npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
MITRE ATLAS
MITRE D3FEND
When to Use
- Deploying a new LLM-powered application that processes user input and needs input/output safety controls
- Adding content policy enforcement to an existing chatbot or AI agent to comply with organizational policies
- Implementing PII detection and redaction in LLM pipelines handling sensitive customer data
- Building topic-restricted AI assistants that must refuse off-topic or disallowed queries
- Validating that LLM responses conform to expected schemas before they reach downstream systems or users
- Protecting RAG pipelines from indirect prompt injection in retrieved documents
Do not use as a replacement for proper authentication, authorization, and network security controls. Guardrails are a defense-in-depth layer, not a perimeter defense. Not suitable for real-time content moderation of user-to-user communication without LLM involvement.
Prerequisites
- Python 3.10+ with pip for installing guardrail dependencies
- An OpenAI API key or local LLM endpoint for NeMo Guardrails self-check rails (set as
OPENAI_API_KEYenvironment variable) - The
nemoguardrailspackage for Colang-based guardrail definitions - The
guardrails-aipackage for structured output validation (optional, for JSON schema enforcement) - Familiarity with YAML configuration and basic Colang 2.0 syntax for defining rail flows
Workflow
Step 1: Install Guardrail Frameworks
Install the required Python packages:
# Core NeMo Guardrails library
pip install nemoguardrails
# Guardrails AI for structured output validation (optional)
pip install guardrails-ai
# Additional dependencies for PII detection and content analysis
pip install presidio-analyzer presidio-anonymizer spacy
python -m spacy download en_core_web_lgStep 2: Run the Guardrails Security Agent
The agent implements a complete input/output validation pipeline:
# Analyze a single input through all guardrail layers
python agent.py --input "Tell me how to hack into a system"
# Analyze input with a custom content policy file
python agent.py --input "Some text" --policy policy.json
# Scan a file of prompts through the guardrail pipeline
python agent.py --file prompts.txt --mode full
# Input-only validation (no LLM call, just check if input is safe)
python agent.py --input "Some text" --mode input-only
# Output validation mode (validate a pre-generated LLM response)
python agent.py --input "User question" --response "LLM response to validate" --mode output-only
# PII detection and redaction mode
python agent.py --input "My SSN is 123-45-6789 and email john@example.com" --mode pii
# JSON output for pipeline integration
python agent.py --file prompts.txt --output jsonStep 3: Configure Content Policies
Create a JSON policy file defining allowed topics, blocked patterns, and PII categories:
{
"allowed_topics": ["customer_support", "product_info", "billing"],
"blocked_topics": ["politics", "violence", "illegal_activities", "competitor_products"],
"blocked_patterns": ["how to hack", "create malware", "bypass security"],
"pii_categories": ["PERSON", "EMAIL_ADDRESS", "PHONE_NUMBER", "US_SSN", "CREDIT_CARD"],
"max_output_length": 2000,
"require_grounded_response": true
}Step 4: Integrate NeMo Guardrails with Colang
Create a NeMo Guardrails configuration directory with config.yml and Colang flow files:
# config.yml
models:
- type: main
engine: openai
model: gpt-4o-mini
rails:
input:
flows:
- self check input
- check jailbreak
- mask sensitive data on input
output:
flows:
- self check output
- check hallucination# rails.co - Colang 2.0 flow definitions
define user ask about hacking
"How do I hack into a system"
"Tell me how to break into a network"
"How to exploit vulnerabilities"
define bot refuse hacking request
"I cannot provide instructions on unauthorized hacking or security exploitation.
If you are interested in cybersecurity, I can suggest legitimate learning resources
and ethical hacking certifications."
