Environment Variables Reference
This page consolidates the environment variables a self-hosted operator uses to tune AxonFlow's built-in governance baseline. It complements the two conceptual guides:
- Governance Profiles — the
AXONFLOW_PROFILE/AXONFLOW_ENFORCEmodel. - Configuring System Policies — the per-surface action model.
Read those first for the "why"; use this page as the "what" — one table per group, with values, defaults, and editions.
How the levers combine
From highest priority to lowest, the effective action for a category is resolved as:
per-surface explicit var (MCP_*, GATEWAY_*)
-> global explicit var (PII_ACTION, SQLI_ACTION, ...)
-> AXONFLOW_ENFORCE per-category opt-in
-> AXONFLOW_PROFILE built-in posture
-> built-in default (equivalent to AXONFLOW_PROFILE=default)
An explicit *_ACTION variable always wins over a profile. Setting MCP_PII_ACTION=log with a global PII_ACTION=block means MCP flows log PII while gateway flows still block it.
Action values
Every *_ACTION variable accepts one of:
| Value | Effect |
|---|---|
block | request rejected with 403; decision recorded in the audit trail |
warn | request flows through unchanged; detection surfaced to the caller and recorded |
redact | detected content masked in the response with a category tag (e.g. [REDACTED:ssn]); PII only |
log | detection recorded in the audit trail only; no change to the response |
An unrecognized value falls back to the base configuration for that category rather than silently disabling it.
Enforcement profile
| Variable | Values | Default | Edition | Purpose |
|---|---|---|---|---|
AXONFLOW_PROFILE | dev, default, strict, compliance | default | Community | Pick a whole-posture preset without tuning individual *_ACTION vars. See the profile matrix. |
AXONFLOW_ENFORCE | comma list of pii, sqli, sensitive_data, high_risk, dangerous_queries, dangerous_commands, or the sentinels all / none | unset | Community | Flip individual categories to block on top of the active profile. An unknown token is a fatal startup error. |
The resolved posture is logged at agent and orchestrator startup ([Profile] agent active:).
Global detection actions
Applied to every surface unless a per-surface override is set.
The Default column below is the built-in default profile value for that category. dev, strict, and compliance shift several of them (see the profile matrix).
| Variable | Values | Default (default profile) | Edition | Governs |
|---|---|---|---|---|
PII_ACTION | action values | warn | Community | PII patterns (email, phone, national IDs) |
SQLI_ACTION | action values | warn | Community | SQL injection patterns |
DANGEROUS_QUERY_ACTION | action values | block | Community | destructive SQL statements (DROP, TRUNCATE) |
DANGEROUS_COMMAND_ACTION | action values | block | Community | dangerous shell commands and SSRF fetches (rm -rf, reverse shells, download-and-execute pipelines) |
SENSITIVE_DATA_ACTION | action values | warn | Community | secrets and credential-like content |
HIGH_RISK_ACTION | action values | warn | Community | high-risk aggregate category |
To mask PII rather than warn, set PII_ACTION=redact explicitly, or pick a stricter profile (strict / compliance block PII). The redact action applies to PII only.
MCP surface
Connector and SQL-style data-access flows.
| Variable | Values | Default | Edition | Purpose |
|---|---|---|---|---|
MCP_STATIC_POLICIES_ENABLED | true, false | true | Community | master switch for MCP-side static system-policy evaluation |
MCP_PII_ACTION | action values | inherits global | Community | PII action for MCP flows |
MCP_SQLI_ACTION | action values | inherits global | Community | SQL injection action for MCP flows |
MCP_DANGEROUS_QUERY_ACTION | action values | inherits global | Community | destructive-SQL action for MCP flows |
MCP_DANGEROUS_COMMAND_ACTION | action values | inherits global | Community | dangerous-shell-command action for MCP flows |
MCP_STATIC_POLICIES_SKIP_CATEGORIES | comma list of categories | unset | Community | suppress specific system-policy categories on MCP flows |
Gateway / proxy surface
Governed LLM requests through the Agent.
| Variable | Values | Default | Edition | Purpose |
|---|---|---|---|---|
GATEWAY_STATIC_POLICIES_ENABLED | true, false | true | Community | master switch for gateway-side static system-policy evaluation |
GATEWAY_PII_ACTION | action values | inherits global | Community | PII action for gateway/proxy flows |
GATEWAY_SQLI_ACTION | action values | inherits global | Community | SQL injection action for gateway/proxy flows |
GATEWAY_DANGEROUS_QUERY_ACTION | action values | inherits global | Community | destructive-SQL action for gateway/proxy flows |
GATEWAY_DANGEROUS_COMMAND_ACTION | action values | inherits global | Community | dangerous-shell-command action for gateway/proxy flows |
GATEWAY_STATIC_POLICIES_SKIP_CATEGORIES | comma list of categories | unset | Community | suppress specific system-policy categories on gateway/proxy flows |
Skip categories
The *_STATIC_POLICIES_SKIP_CATEGORIES variables accept a comma-separated list of these category names:
| Category | Covers |
|---|---|
pii-global | global PII (email, phone) |
pii-us | US-specific PII |
pii-india | India-specific PII |
pii-eu | EU-oriented PII |
pii-singapore | Singapore-specific PII |
pii-indonesia | Indonesia-specific PII (KTP/NIK) |
security-sqli | SQL injection detection |
sensitive-data | secrets and credential-like content |
security-admin | admin-table / schema access control |
security-dangerous | dangerous commands and indirect prompt-injection guards |
Capability-scoped evaluation
Execution-class detectors (SQL injection, dangerous commands) do not evaluate tools that AxonFlow classifies as text-document tools — for example a documentation editing tool whose input is prose, not executable statements. Content-borne detectors (all PII, prompt-injection guards) still evaluate everywhere. Classification happens server-side against a built-in registry; the tool name is never trusted from an unauthenticated caller.
| Variable | Values | Default | Edition | Purpose |
|---|---|---|---|---|
AXONFLOW_CAPABILITY_SCOPING_DISABLED | true, false | false | Community | set true to restore full evaluation on every tool (only ever widens evaluation) |
AXONFLOW_TEXT_DOCUMENT_TOOLS | comma list of tool names | unset | Enterprise | extend the built-in text-document registry with additional tool names |
Temporary false-positive posture
If detection is blocking legitimate documentation traffic while you validate a fix, you can relax the execution-class categories to warn while keeping PII masked by pinning PII_ACTION=redact (so the relaxation never widens PII exposure):
# Relax the execution-class detectors to warn during validation,
# and mask PII regardless.
SQLI_ACTION=warn
DANGEROUS_QUERY_ACTION=warn
DANGEROUS_COMMAND_ACTION=warn
PII_ACTION=redact
Scope it to one surface (for example only MCP flows) with the MCP_* variants so gateway/proxy traffic keeps the stricter posture. This is a stopgap — the durable fix is capability-scoped evaluation, which removes documentation tools from the execution-class detectors without lowering the posture for real data-access flows.
