Advanced agent configuration & MCP
The FDE-depth layer: rules, MCP, sandboxing and matched guardrails.
The FDE technical layer: configuration is the product
After this you can name the three planes every agent interaction passes through and explain why configuration, not the model, is what an FDE sells.
At enterprise scale the model is a commodity.
The configuration is the differentiator. Anyone can install Cursor in an afternoon. The FDE earns their seat by turning a sharp tool into a governed, repeatable system: standards encoded once, context wired in safely, execution power clamped to least privilege.
Think in three planes that every agent interaction passes through:
- Knowledge is what the agent knows about your standards.
- Context is what the agent can see outside the repo.
- Capability is what the agent is allowed to do.
Get those three right and autonomy becomes a dial you can turn with confidence instead of a leap of faith.
An agent's behavior is the product of three configurable planes: knowledge, context, capability. The FDE's job is to make each one explicit, version-controlled and auditable. Then 'the agent did something dangerous' stops being a vibe. It becomes a config gap you can point to and close.
We don't 'trust the model.' We trust the controls around the model. Knowledge, context and capability are each configured, scoped and logged. Autonomy is something we earn with evidence, not something we hope for.
- Plane
- Knowledge
- Mechanism
- Project RulesVersion-controlled instructions in the repo that every Cursor agent interaction inherits, so standards are encoded once. / AGENTS.md
- Failure if you skip it
- Agent reinvents your conventions every prompt; PRs drift from house style
- Plane
- Context
- Mechanism
- MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. servers + allowlists
- Failure if you skip it
- Agent guesses about Jira and observability it can't see or pulls from an ungoverned source
- Plane
- Capability
- Mechanism
- Allow/blocklists, hooks, sandboxing, VM isolation
- Failure if you skip it
- Agent runs a destructive command or exfiltrates data with no blast-radius control
| Plane | Mechanism | Failure if you skip it |
|---|---|---|
| Knowledge | Project RulesVersion-controlled instructions in the repo that every Cursor agent interaction inherits, so standards are encoded once. / AGENTS.md | Agent reinvents your conventions every prompt; PRs drift from house style |
| Context | MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. servers + allowlists | Agent guesses about Jira and observability it can't see or pulls from an ungoverned source |
| Capability | Allow/blocklists, hooks, sandboxing, VM isolation | Agent runs a destructive command or exfiltrates data with no blast-radius control |
The three planes an FDE configures before anyone talks about autonomy.
Takeaway. An agent is knowledge + context + capability - the FDE sells the configuration of all three, not the model underneath.
Self-check
Project Rules in depth: encode standards once
After this you can scope rules across a monorepo with a root AGENTS.md plus nested area files, and explain why 'rules are files in git' is the load-bearing property.
Project RulesVersion-controlled instructions in the repo that every Cursor agent interaction inherits, so standards are encoded once. are how you stop re-explaining your codebase to the model on every prompt. Write your style, test and architecture standards once. They live in the repo, version-controlled and every agent interaction in that scope inherits them automatically.
The mechanism: rules live under .cursor/rules/ as scoped, area-specific files, plus the repo-root AGENTS.md, the open and portable convention for agent instructions.
Because they are files in git, they get the same lifecycle as any other source: code review, blame, PR history, rollback. Standards become an artifact instead of tribal knowledge in someone's head or a buried Slack thread.
Scope rules to the area they governglobal vs. nested
Don't dump everything into one mega-rule. A root AGENTS.md carries org-wide invariants: language, security posture, 'never touch generated files.' Then nest area-specific rules next to the code they apply to.
A stricter file in services/payments/ can demand 100% branch coverage and forbid new external calls, while web/ gets component conventions. The agent inherits the union, with the nearest scope winning. This is least-knowledge applied to standards: each subsystem teaches the agent exactly what it needs and nothing it doesn't.
Concrete, testable directives: 'Use pytest, not unittest.'
Architecture boundaries: 'No direct DB access from controllers; go through the repository layer.'
Pointers to canonical in-repo examples the agent can imitate.
Vague vibes: 'Write clean code.'
Stale rules pointing at modules that were deleted two refactors ago. Review them like any code.
One 2,000-line file that applies everywhere and is mostly noise the model skims past.
BugbotCursor's automated PR reviewer that posts inline findings and can push fix commits from isolated VMs. reads repo-scoped review rules from .cursor/BUGBOT.md, the same file-in-git pattern. The rules discipline isn't only for the coding agent. Your reviewer agent inherits standards from version-controlled files too.
