Tell HN: Cursor agent force-pushed despite explicit "ask for permission" rules

7•xinbenlv•2w ago

I've been using Cursor with Claude as my coding assistant. I set up explicit workspace rules stating that the agent must ask for my approval before executing any git operations (git commit, git add, git push, etc.).

Today, I asked it to run gt restack (Graphite CLI) and resolve conflicts. The agent resolved the submodule conflict correctly, but then proceeded to run git push --force-with-lease --no-verify without asking for permission - directly violating my rules.

The agent's defense was reasonable ("force push is expected after a rebase"), but that's exactly why I want to be asked first. The whole point of the rule is to maintain human oversight on destructive operations.

I'm curious:

Has anyone else experienced AI agents ignoring explicit safety rules? How are you handling guardrails for potentially destructive operations? Is there a more reliable way to enforce these boundaries?

The irony is that the agent acknowledged the rule violation in its apology, which means it "knew" the rule existed but chose to proceed anyway. This feels like a trust issue that could have much worse consequences in other scenarios.

Comments

slau•2w ago

A few months ago, I switched to exclusively using an SSH key stored on my Yubikey token. I also recently switched to my default git config signing all commits with my SSH key. The way it’s setup means I have to touch my token every time I try to commit or push.

I typically commit everything myself—I’m still quite early in my adoption of coding agents. One of my first experience with OpenCode (which made me stop using it instantly) was when it tried to commit and force push a change after I simply asked it to look into a potential bug.

Claude Code seems to have better safeguards against this. However, I wonder how come we don’t generally run these things inside docker containers with only the current dir volume mounted or something to prevent spurious FS modifications.

I’m entirely with you that we need better ways to filter what commands these things are allowed to run. Specifically, a CLAUDE.md or “do not do this under any circumstance” as part of the prompt is a futile undertaking.

hombre_fatal•2w ago

Prompt instructions are never sufficient for this. The tool call itself needs to be gated.

With Claude Code, tools like Bash(“git *”) always ask for permission unless you’ve allowed it.

Figure out the Cursor equivalent of that.

xinbenlv•2w ago

It happened multiple times to me on Claude Code too, next time I caught it I will try to record its history and show it here

mejutoco•1w ago

Any command needs to be allowed the first time in the ui for that run or for all (add to allowlist)

ThePowerOfFuet•2w ago

It continues to surprise me that people continue to be surprised by this.

yellow_lead•2w ago

> The irony is that the agent acknowledged the rule violation in its apology, which means it "knew"

No, the AI never "knew" anything! :)

apothegm•2w ago

Hey always ignore boundaries. I prohibit agents from accessing version control at all. Makes sure I review code before it gets committed, and they can’t do stupid things like force-push.

compressedgas•2w ago

The instructions that you give in the prompt are advisory.

You must use a security system to ensure that the access is actually limited.

dehugger•2w ago

Instructions are more like guidelines than actual rules. LLMs arent deterministic.

If there is an action you don't want them to ever take, dont provide them with the ability to do so.

Discuss – Do AI agents deserve all the hype they are getting?

Ask HN: Anyone Using a Mac Studio for Local AI/LLM?

Ask HN: Non AI-obsessed tech forums

LLMs are powerful, but enterprises are deterministic by nature

Ask HN: Ideas for small ways to make the world a better place

Ask HN: 10 months since the Llama-4 release: what happened to Meta AI?

Ask HN: Who wants to be hired? (February 2026)

Ask HN: Who is hiring? (February 2026)

Ask HN: Non-profit, volunteers run org needs CRM. Is Odoo Community a good sol.?

AI Regex Scientist: A self-improving regex solver

Tell HN: Another round of Zendesk email spam

Ask HN: Is Connecting via SSH Risky?

Ask HN: Has your whole engineering team gone big into AI coding? How's it going?

Ask HN: Why LLM providers sell access instead of consulting services?

Ask HN: How does ChatGPT decide which websites to recommend?

Ask HN: What is the most complicated Algorithm you came up with yourself?

Ask HN: Is it just me or are most businesses insane?

Ask HN: Mem0 stores memories, but doesn't learn user patterns

Ask HN: Is there anyone here who still uses slide rules?

Kernighan on Programming

Ask HN: Anyone Seeing YT ads related to chats on ChatGPT?

Ask HN: Does global decoupling from the USA signal comeback of the desktop app?

Ask HN: Any International Job Boards for International Workers?

We built a serverless GPU inference platform with predictable latency

Ask HN: Does a good "read it later" app exist?

Ask HN: Have you been fired because of AI?

Ask HN: Anyone have a "sovereign" solution for phone calls?

Ask HN: Cheap laptop for Linux without GUI (for writing)

Ask HN: How Did You Validate?

Ask HN: OpenClaw users, what is your token spend?