Add 30 new production-grade cybersecurity skills: AI security, supply chain, firmware, cloud-native, compliance, deception, crypto, threat hunting, purple team, OT, privacy

This commit is contained in:
mukul975
2026-03-19 19:14:23 +01:00
parent d43cc7a766
commit d833f0eab9
125 changed files with 47874 additions and 334 deletions
@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to the Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by the Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding any notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. Please do not remove or change
the license header comment from a contributed file except when
necessary.
Copyright 2026 mukul975
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
@@ -0,0 +1,200 @@
---
name: implementing-llm-guardrails-for-security
description: >
Implements input and output validation guardrails for LLM-powered applications to prevent
prompt injection, data leakage, toxic content generation, and hallucinated outputs. Builds
a security validation pipeline using NVIDIA NeMo Guardrails Colang definitions, custom Python
validators for PII detection and content policy enforcement, and the Guardrails AI framework
for structured output validation. The guardrails system intercepts both user inputs (blocking
injection attempts, stripping PII, enforcing topic boundaries) and model outputs (detecting
hallucinations, filtering toxic content, validating JSON schema compliance). Activates for
requests involving LLM output validation, AI content filtering, guardrail implementation,
or LLM safety enforcement.
domain: cybersecurity
subdomain: ai-security
tags: [LLM-guardrails, NeMo-Guardrails, input-validation, output-filtering, AI-safety]
version: 1.0.0
author: mukul975
license: Apache-2.0
---
# Implementing LLM Guardrails for Security
## When to Use
- Deploying a new LLM-powered application that processes user input and needs input/output safety controls
- Adding content policy enforcement to an existing chatbot or AI agent to comply with organizational policies
- Implementing PII detection and redaction in LLM pipelines handling sensitive customer data
- Building topic-restricted AI assistants that must refuse off-topic or disallowed queries
- Validating that LLM responses conform to expected schemas before they reach downstream systems or users
- Protecting RAG pipelines from indirect prompt injection in retrieved documents
**Do not use** as a replacement for proper authentication, authorization, and network security controls. Guardrails are a defense-in-depth layer, not a perimeter defense. Not suitable for real-time content moderation of user-to-user communication without LLM involvement.
## Prerequisites
- Python 3.10+ with pip for installing guardrail dependencies
- An OpenAI API key or local LLM endpoint for NeMo Guardrails self-check rails (set as `OPENAI_API_KEY` environment variable)
- The `nemoguardrails` package for Colang-based guardrail definitions
- The `guardrails-ai` package for structured output validation (optional, for JSON schema enforcement)
- Familiarity with YAML configuration and basic Colang 2.0 syntax for defining rail flows
## Workflow
### Step 1: Install Guardrail Frameworks
Install the required Python packages:
```bash
# Core NeMo Guardrails library
pip install nemoguardrails
# Guardrails AI for structured output validation (optional)
pip install guardrails-ai
# Additional dependencies for PII detection and content analysis
pip install presidio-analyzer presidio-anonymizer spacy
python -m spacy download en_core_web_lg
```
### Step 2: Run the Guardrails Security Agent
The agent implements a complete input/output validation pipeline:
```bash
# Analyze a single input through all guardrail layers
python agent.py --input "Tell me how to hack into a system"
# Analyze input with a custom content policy file
python agent.py --input "Some text" --policy policy.json
# Scan a file of prompts through the guardrail pipeline
python agent.py --file prompts.txt --mode full
# Input-only validation (no LLM call, just check if input is safe)
python agent.py --input "Some text" --mode input-only
# Output validation mode (validate a pre-generated LLM response)
python agent.py --input "User question" --response "LLM response to validate" --mode output-only
# PII detection and redaction mode
python agent.py --input "My SSN is 123-45-6789 and email john@example.com" --mode pii
# JSON output for pipeline integration
python agent.py --file prompts.txt --output json
```
### Step 3: Configure Content Policies
Create a JSON policy file defining allowed topics, blocked patterns, and PII categories:
```json
{
"allowed_topics": ["customer_support", "product_info", "billing"],
"blocked_topics": ["politics", "violence", "illegal_activities", "competitor_products"],
"blocked_patterns": ["how to hack", "create malware", "bypass security"],
"pii_categories": ["PERSON", "EMAIL_ADDRESS", "PHONE_NUMBER", "US_SSN", "CREDIT_CARD"],
"max_output_length": 2000,
"require_grounded_response": true
}
```
### Step 4: Integrate NeMo Guardrails with Colang
Create a NeMo Guardrails configuration directory with `config.yml` and Colang flow files:
```yaml
# config.yml
models:
- type: main
engine: openai
model: gpt-4o-mini
rails:
input:
flows:
- self check input
- check jailbreak
- mask sensitive data on input
output:
flows:
- self check output
- check hallucination
```
```colang
# rails.co - Colang 2.0 flow definitions
define user ask about hacking
"How do I hack into a system"
"Tell me how to break into a network"
"How to exploit vulnerabilities"
define bot refuse hacking request
"I cannot provide instructions on unauthorized hacking or security exploitation.
