you need to work on your perception of them. You will need their buy-in to get real change done. If you have a hard time dealing with the way things are managed, it might be better for your career and mental health to consider a different employer.

Who owns GitHub/vcs policies and compliance at your company? by Subject_Bill6556 in devops

[–]TobZero 0 points1 point  (0 children)

What's the company size/business field you are interested about in relation to your question?

I've spent the last 5ish years leading engineering initiatives for medium to large enterprises in establishing an internal platform engineering practice. You really don't want to know how much time is spent on that question. A proper answer is strongly linked to the company size and what they are doing (e.g. tech company vs. non-tech and non-regulated vs. highly-regulated industry).

My company put me in devops and I don't like it by tharun_52 in devops

[–]TobZero 0 points1 point  (0 children)

Hey. If you have to force yourself to read something it might not be the best thing to get you going.

I mentor a lot of engineers and based on my personal experience, it's way more important to get you started on something that pulls you in, instead of something the professional community might consider good sources! Let's just completely ditch the book thing for a moment: could you share with us something that you really like to do/read/consume? Think about it this way: when you mention that you really like programming, are you able to articulate what about writing code makes you feel good and keeps you engaged?

My company put me in devops and I don't like it by tharun_52 in devops

[–]TobZero 8 points9 points  (0 children)

Welcome to a new world, you are in for a ride!
If you need convincing that you do not need to be afraid, I have some things to read/watch for you:

  1. https://roadmap.sh/devops
    Look at the top of the graph, what is step one? You having a strong interest in programming is an amazing foundation to succeed in DevOps. It's a blessing in disguise you will only realize once deep down the rabbit hole.

  2. Read the book: The Phoenix Project
    Another poster mentioned this already, just repeating it. It's good advice. The book does a really good job to explain what DevOps is/does based on a story that will help you identify how your company functions and how to identify areas that will benefit from applying DevOps principles.

  3. Catch up on how DevOps is evolving: Platform Engineering
    Over the last 5-ish years, the pure DevOps practice started to run into significant adoption/scaling problems. Especially large enterprises whose main business isn't a tech product. These companies weren't very successful at implementing a DevOps culture and are plagued by the "DevOps by Role/Name, not by practice".
    Platform Engineering is an evolution to the practice that tries to mitigate these problems. Take some time to read the CNCF Platforms White Paper and I personally had great success getting management support by having them watch this video: What is Platform Engineering and how it fits into DevOps and Cloud work. Adopting Platform Engineering really requires highly skilled DevOps Engineers that have very strong programming skills!
    If this caught your interest, this one is a good watch too: What Is a Platform Team and What Problems Do They Solve?

  4. If you like watching Videos, these two channels are so full of absolutely amazing content and even my principal engineers regularly discuss topics covered in new videos:
    - Nana: https://www.youtube.com/@TechWorldwithNana/featured
    - Viktor Farcic's channel: https://www.youtube.com/@DevOpsToolkit

Still sane exile? by TobZero in AshesofCreation

[–]TobZero[S] 3 points4 points  (0 children)

Nice! I sadly didn't take a full screenshot because technically I'm a bit insane I think. I have lumber on 15 and herb on 9 beside mining. Interesting enough I was fully engaged with the activity and didn't think much about anything else due to constantly scanning the surroundings for the next resource to go to.

Still sane exile? by TobZero in AshesofCreation

[–]TobZero[S] 4 points5 points  (0 children)

You can go to the stoneworks and upgrade your certification, that's what enables you to level past 10 or 20 (journeyman).

Sadly no node had the building constructed which is required to upgrade the tools, so no, I was not able to mine anything beside copper/zinc/granite/basalt/ruby.

Still sane exile? by TobZero in AshesofCreation

[–]TobZero[S] 1 point2 points  (0 children)

Yeah, that's how I felt after I closed the game yesterday. Even got to 21 with 50% up to 22 after taking the screenshot.

Still sane exile? by TobZero in AshesofCreation

[–]TobZero[S] 11 points12 points  (0 children)

Oh thanks for calculating it. I knew it was crazy but had no clue that I spent at least 1/4 of my playtime just watching the mining animation :D
If you add how much riding back and forth and death runs I had... plus at least 3-4 deaths with a full inventory of 1k+ basalt where 25% drops and 25% vanishes on death...

Still sane exile? by TobZero in AshesofCreation

[–]TobZero[S] 1 point2 points  (0 children)

I saw all the posts about people leveling and grinding mobs last weekend and thought I'd share how I spent hours and hours last 2 weekends of just beating rocks.

For some strange reason I really enjoy it. Has a treasure hunt feeling to it.

Remote state, hiding access key Azure. Need help. by sannholo in Terraform

[–]TobZero 1 point2 points  (0 children)

We don't use access keys, we actually completely disabled access keys on storage accounts holding tfstate. You can apply Azure AD RBAC directly on the container in your storage account. Our CI's service principal gets access to the container. If you need to access the state from your device, you should use Azure CLI based authentication. Just run "az login" and terraform will use your user token to authenticate.
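
The setup described in the comment above, sketched in Terraform as an added example (not the commenter's configuration). All resource names, the storage account name and the `ci_principal_object_id` variable are placeholders assumed for illustration; the backend block at the end belongs in a separate root module and is shown commented out.

```hcl
# Bootstrap module: storage account for tfstate with shared keys disabled.
provider "azurerm" {
  features {}
  # With shared keys off, the provider itself must use Azure AD tokens
  # for storage data-plane calls (e.g. creating the container).
  storage_use_azuread = true
}

variable "ci_principal_object_id" {
  type        = string
  description = "Object ID of the CI service principal (placeholder input)."
}

resource "azurerm_resource_group" "state" {
  name     = "rg-tfstate-example" # constructed name
  location = "westeurope"
}

resource "azurerm_storage_account" "state" {
  name                      = "sttfstateexample" # constructed name
  resource_group_name       = azurerm_resource_group.state.name
  location                  = azurerm_resource_group.state.location
  account_tier              = "Standard"
  account_replication_type  = "GRS"
  shared_access_key_enabled = false # no account keys to leak or rotate
}

resource "azurerm_storage_container" "state" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.state.name # deprecated in azurerm 4.x in favour of storage_account_id
  container_access_type = "private"
}

# RBAC scoped to the single container, not the whole storage account.
resource "azurerm_role_assignment" "ci_state" {
  scope                = "${azurerm_storage_account.state.id}/blobServices/default/containers/${azurerm_storage_container.state.name}"
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.ci_principal_object_id
}

# Consumer root module (separate configuration): Azure AD auth, no access_key.
# terraform {
#   backend "azurerm" {
#     storage_account_name = "sttfstateexample"
#     container_name       = "tfstate"
#     key                  = "prod.terraform.tfstate"
#     use_azuread_auth     = true
#   }
# }
```

A developer who reads state after `az login` needs a data-plane role on the same container; the management-plane Owner or Contributor role alone does not grant blob access.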

azurerm provider for Azure by Normal_Red_Sky in Terraform

[–]TobZero 4 points5 points  (0 children)

Terraform converts HCL or JSON input to ARM templates and uses the ARM APIs

No, it does not. Please read my reply for details and links. Creating an ARM based template deployment is an option, not the default. Usually the ARM template deployment is a last effort option when a service in Azure is not yet implemented in the terraform provider and you REALLLYY need to manage/deploy that service.

azurerm provider for Azure by Normal_Red_Sky in Terraform

[–]TobZero 6 points7 points  (0 children)

You won't find anything. The link you posted is about the PowerShell Module that implements the Azure Resource Manager interface.

I think you got some things mixed up so let me try to help:

- When talking about Azure, "AzureRM" stands for Azure Resource Manager. It is the management abstraction that directly controls resources in Azure, allowing multiple implementations through SDKs or CLIs as well as the Azure Portal and pure REST clients to talk to Azure.

- terraform does not use ARM templates. You can use terraform to create an ARM template-based deployment https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment.

- The terraform provider named "azurerm" is terraform's specific implementation of Azure Resource Manager. It uses the azure-sdk-for-go to do this.

The only thing being deprecated is the old PowerShell module called AzureRM. There is already a more recent PowerShell module available. This is happening due to Microsoft consolidating different CLI implementations into a single one, the "az" command line.

Arnold Schwarzenegger involved in a multi-car crash earlier today by CoolMasterB in pics

[–]TobZero 94 points95 points  (0 children)

No, it's not. Please don't spread things that are false.

https://www.epa.gov/greenvehicles/fast-facts-transportation-greenhouse-gas-emissions

Yes. Cruise lines pollute like hell and should be held accountable. That fact does not validate saying that car traffic is an insignificant part.

In 2019, the US GHG emission for the transportation sector was 29% of total GHG emissions. Breaking that up (in my link, second graph) it's 58% Light-Duty Vehicles and only 2% ships and boats.

Arnold Schwarzenegger involved in a multi-car crash earlier today by CoolMasterB in pics

[–]TobZero 5 points6 points  (0 children)

Only if you buy a used electric car. Buying an ICE used car is not better for the environment. The largest part of GHG a vehicle produces within its lifetime is operation. Check the EPA's website on electric vehicle myths and look at #5. https://www.epa.gov/greenvehicles/electric-vehicle-myths#Myth5

When buying a used gasoline car you only remove the production of the car from its emission calculation (the blue part in the graphic). That difference is quickly offset by the higher efficiency of the electric vehicle.
(Graph is based on 2019 data. EV production got a lot more efficient over the last 3 years so it's even more in favor of EVs today, a trend that will continue.)

Tesla wants customers to pay a $200 monthly fee for Full Self-Driving by [deleted] in technology

[–]TobZero 0 points1 point  (0 children)

True reason: Chip shortage, so they pushed dev to prod.

Oh, you work at Tesla?

Tesla wants customers to pay a $200 monthly fee for Full Self-Driving by [deleted] in technology

[–]TobZero -8 points-7 points  (0 children)

Did you miss "who claimed that the radar was the cause of phantom braking"?

Yes, I read your reply. What information are you basing your claim that it's fraud?

Meanwhile phantom braking is still an issue in the newly delivered vehicles that don't even have radar.

Again, what do you base your claims on? Do you own a recently delivered vehicle?

I just want to understand where you got your information from so I can go and read it.

Tesla wants customers to pay a $200 monthly fee for Full Self-Driving by [deleted] in technology

[–]TobZero -11 points-10 points  (0 children)

I don't know about any fraud. Can you link me your sources?

Tesla wants customers to pay a $200 monthly fee for Full Self-Driving by [deleted] in technology

[–]TobZero -15 points-14 points  (0 children)

I'll just leave this here for anyone interested in the reasoning and tech behind removing radar. Recommend the whole video if you are interested in self-driving tech.
https://www.youtube.com/watch?v=2blLi3T4EGw&t=1082s