# Payments service rules - All money is int cents; never float. - Every new endpoint requires a contract test + an idempotency key. - No new outbound network calls without an entry in ALLOWED_EGRESS.md. - Follow the repository pattern; controllers must not import the DB client. - Example to imitate: see charges/create_charge.py
Takeaway. Rules are files in git, so standards get review, blame and rollback - scope them per area, root for invariants, nested for the rest.
Self-check
QMultiple choice: A team puts every standard for a 40-service monorepo into a single root AGENTS.md. What's the best critique?
MCP: governed context outside the repo
After this you can explain what MCP exposes to the agent and run a proposed server through the FDE allowlist review before it touches the org.
Most of what an engineer needs to do a task well lives outside the repo.
Think of the Jira ticket, the Confluence runbook, the Datadog dashboard showing the error spike, the internal API docs. MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. (Model Context Protocol) is the standard bridge that lets the agent reach that context and the artifact graph is what it exposes through that bridge.
MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. is an open protocol. An MCP server wraps a system (Jira, Confluence, GitHub, an observability platform, an internal docs service) and exposes its data and actions as tools the agent can call. Instead of you copy-pasting a ticket into the chat, the agent queries the Jira MCP server directly, reads the acceptance criteria and links the PR back. The repo stops being an island.
Why the FDE cares: context quality drives output quality
An agent that can see the ticket, the design doc and the live error trace writes a far better fix than one guessing from the diff alone. MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. is the difference between autocomplete with extra steps and a teammate who actually read the context. Every server you connect is also a new trust boundary and a new data path, which is exactly why it has to be governed.
Every MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. server is both a context source and an attack surface. A connected server can pull untrusted content into the model's context (a prompt-injection vector) and it can be a data-egress path. 'Connect everything' is how you turn a productivity feature into a data-exfiltration channel. Treat MCP servers like the third-party integrations they are: scoped, reviewed, allowlisted.
Governing allowed MCP serversallowlists, not free-for-all
- MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. allowlist - admins specify which MCP servers are permitted org-wide. Developers can't wire in an arbitrary server that ships data to who-knows-where.
- Scope per server - prefer read-only scopes for context-only servers like Confluence and docs. Reserve write and action scopes (creating Jira tickets, posting to Slack) for servers that genuinely need them.
- Privacy posture - Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. and ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. govern what leaves to the model. An MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. server is a separate data path you reason about on its own.
- Audit - MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. calls are part of the activity you want logged, so you can answer 'what external systems did agents touch and when?'
- Who hosts it?
- First-party, vendor or community. Community servers get the most scrutiny.
- Read or write?
- Default to least scope and justify every write capability.
- What data flows through?
- Could it surface secrets, PIIPersonally Identifiable Information. Data that can identify a person (names, emails, SSNs); regulated and sensitive. or regulated data into context?
- On the allowlist?
- Not explicitly allowed by an admin means blocked. The allowlist is the control.
Run every proposed MCP server through this before it touches the org.
A team proposes a community-hosted issue-tracker MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. that asks for write scope. Walk the four questions. Who hosts it? Community, so it earns the most scrutiny. Read or write? It requests write, but the team only needs to read ticket detail, so the write capability isn't justified. What data flows? Ticket bodies can pull customer PIIPersonally Identifiable Information. Data that can identify a person (names, emails, SSNs); regulated and sensitive. and internal detail into context. On the allowlist? No admin has approved it.
Verdict: blocked. It goes live only after an admin adds it to the allowlist and the scope is downgraded to read-only. Start at least scope; widen later if a real write need shows up.
Takeaway. MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. is the bridge to context outside the repo - and every server you connect is a trust boundary, so it lives behind an admin allowlist at least scope.
Self-check
Capability controls: least privilege for what an agent can do
After this you can stack the four capability controls and say what blast radius each one contains that the others can't.
Knowledge and context shape what the agent says.
Capability controls govern what it can execute and that's where blast radiusHow much breaks if a change goes wrong; the scope of potential damage. lives. The principle is the one you'd apply to any service account: least privilege, deny by default, log everything.
The four capability controls
Specify which shell commands an agent may run. Allowlist npm test, git status, the linter. Blocklist rm -rf, curl | sh, infra CLIs.
Deny-by-default for high-risk repos: nothing runs unless explicitly permitted.
Programmatic interception points around agent actions. Run a script before or after a tool call to validate, redact, gate or log.
