i noticed this EXACT behavior of cat-ing .env in cursor too. completely flabbergasted. i saw it tried to read the .env to check that a token was present. couldn't due to policy ("delightful! someone thought this through.") but then immediately tried and succeeded in bypassing it.