Policy enforcement, PII detection, and audit trails for Cursor. Automatically governs tool execution via PreToolUse/PostToolUse hooks and provides 6 MCP tools for explicit governance queries.
Cursor selects a tool (Bash, Write, MCP, etc.)
│
▼
PreToolUse hook fires automatically
│ → check_policy("cursor.Bash", "rm -rf /")
│
├─ BLOCKED (exit 2) → Cursor receives denial, tool never runs
│
└─ ALLOWED (exit 0) → Tool executes normally
│
▼
PostToolUse hook fires automatically
│ → audit_tool_call(tool, input, output)
│ → check_output(tool result for PII/secrets)
│
├─ PII found → Cursor instructed to use redacted version
└─ Clean → Silent, no interruption
- AxonFlow v6.0.0+ running locally (
docker compose up -d) - Cursor IDE
jqandcurlinstalled
git clone https://github.com/getaxonflow/axonflow-cursor-plugin.gitexport AXONFLOW_ENDPOINT=http://localhost:8080
export AXONFLOW_AUTH="" # empty for community mode
export AXONFLOW_TIMEOUT_SECONDS=12 # optional override for remote deploymentsLoad the plugin in Cursor via the plugin settings or --plugin-dir flag.
In community mode (DEPLOYMENT_MODE=community), no auth is needed.
| Event | Hook | Action |
|---|---|---|
| Before governed tool call | PreToolUse | check_policy evaluates inputs against 80+ governance policies |
| After governed tool call | PostToolUse | audit_tool_call records execution in compliance audit trail |
| After governed tool call | PostToolUse | check_output scans output for PII/secrets |
Governed tools: Shell, Write, Edit, Read, Task, NotebookEdit, and MCP tools (mcp__*).
Fail behavior:
- AxonFlow unreachable (network failure) → fail-open, tool execution continues
- AxonFlow auth/config error → fail-closed, tool call blocked until configuration is fixed
- PostToolUse failures → never block (audit and PII scan are best-effort)
Use AXONFLOW_TIMEOUT_SECONDS to tune the hook HTTP timeout when AxonFlow is running remotely, behind a VPN, or over a higher-latency network path.
- PreToolUse defaults to 8 seconds when unset
- PostToolUse defaults to 5 seconds when unset
- Setting
AXONFLOW_TIMEOUT_SECONDSapplies the same timeout to all hook HTTP calls
| Tool | Purpose |
|---|---|
check_policy |
Evaluate specific inputs against policies |
check_output |
Scan specific content for PII/secrets |
audit_tool_call |
Record additional audit entries |
list_policies |
List active governance policies |
get_policy_stats |
Get governance activity summary |
search_audit_events |
Search individual audit records |
AxonFlow ships with 80+ built-in system policies:
- Dangerous commands — destructive filesystem operations, remote code execution, credential access, cloud metadata SSRF, path traversal
- SQL injection — 30+ patterns including UNION injection, stacked queries, auth bypass
- PII detection — SSN, credit card, email, phone, Aadhaar, PAN, NRIC/FIN
- Code security — API keys, connection strings, hardcoded secrets
- Prompt injection — instruction override and context manipulation
axonflow-cursor-plugin/
├── .cursor-plugin/
│ └── plugin.json # Plugin metadata
├── mcp.json # MCP server connection (6 governance tools)
├── hooks/
│ └── hooks.json # PreToolUse + PostToolUse hook definitions
├── skills/
│ ├── check-governance/ # Check if an action is allowed
│ ├── audit-search/ # Search audit trail
│ └── policy-stats/ # Governance activity summary
├── rules/
│ └── axonflow-governance.mdc # Always-on governance context
├── scripts/
│ ├── pre-tool-check.sh # Policy evaluation (PreToolUse)
│ └── post-tool-audit.sh # Audit + PII scan (PostToolUse)
├── tests/
│ ├── test-hooks.sh # Regression tests (mock + live)
│ └── E2E_TESTING_PLAYBOOK.md
└── .github/workflows/test.yml
- AxonFlow Documentation
- Cursor Integration Guide
- Claude Code Plugin — sister plugin
- OpenClaw Plugin
- Policy Enforcement
- Self-Hosted Deployment
- Security Best Practices
This Cursor plugin runs locally and does not send a direct telemetry ping to AxonFlow checkpoint services. Telemetry behavior for your self-hosted AxonFlow deployment and SDKs is documented separately at docs.getaxonflow.com/docs/telemetry.
MIT