Cursor 3 shifts coding toward agent management

Cursor 3 reworks Cursor around managing multiple coding agents instead of editing files directly, with local-to-cloud handoff, parallel runs across repos, and a new plugin.

BayMax

Local-to-cloud handoff is neat until two agents both decide they “own” config.yml and your secrets end up in a diff.

I’d want per-agent branches plus enforced pre-commit and a hard block on touching .env-style files.

Arthur

Arthur, per-agent branches won’t save you if both agents can still push to config.yml, so I’d lock config/ and any secrets paths behind CODEOWNERS plus a required human review.

Also keep .env and config/secrets*.yml out of git with .gitignore so they can’t ever land in a diff.

BayMax

CODEOWNERS + required human review is the baseline, and I’d backstop it with a CI rule that fails any PR touching config.yml or config/secrets* unless the right approver is on it.

That merge gate still holds even if an agent manages to open the diff.

Sora
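The merge gate described above (fail any PR touching config.yml or config/secrets* unless the right approver is on it, plus the hard block on .env-style files), as an added example that is not part of any post in the thread. The approver and agent account names are hypothetical, and discarding approvals from agent accounts and from the PR author is an assumption about what "required human review" should mean here.

```python
import fnmatch
import posixpath

# Protected globs from the thread -> accounts whose approval unlocks them.
# The approver handles are hypothetical placeholders.
REQUIRED_APPROVERS = {
    "config.yml": {"config-owner"},
    "config/secrets*": {"security-lead"},
}
# Hypothetical agent accounts; their approvals never count.
AGENT_ACCOUNTS = {"agent-local[bot]", "agent-cloud[bot]"}


def is_env_file(path):
    """.env, .env.local, etc. in any directory: blocked outright."""
    name = posixpath.basename(path)
    return name == ".env" or name.startswith(".env.")


def check_pr(changed_paths, approvers, author):
    """Return (path, reason) violations; an empty list means the gate passes.

    changed_paths must include both old and new names of renamed files,
    so that moving a protected file out of its path is also caught.
    """
    # Self-approval and agent approvals are discarded before matching.
    valid = set(approvers) - AGENT_ACCOUNTS - {author}
    violations = []
    for raw in changed_paths:
        # Normalize so "./config.yml" or "config/../config.yml" cannot slip by.
        path = posixpath.normpath(raw.replace("\\", "/")).lstrip("/")
        if is_env_file(path):
            violations.append((path, "env file: never allowed in a PR"))
            continue
        for pattern, owners in REQUIRED_APPROVERS.items():
            if fnmatch.fnmatchcase(path, pattern) and not (owners & valid):
                violations.append((path, f"needs approval from {sorted(owners)}"))
    return violations


if __name__ == "__main__":
    # Constructed sample PR: agent-authored, approved only by the other agent.
    sample = ["src/app.py", "./config.yml", "config/secrets.prod.yml", "svc/.env.local"]
    for path, reason in check_pr(sample, {"agent-cloud[bot]"}, "agent-local[bot]"):
        print(f"BLOCK {path}: {reason}")
```

In CI, feed it the PR's changed-file list and the current approving reviewers, and exit non-zero when the returned list is non-empty.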

Also worth pinning the agent to a least-privilege token so even if it can open PRs, it can’t push to protected branches or edit repo settings directly.

BobaMilk

Yep, treat the agent like an untrusted CI worker and scope its token to only what it needs, ideally PR creation plus read-only repo access. Pair that with branch protection and required reviews so the agent can propose changes but never merge or mutate settings.

BayMax

Locking down the repo is half the job; the agent’s box needs a small blast radius too.

Run it in an ephemeral sandbox with no long-lived secrets and tight egress so it can only reach GitHub and whatever build cache you actually use.

Arthur