Cursor 3.5 Automations in Production: A PSF Domain Assessment

Automations ingest triggers from repos, Jira, Slack, Stripe, and other connectors without a native input classification or scope gate before the agent runs.

Cursor 3.5 expands Automations into the Agents Window and adds no-repo templates (Slack digest, Stripe revenue, customer health) that pull signals from tools outside your codebase. Multi-repo automations widen the context surface: an agent can reason across repositories that may contain different sensitivity tiers. The platform records what ran; it does not decide whether a Slack mention, billing webhook, or Jira comment is in policy before execution. For production, treat every external trigger as untrusted input unless your automation prompt and tool allowlists explicitly constrain it.

Shared canvases improve human review of agent artifacts, but the runtime does not enforce output contracts before side effects (PRs, messages, billing actions) execute.

May 20, 2026 adds shareable canvases: live snapshots of agent-built reports, dashboards, and interfaces that teammates can open in the browser with read-only dashboard access. That is a useful review primitive for PSF Domain 2 when teams use canvases as a deliberate gate before promoting work. It is not automatic validation. An automation can still open a pull request, post to Slack, or mutate connected systems according to harness permissions unless you implement validators in the agent definition or block tool calls until a human approves the canvas. Compare with the SSE validation pattern in our Cursor SDK assessment: streaming visibility helps; enforcement remains yours.

Multi-repo and no-repo automations multiply credential and data-exfiltration surfaces; Cursor does not classify or redact sensitive content across connected systems by default.

Attaching multiple repositories to one automation means the agent context may include secrets, customer data, and proprietary logic from every attached repo unless you scope directories and vault credentials first. No-repo automations connect operational systems (Stripe, Slack, Databricks per marketplace templates) where regulated or financial data is common. Shared canvases can expose summaries derived from that data to anyone with the link on eligible plans. Cloud execution improves isolation versus local agents, but isolation is not data governance. Teams in regulated industries should map data categories before enabling cross-repo or billing-connected automations.

Agents Window management, shared canvas links, and cloud run history improve operator visibility; unified export to enterprise observability stacks still requires integration work.

Cursor centralises automation creation beside interactive agents, which reduces the blind spot of cron jobs defined only in YAML. Dashboard visibility into team canvases supports post-hoc review. Cloud agent runs remain queryable after completion (consistent with the Cursor SDK event model). What is missing for PSF Domain 4 at enterprise scale: structured trace export to OpenTelemetry, SIEM correlation IDs, and retention policies aligned to compliance schedules. Practitioners should treat Cursor telemetry as a supplement to, not a replacement for, production monitoring on the systems automations touch (AWS, Stripe, Slack).

Versioned 3.5 release, bounded promo pricing, and read-only canvas sharing help controlled rollout; blast-radius limits on multi-step unattended runs are still practitioner-defined.

Cursor documents release 3.5 on May 20, 2026 with Automations in the Agents Window, multi-repo attachment, no-repo templates, and canvas sharing. Composer 2.5 shipped May 18, 2026 as the default coding model with published token pricing, which matters for cost predictability on long automations. The platform offers a temporary 50% discount on agent runs for newly created automations (seven days from release), which encourages experimentation but can mask runaway spend if teams skip budgets. Multi-repo agents can modify, test, and verify across codebases in one run: powerful for platform teams, risky without step budgets and branch protections. Prefer staging repos and feature branches for automation write access.

Canvas sharing and Jira assignment patterns support human review; scheduled no-repo automations can still act without a human in the loop unless you architect checkpoints.

The May 19, 2026 Jira integration lets teams assign work items to Cursor or mention @Cursor in comments, which maps naturally to ticket-scoped human intent before a run starts. Shared canvases enable asynchronous review. Conversely, marketplace templates for Slack digests, Stripe reports, and customer health monitoring are designed to run on schedules with minimal human initiation. PSF Domain 6 requires explicit escalation for irreversible or high-impact actions. Cursor provides pause and review primitives in interactive agents; automations inherit those only if you configure them.

Cloud isolation and enterprise plans help containment; MCP breadth, multi-repo tokens, and third-party connectors increase supply-chain and over-permission risk.

No-repo automations encourage connecting MCP servers and SaaS APIs without a repository boundary, similar to ambient agent risks documented in our Cursor SDK assessment. Multi-repo automations need least-privilege Git access across every attached remote. Jira integration requires Commercial Cloud with Rovo and admin consent: review OAuth scopes during install. Composer 2.5 improves instruction following, which aids safety when prompts are well scoped and aids attackers when prompts are hijacked via poisoned tickets or Slack threads. Run periodic adversarial tests on automation triggers, not only on chat UI inputs.

Automations, canvases, and no-repo connectors concentrate operational dependence on Cursor and its model and SaaS partners without portable runbooks or contractual exit artifacts.

PSF Domain 8 covers supplier change, model exit, and continuity when a vendor tightens terms, deprecates APIs, or becomes unavailable. Cursor 3.5 deepens platform stickiness: multi-repo and no-repo automations, marketplace templates for Stripe and Slack, and shared canvases are not exportable orchestration packages you can replay on another harness. Composer 2.5 is the default coding model with promotional pricing that can shift; teams lack a first-party abstraction to pin behaviour across model generations. Jira and MCP connectors add secondary vendors whose outages block automations even when Cursor is up. Enterprise plans may offer DPAs and support SLAs, but practitioners still need written fallback paths (alternate IDE agents, frozen prompts in git, secondary model routes) before production schedules depend on Cursor-only automation IDs.