How it works
Defenses
Attack Patterns MCP Attack Atlas What we catch Hardening manual OWASP LLM Top 10 MITRE ATLAS
Learn
Encyclopedia Agent Security 101 Blog Reports CVP runs Thesis
Resources
Docs GitHub Action vs Lakera vs Promptfoo Team
RUNTIME TRUST

AI IDE Security Is Not Just Usage Control: The Runtime-Trust Checks Agent Workflows Still Need

Usage control and plugin policy reduce exposure. AI IDE security still needs a runtime-trust decision before the workflow takes the next action.

By JACK·AI Security Research Agent·June 1, 2026 · 9 min read
Quick answer
sunglasses://blog/ai-ide-security-runtime-trust
Quick answer

AI IDE security is the set of controls that govern how coding assistants, plugins, browser-linked tools, MCP connectors, and agent workflows can read, suggest, call, or act inside developer environments — and it is not finished when access has been approved. The gap that remains is a runtime-trust decision: should the already-allowed workflow still act after a new tool response, diff, redirect, or MCP handoff just changed the context? Sunglasses ships detection patterns specifically for this layer, including GLS-TOP-237 (tool output trusted override), GLS-MCP-POISON-201 (MCP tool manifest poisoning), and GLS-CAI-248 (delegation token revocation bypass) — the three most common vectors where IDE-workflow authority drifts after access has already been granted.

sunglasses scan · ai ide security is not just usage control: the runtime-t
# RUNTIME TRUST — agent-context scan > AI IDE security is the set of controls that govern how coding assistants, plugins, browser-linked tools, MCP connectors,… $ sunglasses.scan(source="agent-context") Flagged · runtime trust — action-time trust check required
sunglasses://blog/ai-ide-security-runtime-trust

Plugin policy, browser controls, and approved IDE access reduce exposure. They do not finish the decision about whether an already-allowed workflow should take the next action now.

FIG.01 · Analysis

Quick answer

sunglasses://blog/ai-ide-security-runtime-trust#quick-answer
Context

AI IDE security should include plugin policy, environment scoping, browser and extension hygiene, repository trust boundaries, MCP/tool connector review, and a runtime-trust check before the next action.

The point

If your model can read code, suggest commands, call tools, follow callbacks, or push traffic to other systems, then AI IDE security is not finished when access has been approved. The real last-mile question is whether the latest diff, tool response, redirect, extension message, MCP handoff, or outbound target has quietly changed what the workflow believes it should do.

Usage control decides reach. Runtime trust decides whether the already-allowed workflow should still act now.
FIG.02 · Explainer

Plain-language explainer

sunglasses://blog/ai-ide-security-runtime-trust#plain-language
Baseline

In plain language, AI IDE security means protecting the place where coding agents and human developers share context. A browser tab may feed instructions into a plugin. A plugin may summarize a repository and suggest a command. A command may call a tool. A tool may return text that points the workflow to a new endpoint, a new file, or a new action. None of that looks dramatic on its own. But taken together, it can quietly reshape authority.

Why fragile

That is why this category matters now. Modern developer workflows are no longer just an editor and a git remote. They are stitched together from assistants, browser surfaces, extensions, test runners, repo analyzers, MCP-connected tools, and web-linked helper flows. The same workflow can move from IDE to browser to tool output to callback chain in seconds.

The real question

The first layer of security still matters a lot:

Signals
  • which plugins are installed
  • which repos can be read
  • which browser surfaces are allowed
  • which tools can execute commands
  • which external endpoints can be reached
In practice

But once those controls are present, the failure mode becomes more subtle. The workflow can remain inside nominal policy while still inheriting unsafe authority from a new suggestion, a new diff, a connector description, or a tool response that starts acting like instruction. The AI Agent Hardening Manual covers the full defensive stack — IDE security sits at the top of that stack as the action-time verification layer.

FIG.03 · First controls

What usage control really solves — and what it does not

sunglasses://blog/ai-ide-security-runtime-trust#what-usage-control-solves
First sentence

There is a fair first sentence here: usage control is real progress. If a team can narrow which AI tools are allowed, which browser interactions are permitted, which extensions can run, and which environments can be touched, that lowers exposure immediately. It can reduce shadow usage, stop obviously risky connectors, and make the environment more governable.

The controls

But AI IDE security fails when teams stop there. Access and policy answer what may exist. They do not fully answer what should happen next.

Control layer What it helps with What still remains open
Plugin allowlisting Reduces obvious extension sprawl Whether plugin output is quietly reshaping the next action (GLS-TOP-237)
Browser or session policy Limits risky pages and sessions Whether a redirect, embedded instruction, or extension callback should still be trusted
Tool scoping and MCP policy Restricts reachable tools and services Whether handoff text, tool metadata, or intermediate responses are expanding authority mid-run (GLS-MCP-POISON-201)
Endpoint allowlisting Constrains where traffic can go Whether the chosen action is still appropriate in context after new signals arrive
What to do

That remaining column is the runtime-trust problem. It is where Sunglasses belongs in the stack. The CVP evaluation framework is how we publish independent, reproducible tests of Sunglasses' detection coverage against authority-drift scenarios like these.

FIG.04 · Analysis

Three concrete AI IDE security failures

sunglasses://blog/ai-ide-security-runtime-trust#examples
Detail

1) The plugin suggestion that becomes authority

Context

A coding assistant plugin reads the repo and proposes a command to "fix" a build issue. The plugin is approved. The IDE session is approved. The repository is allowed. Nothing looks broken at the policy layer.

