Solutions
Every guardrail, on one wire.
Core protection – PII, numeric grounding, format, safety, and metering – is always on. Agent and MCP guards are opt-in per key and per user. Nothing is “overly strict”: a check that isn’t configured simply skips, so ordinary traffic is untouched.
Answers that match the source
The headline check. A deterministic first pass catches botched arithmetic, altered figures, and contradictions at zero model cost; an LLM judge and optional retrieval add fact-checking on top.
Numeric grounding
Recomputes arithmetic, flags numbers that drift from the source, and catches directional contradictions – deterministically, at zero model cost.
Fact & consistency judge
A guard model catches internal contradictions and claims that are false by common world knowledge – the things arithmetic can’t.
External grounding
Verify answers against three independent sources – RAG over your vector store, live web search, or a second-model consilium – each priced into the request.
Sensitive data never leaves unescorted
The proxy screens PII out of outbound requests and restores it on the way back – so the model works with placeholders and the real values never touch the provider.
PII screen & restore
Presidio detects names, emails, cards, SSNs, IBANs and more; each becomes a reversible placeholder the proxy swaps back into the response.
Taint tracking
Because the proxy created the placeholders, it knows exactly which tokens are sensitive – and blocks screened PII or secrets from leaving inside a tool call.
Canary leak detection
A unique marker seeded into the system prompt; if the model ever echoes it back, the instructions leaked and the request is flagged or redacted.
Shape and safety, enforced
Structured output is validated and repaired; unsafe content is blocked or censored; the input is scanned for prompt injection before it ever reaches the model.
Format enforcement
Native structured output plus Outlines/Pydantic validate-and-repair, so downstream code always gets the shape it expects.
Profanity & topic safety
better_profanity plus content-safety classifiers (ShieldGemma, Llama Guard, WildGuard) block or surgically censor unsafe responses.
Injection defense
A deterministic regex pass plus Prompt Guard 2 catch jailbreaks and instruction-override attempts on the input – and on untrusted tool results.
Protection for tool-using loops
Agents resend their entire context on every iteration, so the proxy holds a near-complete trace of the run as it unfolds. Two classes of protection – invariants need no plan; conformance uses the intent that’s already in the context or that you declare.
Tool policy & permission tiers
Per-API-key allow/deny lists, JSON-schema validation, and risk tiers (read < network < write < exec < delete < payment) with escalation and dangerous-argument detection.
Action grounding
A payment’s IBAN, a recipient’s email, an amount – must appear in the run’s sources. A payee that appears nowhere the agent legitimately read is fabricated or injected.
Tool-result injection scan
A tool result is untrusted input; it’s injection-scanned before it can re-enter the model’s context on the next loop.
Loop guard & run budgets
Fingerprints repeated tool calls to catch runaway loops, and enforces hard cost / step / tool ceilings per run – before the next model call spends a token.
Conformance judge
The plan is usually already in the system prompt. A cheap judge checks each tool call against the stated rules – instruction-hierarchy conformance with zero integration.
Sequence policies + n8n import
A declarative ordering grammar (pay requires lookup_vendor, send_email max 3) enforced as a state machine – authored by hand or auto-compiled from an n8n workflow export.
Learned baselines
Observe N runs, fingerprint normal behavior, then flag deviation – the drift declared policies miss when the workflow changes and the policy doesn’t.
MCP manifest pinning
In gateway mode the proxy pins a server’s tool manifest and flags drift – protection against a rug-pulled MCP server.
One pipeline runs inbound checks, calls your model, then runs outbound checks. It’s engineered to keep overhead low; actual latency depends on the checks you enable, your model, and your traffic, so each stage times itself and the dashboard shows the real per-request cost rather than a headline figure. Every guard-model sub-call is priced into the run.
- pii screen
- injection
- tool-result scan
- budget gate
- LLM (OpenAI, Claude, local LLM, etc.)
- format
- grounding
- safety
- tool policy
- permission
- action grounding
- taint
- conformance
- sequence
- pii restore
Point your existing OpenAI-compatible SDK at it – change only the base URL. Works with n8n, LangChain, and MCP clients; PII is screened before anything reaches the model provider.
Allow/deny lists, risk tiers, approval tiers, budgets and sequence policies scoped per API key. Versioned as policy-as-code with rollback.
The reconstructed run graph, per-stage timings, cost burn-down, and honest coverage of which consequential actions were checkpointed.
Hallucination detection
Catch hallucinations before they reach a user
PII leak prevention
PII never reaches the model provider
Prompt injection defense
Untrusted text should never steer your model
Structured output
“Return JSON” should mean valid JSON
Content safety
Unsafe output stops at the boundary
Cost & observability
Measured, not estimated