Use them for policy an allowlist can't express, like blocking writes to /infra or scanning for secrets before commit.
Constrain the environment the agent's commands run in: limited filesystem, controlled egress, so an executed command can't roam the host.
Containment for the local execution surface.
The strongest boundary. Run the agent in an isolated cloud VM with scoped permissions, off the developer's trusted laptop.
Compromise stays in a disposable box.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Allowlist → hooks → terminal sandbox → VM isolation. Each layer names the blast radius it contains that the others can't, so none is load-bearing alone.
Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. now combine isolated VMs with guided environment setup, reusable snapshots, /in-cloud subagents and local/cloud handoff. Autofix still belongs in the same autonomy ladder: a remote agent can work in isolation, but the merge gate stays human-owned.
Stack these, don't pick one. Each layer assumes the one above it can fail.
Asked 'how do you stop an agent from doing something destructive?', name the layered model: allow/blocklist the command vocabulary, enforce policy with hooks, sandbox the terminal, isolate autonomous runs in scoped VMs with audit logs. Then close: we gate higher autonomy on evidence, so we're never leaning on a single control.
Takeaway. Allowlists set the vocabulary, hooks enforce policy, sandboxing contains local runs, VM isolation contains autonomous ones - stack all four so none is load-bearing alone.
Self-check
The agent surface and matched guardrails per rung
After this you can place a given agent surface on the autonomy ladder and name the guardrails that have to intensify as the human leaves the loop.
There is no single 'agent.'
There's a ladder of surfaces, from near-zero autonomy to fully headless and each rung needs guardrails matched to its blast radiusHow much breaks if a change goes wrong; the scope of potential damage.. The mistake teams make is applying laptop-grade trust to async, multi-repo execution. The worse mistake is starting at the top of the ladder.
Interactive diagram. Step through it with the Next and Previous controls below, or Tab to a region to read its detail.
Each rung up adds reach and removes a human from the loop, so each rung up must add controls. Higher autonomy is conditional on evidence plus controls, never the start.
- Rung
- 1
- Surface
- Tab / inline completion
- Human in loop?
- Every keystroke
- Matched guardrails
- Rules; trivial blast radiusHow much breaks if a change goes wrong; the scope of potential damage.
- Rung
- 2
- Surface
- IDE agent - Ask / Plan
- Human in loop?
- Reviews plan before acting
- Matched guardrails
- Rules + MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. read scopes; plan reviewed before execution
- Rung
- 3
- Surface
- CLI - plan / ask / debug
- Human in loop?
- Drives interactively in terminal
- Matched guardrails
- Command allowlist + terminal sandboxing; interactive /debug
- Rung
- 4
- Surface
- Headless in CI
- Human in loop?
- Pipeline gates, async
- Matched guardrails
- Locked allowlist, hooks, scoped CI creds, required checks
- Rung
- 5
- Surface
- Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. - isolated VMs
- Human in loop?
- Async, parallel multi-repo
- Matched guardrails
- VM isolation, scoped permissions, audit logs, MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. allowlist
- Rung
- 6
- Surface
- SDK / fully headless
- Human in loop?
- Programmatic, no interactive human
- Matched guardrails
- All of the above + deny-by-default, tight egress, mandatory review on merge
| Rung | Surface | Human in loop? | Matched guardrails |
|---|---|---|---|
| 1 | Tab / inline completion | Every keystroke | Rules; trivial blast radiusHow much breaks if a change goes wrong; the scope of potential damage. |
| 2 | IDE agent - Ask / Plan | Reviews plan before acting | Rules + MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. read scopes; plan reviewed before execution |
| 3 | CLI - plan / ask / debug | Drives interactively in terminal | Command allowlist + terminal sandboxing; interactive /debug |
| 4 | Headless in CI | Pipeline gates, async | Locked allowlist, hooks, scoped CI creds, required checks |
| 5 | Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. - isolated VMs | Async, parallel multi-repo | VM isolation, scoped permissions, audit logs, MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. allowlist |
| 6 | SDK / fully headless | Programmatic, no interactive human | All of the above + deny-by-default, tight egress, mandatory review on merge |
Surface to guardrail mapping. Verified surfaces: CLI /debug; Cloud Agents with isolated VMs, parallel multi-repo, async runs.
Notice the inversion. As the human leaves the loop, the configuration has to carry the trust the human used to provide. At rung 1 a typo is nothing. At rung 6 a misconfigured egress rule is an incident. Guardrails don't stay constant up the ladder. They intensify in lockstep with reach.