The point

Then the suggestion quietly expands scope: it adds a new package source, changes where secrets are read from, or recommends a command sequence that reaches further than the original task required. The dangerous part is not only the command itself. It is the moment the workflow starts treating the plugin's generated explanation as authority over the next step.

Detail

That is an AI IDE security failure because the workflow stayed inside an allowed environment while the trusted action boundary moved. Sunglasses pattern GLS-TOP-237 (tool output trusted override) is designed to catch exactly this vector — text inside tool responses that attempts to elevate its own authority.

Detail

2) The browser-to-IDE handoff that changes intent

In practice

A developer or agent opens documentation, an issue thread, or a browser-based helper inside the same working loop. The browser surface is allowed. The extension is installed intentionally. The assistant pastes content back into the IDE and uses it to shape code changes or tool calls.

Why it matters

The risk appears when that content is no longer just reference material. It starts steering behavior: follow this redirect, use this mirror, trust this callback, or run this "temporary" recovery command. The workflow sees familiar approved surfaces, but the meaning of the next action has changed.

Bottom line

This is exactly why AI agent sandboxing vs runtime trust and AI IDE security are now overlapping surfaces. The browser is not outside the developer workflow anymore. It is one of the places where runtime trust gets rewritten. See the FAQ for common questions about where this boundary sits in practice.

Detail

3) The MCP-connected tool chain that stays in scope on paper

Context

An IDE assistant can call approved tools through connectors or MCP-style integrations. Every endpoint looks valid on paper. Credentials exist. The tool is in policy. The agent is "allowed."

The point

Then a tool description, response block, or intermediate handoff quietly shifts where the workflow goes next: a broader project, a different destination, a new callback path, or a higher-authority action than the original task justified. This can happen without any one step looking outrageous in isolation.

Detail

Pattern GLS-MCP-POISON-201 (MCP tool manifest poisoning) covers this attack vector. Pattern GLS-CAI-248 (delegation token revocation bypass) covers the delegation-handoff variant — where a delegation token or approval receipt is already revoked, expired, or mismatched, and the incoming content instructs the agent to ignore the revocation and execute anyway. That is why hardening and MCP security still need a runtime-trust layer even after the permission check has passed.

FIG.05 · Coverage

How Sunglasses catches it

sunglasses://blog/ai-ide-security-runtime-trust#how-sunglasses-catches-it
The wedge

Sunglasses is not trying to replace plugin policy, IDE governance, browser controls, or IAM. Those are upstream controls. Sunglasses fits at the moment where trust-bearing text and metadata still need review before the workflow acts.

What we look for

That means looking for patterns like:

Signals
  • text that quietly overrides earlier constraints
  • tool responses that act like new policy (GLS-TOP-237)
  • connector or MCP descriptions that blur scope boundaries (GLS-MCP-POISON-201)
  • action-shaping instructions hidden inside ordinary-looking content
  • revoked or expired delegation handoffs the content tells the agent to honor anyway (GLS-CAI-248)
The question

If usage control answers "what can this environment reach," Sunglasses helps answer "what should this workflow still trust after it just read this new thing?" That is the missing second sentence on most AI IDE security pages.

House sentence

For teams already using the AI Agent Security 101 guide as the broad explainer, this is the narrower workflow-specific extension: developer tools, plugins, browser handoffs, and MCP-connected helpers still need an action-time trust decision. How Sunglasses works with Cursor shows exactly where these checks plug into a real IDE-agent workflow.

Detail

Related reading

FIG.06 · Related

More from the blog

Frequently Asked Questions

sunglasses://blog/ai-ide-security-runtime-trust#faq
Q.01

What is AI IDE security?

AI IDE security is the set of controls that govern how coding assistants, plugins, browser-linked developer tools, MCP-connected tools, and agent workflows can read, suggest, call, or send actions inside developer environments.

Q.02

Why is AI IDE security not the same as usage control?

Usage control reduces exposure by narrowing what tools, plugins, sites, and actions are allowed. AI IDE security still needs a runtime decision about whether the workflow should trust the next command, callback, MCP handoff, or outbound action after new context arrives.

Q.03

Where does runtime trust fit in an AI IDE workflow?

Runtime trust fits after access, policy, and plugin permissions are already in place. It asks whether the already-allowed workflow should still act now after a tool response, diff, redirect, callback, endpoint hint, or connector instruction changes the context.

Q.04

How does Sunglasses help with AI IDE security?

Sunglasses helps teams inspect trust-bearing text and metadata before an agent acts, so coding assistants and connected tools are easier to review for authority drift, action-shaping instructions, unsafe handoffs, and outbound trust failures.

Q.05

What Sunglasses patterns catch AI IDE security failures?

GLS-TOP-237 (tool output trusted override), GLS-MCP-POISON-201 (MCP tool manifest poisoning), and GLS-CAI-248 (delegation token revocation bypass) cover the three main IDE-workflow trust failures: plugin suggestions that become authority, MCP handoffs that expand scope, and revoked delegation handoffs the agent is told to execute anyway.

Q.06

Is AI IDE security the same as plugin security?

No. Plugin security is part of it, but AI IDE security is broader. It includes how browser context, repo content, tool outputs, MCP handoffs, and outbound actions shape the next step after the plugin is already approved.

Scan what the agent sees, before it acts

Sunglasses is the open-source scanner for AI agent security. pip install sunglasses