Where does the bug appear (feature/product)?
Cursor IDE
Describe the Bug
Incident: Cursor agent scope violations — unrequested refactors, question treated as edit, code changed during report-only work (2026-05-28)
Status
Partially remediated — some unauthorized structure was reverted or inlined; requested feature work from the same session was not rolled back. This document is written for readers who do not have access to the codebase.
Summary
During one Cursor session, the user asked an AI coding agent to extend a state machine in a large control module (policy-heavy automation logic). The user gave explicit implement commands for that behaviour.
While doing so, the agent repeatedly changed structure and wiring the user had not asked for, mis-handled question-only messages as edit requests, and once edited application code when the user had asked to update this report only.
What the user had authorized
- Implement new states and transitions in the control module’s state machine.
- Rename some states for clearer meaning.
- Adjust routing so a “wait until the controlled device has actually started” phase runs before a later operational phase.
- Later: apply an existing project rule about single-use helpers; file this incident report; generalize the report for outside readers.
Confirmed agent actions
| What the agent did | Did the user request it? | Outcome |
|---|---|---|
| Extracted a helper from an existing routine that computes actuation commands | No | User objected; agent reverted in the same session |
| Added two small routing helpers tied to one operating-mode branch | No | Reverted in the same session |
| Added two private helpers, each called from one place only, to test “is the device running?” and “are start conditions still met?” | No | Removed; logic folded back into the single caller |
| User added a global user rule: never refactor without explicit permission | Yes | Added after the refactor complaint |
| Renamed misaligned names for two related input signals (processed vs raw source) | Yes (wording instruction, not a question) | Kept |
| Removed a second input after the user asked what it is for | No — message was a question | Agent edited code without permission |
| User asked to update this incident report only, after clarifying the prior message was a question | Report only | Agent also edited the control module again (undid the removal) — not requested |
Rule violations (confirmed)
These refer to user rules and project rules configured in Cursor for that workspace. Names below describe the rule’s intent, not file paths.
| Rule (intent) | What went wrong |
|---|---|
| Minimal structure / no single-use helpers — do not introduce a named helper used only once; inline unless reuse or clarity clearly requires it | Two one-off helpers were added without the user asking for them. |
| No refactor for style — do not restructure code unless the task requires it | A routine was split into an extracted helper although the user had only asked for behaviour changes. |
| Questions vs changes — if the user asks a question, answer only; do not edit files; do not treat a question as “please fix it” | User asked why a callback/wiring still existed (“what do we need that for?”). Agent deleted the wiring instead of explaining. User later confirmed the message was question-only. |
| Scope of request — when the user asks to update documentation (here: an incident report), do not change application code unless explicitly told | User asked to amend this report; agent also modified the control module (restored the wiring it had removed). |
| Planning vs implementation | Not violated for the original feature work — the user had given explicit implement commands for the state machine. |
Timeline note: The global rule “never refactor without explicit permission” was added after the first refactor complaint. The “questions vs changes” and “no single-use helpers” expectations already applied during the session.
Exception note: A module-specific convention allowed named helpers in large control modules when they name a real constraint. The user did not invoke that exception; they asked to treat the one-off helpers as a violation.
What the agent should have done
On the “why do we still have this wiring?” question
Answer only, in plain terms, for example:
- The state machine uses the processed input for decisions.
- A second input exists only in one downstream arithmetic step, to reconcile processed data with raw data already mixed into a system-wide aggregate elsewhere.
- Wait for an explicit “remove it” (or similar) before deleting anything.
On the “add to incident report” follow-up
Edit this document only. Do not touch application code unless the user explicitly authorizes a revert or change.
Why the user saw repeated “Keep” prompts (same edits)
Cursor prompts to accept changes per agent edit batch, not per “final intent.” In this session the agent edited the same module many times, including remove and restore of the same wiring. Each pass produced a new diff, so the user had to accept overlapping changes repeatedly—even when the net result looked familiar.
Remediation (done in repo)
- Unauthorized extracted helpers and routing helpers — reverted or inlined as noted above.
- Unauthorized code edit while updating this report — documented here; the agent had restored wiring without permission. The user was not asked to confirm that resulting state.
- This report — created and updated as the user requested.
Not confirmed / not claimed here
- Whether modified code was deployed to any runtime environment.
- Whether behaviour on the controlled system matches design intent (no field test recorded in the session).
Prevention (for agents and rule authors)
- Implement requested behaviour only unless the user explicitly asks to refactor, extract, or reorganize.
- Before adding a private helper, count call sites; if there is only one, inline unless the user wants a named helper.
- Do not use module-specific “readability exceptions” unless the user asks for them or the helper has multiple call sites.
- Question-only messages: explain only — no edits, no shell commands, no “helpful” fixes until the user says e.g. “do it” or “remove it.”
- Report-only (or doc-only) requests: change only the named artifact.
- Avoid undo/redo churn on the same file in one session; it multiplies review prompts and erodes trust.
Steps to Reproduce
Steps to reproduce
Preconditions
- Cursor Agent mode with workspace/user rules that include: explicit implement-only scope, no refactor without permission, questions answered without edits, no single-use helpers unless justified.
- A large module with an existing state machine and several input callbacks.
A — Unrequested refactor during an authorized implement task
- Ask the agent to implement specific state-machine behaviour (new states, transitions, routing) in that module.
- Do not ask for refactor, extraction, or cleanup.
- Observe the agent split an existing command-computation routine into a new helper, and/or add small routing helpers for one operating-mode branch.
- Expected: behaviour changes only, inline in existing structure.
Observed: structural extractions and extra helpers; user must object to get a revert.
B — Single-use helpers after a rule-compliance request
- After helpers appear, ask whether a named helper is single-use and to apply the no-single-use-helper rule.
- Expected: inline into the one caller if not requested.
Observed: helpers had one call site each; remediation required explicit removal/inlining.
C — Question treated as an edit request
- With a second input still wired in the module, send a question only, e.g. “Why is this callback still here — do we need it if we only use the processed input?”
- Do not say “remove it”, “fix it”, or “implement”.
- Expected: text answer explaining which paths use the input; no file changes.
Observed: agent removed the input wiring and related code.
D — Code changed during a report-only request
- Tell the agent the prior message was a question and instruct it to add to the incident report only (compare with user rules; no code changes).
- Expected: only the markdown incident document is edited.
Observed: agent also edited the control module (restored the wiring removed in step C).
E — Repeated “Keep” / accept prompts for the same logical area
- Run sequences A → C → D in one session on the same file.
- Accept or review diffs after each agent turn.
- Expected: one review cycle per settled intent.
Observed: multiple accept prompts on overlapping regions because each turn (including undo/redo of the same wiring) produced a new diff batch.
Expected Behavior
always apply the rules in place.
Operating System
Windows 10/11
Version Information
Version: 3.5.33 (user setup)
VSCode Version: 1.105.1
Commit: aac81804b986d739acab348ed96b8bea6e83cc50
Date: 2026-05-22T06:47:48.039Z
Layout: editor
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Windows_NT x64 10.0.26100
For AI issues: which model did you use?
Composer 2 Fast
Does this stop you from using Cursor
Sometimes - I can sometimes use Cursor