define flow
user ask about hacking
bot refuse hacking requestStep 5: Deploy as a Validation Middleware
Integrate the guardrails into your application as middleware:
from agent import GuardrailsPipeline
pipeline = GuardrailsPipeline(policy_path="policy.json")
# Pre-LLM input validation
input_result = pipeline.validate_input("user message here")
if not input_result["safe"]:
return input_result["blocked_reason"]
# Post-LLM output validation
llm_response = your_llm.generate(input_result["sanitized_input"])
output_result = pipeline.validate_output(llm_response, context=input_result)
if not output_result["safe"]:
return output_result["fallback_response"]
return output_result["validated_response"]Step 6: Monitor Guardrail Effectiveness
Review guardrail logs to track block rates, false positives, and bypass attempts:
# Generate a summary report from guardrail logs
python agent.py --file interaction_logs.txt --mode full --output json > guardrail_audit.jsonVerification
- Input guardrails correctly block known prompt injection patterns (system override, role-play escape, delimiter injection)
- PII detection identifies and redacts email addresses, phone numbers, SSNs, and credit card numbers in user inputs
- Topic restriction guardrails refuse off-policy queries and allow on-policy queries without false positives
- Output guardrails detect and flag responses containing toxic content, PII leakage, or off-topic material
- The guardrails pipeline adds less than 200ms of latency to the request/response cycle for input-only validation
- JSON output mode produces valid, parseable JSON suitable for downstream monitoring dashboards
Key Concepts
| Term | Definition |
|---|---|
| Input Rail | A guardrail that intercepts and validates user input before it reaches the LLM, blocking injection attempts and redacting sensitive data |
| Output Rail | A guardrail that validates LLM-generated output before it reaches the user, filtering toxic content and enforcing schema compliance |
| Colang | NVIDIA's domain-specific language for defining conversational guardrail flows, with Python-like syntax for specifying user intent patterns and bot responses |
| PII Redaction | The process of detecting and masking personally identifiable information (names, emails, SSNs) in text before processing |
| Content Policy | A configuration file defining which topics, patterns, and content categories are allowed or blocked by the guardrail system |
| Self-Check Rail | A NeMo Guardrails technique where the LLM itself evaluates whether its input or output violates defined policies |
| Hallucination Detection | Output validation that checks whether the LLM response is grounded in the provided context, flagging fabricated claims |
Tools & Systems
- NVIDIA NeMo Guardrails: Open-source toolkit for adding programmable input, dialog, and output rails to LLM applications using Colang flow definitions and YAML configuration
- Guardrails AI: Python framework for structured output validation with a hub of pre-built validators for PII, toxicity, JSON schema compliance, and more
- Microsoft Presidio: Open-source PII detection and anonymization engine supporting 30+ entity types with configurable NLP backends
- Colang 2.0: Event-driven interaction modeling language for defining guardrail flows with Python-like syntax, supporting multi-turn dialog control
- OpenAI Guardrails Python: OpenAI's client-side guardrails library for prompt injection detection and content policy enforcement
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md7.0 KB
API Reference: LLM Guardrails Security Tools
GuardrailsPipeline (agent.py)
The primary orchestration class that chains all guardrail layers into a validation pipeline.
Constructor
GuardrailsPipeline(
policy: dict = None, # Inline policy dictionary
policy_path: str = None, # Path to JSON policy file
)If neither policy nor policy_path is provided, the built-in DEFAULT_POLICY is used. Custom policies are merged with defaults so missing keys fall back to default values.
Methods
validate_input(text: str) -> ValidationResult
Runs all input guardrail layers (length, injection, content policy, PII) on user input.
Parameters:
text(str): The user input to validate.
Returns: ValidationResult with safe=False if any critical violation is found. PII-only findings are treated as warnings (input is redacted but not blocked).
validate_output(response: str, original_input: str = "") -> ValidationResult
Validates LLM-generated output for safety violations, system prompt leakage, and PII.
Parameters:
response(str): The LLM output to validate.original_input(str): The original user input for context-aware validation.
validate_pii_only(text: str) -> ValidationResult
Runs only the PII detection and redaction layer.
ValidationResult
Dataclass returned by all validation methods.
| Field | Type | Description |
|---|---|---|
safe |
bool | True if no critical violations found |
blocked_reason |
str | Human-readable reason for blocking (empty if safe) |
violations |
list[dict] | List of violation dicts with guard, detail, severity keys |
pii_detected |
list[dict] | List of PII findings with type, value, start, end keys |
sanitized_text |
str | Input with PII redacted |
risk_score |
float | Composite risk score (0.0 - 1.0) |
validation_time_ms |
float | Validation latency in milliseconds |
layer_results |
dict | Per-guard detailed results |
Individual Guards
InjectionGuard
Detects prompt injection attempts using compiled regex patterns.
