Cursor editor interface with agent running in the background Image: cursor.com
by VibecodedThis

Cursor 3.6 Adds Auto-review: A Classifier That Decides What Your Agent Can Do

Cursor 3.6 shipped May 29 with a new run mode that routes agent tool calls through an AI classifier before executing them. It's a middle ground between fully autonomous and constantly interrupted.

Share

Cursor 3.6 shipped May 29 with a new agent run mode called Auto-review. The idea is to give Cursor’s agent more autonomy without handing it the keys to everything: instead of either asking for approval on every tool call or running completely unchecked, the agent now has a classifier in the middle that evaluates risky actions and decides whether they’re safe to execute.

How it works

Auto-review applies specifically to Shell, MCP, and Fetch tool calls, which are the categories most likely to cause side effects your editor can’t undo. The logic flows in layers:

  • Allowlisted calls run immediately, no interruption.
  • Sandboxable calls run in a sandbox environment instead of your real system.
  • Everything else goes to a classifier subagent that reads the call and decides: allow it, try a different approach, or escalate to you for approval.

That last step is the new piece. Rather than pattern-matching against a static list of dangerous commands, Cursor runs a small AI model to assess context. If your agent is in the middle of a refactoring task and tries to run rm -rf ./dist, the classifier can reason about whether that fits the stated goal, and reject or reroute it if it doesn’t.

You can configure the run mode in Settings > Cursor Settings > Agents > Run Mode, and you can add custom instructions to guide the classifier’s behavior. If you work in a repo where certain shell operations are always safe, you can tell the classifier that. If there are categories of action that should always require your sign-off regardless of context, you can specify those too.

What this is solving

The previous friction point for most Cursor agents was the approval loop. Every time the agent needed to run a shell command or fetch an external resource, it would pause and ask. On a long agentic task, that adds up fast. But the alternative, setting everything to auto-approve, was uncomfortable for anything running destructive commands or hitting production APIs.

Auto-review is a bet that a second AI can make better triage decisions than a static allowlist. The approach is similar to what Anthropic has described in Claude’s computer use safety layer: rather than blocking by category, you evaluate intent and context.

The tradeoff is latency. Routing through a classifier subagent adds at least one model call per flagged action. On most tasks this won’t be noticeable, but it’s worth testing if you’re running high-frequency automation where pause times accumulate.

Other 3.6 changes

The changelog lists only Auto-review as the headline feature for 3.6. The release follows several significant updates in May: Composer 2.5 shipped May 18 with improved multi-step reasoning and instruction-following, shared canvases and /loop landed May 20, and Cursor arrived in both Microsoft Teams and Jira during the same week.

Bugbot, the automated code review feature, is also moving from its $40/seat/month flat subscription to usage-based billing starting at the next renewal after June 8.

Sources: Cursor Changelog, Releasebot Cursor May 2026

Share