Prisma AIRS Codex Hooks
Real-time AI security scanning for the Codex CLI
Prisma AIRS Codex Hooks scans prompts, MCP tool traffic, and final responses in the Codex CLI in real-time via the Prisma AI Runtime Security (AIRS) Sync API. Blocks prompts and MCP tool calls before they execute, and audits tool outputs and final responses for prompt injections, malicious code, sensitive data leakage, toxic content, and policy violations.
Install
npm install -g @cdot65/prisma-airs-codex-hooks
How It Works
PostToolUse fires after the MCP tool already executed (this project runs it observe-only by policy), and Stop fires after the response has already streamed to the user. Stop terminates the turn on an AIRS block verdict so the session doesn't keep building on flagged content, but it cannot retract what was displayed. See Codex Hooks API.
By design, this project scans MCP tools only (mcp__.* matchers). Local Bash commands and apply_patch file edits are not sent to AIRS.
Capabilities
🛡️ Prompt Scanning
Scans every prompt before Codex processes it. Detects prompt injection, DLP violations, toxicity, and custom topic policy violations.
🧩 Response & Code Auditing
Parses the final assistant message to extract code blocks separately. Natural language and code are scanned independently; an AIRS block verdict terminates the turn (post-stream).
🔧 MCP Tool Scanning
Scans MCP tool inputs before execution (PreToolUse, can deny) and tool outputs after execution (PostToolUse, observe-only by policy). Both sent to AIRS as tool_event content.
🔒 Enforce or Observe
Three modes: observe (log only), enforce (block on detection), bypass (skip). Plus fail_mode to choose fail-open or fail-closed behavior on errors.
⚡ Fail-Open by Default
Never blocks the developer on infrastructure failures unless you opt into fail_mode: "closed". Circuit breaker pattern bypasses scanning after consecutive API failures with automatic recovery.
📦 Self-Contained Bundles
Each hook ships as a single minified ~125KB .mjs bundle that runs with plain node — no node_modules at runtime, fast startup.
Get Started
| Install | Install from npm, set environment variables, and register hooks in Codex. → Installation |
| Quick Start | Get scanning in under 5 minutes. → Quick Start |
| Configure | Modes, fail mode, enforcement actions, profiles, circuit breaker, and logging. → Configuration |
| Architecture | Scanning flow, module design, and key decisions. → Architecture |