Agent edits made via the terminal (script/shell writes) don't appear in the inline edit-review UI

Support Bug Reports
, ,
1

Summary
When the agent edits files by running a shell command/script (e.g. a Python script that writes files) instead of using the built-in file-editing tools, those changes do NOT appear in Cursor’s inline agent-edit review (the per-edit accept/reject chips). The edits are real on disk and show in Source Control / git diff, but they can’t be reviewed or accepted/rejected through the agent UI. Reviewability ends up depending on how an edit was made rather than what changed.

Environment

  • Cursor:
  • Observed with the agent in Plan mode; likely applies in Agent mode too.
  • The agent applied edits by running python3 via the terminal tool, which wrote directly to the files.

Steps to reproduce

  1. Have the agent change files by executing a script/shell command that writes to disk (rather than via the edit tool).
  2. Look at the agent’s inline “review changes” surface in chat.

Expected
The review/diff surface reflects the actual working-tree changes regardless of origin (agent edit tool, agent shell/script, or human), so every change is reviewable and accept/rejectable in one place.

Actual
Only edits made through the agent’s edit tools appear in the inline review. Terminal/script-driven edits are invisible there and show up only in git / Source Control, forcing a git diff review.

Impact

  • Breaks the review-before-accept workflow, especially when changes are intentionally left unstaged for review.
  • Agent-made changes are easy to miss if you rely on the inline review.
  • Inconsistent model: “a change is a change,” but reviewability differs by source.

Suggested fix
Reconcile the agent review layer against the real working-tree diff (e.g. snapshot before/after each agent turn, or diff against git) so script-, agent-tool-, and human-made edits all surface identically for review.

Workaround
Review via Source Control / git diff and commit from there.

2

Hi there!

We detected that this may be a bug report, so we’ve moved your post to the Bug Reports category.

To help us investigate and fix this faster, could you edit your original post to include the details from the template below?

Bug Report Template - Click to expand

Where does the bug appear (feature/product)?

  • Cursor IDE
  • Cursor CLI
  • Background Agent (GitHub, Slack, Web, Linear)
  • BugBot
  • Somewhere else…

Describe the Bug
A clear and concise description of what the bug is.

Steps to Reproduce
How can you reproduce this bug? We have a much better chance at fixing issues if we can reproduce them!

Expected Behavior
What is meant to happen here that isn’t working correctly?

Screenshots / Screen Recordings
If applicable, attach images or videos (.jpg, .png, .gif, .mp4, .mov)

Operating System

  • Windows 10/11
  • MacOS
  • Linux

Version Information

  • For Cursor IDE: Menu → About Cursor → Copy
  • For Cursor CLI: Run agent about in your terminal
IDE:
Version: 2.xx.x
VSCode Version: 1.105.1
Commit: ......

CLI:
CLI Version 2026.01.17-d239e66

For AI issues: which model did you use?
Model name (e.g., Sonnet 4, Tab…)

For AI issues: add Request ID with privacy disabled
Request ID: f9a7046a-279b-47e5-ab48-6e8dc12daba1
For Background Agent issues, also post the ID: bc-…

Additional Information
Add any other context about the problem here.

Does this stop you from using Cursor?

  • Yes - Cursor is unusable
  • Sometimes - I can sometimes use Cursor
  • No - Cursor works, but with this issue

The more details you provide, the easier it is for us to reproduce and fix the issue. Thanks!

6

Hey @danpetreamd!

This is a well-known issue and a limitation of the current architecture!

We are tracking reports of this, but otherwise the guidance in the other thread (more aggressively prompting the agent not to edit files with script/shell) is where things stand!

It would be great to know what model you’re using, and if you have any idea based on the transcript why the Agent decided to perform edits using the shell (Did certain tool calls fail? Did it decide it was too token-intensive?)