Connect Kiro IDE to Capsule Security for complete visibility into AI coding assistant activity, including prompts, agent responses, tool execution, and session lifecycle.
This integration uses Kiro's hook system to capture AI coding assistant activity.
The following activity is captured:
| Event | Description |
|---|---|
| Session Start | Session initialization with agent metadata (MCP servers, skills, steering) |
| User Prompt | User messages submitted to the agent |
| Agent Response | Assistant responses |
| Agent Reasoning | The agent's internal reasoning |
| Tool Invocation | Tool calls with arguments, results, success status, exit code, and timing |
Before you begin, ensure you have:
- Kiro IDE installed
- A Capsule Security account with admin access
Log in to the Capsule Security portal
Navigate to Integrations and locate Kiro
Click Install — Capsule generates a platform-specific installer with:
- An embedded authentication token scoped to your organization
- The hook dispatcher for your platform (bash for macOS/Linux, PowerShell for Windows)
- The Capsule hook definition that is fanned out to your Kiro workspaces
Select your target platform (Mac, Linux, or Windows) to download the installer. The portal displays the exact command to run in the next step.
The installer runs under your user account only — no root or administrator privileges are required, and no system-wide files are modified. It performs three actions:
- Writes the Capsule hook dispatcher under
~/.kiro/scripts/(macOS/Linux) or%APPDATA%\Kiro\scripts\(Windows) - Adds the dispatcher to Kiro's
kiroAgent.trustedCommandsin your usersettings.json(idempotent; the original file is snapshotted on first modification) - Installs the Capsule hook (
capsule-stop.kiro.hook) into every Kiro workspace registered on your machine. New workspaces are picked up automatically on the next agent turn
Open a terminal and run the command shown in the portal:
bash ~/Downloads/capsule-kiro-install.shOpen PowerShell and run the command shown in the portal:
powershell -ExecutionPolicy Bypass -File "$HOME\Downloads\capsule-kiro-install.ps1"Re-running the installer is safe — all operations are idempotent.
For the hook to take effect:
- Quit Kiro completely
- Reopen Kiro and your workspace
Open any Kiro workspace and run a simple agent task, for example:
Create a new file called test.txt with the content "Hello World"Let the agent complete the task — the Capsule hook fires at the end of the agent turn
Log in to the Capsule Security portal
Navigate to Inventory > Agents and confirm your Kiro agent appears
Click on the agent and review the audit logs to verify events are captured:
- Session start event
- User prompt
- Agent response
- Tool invocations
To view the full conversation, navigate to Observability and filter by Activity Type — Session
If events do not appear:
Confirm the installer completed without errors. Re-run the installer from the portal if needed — re-runs are idempotent.
Verify the dispatcher is trusted. Open your Kiro
settings.json(Kiro → Settings → Open Settings (JSON)) and confirmkiroAgent.trustedCommandsincludes the Capsule dispatcher path.Confirm the hook is present in your workspace. Look for
.kiro/hooks/capsule-stop.kiro.hookin your workspace root.Restart Kiro. Hook changes only load on Kiro startup.
Check token expiration. Tokens default to 365 days. Expired tokens require regenerating the installer from the portal.
Contact Capsule Security support if issues persist.
Capsule's Kiro integration is observation-only at the hook layer. Policy decisions are made server-side based on Policies configured in your Capsule tenant. To enforce policies on Kiro activity:
- Navigate to Policies in the portal
- Define or assign policies that target Kiro agents
- Capsule evaluates captured user prompts against policy rules and surfaces violations under Detections
- The installer runs locally under your user account — no root or administrator privileges are required, and no system-wide files are modified
- Authentication tokens are scoped to your tenant and embedded in the dispatcher; never share the installer script outside your organization
- Inspect the dispatcher at
~/.kiro/scripts/(Unix) or%APPDATA%\Kiro\scripts\(Windows) if your security team requires script review before execution - Token lifetime can be customized (1–365 days) under Advanced settings in the portal before downloading the installer. Shorter TTLs require more frequent reinstalls
For help with this integration:
- Email: support@capsule.security
- Include: your organization ID, the platform on which the installer was run, and any error messages from the installer or Kiro logs