Cursor IDE + AxonFlow Integration

AxonFlow adds policy enforcement, PII detection, and audit trails to Cursor IDE. The AxonFlow plugin uses PreToolUse/PostToolUse hooks to automatically govern tool execution — blocking dangerous commands before they run, scanning outputs for sensitive data, and recording every governed action for compliance.

Prerequisites: Cursor IDE plus an AxonFlow agent gateway. Self-host via Docker Compose (Getting Started) for any real workload — see Privacy notice below for why.

Plugin repo: getaxonflow/axonflow-cursor-plugin

Privacy notice

Read before installing. AxonFlow Community SaaS at try.getaxonflow.com is the zero-config endpoint the plugin uses if neither AXONFLOW_ENDPOINT nor AXONFLOW_AUTH is configured. In that mode, governed tool inputs (tool name + arguments) and outbound message bodies are checked by AxonFlow's policy enforcement endpoint and recorded for audit. Community SaaS is offered in two tiers — Free (3-day audit retention, 200 events/day) and Plugin Pro ($9.99 / 90 days, 30-day retention, 2,000 events/day). Both tiers are suitable for individual use within their documented limits. Neither tier is designed for regulated industries, real user data of third parties, or workloads requiring contractual SLOs — see the Privacy Policy for the full scope of what we commit to and what we don't.

For any serious use, choose one of the following instead:

1. Self-host AxonFlow Community Edition — runs entirely on your infrastructure and keeps data within your boundary. Recommended for any real workload.
2. Community Edition with an Evaluation License — for production use with real users or clients on the open core; adds production-fit limits and license-gated features. Free 90-day evaluation license.
3. AxonFlow Enterprise — production-grade governance, regulatory-grade controls, SLOs, and contractual commitments suitable for regulated industries. Contact [email protected].

Setting AXONFLOW_ENDPOINT to a self-hosted AxonFlow URL alone flips the plugin into self-hosted mode — no env var is required. For air-gapped operation, set AXONFLOW_COMMUNITY_SAAS=0 to suppress the bootstrap attempt and AXONFLOW_TELEMETRY=off to disable the anonymous 7-day heartbeat.

---

Plugin Pro — paid upgrade for individual developers

$9.99 USD for 90 days. One-time payment, no auto-renewal.

If you're using this plugin against try.getaxonflow.com and outgrowing the Free tier's caps — daily quota, audit retention, the custom-policy and HITL-approval limits, or the lack of LLM cost pre-flight — Plugin Pro removes them:

• 30-day audit retention (10× Free)
• 2,000 governed events per day (10× Free)
• Unlimited custom tenant policies (Free: 2 active max)
• Unlimited HITL approvals (Free: 1 per rolling 7d)
• LLM cost pre-flight — see what a multi-step plan costs before it runs (Pro only)
• Email support, 2 business-day response
• 14-day refund window — no questions asked

Buy at getaxonflow.com/pricing → paste your cs_<uuid> tenant ID at Stripe Checkout → receive your AXON-… token by email → install with export AXONFLOW_LICENSE_TOKEN='AXON-...' in your shell profile (then restart Cursor so the IDE inherits the env var) or write the token to ~/.config/axonflow/license-token (mode 0600). The next agent action in Cursor that triggers a hook resolves Pro tier. Full guide: Plugin Pro install.

Pro is for individual-developer use only. For team/production workloads, self-host Community Edition or contact us about Enterprise.

---

What This Integration Enables During Daily IDE Use

Cursor users now get a more complete governed workflow when a tool run is blocked. In practice, IDE-native agents are where teams feel the tension between safety and speed most sharply. A developer wants to keep moving inside the editor, but security and platform controls still need to apply to shell commands, file writes, and MCP-backed operations.

• blocked shell and MCP actions can surface decision_id, risk_level, and override hints directly in the error path
• the same Cursor session can use explain_decision, create_override, delete_override, and list_overrides to investigate or temporarily unblock work when policy allows it
• that keeps the developer inside the IDE instead of forcing them to jump to a separate admin surface just to understand or resolve a governed deny

In practice, this turns a terse "blocked" event into a guided path through Decision Explainability and Session Overrides, which is much easier to operationalize for real engineering teams. Instead of pasting a failure into Slack and waiting for someone to interpret it, the developer can understand the decision from the same IDE session and, if policy allows, request or apply the right temporary unblock path immediately.

