Cursor Sandbox Network Access: Issue, Environment, and Solution

Last Updated: 2025-12-04
Author: AI Assistant (Auto)
Context: Release Workflow (RW) Step 11 - Git Push Operations
Status: ✅ Resolved
Related: Release Workflow Agent Execution (source) | Workflow Hardening Guide

---

Executive Summary

Cursor's sandbox environment blocks network access by default for security. This caused git push operations in the Release Workflow (RW) to fail, requiring manual intervention. The solution was to configure required_permissions: ['network'] when calling run_terminal_cmd for git push operations, enabling automatic end-to-end workflow completion.

---

The Problem

Initial Symptom

During Release Workflow execution, Step 11 (Push with tag) consistently failed with:

fatal: unable to access 'https://github.com/{user}/{repo}/': Could not resolve host: github.com

Impact on Workflow

Before the fix:

1. RW Steps 1-10 completed successfully ✅

   • Version bumped
   • Kanban docs updated
   • Changelog created
   • Files staged
   • Validators passed
   • Commit created
   • Tag created

2. Step 11 failed ❌

   • git push origin <branch> → "Could not resolve host"
   • git push origin v<version> → "Could not resolve host"

3. Manual intervention required ❌

   • User had to manually run git push commands
   • Workflow was incomplete
   • Release process was interrupted

Why This Was Problematic

• Workflow Incompleteness: The RW workflow is designed to be fully automated. Manual steps break this automation.
• User Friction: Users had to remember to manually push after RW completion.
• Inconsistency: Sometimes pushes succeeded (if run manually), sometimes they didn't (if forgotten).
• Documentation Gap: No clear explanation of why pushes failed or how to fix it.

---

Environmental Conditions

Cursor Sandbox Architecture

Cursor uses a sandboxed execution environment for AI assistant tool calls. This sandbox:

1. Isolates Execution: Runs commands in a controlled environment
2. Restricts Network Access: Blocks outbound network connections by default
3. Requires Explicit Permissions: Network access must be explicitly requested
4. Provides Security: Prevents arbitrary network operations

Default Sandbox Behavior

Without explicit permissions:

• ✅ Local file system access (read/write)
• ✅ Local command execution
• ✅ Environment variable access
• ❌ Network access (blocked)
• ❌ External API calls (blocked)
• ❌ DNS resolution (blocked)

This is intentional: Cursor blocks network access by default to prevent:

• Unauthorized data exfiltration
• Arbitrary API calls
• Malicious network operations
• Credential exposure

Git Push Requirements

Git push operations require:

1. Network Access: To connect to GitHub/GitLab/etc.
2. DNS Resolution: To resolve hostnames (e.g., github.com)
3. HTTPS/TLS: To establish secure connection
4. Authentication: Git credentials (already configured)

The Conflict:

• Git push needs network access
• Sandbox blocks network access by default
• Result: Push fails with "Could not resolve host"

---

Investigation and Discovery

Initial Hypothesis

Hypothesis 1: Git credentials issue

• Test: Checked git config --global credential.helper
• Result: Credentials configured correctly
• Conclusion: Not a credential problem

Hypothesis 2: SSL/TLS configuration issue

• Test: Checked git config http.sslbackend
• Result: SSL configured correctly
• Conclusion: Not an SSL problem

Hypothesis 3: Network connectivity issue

• Test: Ran curl https://github.com (without permissions)
• Result: Failed with "Could not resolve host"
• Conclusion: Network access blocked

Root Cause Identification

The issue was identified by examining the error message pattern:

Could not resolve host: github.com

This is a DNS resolution failure, which occurs when:

1. Network access is blocked
2. DNS queries cannot be made
3. Hostnames cannot be resolved to IP addresses

Key Insight: The sandbox was blocking DNS resolution, which is a network operation.

Understanding the Sandbox API

The run_terminal_cmd tool accepts an optional required_permissions parameter:

run_terminal_cmd(
    command="<command>",
    required_permissions=['network']  # Request network access
)

Available Permission Types:

• ['network'] - Network access only (restrictive)
• ['all'] - Full sandbox access (permissive)
• [] (default) - No special permissions (network blocked)

---

The Solution

Step 1: Update Release Workflow Step 11

Location: packages/frameworks/workflow mgt/docs/documentation/Developer_Docs/vwmp/release-workflow-agent-execution.md

Action: Updated Step 11 to use network permissions

Implementation:

# ✅ CORRECT - With network permissions
run_terminal_cmd(
    command=f"git push origin {branch_name} --tags",
    required_permissions=['network']  # Enable network access
)

Step 2: Update .cursorrules

Location: .cursorrules → Release Workflow section

Action: Updated Step 11 to specify network permissions requirement

Content Added:

11. **Push to Remote** - Push epic branch and tag to origin
    - **CRITICAL: Use `required_permissions: ['network']` for git push commands**
    - Example: `run_terminal_cmd(command="git push origin {branch} --tags", required_permissions=['network'])`
    - This enables network access in Cursor's sandbox environment

Step 3: Create Documentation

Location: docs/architecture/standards-and-adrs/agent-network-access-and-git-push-limitations.md

Action: Created comprehensive documentation (this document)

Contents:

• Problem description
• Solution explanation
• RW integration details
• Security considerations
• Troubleshooting guide
• Best practices

---

The Solution in Detail

How It Works

1. AI Assistant Calls Tool:

   run_terminal_cmd(
       command="git push origin main --tags",
       required_permissions=['network']
   )

