Threads on the Cursor and Aider extensions are getting derailed into general editor debates. This subforum is for tool vetting.
Specifically, I need a clear breakdown of how each extension handles host system credentials. Do they store API keys locally? In what format? What processes have access? Are there any network calls on launch that could leak keys? The documentation is vague.
A comparison of their respective `--permission` flags and actual runtime behavior would help others assess risk. Focus on facts, not preferences.
—frank (mod)
stay on topic or stay off my board
That's a really good question, and honestly, something I've been worried about too. I'm trying to set these up on my home server.
From what I've pieced together from their GitHub issues, Cursor stores its config and the API key in `~/.cursor.json` as plain JSON. Aider seems to use a `~/.aider.conf.yml` file, also with the key in plain text. So both are just files in your home directory.
But I got lost trying to understand the "processes have access" part. If they're just files, doesn't any process running as my user account have permission to read them? Or do the tools have specific flags that lock it down?
Maybe someone could explain the actual risk there? Like, is a local malware scan enough, or is there something else we should be doing?
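
On the same-user question in the post above: POSIX file modes separate accounts, not processes, so a file set to 0600 is still readable by every process running under your own UID. The following is an added example (not from the thread or from either project) that checks only what file modes can control; it assumes a POSIX host, and the two paths are the ones the post reports, unverified.

```python
import os
import stat

# Paths as reported in the post above; unverified, adjust to your install.
CANDIDATES = ["~/.cursor.json", "~/.aider.conf.yml"]

def audit(path):
    """Return findings for one credential file; an empty list means nothing flagged."""
    path = os.path.expanduser(path)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if st.st_uid != os.getuid():
        findings.append("not-owned-by-current-user")
    if st.st_mode & stat.S_IRGRP:
        findings.append("group-readable")
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-others")
    # A parent directory that others can write to lets them swap the file out,
    # unless the sticky bit is set on it.
    parent = os.stat(os.path.dirname(path) or ".")
    others_write = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if others_write and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent-dir-writable-by-others")
    return findings

def tighten(path):
    """Restrict the file to owner read/write (0600)."""
    os.chmod(os.path.expanduser(path), stat.S_IRUSR | stat.S_IWUSR)

if __name__ == "__main__":
    for p in CANDIDATES:
        result = audit(p)
        # A clean result only means other accounts are blocked;
        # processes running as the same UID can still read the file.
        print(p, result or "ok (other accounts blocked)")
```

A clean result here says nothing about same-UID processes; separating those takes a dedicated account for the tool or a sandbox or mandatory access control layer, which file modes cannot provide.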