What is an Agentic Control Plane?

An Agentic Control Plane is a governance layer that sits between AI coding agents and their tools. It logs every tool call, enforces permissions and policies, and provides audit trails — giving teams visibility and control over what their AI agents are doing.

How does ACP work with Claude Code?

ACP installs a PreToolUse hook in Claude Code that fires before every tool call (Bash, Read, Write, Edit, WebFetch). The hook sends the tool name and input to ACP's governance API for policy evaluation and audit logging. Round-trip is approximately 200ms.

How do I install ACP?

Run one command: curl -sf https://agenticcontrolplane.com/install.sh | bash. This auto-detects Claude Code and OpenClaw, installs the appropriate hooks, and opens your browser to set up your workspace.

Does ACP work with Cursor's Composer agent?

Yes. The hook fires on every Composer tool call regardless of YOLO/approval mode.

Is Cursor's Privacy Mode compatible with ACP?

Yes. Privacy Mode controls Cursor's own telemetry. ACP runs locally and POSTs to your workspace gateway — orthogonal to Privacy Mode.

Can ACP redact a Cursor file edit before it lands?

Not today — PostToolUse is observe-only in the current hook API. ACP can flag findings; mutation requires the upcoming SDK adapter approach.

Does ACP slow down Cursor?

Hook adds the round-trip latency to api.agenticcontrolplane.com — typically <100ms. PreToolUse is fail-closed with a 4s timeout; PostToolUse is fire-and-forget.

Govern Cursor with Agentic Control Plane

Cursor’s Composer agent executes tool calls on your codebase — file edits, Bash commands, MCP tool invocations — at scale. ACP intercepts each one via Cursor’s hook API, logs identity-attributed audit events, and enforces policy when you’re ready to switch from observe to enforce.

TL;DR

curl -sf https://agenticcontrolplane.com/install.sh | bash

The script detects Cursor (~/.cursor exists or cursor on PATH), writes ~/.acp/govern.mjs, registers it under ~/.cursor/hooks.json for both preToolUse and postToolUse events, and opens the browser to provision a workspace. Restart Cursor and every Composer tool call is governed.

How it works

Cursor’s hook system mirrors Claude Code’s but uses lowercase event names. ACP installs the same govern.mjs script for both products — the dispatcher inside the script handles either event shape:

preToolUse — fires before tool execution. POSTs to /govern/tool-use. Returns permissionDecision: "deny" to block.
postToolUse — fires after tool returns. POSTs to /govern/tool-output. Audit log entry written; PII/secret findings surfaced.

Cursor’s hook API is newer than Claude Code’s. Most fields map directly; a few quirks are documented in Limitations below.

What gets installed and where

Path	Purpose
`~/.acp/govern.mjs`	Hook script, shared with Claude Code/Codex installs
`~/.acp/credentials`	Bearer token from browser OAuth
`~/.cursor/hooks.json`	Adds `hooks.preToolUse[]` and `hooks.postToolUse[]` entries

Idempotent. Safe to re-run.

What you’ll see in the dashboard

Cursor traffic appears as Cursor in cloud.agenticcontrolplane.com/agents. Activity is broken down by Cursor’s reported tier (when present) — typically interactive for Composer-driven sessions.

The Activity log page (/activity) shows individual tool calls with the Cursor session ID, Composer’s reported tool name (Read, Edit, Apply Patch, Run Terminal), and any policy decisions.

Setting up policy

Cursor traffic governs the same way as any other client — through the three-axis Policies model:

Tool policies — restrict destructive Bash commands, gate file writes outside the workspace
Agent policies — set per-tier rules (interactive Composer vs autonomous Composer agent runs)
User policies — gate sensitive operations (Stripe, prod database access) per identity

Audit-mode-first is the right default. Enforce mode after a few days of observed traffic.

Limitations

Cursor’s hook API is less mature than Claude Code’s. Expect schema fields to evolve as Cursor stabilizes. The govern.mjs dispatcher accommodates both Claude and Cursor field names but may need updates as Cursor changes.
No equivalent to Claude Code’s Agent tool subagent metadata. Cursor Composer doesn’t expose a comparable named-subagent concept today, so the dashboard’s named-agent attribution is sparser for Cursor than for Claude Code.
No --dangerously-skip-permissions flag but YOLO mode in Composer can autorun some tools without prompting. Hooks still fire — there’s no equivalent escape hatch in Cursor today.
Cursor’s Privacy Mode affects what telemetry Cursor itself sends — it does not affect ACP’s hooks. ACP runs locally on your machine and POSTs to your workspace’s gateway. Privacy Mode and ACP are orthogonal.
PostToolUse output mutation is observe-only. ACP can flag PII and prompt-injection findings into the audit log; rewriting the tool output before Cursor sees it isn’t supported in the current hook API.

Troubleshooting

Hook isn’t firing. Restart Cursor completely (quit and re-open). Hook configuration is read on Cursor startup.

“ACP unreachable” denials. PreToolUse is fail-closed by default. If ~/.acp/credentials is empty or expired, every tool call is blocked. Re-run the installer to re-authenticate.

Cursor doesn’t see the hook. Confirm ~/.cursor/hooks.json exists and is valid JSON. Cursor silently ignores invalid hook configs.

Composer YOLO mode tool calls aren’t being intercepted. They should be — file an issue if you see otherwise. Hook should fire regardless of approval mode.

Claude Code — same hook pattern, more mature hook API
OpenAI Codex CLI — Codex hooks (with the Bash-only caveat)
Cline — VS Code extension that pairs well with Cursor for some workflows; uses MCP-based governance instead of hooks
Agent-to-Agent governance — what happens when Composer chains across multiple agent invocations