guard = InjectionGuard(patterns=["(?i)ignore previous instructions"])
safe, violations = guard.check("Ignore previous instructions and do X")
# safe=False, violations=["injection_pattern_0: matched 'Ignore previous instructions'"]Default Patterns Detected:
- System prompt override ("ignore/disregard/forget previous instructions")
- Role-play escape ("you are now", "act as", "pretend to be")
- Instruction hijacking ("do not follow", "new instructions", "instead do")
- Delimiter injection (Markdown code fences with system/assistant, XML instruction tags)
- Developer/jailbreak modes ("DAN mode", "developer mode", "god mode")
- Prompt leaking ("what are your instructions", "repeat your prompt")
ContentPolicyGuard
Enforces blocked patterns and topic restrictions.
guard = ContentPolicyGuard(
blocked_patterns=[r"(?i)how to hack"],
blocked_topics=["violence", "illegal_activities"],
)
safe, violations = guard.check("How to hack into a WiFi network")
# safe=False, violations=["blocked_content_0: matched 'How to hack'"]Supported Topic Categories:
violence-- Physical harm, assault, murderillegal_activities-- Fraud, money laundering, traffickingweapons-- Firearms, explosives, 3D-printed weaponsdrugs-- Drug synthesis, manufacturing instructionsexploitation-- Child exploitation, human traffickingpolitics-- Partisan political opinions or endorsementscompetitor_products-- References to switching to competitors
PIIGuard
Detects and redacts personally identifiable information using regex patterns.
guard = PIIGuard(pii_patterns={"EMAIL_ADDRESS": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"})
findings = guard.detect("Contact john@example.com for details")
# [{"type": "EMAIL_ADDRESS", "value": "john@example.com", "start": 8, "end": 24}]
redacted, findings = guard.redact("Contact john@example.com for details")
# ("Contact [EMAIL_REDACTED] for details", [...])Supported PII Types:
| Type | Pattern | Redaction |
|---|---|---|
US_SSN |
123-45-6789 | [SSN_REDACTED] |
EMAIL_ADDRESS |
user@domain.com | [EMAIL_REDACTED] |
PHONE_NUMBER |
(555) 123-4567 | [PHONE_REDACTED] |
CREDIT_CARD |
4111-1111-1111-1111 | [CARD_REDACTED] |
IP_ADDRESS |
192.168.1.1 | [IP_REDACTED] |
US_PASSPORT |
A12345678 | [PASSPORT_REDACTED] |
AWS_ACCESS_KEY |
AKIAIOSFODNN7EXAMPLE | [AWS_KEY_REDACTED] |
GENERIC_API_KEY |
api_key=abc123... | [API_KEY_REDACTED] |
OutputGuard
Validates LLM output for safety violations, length limits, system prompt leakage, and PII.
guard = OutputGuard(blocked_patterns=[...], max_length=8000)
safe, violations = guard.check("Sure, I'll help you hack into the system")
# safe=False, violations=["output_blocked_0: matched ..."]LengthGuard
Enforces maximum input length.
guard = LengthGuard(max_length=4000)
safe, violations = guard.check("x" * 5000)
# safe=False, violations=["input_too_long: 5000 chars exceeds 4000 limit"]Content Policy JSON Schema
{
"allowed_topics": ["list of allowed topic strings"],
"blocked_topics": ["violence", "illegal_activities", "weapons", "drugs", "exploitation"],
"blocked_patterns": ["regex patterns for blocked content"],
"pii_patterns": {
"ENTITY_TYPE": "regex pattern"
},
"injection_patterns": ["regex patterns for injection detection"],
"max_input_length": 4000,
"max_output_length": 8000,
"output_blocked_patterns": ["regex patterns for blocked output content"]
}CLI Reference
usage: agent.py [-h] [--input INPUT] [--response RESPONSE] [--file FILE]
[--mode {full,input-only,output-only,pii}]
[--policy POLICY] [--output {text,json}]
Arguments:
--input, -i User input text to validate
--response, -r LLM response to validate (required for output-only mode)
--file, -f Path to file with one prompt per line
--mode, -m Validation mode: full | input-only | output-only | pii (default: full)
--policy, -p Path to JSON content policy file
--output, -o Output format: text | json (default: text)Exit Codes:
0-- All inputs passed validation1-- Error (file not found, invalid policy)2-- One or more inputs blocked or flagged
External Resources
- NVIDIA NeMo Guardrails: https://github.com/NVIDIA-NeMo/Guardrails
- NeMo Guardrails Documentation: https://docs.nvidia.com/nemo/guardrails/latest/index.html
- Guardrails AI Framework: https://github.com/guardrails-ai/guardrails
- Guardrails AI Hub (Validators): https://guardrailsai.com/hub
- Microsoft Presidio (PII Engine): https://github.com/microsoft/presidio
- OpenAI Guardrails Python: https://github.com/openai/openai-guardrails-python
- Colang 2.0 Guide: https://docs.nvidia.com/nemo/guardrails/latest/configure-rails/colang/index.html
- NeMo Guardrails Security Guidelines: https://docs.nvidia.com/nemo/guardrails/latest/security/guidelines.html
Scripts 1
agent.py21.6 KB
#!/usr/bin/env python3
"""
LLM Guardrails Security Agent
Implements input and output validation guardrails for LLM-powered applications.
