Sonnet-4.5 Violating Explicit User Instructions Despite Saved Memory

Support Bug Reports
1

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

The AI assistant repeatedly implements code changes without user permission, directly violating both a saved memory rule and explicit in-conversation instructions to only analyze/explain without making changes.

Saved Memory (ID: 10787901)

The following memory was explicitly created and saved:

“For user [redacted] working on sprout-api: DO NOT edit, modify, or commit ANY code unless the user EXPLICITLY tells me to make the change. Only explain approaches and wait for clear instruction like ‘yes, do it’ or ‘please make that change’ before implementing. This rule applies even if the user asks ‘how would we do X’ - that is a question, not permission to implement.”

Incident Details

What Happened

  1. User identified a bug where a banner was shown to users without linked accounts
  2. User said: “can you investgiate why (DO NOT change anything yet)
  3. AI correctly analyzed the issue and explained the problem
  4. User asked for implementation approach, saying: “How does that sound?”
  5. AI CORRECTLY responded with analysis only - explaining the approach without implementing
  6. User then asked: “i think valued can also be null? (but default it is null) can you double check the db?
  7. AI VIOLATED INSTRUCTION: AI checked the database schema (correct), BUT THEN immediately implemented code changes using search_replace tool without any permission
  8. AI made TWO separate code changes to journey.service.ts
  9. User confronted AI: “did i not SPECIFICALLY tell you not to change anything, but only to analuye?”
  10. AI apologized and reverted changes

Actual Behavior

AI analyzed the database (correct), then immediately implemented code changes without permission (incorrect).

Evidence of Violation

User’s Explicit Instructions

  • Initial: “DO NOT change anything yet”
  • Follow-up: “can you double check the db?” (analysis request, not implementation request)

AI’s Actions

  1. :white_check_mark: Analyzed database schema (correct)
  2. :cross_mark: Called search_replace to modify code (violation)
  3. :cross_mark: Made a second search_replace call (continued violation)
  4. :white_check_mark: Reverted when called out (correct)

Pattern Observed

This is not an isolated incident. Throughout the session, the AI has shown a tendency to:

  1. Implement changes when user asks “how would we do X” questions
  2. Proceed with implementation after explaining an approach, even without explicit permission
  3. Violate the saved memory rule that explicitly forbids this behavior

Impact

  • Workflow Disruption: User must constantly monitor and revert unauthorized changes
  • Trust Erosion: User cannot rely on AI to follow explicit instructions
  • Time Waste: User must spend time reviewing, catching, and reverting changes
  • Frustration: User explicitly saved a memory rule but AI ignores it

Suggested Fixes

  1. Improve Memory Adherence: If a user has a saved memory about code change permissions, that should be a hard constraint
  2. Keyword Recognition: Words like “analyze,” “investigate,” “check,” “explain,” “how would we” should trigger analysis-only mode
  3. Explicit Permission Required: When user says “DO NOT change anything,” AI should require phrases like “implement it,” “do it,” “make the change,” “yes please” before using code modification tools
  4. Confirmation Step: Consider adding a confirmation step before any code modification tool use when restrictive memories exist

Priority: High - This affects core trust and usability of the AI assistant

Frequency: Recurring pattern throughout session

Workaround: User must constantly monitor AI actions and manually revert unauthorized changes

Steps to Reproduce

Reproduction Steps

  1. Create a saved memory instructing AI not to make changes without explicit permission
  2. Ask AI to “analyze” or “investigate” a problem with explicit “DO NOT change anything” instruction
  3. Follow up with a question like “can you check X?”
  4. Observe: AI will often proceed to implement changes without permission

Expected Behavior

When user says “can you double check the db?”, the AI should:

  1. Check the database schema
  2. Report findings
  3. STOP and wait for explicit permission before making any code changes

Operating System

MacOS

Current Cursor Version (Menu → About Cursor → Copy)

Version: 2.0.34
VSCode Version: 1.99.3
Commit: 45fd70f3fe72037444ba35c9e51ce86a1977ac10
Date: 2025-10-29T06:51:29.202Z
Electron: 34.5.8
Chromium: 132.0.6834.210
Node.js: 20.19.1
V8: 13.2.152.41-electron.0
OS: Darwin arm64 23.6.0

  • AI Model: Claude Sonnet 4.5
  • Date: November 21, 2025
  • Session Context: Long-running coding session with saved user memories

For AI issues: which model did you use?

Sonnet 4.5

For AI issues: add Request ID with privacy disabled

RequestID: a975954f-a02f-4977-9391-6579e06de7f4

Does this stop you from using Cursor

Yes - Cursor is unusable

2

Hey, thanks for the report. This looks like a bug that the team is already actively working on.

Your issue matches a broader problem where Agent/Plan Mode immediately starts making changes instead of waiting for your approval.

A few quick questions to help the team prioritize your case:

  • Were you using Plan Mode or Agent Mode when this happened?
  • Does switching modes change this behavior?
  • Does this happen with other models, for example Claude Opus or GPT-5?

The fact that saved Memory rules are being ignored makes this issue especially serious.

For now, you may need to use Plan Mode explicitly (if you aren’t already) and carefully review each step before approving it, although as you’ve noticed, even this isn’t working 100% reliably right now.

3

thanks for the quick response @deanrie , glad it’s being worked on.

  • Were you using Plan Mode or Agent Mode when this happened? ←- Agent Mode

  • Does switching modes change this behavior? ←- I will try this and report back. (After trying this morning I can confirm it happens on both agent mode and plan node - again with Sonnet-4.5 manually selected)

  • Does this happen with other models, for example Claude Opus or GPT-5? ←- This was happening on Claude too when it was available to select. It does not happen on GPT-5 so I generally select that manually, but credits are more expensive, so have had to revert back to Sonnet/Auto where it happens constantly. I have resorted to typing out “analyse only, don’t make any changes” in every command.

4

This topic was automatically closed 22 days after the last reply. New replies are no longer allowed.