
Prisma AIRS Cursor Hooks

Real-time AI security scanning for the Cursor IDE

npm CI License: MIT Node 18+


Prisma AIRS Cursor Hooks scans prompts and AI responses in the Cursor IDE in real time via the Prisma AI Runtime Security (AIRS) Sync API. It blocks prompts before they reach the LLM and audits AI responses for prompt injections, malicious code, sensitive data leakage, toxic content, and policy violations.


Install

npm install -g @cdot65/prisma-airs-cursor-hooks

How It Works

flowchart LR
    A[Developer Prompt] --> B[beforeSubmitPrompt Hook]
    B -->|AIRS Scan| C{Verdict}
    C -->|Allow| D[Cursor AI Agent]
    C -->|Block| E[Block Message]
    D --> F[MCP Tool Call]
    F --> G[beforeMCPExecution Hook]
    G -->|AIRS Scan| H{Verdict}
    H -->|Allow| I[Tool Execution]
    H -->|Block| J[Block Message]
    I --> K[Tool Output]
    K --> L[postToolUse Hook]
    L -->|AIRS Scan| M[Log + Warn]
    D --> N[AI Response]
    N --> O[Display to Developer]
    O --> P[afterAgentResponse Hook]
    P -->|AIRS Scan| Q{Verdict}
    Q -->|Clean| R[No Action]
    Q -->|Violation| S[Log + Warn]

postToolUse and afterAgentResponse are observe-only

postToolUse and afterAgentResponse fire after content is already processed or displayed. They cannot block or retract content — they scan for audit, compliance, and security alerting. See Cursor Limitation.


Capabilities

  • Prompt Scanning


    Scans every prompt before it reaches the AI agent. Detects prompt injection, DLP violations, toxicity, and custom topic policy violations.

    Detection Services

  • Response & Code Auditing


    Parses AI responses to extract code blocks separately. Natural language and code are scanned independently for audit and compliance. Observe-only — Cursor cannot block responses.

    Code Extraction

  • Tool & MCP Scanning


    Scans MCP tool inputs before execution (beforeMCPExecution, can block) and tool outputs after execution (postToolUse, observe-only). Routes by tool type: MCP → tool_event, Bash → response, Write/Edit → DLP scan.

    Architecture

  • Enforce or Observe


    Three modes: observe (log only), enforce (block on detection), bypass (skip). Start in observe mode to audit, switch to enforce when ready.

    Configuration

  • Fail-Open Design


    Never blocks the developer on infrastructure failures. Circuit breaker pattern bypasses scanning after consecutive API failures with automatic recovery.

    Circuit Breaker
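
The sketch below shows how the three modes and the fail-open circuit breaker described above can combine into one allow/block decision for a blocking hook. It is an added example, not code from prisma-airs-cursor-hooks: `FailOpenBreaker`, `decide`, `scanFn`, the `reason` strings, and the threshold and cooldown values are all hypothetical.

```javascript
// Added illustration; not the project's implementation.
// failureThreshold and cooldownMs are assumed values, not the project's defaults.
class FailOpenBreaker {
  constructor({ failureThreshold = 3, cooldownMs = 30000, now = Date.now } = {}) {
    this.failureThreshold = failureThreshold;
    this.cooldownMs = cooldownMs;
    this.now = now;        // injectable clock so the breaker can be tested offline
    this.failures = 0;     // consecutive scan failures
    this.openedAt = null;  // time at which scanning started being bypassed
  }

  // True while scanning is bypassed. Once the cooldown has elapsed the next
  // call is let through as a probe; a failed probe re-opens the breaker.
  isOpen() {
    if (this.openedAt === null) return false;
    return this.now() - this.openedAt < this.cooldownMs;
  }

  recordSuccess() { this.failures = 0; this.openedAt = null; }

  recordFailure() {
    this.failures += 1;
    if (this.failures >= this.failureThreshold) this.openedAt = this.now();
  }
}

// scanFn (hypothetical) resolves to { verdict: 'allow' | 'block' } and rejects
// on an infrastructure error such as a timeout or a 5xx from the scan API.
async function decide(mode, breaker, scanFn, content) {
  if (mode === 'bypass') return { action: 'allow', reason: 'bypass-mode' };
  if (breaker.isOpen()) return { action: 'allow', reason: 'circuit-open' };
  let result;
  try {
    result = await scanFn(content);
    breaker.recordSuccess();
  } catch (err) {
    breaker.recordFailure();
    return { action: 'allow', reason: 'scan-error' }; // fail open, never block on outage
  }
  if (result.verdict !== 'block') return { action: 'allow', reason: 'clean' };
  // Only enforce mode turns a detection into a block; observe mode logs it.
  return mode === 'enforce'
    ? { action: 'block', reason: 'detection' }
    : { action: 'allow', reason: 'observed-detection' };
}
```

Logging the `reason` on every decision matters with a fail-open design: `circuit-open` and `scan-error` entries mark windows in which content passed unscanned, which is what an alert on scanner outages should key on.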


Get Started

  • Install


    Install from npm, set environment variables, and register hooks in Cursor.

    Installation

  • Quick Start


    Get scanning in under 5 minutes.

    Quick Start

  • Configure


    Modes, enforcement actions, profiles, circuit breaker, and logging.

    Configuration

  • Architecture


    Scanning flow, module design, and key decisions.

    Architecture