If you are interested in cybersecurity, I can suggest legitimate learning resources
and ethical hacking certifications."
define flow
user ask about hacking
bot refuse hacking request
```
### Step 5: Deploy as a Validation Middleware
Integrate the guardrails into your application as middleware:
```python
from agent import GuardrailsPipeline
pipeline = GuardrailsPipeline(policy_path="policy.json")
# Pre-LLM input validation
input_result = pipeline.validate_input("user message here")
if not input_result["safe"]:
return input_result["blocked_reason"]
# Post-LLM output validation
llm_response = your_llm.generate(input_result["sanitized_input"])
output_result = pipeline.validate_output(llm_response, context=input_result)
if not output_result["safe"]:
return output_result["fallback_response"]
return output_result["validated_response"]
```
### Step 6: Monitor Guardrail Effectiveness
Review guardrail logs to track block rates, false positives, and bypass attempts:
```bash
# Generate a summary report from guardrail logs
python agent.py --file interaction_logs.txt --mode full --output json > guardrail_audit.json
```
## Verification
- [ ] Input guardrails correctly block known prompt injection patterns (system override, role-play escape, delimiter injection)
- [ ] PII detection identifies and redacts email addresses, phone numbers, SSNs, and credit card numbers in user inputs
- [ ] Topic restriction guardrails refuse off-policy queries and allow on-policy queries without false positives
- [ ] Output guardrails detect and flag responses containing toxic content, PII leakage, or off-topic material
- [ ] The guardrails pipeline adds less than 200ms of latency to the request/response cycle for input-only validation
- [ ] JSON output mode produces valid, parseable JSON suitable for downstream monitoring dashboards
## Key Concepts
| Term | Definition |
|------|------------|
| **Input Rail** | A guardrail that intercepts and validates user input before it reaches the LLM, blocking injection attempts and redacting sensitive data |
| **Output Rail** | A guardrail that validates LLM-generated output before it reaches the user, filtering toxic content and enforcing schema compliance |
| **Colang** | NVIDIA's domain-specific language for defining conversational guardrail flows, with Python-like syntax for specifying user intent patterns and bot responses |
| **PII Redaction** | The process of detecting and masking personally identifiable information (names, emails, SSNs) in text before processing |
| **Content Policy** | A configuration file defining which topics, patterns, and content categories are allowed or blocked by the guardrail system |
| **Self-Check Rail** | A NeMo Guardrails technique where the LLM itself evaluates whether its input or output violates defined policies |
| **Hallucination Detection** | Output validation that checks whether the LLM response is grounded in the provided context, flagging fabricated claims |
## Tools & Systems
- **NVIDIA NeMo Guardrails**: Open-source toolkit for adding programmable input, dialog, and output rails to LLM applications using Colang flow definitions and YAML configuration
- **Guardrails AI**: Python framework for structured output validation with a hub of pre-built validators for PII, toxicity, JSON schema compliance, and more
- **Microsoft Presidio**: Open-source PII detection and anonymization engine supporting 30+ entity types with configurable NLP backends
- **Colang 2.0**: Event-driven interaction modeling language for defining guardrail flows with Python-like syntax, supporting multi-turn dialog control
- **OpenAI Guardrails Python**: OpenAI's client-side guardrails library for prompt injection detection and content policy enforcement
@@ -0,0 +1,201 @@
# API Reference: LLM Guardrails Security Tools
## GuardrailsPipeline (agent.py)
The primary orchestration class that chains all guardrail layers into a validation pipeline.
### Constructor
```python
GuardrailsPipeline(
policy: dict = None, # Inline policy dictionary
policy_path: str = None, # Path to JSON policy file
)
```
If neither `policy` nor `policy_path` is provided, the built-in DEFAULT_POLICY is used. Custom policies are merged with defaults so missing keys fall back to default values.
### Methods
#### `validate_input(text: str) -> ValidationResult`
Runs all input guardrail layers (length, injection, content policy, PII) on user input.
**Parameters:**
- `text` (str): The user input to validate.
