According to the help,docs, plan mode has the feature of “Wait for your approval before building” - this is not the case, and the agent simply decides to start implementing theb plan even while still in PLAN mode.
What you’re seeing is basically the opposite: the agent behaves like it’s in Agent Mode and begins implementing without an explicit “ok, build now,” which defeats the point of Plan Mode and can cause unintended changes.
​
What to do until a fix lands
While new Early Access updates roll out, you can reduce the damage by “pinning” stricter behavior using Rules:
Add a global (User) rule in Cursor settings that clearly says: “If I’m in PLAN mode, do not edit files, do not run commands, do not build; only propose a plan and wait for explicit approval.” (User Rules apply across all projects).
​
Add a project rule in .cursor/rules/ using .mdc so the instruction is always present for that repo; using alwaysApply: true is the key to keep it consistently included.
​
Example .mdc rule you can paste
Create: .cursor/rules/plan-no-build-without-approval.mdc
---
description: Safety: PLAN mode must not perform changes
alwaysApply: true
---
When the chat is in PLAN mode:
- Do not edit or create files.
- Do not run commands, builds, tests, installs, or migrations.
- Only propose a plan (steps, files involved, risks, alternatives).
- Before any implementation, ask for explicit user approval.
When the chat is in PLAN mode:
Do not edit or create files.
Do not run commands, builds, tests, installs, or migrations.
Only propose a plan (steps, files involved, risks, alternatives).
Before any implementation, ask for explicit user approval.
A second “safety” rule (real example)
You can also add an always-on rule to protect sensitive files like .env.
Example from my own experience: I once had the agent remove API keys from a .env during a change; after that I added a rule that says the agent must never delete or replace API keys/secrets “as part of cleanup/refactors,” and it’s worked well as a guardrail.
the .mdc rule approach is a good workaround. one small thing i’d add: in my experience the rule works better if you keep it really short. models tend to “forget” longer rules more often.
something like:
---
description: Plan mode safety
alwaysApply: true
---
CRITICAL: In PLAN mode, NEVER edit files or run commands. Only describe the plan. Wait for explicit user approval before any implementation.
shorter and more direct tends to stick better than a big list of bullet points. i think the model treats shorter rules with stronger keywords (CRITICAL, NEVER) as higher priority.
also worth noting: you mentioned you’re using “Auto” model. some models are worse at respecting mode boundaries than others. might be worth trying a specific model to see if the behavior changes.
@Andres_Cardona and @nedcodes shared a working workaround. Short .mdc rules with alwaysApply really do help.
This is a known issue, and we see similar reports regularly. The team is aware, but there’s no fix yet. Your report helps with prioritization.
If the workaround doesn’t help, or you notice the agent ignoring even the .mdc rules, let me know and I’ll send request ID instructions for debugging.
