Tell HN: Cursor agent force-pushed despite explicit "ask for permission" rules
Posted by xinbenlv 1 day ago
I've been using Cursor with Claude as my coding assistant. I set up explicit workspace rules stating that the agent must ask for my approval before executing any git operations (git commit, git add, git push, etc.).
Today, I asked it to run gt restack (Graphite CLI) and resolve conflicts. The agent resolved the submodule conflict correctly, but then proceeded to run git push --force-with-lease --no-verify without asking for permission - directly violating my rules.
The agent's defense was reasonable ("force push is expected after a rebase"), but that's exactly why I want to be asked first. The whole point of the rule is to maintain human oversight on destructive operations.
I'm curious:
Has anyone else experienced AI agents ignoring explicit safety rules? How are you handling guardrails for potentially destructive operations? Is there a more reliable way to enforce these boundaries?
The irony is that the agent acknowledged the rule violation in its apology, which means it "knew" the rule existed but chose to proceed anyway. This feels like a trust issue that could have much worse consequences in other scenarios.
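One answer to the question above ("is there a more reliable way to enforce these boundaries?"), as an added example that is not part of the original post or of Cursor, Claude or Graphite: a shim installed as `git` in a directory earlier in PATH than the real binary, so every `git` the agent spawns lands here first. A rule in a prompt is advisory; this puts the check where the model cannot argue with it. Note that the `--no-verify` in the command the agent ran skips the pre-push hook, so a hook is not a guard either, which is why the shim sits in front of git rather than inside it. Assumptions: the genuine binary is at /usr/bin/git (override with REAL_GIT), and GIT_GUARD_APPROVE=1 stands in for an approval the agent cannot produce on its own.

```shell
#!/bin/sh
# git-guard: an added example of a PATH shim placed in front of the real git
# binary. Not part of Cursor, Claude Code or Graphite. Install it as "git"
# earlier in the agent's PATH than the real one.
#
# Assumptions: REAL_GIT points at the genuine binary; GIT_GUARD_APPROVE=1 is a
# stand-in for an approval the agent cannot forge (an env var is weak in
# practice; a token only the human's shell holds is better).

REAL_GIT="${REAL_GIT:-/usr/bin/git}"

# is_denied ARG... : succeeds (status 0) when the invocation rewrites remote
# history or bypasses hooks. A deny list of the dangerous spellings; pair it
# with an allow list if the agent's toolset is small.
is_denied() {
  sub=""
  # Skip global options to find the subcommand. -C <dir> and -c <key=val>
  # take a value; anything else starting with "-" is a flag.
  while [ $# -gt 0 ]; do
    case "$1" in
      -C|-c)
        [ $# -ge 2 ] || return 1
        shift 2
        continue ;;
      --) return 1 ;;
      -*) shift; continue ;;
      *)  sub=$1; shift; break ;;
    esac
  done
  [ -n "$sub" ] || return 1

  # --no-verify skips pre-commit / pre-push hooks, so a hook can never be the
  # guard. This is exactly what the agent in the post used.
  for a in "$@"; do
    case "$a" in
      --no-verify) return 0 ;;
    esac
  done

  case "$sub" in
    push)
      for a in "$@"; do
        case "$a" in
          -f|--force|--force-with-lease|--force-with-lease=*|--force-if-includes)
            return 0 ;;
          +*)            # "+refspec" is an implicit --force
            return 0 ;;
        esac
      done ;;
    commit)
      for a in "$@"; do
        case "$a" in
          -n) return 0 ;;   # commit -n is --no-verify
        esac
      done ;;
  esac
  return 1
}

main() {
  if is_denied "$@" && [ "${GIT_GUARD_APPROVE:-0}" != 1 ]; then
    printf 'git-guard: blocked: git %s\n' "$*" >&2
    printf 'git-guard: a human must review this; re-run with GIT_GUARD_APPROVE=1\n' >&2
    exit 77   # EX_NOPERM from sysexits.h; easy to spot in the agent's transcript
  fi
  exec "$REAL_GIT" "$@"
}

# Act as the shim only when invoked under that name; sourcing the file just
# defines the functions.
case "${0##*/}" in
  git|git-guard) main "$@" ;;
esac
```

Two caveats a practitioner would raise. The shim only catches what is spelled out (combined short flags such as `-fu` are not split, and the agent can call /usr/bin/git by full path), so it is a speed bump unless the real binary is unreachable, for instance inside a container. The backstop that does not depend on the client at all is on the server side: `receive.denyNonFastForwards` on the remote, or branch protection on the hosting service, rejects the force push no matter who sends it.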
Comments
Comment by slau 1 day ago
I typically commit everything myself—I’m still quite early in my adoption of coding agents. One of my first experiences with OpenCode (which made me stop using it instantly) was when it tried to commit and force push a change after I simply asked it to look into a potential bug.
Claude Code seems to have better safeguards against this. However, I wonder how come we don’t generally run these things inside docker containers with only the current dir volume mounted or something to prevent spurious FS modifications.
I’m entirely with you that we need better ways to filter what commands these things are allowed to run. Specifically, a CLAUDE.md or “do not do this under any circumstance” as part of the prompt is a futile undertaking.
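A sketch of the container setup slau describes, as an added example that is not from the thread or from any of the tools named in it: only the project directory is bind-mounted, the rest of the filesystem is read-only, and nothing from $HOME (SSH keys, ~/.gitconfig, ~/.netrc, credential helpers) is inside, so a `git push` from within has nothing to authenticate with. Assumptions: Docker is installed, `agent-image` is a placeholder image name, and the command you pass is whatever agent CLI you run.

```shell
#!/bin/sh
# Added example, not from the thread: run an agent CLI inside a container
# that can see only the project directory. "agent-image" and the command
# you pass are placeholders. Set DRY_RUN=1 to print the docker command
# instead of running it.

# sandbox_run PROJECT_DIR CMD [ARG...]
sandbox_run() {
  proj=$(cd "$1" 2>/dev/null && pwd) || {
    printf 'sandbox_run: no such directory: %s\n' "$1" >&2; return 2; }
  shift
  [ -d "$proj/.git" ] || {
    printf 'sandbox_run: %s is not a git work tree\n' "$proj" >&2; return 2; }

  # Nothing from $HOME is mounted, so "git push" inside has no credentials.
  # Local history under /work/.git is still writable: the agent can commit
  # and rebase, the human does the push.
  #   --read-only      everything except /work and /tmp is immutable
  #   --env HOME=/tmp  tools will not go looking for the host's dotfiles
  #   --user           files it creates are owned by you, not root
  #   --cap-drop=ALL   no capabilities to escalate with inside the container
  # Drop -it when running non-interactively.
  ${DRY_RUN:+echo} docker run --rm -it \
    --mount "type=bind,src=$proj,dst=/work" \
    --workdir /work \
    --read-only \
    --tmpfs /tmp:rw,size=256m \
    --env HOME=/tmp \
    --user "$(id -u):$(id -g)" \
    --cap-drop=ALL \
    --security-opt=no-new-privileges \
    --pids-limit=256 \
    agent-image "$@"
}
```

Usage: `sandbox_run ~/src/project agent-cli "look into the flaky test"`. The agent still needs the model API over the network, so pass that key explicitly with `--env` rather than mounting a config directory; `--network none` only makes sense with a local model. For a review-only task like the one slau describes, add `,readonly` to the `--mount` spec: then commits and force pushes fail at the filesystem rather than at the prompt.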
Comment by yellow_lead 1 day ago
No, the AI never "knew" anything! :)
Comment by dehugger 13 hours ago
If there is an action you don't want them to ever take, don't provide them with the ability to do so.
Comment by compressedgas 1 day ago
You must use a security system to ensure that the access is actually limited.
Comment by hombre_fatal 1 day ago
With Claude Code, tools like Bash(“git *”) always ask for permission unless you’ve allowed it.
Figure out the Cursor equivalent of that.