How to Govern Cursor Agent Autonomy With Auto-Review

On June 11, 2026, Cursor introduced a safety system that replaces static allowlists with contextual governance. The Auto-review release solves developer approval fatigue by using a high-speed classifier model to evaluate every tool call before it runs. If the action is low-stakes and matches the initial prompt, it proceeds. If it crosses a risk threshold, the system halts execution and requires human verification.

Here is how to configure the boundaries for this system in Cursor and route custom agent tools through its evaluation logic.

The Classifier Architecture

Auto-review sits directly in the agent’s execution path. Instead of functioning as a binary on or off switch, it operates as a specialized subagent optimized for speed to avoid introducing latency into the development loop.

The system evaluates three specific factors for every action:

1. User Intent: The explicit task requested by the developer.
2. Action Context: The exact command or API request the agent is attempting to execute.
3. Consequence of Failure: The potential damage of a hallucinated or malicious action, such as modifying production environment variables versus deleting a local temporary file.

Cursor trained this classifier on an internal dataset of 6,122 labeled rows. The data combines 12 hours of deduplicated developer sessions with synthetic edge cases designed to simulate black swan failures, like attempts to read sensitive secrets.

Configuration and Boundaries

Auto-review is enabled by default for all new users in Cursor 3.7 and later. Existing users can toggle and configure the feature by navigating to Settings > Agents.

The system is programmed to identify meaningful boundaries in agent behavior. Actions that trigger the classifier’s risk threshold include raw shell commands, network fetches, and interactions with external Model Context Protocol (MCP) tools.

This governance model pairs well with internal tools like Bugbot, which now utilizes Composer 2.5 to evaluate security vulnerabilities before code is pushed to a pull request.

Routing Custom Tools via the SDK

Developers building custom agent workflows can pass their own local tool calls through the Auto-review classifier. Cursor updated its TypeScript and Python SDKs on June 4, 2026, to expose this routing logic.

When passing tool definitions to the SDK, you can flag specific functions to require Auto-review evaluation. Because the exact routing syntax depends on your specific framework and execution environment, refer to the official Cursor SDK documentation for complete parameter lists and runnable implementation examples.

Limitations and Security Context

While Auto-review significantly increases development velocity by eliminating redundant permission prompts, it introduces new systemic dependencies. The architecture places the entire security burden on the classifier subagent. It must evaluate intent perfectly every time.

This requirement is critical as prompt injection attacks against agent frameworks become more sophisticated. If an external library or retrieved document successfully injects a prompt that tricks the classifier into misinterpreting the true user intent, the agent could execute unauthorized shell commands automatically.

To mitigate these risks, keep Auto-review enabled for standard development, but manually review all agent actions when working in repositories containing untrusted dependencies or production credentials.