Provides multi-layered security including prompt injection blocking, PII detection
and redaction, content policy enforcement, topic restriction, and output validation.
Supports NVIDIA NeMo Guardrails Colang integration and custom Python validators.
"""
import argparse
import json
import logging
import re
import sys
import time
from dataclasses import dataclass, field, asdict
from pathlib import Path
from typing import Optional
logging.basicConfig(
level=logging.INFO,
format="%(asctime)s [%(levelname)s] %(message)s",
datefmt="%Y-%m-%d %H:%M:%S",
)
logger = logging.getLogger(__name__)
# ---------------------------------------------------------------------------
# Default content policy
# ---------------------------------------------------------------------------
DEFAULT_POLICY = {
"allowed_topics": [],
"blocked_topics": ["violence", "illegal_activities", "weapons", "drugs", "exploitation"],
"blocked_patterns": [
r"(?i)\b(how\s+to\s+(hack|crack|break\s+into|exploit|bypass))\b",
r"(?i)\b(create|write|generate)\b.{0,20}\b(malware|virus|trojan|ransomware|keylogger|rootkit)\b",
r"(?i)\b(steal|exfiltrate|extract)\b.{0,20}\b(data|credentials?|passwords?|tokens?|keys?)\b",
r"(?i)\b(make|build|synthesize)\b.{0,20}\b(bomb|weapon|explosive|poison)\b",
r"(?i)\b(social\s+engineer|phish|spear\s*phish|impersonate)\b.{0,20}\b(someone|a\s+person|employee|user)\b",
],
"pii_patterns": {
"US_SSN": r"\b\d{3}-\d{2}-\d{4}\b",
"EMAIL_ADDRESS": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b",
"PHONE_NUMBER": r"\b(\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b",
"CREDIT_CARD": r"\b(?:\d{4}[-\s]?){3}\d{4}\b",
"IP_ADDRESS": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
"US_PASSPORT": r"\b[A-Z]\d{8}\b",
"AWS_ACCESS_KEY": r"\bAKIA[0-9A-Z]{16}\b",
"GENERIC_API_KEY": r"\b(?:api[_-]?key|token|secret)[=:\s]+['\"]?[A-Za-z0-9_\-]{20,}['\"]?",
},
"injection_patterns": [
r"(?i)\b(ignore|disregard|forget|override|bypass)\b.{0,30}\b(previous|above|prior|all|system|initial)\b.{0,20}\b(instructions?|prompts?|rules?)\b",
r"(?i)\b(you\s+are\s+now|act\s+as|pretend\s+(to\s+be|you\s+are)|simulate\s+being)\b",
r"(?i)\b(do\s+not\s+follow|stop\s+following|new\s+instructions?|instead\s+(do|say|output))\b",
r"(?i)(```\s*(system|assistant|user)\s*\n|<\s*/?\s*(system|instruction|prompt)\s*>)",
r"(?i)\b(developer\s+mode|DAN\s+mode|jailbreak\s+mode|god\s+mode|sudo\s+mode)\b",
r"(?i)\b(output|reveal|show|display|print|leak)\b.{0,30}\b(system\s+prompt|instructions?|config|password|api\s*key)\b",
r"(?i)\b(what\s+(is|are)\s+your\s+(system\s+)?instructions?|repeat\s+your\s+prompt|show\s+me\s+your\s+rules)\b",
],
"max_input_length": 4000,
"max_output_length": 8000,
"output_blocked_patterns": [
r"(?i)\b(my\s+system\s+prompt\s+is|here\s+are\s+my\s+instructions|as\s+an?\s+ai\s+language\s+model,?\s+i\s+don'?t\s+have\s+a\s+system\s+prompt)\b",
r"(?i)\b(sure,?\s+i'?ll\s+(help\s+you\s+)?(hack|create\s+malware|bypass\s+security|write\s+a\s+virus))\b",
],
}
@dataclass
class ValidationResult:
"""Result from a guardrail validation pass."""
