Skip to main content

Scanning Flow

Prompt Scanning

Response Scanning (observe-only)

Cursor limitation

afterAgentResponse is observe-only — Cursor displays the AI response before the hook fires. The scan still runs for audit and compliance purposes, but violations cannot block or retract the response.

Code Extraction Strategy

The code extractor processes AI responses using three strategies in priority order:

  1. Fenced code blocks -- ```language ... ``` with language detection
  2. Indented code blocks -- 4+ leading spaces
  3. Heuristic fallback -- content matching code indicators (imports, function definitions, braces) above a character threshold

Extracted code is joined with \n\n---\n\n separators and sent in the code_response field, which triggers WildFire/ATP malicious code scanning on the AIRS side.

MCP Tool Scanning (beforeMCPExecution — can block)

Tool Output Scanning (postToolUse — observe-only)

Cursor limitation

postToolUse is observe-only — the tool has already executed before the hook fires. Violations are logged and warnings emitted, but tool output cannot be blocked or retracted.

Content Splitting

AIRS FieldContentDetections
promptUser's prompt text or Write/Edit contentPrompt injection, DLP, toxicity, custom topics
responseNatural language from AI response or Bash outputDLP, toxicity, URL categorization
code_responseExtracted code blocks from AI responseMalicious code (WildFire/ATP)
tool_eventMCP tool inputs and outputsPrompt injection, DLP, malicious parameters
Why split content?

Sending code separately in code_response enables dedicated malicious code detection engines (WildFire, ATP) that don't run on natural language content. This catches things like reverse shells, credential stealers, and obfuscated payloads in generated code. Similarly, tool_event is routed to a security profile tuned for tool-call patterns.