**Returns:** `ValidationResult` with `safe=False` if any critical violation is found. PII-only findings are treated as warnings (input is redacted but not blocked).
#### `validate_output(response: str, original_input: str = "") -> ValidationResult`
Validates LLM-generated output for safety violations, system prompt leakage, and PII.
**Parameters:**
- `response` (str): The LLM output to validate.
- `original_input` (str): The original user input for context-aware validation.
#### `validate_pii_only(text: str) -> ValidationResult`
Runs only the PII detection and redaction layer.
---
## ValidationResult
Dataclass returned by all validation methods.
| Field | Type | Description |
|-------|------|-------------|
| `safe` | bool | True if no critical violations found |
| `blocked_reason` | str | Human-readable reason for blocking (empty if safe) |
| `violations` | list[dict] | List of violation dicts with guard, detail, severity keys |
| `pii_detected` | list[dict] | List of PII findings with type, value, start, end keys |
| `sanitized_text` | str | Input with PII redacted |
| `risk_score` | float | Composite risk score (0.0 - 1.0) |
| `validation_time_ms` | float | Validation latency in milliseconds |
| `layer_results` | dict | Per-guard detailed results |
---
## Individual Guards
### InjectionGuard
Detects prompt injection attempts using compiled regex patterns.
```python
guard = InjectionGuard(patterns=["(?i)ignore previous instructions"])
safe, violations = guard.check("Ignore previous instructions and do X")
# safe=False, violations=["injection_pattern_0: matched 'Ignore previous instructions'"]
```
**Default Patterns Detected:**
- System prompt override ("ignore/disregard/forget previous instructions")
- Role-play escape ("you are now", "act as", "pretend to be")
- Instruction hijacking ("do not follow", "new instructions", "instead do")
- Delimiter injection (Markdown code fences with system/assistant, XML instruction tags)
- Developer/jailbreak modes ("DAN mode", "developer mode", "god mode")
- Prompt leaking ("what are your instructions", "repeat your prompt")
### ContentPolicyGuard
Enforces blocked patterns and topic restrictions.
```python
guard = ContentPolicyGuard(
blocked_patterns=[r"(?i)how to hack"],
blocked_topics=["violence", "illegal_activities"],
)
safe, violations = guard.check("How to hack into a WiFi network")
# safe=False, violations=["blocked_content_0: matched 'How to hack'"]
```
**Supported Topic Categories:**
- `violence` -- Physical harm, assault, murder
- `illegal_activities` -- Fraud, money laundering, trafficking
- `weapons` -- Firearms, explosives, 3D-printed weapons
- `drugs` -- Drug synthesis, manufacturing instructions
- `exploitation` -- Child exploitation, human trafficking
- `politics` -- Partisan political opinions or endorsements
- `competitor_products` -- References to switching to competitors
### PIIGuard
Detects and redacts personally identifiable information using regex patterns.
```python
guard = PIIGuard(pii_patterns={"EMAIL_ADDRESS": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"})
findings = guard.detect("Contact john@example.com for details")
# [{"type": "EMAIL_ADDRESS", "value": "john@example.com", "start": 8, "end": 24}]
redacted, findings = guard.redact("Contact john@example.com for details")
# ("Contact [EMAIL_REDACTED] for details", [...])
```
**Supported PII Types:**
| Type | Pattern | Redaction |
|------|---------|-----------|
| `US_SSN` | 123-45-6789 | [SSN_REDACTED] |
| `EMAIL_ADDRESS` | user@domain.com | [EMAIL_REDACTED] |
| `PHONE_NUMBER` | (555) 123-4567 | [PHONE_REDACTED] |
| `CREDIT_CARD` | 4111-1111-1111-1111 | [CARD_REDACTED] |
| `IP_ADDRESS` | 192.168.1.1 | [IP_REDACTED] |
| `US_PASSPORT` | A12345678 | [PASSPORT_REDACTED] |
| `AWS_ACCESS_KEY` | AKIAIOSFODNN7EXAMPLE | [AWS_KEY_REDACTED] |
| `GENERIC_API_KEY` | api_key=abc123... | [API_KEY_REDACTED] |
### OutputGuard
Validates LLM output for safety violations, length limits, system prompt leakage, and PII.
```python
guard = OutputGuard(blocked_patterns=[...], max_length=8000)
safe, violations = guard.check("Sure, I'll help you hack into the system")
# safe=False, violations=["output_blocked_0: matched ..."]
```
### LengthGuard
Enforces maximum input length.
