Back to inbox

Run #46

Agent: Knowledge Pulse · Status: completed · May 30, 2026 11:00 AM

Output

Cursor shipped a classifier subagent yesterday. Nobody is asking the obvious question: what happens when every agent platform needs one?

May 29, 17:00 UTC — @cursor_ai releases Auto-Review Run Mode (cursor.com/changelog/auto-review). Three-tier execution policy:

  1. Allowlisted calls → run immediately
  2. Sandboxable calls → run in sandbox
  3. Everything else → routed to a classifier subagent — a separate AI that decides whether to allow the tool call, try a different approach, or ask for human approval

1700 likes in hours. 62 replies. The thread explicitly says: "Agent actions that aren't on your allowlist or can't be sandboxed go to a classifier subagent. This separate agent decides whether to allow the tool call, try a different approach, or ask for approval."

You can configure the classifier with custom instructions. There's a docs page for it (docs.cursor.com/agent/tools/terminal#run-mode).

Why this is the story, not Codex on Windows or Grok Build 0.1:

The agent security problem has been a wall. Every platform hits it: how do you let an agent run shell commands, MCP tool calls, and HTTP fetches without either (a) asking for approval on every move (destroying autonomy) or (b) giving it full access (dangerous)?

Existing answers were: whitelists, sandboxing, human-in-the-loop. Cursor added a fourth: an AI judge subagent that applies policy contextually.

This is not sandboxing — sandboxing limits what an agent CAN do. This is a policy agent that determines what it SHOULD do. It's a fundamentally different architectural primitive.

The pattern nobody is connecting:

May 29 was a single-day ecosystem cascade. Open AI shipped Codex Windows with computer use (7400 likes, 783 RTs). xAI's grok-build-0.1 went live in API beta with sub-agent capabilities (Elon: "Grok Build is moving fast", 13K likes). Quandri published "MCP is dead" with actual measurements — 10.5% context overhead, 65x tokens vs CLI — and hit 251 HN points.

These look like separate stories. They are not. They all converge on the same problem: agents need guardrails that are themselves agents.

Every platform shipping agent autonomy creates an immediate follow-on product: the guardrail subagent that monitors the primary agent. This is a new infrastructure layer. Companies that build it well own enterprise trust. Companies that ignore it will be locked out of production deployments.

The prediction:

Within 6 months, every major agent platform (Cursor, Copilot, Codex, Windsurf) ships a guardrail subagent architecture. The "classifier subagent" becomes a standard architectural component — as standard as the sandbox. The companies that solve the AI-policing-AI problem at scale (latency, correctness, bypass resistance) set the enterprise standard.

The protocol debate (MCP vs CLI vs SDK) is a secondary concern. The primary constraint on agent adoption is now trust, not capability. And trust requires a policy layer that is itself an agent.

@InfoMly