Securie for Cursor — security guardrails for AI-pair-coded apps (25.49M MAU)

roadmap

Cursor is the dominant AI-pair-coding IDE: Anysphere's $9.9B valuation reflects the 25.49M monthly visitors per Semrush March 2026 data. Securie's role is to catch what Cursor's autocomplete and agent mode introduce by default. In particular: AuthAuthz checks on auto-generated Server Actions, the secrets specialist on `.cursor/` config inclusion, and post-fix, sandbox-verified BOLA (broken object-level authorization) checks on the dynamic-route handlers Cursor is fond of writing.

What it does

Cursor's autocomplete + agent mode generate code at scale. AI-generated auth and data-access code repeatedly fails in predictable ways: missing ownership checks, permissive middleware, leaked local config, and over-broad database access. Securie's specialists run on every PR Cursor touches: the AuthAuthz/BOLA specialist catches dynamic-route handlers without ownership checks, the secrets specialist flags `.cursor/` directory inclusion in publish artifacts, and the post-fix sandbox replayer confirms the patch genuinely closes the bug.
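The missing-ownership-check pattern named above, shown next to its corrected form. This is an added, framework-free illustration, not code from Securie or Cursor; the invoice data, handler names and the `leaksAcrossOwners` regression check are hypothetical and constructed for the example.

```typescript
// Added example: constructed in-memory data, hypothetical names throughout.
type Session = { userId: string } | null;
type Invoice = { id: string; ownerId: string; total: number };
type Result = { status: number; body?: Invoice };
type Handler = (session: Session, params: { id: string }) => Result;

// Constructed sample rows standing in for a database table.
const invoices: Invoice[] = [
  { id: "inv_1", ownerId: "alice", total: 120 },
  { id: "inv_2", ownerId: "bob", total: 75 },
];

// Common generated shape for a dynamic route such as /invoices/[id]:
// the caller is authenticated, then the id from the URL is trusted as-is.
const getInvoiceUnchecked: Handler = (session, params) => {
  if (!session) return { status: 401 };
  const row = invoices.find((i) => i.id === params.id);
  return row ? { status: 200, body: row } : { status: 404 };
};

// Corrected form: the lookup is scoped to the caller, so another user's
// record is indistinguishable from a missing one (404, no existence leak).
const getInvoiceOwned: Handler = (session, params) => {
  if (!session) return { status: 401 };
  const uid = session.userId;
  const row = invoices.find((i) => i.id === params.id && i.ownerId === uid);
  return row ? { status: 200, body: row } : { status: 404 };
};

// Regression check: for every record, call the handler as each non-owner
// and report whether any such call succeeds. Run it before and after a fix.
function leaksAcrossOwners(handler: Handler): boolean {
  return invoices.some((target) =>
    invoices
      .filter((other) => other.ownerId !== target.ownerId)
      .some((other) =>
        handler({ userId: other.ownerId }, { id: target.id }).status === 200,
      ),
  );
}

console.log("unchecked handler leaks:", leaksAcrossOwners(getInvoiceUnchecked));
console.log("owned handler leaks:", leaksAcrossOwners(getInvoiceOwned));
```

With Supabase the same scoping is usually enforced a second time in the database through row-level security, so a handler that forgets the filter still returns nothing.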

When to use it

Any team using Cursor for non-toy production apps, especially any team where Cursor's agent mode has access to production credentials.

Limitations

Available by request. Securie's strongest coverage is TypeScript + Next.js + Supabase; Cursor users on other stacks see fewer specialists fire. Direct Cursor-extension integration ships later.

Install

  1. Install the Securie GitHub App on the same repo Cursor pushes to
  2. Configure your editor's pre-commit hook to fail on Securie-blocked merges
  3. Add `.cursor/` to `.gitignore` and `.npmignore`
  4. Set per-key spend caps on every paid AI API Cursor uses
  5. Push any Cursor-edited commit; Securie reviews on the PR within 30-90 seconds

Listed on

Cursor Forum