feat(server): Implement Cursor CLI permissions management

Added new routes and handlers for managing Cursor CLI permissions, including:
- GET /api/setup/cursor-permissions: Retrieve current permissions configuration and available profiles.
- POST /api/setup/cursor-permissions/profile: Apply a predefined permission profile (global or project).
- POST /api/setup/cursor-permissions/custom: Set custom permissions for a project.
- DELETE /api/setup/cursor-permissions: Delete project-level permissions, reverting to global settings.
- GET /api/setup/cursor-permissions/example: Provide an example config file for a specified profile.

Also introduced a new service for handling Cursor CLI configuration files and updated the UI to support permissions management.

Affected files:
- Added new routes in index.ts and cursor-config.ts
- Created cursor-config-service.ts for permissions management logic
- Updated UI components to display and manage permissions

🤖 Generated with [Claude Code](https://claude.com/claude-code)

apps/server/src/routes/setup/index.ts

@@ -17,6 +17,11 @@ import {
   createGetCursorConfigHandler,
   createSetCursorDefaultModelHandler,
   createSetCursorModelsHandler,
+  createGetCursorPermissionsHandler,
+  createApplyPermissionProfileHandler,
+  createSetCustomPermissionsHandler,
+  createDeleteProjectPermissionsHandler,
+  createGetExampleConfigHandler,
 } from './routes/cursor-config.js';
 
 export function createSetupRoutes(): Router {
@@ -38,5 +43,12 @@ export function createSetupRoutes(): Router {
   router.post('/cursor-config/default-model', createSetCursorDefaultModelHandler());
   router.post('/cursor-config/models', createSetCursorModelsHandler());
 
+  // Cursor CLI Permissions routes
+  router.get('/cursor-permissions', createGetCursorPermissionsHandler());
+  router.post('/cursor-permissions/profile', createApplyPermissionProfileHandler());
+  router.post('/cursor-permissions/custom', createSetCustomPermissionsHandler());
+  router.delete('/cursor-permissions', createDeleteProjectPermissionsHandler());
+  router.get('/cursor-permissions/example', createGetExampleConfigHandler());
+
   return router;
 }

apps/server/src/routes/setup/routes/cursor-config.ts

@@ -5,11 +5,36 @@
  * - GET /api/setup/cursor-config - Get current configuration
  * - POST /api/setup/cursor-config/default-model - Set default model
  * - POST /api/setup/cursor-config/models - Set enabled models
+ *
+ * Cursor CLI Permissions endpoints:
+ * - GET /api/setup/cursor-permissions - Get permissions config
+ * - POST /api/setup/cursor-permissions/profile - Apply a permission profile
+ * - POST /api/setup/cursor-permissions/custom - Set custom permissions
+ * - DELETE /api/setup/cursor-permissions - Delete project permissions (use global)
  */
 
 import type { Request, Response } from 'express';
 import { CursorConfigManager } from '../../../providers/cursor-config-manager.js';
-import { CURSOR_MODEL_MAP, type CursorModelId } from '@automaker/types';
+import {
+  CURSOR_MODEL_MAP,
+  CURSOR_PERMISSION_PROFILES,
+  type CursorModelId,
+  type CursorPermissionProfile,
+  type CursorCliPermissions,
+} from '@automaker/types';
+import {
+  readGlobalConfig,
+  readProjectConfig,
+  getEffectivePermissions,
+  applyProfileToProject,
+  applyProfileGlobally,
+  writeProjectConfig,
+  deleteProjectConfig,
+  detectProfile,
+  hasProjectConfig,
+  getAvailableProfiles,
+  generateExampleConfig,
+} from '../../../services/cursor-config-service.js';
 import { getErrorMessage, logError } from '../common.js';
 