```python
guard = LengthGuard(max_length=4000)
safe, violations = guard.check("x" * 5000)
# safe=False, violations=["input_too_long: 5000 chars exceeds 4000 limit"]
```
---
## Content Policy JSON Schema
```json
{
"allowed_topics": ["list of allowed topic strings"],
"blocked_topics": ["violence", "illegal_activities", "weapons", "drugs", "exploitation"],
"blocked_patterns": ["regex patterns for blocked content"],
"pii_patterns": {
"ENTITY_TYPE": "regex pattern"
},
"injection_patterns": ["regex patterns for injection detection"],
"max_input_length": 4000,
"max_output_length": 8000,
"output_blocked_patterns": ["regex patterns for blocked output content"]
}
```
---
## CLI Reference
```
usage: agent.py [-h] [--input INPUT] [--response RESPONSE] [--file FILE]
[--mode {full,input-only,output-only,pii}]
[--policy POLICY] [--output {text,json}]
Arguments:
--input, -i User input text to validate
--response, -r LLM response to validate (required for output-only mode)
--file, -f Path to file with one prompt per line
--mode, -m Validation mode: full | input-only | output-only | pii (default: full)
--policy, -p Path to JSON content policy file
--output, -o Output format: text | json (default: text)
```
**Exit Codes:**
- `0` -- All inputs passed validation
- `1` -- Error (file not found, invalid policy)
- `2` -- One or more inputs blocked or flagged
---
## External Resources
- NVIDIA NeMo Guardrails: https://github.com/NVIDIA-NeMo/Guardrails
- NeMo Guardrails Documentation: https://docs.nvidia.com/nemo/guardrails/latest/index.html
- Guardrails AI Framework: https://github.com/guardrails-ai/guardrails
- Guardrails AI Hub (Validators): https://guardrailsai.com/hub
- Microsoft Presidio (PII Engine): https://github.com/microsoft/presidio
- OpenAI Guardrails Python: https://github.com/openai/openai-guardrails-python
- Colang 2.0 Guide: https://docs.nvidia.com/nemo/guardrails/latest/configure-rails/colang/index.html
- NeMo Guardrails Security Guidelines: https://docs.nvidia.com/nemo/guardrails/latest/security/guidelines.html
@@ -0,0 +1,527 @@
#!/usr/bin/env python3
"""
LLM Guardrails Security Agent
Implements input and output validation guardrails for LLM-powered applications.
Provides multi-layered security including prompt injection blocking, PII detection
and redaction, content policy enforcement, topic restriction, and output validation.
Supports NVIDIA NeMo Guardrails Colang integration and custom Python validators.
"""
import argparse
import json
import logging
import re
import sys
import time
from dataclasses import dataclass, field, asdict
from pathlib import Path
from typing import Optional
logging.basicConfig(
level=logging.INFO,
format="%(asctime)s [%(levelname)s] %(message)s",
datefmt="%Y-%m-%d %H:%M:%S",
)
logger = logging.getLogger(__name__)
# ---------------------------------------------------------------------------
# Default content policy
# ---------------------------------------------------------------------------
DEFAULT_POLICY = {
"allowed_topics": [],
"blocked_topics": ["violence", "illegal_activities", "weapons", "drugs", "exploitation"],
"blocked_patterns": [
r"(?i)\b(how\s+to\s+(hack|crack|break\s+into|exploit|bypass))\b",
r"(?i)\b(create|write|generate)\b.{0,20}\b(malware|virus|trojan|ransomware|keylogger|rootkit)\b",
r"(?i)\b(steal|exfiltrate|extract)\b.{0,20}\b(data|credentials?|passwords?|tokens?|keys?)\b",
r"(?i)\b(make|build|synthesize)\b.{0,20}\b(bomb|weapon|explosive|poison)\b",
r"(?i)\b(social\s+engineer|phish|spear\s*phish|impersonate)\b.{0,20}\b(someone|a\s+person|employee|user)\b",
],
"pii_patterns": {
"US_SSN": r"\b\d{3}-\d{2}-\d{4}\b",
"EMAIL_ADDRESS": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b",
"PHONE_NUMBER": r"\b(\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b",
"CREDIT_CARD": r"\b(?:\d{4}[-\s]?){3}\d{4}\b",
"IP_ADDRESS": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
"US_PASSPORT": r"\b[A-Z]\d{8}\b",
"AWS_ACCESS_KEY": r"\bAKIA[0-9A-Z]{16}\b",
