npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@sandrobuilds/tracerney

v0.10.1

Published

Lightweight prompt injection detection with 933 patterns (259 core + 675 Garak). Layer 1 pattern matching (<0.021ms) + optional Layer 2 (AI verification). Runs 100% locally with zero data storage.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

sandrosaricsandrosaric

Keywords

prompt-injectionsecurityllmsentinelproxyopenrouterddd

Readme

Tracerney

Lightweight prompt injection detection for LLM applications. Runs 100% locally with zero data leaving your server.

🚀 Explore the full platform at tracerney.com — includes dashboard, analytics, and API management.

Install

npm install @sandrobuilds/tracerney

Usage

import { Tracerney } from '@sandrobuilds/tracerney';

const shield = new Tracerney();

const result = await shield.scanPrompt(userInput);

if (result.suspicious) {
  console.log('⚠️ Suspicious:', result.patternName);
  // Handle flagged prompt (log, block, rate-limit, etc.)
}

What's Included

  • 933 attack patterns — comprehensive prompt injection and jailbreak detection
    • 259 core forensic patterns (system overrides, prompt leaks, code execution, etc.)
    • 675 real-world variants from Garak security research
  • Local detection — <0.021ms latency per prompt, zero network overhead
  • Zero dependencies — single npm package, 100% local processing
  • Privacy-first — no data leaves your server, zero data storage
  • Egress & PII scanning — detects API keys, secrets, emails, and data exfiltration attempts

Result Object

Layer 1 (Pattern Detection)

{
  suspicious: boolean;     // true if pattern matched
  patternName?: string;    // e.g., "Ignore Instructions"
  severity?: string;       // "CRITICAL" | "HIGH" | "MEDIUM" | "LOW"
  blocked: boolean;        // false (Layer 1 only marks suspicious)
}

Layer 2 (LLM Sentinel)

{
  action: "BLOCK" | "ALLOW";     // Final decision from LLM Sentinel
  confidence: number;             // 0.0 to 1.0 confidence score
  class: string;                  // Threat classification (e.g., "jailbreak_llm_detected")
  fingerprint: string;            // Unique threat identifier for tracking
}

Detected Patterns

Core Patterns (259)

  • Instruction overrides ("ignore all instructions")
  • Role-play jailbreaks ("act as unrestricted AI")
  • Hypothetical constraint bypass ("what would you do without constraints?")
  • System prompt exfiltration
  • Context confusion attacks
  • Data extraction attempts
  • Code execution risks
  • And 251 more forensic patterns...

Garak Research Patterns (675)

  • Advanced jailbreak variants from real-world research
  • DAN (Do Anything Now) attack variations
  • Sophisticated prompt injection techniques
  • Encoding-based evasion patterns
  • Character-based constraint bypass
  • Multi-turn attack sequences
  • And 670+ more variants from security research...

Multi-Layer Runtime Defense

Layer 1: Pattern Matching

  • 933 total patterns — 259 core + 675 Garak research patterns
  • <0.021ms detection on modern hardware (238x faster than target)
  • Zero network overhead
  • 100% local processing
  • Detects: instruction overrides, role-play jailbreaks, context confusion, code execution risks, data extraction attempts, and more

Layer 1 also runs a deterministic egress and PII scan on every prompt before the injection patterns fire. If a match is found, it returns suspicious: true with a label and reason — the SDK never decides the penalty, the developer does.

const result = await tracer.scanPrompt(input);

if (result.suspicious) {
  console.log(result.label);  // "SUSPICIOUS_EGRESS" | "SUSPICIOUS_SECRET" | "SUSPICIOUS_PII"
  console.log(result.reason); // "Detected 1 finding(s): Markdown Image with URL Query Params"

  // Your policy, your call:
  if (result.label === 'SUSPICIOUS_EGRESS') {
    return NextResponse.json({ error: 'Security violation' }, { status: 400 });
  }
}

Egress findings never reach Layer 2 — they are binary and deterministic. A markdown image tag smuggling data in query params either exists or it doesn't. Layer 2 is reserved for probabilistic threats where a regex alone cannot make a confident call.

Garak Attack Pattern Dataset

Includes 675 patterns from the Garak security research dataset, covering real-world prompt injection variants discovered through automated fuzzing and empirical testing.