Cursor's IDE-native UX makes this even more useful. A governed block can fail with the correct exit code, surface status inside the editor, and carry file or tool context that helps the developer understand what actually triggered the policy. That improves more than just convenience. It makes the governed path the usable path. When the explainability and override flow is available from the same place the work is happening, teams are much less likely to work around governance or treat it as an opaque external hurdle.

---

What Cursor Does Well

Cursor is the fastest-growing AI code editor, built on VS Code with deep AI integration:

• AI-native code editing with inline completions and chat
• Native MCP server support for external tool access
• Terminal execution with project context awareness
• Multi-file editing with codebase understanding
• Plugin ecosystem with self-serve marketplace

---

What Cursor Doesn't Provide

Production Requirement	Cursor's Position
Policy enforcement before tool execution	Hooks available — governance logic not provided
PII detection in tool outputs	Not addressed — developer responsibility
Dangerous command blocking	Not addressed — terminal runs anything
Audit trails for compliance	Session logs exist — not compliance-formatted
SQL injection prevention for MCP queries	Not provided — MCP servers handle security
Approval gates for sensitive operations	Not provided

---

How AxonFlow Plugs In

Cursor selects a tool (Bash, Write, MCP, etc.)
    │
    ▼
PreToolUse hook fires automatically
    │ → check_policy("cursor.Shell", "curl 169.254.169.254")
    │
    ├─ BLOCKED (exit 2) → Cursor receives denial, tool never runs
    │
    └─ ALLOWED (exit 0) → Tool executes normally
                      │
                      ▼
                 PostToolUse hook fires automatically
                      │ → audit_tool_call(tool, input, output)
                      │ → check_output(tool result for PII/secrets)
                      │
                      ├─ PII found → Cursor instructed to use redacted version
                      └─ Clean → Silent, no interruption

What AxonFlow adds:

• Automatic policy enforcement before every governed tool call
• Dangerous command blocking: destructive filesystem operations, remote code execution, cloud metadata SSRF, credential file access, path traversal
• Sensitive-data detection in tool outputs, with Cursor instructed to use a redacted version when policy requires it
• SQL injection prevention for MCP database queries
• Compliance-grade audit trails for both allowed and blocked attempts
• Individual audit event search for debugging and compliance evidence

---

Quick Start: Plugin Installation

# 1. Start AxonFlow (if not already running)
git clone https://github.com/getaxonflow/axonflow.git
cd axonflow && docker compose up -d

# 2. Clone the plugin
git clone https://github.com/getaxonflow/axonflow-cursor-plugin.git

# 2a. Optional: increase hook HTTP timeout for remote deployments
export AXONFLOW_TIMEOUT_SECONDS=12

# 3. Install the plugin locally
cp -r axonflow-cursor-plugin ~/.cursor/plugins/local/axonflow-cursor-plugin

# 4. Reload Cursor (Cmd+Shift+P → "Developer: Reload Window")
# 5. Verify in Settings (Cmd+Shift+J) → Plugins → "Axonflow Cursor Plugin"

In community mode, no auth is needed. The MCP server connects automatically via the plugin's mcp.json.

---

What Gets Governed Automatically

Event	Hook	Action
Before governed tool call	PreToolUse	check_policy evaluates tool inputs against governance policies. Exit code 2 blocks execution.
After governed tool call	PostToolUse	audit_tool_call records execution in compliance audit trail
After governed tool call	PostToolUse	check_output scans output for PII/secrets

Governed tools: Shell, Write, Edit, Read, and all MCP tools (mcp__*). Cursor maps Claude Code's Bash tool to Shell.

Fail behavior:

• AxonFlow unreachable (network failure) → fail-open, tool execution continues
• AxonFlow auth/config error → fail-closed (exit 2), tool call blocked until configuration is fixed
• PostToolUse failures → never block (audit and PII scan are best-effort)

Timeout Tuning

Use AXONFLOW_TIMEOUT_SECONDS when Cursor needs to reach AxonFlow over a slower network path, VPN, or remote deployment.

• PreToolUse defaults to 8 seconds when unset
• PostToolUse defaults to 5 seconds when unset
• setting AXONFLOW_TIMEOUT_SECONDS applies the same timeout to all hook HTTP calls

---

MCP Tools

In addition to automatic hooks, the plugin exposes 10 MCP tools that Cursor can call explicitly. All tools are served by the agent's MCP server at /api/v1/mcp-server (not by the plugin itself — the plugin's .mcp.json points Cursor at the agent endpoint). Platform-side tool additions become immediately available in every plugin that targets the same agent.