safe: bool = True
blocked_reason: str = ""
violations: list[dict] = field(default_factory=list)
pii_detected: list[dict] = field(default_factory=list)
sanitized_text: str = ""
risk_score: float = 0.0
validation_time_ms: float = 0.0
layer_results: dict = field(default_factory=dict)
class InjectionGuard:
"""Input guard that detects and blocks prompt injection attempts."""
def __init__(self, patterns: list[str]) -> None:
self._compiled = [(i, re.compile(p)) for i, p in enumerate(patterns)]
def check(self, text: str) -> tuple[bool, list[str]]:
violations: list[str] = []
for idx, pattern in self._compiled:
match = pattern.search(text)
if match:
violations.append(f"injection_pattern_{idx}: matched '{match.group()}'")
return len(violations) == 0, violations
class ContentPolicyGuard:
"""Guard that enforces content policy rules on text."""
def __init__(self, blocked_patterns: list[str], blocked_topics: list[str]) -> None:
self._blocked_compiled = [(i, re.compile(p)) for i, p in enumerate(blocked_patterns)]
self._blocked_topics = blocked_topics
self._topic_patterns = self._build_topic_patterns()
def _build_topic_patterns(self) -> list[tuple[str, re.Pattern]]:
topic_regexes: dict[str, str] = {
"violence": r"(?i)\b(kill|murder|assault|torture|attack\s+someone|hurt\s+people|violence\s+against)\b",
"illegal_activities": r"(?i)\b(illegal|launder\s+money|traffic|counterfeit|forge\s+documents?|fraud\s+scheme)\b",
"weapons": r"(?i)\b(gun|firearm|weapon|ammunition|3d\s+print.{0,10}(gun|weapon)|ghost\s+gun)\b",
"drugs": r"(?i)\b(synthesize\s+(meth|cocaine|heroin|fentanyl)|cook\s+meth|manufacture\s+drugs?|drug\s+recipe)\b",
"exploitation": r"(?i)\b(exploit\s+(children|minors?|vulnerable)|human\s+traffic|child\s+abuse)\b",
"politics": r"(?i)\b(vote\s+for|political\s+party|democrat|republican|liberal|conservative)\b.{0,40}\b(best|worst|should|must)\b",
"competitor_products": r"(?i)\b(switch\s+to|better\s+than\s+us|use\s+.{0,20}instead)\b",
}
patterns = []
for topic in self._blocked_topics:
if topic in topic_regexes:
patterns.append((topic, re.compile(topic_regexes[topic])))
return patterns
def check(self, text: str) -> tuple[bool, list[str]]:
violations: list[str] = []
# Check blocked content patterns
for idx, pattern in self._blocked_compiled:
match = pattern.search(text)
if match:
violations.append(f"blocked_content_{idx}: matched '{match.group()}'")
# Check blocked topics
for topic, pattern in self._topic_patterns:
match = pattern.search(text)
if match:
violations.append(f"blocked_topic_{topic}: matched '{match.group()}'")
return len(violations) == 0, violations
class PIIGuard:
"""Guard that detects and redacts personally identifiable information."""
