Your IDE for the internet of agents.
A native Cursor extension that bonds Composer, the Agent tab, and inline AI to a policy you own. Real enforcement runs as Cursor hooks (afterFileEdit, beforeReadFile, beforeShellExecution, beforeMCPExecution); the extension adds observability, palette commands, and the /chio-init scaffolder.
Drop-in extension. Repo-native policy.
Install from Cursor's marketplace (or sideload the .vsix). The extension adds a Chio sidebar, a status bar indicator, and a palette. /chio-init writes .chio/ + .cursor/hooks.json into the repo. Teams and CI share the same ruleset.
Install from the Cursor marketplace
Search 'chio' in Cursor's Extensions panel. Publisher is Backbay Industries; the listing is signed.
# Cursor → Extensions → search: chio
Initialize the workspace
Runs Chio: Initialize workspace from the palette (or /chio-init in chat). Writes .chio/policy.yaml, .chio/hooks/, and .cursor/hooks.json. Every teammate inherits them.
# palette → Chio: Initialize workspace
Bond the workspace
Mints an Agent Passport scoped to the repo; attenuates the capability. Re-bonds on session open.
/chio-bond
// Registered by /chio-init · Cursor invokes these per keystroke.
{
  "afterFileEdit": [".chio/hooks/composer.mjs"],
  "beforeReadFile": [".chio/hooks/composer.mjs"],
  "beforeShellExecution": [".chio/hooks/shell.mjs"],
  "beforeMCPExecution": [".chio/hooks/tool.mjs"]
}
// All hooks fail closed: any crash, timeout, or policy-load failure denies.
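As an added example (not Chio's code and not part of the original page), this sketch shows how a shell check over shell_commands.allow / deny can fail closed on a crash or policy-load failure, with deny rules taking precedence and a default deny. The policy shape, the function names and the { permission, reason } return value are assumptions; timeouts are not modelled here.

```javascript
// Added illustration. The policy shape, function names and return shape are
// assumptions for this sketch, not Chio's schema or Cursor's hook contract.

// Constructed sample policy.
const SAMPLE_POLICY = {
  shell_commands: { allow: ["git status", "npm test"], deny: ["git push"] },
};

// Validate the policy; throw on anything malformed so the caller denies.
function loadShellRules(policy) {
  const rules = policy && policy.shell_commands;
  if (!rules || !Array.isArray(rules.allow) || !Array.isArray(rules.deny)) {
    throw new Error("policy-load failure: shell_commands.allow/deny missing");
  }
  if (![...rules.allow, ...rules.deny].every((r) => typeof r === "string" && r.trim())) {
    throw new Error("policy-load failure: rules must be non-empty strings");
  }
  return rules;
}

// A rule matches the exact command or the command followed by arguments.
function matches(rule, cmd) {
  return cmd === rule || cmd.startsWith(rule + " ");
}

function evaluate(rules, command) {
  if (typeof command !== "string" || !command.trim()) {
    throw new Error("malformed hook input");
  }
  const cmd = command.trim();
  // Prefix rules cannot reason about chained or substituted commands: refuse them.
  if (/[;&|`$<>\n]/.test(cmd)) {
    return { permission: "deny", reason: "shell metacharacter in command" };
  }
  const denied = rules.deny.find((r) => matches(r, cmd));
  if (denied) return { permission: "deny", reason: "deny rule: " + denied };
  const allowed = rules.allow.find((r) => matches(r, cmd));
  if (allowed) return { permission: "allow", reason: "allow rule: " + allowed };
  return { permission: "deny", reason: "no allow rule matched" }; // default deny
}

// Fail closed: any exception while loading or evaluating becomes a deny.
function checkShell(policy, command) {
  try {
    return evaluate(loadShellRules(policy), command);
  } catch (err) {
    return { permission: "deny", reason: "fail-closed: " + err.message };
  }
}
```

The metacharacter refusal matters because a prefix allowlist alone would accept an allowed command with a second command chained after it.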
Every place Cursor runs, Chio mediates.
Four Cursor hook events map onto four enforcement scripts. You don't have to change how you work, just which daemon you're working against.
Composer patches.
composer.mjs enforces forbidden_paths, path_allowlist.write, patch_integrity, and an inline secret scan before the write lands.
patch_integrity · fs
Agent tab shells.
shell.mjs consults shell_commands.allow / deny. Egress is pinned to your mesh.
shell · egress
Context ingress.
composer.mjs scans file contents for secrets before they enter the model's context. Redactions are receipted as a deny.
<2ms · fail-closed
Every MCP tool.
tool.mjs calls ChioBridge.check against the 7-guard pipeline. Every mounted MCP server — yours, third-party, experimental — is bonded before Cursor can touch it.
mcp · attenuated
IDE features, governance-grade.
The plugin adds a side panel, a status bar indicator, and a handful of chat skills. The rest is invisible, until something tries to cross a line and a hook stops it.
Bond indicator
Status bar shows BONDED / AT-RISK / REVOKED with a live budget meter. Click to open the policy; hover for the receipt stream.
status-bar
Composer preview
Every multi-file patch is previewed with a deny reason next to any file that would be refused, before you apply.
preview · refuse-first
Team policy
Policy lives in .chio/ under version control. CI runs the same guard pipeline via chio check on PRs; drift shows up as review comments.
ci · team-scoped
Per-PR attenuation
.chio/branches/<branch>.yaml holds per-PR scope deltas. 'This PR can only touch /docs.' The delta is signed; the base policy is untouched.
per-branch
Secret scanning
Model output is scanned inline before it reaches your buffer. Leaked keys are redacted and receipted as a deny.
secrets
MCP mesh discovery
/chio-attach-mcp discovers MCP servers on your mesh, attenuates them, and registers into .cursor/mcp.json. No manual config.
mcp · mesh
Day-to-day Cursor, safer.
Ordinary Cursor moves, now reviewable. Every workflow produces a signed bundle you can attach to a PR, a ticket, or an audit response.
One bundle per PR. Signed.
Your IDE, ready for the internet of agents.
Every MCP server your team mounts, every agent in your Composer, every inline fix: the same kernel, the same receipts. Ship with Cursor; prove it with Chio.