Cursor IDE + AxonFlow Integration

AxonFlow adds policy enforcement, PII detection, and audit trails to Cursor IDE. The AxonFlow plugin uses PreToolUse/PostToolUse hooks to automatically govern tool execution — blocking dangerous commands before they run, scanning outputs for sensitive data, and recording every governed action for compliance.

Prerequisites: Cursor IDE, AxonFlow v6.0.0+ running (docker compose up -d)

Plugin repo: getaxonflow/axonflow-cursor-plugin

What Cursor Does Well

Cursor is the fastest-growing AI code editor, built on VS Code with deep AI integration:

AI-native code editing with inline completions and chat
Native MCP server support for external tool access
Terminal execution with project context awareness
Multi-file editing with codebase understanding
Plugin ecosystem with self-serve marketplace

What Cursor Doesn't Provide

Production Requirement	Cursor's Position
Policy enforcement before tool execution	Hooks available — governance logic not provided
PII detection in tool outputs	Not addressed — developer responsibility
Dangerous command blocking	Not addressed — terminal runs anything
Audit trails for compliance	Session logs exist — not compliance-formatted
SQL injection prevention for MCP queries	Not provided — MCP servers handle security
Approval gates for sensitive operations	Not provided

How AxonFlow Plugs In

Cursor selects a tool (Bash, Write, MCP, etc.)
    │
    ▼
PreToolUse hook fires automatically
    │ → check_policy("cursor.Shell", "curl 169.254.169.254")
    │
    ├─ BLOCKED (exit 2) → Cursor receives denial, tool never runs
    │
    └─ ALLOWED (exit 0) → Tool executes normally
                      │
                      ▼
                 PostToolUse hook fires automatically
                      │ → audit_tool_call(tool, input, output)
                      │ → check_output(tool result for PII/secrets)
                      │
                      ├─ PII found → Cursor instructed to use redacted version
                      └─ Clean → Silent, no interruption

What AxonFlow adds:

Automatic policy enforcement before every governed tool call
Dangerous command blocking: destructive filesystem operations, remote code execution, cloud metadata SSRF, credential file access, path traversal
Sensitive-data detection in tool outputs, with Cursor instructed to use a redacted version when policy requires it
SQL injection prevention for MCP database queries
Compliance-grade audit trails for both allowed and blocked attempts
Individual audit event search for debugging and compliance evidence

Quick Start: Plugin Installation

# 1. Start AxonFlow (if not already running)
git clone https://github.com/getaxonflow/axonflow.git
cd axonflow && docker compose up -d

# 2. Clone the plugin
git clone https://github.com/getaxonflow/axonflow-cursor-plugin.git

# 2a. Optional: increase hook HTTP timeout for remote deployments
export AXONFLOW_TIMEOUT_SECONDS=12

# 3. Install the plugin locally
cp -r axonflow-cursor-plugin ~/.cursor/plugins/local/axonflow-cursor-plugin

# 4. Reload Cursor (Cmd+Shift+P → "Developer: Reload Window")
# 5. Verify in Settings (Cmd+Shift+J) → Plugins → "Axonflow Cursor Plugin"

In community mode, no auth is needed. The MCP server connects automatically via the plugin's mcp.json.

What Gets Governed Automatically

Event	Hook	Action
Before governed tool call	PreToolUse	`check_policy` evaluates tool inputs against governance policies. Exit code 2 blocks execution.
After governed tool call	PostToolUse	`audit_tool_call` records execution in compliance audit trail
After governed tool call	PostToolUse	`check_output` scans output for PII/secrets

Governed tools: Shell, Write, Edit, Read, and all MCP tools (mcp__*). Cursor maps Claude Code's Bash tool to Shell.

Fail behavior:

AxonFlow unreachable (network failure) → fail-open, tool execution continues
AxonFlow auth/config error → fail-closed (exit 2), tool call blocked until configuration is fixed
PostToolUse failures → never block (audit and PII scan are best-effort)

Timeout Tuning

Use AXONFLOW_TIMEOUT_SECONDS when Cursor needs to reach AxonFlow over a slower network path, VPN, or remote deployment.

PreToolUse defaults to 8 seconds when unset
PostToolUse defaults to 5 seconds when unset
setting AXONFLOW_TIMEOUT_SECONDS applies the same timeout to all hook HTTP calls

MCP Tools

In addition to automatic hooks, the plugin exposes 6 MCP tools that Cursor can call explicitly:

Tool	Purpose
`check_policy`	Evaluate specific inputs against policies
`check_output`	Scan specific content for PII/secrets
`audit_tool_call`	Record additional audit entries
`list_policies`	List active governance policies
`get_policy_stats`	Get governance activity summary
`search_audit_events`	Search individual audit records for debugging and compliance

Skills and Rules

The plugin includes governance skills (invocable explicitly) and .mdc rules (always-on context):

Skills: check-governance, audit-search, policy-stats

Rules: axonflow-governance.mdc — injected into every conversation, informing Cursor that governance is active and what to expect when tools are blocked or PII is detected.

Integration-Specific Policies

AxonFlow supports integration-scoped policies that activate automatically when Cursor is detected. Set AXONFLOW_INTEGRATIONS=cursor or let auto-detection handle it:

.cursor/settings.json write protection (block)
.cursor-plugin/*.json modification warnings
.cursorrules and .mdc file modification warnings

Latency Considerations

Operation	Typical Latency
Policy pre-check	2-5ms
PII detection	1-3ms
SQL injection scan	1-2ms
Audit write (async)	0ms (non-blocking)
Total overhead	3-10ms

Troubleshooting

Plugin Not Showing in Settings

Cursor loads local plugins from ~/.cursor/plugins/local/. The plugin must be a real copy (symlinks do not work). After copying, run "Developer: Reload Window" or restart Cursor.

Hooks Not Firing

Check the Hooks tab in Cursor Settings to see configured and executed hooks. Common issues:

Missing "version": 1 in hooks/hooks.json
Hook matcher uses wrong tool name (Bash instead of Shell — Cursor uses Shell)
Plugin directory not at ~/.cursor/plugins/local/axonflow-cursor-plugin

MCP Tools Not Discoverable

Ensure AxonFlow is running (curl -s http://localhost:8080/health). The plugin's mcp.json configures the MCP connection automatically.

PII in File Writes Not Detected

Cursor writes files via shell commands (printf > file). The beforeShellExecution hook scans write content for PII. Set PII_ACTION to control behavior: redact (default — blocks and instructs agent to rewrite), block (hard block), warn (warns but allows), log (allows silently).

AxonFlow Cursor Plugin — Plugin source code (MIT)
Claude Code Integration — Sister plugin with same hook architecture
OpenClaw Integration — Plugin for OpenClaw agents
Policy Enforcement — How policies are evaluated
Security Best Practices — Hardening guide
PII Detection — PII scanning and redaction
Audit Logging — Compliance audit trails

Plugin: v0.1.0 | Platform: v6.0.0

What Cursor Does Well​

What Cursor Doesn't Provide​

How AxonFlow Plugs In​

Quick Start: Plugin Installation​

What Gets Governed Automatically​

Timeout Tuning​

MCP Tools​

Skills and Rules​

Integration-Specific Policies​

Latency Considerations​

Troubleshooting​

Plugin Not Showing in Settings​

Hooks Not Firing​

MCP Tools Not Discoverable​

PII in File Writes Not Detected​

Related Resources​