REDACTION_MAP = {
"US_SSN": "[SSN_REDACTED]",
"EMAIL_ADDRESS": "[EMAIL_REDACTED]",
"PHONE_NUMBER": "[PHONE_REDACTED]",
"CREDIT_CARD": "[CARD_REDACTED]",
"IP_ADDRESS": "[IP_REDACTED]",
"US_PASSPORT": "[PASSPORT_REDACTED]",
"AWS_ACCESS_KEY": "[AWS_KEY_REDACTED]",
"GENERIC_API_KEY": "[API_KEY_REDACTED]",
}
def __init__(self, pii_patterns: dict[str, str]) -> None:
self._compiled: dict[str, re.Pattern] = {}
for name, pattern_str in pii_patterns.items():
self._compiled[name] = re.compile(pattern_str)
def detect(self, text: str) -> list[dict]:
findings: list[dict] = []
for name, pattern in self._compiled.items():
for match in pattern.finditer(text):
findings.append({
"type": name,
"value": match.group(),
"start": match.start(),
"end": match.end(),
})
return findings
def redact(self, text: str) -> tuple[str, list[dict]]:
findings = self.detect(text)
if not findings:
return text, findings
# Sort by position descending to replace from end to start
findings_sorted = sorted(findings, key=lambda f: f["start"], reverse=True)
redacted = text
for finding in findings_sorted:
replacement = self.REDACTION_MAP.get(finding["type"], "[REDACTED]")
redacted = redacted[:finding["start"]] + replacement + redacted[finding["end"]:]
return redacted, findings
class OutputGuard:
"""Guard that validates LLM-generated output for safety violations."""
def __init__(self, blocked_patterns: list[str], max_length: int = 8000) -> None:
self._blocked = [(i, re.compile(p)) for i, p in enumerate(blocked_patterns)]
self._max_length = max_length
def check(self, response: str, original_input: str = "") -> tuple[bool, list[str]]:
violations: list[str] = []
# Check length
if len(response) > self._max_length:
violations.append(f"output_too_long: {len(response)} chars exceeds {self._max_length} limit")
# Check blocked output patterns
for idx, pattern in self._blocked:
match = pattern.search(response)
if match:
violations.append(f"output_blocked_{idx}: matched '{match.group()}'")
# Check for system prompt leakage indicators
system_prompt_indicators = [
r"(?i)(you\s+are\s+a\s+helpful\s+assistant|your\s+role\s+is\s+to|you\s+must\s+always)",
r"(?i)(system\s*:\s*\n|<<\s*SYS\s*>>|<\|system\|>)",
]
for indicator_pat in system_prompt_indicators:
if re.search(indicator_pat, response):
violations.append(f"potential_system_prompt_leak: matched indicator pattern")
break
# Check for PII in output
pii_guard = PIIGuard(DEFAULT_POLICY["pii_patterns"])
pii_findings = pii_guard.detect(response)
for finding in pii_findings:
violations.append(f"pii_in_output: {finding['type']} detected")
return len(violations) == 0, violations
class LengthGuard:
"""Guard that enforces input length limits."""
def __init__(self, max_length: int = 4000) -> None:
self._max_length = max_length
def check(self, text: str) -> tuple[bool, list[str]]:
if len(text) > self._max_length:
return False, [f"input_too_long: {len(text)} chars exceeds {self._max_length} limit"]
return True, []
class GuardrailsPipeline:
"""Complete input/output validation pipeline combining all guardrail layers."""
def __init__(self, policy: Optional[dict] = None, policy_path: Optional[str] = None) -> None:
if policy_path:
with open(policy_path, "r", encoding="utf-8") as fh:
self.policy = json.load(fh)
elif policy:
self.policy = policy
else:
self.policy = DEFAULT_POLICY
# Merge with defaults for any missing keys
for key, value in DEFAULT_POLICY.items():
if key not in self.policy:
self.policy[key] = value
# Initialize guards
self.injection_guard = InjectionGuard(self.policy.get("injection_patterns", []))
self.content_guard = ContentPolicyGuard(
blocked_patterns=self.policy.get("blocked_patterns", []),
blocked_topics=self.policy.get("blocked_topics", []),
)
self.pii_guard = PIIGuard(self.policy.get("pii_patterns", {}))
self.length_guard = LengthGuard(self.policy.get("max_input_length", 4000))
self.output_guard = OutputGuard(
blocked_patterns=self.policy.get("output_blocked_patterns", []),
max_length=self.policy.get("max_output_length", 8000),
)
def validate_input(self, text: str) -> ValidationResult:
