Skip to main content

Configuration Reference

Complete reference for airs-config.json.

Fields

endpoint

  • Type: string
  • Default: https://service.api.aisecurity.paloaltonetworks.com
  • Description: AIRS Sync API base URL. Supports ${PRISMA_AIRS_API_ENDPOINT} env var reference.

apiKeyEnvVar

  • Type: string
  • Default: PRISMA_AIRS_API_KEY
  • Description: Name of the environment variable containing the x-pan-token API key.

profiles

  • Type: { prompt: string, response: string, tool?: string }
  • Description: AIRS security profile names for prompt, response, and tool scanning. All three default to PRISMA_AIRS_PROFILE_NAME (or Cursor IDE - Hooks if unset). Use per-direction env vars only when you need different profiles for different scan types.
FieldEnv Var (override)Fallback
profiles.promptPRISMA_AIRS_PROMPT_PROFILEPRISMA_AIRS_PROFILE_NAMECursor IDE - Hooks
profiles.responsePRISMA_AIRS_RESPONSE_PROFILEPRISMA_AIRS_PROFILE_NAMECursor IDE - Hooks
profiles.toolPRISMA_AIRS_TOOL_PROFILEPRISMA_AIRS_PROFILE_NAMECursor IDE - Hooks

mode

  • Type: "observe" | "enforce" | "bypass"
  • Description: Scanning mode. See Modes.

timeout_ms

  • Type: number
  • Description: AIRS API request timeout in milliseconds.
  • Validation: Must be a positive number.

retry

{
"enabled": true,
"max_attempts": 1,
"backoff_base_ms": 200
}
FieldTypeDescription
enabledbooleanEnable retry on transient failures
max_attemptsnumberMaximum retry attempts
backoff_base_msnumberBase delay for exponential backoff

logging

{
"path": "~/.cursor/hooks/airs-scan.log",
"include_content": false
}
FieldTypeDescription
pathstringLog file path (~ resolved to home dir at runtime)
include_contentbooleanInclude prompt/response text in logs

enforcement

Per-detection-service enforcement actions. See Detection Services.

{
"prompt_injection": "block",
"dlp": "block",
"malicious_code": "block",
"url_categorization": "block",
"toxicity": "block",
"custom_topic": "block"
}

Valid values: "block", "mask", "allow".

circuit_breaker

{
"enabled": true,
"failure_threshold": 5,
"cooldown_ms": 60000
}

See Circuit Breaker.

content_limits

{
"max_scan_bytes": 51200,
"truncate_bytes": 20480
}
FieldTypeDefaultDescription
max_scan_bytesnumber51200 (50KB)Inputs larger than this are skipped entirely (fail-open)
truncate_bytesnumber20480 (20KB)Inputs above this threshold are truncated before scanning

Applies to all scan paths including beforeSubmitPrompt, beforeMCPExecution, postToolUse, and afterAgentResponse. Prevents excessive latency and API errors for large tool outputs, Bash results, or multi-file reads.

sanitize_mcp_output

{
"sanitize_mcp_output": true
}
FieldTypeDefaultDescription
sanitize_mcp_outputbooleanfalseIn enforce mode, replace flagged MCP tool output with a redaction notice via Cursor's updated_mcp_tool_output so the flagged content never reaches the model. Non-MCP tools are unaffected (Cursor only supports output replacement for MCP tools).

See Optional Hooks → MCP output sanitization.