Skip to main content

Prisma AIRS Codex Hooks

Prisma AIRS Codex Hooks

Real-time AI security scanning for the Codex CLI

npm CI License: MIT Node 18+


Prisma AIRS Codex Hooks scans prompts, MCP tool traffic, and final responses in the Codex CLI in real-time via the Prisma AI Runtime Security (AIRS) Sync API. Blocks prompts and MCP tool calls before they execute, and audits tool outputs and final responses for prompt injections, malicious code, sensitive data leakage, toxic content, and policy violations.


Install

npm install -g @cdot65/prisma-airs-codex-hooks

How It Works

PostToolUse and Stop fire after the fact

PostToolUse fires after the MCP tool already executed (this project runs it observe-only by policy), and Stop fires after the response has already streamed to the user. Stop terminates the turn on an AIRS block verdict so the session doesn't keep building on flagged content, but it cannot retract what was displayed. See Codex Hooks API.

Bash and file edits are not scanned

By design, this project scans MCP tools only (mcp__.* matchers). Local Bash commands and apply_patch file edits are not sent to AIRS.


Capabilities

🛡️ Prompt Scanning

Scans every prompt before Codex processes it. Detects prompt injection, DLP violations, toxicity, and custom topic policy violations.

Detection Services

🧩 Response & Code Auditing

Parses the final assistant message to extract code blocks separately. Natural language and code are scanned independently; an AIRS block verdict terminates the turn (post-stream).

Code Extraction

🔧 MCP Tool Scanning

Scans MCP tool inputs before execution (PreToolUse, can deny) and tool outputs after execution (PostToolUse, observe-only by policy). Both sent to AIRS as tool_event content.

Architecture

🔒 Enforce or Observe

Three modes: observe (log only), enforce (block on detection), bypass (skip). Plus fail_mode to choose fail-open or fail-closed behavior on errors.

Configuration

⚡ Fail-Open by Default

Never blocks the developer on infrastructure failures unless you opt into fail_mode: "closed". Circuit breaker pattern bypasses scanning after consecutive API failures with automatic recovery.

Circuit Breaker

📦 Self-Contained Bundles

Each hook ships as a single minified ~125KB .mjs bundle that runs with plain node — no node_modules at runtime, fast startup.

Installation


Get Started

InstallInstall from npm, set environment variables, and register hooks in Codex. → Installation
Quick StartGet scanning in under 5 minutes. → Quick Start
ConfigureModes, fail mode, enforcement actions, profiles, circuit breaker, and logging. → Configuration
ArchitectureScanning flow, module design, and key decisions. → Architecture