start = time.perf_counter()
result = ValidationResult(sanitized_text=text)
all_violations: list[dict] = []
# Layer 1: Length check
length_safe, length_issues = self.length_guard.check(text)
result.layer_results["length_guard"] = {"safe": length_safe, "issues": length_issues}
if not length_safe:
for issue in length_issues:
all_violations.append({"guard": "length", "detail": issue})
# Layer 2: Injection detection
injection_safe, injection_issues = self.injection_guard.check(text)
result.layer_results["injection_guard"] = {"safe": injection_safe, "issues": injection_issues}
if not injection_safe:
for issue in injection_issues:
all_violations.append({"guard": "injection", "detail": issue})
# Layer 3: Content policy
content_safe, content_issues = self.content_guard.check(text)
result.layer_results["content_policy_guard"] = {"safe": content_safe, "issues": content_issues}
if not content_safe:
for issue in content_issues:
all_violations.append({"guard": "content_policy", "detail": issue})
# Layer 4: PII detection and redaction
redacted_text, pii_findings = self.pii_guard.redact(text)
result.pii_detected = pii_findings
result.sanitized_text = redacted_text
result.layer_results["pii_guard"] = {
"pii_found": len(pii_findings),
"types": list(set(f["type"] for f in pii_findings)),
}
if pii_findings:
for finding in pii_findings:
all_violations.append({
"guard": "pii",
"detail": f"detected {finding['type']}",
"severity": "warning",
})
# Compute risk score
critical_violations = sum(1 for v in all_violations if v.get("severity") != "warning")
warning_violations = sum(1 for v in all_violations if v.get("severity") == "warning")
result.risk_score = min(1.0, critical_violations * 0.35 + warning_violations * 0.1)
# Final verdict: block on critical violations, warn on PII-only
result.violations = all_violations
if critical_violations > 0:
result.safe = False
reasons = [v["detail"] for v in all_violations if v.get("severity") != "warning"]
result.blocked_reason = "; ".join(reasons[:3])
else:
result.safe = True
result.validation_time_ms = round((time.perf_counter() - start) * 1000, 2)
return result
def validate_output(self, response: str, original_input: str = "") -> ValidationResult:
start = time.perf_counter()
result = ValidationResult(sanitized_text=response)
all_violations: list[dict] = []
# Check output safety
output_safe, output_issues = self.output_guard.check(response, original_input)
result.layer_results["output_guard"] = {"safe": output_safe, "issues": output_issues}
if not output_safe:
for issue in output_issues:
all_violations.append({"guard": "output", "detail": issue})
# PII redaction on output
redacted_output, pii_findings = self.pii_guard.redact(response)
result.pii_detected = pii_findings
result.sanitized_text = redacted_output
result.violations = all_violations
critical = sum(1 for v in all_violations if "pii_in_output" not in v.get("detail", ""))
result.risk_score = min(1.0, critical * 0.35 + len(pii_findings) * 0.1)
if critical > 0:
result.safe = False
reasons = [v["detail"] for v in all_violations]
result.blocked_reason = "; ".join(reasons[:3])
else:
result.safe = True
result.validation_time_ms = round((time.perf_counter() - start) * 1000, 2)
return result
def validate_pii_only(self, text: str) -> ValidationResult:
start = time.perf_counter()
result = ValidationResult(sanitized_text=text)
redacted_text, pii_findings = self.pii_guard.redact(text)
result.pii_detected = pii_findings
result.sanitized_text = redacted_text
result.safe = len(pii_findings) == 0
if pii_findings:
types_found = list(set(f["type"] for f in pii_findings))
result.blocked_reason = f"PII detected: {', '.join(types_found)}"
result.violations = [{"guard": "pii", "detail": f"detected {f['type']}"} for f in pii_findings]
result.risk_score = min(1.0, len(pii_findings) * 0.15)
result.validation_time_ms = round((time.perf_counter() - start) * 1000, 2)
return result
def format_result_text(result: ValidationResult, label: str = "INPUT") -> str:
"""Format a validation result as human-readable text."""