 /**
@@ -134,3 +159,209 @@ export function createSetCursorModelsHandler() {
     }
   };
 }
+
+// =============================================================================
+// Cursor CLI Permissions Handlers
+// =============================================================================
+
+/**
+ * Creates handler for GET /api/setup/cursor-permissions
+ * Returns current permissions configuration and available profiles
+ */
+export function createGetCursorPermissionsHandler() {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const projectPath = req.query.projectPath as string | undefined;
+
+      // Get global config
+      const globalConfig = await readGlobalConfig();
+
+      // Get project config if path provided
+      const projectConfig = projectPath ? await readProjectConfig(projectPath) : null;
+
+      // Get effective permissions
+      const effectivePermissions = await getEffectivePermissions(projectPath);
+
+      // Detect which profile is active
+      const activeProfile = detectProfile(effectivePermissions);
+
+      // Check if project has its own config
+      const hasProject = projectPath ? await hasProjectConfig(projectPath) : false;
+
+      res.json({
+        success: true,
+        globalPermissions: globalConfig?.permissions || null,
+        projectPermissions: projectConfig?.permissions || null,
+        effectivePermissions,
+        activeProfile,
+        hasProjectConfig: hasProject,
+        availableProfiles: getAvailableProfiles(),
+      });
+    } catch (error) {
+      logError(error, 'Get Cursor permissions failed');
+      res.status(500).json({
+        success: false,
+        error: getErrorMessage(error),
+      });
+    }
+  };
+}
+
+/**
+ * Creates handler for POST /api/setup/cursor-permissions/profile
+ * Applies a predefined permission profile
+ */
+export function createApplyPermissionProfileHandler() {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const { profileId, projectPath, scope } = req.body as {
+        profileId: CursorPermissionProfile;
+        projectPath?: string;
+        scope: 'global' | 'project';
+      };
+
+      // Validate profile
+      const validProfiles = CURSOR_PERMISSION_PROFILES.map((p) => p.id);
+      if (!validProfiles.includes(profileId)) {
+        res.status(400).json({
+          success: false,
+          error: `Invalid profile. Valid profiles: ${validProfiles.join(', ')}`,
+        });
+        return;
+      }
+
+      if (scope === 'project') {
+        if (!projectPath) {
+          res.status(400).json({
+            success: false,
+            error: 'projectPath is required for project scope',
+          });
+          return;
+        }
+        await applyProfileToProject(projectPath, profileId);
+      } else {
+        await applyProfileGlobally(profileId);
+      }
+
+      res.json({
+        success: true,
+        message: `Applied "${profileId}" profile to ${scope}`,
+        scope,
+        profileId,
+      });
+    } catch (error) {
+      logError(error, 'Apply Cursor permission profile failed');
+      res.status(500).json({
+        success: false,
+        error: getErrorMessage(error),
+      });
+    }
+  };
+}
+
+/**
+ * Creates handler for POST /api/setup/cursor-permissions/custom
+ * Sets custom permissions for a project
+ */
+export function createSetCustomPermissionsHandler() {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const { projectPath, permissions } = req.body as {
+        projectPath: string;
+        permissions: CursorCliPermissions;
+      };
+
+      if (!projectPath) {
+        res.status(400).json({
+          success: false,
+          error: 'projectPath is required',
+        });
+        return;
+      }
+
+      if (!permissions || !Array.isArray(permissions.allow) || !Array.isArray(permissions.deny)) {
+        res.status(400).json({
+          success: false,
+          error: 'permissions must have allow and deny arrays',
+        });
+        return;
+      }
+
+      await writeProjectConfig(projectPath, {
+        version: 1,
+        permissions,
+      });
+
+      res.json({
+        success: true,
+        message: 'Custom permissions saved',
+        permissions,
+      });
+    } catch (error) {
+      logError(error, 'Set custom Cursor permissions failed');
+      res.status(500).json({
+        success: false,
+        error: getErrorMessage(error),
+      });
+    }
+  };
+}
+
+/**
+ * Creates handler for DELETE /api/setup/cursor-permissions
+ * Deletes project-level permissions (falls back to global)
+ */
+export function createDeleteProjectPermissionsHandler() {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const projectPath = req.query.projectPath as string;
+
+      if (!projectPath) {
+        res.status(400).json({
+          success: false,
+          error: 'projectPath query parameter is required',
+        });
+        return;
+      }
+
+      await deleteProjectConfig(projectPath);
+
+      res.json({
+        success: true,
+        message: 'Project permissions deleted, using global config',
+      });
+    } catch (error) {
+      logError(error, 'Delete Cursor project permissions failed');
+      res.status(500).json({
+        success: false,
+        error: getErrorMessage(error),
+      });
+    }
+  };
+}
+
+/**
+ * Creates handler for GET /api/setup/cursor-permissions/example
+ * Returns an example config file for a profile
+ */
+export function createGetExampleConfigHandler() {
+  return async (req: Request, res: Response): Promise<void> => {
+    try {
+      const profileId = (req.query.profileId as CursorPermissionProfile) || 'development';
+
+      const exampleConfig = generateExampleConfig(profileId);
+
+      res.json({
+        success: true,
+        profileId,
+        config: exampleConfig,
+      });
+    } catch (error) {
+      logError(error, 'Get example Cursor config failed');
+      res.status(500).json({
+        success: false,
+        error: getErrorMessage(error),
+      });
+    }
+  };
+}

