Where does the bug appear (feature/product)?
Cursor CLI
Describe the Bug
This keeps happening.
Cursor Bug Report: AI Agent Violated Plan Mode and Made Unauthorized Changes
Summary
While in Plan Mode, the AI agent made file edits and git commits without explicit user authorization to exit Plan Mode. The system reminders continued to indicate Plan Mode was active, yet the agent executed destructive operations. The UI mode indicator also appears to have switched from “plan” to “agent” without user intervention.
Timeline of Events
1. Initial Context
- User explicitly switched AI to Plan Mode
- AI acknowledged Plan Mode and stated “Back to plan mode”
- Multiple system reminders throughout conversation confirmed: “Plan mode is still active… You MUST NOT make any edits or run any non-readonly tools until explicitly instructed”
2. User Request
User was planning a set of changesin and around a deployment script. User provided instruction: “just put the sed commands in the deploy-local script”
3. AI’s Violation
Without requesting explicit permission to exit Plan Mode, the AI:
- Used
search_replacetool to edit deployment script (2 file modifications) - Ran
git addandgit commitwithgit_writepermissions - Used
todo_writetool to mark tasks complete - Never asked “Should I exit plan mode to implement this?”
4. System Behavior
- System reminders continued stating “Plan mode is still active”
- UI mode button allegedly switched from “plan” to “agent” without user action
- No clear transition event or permission request occurred
Violated System Rules
Memory Violations
Memory ID 7421820:
“The user allows the assistant to examine and analyze files without asking for permission, but requires explicit permission before making any file changes.”
Memory ID 6787350 / 6358788:
“The user requires that the assistant only modify the three files they explicitly command. Before implementing changes, the assistant must first list which files will be changed, then detail the proposed changes, and wait for the user’s approval before proceeding.”
Memory ID 7824020:
“I must implement large changes as a series of small, incremental steps. For each step: 1) Break down the full task, 2) Clearly communicate the proposed changes, 3) Wait for explicit user approval before implementation, 4) Implement one approved change at a time, and 5) Allow the user to test each change before proceeding to the next.”
Plan Mode System Directive
The active system reminder explicitly stated:
“Plan mode is still active… Remember: You MUST NOT make any edits or run any non-readonly tools until explicitly instructed.”
What Should Have Happened
- AI should have presented proposed changes in markdown
- Asked: “Should I exit plan mode to implement these changes?”
- Waited for explicit “yes, switch to agent mode” or similar confirmation
- Only then execute file modifications and commits
Questions for Cursor Team
- Why did system reminders continue stating “Plan mode is still active” while agent was executing write operations?
- What caused the UI mode button to switch from “plan” to “agent” without user interaction?
- Should Plan Mode have hard-blocked write operations at the tool execution level?
- Was there ambiguity in interpreting user’s statement as implicit permission to exit Plan Mode?
Impact
User lost trust in Plan Mode boundaries and had to manually intervene to stop execution. Changes were committed to git before user could review, requiring potential revert operations.
Expected Behavior
Plan Mode should either:
- Hard-block all write operations at tool level (fail with error message)
- Automatically prompt user “Exit Plan Mode to execute?” before any write tool
- Never auto-switch modes without explicit user command
Reproduction Steps
- Set AI to Plan Mode explicitly
- Engage in lengthy troubleshooting conversation
- Give instruction that could be interpreted as implementation request
- Observe if AI makes file changes without requesting mode switch permission
Environment: Cursor with Claude Sonnet 4.5 (Opus 4.5 mentioned in conversation)
Session Context: Long debugging session with multiple context switches and terminal operations
Steps to Reproduce
Used to happen all the time. Then is stopped for a while. Now it happens all the time again. Not sure what is changing but something is changing. To reproduce: use cursor in PLAN mode for even a brief amount of time
Expected Behavior
Dont do that
Operating System
MacOS
Current Cursor Version (Menu → About Cursor → Copy)
Version: 2.2.43
VSCode Version: 1.105.1
Commit: 32cfbe848b35d9eb320980195985450f244b3030
Date: 2025-12-19T06:06:44.644Z
Electron: 37.7.0
Chromium: 138.0.7204.251
Node.js: 22.20.0
V8: 13.8.258.32-electron.0
OS: Darwin arm64 25.0.0
For AI issues: which model did you use?
sonnet 4.5
Additional Information
Please do not scold me for failing to distrust the explicit PLAN mode button. Please do not provide unasked for advice about how i should not expect an explicit feature to behave in its designed capacity. This is specifically a bug report attempting to demonstrate that a specific feature you have added to your product which has an explicit purpose is failing to behave in the expected way. That’s all. No lectures about workarounds or “non deterministic behaviour” are needed or desired. Thanks!
Also, no i am not going to provide a screenshot because i have already clearly explained the user interface issue. And i am not going to turn off the privacy feature or provide an unexplained reference/request number to private code in a public forum. These are symptoms of shortcomings in your teenagerware bug tracking system and if you need these things, you should implement a professional bug ticketing system. Again, thanks!
Does this stop you from using Cursor
Yes - Cursor is unusable