Skip to main content

Environment Variables Reference

This page consolidates the environment variables a self-hosted operator uses to tune AxonFlow's built-in governance baseline. It complements the two conceptual guides:

Read those first for the "why"; use this page as the "what" — one table per group, with values, defaults, and editions.

How the levers combine

From highest priority to lowest, the effective action for a category is resolved as:

per-surface explicit var (MCP_*, GATEWAY_*)
-> global explicit var (PII_ACTION, SQLI_ACTION, ...)
-> AXONFLOW_ENFORCE per-category opt-in
-> AXONFLOW_PROFILE built-in posture
-> built-in default (equivalent to AXONFLOW_PROFILE=default)

An explicit *_ACTION variable always wins over a profile. Setting MCP_PII_ACTION=log with a global PII_ACTION=block means MCP flows log PII while gateway flows still block it.

Action values

Every *_ACTION variable accepts one of:

ValueEffect
blockrequest rejected with 403; decision recorded in the audit trail
warnrequest flows through unchanged; detection surfaced to the caller and recorded
redactdetected content masked in the response with a category tag (e.g. [REDACTED:ssn]); PII only
logdetection recorded in the audit trail only; no change to the response

An unrecognized value falls back to the base configuration for that category rather than silently disabling it.

Enforcement profile

VariableValuesDefaultEditionPurpose
AXONFLOW_PROFILEdev, default, strict, compliancedefaultCommunityPick a whole-posture preset without tuning individual *_ACTION vars. See the profile matrix.
AXONFLOW_ENFORCEcomma list of pii, sqli, sensitive_data, high_risk, dangerous_queries, dangerous_commands, or the sentinels all / noneunsetCommunityFlip individual categories to block on top of the active profile. An unknown token is a fatal startup error.

The resolved posture is logged at agent and orchestrator startup ([Profile] agent active:).

Global detection actions

Applied to every surface unless a per-surface override is set.

The Default column below is the built-in default profile value for that category. dev, strict, and compliance shift several of them (see the profile matrix).

VariableValuesDefault (default profile)EditionGoverns
PII_ACTIONaction valueswarnCommunityPII patterns (email, phone, national IDs)
SQLI_ACTIONaction valueswarnCommunitySQL injection patterns
DANGEROUS_QUERY_ACTIONaction valuesblockCommunitydestructive SQL statements (DROP, TRUNCATE)
DANGEROUS_COMMAND_ACTIONaction valuesblockCommunitydangerous shell commands and SSRF fetches (rm -rf, reverse shells, download-and-execute pipelines)
SENSITIVE_DATA_ACTIONaction valueswarnCommunitysecrets and credential-like content
HIGH_RISK_ACTIONaction valueswarnCommunityhigh-risk aggregate category
note

To mask PII rather than warn, set PII_ACTION=redact explicitly, or pick a stricter profile (strict / compliance block PII). The redact action applies to PII only.

MCP surface

Connector and SQL-style data-access flows.

VariableValuesDefaultEditionPurpose
MCP_STATIC_POLICIES_ENABLEDtrue, falsetrueCommunitymaster switch for MCP-side static system-policy evaluation
MCP_PII_ACTIONaction valuesinherits globalCommunityPII action for MCP flows
MCP_SQLI_ACTIONaction valuesinherits globalCommunitySQL injection action for MCP flows
MCP_DANGEROUS_QUERY_ACTIONaction valuesinherits globalCommunitydestructive-SQL action for MCP flows
MCP_DANGEROUS_COMMAND_ACTIONaction valuesinherits globalCommunitydangerous-shell-command action for MCP flows
MCP_STATIC_POLICIES_SKIP_CATEGORIEScomma list of categoriesunsetCommunitysuppress specific system-policy categories on MCP flows

Gateway / proxy surface

Governed LLM requests through the Agent.

VariableValuesDefaultEditionPurpose
GATEWAY_STATIC_POLICIES_ENABLEDtrue, falsetrueCommunitymaster switch for gateway-side static system-policy evaluation
GATEWAY_PII_ACTIONaction valuesinherits globalCommunityPII action for gateway/proxy flows
GATEWAY_SQLI_ACTIONaction valuesinherits globalCommunitySQL injection action for gateway/proxy flows
GATEWAY_DANGEROUS_QUERY_ACTIONaction valuesinherits globalCommunitydestructive-SQL action for gateway/proxy flows
GATEWAY_DANGEROUS_COMMAND_ACTIONaction valuesinherits globalCommunitydangerous-shell-command action for gateway/proxy flows
GATEWAY_STATIC_POLICIES_SKIP_CATEGORIEScomma list of categoriesunsetCommunitysuppress specific system-policy categories on gateway/proxy flows

Skip categories

The *_STATIC_POLICIES_SKIP_CATEGORIES variables accept a comma-separated list of these category names:

CategoryCovers
pii-globalglobal PII (email, phone)
pii-usUS-specific PII
pii-indiaIndia-specific PII
pii-euEU-oriented PII
pii-singaporeSingapore-specific PII
pii-indonesiaIndonesia-specific PII (KTP/NIK)
security-sqliSQL injection detection
sensitive-datasecrets and credential-like content
security-adminadmin-table / schema access control
security-dangerousdangerous commands and indirect prompt-injection guards

Capability-scoped evaluation

Execution-class detectors (SQL injection, dangerous commands) do not evaluate tools that AxonFlow classifies as text-document tools — for example a documentation editing tool whose input is prose, not executable statements. Content-borne detectors (all PII, prompt-injection guards) still evaluate everywhere. Classification happens server-side against a built-in registry; the tool name is never trusted from an unauthenticated caller.

VariableValuesDefaultEditionPurpose
AXONFLOW_CAPABILITY_SCOPING_DISABLEDtrue, falsefalseCommunityset true to restore full evaluation on every tool (only ever widens evaluation)
AXONFLOW_TEXT_DOCUMENT_TOOLScomma list of tool namesunsetEnterpriseextend the built-in text-document registry with additional tool names

Temporary false-positive posture

If detection is blocking legitimate documentation traffic while you validate a fix, you can relax the execution-class categories to warn while keeping PII masked by pinning PII_ACTION=redact (so the relaxation never widens PII exposure):

# Relax the execution-class detectors to warn during validation,
# and mask PII regardless.
SQLI_ACTION=warn
DANGEROUS_QUERY_ACTION=warn
DANGEROUS_COMMAND_ACTION=warn
PII_ACTION=redact

Scope it to one surface (for example only MCP flows) with the MCP_* variants so gateway/proxy traffic keeps the stricter posture. This is a stopgap — the durable fix is capability-scoped evaluation, which removes documentation tools from the execution-class detectors without lowering the posture for real data-access flows.