Cursor Automations, without drift
A practical Cursor guide to cursor mcp, rules, subagents, and a team checklist for reviewable automations.

Automations drift when you let them roam, and they stay clean when you scope the work before the first run. Cursor, Anysphere's AI code editor, lets you turn tasks into automations that run in the Agents Window, reach external systems through MCP, and follow your rules. Cursor MCP is the connector layer that gives an automation access to things outside your repo, like Slack or your analytics, which is exactly why its permission boundary deserves a look before anything runs. Most teams do not stall because Cursor cannot write code. They stall because the automation is too broad, too opaque, or too hard to review once the PR lands.
The fix is small and boring: decide the scope, then automate it, and keep that scope visible enough that a reviewer can trust the run without replaying your chat.
Scope the repos before you start
If a change touches app code, docs, and a service repo but the automation only sees one of them, it will drift. Cursor's multi-repo automations fit work that genuinely spans systems, and they only help when that shared context is real.
Write the boundary down first. A short scope card tells the agent where it can go and tells a reviewer where each edit should land.
# Multi-Repo Scope Card
- Repos in scope:
- app repo
- service repo
- docs repo
- Shared contract:
- API shape
- release note source
- Stop condition:
- all contract checks pass
- reviewer can trace each edit to one repo
If the task is narrow, skip the extra repos. More context is not free: it slows the run and muddies the review.
Use the no-repo path for connector work
Plenty of useful automations are not about code at all. Slack digests, product analytics, FAQ triage, finance pulls, and customer health checks all live on the no-repo path, where the work comes from connectors instead of a local tree.
This is where Cursor MCP matters most. Before you attach anything, name the external system, the permission scope, and the output format you expect back.
So when you ask how to add an MCP server to Cursor, start with the system and the permission path, not the connector URL. The URL is the easy part. The boundary is the part that protects you later.
Keep rules for constraints and skills for tasks
Cursor users tend to pile style guidance and task playbooks into .cursor/rules/*.mdc until the file becomes a junk drawer. Rules should constrain. Skills should teach.
Keep durable team constraints in rules, and move repeatable task behavior into a skill or a subagent note. That split keeps your rules short and your skills reusable across the team.
A small rule file is easier to trust than a long one. Here is a shape that stays legible:
---
description: Use for cross-repo release tasks that need scoped review
globs:
- "apps/**"
- "services/**"
apply: auto
---
- Check both repos before editing shared contracts.
- Do not change deployment settings without a reviewer note.
- Summarize cross-repo impact in the final response.
When you want to standardize the next piece of behavior, ask whether it is a constraint or a task. The answer tells you which file it belongs in. For a fuller treatment of where subagents and skills fit, see subagents and skills.
Review the MCP boundary before it ships
Adding MCP before the permission review is the fastest way to create a future incident. The Model Context Protocol spec is clear that tool access and data access need consent and control, and Cursor's MCP docs show how that lands in the product.
Run one check before anything goes live. List the server, the data it can reach, the user approval path, and the rollback plan. Connector power without review is just hidden blast radius, and if the team cannot explain the boundary out loud, the automation is not ready.
Here is the intake checklist I hand teams before they turn any task into an automation. Copy it as is.
# Automation intake checklist
- [ ] What is the task type: code, docs, ops, or mixed?
- [ ] Which repos, if any, are in scope?
- [ ] Which external systems are in scope through MCP?
- [ ] What data can the agent read?
- [ ] What actions can the agent take?
- [ ] Which Cursor rule applies?
- [ ] Which skill or subagent should handle the repeatable part?
- [ ] What is the expected output artifact?
- [ ] What should a reviewer verify before merge or release?
- [ ] What is the rollback or stop condition?
Common questions
-
What is Cursor MCP in an automation workflow?
Cursor MCP is the connector boundary that lets an automation reach external systems. It matters most on the no-repo path, where the work comes from connectors rather than a local tree: Slack digests, product analytics, FAQ triage, finance pulls, and customer health checks. Because that reach is external, the boundary needs a named scope before the first run.
-
How do you add an MCP server to Cursor safely?
Start with the system and the permission path, not the connector URL. Run a boundary check before anything ships: list the server, the data it can reach, the user approval path, and the rollback plan. The Cursor MCP docs and the Model Context Protocol spec both cover the consent and control rules you are checking against.
-
When should an automation be multi-repo?
Only when the shared context is real and the change truly spans app code, docs, or a service repo. If the task is narrow, extra repos slow the run and muddy the review. Write a scope card first with the repos in play, the shared contract, and the stop condition, so the agent stays inside the boundary you drew.
-
What belongs in rules versus skills?
Rules constrain, skills teach. Keep durable team constraints in
.cursor/rules/*.mdcand move repeatable task behavior into a skill or a subagent note. That split stops the rule file from becoming a junk drawer and keeps your skills reusable across the team, which makes both easier to review when a PR lands. -
What should every Cursor automation declare before it runs?
Its inputs, allowed tools, and expected artifact. With those three named up front, review gets faster because the reviewer checks a contract instead of reverse-engineering a mystery. The intake checklist adds the rest: the data scope, the actions allowed, and the rollback or stop condition.
Ship the next one with a scope card
Pick one task you keep running by hand, write its scope card and intake checklist before you automate it, then ask a teammate to defend the merge without replaying the chat. If they can, the boundary was clear enough. Bring it into the training topic and try the same test on the next one.
Further reading
Related training topics
Related research

Local MCP Connects Mac Apps to Agents
Local MCP connects AI assistants to Mac-only context, and the safe first test is a narrow, read-only MCP boundary.

Cursor subagents official docs and the missing contract
A governance guide for Cursor SDK agents: what the official docs cover, and the contract of owners, permissions, harness tests, and release gates.

Cursor subagents and skills for engineering teams
An operating model for Cursor subagents and skills: scope ledgers, rule precedence, artifact-first review, and a one-branch training drill.