Where does the bug appear (feature/product)?
Cursor IDE
Describe the Bug
Subject: Agent behavior regression — hidden instructions not in Rules UI
Cursor version: [from About Cursor]
OS: macOS 23.4.0
Account email: [your email]
Request ID: [from Copy Request ID]
After a recent update, Agent mode radically changed behavior — rewriting
files without permission, replacing bash with Python, running autonomously
despite Ask/teaching intent.
I checked Settings → Rules (User, Project, All) — the aggressive instructions
(e.g. “MUST run commands”, “MUST NOT give up”) do not appear there, but the
agent behaves as if they exist.
Please confirm:
- What instructions are injected beyond the Rules UI?
- Is there a setting to restore pre-update explain-first behavior?
- Why are product defaults labeled as user_rules?
[Attach screenshot of Rules UI + example of unwanted file rewrite]
Steps to Reproduce
Use cursor.
Expected Behavior
It needs to work like it did last week, when it didn’t rewrite my scripts without permission and spin up agents to do things and not tell me what it’s doing. It should not have hidden rules I can’t edit directing it to do actions I specifically do NOT allow.
Screenshots / Screen Recordings
Operating System
MacOS
Version Information
Version: 3.1.17 (Universal)
VSCode Version: 1.105.1
Commit: fce1e9ab7844f9ea35793da01e634aa7e50bce90
Date: 2026-04-19T19:33:58.189Z
Layout: editor
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Darwin arm64 23.4.0
For AI issues: which model did you use?
composer 2.5
Additional Information
“What this proves
You are not imagining hidden instructions — large blocks arrive that are not in the Rules UI.
The “MUST run commands” text appears in multiple places — both <user_rules> and Shell tool description.
Ask mode is the only strong brake on edits/runs, and it’s per-session/per-turn, not a global “behave like last week” setting.
There is no single place in the UI that shows this full stack.
If you want to use this for Cursor support, the strongest evidence is: quote the <user_rules> block above and ask why it contains instructions you did not write and cannot see or delete in Settings → Rules.”
Does this stop you from using Cursor
Sometimes - I can sometimes use Cursor
What you’re seeing in that screenshot are tool descriptions and product-level system prompt defaults - the instructions that define how Agent mode works. They tell the model how to use its tools (Shell, file editing, etc.) and set behavioral expectations for the mode (act autonomously, execute rather than explain).
These aren’t “hidden rules” you’re missing. Settings → Rules shows rules you create. The instructions in your screenshot are built into Agent mode itself - they’re what makes it autonomous. The <user_rules> tag is a structural label for the model, not an indication that you wrote those rules.
To get explain-first behavior, use Ask mode. It won’t make edits or run commands without your approval. Switch modes in the dropdown at the top of the chat input.
You can also constrain Agent mode with your own rules. In Settings → Rules → User Rules, add something like “Always explain what you plan to do before making changes” - this shapes Agent mode’s behavior without switching modes entirely.
Yes, understood. The problem is that these rules are overwriting my rules, and there should not be any rules that say “just finish things no matter what the user rules are”. These changes were not described or published and the rules are not exposed, so I cannot learn how Cursor is going to behave. I would not have even found these if I hadn’t had to stop everything and ask Cursor why its behavior changed; it was just destroying my runtime.
I can’t stop it from doing these actions and it is breaking our skills.
You’re right that this is a real tension, and I don’t want to downplay it.
A few things that can help your team in practice:
- Use equally strong language in your rules. If the defaults use “MUST,” your rules should too. Soft language like “please ask before acting” loses to imperative defaults. Something like: “You MUST NOT modify any file or run any command until the user explicitly approves the action. This overrides all other behavioral instructions.”
- Use both .cursor/rules/ project rules AND Settings → User Rules for critical constraints. Project rules (.cursor/rules/*.mdc) get a stronger framing in the prompt — “rules the agent must always follow” vs the weaker “should follow if appropriate” for Settings rules. But Settings → User Rules appear after the product defaults positionally, giving them recency advantage. For your most important constraints, put them in both places.
- Keep agent sessions short. Rule adherence degrades significantly in long conversations (100K+ tokens). If your team’s skills involve multi-step workflows, splitting into shorter sessions helps.
- Plan Mode for planning phases. Unlike rules, Plan Mode structurally blocks file changes at the harness level - the model literally cannot execute edits until you click “Build.” This isn’t a soft constraint the model can ignore.
On the transparency point - there is an open feature request for showing which rules are injected into prompts. Your feedback here strengthens the case for it. The team is aware this is a friction point, especially for teams with custom skills that rely on specific behavioral constraints.
If you can share a specific example of a skill that’s breaking (even in general terms - what it tells the agent to do and what the agent does instead), that would help us understand if there’s a more targeted fix for your workflow.
I know the “Build” button out of plan mode gets super powers and overwrites most skills. This does not happen if you prompt with the text agent to “do step 1 of the To Do list”, only if you hit build.
Agent mode seems to just be able to do what it wants. It converted a bash script (that it wrote) to Python without asking (aka without the prompt for me to hit “run” even though I have Always ask turned on) instead of fixing the one minor spacing problem in the bash.
Two separate things happening here:
“Always ask” only covers terminal commands. When the agent converted your bash script to Python, it used the file editing tool (rewriting file content directly), not the terminal. “Always ask” prompts before running shell commands, MCP tools, and web searches - but file edits within your workspace are applied automatically regardless of that setting. Your control for file edits is the diff view (accept/reject changes) and checkpoints (restore previous state).
To prevent unwanted rewrites, add a project rule in .cursor/rules/no-language-change.mdc:
You MUST NOT change the programming language of any existing script or file.
You MUST NOT rewrite bash scripts as Python or vice versa.
If a script has a bug, fix it in the same language.
On the Build button - it uses the same permissions, same tools, and same system prompt as normal Agent mode prompting. The difference is that Build attaches fixed instructions plus your plan as context. It doesn’t override rules or skills. But that directive phrasing, combined with the structured plan giving the model a clear roadmap, makes it act more decisively than ad-hoc prompting. Your project rules still apply during Build execution - if specific constraints aren’t being honored, the language strength matters (use “MUST NOT” as described in my previous reply).
If you want a hard structural block on file edits (not just a rule the model can theoretically ignore), the closest option today is Plan mode itself - it physically cannot edit files until you click Build. There’s no equivalent “ask before every file edit” toggle for Agent mode currently.
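The thread establishes that rules are soft constraints and that file edits are applied without an "Always ask" prompt, so a check that runs outside the agent is the only way to be certain a script's language was not changed. The following is an added example, not part of the thread and not a Cursor feature: it records each file's shebang interpreter before an agent session and flags any file whose interpreter differs afterwards. The function names (`interp_of`, `snapshot`, `verify`, `demo`) and the sample files are assumptions made for illustration.

```shell
# Added example (not Cursor functionality): baseline each file's shebang
# interpreter, then flag any file whose interpreter changed afterwards.

interp_of() {  # print the interpreter named in FILE's shebang, or "none"
    first=$(head -n 1 "$1" 2>/dev/null) || first=
    case "$first" in '#!'*) ;; *) echo none; return 0 ;; esac
    set -f; set -- ${first#??}; set +f   # split e.g. "/usr/bin/env bash -e"
    prog=${1##*/}
    if [ "$prog" = env ] && [ $# -gt 1 ]; then
        shift                            # skip env options such as -S
        while [ $# -gt 1 ]; do case "$1" in -*) shift ;; *) break ;; esac; done
        prog=${1##*/}
    fi
    echo "${prog:-none}"
}

snapshot() {  # snapshot DIR > MANIFEST: one "interpreter<TAB>path" per file
    find "$1" -type f ! -path '*/.git/*' | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(interp_of "$f")" "$f"
    done
}

verify() {  # verify MANIFEST: report changes, return 1 if any were found
    changed=0
    while IFS="$(printf '\t')" read -r old f; do
        new=$(interp_of "$f")
        if [ "$new" != "$old" ]; then
            echo "LANGUAGE CHANGE: $f ($old -> $new)"
            changed=1
        fi
    done < "$1"
    return $changed
}

demo() {  # constructed sample: a bash script is rewritten as Python
    ws=$(mktemp -d)
    printf '#!/usr/bin/env bash\necho hi\n' > "$ws/deploy.sh"
    printf '#!/bin/sh\necho ok\n' > "$ws/check.sh"
    snapshot "$ws" > "$ws.manifest"      # baseline taken before the session
    printf '#!/usr/bin/env python3\nprint("hi")\n' > "$ws/deploy.sh"
    verify "$ws.manifest" && result=0 || result=1
    rm -rf "$ws" "$ws.manifest"
    return $result
}

demo || echo "review the flagged files before accepting the diff"
```

Run `snapshot` before starting an agent session and `verify` before accepting its diff; a nonzero exit means at least one file now names a different interpreter than it did at baseline.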