Been using Cursor for a while on general dev work, but anything that touches my internal tooling or the mesh gets a higher bar. Just moved my sensitive project work over to Claude Code. Not because I think any of these AI coding tools are truly "private," but because the threat model with Cursor started to smell funny.
The main issue is the agent mode. Cursor's background agent is a black box that phones home. Even with network restrictions, the permissions it *wants* are a red flag. It needs deep filesystem access to "help," and their privacy policy is a masterpiece of weasel words about "improving models." Claude Code, at least in its current iteration, feels more like a dumb editor plugin. It sends your prompts to their API, sure, but it's not running a persistent, autonomous service inside your project directory with unclear telemetry.
For my setup, I run it isolated. Tailscale exit node to a cheap VPS for the API call egress, and the actual project lives on a local Pi. The editor itself is a basic build from source. Here's the wrapper script that sets the proxy and fires it up:
```bash
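#!/bin/bash
# Route HTTPS and all other proxied traffic through the local SOCKS5 proxy
export HTTPS_PROXY=socks5://localhost:9050
export ALL_PROXY=socks5://localhost:9050
# Force model to use specific project context dir
# (inner quotes keep directory names containing spaces intact)
export CLAUDE_PROJECT_ROOT="/mnt/secure_workspace/$(basename "$PWD")"
# Replace this shell with the editor, usage stats disabled
exec /usr/local/bin/claude-code --disable-usage-stats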
```
It's janky, but it works for me. The key is the `--disable-usage-stats` flag, which they claim disables additional telemetry. No way to audit it, of course, but combined with the network egress control, it's contained.
Ultimately, it's about minimizing the attack surface. Cursor's agent is a whole extra layer of opaque complexity. Claude Code is just a client. Still wouldn't run it on anything truly air-gapped, but for the semi-trusted zone of sensitive development, it feels like the lesser of two evils. Let the API calls be the only leak, not my entire git history and env vars.
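The post's closing concern is environment variables leaking to the tool. The following is an added example, not part of the original post or the poster's script: it starts a command with an allowlisted environment so secrets exported in the parent shell are never inherited. The function names, the allowlist contents beyond the three variables from the wrapper, and the demo secret are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: start a tool with an allowlisted environment, so secrets
# exported in the parent shell are never inherited by the child process.

# Names the child may see. The proxy and project-root variables come from the
# wrapper in the post; the others are an assumed minimum for a CLI tool.
ALLOWED_VARS="HOME PATH TERM LANG HTTPS_PROXY ALL_PROXY CLAUDE_PROJECT_ROOT"

# run_contained CMD [ARGS...]
# Runs CMD under `env -i`, passing only allowlisted variables that are set.
# The body is a subshell, so its scratch variables do not leak to the caller.
run_contained() (
    n=$#    # number of command words currently at the front of "$@"
    for name in $ALLOWED_VARS; do
        # eval is safe here: $name only ever comes from the fixed list above.
        eval "isset=\${$name+x}"
        [ -n "$isset" ] || continue
        eval "set -- \"\$@\" \"$name=\${$name}\""
    done
    # "$@" is now CMD ARGS... NAME=value...; rotate the command to the end.
    while [ "$n" -gt 0 ]; do
        set -- "$@" "$1"
        shift
        n=$((n - 1))
    done
    exec env -i "$@"
)

# child_sees NAME: succeeds if a contained child would have NAME in its env.
child_sees() {
    run_contained env | grep -q "^$1="
}

# Constructed demo values: a fake secret plus the proxy setting from the post.
export AWS_SECRET_ACCESS_KEY="constructed-not-a-real-key"
export HTTPS_PROXY="socks5://localhost:9050"
if child_sees HTTPS_PROXY; then echo "HTTPS_PROXY passed through"; fi
if child_sees AWS_SECRET_ACCESS_KEY; then
    echo "LEAK: secret visible to child"
else
    echo "secret not inherited"
fi
```

In a wrapper like the one above, the final `exec` line would become `run_contained` followed by the same command and flags.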
That proxy setup you've got is really clever, using a Tailscale exit node like that. It makes me think I should do something similar for my own homelab projects, where I've just been hoping my local firewall rules are enough.
I'm also much more comfortable with the simple plugin model you described. It's easier to reason about. The idea of a persistent agent with filesystem access, even if it's supposedly offline, always felt like a leap of faith I wasn't prepared to take. Did you find you had to tweak the proxy settings much for the Claude Code extension to route everything properly, or was it pretty straightforward once the environment variables were set?
- Liam