You can now let your agent run longer with fewer interruptions!
Auto-review is a new run mode that lets Cursor work for longer with fewer approval prompts, while keeping execution safe. It applies to Shell, MCP, and Fetch tool calls.
Every call goes through three checks in order:
Allowlist: if the call matches your terminal or MCP allowlist, it runs immediately.
Sandbox: if the call can run sandboxed, it runs there with network and filesystem restrictions. Available on macOS, Linux, and Windows (via WSL2); other platforms skip to the classifier.
Classifier: anything else goes to an LLM classifier, along with your current request and your custom instructions. It decides whether to allow the call, try a different approach, or surface a standard approval prompt.
The classifier adds no extra cost on top of your existing agent usage.
One thing to keep in mind: the classifier is non-deterministic and can make mistakes in both directions, so treat Auto-review as best-effort convenience, not a security boundary. For strict control, stick with Allowlist and approve calls yourself.
Set your run mode in Settings > Cursor Settings > Agents > Run Mode, and steer the classifier with custom instructions! More information in our docs.
Nice, however it would be better if I could add a specific instruction to the classifier: e.g. “Do not run any npx commands, allow all read only commands, disallow any commands that would modify files outside of the project directory”.
You can do that with a .cursor/permissions.json file in your repo!
{
"autoRun": {
"allow_instructions": [
"Allow read-only shell commands that inspect files, directories, git state, logs, process status, or command output without modifying files or external state.",
"Allow read-only MCP, WebFetch, and WebSearch calls that retrieve or inspect data without creating, updating, deleting, posting, triggering, or deploying anything."
],
"block_instructions": [
"Block all npx commands, regardless of arguments or apparent intent.",
"Block commands that create, edit, move, delete, chmod, chown, format, install, generate, or otherwise modify files outside the current project directory."
]
}
}
I would like to have Auto-Review (without sandbox) option. To me, sandbox never properly works, just confuses the model, and I don’t even understand the value proposition of it.
Allowlist + Classifier (with instructions) should be good enough. No need for sandbox at all.
Feature request: bring Auto-review to the Cursor CLI
The CLI (agent) only exposes approvalMode: “allowlist” or “unrestricted” — there’s no equivalent of the IDE’s Auto-review classifier. For people running agents in Docker sandboxes, CI, or headless (agent -p) mode, this gap matters:
unrestricted auto-approves everything (shell, MCP, fetch, file writes) with no classifier gate
allowlist is too interactive for unattended workflows
sandbox + unrestricted confines shell side-effects but still skips the classifier for MCP/fetch/file tools
A new approvalMode: “auto-review” in cli-config.json — reusing the existing permissions.json autoRun block for classifier steering — would close this gap and give IDE/CLI parity. The same three-step flow (allowlist → sandbox → classifier) would work great for headless/CI use cases where you want throughput without full --yolo.
@Colin would you be able to support my feature request for enabling Auto-review Run Mode on Cursor CLI?
This will make Cursor CLI more attractive than Claude Code for me. They are the only two AI coding agents I have access to at work, and our Cursor budgets are a lot higher so I can use it more.
So I enabled this. Programmed a bit. Took longer ansd longer. Then needed to go to bed, gave it a simple task like 30 seconds normally fix. Came back the next morning, it was still stuck in a “Explored 2 files, 3 searches, chat context summarized” LOOP like over and over and over again explored and summarized and my quota was at 99%. It fried my whole plan in one night doing absolutely nothing!
Now I can’t get it back. I disabled the auto renew thing but it still keeps doing it
Yeah it popped up as a new feature and asked if I wanted to enable it. I said yes. Then my tasks got slower and slower as the agent was keeping doing Explored - chat context summarized. Like over and over and over. Then I had to go to bed because it took SO long on a 30 second bug fix.
Next morning got to the PC and it was still in the Explore - chat summarize LOOP but my quota for auto and AI were both depleted at 99%.
I contacted suport they say they are working on it, but in the meantime… I obviously rolled back the auto-review to allow list but it is still going crazy and I have to stop it often. It is not usable right now.