Middleware Pipeline
Airlock runs a fixed security pipeline around every tool call, plus optional per-agent middleware that can inspect, block, transform, or annotate requests and responses.
Configuration Shape
Configurable middleware lives on an agent, not at the top level:
agents:
claude-code:
allow:
- github/*
middleware:
- name: injection-detector
backend: regex
mode: escalate
- name: rate-limiter
max_requests: 100
window_ms: 60000
per: agent
- name: output-size-limiter
max_lines: 200
max_chars: 30000If middleware is omitted, Airlock enables these configurable defaults:
schema-validatoruntrusted-envelopeoutput-injection-detectorindetectmode
Set middleware: [] to run only the fixed core pipeline. To turn off one default while keeping the others, add it with enabled: false:
agents:
claude-code:
middleware:
- name: untrusted-envelope
enabled: falseEvery configurable middleware can be limited by tool glob:
agents:
claude-code:
middleware:
- name: untrusted-envelope
tools: ['github/*']
exclude: ['github/internal']Execution Order
The fixed core always runs in this order:
allowlist
-> exec-policy
-> schema-validator
-> arg-policy
-> injection-detector / sensitivity-classifier
-> sandbox
-> hitl-gate
-> executeschema-validator, injection-detector, and sensitivity-classifier run in the core zone even though they are configurable. Other configurable middleware wraps the core pipeline, so it can inspect the request before execution and the response on the way back.
Core-Zone Middleware
Schema Validator
Validates tool arguments against the tool's JSON Schema using Ajv. Malformed calls are rejected before execution.
agents:
claude-code:
middleware:
- name: schema-validatorInjection Detector
Scans tool arguments, and also scans responses after execution, for prompt injection patterns.
Backends:
regex(default) - local pattern matchingdeberta- sends text to a DeBERTa inference server
Modes:
detect- log and audit detectionsmangle- redact matched response textescalate- require approval when arguments look injected
agents:
claude-code:
middleware:
- name: injection-detector
backend: regex
mode: escalate
threshold: 0.8Sensitivity Classifier
Detects PII and sensitive data in arguments and responses. Argument detections can escalate to approval.
Backends:
heuristic(default) - regex and weighted scoringllm- calls a model through the AI SDK
agents:
claude-code:
middleware:
- name: sensitivity-classifier
backend: heuristic
mode: escalate
threshold: 0.7Wrapping Middleware
Rate Limiter
Sliding-window rate limiter. Limits can be per agent or per tool.
agents:
claude-code:
middleware:
- name: rate-limiter
max_requests: 100
window_ms: 60000
per: agentUntrusted Envelope
Wraps tool responses in randomized untrusted-output tags so untrusted content cannot reliably terminate the envelope.
agents:
claude-code:
middleware:
- name: untrusted-envelopeOutput Injection Detector
Scans tool responses for prompt injection attempts before they reach the agent.
Modes:
detect- log and audit detectionsmangle- replace matched text with[REDACTED: suspected injection]
agents:
claude-code:
middleware:
- name: output-injection-detector
mode: mangleStrip Query Params
Strips query parameters from http/get and http/head URLs. This middleware is not enabled by default; add it when you want read-only HTTP calls to avoid query string exfiltration.
agents:
claude-code:
middleware:
- name: strip-query-paramsCanary Token Injector
Injects short-lived canary markers into tool outputs. If a later tool call contains one of those markers in its arguments, Airlock audits the leak and, by default, marks the call as needing approval.
agents:
claude-code:
middleware:
- name: canary-token-injector
mode: escalateUse mode: detect to audit canary leaks without escalating.
Output Size Limiter
Truncates large outputs to avoid context-window exhaustion. The response marks that it was truncated and includes the path to the full output.
agents:
claude-code:
middleware:
- name: output-size-limiter
max_lines: 200
max_chars: 30000Output Summarizer
For responses over a character threshold, calls a model through the AI SDK to summarize before passing content to the agent. If summarization fails, Airlock falls back to the original response.
agents:
claude-code:
middleware:
- name: output-summarizer
model: claude-haiku-4-5-20251001
threshold_chars: 10000Audit Visibility
Middleware detections are logged alongside normal audit entries. Injection detection, sensitivity classification, output injection detection, and canary leak detection all write audit records when they flag something.