Configuration Reference
Complete reference for airs-config.json.
Fields
endpoint
- Type:
string - Default:
https://service.api.aisecurity.paloaltonetworks.com - Description: AIRS Sync API base URL. Supports
${PRISMA_AIRS_API_ENDPOINT}env var reference.
apiKeyEnvVar
- Type:
string - Default:
PRISMA_AIRS_API_KEY - Description: Name of the environment variable containing the
x-pan-tokenAPI key.
profiles
- Type:
{ prompt: string, response: string, tool?: string } - Description: AIRS security profile names for prompt, response, and tool scanning. All three default to
PRISMA_AIRS_PROFILE_NAME(orCursor IDE - Hooksif unset). Use per-direction env vars only when you need different profiles for different scan types.
| Field | Env Var (override) | Fallback |
|---|---|---|
profiles.prompt | PRISMA_AIRS_PROMPT_PROFILE | PRISMA_AIRS_PROFILE_NAME → Cursor IDE - Hooks |
profiles.response | PRISMA_AIRS_RESPONSE_PROFILE | PRISMA_AIRS_PROFILE_NAME → Cursor IDE - Hooks |
profiles.tool | PRISMA_AIRS_TOOL_PROFILE | PRISMA_AIRS_PROFILE_NAME → Cursor IDE - Hooks |
mode
- Type:
"observe" | "enforce" | "bypass" - Description: Scanning mode. See Modes.
timeout_ms
- Type:
number - Description: AIRS API request timeout in milliseconds.
- Validation: Must be a positive number.
retry
{
"enabled": true,
"max_attempts": 1,
"backoff_base_ms": 200
}
| Field | Type | Description |
|---|---|---|
enabled | boolean | Enable retry on transient failures |
max_attempts | number | Maximum retry attempts |
backoff_base_ms | number | Base delay for exponential backoff |
logging
{
"path": "~/.cursor/hooks/airs-scan.log",
"include_content": false
}
| Field | Type | Description |
|---|---|---|
path | string | Log file path (~ resolved to home dir at runtime) |
include_content | boolean | Include prompt/response text in logs |
enforcement
Per-detection-service enforcement actions. See Detection Services.
{
"prompt_injection": "block",
"dlp": "block",
"malicious_code": "block",
"url_categorization": "block",
"toxicity": "block",
"custom_topic": "block"
}
Valid values: "block", "mask", "allow".
circuit_breaker
{
"enabled": true,
"failure_threshold": 5,
"cooldown_ms": 60000
}
See Circuit Breaker.
content_limits
{
"max_scan_bytes": 51200,
"truncate_bytes": 20480
}
| Field | Type | Default | Description |
|---|---|---|---|
max_scan_bytes | number | 51200 (50KB) | Inputs larger than this are skipped entirely (fail-open) |
truncate_bytes | number | 20480 (20KB) | Inputs above this threshold are truncated before scanning |
Applies to all scan paths including beforeSubmitPrompt, beforeMCPExecution, postToolUse, and afterAgentResponse. Prevents excessive latency and API errors for large tool outputs, Bash results, or multi-file reads.
sanitize_mcp_output
{
"sanitize_mcp_output": true
}
| Field | Type | Default | Description |
|---|---|---|---|
sanitize_mcp_output | boolean | false | In enforce mode, replace flagged MCP tool output with a redaction notice via Cursor's updated_mcp_tool_output so the flagged content never reaches the model. Non-MCP tools are unaffected (Cursor only supports output replacement for MCP tools). |