Skip to main content

Configuration Reference

Complete reference for airs-config.json.

Fields

endpoint

  • Type: string
  • Default: https://service.api.aisecurity.paloaltonetworks.com
  • Description: AIRS Sync API base URL. Supports ${PRISMA_AIRS_API_ENDPOINT} env var reference.

apiKeyEnvVar

  • Type: string
  • Default: PRISMA_AIRS_API_KEY
  • Description: Name of the environment variable containing the x-pan-token API key.

profiles

  • Type: { prompt: string, response: string, tool?: string }
  • Description: AIRS security profile names for prompt, response, and tool scanning. All three default to PRISMA_AIRS_PROFILE_NAME (or Codex CLI - Hooks if unset). Use per-direction env vars only when you need different profiles for different scan types.
FieldEnv Var (override)Fallback
profiles.promptPRISMA_AIRS_PROMPT_PROFILEPRISMA_AIRS_PROFILE_NAMECodex CLI - Hooks
profiles.responsePRISMA_AIRS_RESPONSE_PROFILEPRISMA_AIRS_PROFILE_NAMECodex CLI - Hooks
profiles.toolPRISMA_AIRS_TOOL_PROFILEPRISMA_AIRS_PROFILE_NAMECodex CLI - Hooks

mode

  • Type: "observe" | "enforce" | "bypass"
  • Description: Scanning mode. See Modes.

fail_mode

  • Type: "open" | "closed"
  • Default: "open"
  • Description: Behavior when scanning fails (AIRS unreachable, config errors). open never blocks on errors; closed blocks prompts and MCP tool calls when the scan cannot complete. The Stop hook (response scanning) is always fail-open because the response has already streamed.

timeout_ms

  • Type: number
  • Description: AIRS API request timeout in milliseconds.
  • Validation: Must be a positive number.

retry

{
"enabled": true,
"max_attempts": 1,
"backoff_base_ms": 200
}
FieldTypeDescription
enabledbooleanEnable retry on transient failures
max_attemptsnumberMaximum retry attempts
backoff_base_msnumberBase delay for exponential backoff

logging

{
"path": "~/.codex/hooks/airs-scan.log",
"include_content": false
}
FieldTypeDescription
pathstringLog file path (~ resolved to home dir at runtime)
include_contentbooleanInclude prompt/response text in logs

enforcement

Per-detection-service enforcement actions. See Detection Services.

{
"prompt_injection": "block",
"dlp": "block",
"malicious_code": "block",
"url_categorization": "block",
"toxicity": "block",
"custom_topic": "block"
}

Valid values: "block", "mask", "allow".

circuit_breaker

{
"enabled": true,
"failure_threshold": 5,
"cooldown_ms": 60000
}

See Circuit Breaker.

content_limits

{
"max_scan_bytes": 51200,
"truncate_bytes": 20000
}
FieldTypeDefaultDescription
max_scan_bytesnumber51200 (50KB)Inputs larger than this are skipped entirely (fail-open)
truncate_bytesnumber20000 (20KB)Inputs above this threshold are truncated before scanning

Applies to all scan paths: UserPromptSubmit, PreToolUse, PostToolUse, and Stop. Prevents excessive latency and API errors for large MCP tool outputs or long responses.