A background agent works while you are not watching
Cursor background agents are useful because they run asynchronous tasks, edit code in a remote environment, execute commands and push changes for review. The speed gain is real. So is the risk: internet access, dependencies, environment secrets and prompt injection enter the same workflow.
Cursor rules and project rules help keep architecture, style and review criteria stable. But good rules are not just coding preferences. For AI-built SaaS, project rules need to say what the agent cannot do.
Rules that matter
- Background agents work on their own branch and small PRs.
- No production secrets in the remote environment.
- Dependency installation requires reason, lockfile review and review.
- MCP and external tools must be listed, justified and easy to disable.
- Automatic commands cannot migrate databases, publish deploys or change billing.
- Project rules should cover auth, tenants, webhooks, uploads and sensitive data.
- CI must reproduce tests, lint, typecheck and smoke checks for critical routes.
Before accepting the PR
Did the agent change login, paid plans, Stripe, customer data, middleware, RLS, storage, admin or webhooks? If yes, review cannot be visual only. It needs flow and impact validation.
The Promptbook is a first-pass review for founders using Cursor background agents. Risk Review applies when a diff touches revenue, real customers or data boundaries.
Sources
Cursor background agents speed up work. Project rules should turn that speed into reviewable change, not implicit permission.