Governance (6):

Tool	Purpose
check_policy	Evaluate specific inputs against policies
check_output	Scan specific content for PII/secrets
audit_tool_call	Record additional audit entries
list_policies	List active governance policies
get_policy_stats	Get governance activity summary
search_audit_events	Search individual audit records for debugging and compliance

Session overrides and explainability (4):

Tool	Purpose
explain_decision	Return the full DecisionExplanation for a decision ID
create_override	Create a time-bounded, audit-logged session override (mandatory justification)
delete_override	Revoke an active session override
list_overrides	List active overrides scoped to the caller's tenant

When Cursor stderr prints a governance block (exit 2), the decision ID is included in the reason. The agent can call explain_decision with that ID and, if the decision is overridable, create_override to unblock.

---

Skills and Rules

The plugin includes governance skills (invocable explicitly) and .mdc rules (always-on context):

Skills: check-governance, audit-search, policy-stats

Rules: axonflow-governance.mdc — injected into every conversation, informing Cursor that governance is active and what to expect when tools are blocked or PII is detected.

---

Integration-Specific Policies

AxonFlow supports integration-scoped policies that activate automatically when Cursor is detected. Set AXONFLOW_INTEGRATIONS=cursor or let auto-detection handle it:

• .cursor/settings.json write protection (block)
• .cursor-plugin/*.json modification warnings
• .cursorrules and .mdc file modification warnings

---

Latency Considerations

Operation	Typical Latency
Policy pre-check	2-5ms
PII detection	1-3ms
SQL injection scan	1-2ms
Audit write (async)	0ms (non-blocking)
Total overhead	3-10ms

---

Troubleshooting

Plugin Not Showing in Settings

Cursor loads local plugins from ~/.cursor/plugins/local/. The plugin must be a real copy (symlinks do not work). After copying, run "Developer: Reload Window" or restart Cursor.

Hooks Not Firing

Check the Hooks tab in Cursor Settings to see configured and executed hooks. Common issues:

• Missing "version": 1 in hooks/hooks.json
• Hook matcher uses wrong tool name (Bash instead of Shell — Cursor uses Shell)
• Plugin directory not at ~/.cursor/plugins/local/axonflow-cursor-plugin

MCP Tools Not Discoverable

Ensure AxonFlow is running (curl -s http://localhost:8080/health). The plugin's mcp.json configures the MCP connection automatically.

PII in File Writes Not Detected

Cursor writes files via shell commands (printf > file). The beforeShellExecution hook scans write content for PII. Set PII_ACTION to control behavior: redact (default — blocks and instructs agent to rewrite), block (hard block), warn (warns but allows), log (allows silently).

---

Related Resources

• AxonFlow Cursor Plugin — Plugin source code (MIT)
• Claude Code Integration — Sister plugin with same hook architecture
• OpenClaw Integration — Plugin for OpenClaw agents
• Policy Enforcement — How policies are evaluated
• Security Best Practices — Hardening guide
• PII Detection — PII scanning and redaction
• Audit Logging — Compliance audit trails

Telemetry

This plugin sends an anonymous heartbeat at most once every 7 days during activity. Under the v1 telemetry schema, the ping carries telemetry_type=plugin, sdk=cursor-plugin, and stream=heartbeat. The payload also includes plugin version, OS, architecture, bash version, and AxonFlow platform version. No PII, no tool arguments, no policy data.

The cadence is gated by a stamp file at $HOME/.cache/axonflow/cursor-plugin-telemetry-sent; delete it to force one fresh ping on the next hook invocation.

Opt out with AXONFLOW_TELEMETRY=off. DO_NOT_TRACK is not honored as an opt-out for AxonFlow telemetry — it is commonly inherited from host tools and developer environments, which makes it an unreliable expression of user intent. See Telemetry for the full wire-level field reference and the scope of AXONFLOW_TELEMETRY=off on Community SaaS vs self-hosted.

Plugin: v1.4.0 | Platform: v7.9.0 | SDKs: Python v8.0.0, TypeScript v8.0.0, Go v8.0.0, Java v8.0.0, Rust v0.2.0 (preview)