Cursor ships a cursor-agent CLI for agents and scripts. Adding it as a pickled interface would extend matrix coverage to a third agentic CLI alongside Claude Code and Codex.
Live probe result (2026-05-24): blocked
Status: does not run on this dev box. Homebrew install crashes on launch; pickled cannot drive an adapter that cannot start.
brew install --cask cursor-cli
# Cask cursor-cli (2026.05.24-dda726e) installed successfully
cursor-agent --version
# Error: Failed to load native binding for darwin/arm64 (expected: ./merkle-tree-napi.darwin-arm64.node)
# Original error: Error: node-loader:
# Error: dlopen(.../merkle-tree-napi.darwin-arm64.node, 0x0001):
# code signature in <UUID> '.../merkle-tree-napi.darwin-arm64.node'
# not valid for use in process: library load disallowed by system policy
The native binding ships in the cask but macOS Gatekeeper refuses to load it. brew uninstall && brew install reproduces the same error. The probe never reached -p --output-format stream-json; the binary cannot start, so the stdout/stderr/exit-code/provenance schema this issue was supposed to verify remain unverified.
Possible workarounds (none tested):
xattr -d com.apple.quarantine on the native binding (manual per install).- Official
curl https://cursor.com/install -fsS | bash path (different distribution; might or might not be quarantined).
- Wait for Cursor to ship a properly-signed Homebrew cask.
Any of these would unblock local use, but none of them make the CI story reliable. A cursor-cli adapter that requires users to xattr their install or fall back to a shell-pipe-bash install on every CI runner is not the kind of adapter pickled should ship.
Feasibility note (research, not implementation)
Per the agreed plan, doc-only findings against Cursor's current public docs (May 2026). These remain useful for whenever the install story stabilizes.
Install + auth
curl https://cursor.com/install -fsS | bash # binary: cursor-agent (alias: agent)
# OR
brew install --cask cursor-cli # currently broken, see above
- API key env var:
CURSOR_API_KEY (recommended for CI). Alternative: --api-key <key> CLI flag. Key is generated in Cursor Dashboard → Integrations → API Keys.
Non-interactive surface
| Flag |
What it does |
Pickled fit |
-p, --print |
Required for non-interactive |
yes, mandatory |
--output-format text|json|stream-json |
Only works with --print |
use json for final answer, stream-json for provenance |
--model <id> |
Model pin |
yes, required (loader gate stays) |
--mode plan|ask|agent |
ask = read-only exploration; agent = full |
use ask for toolset: none cells |
--sandbox enabled|disabled |
Shell-execution sandbox |
enable by default |
-f, --force / --yolo |
Bypass permission prompts |
yes for CI (paired with --mode ask for safety) |
--workspace <path> |
Working directory |
yes, maps to tool.path |
--trust |
Headless, no prompts |
yes |
-H, --header |
Custom request headers (repeatable) |
not needed today |
Prompt is passed via -p "<text>" (argv), not stdin.
Output shapes
--output-format json — single object on success:
{
"type": "result",
"subtype": "success",
"is_error": false,
"duration_ms": 1234,
"duration_api_ms": 1234,
"result": "<full assistant text>",
"session_id": "<uuid>",
"request_id": "<optional>"
}--output-format stream-json — NDJSON events: system, user, assistant, tool_call, result. Only stream-json carries per-tool-call provenance.
Open questions / risks
- No
--no-file-edits flag. --mode ask is the documented read-only path; the docs explicitly note "No flags explicitly disable file edits or restrict tool access." Safe default would be --mode ask --sandbox enabled so toolset: none cells cannot mutate the workspace.
- Provenance from
stream-json schema unverified; the live probe could not reach it.
- Exit codes unverified.
- Model wrapping. Whether Cursor mediates the request or proxies straight to OpenAI/Anthropic affects matrix semantics. We'd label
cursor-cli as its own interface category, not as a flavor of an upstream provider.
- Install reliability. The current Homebrew cask is unusable. This is the load-bearing blocker.
Scope (v1, after install stabilizes)
- New target file
packages/core/src/targets/cli/cursor.ts.
- Provider key:
cursor-cli (mirrors claude-code/codex-cli naming).
- Start with
toolset: none only, using --mode ask --sandbox enabled --print --output-format json. Toolset adapters (web/mcp) ship per follow-up once cursor's surface is understood.
- Require explicit
model.
Status
Paused. Reopen when the install story is reliable across at least one of: a fixed Homebrew cask, a stable signed binary, or an officially documented CI install path that does not require shell-pipe-bash.
Cursor ships a
cursor-agentCLI for agents and scripts. Adding it as a pickled interface would extend matrix coverage to a third agentic CLI alongside Claude Code and Codex.Live probe result (2026-05-24): blocked
Status: does not run on this dev box. Homebrew install crashes on launch; pickled cannot drive an adapter that cannot start.
The native binding ships in the cask but macOS Gatekeeper refuses to load it.
brew uninstall && brew installreproduces the same error. The probe never reached-p --output-format stream-json; the binary cannot start, so the stdout/stderr/exit-code/provenance schema this issue was supposed to verify remain unverified.Possible workarounds (none tested):
xattr -d com.apple.quarantineon the native binding (manual per install).curl https://cursor.com/install -fsS | bashpath (different distribution; might or might not be quarantined).Any of these would unblock local use, but none of them make the CI story reliable. A cursor-cli adapter that requires users to
xattrtheir install or fall back to a shell-pipe-bash install on every CI runner is not the kind of adapter pickled should ship.Feasibility note (research, not implementation)
Per the agreed plan, doc-only findings against Cursor's current public docs (May 2026). These remain useful for whenever the install story stabilizes.
Install + auth
CURSOR_API_KEY(recommended for CI). Alternative:--api-key <key>CLI flag. Key is generated in Cursor Dashboard → Integrations → API Keys.Non-interactive surface
-p, --print--output-format text|json|stream-json--printjsonfor final answer,stream-jsonfor provenance--model <id>--mode plan|ask|agentask= read-only exploration;agent= fullaskfortoolset: nonecells--sandbox enabled|disabled-f, --force/--yolo--mode askfor safety)--workspace <path>tool.path--trust-H, --headerPrompt is passed via
-p "<text>"(argv), not stdin.Output shapes
--output-format json— single object on success:{ "type": "result", "subtype": "success", "is_error": false, "duration_ms": 1234, "duration_api_ms": 1234, "result": "<full assistant text>", "session_id": "<uuid>", "request_id": "<optional>" }--output-format stream-json— NDJSON events:system,user,assistant,tool_call,result. Only stream-json carries per-tool-call provenance.Open questions / risks
--no-file-editsflag.--mode askis the documented read-only path; the docs explicitly note "No flags explicitly disable file edits or restrict tool access." Safe default would be--mode ask --sandbox enabledsotoolset: nonecells cannot mutate the workspace.stream-jsonschema unverified; the live probe could not reach it.cursor-clias its own interface category, not as a flavor of an upstream provider.Scope (v1, after install stabilizes)
packages/core/src/targets/cli/cursor.ts.cursor-cli(mirrorsclaude-code/codex-clinaming).toolset: noneonly, using--mode ask --sandbox enabled --print --output-format json. Toolset adapters (web/mcp) ship per follow-up once cursor's surface is understood.model.Status
Paused. Reopen when the install story is reliable across at least one of: a fixed Homebrew cask, a stable signed binary, or an officially documented CI install path that does not require shell-pipe-bash.