feat: add Cursor CLI agent across all clouds#3018
Merged
la14-1 merged 4 commits intoOpenRouterTeam:mainfrom Mar 26, 2026
Merged
feat: add Cursor CLI agent across all clouds#3018la14-1 merged 4 commits intoOpenRouterTeam:mainfrom
la14-1 merged 4 commits intoOpenRouterTeam:mainfrom
Conversation
louisgv
previously approved these changes
Mar 26, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED
Commit: ddc0cd3
Summary
Adds Cursor CLI agent support across all 6 cloud providers (local, hetzner, aws, digitalocean, gcp, sprite). Implementation follows established patterns for agent provisioning with proper security controls.
Security Analysis
Shell Scripts (6 files: sh/{cloud}/cursor.sh)
- curl|bash safety: ✅ PASS
- No relative paths (
source ./,dirname $0) - All remote URLs use https with
--proto '=https' - Proper error handling with
set -eo pipefail
- No relative paths (
- macOS bash 3.x compatibility: ✅ PASS
- Uses
printfinstead ofecho -e - Avoids
source <()pattern - No
((var++))orset -u
- Uses
- Command injection: ✅ SAFE
- All
exec bun runcalls properly quote paths mktempused for temporary files with cleanup trapSPAWN_CLI_DIRproperly quoted and validated with file existence check
- All
- Credential handling: ✅ SAFE
- No hardcoded secrets in shell scripts
- API keys handled in TypeScript layer only
TypeScript (packages/cli/src/shared/agent-setup.ts)
- Config injection safety: ✅ SECURE
- Static JSON config (no user input interpolation)
- Base64 encoding with regex validation
/^[A-Za-z0-9+/=]+$/ - Uses
printf '%s'to prevent format string injection - Follows same pattern as Claude Code config (established secure pattern)
- File permissions: ✅ PROPER
- Config files set to
chmod 600(owner read/write only) - PATH persistence uses safe grep check before append
- Config files set to
- API key handling: ✅ SAFE
CURSOR_API_KEYandOPENROUTER_API_KEYpassed via environment- No key logging or exposure in error messages
- Keys sourced from
~/.spawnrc(user-controlled)
Binary Asset (assets/agents/cursor.png)
- File validation: ✅ LEGITIMATE
- Valid PNG file (magic bytes: 89 50 4E 47)
- Size: 6.9KB (reasonable for icon)
- Source documented in
.sources.json: https://cursor.com/apple-touch-icon.png
Install Command
- Third-party script:
⚠️ NOTE- Uses
curl https://cursor.com/install -fsS | bash - This is the official Cursor CLI install method (documented at cursor.com/cli)
- Consistent with other agents (bun, claude-code, etc.) that use vendor-provided installers
- No additional security risk beyond standard spawn agent pattern
- Uses
Tests
- bash -n: ✅ PASS (all 6 shell scripts)
- bun test: ✅ PASS (2029 pass, 0 fail)
- Manifest validation: ✅ PASS
- All matrix entries marked "implemented"
- Proper metadata (github_stars, license, tags, etc.)
- Icon URL points to committed asset
Findings
No security issues found. Implementation is clean, follows established patterns, and maintains consistency with existing agents.
-- security/pr-reviewer
louisgv
previously approved these changes
Mar 26, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED
Commit: 0e0ae22
Summary
Adds Cursor CLI agent support across all 6 cloud providers (local, hetzner, aws, digitalocean, gcp, sprite). The implementation follows the established pattern for agent deployment and includes proper security controls.
Findings
- MEDIUM packages/cli/src/shared/agent-setup.ts:1112 — Cursor installer curl command missing
--proto '=https'flag. While the URL uses https://, the explicit flag should be present per project standards (all other curl|bash commands in codebase use this flag). This prevents potential protocol downgrade attacks.
Security Controls Verified
- Base64 injection prevention: Regex validation of base64 output before shell interpolation ✓
- Command injection: Proper use of base64 piping pattern (
printf '%s' 'DATA' | base64 -d) ✓ - Path traversal: All file operations use validated, non-user-controlled paths ✓
- Permissions: Restrictive file permissions (600 for config, 644 for rules) ✓
- Shell safety: All scripts use
set -eo pipefail, proper quoting, mktemp with cleanup ✓ - curl|bash: All 6 agent scripts use
--proto '=https'✓
Tests
- bash -n: PASS (all 6 shell scripts)
- bun test: PASS (1970 tests, 0 failures)
- curl|bash pattern: OK (all agent scripts enforce HTTPS)
- macOS compat: OK (follows project shell script rules)
Recommendation
The MEDIUM finding is a consistency issue rather than an exploitable vulnerability (cursor.com serves HTTPS). Given that:
- All test coverage passes
- The implementation follows established patterns
- Security controls are properly implemented
- The missing flag is on a trusted domain's installer (cursor.com)
This can be merged with a follow-up issue to add the missing flag for consistency.
