Skip to content
in/guard/out
in/guard/out

Solutions

Every guardrail, on one wire.

Core protection – PII, numeric grounding, format, safety, and metering – is always on. Agent and MCP guards are opt-in per key and per user. Nothing is “overly strict”: a check that isn’t configured simply skips, so ordinary traffic is untouched.

§01 Hallucination prevention & fact-checking

Answers that match the source

The headline check. A deterministic first pass catches botched arithmetic, altered figures, and contradictions at zero model cost; an LLM judge and optional retrieval add fact-checking on top.

Numeric grounding

Recomputes arithmetic, flags numbers that drift from the source, and catches directional contradictions – deterministically, at zero model cost.

Fact & consistency judge

A guard model catches internal contradictions and claims that are false by common world knowledge – the things arithmetic can’t.

External grounding

Verify answers against three independent sources – RAG over your vector store, live web search, or a second-model consilium – each priced into the request.

§02 Data protection

Sensitive data never leaves unescorted

The proxy screens PII out of outbound requests and restores it on the way back – so the model works with placeholders and the real values never touch the provider.

PII screen & restore

Presidio detects names, emails, cards, SSNs, IBANs and more; each becomes a reversible placeholder the proxy swaps back into the response.

Taint tracking

Because the proxy created the placeholders, it knows exactly which tokens are sensitive – and blocks screened PII or secrets from leaving inside a tool call.

Canary leak detection

A unique marker seeded into the system prompt; if the model ever echoes it back, the instructions leaked and the request is flagged or redacted.

§03 Output control

Shape and safety, enforced

Structured output is validated and repaired; unsafe content is blocked or censored; the input is scanned for prompt injection before it ever reaches the model.

Format enforcement

Native structured output plus Outlines/Pydantic validate-and-repair, so downstream code always gets the shape it expects.

Profanity & topic safety

better_profanity plus content-safety classifiers (ShieldGemma, Llama Guard, WildGuard) block or surgically censor unsafe responses.

Injection defense

A deterministic regex pass plus Prompt Guard 2 catch jailbreaks and instruction-override attempts on the input – and on untrusted tool results.

§04 AI Agents & MCP

Protection for tool-using loops

Agents resend their entire context on every iteration, so the proxy holds a near-complete trace of the run as it unfolds. Two classes of protection – invariants need no plan; conformance uses the intent that’s already in the context or that you declare.

Tool policy & permission tiers

Per-API-key allow/deny lists, JSON-schema validation, and risk tiers (read < network < write < exec < delete < payment) with escalation and dangerous-argument detection.

Action grounding

A payment’s IBAN, a recipient’s email, an amount – must appear in the run’s sources. A payee that appears nowhere the agent legitimately read is fabricated or injected.

Tool-result injection scan

A tool result is untrusted input; it’s injection-scanned before it can re-enter the model’s context on the next loop.

Loop guard & run budgets

Fingerprints repeated tool calls to catch runaway loops, and enforces hard cost / step / tool ceilings per run – before the next model call spends a token.

Conformance judge

The plan is usually already in the system prompt. A cheap judge checks each tool call against the stated rules – instruction-hierarchy conformance with zero integration.

Sequence policies + n8n import

A declarative ordering grammar (pay requires lookup_vendor, send_email max 3) enforced as a state machine – authored by hand or auto-compiled from an n8n workflow export.

Learned baselines

Observe N runs, fingerprint normal behavior, then flag deviation – the drift declared policies miss when the workflow changes and the policy doesn’t.

MCP manifest pinning

In gateway mode the proxy pins a server’s tool manifest and flags drift – protection against a rug-pulled MCP server.

§05 How it works

One pipeline runs inbound checks, calls your model, then runs outbound checks. It’s engineered to keep overhead low; actual latency depends on the checks you enable, your model, and your traffic, so each stage times itself and the dashboard shows the real per-request cost rather than a headline figure. Every guard-model sub-call is priced into the run.

Inbound
before your model
  • pii screen
  • injection
  • tool-result scan
  • budget gate
Upstream
the model call
  • LLM (OpenAI, Claude, local LLM, etc.)
Outbound
after your model
  • format
  • grounding
  • safety
  • tool policy
  • permission
  • action grounding
  • taint
  • conformance
  • sequence
  • pii restore
§06 Integrate & operate
Drop-in integration

Point your existing OpenAI-compatible SDK at it – change only the base URL. Works with n8n, LangChain, and MCP clients; PII is screened before anything reaches the model provider.

Policy per key & user

Allow/deny lists, risk tiers, approval tiers, budgets and sequence policies scoped per API key. Versioned as policy-as-code with rollback.

A dashboard that shows the run

The reconstructed run graph, per-stage timings, cost burn-down, and honest coverage of which consequential actions were checkpointed.