I don't understand what the problem is at this point. You can, without introducing any new agents, have a system that has one LLM context reading from tickets and producing structured outputs, another LLM context that has access to a full read-write SQL-executing MCP, and then normal human code intermediating between the two. That isn't even complicated on the normal scale of LLM coding agents.
Cursor almost certainly has lots of different contexts you're not seeing as it noodles on Javascript code for you. It's just that none of those contexts are designed to express (or, rather, enable agent code to express) security boundaries. That's a problem with Cursor, not with LLMs.
Cursor almost certainly has lots of different contexts you're not seeing as it noodles on Javascript code for you. It's just that none of those contexts are designed to express (or, rather, enable agent code to express) security boundaries. That's a problem with Cursor, not with LLMs.