verdict = "SAFE" if result.safe else "BLOCKED"
lines = [
f"[{label}] Verdict: {verdict}",
f" Risk Score : {result.risk_score:.4f}",
f" Validation Time : {result.validation_time_ms:.2f} ms",
]
if result.blocked_reason:
lines.append(f" Blocked Reason : {result.blocked_reason}")
if result.violations:
lines.append(f" Violations ({len(result.violations)}):")
for v in result.violations[:5]:
severity = v.get("severity", "critical")
lines.append(f" [{severity.upper()}] {v['guard']}: {v['detail']}")
if result.pii_detected:
lines.append(f" PII Detected ({len(result.pii_detected)}):")
for pii in result.pii_detected:
masked = pii["value"][:3] + "***"
lines.append(f" {pii['type']}: {masked}")
lines.append(f" Sanitized Text : {result.sanitized_text[:200]}")
lines.append("-" * 70)
return "\n".join(lines)
def format_result_json(result: ValidationResult) -> str:
"""Format a validation result as JSON."""
data = asdict(result)
data["sanitized_text"] = data["sanitized_text"][:500]
# Mask PII values in JSON output
for pii in data.get("pii_detected", []):
pii["value"] = pii["value"][:3] + "***"
return json.dumps(data, indent=2, default=str)
def main() -> None:
parser = argparse.ArgumentParser(
description="LLM Guardrails Security Agent - input/output validation for LLM applications.",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
python agent.py --input "Tell me how to hack into a network"
python agent.py --input "My SSN is 123-45-6789" --mode pii
python agent.py --file prompts.txt --mode full --output json
python agent.py --input "Question" --response "LLM answer" --mode output-only
python agent.py --input "Some text" --policy custom_policy.json
""",
)
parser.add_argument("--input", "-i", type=str, help="User input to validate")
parser.add_argument("--response", "-r", type=str, help="LLM response to validate (for output-only mode)")
parser.add_argument("--file", "-f", type=str, help="File with one prompt per line to scan")
parser.add_argument(
"--mode", "-m",
choices=["full", "input-only", "output-only", "pii"],
default="full",
help="Validation mode. Default: full",
)
parser.add_argument("--policy", "-p", type=str, help="Path to JSON content policy file")
parser.add_argument(
"--output", "-o",
choices=["text", "json"],
default="text",
help="Output format. Default: text",
)
args = parser.parse_args()
if not args.input and not args.file:
parser.error("Provide either --input or --file")
if args.mode == "output-only" and not args.response:
parser.error("--response is required for output-only mode")
# Initialize pipeline
pipeline = GuardrailsPipeline(policy_path=args.policy)
# Collect inputs
inputs: list[str] = []
if args.input:
inputs.append(args.input)
if args.file:
filepath = Path(args.file)
if not filepath.is_file():
logger.error("File not found: %s", args.file)
sys.exit(1)
with open(filepath, "r", encoding="utf-8") as fh:
for line in fh:
stripped = line.strip()
if stripped:
inputs.append(stripped)
if not inputs:
logger.error("No inputs to validate.")
sys.exit(1)
logger.info("Validating %d input(s) in '%s' mode ...", len(inputs), args.mode)
blocked_count = 0
for idx, user_input in enumerate(inputs, 1):
if args.mode == "pii":
result = pipeline.validate_pii_only(user_input)
label = "PII"
elif args.mode == "output-only":
result = pipeline.validate_output(args.response, original_input=user_input)
label = "OUTPUT"
elif args.mode == "input-only":
result = pipeline.validate_input(user_input)
label = "INPUT"
else:
# Full mode: validate input, then simulate output check
input_result = pipeline.validate_input(user_input)
if args.output == "text":
print(f"\n[{idx}/{len(inputs)}]")
print(format_result_text(input_result, label="INPUT"))
else:
print(format_result_json(input_result))
if not input_result.safe:
blocked_count += 1
# If a response is provided, also validate output
if args.response:
output_result = pipeline.validate_output(args.response, original_input=user_input)
if args.output == "text":
print(format_result_text(output_result, label="OUTPUT"))
else:
print(format_result_json(output_result))
if not output_result.safe:
blocked_count += 1
continue
if not result.safe:
blocked_count += 1
if args.output == "text":
print(f"\n[{idx}/{len(inputs)}]")
print(format_result_text(result, label=label))
else:
print(format_result_json(result))
# Summary
if args.output == "text" and len(inputs) > 1:
print(f"\n{'=' * 70}")
print(f"SUMMARY: {blocked_count}/{len(inputs)} inputs blocked or flagged")
if blocked_count > 0:
sys.exit(2)
sys.exit(0)
if __name__ == "__main__":
main()