apps/server/src/services/cursor-config-service.ts

@@ -0,0 +1,280 @@
+/**
+ * Cursor Config Service
+ *
+ * Manages Cursor CLI permissions configuration files:
+ * - Global: ~/.cursor/cli-config.json
+ * - Project: <project>/.cursor/cli.json
+ *
+ * Based on: https://cursor.com/docs/cli/reference/configuration
+ */
+
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+import { createLogger } from '@automaker/utils';
+import type {
+  CursorCliConfigFile,
+  CursorCliPermissions,
+  CursorPermissionProfile,
+} from '@automaker/types';
+import {
+  CURSOR_STRICT_PROFILE,
+  CURSOR_DEVELOPMENT_PROFILE,
+  CURSOR_PERMISSION_PROFILES,
+} from '@automaker/types';
+
+const logger = createLogger('CursorConfigService');
+
+/**
+ * Get the path to the global Cursor CLI config
+ */
+export function getGlobalConfigPath(): string {
+  // Windows: $env:USERPROFILE\.cursor\cli-config.json
+  // macOS/Linux: ~/.cursor/cli-config.json
+  // XDG_CONFIG_HOME override on Linux: $XDG_CONFIG_HOME/cursor/cli-config.json
+  const xdgConfig = process.env.XDG_CONFIG_HOME;
+  const cursorConfigDir = process.env.CURSOR_CONFIG_DIR;
+
+  if (cursorConfigDir) {
+    return path.join(cursorConfigDir, 'cli-config.json');
+  }
+
+  if (process.platform === 'linux' && xdgConfig) {
+    return path.join(xdgConfig, 'cursor', 'cli-config.json');
+  }
+
+  return path.join(os.homedir(), '.cursor', 'cli-config.json');
+}
+
+/**
+ * Get the path to a project's Cursor CLI config
+ */
+export function getProjectConfigPath(projectPath: string): string {
+  return path.join(projectPath, '.cursor', 'cli.json');
+}
+
+/**
+ * Read the global Cursor CLI config
+ */
+export async function readGlobalConfig(): Promise<CursorCliConfigFile | null> {
+  const configPath = getGlobalConfigPath();
+
+  try {
+    const content = await fs.readFile(configPath, 'utf-8');
+    const config = JSON.parse(content) as CursorCliConfigFile;
+    logger.debug('Read global Cursor config from:', configPath);
+    return config;
+  } catch (error) {
+    if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+      logger.debug('Global Cursor config not found at:', configPath);
+      return null;
+    }
+    logger.error('Failed to read global Cursor config:', error);
+    throw error;
+  }
+}
+
+/**
+ * Write the global Cursor CLI config
+ */
+export async function writeGlobalConfig(config: CursorCliConfigFile): Promise<void> {
+  const configPath = getGlobalConfigPath();
+  const configDir = path.dirname(configPath);
+
+  // Ensure directory exists
+  await fs.mkdir(configDir, { recursive: true });
+
+  // Write config
+  await fs.writeFile(configPath, JSON.stringify(config, null, 2));
+  logger.info('Wrote global Cursor config to:', configPath);
+}
+
+/**
+ * Read a project's Cursor CLI config
+ */
+export async function readProjectConfig(projectPath: string): Promise<CursorCliConfigFile | null> {
+  const configPath = getProjectConfigPath(projectPath);
+
+  try {
+    const content = await fs.readFile(configPath, 'utf-8');
+    const config = JSON.parse(content) as CursorCliConfigFile;
+    logger.debug('Read project Cursor config from:', configPath);
+    return config;
+  } catch (error) {
+    if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
+      logger.debug('Project Cursor config not found at:', configPath);
+      return null;
+    }
+    logger.error('Failed to read project Cursor config:', error);
+    throw error;
+  }
+}
+
+/**
+ * Write a project's Cursor CLI config
+ *
+ * Note: Project-level config ONLY supports permissions.
+ * The version field and other settings are global-only.
+ * See: https://cursor.com/docs/cli/reference/configuration
+ */
+export async function writeProjectConfig(
+  projectPath: string,
+  config: CursorCliConfigFile
+): Promise<void> {
+  const configPath = getProjectConfigPath(projectPath);
+  const configDir = path.dirname(configPath);
+
+  // Ensure .cursor directory exists
+  await fs.mkdir(configDir, { recursive: true });
+
+  // Write config (project config ONLY supports permissions - no version field!)
