@llm-guardrails/core
v0.4.1
Published
TypeScript-native LLM guardrails with behavioral analysis, budget controls, and topic gating. Zero runtime dependencies. 100% test pass rate.
Maintainers
webtacularsReadme
LLM Guardrails
Protect your AI applications from prompt injection, data leaks, and abuse in just 3 lines of code
Status: ✅ Production Ready (v0.4.0) | 🚀 12μs average latency | ⚡ 80,000 checks/sec
The first TypeScript-native guardrails system with zero dependencies, combining ultra-fast content scanning, behavioral threat detection, budget controls, and topic gating in one unified package.
Quick Links: Installation • Why Choose This? • Quick Start • Features • Integrations • Docs
⚡ 3-Second Start
Protect your LLM app in 3 lines:
import { GuardrailEngine } from '@llm-guardrails/core';
const engine = new GuardrailEngine({ guards: ['injection', 'pii', 'toxicity'] });
const result = await engine.checkInput(userMessage);
if (result.blocked) throw new Error(result.reason);That's it! Your app is now protected from prompt injection, data leaks, and toxic content.
📦 Installation
npm install @llm-guardrails/coreZero runtime dependencies - No bloat, no supply chain risks.
🎯 Why Choose This?
The Only Complete TypeScript Guardrails Solution
| Feature | @llm-guardrails | MoltGuard | Aegis SDK | AI Warden | LLM Guard | |---------|---------------------|-----------|-----------|-----------|-----------| | Language | TypeScript | TypeScript | TypeScript | TypeScript | Python | | Performance | 🥇 12μs (0.012ms) | ~50-100ms | ~50-100ms | API-based | 50-200ms | | Dependencies | 🥇 0 | 5+ | 8+ | Unknown | 50+ | | Guard Count | 11 guards | ~4 guards | Injection only | 2-3 guards | 8 guards | | Behavioral Analysis | ✅ 15+ patterns | ❌ No | ❌ No | ❌ No | ❌ No | | Budget Controls | ✅ 20+ models | ❌ No | ❌ No | ❌ No | ❌ No | | L3 LLM Validation | ✅ 5 providers | ❌ No | ❌ No | ❌ No | ❌ No | | Topic Gating | ✅ Yes | ❌ No | ❌ No | ❌ No | ❌ No | | Test Pass Rate | 🥇 100% (433/433) | Unknown | Unknown | Unknown | ~90% |
Key Advantages:
- ✅ 10-1000x faster - 12μs vs 50-200ms (TypeScript) or seconds (Python)
- ✅ Most comprehensive - 11 guards vs 2-4 in competitors
- ✅ Only library with behavioral threat detection - Track cross-message attack patterns
- ✅ Only library with budget controls - Track costs for 20+ LLM models
- ✅ Only library with topic gating - Filter domain-specific requests
- ✅ Zero dependencies - No supply chain vulnerabilities
- ✅ 100% test pass rate - Validated against real-world attacks
🚀 Quick Start
Basic Usage
import { GuardrailEngine } from '@llm-guardrails/core';
// Simple string-based API
const engine = new GuardrailEngine({
guards: ['injection', 'pii', 'secrets', 'toxicity'],
level: 'standard', // 'basic' | 'standard' | 'advanced'
});
// Check input
const result = await engine.checkInput('My email is [email protected]');
if (result.blocked) {
console.log(`❌ Blocked: ${result.reason}`);
} else {
console.log('✅ Safe to proceed');
}Output Guard Protection
Protect agent responses from leaking sensitive information:
import { GuardrailEngine } from '@llm-guardrails/core';
const engine = new GuardrailEngine({
guards: ['leakage', 'secrets'],
outputBlockStrategy: 'block',
blockedMessage: 'I cannot share that information',
});
// Check agent output before returning to user
const agentResponse = await callYourLLM(userInput);
const outputCheck = await engine.checkOutput(agentResponse);
if (outputCheck.blocked) {
return outputCheck.sanitized; // Safe message
} else {
return agentResponse; // Original response
}Custom Sensitive Terms
Block project-specific terms in responses:
const engine = new GuardrailEngine({
guards: [
{
name: 'leakage',
config: {
customTerms: ['MyInternalFramework', 'SecretProjectName'],
},
},
],
outputBlockStrategy: 'block',
});Configurable Failure Modes
Balance security vs availability:
const engine = new GuardrailEngine({
guards: ['injection', 'pii', 'leakage'],
failMode: {
mode: 'open', // Default: prefer availability
perGuard: {
'injection': 'closed', // Critical: always block on error
'leakage': 'closed',
},
},
});Advanced: Full Control
import { GuardrailEngine, PIIGuard, InjectionGuard, DETECTION_PRESETS } from '@llm-guardrails/core';
const engine = new GuardrailEngine({
guards: [
new PIIGuard(DETECTION_PRESETS.standard),
new InjectionGuard(DETECTION_PRESETS.standard),
],
onBlock: (result) => {
console.error(`Blocked by ${result.guard}: ${result.reason}`);
},
});Topic Gating (Domain-Specific Filtering)
Block off-topic requests for domain-specific chatbots:
const engine = new GuardrailEngine({
guards: [
{
name: 'topic-gating',
config: {
// Fast keyword-based filtering (L1/L2)
blockedKeywords: ['equation', 'solve', 'code', 'function'],
allowedKeywords: ['pricing', 'order', 'support', 'product'],
// Semantic topic descriptions (L3 LLM validation)
blockedTopicsDescription: 'Math problems, coding questions, trivia',
allowedTopicsDescription: 'Product questions, pricing, support',
},
},
'pii', // Add other guards
],
});
// Blocks: "What is 2+2?" or "Write me a function"
// Allows: "What is your pricing?" or "How do I place an order?"Prefilter Mode (Fast L1+L2 Only)
For cost-sensitive scenarios, disable L3 LLM validation:
const engine = new GuardrailEngine({
guards: ['injection', 'pii', 'secrets'],
prefilterMode: true, // Only use L1+L2 (< 5ms), never L3 (50-200ms)
level: 'advanced',
});
// Runs only L1+L2 detection - perfect for high-volume or cost-constrained appsSee Documentation for Behavioral Analysis, Budget Controls, and L3 LLM Validation setup.