"GENERIC_API_KEY": r"\b(?:api[_-]?key|token|secret)[=:\s]+['\"]?[A-Za-z0-9_\-]{20,}['\"]?",
},
"injection_patterns": [
r"(?i)\b(ignore|disregard|forget|override|bypass)\b.{0,30}\b(previous|above|prior|all|system|initial)\b.{0,20}\b(instructions?|prompts?|rules?)\b",
r"(?i)\b(you\s+are\s+now|act\s+as|pretend\s+(to\s+be|you\s+are)|simulate\s+being)\b",
r"(?i)\b(do\s+not\s+follow|stop\s+following|new\s+instructions?|instead\s+(do|say|output))\b",
r"(?i)(```\s*(system|assistant|user)\s*\n|<\s*/?\s*(system|instruction|prompt)\s*>)",
r"(?i)\b(developer\s+mode|DAN\s+mode|jailbreak\s+mode|god\s+mode|sudo\s+mode)\b",
r"(?i)\b(output|reveal|show|display|print|leak)\b.{0,30}\b(system\s+prompt|instructions?|config|password|api\s*key)\b",
r"(?i)\b(what\s+(is|are)\s+your\s+(system\s+)?instructions?|repeat\s+your\s+prompt|show\s+me\s+your\s+rules)\b",
],
"max_input_length": 4000,
"max_output_length": 8000,
"output_blocked_patterns": [
r"(?i)\b(my\s+system\s+prompt\s+is|here\s+are\s+my\s+instructions|as\s+an?\s+ai\s+language\s+model,?\s+i\s+don'?t\s+have\s+a\s+system\s+prompt)\b",
r"(?i)\b(sure,?\s+i'?ll\s+(help\s+you\s+)?(hack|create\s+malware|bypass\s+security|write\s+a\s+virus))\b",
],
}
@dataclass
class ValidationResult:
"""Result from a guardrail validation pass."""
safe: bool = True
blocked_reason: str = ""
violations: list[dict] = field(default_factory=list)
pii_detected: list[dict] = field(default_factory=list)
sanitized_text: str = ""
risk_score: float = 0.0
validation_time_ms: float = 0.0
layer_results: dict = field(default_factory=dict)
class InjectionGuard:
"""Input guard that detects and blocks prompt injection attempts."""
def __init__(self, patterns: list[str]) -> None:
self._compiled = [(i, re.compile(p)) for i, p in enumerate(patterns)]
def check(self, text: str) -> tuple[bool, list[str]]:
violations: list[str] = []
for idx, pattern in self._compiled:
match = pattern.search(text)
if match:
violations.append(f"injection_pattern_{idx}: matched '{match.group()}'")
return len(violations) == 0, violations
class ContentPolicyGuard:
"""Guard that enforces content policy rules on text."""
def __init__(self, blocked_patterns: list[str], blocked_topics: list[str]) -> None:
self._blocked_compiled = [(i, re.compile(p)) for i, p in enumerate(blocked_patterns)]
self._blocked_topics = blocked_topics
self._topic_patterns = self._build_topic_patterns()
def _build_topic_patterns(self) -> list[tuple[str, re.Pattern]]:
topic_regexes: dict[str, str] = {
"violence": r"(?i)\b(kill|murder|assault|torture|attack\s+someone|hurt\s+people|violence\s+against)\b",
"illegal_activities": r"(?i)\b(illegal|launder\s+money|traffic|counterfeit|forge\s+documents?|fraud\s+scheme)\b",
"weapons": r"(?i)\b(gun|firearm|weapon|ammunition|3d\s+print.{0,10}(gun|weapon)|ghost\s+gun)\b",
"drugs": r"(?i)\b(synthesize\s+(meth|cocaine|heroin|fentanyl)|cook\s+meth|manufacture\s+drugs?|drug\s+recipe)\b",
"exploitation": r"(?i)\b(exploit\s+(children|minors?|vulnerable)|human\s+traffic|child\s+abuse)\b",
"politics": r"(?i)\b(vote\s+for|political\s+party|democrat|republican|liberal|conservative)\b.{0,40}\b(best|worst|should|must)\b",
"competitor_products": r"(?i)\b(switch\s+to|better\s+than\s+us|use\s+.{0,20}instead)\b",
}
patterns = []
for topic in self._blocked_topics:
if topic in topic_regexes:
patterns.append((topic, re.compile(topic_regexes[topic])))
return patterns
def check(self, text: str) -> tuple[bool, list[str]]:
violations: list[str] = []
# Check blocked content patterns
for idx, pattern in self._blocked_compiled:
match = pattern.search(text)
if match:
violations.append(f"blocked_content_{idx}: matched '{match.group()}'")
# Check blocked topics
for topic, pattern in self._topic_patterns:
match = pattern.search(text)
if match:
violations.append(f"blocked_topic_{topic}: matched '{match.group()}'")
return len(violations) == 0, violations
class PIIGuard:
"""Guard that detects and redacts personally identifiable information."""
