Javlon Baxtiyorov
← Writing

Your editor is now a training pipeline: what Grok 4.5 means for code provenance

Cursor's blog says Grok 4.5 was trained on trillions of tokens of real developer-agent sessions, and no public document says whether yours were in the set. The reason that question is unanswerable is the story.

Your editor is now a training pipeline: what Grok 4.5 means for code provenance
Photo · Unsplash

No public document tells you whether your specific coding sessions, under your specific plan, were in the Grok 4.5 training set. That is not an oversight I can point to and complain about. It is the shape of the arrangement now, and if you write code inside Cursor it is the fact you have to plan around.

Start with the timeline, because the speed of it is the point. On April 21, 2026, SpaceX — which had absorbed xAI in February — announced a $10 billion investment in Anysphere, Cursor's maker, with an option to acquire it outright for $60 billion, plus access to xAI's Colossus cluster (roughly 200,000 GPUs, scaling toward a million). On June 16 the option was exercised: a $60 billion all-stock acquisition, expected to close in Q3 pending regulators. A private beta followed on June 28. On July 8, Grok 4.5 shipped publicly, described by Cursor as the first model jointly trained by Cursor and xAI. Fewer than three months from investment to a shipped frontier model, with the editor vendor and the model lab ending as one balance sheet.

What 'trained on Cursor sessions' actually means

Cursor's own blog is direct about the input. Grok 4.5's training incorporated "trillions of tokens" of Cursor user data capturing developer-agent interactions, plus a distributed agent RL system that generates training environments from real sessions. This is not scraped public code. It is the transcript of you working — your prompts, the agent's tool calls, the edits you accepted and rejected, the shape of how you actually solve problems.

Read the blog again for what it does not say. No consent mechanism is named. There is no stated split between opted-in data and default data, no independent benchmark, no third-party audit of what went in. Engadget's coverage at launch found the same absence: company claims, no independent provenance analysis, no privacy examination. The one set of numbers that is public — pricing at $2 per million input tokens, trained on tens of thousands of GB300 GPUs, unavailable in the EU at launch — tells you about the product, not about whose work paid for it.

Privacy Mode, and the seam it leaves open

Cursor does have a control, and it is real as far as it goes. With Privacy Mode on, you get zero data retention with model providers and your code is not used for training. Business and Enterprise plans have it on by default and enforced. That is the honest half.

The other half: for individual users, Privacy Mode is off by default, and off means your codebases, prompts, and editor actions can be used to improve AI features and to train models. So the default state of a solo developer's account is the state that feeds the pipeline. You have to know the control exists, find it, and turn it on — before the sessions accumulate, not after.

And the mode does not cover everything you might assume it does. A November 2025 Hacker News thread documented that on team and enterprise subscriptions, commit-level telemetry is sent to Cursor's servers and cannot be disabled regardless of your Privacy Mode setting. Cursor's own Data Use page notes that risk and abuse classifiers may retain flagged data for investigation. Enterprise telemetry is a separate channel from training-data policy; abuse retention is a third. "Privacy Mode on" answers one question cleanly and leaves two others open by design.

How cleanly it answers even that one is worth a look. When a developer asked on Cursor's forum whether grok-code-fast-1's free period carved out an exception to the retention policy, a staff member eventually replied: "Privacy mode is privacy mode, doesn't matter the model." A good answer. The user had waited roughly a month to get it. If the simple yes/no takes a month, the provenance question — the one with no simple answer — is not going to be fast either.

The precedent that undercuts the docs

Here is why I do not treat the official documentation as sufficient. Cursor shipped Composer 2 without disclosing that its base model was Moonshot AI's Kimi K2.5. That did not come out in a blog post. A developer intercepted the literal model ID in API traffic, and co-founder Aman Sanger then admitted, "It was a miss to not mention the Kimi base in our blog from the start." Kimi's modified MIT license requires prominent attribution above a revenue threshold Cursor had cleared several times over at roughly $2 billion annualized, and the attribution was absent from the marketing.

I am not raising this to relitigate one disclosure. I am raising it as the calibration fact. What is actually inside a model you use daily was not verifiable from the official docs — it took someone reading packets. Composer 2's technical report is precise about method: RL in realistic Cursor sessions with the same tools and harness the deployed model uses, evaluated on CursorBench built from real coding sessions, scoring 61.3 on CursorBench, 73.7 on SWE-bench Multilingual, 61.7 on Terminal-Bench. The report is honest about how the model was trained and stayed quiet about what it was built on. Both were true at once. That is the gap you are operating inside.

Why vertical integration changes the calculus

The Copilot-era provenance fight was about public code, scraped once, and litigated slowly — Doe v. GitHub, filed in 2022, had its core copyright claims narrowed on standing in 2024 and 2025, with breach-of-contract and DMCA §1202 claims surviving into appeals as of now. That fight had a seam you could argue in: the tool and the training run were legibly separable events with a public dataset in between.

This arrangement has no such seam. The data is private, in-flight, and continuous, and the tool vendor and the model lab are converging onto one balance sheet. Privacy Mode was meaningful in part because "tool vendor" and "model provider" were different companies with different incentives; the mode drew a line between them. When one owns the other, the line still exists on paper but the incentive that policed it is gone. Cursor's privacy policy still describes xAI as a generic third-party provider. The business reality — $10B in, a $60B acquisition, shared Colossus infrastructure — is a different document, and public disclosure of what is actually inside has been lagging that reality by months.

This is the pattern, not the exception. OpenAI's roughly $3 billion move on Windsurf — 800,000-plus developers, a thousand-plus enterprises — was read widely as a play for usage data and developer lock-in as much as the product. Google's December 2025 partnership with Replit, whose annualized revenue had grown from $2.8M to $150M in a year, was framed openly as an answer to Cursor's momentum in vibe coding. The editor is being understood, across the industry, as a data asset.

What you can actually do this week

Concrete steps, in order. Verify your Privacy Mode status against your exact plan tier — do not assume; individual accounts default to off. Know that enterprise commit telemetry is a separate channel from training-data policy, so "we're on Business" does not mean "nothing leaves." When a vendor says "opt-in," ask what it actually gates: retention, training, both, per model or account-wide. Watch for undisclosed base-model swaps — the Kimi case says the model ID in your API traffic is more reliable than the blog. And treat vendor blog posts as marketing, not documentation, for any provenance question.

The unresolved question is the honest close. There is no public document stating whether your sessions, under your plan, were in the Grok 4.5 set. Set your controls for the world where the answer is yes, because that is the only version you can act on — and note the date you did it, so the record shows what was true when you decided.

Read next All writing →
← All writing Get in touch →