# Cursor SDK June 2026: Custom Tools, Stores, and Auto-Review > Source: > Published: 2026-06-18 17:10:16+00:00 The June 2026 Cursor SDK update is not a polish release. It ships four primitives that, taken together, move Cursor from an IDE assistant into a deployable agent runtime: custom tools you can wire your own functions into, configurable persistence stores, a contextual classifier that gates tool calls before they execute, and nested subagents that can spawn further subagents recursively. If you have been treating Cursor as an interactive coding tool, this update changes what you can reasonably expect it to do in a CI/CD pipeline. ## Custom Tools: Your Functions, the Agent’s Hands The most immediately useful addition. You can now pass function definitions to the Cursor agent as callable tools via `local.customTools` on `Agent.create()` or on individual `send()` calls. The SDK exposes them through a built-in MCP server called `custom-user-tools` , which means the model calls your code through the same permission gate as any external MCP tool — no special-casing required. The practical implication: if you have an internal error-tracking API, a proprietary linting rule, or a deployment script, the agent can invoke it mid-task without you standing up a separate MCP server to wrap it. The TypeScript and Python SDKs have full feature parity here. ``` js const agent = Agent.create({ local: { customTools: [ { name: "query_errors", description: "Fetch recent errors from internal tracking", parameters: { type: "object", properties: { limit: { type: "number" } } }, execute: async ({ limit }) => fetchErrors(limit) } ] } }) ``` ## Nested Subagents: Agents Spawning Agents Subagents are not new to Cursor, but they could not previously spawn their own subagents. That limit is lifted. A reviewer subagent can now delegate to a test-writer, which can delegate further — each level running its own prompt and model. Set `is_background: true` to run async so the parent agent does not wait before continuing. Early adopters are using this pattern in CI/CD: a root agent receives a failing build, delegates root-cause analysis to one subagent and PR description drafting to another, then surfaces the result upstream. The architecture is similar to what [Claude Code’s Agent SDK](https://docs.anthropic.com/en/docs/claude-code/sdk) offers, but here it lives inside the same IDE your developers use daily — which matters for adoption. ## Auto-Review: A Safety Gate That Gets Out of the Way Auto-review launched in Cursor 3.6 at the end of May and is now a first-class SDK primitive. It routes local tool calls through a three-stage filter: an allowlist for trusted actions, a sandbox for containable side effects, and a contextual classifier subagent for everything else. You steer that classifier with natural language in `permissions.json` — `autoRun.allow_instructions` for what to permit, `autoRun.block_instructions` for what to hold. The numbers are worth noting. According to [AlphaSignal’s analysis](https://alphasignal.ai/news/cursor-s-auto-review-cuts-agent-approval-prompts-by-84-using-ai), auto-review cuts agent approval prompts by 84%. Only 7% of chat sessions in auto-review mode generate even a single user interruption. The classifier blocks roughly 4% of tool calls, but the agent resolves many of those on its own — it receives an explanation back, narrows the action, and keeps moving. Auto-review is now the default for new users. ## Custom Stores: Production-Ready Agent State Until this update, the SDK persisted agent and run metadata to SQLite. That is still available, but you can now implement the `LocalAgentStore` interface yourself and pass it via `local.store` . Both `SqliteLocalAgentStore` and the new `JsonlLocalAgentStore` are exported directly. The JSONL store writes four append-only NDJSON files — agents, runs, run events, and checkpoints — under a directory you specify. It is diffable, version-controllable, and legible without tooling, which makes it practical for debugging agentic pipelines in CI. For production workloads, the interface is straightforward to back with Postgres so agent state lives alongside your application data. Ephemeral CI runs can skip disk entirely with an in-memory store. ## What This Adds Up To Taken individually, each of these features is incremental. Taken together, they answer a question that has been hanging over Cursor since the SpaceX acquisition: is this still a developer IDE, or is it becoming infrastructure? This SDK update says both. The interactive experience is unchanged, but the SDK now offers the persistence, composability, and safety primitives needed to deploy Cursor agents into automated pipelines. [The full changelog is on cursor.com](https://cursor.com/changelog/sdk-updates-jun-2026). Claude Code’s Agent SDK, GitHub Copilot’s cloud automations, and [OpenCode’s model-agnostic approach](https://opencode.ai) are all competing in the same space. Cursor’s bet is that keeping the interactive and programmatic surfaces unified — one tool, one mental model — is worth something. With custom tools, nested subagents, auto-review, and configurable stores shipping together, that bet looks more credible than it did a week ago.