REDACTION_MAP = {
"US_SSN": "[SSN_REDACTED]",
"EMAIL_ADDRESS": "[EMAIL_REDACTED]",
"PHONE_NUMBER": "[PHONE_REDACTED]",
"CREDIT_CARD": "[CARD_REDACTED]",
"IP_ADDRESS": "[IP_REDACTED]",
"US_PASSPORT": "[PASSPORT_REDACTED]",
"AWS_ACCESS_KEY": "[AWS_KEY_REDACTED]",
"GENERIC_API_KEY": "[API_KEY_REDACTED]",
}
def __init__(self, pii_patterns: dict[str, str]) -> None:
self._compiled: dict[str, re.Pattern] = {}
for name, pattern_str in pii_patterns.items():
self._compiled[name] = re.compile(pattern_str)
def detect(self, text: str) -> list[dict]:
findings: list[dict] = []
for name, pattern in self._compiled.items():
for match in pattern.finditer(text):
findings.append({
"type": name,
"value": match.group(),
"start": match.start(),
"end": match.end(),
})
return findings
def redact(self, text: str) -> tuple[str, list[dict]]:
findings = self.detect(text)
if not findings:
return text, findings
# Sort by position descending to replace from end to start
findings_sorted = sorted(findings, key=lambda f: f["start"], reverse=True)
redacted = text
for finding in findings_sorted:
replacement = self.REDACTION_MAP.get(finding["type"], "[REDACTED]")
redacted = redacted[:finding["start"]] + replacement + redacted[finding["end"]:]
return redacted, findings
class OutputGuard:
"""Guard that validates LLM-generated output for safety violations."""
def __init__(self, blocked_patterns: list[str], max_length: int = 8000) -> None:
self._blocked = [(i, re.compile(p)) for i, p in enumerate(blocked_patterns)]
self._max_length = max_length
def check(self, response: str, original_input: str = "") -> tuple[bool, list[str]]:
violations: list[str] = []
# Check length
if len(response) > self._max_length:
violations.append(f"output_too_long: {len(response)} chars exceeds {self._max_length} limit")
# Check blocked output patterns
for idx, pattern in self._blocked:
match = pattern.search(response)
if match:
violations.append(f"output_blocked_{idx}: matched '{match.group()}'")
# Check for system prompt leakage indicators
system_prompt_indicators = [
r"(?i)(you\s+are\s+a\s+helpful\s+assistant|your\s+role\s+is\s+to|you\s+must\s+always)",
r"(?i)(system\s*:\s*\n|<<\s*SYS\s*>>|<\|system\|>)",
]
for indicator_pat in system_prompt_indicators:
if re.search(indicator_pat, response):
violations.append(f"potential_system_prompt_leak: matched indicator pattern")
break
# Check for PII in output
pii_guard = PIIGuard(DEFAULT_POLICY["pii_patterns"])
pii_findings = pii_guard.detect(response)
for finding in pii_findings:
violations.append(f"pii_in_output: {finding['type']} detected")
return len(violations) == 0, violations
class LengthGuard:
"""Guard that enforces input length limits."""
def __init__(self, max_length: int = 4000) -> None:
self._max_length = max_length
def check(self, text: str) -> tuple[bool, list[str]]:
if len(text) > self._max_length:
return False, [f"input_too_long: {len(text)} chars exceeds {self._max_length} limit"]
return True, []
class GuardrailsPipeline:
"""Complete input/output validation pipeline combining all guardrail layers."""
