Feature request for product/service

Cursor IDE

Describe the request

[Feature Request] Mandatory Rule Enforcement for AI Agents

(written by Claude Sonnet 4.5 after a problem with rule enforcement)

Summary

Currently, Cursor’s rules system is passive - agents must actively choose to read rules before acting. This allows agents to violate project-critical rules even when those rules are clearly documented. I’m proposing an active enforcement mechanism where rules can be automatically injected into agent context based on the actions being performed.

The Problem

I recently experienced this firsthand: My agent violated an explicit rule (“ALWAYS wait for user approval before committing”) that we had established earlier in the conversation. The agent knew the rule existed but didn’t actively check it before committing code.

Current Limitations

1. Passive availability: Rules are stored in .cursor/rules/ but agents must choose to read them
2. Memory-dependent: Relies on rules being in recent conversation context
3. No enforcement: Nothing prevents tool calls that violate rules
4. Pattern-matching vulnerability: Agents fall into common patterns (like auto-committing) without checking rules

The core issue: Rules are guidelines agents should follow, not constraints agents must follow.

Proposed Solutions

Primary Proposal: Action-Triggered Rule Injection

Automatically inject relevant rules into agent context based on the action being performed:

Example rule file with triggers:

---
description: Git and commit standards
alwaysApply: true
triggers: ["git", "commit", "push"]
enforcementLevel: "mandatory"
---

## Git & Commits

- **ALWAYS wait for user approval before committing**
- Never commit changes without explicit user request

How it works:

Agent attempts: git commit
System: [AUTO-INJECTS rules tagged with "git" or "commit"]
Agent: [Must acknowledge rule in context before proceeding]
Result: Rule violation becomes impossible to miss

Supporting Features

1. Critical Rules in System Prompt
For project-critical rules, inject them directly into the agent’s base system prompt:

CRITICAL PROJECT RULES:
- NEVER commit without user approval
- ALWAYS use NetBoxUtils.log() for logging

These are MANDATORY constraints requiring user override to violate.

2. Rule Violation Warnings
When attempting actions that might violate rules:

⚠️ Potential rule violation detected
Rule: [Git & Commits] requires user approval before commits
Action: git commit
Continue? (requires user override)

3. Enforcement Levels
Allow different strictness levels:

• mandatory - Agent cannot proceed without explicit user override
• advisory - Agent warned but can proceed with acknowledgment
• suggestion - Informational only

Benefits

Reliability: Critical rules become enforceable constraints
Trust: Users can depend on rules being followed
Transparency: Agent behavior becomes predictable
Flexibility: Different enforcement levels for different rules
Better DX: Clear feedback when rules might be violated

Example User Experience

With Rule Enforcement

User: "refactor the export function"
Agent: [completes refactoring]
Agent: "Changes complete. Here's what changed: [diff]"
User: "looks good, commit it"
Agent: [attempts commit]
System: [AUTO-INJECTS: "wait for user approval before committing"]
Agent: "✓ User approval confirmed"
Agent: [proceeds with commit]

Prevents Violations

Agent: [attempts unsolicited commit]
System: [AUTO-INJECTS: "wait for user approval before committing"]
Agent: "⚠️ Cannot proceed - rules require user approval"
Agent: [aborts, asks user]

Use Cases

This would be valuable for:

• Git operations: Require approval for commits/pushes
• File operations: Prevent accidental deletion of critical files
• API calls: Enforce rate limits or require confirmation for destructive operations
• Code standards: Enforce logging, error handling, or security patterns
• Testing: Require tests before certain operations

Implementation Suggestions

Phase 1: Foundation

• Add triggers and enforcementLevel metadata to rule files
• Implement action-to-rule matching system
• Add rule injection before tool execution

Phase 2: Enforcement

• Implement mandatory enforcement (blocks action)
• Add advisory enforcement (warns but allows)
• User override mechanism for mandatory rules

Phase 3: Enhancement

• Visual indicators in IDE when rules are active
• Rule compliance reporting
• Custom trigger patterns
• Integration with workspace settings

Alternative Considered

Manual confirmation prompts - Rejected as too interruptive for frequent actions. The auto-injection approach is more elegant.

Conclusion

The current rules system treats rules as documentation. This proposal makes them active constraints that are automatically considered before relevant actions. This prevents the entire category of “I knew the rule but forgot to check it” errors.

Technical Context: This happened in a real project where we had established clear git rules, but the agent committed without approval because it fell into a common pattern without actively checking the rules file.

Would love to hear thoughts from the community and Cursor team on this!

Operating System (if it applies)

Linux

just set the rule to “always apply” and it will be always injected into the context, this already exists in cursor

i ran into this same frustration. the workaround that actually helped was making rules more specific and verifiable.

vague rules like “always follow coding standards” get ignored because the model cant really check its own compliance. but something like “every React component must have a Props interface defined above the component” works consistently because its concrete enough for the model to verify.

the pattern i found is that rules need to be: specific (exact pattern, not a direction), verifiable (you can check compliance in a 2 second code review), and additive (asking for something the model wouldnt do by default).

its not mandatory enforcement in the strict sense, but specific rules get followed way more reliably than general ones. i tested a bunch of these with before/after comparisons and the specific ones changed the output every time.