Configuring Static Policies
AxonFlow ships with 73+ built-in static policies covering PII detection, SQL injection, dangerous queries, and sensitive data patterns. By default, these policies are enforced on all modes (MCP, Gateway/Proxy) with sensible defaults.
This guide covers how to configure policy behavior per mode using environment variables.
Overview
AxonFlow supports three operational modes. MCP and Gateway are configured independently; Proxy is an alias for Gateway and shares its configuration:
| Mode | Description | Config prefix |
|---|---|---|
| MCP | Model Context Protocol — database queries and tool executions | MCP_* |
| Gateway | LLM proxy — request/response scanning for LLM calls | GATEWAY_* |
| Proxy | Alias for Gateway (same config applies) | GATEWAY_* |
Default Behavior
With no configuration, all static policies are active:
| Category | Default Action | Description |
|---|---|---|
| PII (all regions) | redact | Replaces PII with placeholder tokens |
| SQL Injection | block | Blocks the request entirely |
| Dangerous Queries | block | Blocks DROP, TRUNCATE, etc. |
| Sensitive Data | warn | Logs a warning, allows the request |
| High Risk | warn | Logs a warning, allows the request |
Global Configuration
Set global defaults that apply to all modes:
# .env or docker-compose environment
PII_ACTION=redact # block | warn | redact | log
SQLI_ACTION=block # block | warn | log
DANGEROUS_QUERY_ACTION=block # block | warn | log
SENSITIVE_DATA_ACTION=warn # block | warn | log
HIGH_RISK_ACTION=warn # block | warn | log
Per-Mode Configuration
Override global defaults for a specific mode. Mode-specific values take precedence over global values.
MCP Mode
# Enable/disable all static policy evaluation on MCP
MCP_STATIC_POLICIES_ENABLED=true # default: true
# Override actions for MCP only
MCP_PII_ACTION=log # default: inherits PII_ACTION
MCP_SQLI_ACTION=warn # default: inherits SQLI_ACTION
MCP_DANGEROUS_QUERY_ACTION=warn # default: inherits DANGEROUS_QUERY_ACTION
# Skip specific policy categories on MCP
MCP_STATIC_POLICIES_SKIP_CATEGORIES=pii-global,pii-us
Gateway Mode
# Enable/disable all static policy evaluation on Gateway
GATEWAY_STATIC_POLICIES_ENABLED=true # default: true
# Override actions for Gateway only
GATEWAY_PII_ACTION=block # default: inherits PII_ACTION
GATEWAY_SQLI_ACTION=block # default: inherits SQLI_ACTION
# Skip specific policy categories on Gateway
GATEWAY_STATIC_POLICIES_SKIP_CATEGORIES=pii-india
Precedence
Environment variable precedence (highest to lowest):
Mode-specific (MCP_PII_ACTION, GATEWAY_PII_ACTION)
→ Global (PII_ACTION)
→ Engine default (redact for PII, block for SQLi)
Example
PII_ACTION=block # Global: block PII in all modes
MCP_PII_ACTION=log # Override: only log PII on MCP
# Result: MCP logs PII, Gateway blocks PII
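The precedence above is easy to get wrong in a deployment script, and a typo such as SQLI_ACTION=redact (an action only PII supports) should fail loudly rather than silently fall back. The following Go program is an added example written for this page, not AxonFlow's own resolver; it applies the documented precedence (mode-specific, then global, then engine default), validates each value against the allowed actions and the documented skip categories, and lints the result for settings that weaken enforcement. The Resolve and Lint functions, the oneOf helper, the lint rules, and the use of strconv.ParseBool for the *_STATIC_POLICIES_ENABLED flag are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Added example, not AxonFlow's own code: resolves mode-specific > global > engine default.
// Allowed actions per category; only PII supports "redact".
var allowedActions = map[string]string{"PII": "block warn redact log", "SQLI": "block warn log",
	"DANGEROUS_QUERY": "block warn log", "SENSITIVE_DATA": "block warn log", "HIGH_RISK": "block warn log"}

// Engine defaults from the "Default Behavior" table.
var engineDefaults = map[string]string{"PII": "redact", "SQLI": "block",
	"DANGEROUS_QUERY": "block", "SENSITIVE_DATA": "warn", "HIGH_RISK": "warn"}

// Documented values for *_STATIC_POLICIES_SKIP_CATEGORIES.
const knownCategories = "pii-global pii-us pii-india pii-eu pii-singapore " +
	"security-sqli security-admin sensitive-data code-secrets code-unsafe code-compliance"

// oneOf reports whether word is exactly one entry of a space-separated list.
func oneOf(list, word string) bool {
	return word != "" && !strings.Contains(word, " ") && strings.Contains(" "+list+" ", " "+word+" ")
}

// ModeConfig is the effective static-policy configuration for one mode.
type ModeConfig struct {
	Mode    string            // "MCP" or "GATEWAY" (PROXY resolves to GATEWAY)
	Enabled bool              // <MODE>_STATIC_POLICIES_ENABLED
	Actions map[string]string // category -> effective action
	Skip    []string          // <MODE>_STATIC_POLICIES_SKIP_CATEGORIES, parsed
}

// Resolve builds the config for mode from env, a lookup shaped like os.LookupEnv
// so the resolver can be exercised without touching the process environment.
func Resolve(mode string, env func(string) (string, bool)) (ModeConfig, error) {
	mode = strings.ToUpper(mode)
	if mode == "PROXY" {
		mode = "GATEWAY" // Proxy is an alias for Gateway; the same config applies
	}
	cfg := ModeConfig{Mode: mode, Enabled: true, Actions: map[string]string{}}
	var err error
	if v, ok := env(mode + "_STATIC_POLICIES_ENABLED"); ok {
		if cfg.Enabled, err = strconv.ParseBool(strings.TrimSpace(v)); err != nil { // assumption: Go bool syntax
			return cfg, fmt.Errorf("%s_STATIC_POLICIES_ENABLED: %w", mode, err)
		}
	}
	for cat, def := range engineDefaults {
		val, src := def, "engine default"
		if v, ok := env(cat + "_ACTION"); ok { // global override
			val, src = v, cat+"_ACTION"
		}
		if v, ok := env(mode + "_" + cat + "_ACTION"); ok { // mode-specific wins
			val, src = v, mode+"_"+cat+"_ACTION"
		}
		val = strings.ToLower(strings.TrimSpace(val))
		if !oneOf(allowedActions[cat], val) {
			return cfg, fmt.Errorf("%s=%q is not valid (allowed: %s)", src, val, allowedActions[cat])
		}
		cfg.Actions[cat] = val
	}
	if v, ok := env(mode + "_STATIC_POLICIES_SKIP_CATEGORIES"); ok {
		for _, c := range strings.Split(v, ",") {
			if c = strings.TrimSpace(c); c == "" {
				continue
			}
			if !oneOf(knownCategories, c) {
				return cfg, fmt.Errorf("%s_STATIC_POLICIES_SKIP_CATEGORIES: unknown category %q", mode, c)
			}
			cfg.Skip = append(cfg.Skip, c)
		}
	}
	return cfg, nil
}

// Lint flags settings that weaken enforcement; these rules are this example's own.
func Lint(cfg ModeConfig) []string {
	var out []string
	if !cfg.Enabled {
		out = append(out, cfg.Mode+": static policies disabled, SQLi and dangerous-query blocking are off")
	}
	if a := cfg.Actions["SQLI"]; a != "block" {
		out = append(out, cfg.Mode+": SQLI_ACTION="+a+" lets injection attempts through")
	}
	for _, c := range cfg.Skip {
		if strings.HasPrefix(c, "security-") {
			out = append(out, cfg.Mode+": skipping "+c+" disables a security category, not a PII region")
		}
	}
	return out
}

func main() {
	// Constructed environment mirroring the Precedence example above.
	env := map[string]string{"PII_ACTION": "block", "MCP_PII_ACTION": "log", "MCP_SQLI_ACTION": "warn"}
	for _, m := range []string{"MCP", "GATEWAY"} {
		cfg, err := Resolve(m, func(k string) (string, bool) { v, ok := env[k]; return v, ok })
		fmt.Println(cfg.Mode, cfg.Actions, cfg.Skip, Lint(cfg), err)
	}
}
```

Running it with the constructed environment resolves MCP to PII=log, SQLi=warn and Gateway to PII=block, SQLi=block, and Lint reports the relaxed MCP SQLi setting. Wiring the same lookup to os.LookupEnv turns it into a pre-deployment check that refuses to start on an invalid or unknown value instead of inheriting a default you did not intend.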
Common Configurations
Development: Disable PII redaction on MCP
Useful when testing MCP queries locally and you don't want PII redacted from results. Use this only for local development: with log, PII is still detected and logged but passes through unredacted to whatever consumes the MCP result.
MCP_PII_ACTION=log
Strict mode: Block everything
Block all policy violations instead of redacting or warning:
PII_ACTION=block
SQLI_ACTION=block
DANGEROUS_QUERY_ACTION=block
SENSITIVE_DATA_ACTION=block
HIGH_RISK_ACTION=block
MCP-only governance bypass
Disable static policies on MCP entirely (dynamic/tenant policies still apply). Note that this turns off every static category on MCP, including SQL injection and dangerous-query blocking, not just PII handling:
MCP_STATIC_POLICIES_ENABLED=false
Different PII handling per mode
Redact PII on Gateway (user-facing), but only log on MCP (internal data pipelines):
GATEWAY_PII_ACTION=redact
MCP_PII_ACTION=log
Skip regional PII categories
If your deployment doesn't handle Indian PII, skip those patterns:
MCP_STATIC_POLICIES_SKIP_CATEGORIES=pii-india
GATEWAY_STATIC_POLICIES_SKIP_CATEGORIES=pii-india
Policy Categories
Available categories for *_SKIP_CATEGORIES:
| Category | Description |
|---|---|
| pii-global | Global PII patterns (email, phone, credit card) |
| pii-us | US-specific PII (SSN, driver's license) |
| pii-india | India PII (Aadhaar, PAN, UPI) |
| pii-eu | EU PII (IBAN, VAT, national IDs) |
| pii-singapore | Singapore PII (NRIC, FIN, UEN) |
| security-sqli | SQL injection patterns |
| security-admin | Admin table/schema access (users, audit_log, config, information_schema) |
| sensitive-data | API keys, tokens, secrets |
| code-secrets | Hardcoded secrets and credentials in code |
| code-unsafe | Unsafe code patterns |
| code-compliance | Code compliance violations |
Docker Compose Example
services:
  axonflow-agent:
    image: getaxonflow/axonflow-agent:latest
    environment:
      # Global defaults
      PII_ACTION: redact
      SQLI_ACTION: block
      # MCP: relaxed for internal data pipelines
      MCP_PII_ACTION: log
      MCP_SQLI_ACTION: warn
      # Gateway: strict for user-facing LLM calls
      GATEWAY_PII_ACTION: redact
      GATEWAY_SQLI_ACTION: block
Enterprise Features
Enterprise edition adds:
| Feature | Description |
|---|---|
| Per-connector scoping | MCP_STATIC_POLICIES_CONNECTORS=postgres,mysql — limit policy evaluation to specific connectors |
| Per-policy API overrides | Override action/enabled per individual policy via API |
| Organization-level inheritance | Policies cascade from tenant to organization level |
Per-connector scoping uses the MCP_STATIC_POLICIES_CONNECTORS env var (comma-separated list of connector names). When set, static policies only evaluate on queries to those connectors. In Community edition, setting this variable logs a warning and the value is ignored.
Verifying Configuration
Check the agent logs on startup for the active configuration:
[Detection] Configuration: PII=redact SQLi=block DangerousQuery=block ...
[PolicyEngine] Initialized with TTL=5m0s, validators=true, graceful=true
For MCP-specific config:
[Detection] MCP Configuration: Enabled=true PII=log SQLi=warn ...
For Gateway-specific config:
[Detection] Gateway Configuration: Enabled=true PII=redact SQLi=block ...
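Reading these lines by eye works once; in a pipeline you want the effective configuration checked automatically after every deploy, because a mode-specific override can quietly relax what the global line shows. The following Go program is an added example for this page, not AxonFlow's own tooling: it parses the "[Detection] ... Configuration:" lines into a mode-keyed map of key=value settings and flags modes whose enforcement is weaker than expected. The ParseDetectionLog and Weak functions, the expectation that SQLi is blocked and PII is redacted or blocked, and the sample log lines are this example's assumptions; the log format itself is the one quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not AxonFlow's code: parse the "[Detection] ... Configuration:" startup lines
// into mode -> key -> value, then flag modes whose enforcement is weaker than intended.

// ParseDetectionLog keys settings by mode: "global" for the unprefixed line, else "MCP"/"Gateway".
func ParseDetectionLog(lines []string) map[string]map[string]string {
	out := map[string]map[string]string{}
	for _, line := range lines {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "[Detection] ") {
			continue // e.g. the [PolicyEngine] line
		}
		parts := strings.SplitN(strings.TrimPrefix(line, "[Detection] "), "Configuration:", 2)
		if len(parts) != 2 {
			continue
		}
		mode := strings.TrimSpace(parts[0])
		if mode == "" {
			mode = "global"
		}
		kv := map[string]string{}
		for _, tok := range strings.Fields(parts[1]) {
			if k, v, ok := strings.Cut(tok, "="); ok { // the trailing "..." has no '=' and is skipped
				kv[k] = v
			}
		}
		out[mode] = kv
	}
	return out
}

// Weak lists findings for one mode; the expectations are this example's own:
// engine enabled, SQLi blocked, PII redacted or blocked. Missing keys are not findings.
func Weak(mode string, kv map[string]string) []string {
	var f []string
	if kv["Enabled"] == "false" {
		f = append(f, mode+": static policies disabled")
	}
	if v := kv["SQLi"]; v != "" && v != "block" {
		f = append(f, mode+": SQLi="+v)
	}
	if v := kv["PII"]; v != "" && v != "redact" && v != "block" {
		f = append(f, mode+": PII="+v)
	}
	return f
}

func main() {
	// Constructed startup log, matching the lines quoted in "Verifying Configuration".
	log := []string{
		"[Detection] Configuration: PII=redact SQLi=block DangerousQuery=block ...",
		"[PolicyEngine] Initialized with TTL=5m0s, validators=true, graceful=true",
		"[Detection] MCP Configuration: Enabled=true PII=log SQLi=warn ...",
		"[Detection] Gateway Configuration: Enabled=true PII=redact SQLi=block ...",
	}
	for mode, kv := range ParseDetectionLog(log) {
		for _, w := range Weak(mode, kv) {
			fmt.Println("finding:", w)
		}
	}
}
```

On the constructed log the global and Gateway lines pass while MCP is reported for PII=log and SQLi=warn, which is exactly the relaxed internal-pipeline setup from the Docker Compose example; feed it the real agent output (for example, the first few lines of the container log after startup) and fail the deploy when any finding appears for a user-facing mode.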
Related
- Self-Hosted Deployment — Full deployment guide with env var reference
- Community vs Enterprise — Feature comparison matrix
- SQL Injection Scanning — SQLi scanner configuration
