Auto-review Run Mode

Colin · May 29, 2026, 5:04pm

You can now let your agent run longer with fewer interruptions!

Auto-review is a new run mode that lets Cursor work for longer with fewer approval prompts, while keeping execution safe. It applies to Shell, MCP, and Fetch tool calls.

Every call goes through three checks in order:

Allowlist: if the call matches your terminal or MCP allowlist, it runs immediately.
Sandbox: if the call can run sandboxed, it runs there with network and filesystem restrictions. Available on macOS, Linux, and Windows (via WSL2); other platforms skip to the classifier.
Classifier: anything else goes to an LLM classifier, along with your current request and your custom instructions. It decides whether to allow the call, try a different approach, or surface a standard approval prompt.

The classifier adds no extra cost on top of your existing agent usage.

One thing to keep in mind: the classifier is non-deterministic and can make mistakes in both directions, so treat Auto-review as best-effort convenience, not a security boundary. For strict control, stick with Allowlist and approve calls yourself.

Set your run mode in Settings > Cursor Settings > Agents > Run Mode, and steer the classifier with custom instructions! More information in our docs.

Available now in Cursor 3.6!

liquefy · May 29, 2026, 6:28pm

Nice, however it would be better if I could add a specific instruction to the classifier: e.g. “Do not run any npx commands, allow all read only commands, disallow any commands that would modify files outside of the project directory”.

Colin · May 29, 2026, 6:36pm

You can do that with a .cursor/permissions.json file in your repo!

{
  "autoRun": {
    "allow_instructions": [
      "Allow read-only shell commands that inspect files, directories, git state, logs, process status, or command output without modifying files or external state.",
      "Allow read-only MCP, WebFetch, and WebSearch calls that retrieve or inspect data without creating, updating, deleting, posting, triggering, or deploying anything."
    ],
    "block_instructions": [
      "Block all npx commands, regardless of arguments or apparent intent.",
      "Block commands that create, edit, move, delete, chmod, chown, format, install, generate, or otherwise modify files outside the current project directory."
    ]
  }
}

sergey-ltk · May 30, 2026, 5:55pm

I would like to have Auto-Review (without sandbox) option. To me, sandbox never properly works, just confuses the model, and I don’t even understand the value proposition of it.

Allowlist + Classifier (with instructions) should be good enough. No need for sandbox at all.

Topic		Replies	Views
The configuration settings for sandboxing and auto-run are lacking Feedback sandbox , terminal , auto-run	0	130	January 29, 2026
Disable permissions ask in sandbox Feature Requests sandbox , terminal , auto-run , cli	1	107	April 13, 2026
No option to use allowlist without sandbox Feedback sandbox , terminal , auto-run	3	465	March 4, 2026
Allowlist in sandbox mode Feature Requests sandbox , terminal , auto-run	0	138	April 3, 2026
'Composer 2 Fast' prompting to approve most, if not all, of its internal workings Help terminal , auto-run , composer	4	142	March 22, 2026

Auto-review Run Mode

Related topics