Autonomy and control move together. Every rung that removes a human from the loop must add a control that takes their place: a tighter allowlist, a hook, an isolation boundary, a required review on merge. If reach goes up and controls stay flat, that's the gap I'd close first.
Takeaway. As the human leaves the loop, configuration carries the trust they used to provide - guardrails must intensify rung by rung, never stay flat.
Self-check
QMultiple choice: Moving an agent from the IDE (Plan modeA mode that makes no edits: it researches the codebase and produces an editable plan you review before any code changes., human reviews each plan) to async Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. doing parallel multi-repo work. What MUST change about guardrails?
Prompt injection, untrusted content and a SOX pilot config
After this you can trace how a prompt injection gets neutralized by layered controls and stand up the deny-by-default SOX pilot posture from memory.
Once an agent reads external content (a web page, a Jira comment, an MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs.-sourced doc), that content can contain instructions.
Prompt injection is the agent equivalent of SQL injection: untrusted input smuggling commands into a privileged context. You defend by assuming any non-repo content is hostile and clamping what the agent can do with it.
Prompt-injection & untrusted-content defense
- Treat fetched/MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. content as untrusted data, never as instructions - the model may read it, but capability controls decide what it can act on.
- Least privilege limits the damage - even a successful injection can't
rm -rfor exfiltrate when commands are blocklisted, egress is sandboxed and the run is VM-isolated. - MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. allowlist shrinks the injection surface - fewer connected servers means fewer paths for hostile content to enter.
- Hooks as a tripwire - scan for secret patterns before commit or egress and gate writes to sensitive paths.
- Human review on merge - for anything regulated, a person signs off. The agent proposes, the human disposes.
The dangerous combination is high capability plus untrusted context plus no human gate. An agent that can run arbitrary shell, reads an attacker-controlled web page via MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. and auto-merges is a remote-code-execution path with extra steps. Break that chain at any link and the attack dies.
A concrete least-privilege pilot config for a SOX repodeny-by-default
SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting. repos govern financial reporting controls. Segregation of duties and change-evidence are non-negotiable. The agent can be a force multiplier here, but it starts maximally clamped and earns nothing on day one beyond proposing changes a human reviews.
- Privacy
- Privacy ModeCursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code. + ZDRZero Data Retention. A contractual guarantee that the model provider won't store your code or train on it. on (note: ZDR is not available with your own API keys).
- Rules
- Nested AGENTS.md: 'no schema/migration changes without human author', coverage + contract-test requirements, repository-pattern boundaries.
- MCP
- Read-only allowlist: Jira (read), Confluence runbooks (read). No write or action servers in the pilot.
- Commands
- Deny-by-default. Allow only: test runner, linter,
git status/diff. Blocklist infra CLIs, package publish, network fetch. - Hooks
- Pre-commit secret scan; block writes outside the service dir; log every tool call.
- Execution
- Terminal sandboxed; autonomous work runs in isolated Cloud Agent VMs with scoped, short-lived creds.
- Merge gate
- Agent never merges. Mandatory human review plus a separate approver to preserve segregation of duties. Audit logs + AI-code tracking on.
Least privilege isn't paranoia in a SOX repo. It's the auditable baseline you expand FROM.
Maturity path: autonomy is earned
You don't start at Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. auto-merging in a SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting. repo. You start at 'propose, human disposes' and graduate rungs as evidence accrues: clean review pass rates, no escaped defects, audit trail intact. Box's published numbers (85%+ daily active, 30–50% throughput, +75% usage in six weeks driven by mentorship) came from staged adoption, not a big-bang autonomy switch. Higher autonomy is conditional on evidence and controls. It is never the start.
When a CISOChief Information Security Officer. The executive who owns security; usually the hardest and most important person to win over. asks 'how do we let agents into our SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting. repo without failing an audit?', walk the pilot: deny-by-default commands, read-only MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. allowlist, hooks for secret-scan and path-gating, sandboxed and VM-isolated execution and a hard human-review plus separate-approver merge gate that preserves segregation of duties. Then close: we widen scope only as evidence earns it, with audit logs and AI-code tracking proving the control the whole way.
Takeaway. Defend prompt injection by layering controls so no single fooled model causes harm - and let a SOXSarbanes-Oxley Act. A US law that forces companies to keep auditable controls over any system that affects their financial reporting. agent earn autonomy from a deny-by-default baseline, never assume it.