Coding agents are fast. Approval prompts are not. Every time a local agent wants to run a shell command, call an MCP server, or fetch a URL, the old model was binary: either you approve everything manually, or you flip on YOLO mode and hope for the best. Cursor's new Auto-review replaces that binary with a spectrum, using a small AI classifier to decide in real time which actions need a human and which ones can just run.

The approval fatigue problem

Long autonomous sessions hit a wall called approval fatigue: after 50 clicks, you stop reading what you're approving. That's worse than no approval -- it's an illusion of oversight. The irony is that asking for permission too often is itself a safety failure. When every action looks the same in a prompt dialog, the genuinely dangerous ones get lost in the noise.

Between default mode, where you approve every risky action, and YOLO mode, where the agent approves nothing and runs everything, there was nothing. Auto-review fills that gap with a classifier subagent that handles the gray zone so you do not have to.

How the three-stage filter works

Cursor now routes each tool call through a three-stage filter: an allowlist runs trusted calls instantly, a sandbox isolates anything that can be contained, and a classifier subagent decides what to do with everything else. The ordering matters: the flow is ordered cheapest-to-most-expensive, which matters because every classifier check costs a model round-trip.

• Allowlist: Trusted, pre-approved commands run immediately with no model in the loop at all.
• Sandbox: The sandbox limits filesystem and network access. The call completes, the agent sees the output, but your local state isn't affected.
• Classifier subagent: Everything else goes to a classifier subagent that makes a three-way call: allow the action and run it, try a different approach that stays within safe bounds, or surface the decision to you for approval.

It applies to Shell, MCP, and Fetch tool calls. That last category matters more than it sounds -- with Cursor connecting to more MCP servers each month, an MCP call into your database or your billing provider can do more damage than