+  const projectConfig = {
+    permissions: config.permissions,
+  };
+
+  await fs.writeFile(configPath, JSON.stringify(projectConfig, null, 2));
+  logger.info('Wrote project Cursor config to:', configPath);
+}
+
+/**
+ * Delete a project's Cursor CLI config
+ */
+export async function deleteProjectConfig(projectPath: string): Promise<void> {
+  const configPath = getProjectConfigPath(projectPath);
+
+  try {
+    await fs.unlink(configPath);
+    logger.info('Deleted project Cursor config:', configPath);
+  } catch (error) {
+    if ((error as NodeJS.ErrnoException).code !== 'ENOENT') {
+      throw error;
+    }
+  }
+}
+
+/**
+ * Get the effective permissions for a project
+ * Project config takes precedence over global config
+ */
+export async function getEffectivePermissions(
+  projectPath?: string
+): Promise<CursorCliPermissions | null> {
+  // Try project config first
+  if (projectPath) {
+    const projectConfig = await readProjectConfig(projectPath);
+    if (projectConfig?.permissions) {
+      return projectConfig.permissions;
+    }
+  }
+
+  // Fall back to global config
+  const globalConfig = await readGlobalConfig();
+  return globalConfig?.permissions || null;
+}
+
+/**
+ * Apply a predefined permission profile to a project
+ */
+export async function applyProfileToProject(
+  projectPath: string,
+  profileId: CursorPermissionProfile
+): Promise<void> {
+  const profile = CURSOR_PERMISSION_PROFILES.find((p) => p.id === profileId);
+
+  if (!profile) {
+    throw new Error(`Unknown permission profile: ${profileId}`);
+  }
+
+  await writeProjectConfig(projectPath, {
+    version: 1,
+    permissions: profile.permissions,
+  });
+
+  logger.info(`Applied "${profile.name}" profile to project:`, projectPath);
+}
+
+/**
+ * Apply a predefined permission profile globally
+ */
+export async function applyProfileGlobally(profileId: CursorPermissionProfile): Promise<void> {
+  const profile = CURSOR_PERMISSION_PROFILES.find((p) => p.id === profileId);
+
+  if (!profile) {
+    throw new Error(`Unknown permission profile: ${profileId}`);
+  }
+
+  // Read existing global config to preserve other settings
+  const existingConfig = await readGlobalConfig();
+
+  await writeGlobalConfig({
+    version: 1,
+    ...existingConfig,
+    permissions: profile.permissions,
+  });
+
+  logger.info(`Applied "${profile.name}" profile globally`);
+}
+
+/**
+ * Detect which profile matches the current permissions
+ */
+export function detectProfile(
+  permissions: CursorCliPermissions | null
+): CursorPermissionProfile | null {
+  if (!permissions) {
+    return null;
+  }
+
+  // Check if permissions match a predefined profile
+  for (const profile of CURSOR_PERMISSION_PROFILES) {
+    const allowMatch =
+      JSON.stringify(profile.permissions.allow.sort()) === JSON.stringify(permissions.allow.sort());
+    const denyMatch =
+      JSON.stringify(profile.permissions.deny.sort()) === JSON.stringify(permissions.deny.sort());
+
+    if (allowMatch && denyMatch) {
+      return profile.id;
+    }
+  }
+
+  return 'custom';
+}
+
+/**
+ * Generate example config file content
+ */
+export function generateExampleConfig(profileId: CursorPermissionProfile = 'development'): string {
+  const profile =
+    CURSOR_PERMISSION_PROFILES.find((p) => p.id === profileId) || CURSOR_DEVELOPMENT_PROFILE;
+
+  const config: CursorCliConfigFile = {
+    version: 1,
+    permissions: profile.permissions,
+  };
+
+  return JSON.stringify(config, null, 2);
+}
+
+/**
+ * Check if a project has Cursor CLI config
+ */
+export async function hasProjectConfig(projectPath: string): Promise<boolean> {
+  const configPath = getProjectConfigPath(projectPath);
+
+  try {
+    await fs.access(configPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Get all available permission profiles
+ */
+export function getAvailableProfiles() {
+  return CURSOR_PERMISSION_PROFILES;
+}
+
+// Export profile constants for convenience
+export { CURSOR_STRICT_PROFILE, CURSOR_DEVELOPMENT_PROFILE };