def __init__(self, policy: Optional[dict] = None, policy_path: Optional[str] = None) -> None:
if policy_path:
with open(policy_path, "r", encoding="utf-8") as fh:
self.policy = json.load(fh)
elif policy:
self.policy = policy
else:
self.policy = DEFAULT_POLICY
# Merge with defaults for any missing keys
for key, value in DEFAULT_POLICY.items():
if key not in self.policy:
self.policy[key] = value
# Initialize guards
self.injection_guard = InjectionGuard(self.policy.get("injection_patterns", []))
self.content_guard = ContentPolicyGuard(
blocked_patterns=self.policy.get("blocked_patterns", []),
blocked_topics=self.policy.get("blocked_topics", []),
)
self.pii_guard = PIIGuard(self.policy.get("pii_patterns", {}))
self.length_guard = LengthGuard(self.policy.get("max_input_length", 4000))
self.output_guard = OutputGuard(
blocked_patterns=self.policy.get("output_blocked_patterns", []),
max_length=self.policy.get("max_output_length", 8000),
)
def validate_input(self, text: str) -> ValidationResult:
start = time.perf_counter()
result = ValidationResult(sanitized_text=text)
all_violations: list[dict] = []
# Layer 1: Length check
length_safe, length_issues = self.length_guard.check(text)
result.layer_results["length_guard"] = {"safe": length_safe, "issues": length_issues}
if not length_safe:
for issue in length_issues:
all_violations.append({"guard": "length", "detail": issue})
# Layer 2: Injection detection
injection_safe, injection_issues = self.injection_guard.check(text)
result.layer_results["injection_guard"] = {"safe": injection_safe, "issues": injection_issues}
if not injection_safe:
for issue in injection_issues:
all_violations.append({"guard": "injection", "detail": issue})
# Layer 3: Content policy
content_safe, content_issues = self.content_guard.check(text)
result.layer_results["content_policy_guard"] = {"safe": content_safe, "issues": content_issues}
if not content_safe:
for issue in content_issues:
all_violations.append({"guard": "content_policy", "detail": issue})
# Layer 4: PII detection and redaction
redacted_text, pii_findings = self.pii_guard.redact(text)
result.pii_detected = pii_findings
result.sanitized_text = redacted_text
result.layer_results["pii_guard"] = {
"pii_found": len(pii_findings),
"types": list(set(f["type"] for f in pii_findings)),
}
if pii_findings:
for finding in pii_findings:
all_violations.append({
"guard": "pii",
"detail": f"detected {finding['type']}",
"severity": "warning",
})
# Compute risk score
critical_violations = sum(1 for v in all_violations if v.get("severity") != "warning")
warning_violations = sum(1 for v in all_violations if v.get("severity") == "warning")
result.risk_score = min(1.0, critical_violations * 0.35 + warning_violations * 0.1)
# Final verdict: block on critical violations, warn on PII-only
result.violations = all_violations
if critical_violations > 0:
result.safe = False
reasons = [v["detail"] for v in all_violations if v.get("severity") != "warning"]
result.blocked_reason = "; ".join(reasons[:3])
else:
result.safe = True
result.validation_time_ms = round((time.perf_counter() - start) * 1000, 2)
return result
def validate_output(self, response: str, original_input: str = "") -> ValidationResult:
start = time.perf_counter()
result = ValidationResult(sanitized_text=response)
all_violations: list[dict] = []
# Check output safety
output_safe, output_issues = self.output_guard.check(response, original_input)
result.layer_results["output_guard"] = {"safe": output_safe, "issues": output_issues}
if not output_safe:
for issue in output_issues:
all_violations.append({"guard": "output", "detail": issue})
# PII redaction on output
redacted_output, pii_findings = self.pii_guard.redact(response)
result.pii_detected = pii_findings
result.sanitized_text = redacted_output
result.violations = all_violations
critical = sum(1 for v in all_violations if "pii_in_output" not in v.get("detail", ""))
result.risk_score = min(1.0, critical * 0.35 + len(pii_findings) * 0.1)
if critical > 0:
result.safe = False
reasons = [v["detail"] for v in all_violations]
result.blocked_reason = "; ".join(reasons[:3])
else:
result.safe = True
result.validation_time_ms = round((time.perf_counter() - start) * 1000, 2)
return result
def validate_pii_only(self, text: str) -> ValidationResult:
start = time.perf_counter()
result = ValidationResult(sanitized_text=text)
redacted_text, pii_findings = self.pii_guard.redact(text)
result.pii_detected = pii_findings
result.sanitized_text = redacted_text
result.safe = len(pii_findings) == 0
if pii_findings:
types_found = list(set(f["type"] for f in pii_findings))
result.blocked_reason = f"PII detected: {', '.join(types_found)}"
result.violations = [{"guard": "pii", "detail": f"detected {f['type']}"} for f in pii_findings]
result.risk_score = min(1.0, len(pii_findings) * 0.15)
result.validation_time_ms = round((time.perf_counter() - start) * 1000, 2)
return result
def format_result_text(result: ValidationResult, label: str = "INPUT") -> str:
"""Format a validation result as human-readable text."""
