Configuration Reference
Complete reference for airs-config.json.
Fields
endpoint
- Type:
string - Default:
https://service.api.aisecurity.paloaltonetworks.com - Description: AIRS Sync API base URL. Supports
${PRISMA_AIRS_API_ENDPOINT}env var reference.
apiKeyEnvVar
- Type:
string - Default:
PRISMA_AIRS_API_KEY - Description: Name of the environment variable containing the
x-pan-tokenAPI key.
profiles
- Type:
{ prompt: string, response: string, tool?: string } - Description: AIRS security profile names for prompt, response, and tool scanning. All three default to
PRISMA_AIRS_PROFILE_NAME(orCodex CLI - Hooksif unset). Use per-direction env vars only when you need different profiles for different scan types.
| Field | Env Var (override) | Fallback |
|---|---|---|
profiles.prompt | PRISMA_AIRS_PROMPT_PROFILE | PRISMA_AIRS_PROFILE_NAME → Codex CLI - Hooks |
profiles.response | PRISMA_AIRS_RESPONSE_PROFILE | PRISMA_AIRS_PROFILE_NAME → Codex CLI - Hooks |
profiles.tool | PRISMA_AIRS_TOOL_PROFILE | PRISMA_AIRS_PROFILE_NAME → Codex CLI - Hooks |
mode
- Type:
"observe" | "enforce" | "bypass" - Description: Scanning mode. See Modes.
fail_mode
- Type:
"open" | "closed" - Default:
"open" - Description: Behavior when scanning fails (AIRS unreachable, config errors).
opennever blocks on errors;closedblocks prompts and MCP tool calls when the scan cannot complete. TheStophook (response scanning) is always fail-open because the response has already streamed.
timeout_ms
- Type:
number - Description: AIRS API request timeout in milliseconds.
- Validation: Must be a positive number.
retry
{
"enabled": true,
"max_attempts": 1,
"backoff_base_ms": 200
}
| Field | Type | Description |
|---|---|---|
enabled | boolean | Enable retry on transient failures |
max_attempts | number | Maximum retry attempts |
backoff_base_ms | number | Base delay for exponential backoff |
logging
{
"path": "~/.codex/hooks/airs-scan.log",
"include_content": false
}
| Field | Type | Description |
|---|---|---|
path | string | Log file path (~ resolved to home dir at runtime) |
include_content | boolean | Include prompt/response text in logs |
enforcement
Per-detection-service enforcement actions. See Detection Services.
{
"prompt_injection": "block",
"dlp": "block",
"malicious_code": "block",
"url_categorization": "block",
"toxicity": "block",
"custom_topic": "block"
}
Valid values: "block", "mask", "allow".
circuit_breaker
{
"enabled": true,
"failure_threshold": 5,
"cooldown_ms": 60000
}
See Circuit Breaker.
content_limits
{
"max_scan_bytes": 51200,
"truncate_bytes": 20000
}
| Field | Type | Default | Description |
|---|---|---|---|
max_scan_bytes | number | 51200 (50KB) | Inputs larger than this are skipped entirely (fail-open) |
truncate_bytes | number | 20000 (20KB) | Inputs above this threshold are truncated before scanning |
Applies to all scan paths: UserPromptSubmit, PreToolUse, PostToolUse, and Stop. Prevents excessive latency and API errors for large MCP tool outputs or long responses.