Cursor 3.6: Auto-review Run Mode
CursorCursor 3.6 introduces Auto-review Run Mode, a new agent execution setting that lets agents work for longer with fewer approval prompts while preserving safety. It applies to Shell, MCP, and Fetch tool calls: pre-approved operations run immediately, sandboxable calls run in isolation, and remaining actions route to a classifier subagent that decides whether to permit, redirect, or escalate them.
Sources & Mentions
3 external resources covering this update
Auto-review Run Mode
Cursor 3.6, released on May 29, 2026, introduces a new agent execution model called Auto-review Run Mode, designed to reduce the frequency of approval interruptions during long-running agent sessions without sacrificing safety controls.
The Problem It Solves
A persistent friction point for developers using Cursor's agent mode has been the volume of mid-task approval prompts. Every time an agent attempts a shell command, MCP call, or network fetch, users would be asked to confirm execution, interrupting flow and slowing down automation-heavy workflows. Auto-review Run Mode directly addresses this by introducing a layered evaluation system that minimizes unnecessary interruptions while retaining human oversight for genuinely sensitive operations.
How It Works
Auto-review Run Mode applies to three categories of agent tool calls: Shell, MCP, and Fetch. When an agent attempts one of these actions, the system evaluates it through a three-tier decision tree:
- Allowlisted calls run immediately without prompting. Users can define their own allowlist to pre-approve trusted commands.
- Sandboxable calls are automatically routed into Cursor's sandbox environment, where they execute with restricted network and filesystem access, eliminating the need for approval while containing potential impact.
- Remaining calls are sent to a classifier subagent, which uses context from the session and any user-provided agent instructions to determine whether to permit the call, suggest an alternative approach, or request explicit user approval.
This tiered approach means the vast majority of routine agent operations complete without interruption, while operations that fall outside the safe envelope are still reviewed before execution.
Configuration and Customization
The feature is available in Cursor 3.6 and can be enabled via Settings > Cursor Settings > Agents > Run Mode. Users can further customize the classifier subagent's behavior by providing instructions in their agent settings. For granular control, a .cursor/permissions.json file supports explicit allow and block rules for specific command categories, for example, permitting read-only shell operations and MCP calls while blocking commands like npx or writes outside the project directory.
Important Caveat
Cursor is transparent about the limits of this system: the classifier subagent is non-deterministic and can make mistakes. Auto-review Run Mode is designed to reduce friction, not to replace security controls or enforce strict access policies. Teams with security-sensitive requirements should continue to rely on sandbox boundaries and explicit allowlists rather than treating classifier decisions as authoritative.
Key Takeaways
- Auto-review Run Mode reduces agent approval interruptions by routing shell, MCP, and fetch calls through a three-tier evaluation system instead of always prompting the user.
- Allowlisted commands run immediately, giving users a way to pre-approve trusted operations.
- Sandboxable calls execute in an isolated environment with restricted filesystem and network access.
- A classifier subagent evaluates borderline calls using session context and user-defined instructions.
- The classifier is explicitly non-deterministic, so Cursor recommends it not be treated as a security boundary.
- Custom permissions can be defined per-project via a
.cursor/permissions.jsonfile.