verdict = "SAFE" if result.safe else "BLOCKED"
lines = [
f"[{label}] Verdict: {verdict}",
f" Risk Score : {result.risk_score:.4f}",
f" Validation Time : {result.validation_time_ms:.2f} ms",
]
if result.blocked_reason:
lines.append(f" Blocked Reason : {result.blocked_reason}")
if result.violations:
lines.append(f" Violations ({len(result.violations)}):")
for v in result.violations[:5]:
severity = v.get("severity", "critical")
lines.append(f" [{severity.upper()}] {v['guard']}: {v['detail']}")
if result.pii_detected:
lines.append(f" PII Detected ({len(result.pii_detected)}):")
for pii in result.pii_detected:
masked = pii["value"][:3] + "***"
lines.append(f" {pii['type']}: {masked}")
lines.append(f" Sanitized Text : {result.sanitized_text[:200]}")
lines.append("-" * 70)
return "\n".join(lines)
def format_result_json(result: ValidationResult) -> str:
"""Format a validation result as JSON."""
data = asdict(result)
data["sanitized_text"] = data["sanitized_text"][:500]
# Mask PII values in JSON output
for pii in data.get("pii_detected", []):
pii["value"] = pii["value"][:3] + "***"
return json.dumps(data, indent=2, default=str)
def main() -> None:
parser = argparse.ArgumentParser(
description="LLM Guardrails Security Agent - input/output validation for LLM applications.",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
python agent.py --input "Tell me how to hack into a network"
python agent.py --input "My SSN is 123-45-6789" --mode pii
python agent.py --file prompts.txt --mode full --output json
python agent.py --input "Question" --response "LLM answer" --mode output-only
python agent.py --input "Some text" --policy custom_policy.json
""",
)
parser.add_argument("--input", "-i", type=str, help="User input to validate")
parser.add_argument("--response", "-r", type=str, help="LLM response to validate (for output-only mode)")
parser.add_argument("--file", "-f", type=str, help="File with one prompt per line to scan")
parser.add_argument(
"--mode", "-m",
choices=["full", "input-only", "output-only", "pii"],
default="full",
help="Validation mode. Default: full",
)
parser.add_argument("--policy", "-p", type=str, help="Path to JSON content policy file")
parser.add_argument(
"--output", "-o",
choices=["text", "json"],
default="text",
help="Output format. Default: text",
)
args = parser.parse_args()
if not args.input and not args.file:
parser.error("Provide either --input or --file")
if args.mode == "output-only" and not args.response:
parser.error("--response is required for output-only mode")
# Initialize pipeline
pipeline = GuardrailsPipeline(policy_path=args.policy)
# Collect inputs
inputs: list[str] = []
if args.input:
inputs.append(args.input)
if args.file:
filepath = Path(args.file)
if not filepath.is_file():
logger.error("File not found: %s", args.file)
sys.exit(1)
with open(filepath, "r", encoding="utf-8") as fh:
for line in fh:
stripped = line.strip()
if stripped:
inputs.append(stripped)
if not inputs:
logger.error("No inputs to validate.")
sys.exit(1)
logger.info("Validating %d input(s) in '%s' mode ...", len(inputs), args.mode)
blocked_count = 0
for idx, user_input in enumerate(inputs, 1):
if args.mode == "pii":
result = pipeline.validate_pii_only(user_input)
label = "PII"
elif args.mode == "output-only":
result = pipeline.validate_output(args.response, original_input=user_input)
label = "OUTPUT"
elif args.mode == "input-only":
result = pipeline.validate_input(user_input)
label = "INPUT"
else:
# Full mode: validate input, then simulate output check
input_result = pipeline.validate_input(user_input)
if args.output == "text":
print(f"\n[{idx}/{len(inputs)}]")
print(format_result_text(input_result, label="INPUT"))
else:
print(format_result_json(input_result))
if not input_result.safe:
blocked_count += 1
# If a response is provided, also validate output
if args.response:
output_result = pipeline.validate_output(args.response, original_input=user_input)
if args.output == "text":
print(format_result_text(output_result, label="OUTPUT"))
else:
print(format_result_json(output_result))
if not output_result.safe:
blocked_count += 1
continue
if not result.safe:
blocked_count += 1
if args.output == "text":
print(f"\n[{idx}/{len(inputs)}]")
print(format_result_text(result, label=label))
else:
print(format_result_json(result))
# Summary
if args.output == "text" and len(inputs) > 1:
print(f"\n{'=' * 70}")
print(f"SUMMARY: {blocked_count}/{len(inputs)} inputs blocked or flagged")
if blocked_count > 0:
sys.exit(2)
sys.exit(0)
if __name__ == "__main__":
main()