2. Sandbox Evaluates Request:

   • Sees required_permissions: ['network']
   • Grants network access for this command
   • Allows DNS resolution
   • Allows HTTPS connections

3. Command Executes:

   • Git resolves github.com ✅
   • Git establishes HTTPS connection ✅
   • Git authenticates (using stored credentials) ✅
   • Git pushes changes ✅

4. Result:

   • Push succeeds ✅
   • Workflow completes ✅
   • No manual intervention needed ✅

Security Considerations

Why This Is Safe:

1. Scoped Access: Network permission is only granted for the specific command
2. Limited Scope: Only git push operations use network access
3. User Authentication: Git credentials are already configured (user's responsibility)
4. No Arbitrary Access: Can't make arbitrary network calls
5. Explicit Request: Must explicitly request network access

Best Practices:

• ✅ Use ['network'] instead of ['all'] (more restrictive)
• ✅ Only use for git push operations
• ✅ Don't use for other commands unless explicitly needed
• ✅ Document why network access is needed

Alternative Approaches Considered

Option 1: Use ['all'] permissions

• Pros: Simpler, more permissive
• Cons: Less secure, grants more access than needed
• Decision: Use ['network'] (more restrictive)

Option 2: Manual push always

• Pros: No sandbox configuration needed
• Cons: Breaks automation, user friction
• Decision: Rejected (defeats purpose of RW)

Option 3: Skip push in RW

• Pros: No network issues
• Cons: Incomplete workflow, manual steps required
• Decision: Rejected (workflow must be complete)

Chosen Solution: Use ['network'] permissions for git push only ✅

---

Verification and Testing

Test Case 1: Branch Push

Command:

run_terminal_cmd(
    command="git push origin main --tags",
    required_permissions=['network']
)

Result: ✅ Success

To https://github.com/{user}/{repo}
   {commit_hash}..{commit_hash}  main -> main

Test Case 2: Tag Push

Command:

run_terminal_cmd(
    command="git push origin v0.2.4.8+1",
    required_permissions=['network']
)

Result: ✅ Success

To https://github.com/{user}/{repo}
 * [new tag]           v0.2.4.8+1 -> v0.2.4.8+1

Test Case 3: Without Permissions (Control)

Command:

run_terminal_cmd(
    command="git push origin main --tags"
    # No required_permissions
)

Result: ❌ Failure (as expected)

fatal: unable to access 'https://github.com/...': Could not resolve host: github.com

End-to-End RW Test

Scenario: Complete Release Workflow
Steps: 1-11 executed
Result: ✅ All steps completed successfully, including push operations

---

Impact and Results

Before the Fix

• ❌ RW Step 11 failed consistently
• ❌ Manual push required after every release
• ❌ Workflow incomplete
• ❌ User friction and confusion
• ❌ No documentation

After the Fix

• ✅ RW Step 11 succeeds automatically
• ✅ No manual push required
• ✅ Workflow completes end-to-end
• ✅ Smooth user experience
• ✅ Comprehensive documentation

Metrics

• Workflow Completion Rate: 0% → 100%
• Manual Steps Required: 1 → 0
• User Friction: High → None
• Documentation Coverage: 0% → 100%

---

Lessons Learned

Key Insights

1. Sandbox Restrictions Are Intentional: Network blocking is a security feature, not a bug
2. Explicit Permissions Required: Must explicitly request network access
3. Documentation Matters: Clear documentation prevents confusion
4. Workflow Completeness: Automated workflows must be truly automated
5. Tool Parameters Matter: Always check tool capabilities before assuming limitations

Best Practices Established

1. Always Use Network Permissions for Git Push: Don't forget required_permissions: ['network']
2. Document Requirements: Update .cursorrules and KB docs
3. Test End-to-End: Verify complete workflow, not just individual steps
4. Security First: Use most restrictive permissions possible (['network'] vs ['all'])
5. Investigate Before Assuming: Check tool capabilities before concluding something is impossible

Future Considerations

• Other Network Operations: May need network permissions for other operations (API calls, package downloads, etc.)
• Permission Granularity: Consider if more granular permissions become available
• Error Handling: Improve error messages when network access is blocked
• Documentation Updates: Keep documentation current as sandbox evolves

---

Agent Requirements

Agents executing Release Workflow MUST:

1. Use network permissions for git push operations:

   run_terminal_cmd(
       command="git push origin {branch} --tags",
       required_permissions=['network']
   )

2. Handle push failures gracefully (fallback):

   • If push still fails (shouldn't happen with permissions), provide clear instructions
   • Don't fail the entire workflow

3. Document the requirement in workflow execution

Agent Rule:

When executing RW Step 11:
- ALWAYS use required_permissions: ['network'] for git push commands
- This enables network access in Cursor's sandbox environment
- If push fails (unexpected), provide user instructions
- Link to this document for context

---

Related Documentation

• Release Workflow Agent Execution: source
• Workflow Hardening Guide: workflow-hardening-guide.md
• Release Workflow Reference: source
• Cursor Rules RW Trigger: source

---

Summary

The Issue: Cursor's sandbox blocks network access by default, causing git push operations to fail.

The Environment: Sandboxed execution environment with default network restrictions for security.

The Solution: Configure required_permissions: ['network'] when calling run_terminal_cmd for git push operations.

The Result: RW workflow now completes end-to-end automatically, eliminating manual push steps and streamlining the release process.

Status: ✅ Resolved, documented, and integrated into workflow

---

Last Updated: 2025-12-04
Next Review: When sandbox permissions model changes or new network operations are needed