Cursor cloud subagents in 2026: /in-cloud, /babysit, and /automate without losing your local guardrails

Introduction

Parallel agent work stopped being theoretical when background agents got reliable. Cursor's June cloud push is the next step: subagents that do not block your laptop, PR babysitting that does not require you to watch a thread, and automations wired to real GitHub review events instead of only push hooks. I have been testing this on a client monorepo since the 3.7 changelog dropped. The throughput win is real. So is the governance gap if you treat cloud VMs as magic sandboxes.

This post maps /in-cloud, /babysit, and /automate onto the guardrail stack I already teach: Auto-review for runtime autonomy, pre-push /review for code leaving the machine, and API-key billing for unattended loops (June 15 Claude billing context still applies to model retirement even when the subscription split paused).

What shipped in Cursor 3.7 and 3.8 (release overview)

• /in-cloud spins a subagent in a dedicated cloud VM and branch so CI fixes and long investigations do not block the local session.
• /babysit keeps a cloud agent iterating on an open PR until checks pass and the diff is merge-ready.
• Environment snapshots in .cursor/environment.json capture deps and tooling so the next cloud agent boots in minutes.
• Handoff between local and cloud sessions is more reliable; you can offload, parallelize, and pull one agent back locally to test.
• /automate (3.8) configures triggers, instructions, and tools from a local session in plain language.
• Five GitHub review triggers: issue comments, inline PR comments, review submitted, review thread resolved/unresolved, workflow run completed.
• Cloud automation runs can ship computer-use screenshots or video demos by default; PRs open by default.

When /in-cloud beats local background agents

/in-cloud is for work that competes with your machine: full test suites, dependency upgrades that rebuild half the tree, multi-repo investigations. The subagent gets its own VM and branch. Your local session stays responsive. I use it when a junior engineer would have asked "can I borrow your laptop for an hour" and now the cloud VM is the borrower.

The mistake is using /in-cloud for five-minute typos. Cloud boot time plus environment setup still costs minutes unless you committed a snapshot. Pay that cost on tasks that actually need isolation, not on every prompt.

/babysit: PR iteration without babysitting you

/babysit attaches a cloud agent to an open PR and keeps iterating until merge criteria you care about are met: CI green, review comments addressed, conflict resolved. This is the workflow Cursor markets as "merge-ready," and it is closer to how I want agent-written PRs to behave than "open PR and disappear."

I still run pre-push /review locally before the first push when I authored the change. For /babysit loops that respond to review comments, the agent should re-run /review or equivalent before each push so Bugbot on GitHub does not re-scan noise. The Bugbot June update syncs patch IDs when the diff matches.

Merge criteria I encode in babysit instructions

• All required CI checks passing on the PR head.
• No unresolved review threads unless explicitly waived.
• No new secrets in diff (secret scan at commit boundary).
• Changelog or migration note if the touch is user-facing.
• Stop and ping human if scope expands beyond the original issue.

Environment snapshots: the file your team should commit

Cloud environment setup now captures a reusable snapshot in .cursor/environment.json. Commit it. Without it, every /in-cloud run reinstalls dependencies like a fresh laptop. With it, boot time drops to minutes and every engineer gets the same cloud baseline.

{
  "snapshot": "monorepo-node-22-pnpm-9",
  "install": "pnpm install --frozen-lockfile",
  "test": "pnpm test --filter=@app/api",
  "notes": "Match CI image; do not bake prod secrets here"
}

Snapshots describe tooling, not credentials. API keys belong in Cursor cloud secret storage or your org vault, never in the JSON file you commit. If you need a worked example of separating human seats from machine keys, the June billing checklist still applies to model IDs even when Anthropic paused the Agent SDK credit split.

/automate and GitHub review triggers

Cursor 3.8 turns automations into something you can describe in a local session with /automate: triggers, instructions, tool access. The five new GitHub triggers matter because most real agent loops start from review friction, not from a clean push event.

• workflow run completed: auto-triage failed Actions on a PR.
• review thread unresolved: respond when a reviewer blocks merge.
• inline PR review comment: fix the exact line called out.
• review submitted: batch address a review round.
• issue comment: bridge triage from issues to PRs.

Start with one noisy workflow. I pilot failed Actions on main first because signal is high and blast radius is bounded if the automation misbehaves. Do not stand up six automations on day one.

Guardrails that must follow cloud agents

Cloud VMs are not automatically safer than your laptop. They often have broader network reach and long-lived tokens for CI. Copy the same Auto-review permissions.json block_instructions you use locally. Block destructive git, infra destroy, and outbound curl to non-allowlisted domains.

Computer-use demos are useful for debugging what the cloud agent did. They are not a compliance audit. Pair demos with structured logs from the agent observability stack if the automation touches production-adjacent systems.

Common mistakes with cloud subagents

• Skipping environment.json and paying cloud boot tax on every run.
• Letting /babysit expand scope because "the agent is already working on it."
• Automating on every PR comment before measuring false-positive rate.
• Using developer subscription auth for 24/7 cloud automations instead of API keys.
• Assuming cloud isolation replaces code review. It does not.

Conclusion

Cursor cloud subagents are a scheduling layer, not a governance layer. /in-cloud and /babysit buy parallelism and PR stickiness. /automate buys event-driven loops tied to how teams actually review code. The guardrails stay the same: environment snapshots in git, Auto-review block_instructions, pre-push /review, API keys for unattended work. Wire those once and cloud agents become an accelerator instead of a second risk surface.

Sources: Cursor changelog 3.7 cloud in Agents Window at https://cursor.com/changelog/cloud-in-agents-window; Cursor changelog 06-18-26 at https://cursor.com/changelog/06-18-26.