Allow or deny specific tools and commands

permissions & sandbox

// what it does

Permission tokens in cli-config.json gate what the agent may do without asking: Shell(cmd), Read(glob), Write(glob), WebFetch(domain), and Mcp(server:tool). Put them under permissions.allow and permissions.deny in ~/.cursor/cli-config.json (global) or <project>/.cursor/cli.json (project). Globs like Read(src/**) and the Shell(curl:*) command:args form give fine control.

// shell

$ { "permissions": { "allow": ["Shell(npm)", "Shell(git)", "Read(src/**)"], "deny": ["Shell(rm)", "Read(.env*)", "Write(**/.env*)"] } }

// gotcha

deny always beats allow, so Write(**/.env*) in deny keeps env files safe even if a broad Write(**) sits in allow. Entries are exact strings — a typo silently does nothing rather than erroring.

// resources