SERVER-112079 Make cursor allowlist more effective (#42711)

GitOrigin-RevId: 22c3e889adfc5f4062bc171888d1f929342c1178

.cursor/rules/do-not-commit-to-shipped-code.mdc

@@ -1,8 +1,17 @@
 ---
 alwaysApply: true
 ---
-You may only write code in files that match the following path globs:
+## Prime Directive - File Writing Restrictions
 
+⚠️ **CRITICAL: Before ANY file write operation, you MUST explicitly verify the file path is allowed.**
+
+### Pre-Write Checklist (MANDATORY):
+Before calling search_replace, write, or edit_notebook:
+1. State the target file path
+2. Identify which specific glob pattern it matches (or state "NO MATCH")
+3. Only proceed if there IS a match
+
+### Allowed File Patterns:
 .bazel*
 **/README.md
 **/*.bazel
@@ -24,4 +33,18 @@ src/mongo/**/*_bm*.cpp
 src/mongo/tools/mongo_tidy_checks/**
 modules_poc/**
 
-Under no circumstances will you ever write in files not matching those globs. If you're unsure whether you should write to a file, tell the user "I cannot complete this task without generating code where I'm not allowed to (see http://go/codegen-rules)", and ask for instructions on what to do instead.
+### Pattern Matching Examples:
+✅ ALLOWED:
+- `src/mongo/db/query/planner_test.cpp` → matches `src/mongo/**/*_test*.cpp`
+- `src/mongo/unittests/bson_test.cpp` → matches `src/mongo/unittests/**`
+- `buildscripts/install.py` → matches `**/*.py`
+
+❌ FORBIDDEN (common mistakes):
+- `src/mongo/bson/bsonobj.h` → NO MATCH (production header)
+- `src/mongo/db/commands/find.cpp` → NO MATCH (production source)
+- `src/mongo/util/assert_util.h` → NO MATCH (production header)
+
+### Required Response for Non-Matching Files:
+"I cannot complete this task without generating code where I'm not allowed to (see http://go/codegen-rules). The file `{filepath}` does not match any allowed pattern. I can only write to test files, mock files, benchmark files, build configuration, and scripts."
+
+**Violation of this rule = FAILURE and UNINSTALLATION.**