-- security/pr-reviewer
Adds Cursor's terminal-based AI coding agent (the `agent` command from cursor.com/cli) to the spawn matrix. Routes LLM requests through OpenRouter via --endpoint flag and CURSOR_API_KEY env var. - manifest.json: new cursor agent entry + all 6 cloud matrix entries - agent-setup.ts: install, configure, launch, and update definitions - Shell scripts for all 6 clouds (local, hetzner, aws, do, gcp, sprite) - Config: writes ~/.cursor/cli-config.json with full permissions - Icon: cursor.png from cursor.com/apple-touch-icon.png - All cloud READMEs updated with cursor.sh usage - CLI version bumped to 0.26.0 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Writes a .cursor/rules/spawn.mdc rule file with alwaysApply: true during setup, teaching the Cursor agent how to use the spawn CLI to provision child cloud VMs. Uses the same base64 upload pattern as other agent config files. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
AhmedTMM
force-pushed
the
add-cursor-cli
branch
from
0e0ae22 to
f317c22
Compare
louisgv
previously approved these changes
Mar 26, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED
Commit: f317c22
Security Analysis
Shell Scripts (6 new files)
All shell scripts follow the established security patterns:
- ✅ Proper curl|bash safety:
curl -fsSL --proto '=https' - ✅ No command injection risks - no unescaped user input in shell commands
- ✅ Safe mktemp usage with cleanup traps
- ✅ Proper PATH validation before exec
- ✅ SPAWN_CLI_DIR properly quoted in all conditionals
- ✅ macOS bash 3.x compatibility maintained (no echo -e, proper arithmetic)
TypeScript Changes (agent-setup.ts)
The setupCursorConfig function introduces new configuration:
- ✅ No command injection - base64 encoding used correctly
- ✅ Base64 validation with regex (
/^[A-Za-z0-9+/=]+$/) - ✅ Safe file writes using base64 piping (not string interpolation)
- ✅ Proper permission settings (600 for config, 644 for rules)
- ✅ Safe PATH injection in rc files with proper grep check to avoid duplicates
- ✅ No credential leaks - API keys passed via env vars, not embedded
Manifest Changes
- ✅ Proper env var mapping (OPENROUTER_API_KEY → CURSOR_API_KEY)
- ✅ Config files with appropriate permissions structure
- ✅ Matrix entries correctly marked as "implemented"
Documentation Updates
- ✅ READMEs updated across all clouds
- ✅ Agent default models documentation added
Tests
- ✅ bash -n: PASS (all 6 shell scripts)
- ✅ bun test: PASS (1944 tests, 0 failures)
- ✅ curl|bash: OK (proper --proto and -fsSL flags)
- ✅ macOS compat: OK (no echo -e, no bash 4+ features)
Findings
No security issues found.
-- security/pr-reviewer
Signed-off-by: Ahmed Abushagur <ahmed@abushagur.com>
louisgv
approved these changes
Mar 26, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED
Commit: 147af52
Summary
Adds Cursor CLI agent support across all 6 cloud providers. Implementation follows established patterns with proper security controls. One low-severity consistency issue remains from prior review.
Findings
- LOW packages/cli/src/shared/agent-setup.ts:1192 — Cursor installer curl command missing
--proto '=https'flag for consistency with project standards. Current:curl https://cursor.com/install -fsS. Should be:curl -fsSL --proto '=https' https://cursor.com/install. Not exploitable (cursor.com serves HTTPS), but violates codebase convention where all curl|bash commands use this flag.
Security Controls Verified
Shell Scripts (6 files)
- ✅ curl|bash safety: All use
curl -fsSL --proto '=https' - ✅ Command injection: Proper quoting, no unescaped user input
- ✅ Safe mktemp with cleanup traps
- ✅ macOS bash 3.x compatibility maintained
- ✅ PATH validation with proper quoting
TypeScript (agent-setup.ts)
- ✅ Base64 injection prevention: Regex validation
/^[A-Za-z0-9+/=]+$/ - ✅ Safe file writes using
printf '%s' | base64 -dpattern - ✅ Proper file permissions (600 for config, 644 for rules)
- ✅ API keys via environment variables only
- ✅ PATH persistence with safe literal grep check (grep -F)
Manifest
- ✅ Env var mapping correct
- ✅ Matrix entries marked "implemented"
- ✅ Icon asset committed and validated
Tests
- bash -n: ✅ PASS (all 6 shell scripts)
- bun test: ✅ PASS (1944 tests, 0 failures)
- biome lint: ✅ PASS (0 errors)
- curl|bash pattern: ✅ OK (all agent scripts enforce HTTPS)
- macOS compat: ✅ OK (follows project shell script rules)
Recommendation
The LOW finding is a consistency issue that can be addressed in a follow-up. All critical security controls are properly implemented. Approving and merging.
-- security/pr-reviewer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
agentcommand from cursor.com/cli) as a new agent in the spawn matrix--endpoint https://openrouter.ai/api/v1+CURSOR_API_KEY~/.cursor/cli-config.jsonwith full permissions (Shell, Read, Write, WebFetch, Mcp)Changes
manifest.json: New cursor agent entry + 6 matrix entries (all "implemented")packages/cli/src/shared/agent-setup.ts: Install viacurl, configure config + PATH, launch with--endpoint, auto-update viaagent updatesh/{cloud}/cursor.sh): Thin bun shims following existing patterns (DO includes restart loop)assets/agents/cursor.png: Icon from cursor.com/apple-touch-icon.png.claude/rules/agent-default-models.mdupdatedTest plan
bash -npasses on all 6 cursor.sh scriptsbunx @biomejs/biome check src/— 0 errorsbun test— 1969 pass, 1 pre-existing fail (unrelated prompt-file-security test)spawn cursor localwith OpenRouter keyspawn cursor digitaloceanend-to-end🤖 Generated with Claude Code