Cursor Enforcer — Reference Sample

Prerequisites

• Cursor IDE installed
• Deployed Airlock Gateway and identity provider for your organization
• Mobile Approver distributed to reviewers via your organization's channel (MDM or internal app catalog)

Getting Started

1

Install the Extension

In Cursor, open the Extensions panel (Ctrl+Shift+X / Cmd+Shift+X), search for Airlock Enforcer, and install Airlock Cursor Enforcer.
2

Sign In

Open the Command Palette (Ctrl+Shift+P / Cmd+Shift+P) and run Airlock: Sign In. Authenticate with your organization's identity provider.
3

Pair with Mobile Approver

Run Airlock: Start Mobile Pairing from the Command Palette. A QR code will be displayed. On the Mobile Approver, go to Settings → Pair Another Workspace, scan the QR code or enter the pairing code manually.
4

Enable Auto Mode

Run Airlock: Enable Auto Mode to start intercepting AI actions. All agent commands will now require approver sign-off via the Mobile Approver.

Extension Commands

Command	Description
`Airlock: Sign In`	Authenticate with the Gateway
`Airlock: Sign Out`	Clear authentication
`Airlock: Start Mobile Pairing`	Pair with the Mobile Approver (QR code)
`Airlock: Unpair Mobile Approver`	Remove paired device
`Airlock: Enable Auto Mode`	Start automatic approval gating
`Airlock: Disable Auto Mode`	Stop gating
`Airlock: Show Status`	Show current endpoint, enforcer ID, pairing state

How It Works

Once installed, the Airlock Cursor Enforcer intercepts all AI-generated terminal commands and file mutations. Each action is encrypted with AES-256-GCM and submitted to the Gateway. Your Mobile Approver receives a push notification — you review the action and sign your decision with Ed25519. The enforcer verifies the signature locally before allowing execution.

Security model: The enforcer operates in fail-closed mode. If the gateway is unreachable, the signature is invalid, or the request times out — the action is blocked. No exceptions.