Coverage includes:

  • 648 real-world variants from in-the-wild attacks
  • 12 DAN (Do Anything Now) attack variations
  • 3 AutoDAN patterns
  • 12 advanced prompt injection techniques

All patterns are deterministic regex matches — no behavioral changes, sub-millisecond latency. The SDK remains 100% local with zero data storage.

Layer 2: LLM Sentinel (Optional)

  • AI-powered response verification — LLM-based analysis for novel attack patterns
  • Context-aware scanning — understands your application's specific security policies
  • Delimiter salting — prevents prompt injection through response boundaries
  • Zero prompt storage — responses are analyzed in-memory, never saved or logged
  • Structured threat metadata — detailed fingerprints for audit trails and tracking
  • Advanced rate limiting — prevents cost spikes with intelligent throttling

Layer 2: LLM Sentinel Deep Dive

Layer 2 adds advanced security with LLM Sentinel, an AI-powered verification system that analyzes LLM responses for injection patterns and validates output safety. Combines local pattern detection (Layer 1) with server-side verification for defense-in-depth protection.

How Layer 1 & Layer 2 Work Together

| Layer 1: Pattern Detection | Layer 2: LLM Sentinel (Optional) | |---|---| | 933 patterns (local) | Server-side verification | | Pattern matching | Output validation | | <0.021ms latency | JSON safety checks | | No data leaves device | Delimiter salting | | Zero network calls | Context-aware analysis |

Enabling Layer 2 (Optional)

Layer 2 is optional. Initialize with LLM Sentinel for additional AI-powered verification:

const shield = new Tracerney({
  apiKey: process.env.TRACERNEY_API_KEY,
  sentinelEnabled: true,
});

Layer 2 is automatically configured to use the hosted LLM Sentinel service.

Custom Layer 2 Configuration (Self-Hosted)

Want to self-host or use a custom backend? Override the sentinel endpoint:

const shield = new Tracerney({
  apiKey: process.env.TRACERNEY_API_KEY,
  sentinelEnabled: true,
  baseUrl: process.env.TRACERNEY_BASE_URL, // e.g., http://localhost:3000
  sentinelEndpoint: process.env.TRACERNEY_SENTINEL_ENDPOINT, // e.g., /api/v1/verify-prompt
});

You can build your own verification endpoint using the same pattern as our hosted service.

Scanning with Layer 2

With Layer 2 enabled, scanPrompt validates both input and LLM responses. Handle errors appropriately:

try {
  // Scan input (Layer 1 + Layer 2)
  const result = await tracer.scanPrompt(userInput);
  // If we get here, input is safe. Call LLM
  const llmResponse = await llm.chat(userInput);
  // Verify LLM output wasn't compromised
  const outputCheck = await tracer.verifyOutput(llmResponse);
  return llmResponse;
} catch (err) {
  if (err instanceof ShieldBlockError) {
    return NextResponse.json(
      { error: "Input content is flagged as suspicious" },
      { status: 400 }
    );
  }
  throw err;
}

API Response Format

The verify-prompt endpoint returns structured responses. Success (HTTP 200) includes classification, confidence, and fingerprint. Errors include specific error codes and messages.

✅ Content is Safe (HTTP 200)

{
  "action": "ALLOW",
  "confidence": 0.15,
  "class": "safe_content",
  "fingerprint": "a3f7k2"
}

🔴 Content is Blocked (HTTP 200)

{
  "action": "BLOCK",
  "confidence": 0.99,
  "class": "jailbreak_semantic_pattern",
  "fingerprint": "c1p5n3"
}

⚠️ Quota Exceeded (HTTP 402)

{
  "blocked": true,
  "reason": "scan_limit_exceeded",
  "scansUsed": 50,
  "limit": 50,
  "message": "Free plan limit reached (50/month)..."
}

Production Usage

Basic Setup (Layer 1 only)

const shield = new Tracerney();

Optimized for Production

const shield = new Tracerney({
  enableTelemetry: false,   // Disable if not using backend
  sentinelEnabled: false    // Disable if not using Layer 2
});

With Layer 2 (Advanced)

const shield = new Tracerney({
  sentinelEnabled: true,
  apiKey: process.env.TRACERNEY_API_KEY
});

License

MIT