Cursor (Limited Protection)

Important Limitation

Cursor's native built-in tools (file read/write, terminal, code editing) do not go through MCP and cannot be protected by Rampart. This guide only covers MCP server protection, which is a small fraction of Cursor's tool usage.

For full protection, use Claude Code, which exposes a hooks API that Rampart can intercept.

Cursor uses MCP servers for some tool access. Rampart can sit between Cursor and MCP servers as a transparent proxy.

Setup

In your Cursor MCP configuration, prefix each server command with rampart mcp --:

{
  "mcpServers": {
    "filesystem": {
      "command": "rampart",
      "args": ["mcp", "--", "npx", "-y", "@modelcontextprotocol/server-filesystem", "."]
    }
  }
}

How It Works

Cursor → MCP tool call → rampart mcp (proxy) → Policy Engine → MCP Server
                                               → Audit Trail

Rampart speaks the MCP protocol natively. It intercepts every tools/call request, evaluates it against your policies, and either forwards it to the real MCP server or returns a JSON-RPC error.

Ask behavior: When a policy action is ask, the MCP proxy blocks and waits for human resolution via rampart approve <id> or the API. If denied or expired, it returns a JSON-RPC error to Cursor.

Denied tool calls never reach the MCP server. Cursor handles the error gracefully.
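
The intercept-and-decide step described above, as an added example (not Rampart's code or policy format): the rule schema, the -32000 error code, and the `decide`, `handle` and `approver` names are assumptions, and the requests are constructed samples. The path argument is normalized before matching so a `/workspace/*` rule cannot be satisfied by a path containing `..` segments.

```python
import json
import posixpath
from fnmatch import fnmatchcase

# Hypothetical rules (not Rampart's policy format): first match wins, else deny.
POLICY = [
    {"tool": "read_file", "path": "/workspace/*", "action": "allow"},
    {"tool": "write_file", "path": "/workspace/*", "action": "ask"},
]
AUDIT = []  # in-memory stand-in for the audit trail


def decide(tool, arguments):
    """Return "allow", "ask" or "deny" for one tool call."""
    # Normalize first so "/workspace/../etc/passwd" cannot match "/workspace/*".
    path = posixpath.normpath(str(arguments.get("path", "")))
    for rule in POLICY:
        if rule["tool"] == tool and fnmatchcase(path, rule["path"]):
            return rule["action"]
    return "deny"


def handle(line, mode="enforce", approver=lambda tool, arguments: False):
    """Return ("forward", line) or ("reply", error_json) for one client message."""
    msg = json.loads(line)
    if msg.get("method") != "tools/call":
        return ("forward", line)  # initialize, tools/list, ... are not tool calls
    params = msg.get("params") or {}
    tool, arguments = params.get("name", ""), params.get("arguments") or {}
    action = decide(tool, arguments)
    AUDIT.append({"id": msg.get("id"), "tool": tool, "action": action, "mode": mode})
    if mode == "monitor" or action == "allow":
        return ("forward", line)  # monitor mode records the decision only
    if action == "ask" and approver(tool, arguments):
        return ("forward", line)  # a human approved the pending call
    # Denied, or "ask" that was rejected or expired: the server never sees it.
    error = {"code": -32000, "message": f"tool call blocked by policy: {tool}"}
    return ("reply", json.dumps({"jsonrpc": "2.0", "id": msg.get("id"), "error": error}))


def call(msg_id, tool, path):
    """Build a constructed sample tools/call request as one JSON line."""
    params = {"name": tool, "arguments": {"path": path}}
    return json.dumps({"jsonrpc": "2.0", "id": msg_id, "method": "tools/call", "params": params})


if __name__ == "__main__":
    for sample in (call(1, "read_file", "/workspace/a.txt"),
                   call(2, "read_file", "/workspace/../etc/passwd"),
                   call(3, "write_file", "/workspace/out.txt")):
        print(handle(sample))
```

The error reply reuses the request's `id`, which is how the client matches the failure to the tool call it issued.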

Auto-Generate Policies

Don't write policies from scratch — scan an MCP server's tool list:

rampart mcp scan -- npx @modelcontextprotocol/server-filesystem .

This generates a deny-by-default policy with an explicit rule for each tool. Review, customize, and deploy.

Monitor Mode

Start in audit-only mode to see what tools are being called before writing policies:

{
  "mcpServers": {
    "filesystem": {
      "command": "rampart",
      "args": ["mcp", "--mode", "monitor", "--", "npx", "-y", "@modelcontextprotocol/server-filesystem", "."]
    }
  }
}

Monitor

rampart watch