🛡️ What You Get
11 Content Guards (100% Test Pass Rate)
- PIIGuard - 10+ PII types (emails, phones, SSNs, credit cards, etc.)
- InjectionGuard - 100+ patterns (DAN, translation, markdown, DEBUG)
- SecretGuard - API keys, AWS credentials, tokens (entropy + context)
- ToxicityGuard - Personal attacks, threats, harassment
- LeakageGuard - System prompt extraction, diagnostic requests
- HateSpeechGuard - Slurs, discrimination, violence incitement
- BiasGuard - Gender stereotypes, age bias, appearance-based discrimination
- AdultContentGuard - NSFW content filtering
- CopyrightGuard - Long verbatim text, copyright markers
- ProfanityGuard - Profanity detection with count-based scoring
- TopicGatingGuard - Domain-specific topic filtering (math, coding, trivia, etc.)
Hybrid L1/L2/L3 Detection System
User Input → L1 (12μs, 85% catch) → L2 (2ms, 95% accuracy) → L3 (150ms, 97% accuracy)
↑ Only 1% escalate here- L1: Fast keyword checks (12μs)
- L2: 100+ compiled regex patterns (2ms) - 100% on test suite
- L3: Optional LLM validation (5 providers: Anthropic, OpenAI, LiteLLM, Vertex, Bedrock)
Performance: 12μs average latency • 80,000 checks/sec • 100% test pass rate
Behavioral Analysis (15+ Patterns)
Track cross-message attack patterns:
- 🔴 Critical: file-exfiltration, credential-theft, backdoor-creation, log-tampering
- 🟠 High: escalation-attempts, secret-scanning
- 🟡 Medium: mass-data-access, permission-probing
- ...and 7 more patterns
Budget System
- Per-session/per-user cost limits
- 20+ models supported (GPT, Claude, Gemini, Mistral, Cohere, Llama)
- Real-time pricing and token counting
- Alert thresholds
See Documentation for complete feature details.
🔌 Integration Examples
Next.js API Route
import { GuardrailEngine } from '@llm-guardrails/core';
import OpenAI from 'openai';
const engine = new GuardrailEngine({ guards: ['injection', 'pii'] });
const openai = new OpenAI();
export async function POST(req: Request) {
const { message } = await req.json();
// Check input before sending to LLM
const check = await engine.checkInput(message);
if (check.blocked) {
return Response.json({ error: check.reason }, { status: 400 });
}
const completion = await openai.chat.completions.create({
model: 'gpt-4o-mini',
messages: [{ role: 'user', content: message }],
});
return Response.json({ reply: completion.choices[0].message.content });
}Express.js Server
import express from 'express';
import { GuardrailEngine } from '@llm-guardrails/core';
const app = express();
const engine = new GuardrailEngine({ guards: ['injection', 'pii', 'toxicity'] });
app.post('/chat', async (req, res) => {
const result = await engine.checkInput(req.body.message);
if (result.blocked) {
return res.status(400).json({ error: result.reason });
}
// Continue with your LLM call...
const reply = await yourLLM.complete(req.body.message);
res.json({ reply });
});Mastra AI Agent (1 Line)
import { Agent } from '@mastra/core';
import { quickGuard } from '@llm-guardrails/mastra';
const agent = new Agent({ name: 'Support Bot' });
const guardedAgent = quickGuard(agent, 'production'); // ✨ One line!
const response = await guardedAgent.generate(userInput); // Protected!More integrations: OpenAI SDK • Anthropic SDK • LiteLLM (100+ models) • Mastra
📚 Documentation
Core Guides
- Documentation Hub - Complete documentation index
- Getting Started - Installation and first steps
- API Reference - Complete API documentation
Integrations
- OpenAI SDK - Drop-in replacement (1 line change)
- Anthropic SDK - Drop-in replacement (1 line change)
- LiteLLM - Access 100+ models (Anthropic, OpenAI, Gemini, Ollama, etc.)
- Mastra - Protect Mastra AI agents
- Integration Comparison - Choose the right approach
Advanced
- L3 LLM Validation - 96-97% accuracy with 5 LLM providers
- Behavioral Patterns - Cross-message threat detection
- Performance Guide - Achieve 12μs latency, 80K checks/sec
- Examples - 15+ working code examples
🤝 Contributing
Contributions welcome! This project is under active development.
# Clone
git clone https://github.com/llm-guardrails/llm-guardrails.git
# Install
npm install
# Test
npm test
# Build
npm run build📄 License
MIT © 2025
🙏 Acknowledgments
Validated against and inspired by:
- LLM Guard (ProtectAI) - Python library with comprehensive guard patterns
- OpenAI Guardrails - Industry standard test cases and patterns
- Guardrails AI - Validation framework concepts
- MoltGuard (@openguardrails) - TypeScript guardrails reference
- Aegis SDK - Streaming-first defense patterns
Built from scratch in TypeScript for optimal architecture, zero technical debt, and zero dependencies.