How to Gate Which Cursor SDK Tool Calls Run Automatically With Auto-Review and permissions.json
By default a local Cursor SDK agent runs every tool call without asking. Set local.autoReview to route Shell, MCP, and Fetch calls through the classifier, then steer it with the autoRun block in permissions.json. With code, the three-step evaluation order, and why none of it is a security boundary.