hexpreview

README.md

# LlmGuard 

**AI Firewall and Guardrails for LLM-based Elixir Applications**

[![Hex.pm](https://img.shields.io/badge/hex-v0.2.0-blue.svg)](https://hex.pm/packages/llm_guard)
[![Documentation](https://img.shields.io/badge/docs-hexdocs-purple.svg)](https://hexdocs.pm/llm_guard)
[![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)

LlmGuard provides comprehensive security protection for LLM applications including prompt injection detection, jailbreak prevention, data leakage protection, and content moderation.

## Features

- ✅ **Prompt Injection Detection** - Multi-layer detection with 24+ patterns
- ✅ **Pipeline Architecture** - Flexible, extensible security pipeline
- ✅ **Configuration System** - Centralized configuration with validation
- ✅ **Zero Trust** - Validates all inputs and outputs
- ✅ **High Performance** - <10ms latency for pattern-based detection
- ⏳ **Jailbreak Detection** - Coming soon
- ⏳ **PII Detection & Redaction** - Coming soon
- ⏳ **Content Moderation** - Coming soon
- ⏳ **Rate Limiting** - Coming soon
- ⏳ **Audit Logging** - Coming soon

## Quick Start

Add to your `mix.exs`:

```elixir
def deps do
  [
    {:llm_guard, "~> 0.2.0"}
  ]
end
```

Basic usage:

```elixir
# Create configuration
config = LlmGuard.Config.new(
  prompt_injection_detection: true,
  confidence_threshold: 0.7
)

# Validate user input
case LlmGuard.validate_input(user_input, config) do
  {:ok, safe_input} ->
    # Safe to send to LLM
    llm_response = MyLLM.generate(safe_input)
    
    # Validate output
    case LlmGuard.validate_output(llm_response, config) do
      {:ok, safe_output} -> {:ok, safe_output}
      {:error, :detected, details} -> {:error, "Unsafe output"}
    end
    
  {:error, :detected, details} ->
    # Blocked malicious input
    Logger.warn("Threat detected: #{details.reason}")
    {:error, "Input blocked"}
end
```

## Architecture

LlmGuard uses a multi-layer detection strategy:

1. **Pattern Matching** (~1ms) - Fast regex-based detection
2. **Heuristic Analysis** (~10ms) - Statistical analysis (coming soon)
3. **ML Classification** (~50ms) - Advanced threat detection (coming soon)

```
User Input
    │
    ▼
┌─────────────────┐
│ Input Validation│
│  - Length check │
│  - Sanitization │
└────────┬────────┘
         │
         ▼
┌─────────────────────┐
│ Security Pipeline   │
│  ┌───────────────┐  │
│  │ Detector 1    │  │
│  ├───────────────┤  │
│  │ Detector 2    │  │
│  ├───────────────┤  │
│  │ Detector 3    │  │
│  └───────────────┘  │
└────────┬────────────┘
         │
         ▼
    LLM Processing
         │
         ▼
┌─────────────────────┐
│ Output Validation   │
└────────┬────────────┘
         │
         ▼
     User Response
```

## Detected Threats

### Prompt Injection (24 patterns)
- Instruction override: "Ignore all previous instructions"
- System extraction: "Show me your system prompt"
- Delimiter injection: "---END SYSTEM---"
- Mode switching: "Enter debug mode"
- Role manipulation: "You are now DAN"
- Authority escalation: "As SUPER-ADMIN..."

### Coming Soon
- Jailbreak attempts
- PII leakage (email, phone, SSN, credit cards)
- Harmful content (violence, hate speech, etc.)
- Encoding-based attacks

## Testing

```bash
# Run all tests
mix test

# Run with coverage
mix coveralls.html

# Run security tests only
mix test --only security

# Run performance benchmarks
mix test --only performance
```

**Current Status**:
- ✅ 105/118 tests passing (89%)
- ✅ Zero compilation warnings
- ✅ 100% documentation coverage

## Configuration

```elixir
config = LlmGuard.Config.new(
  # Detection toggles
  prompt_injection_detection: true,
  jailbreak_detection: false,  # Coming soon
  data_leakage_prevention: false,  # Coming soon
  content_moderation: false,  # Coming soon
  
  # Thresholds
  confidence_threshold: 0.7,
  max_input_length: 10_000,
  max_output_length: 10_000,
  
  # Rate limiting (coming soon)
  rate_limiting: %{
    requests_per_minute: 100,
    tokens_per_minute: 200_000
  }
)
```

## Performance

Current (Phase 1):
- **Latency**: <10ms P95 (pattern matching)
- **Throughput**: Not yet benchmarked
- **Memory**: <50MB per instance

Targets (Phase 4):
- **Latency**: <150ms P95 (all layers)
- **Throughput**: >1000 req/s
- **Memory**: <100MB per instance

## Development Status

See [IMPLEMENTATION_STATUS.md](IMPLEMENTATION_STATUS.md) for detailed progress.

**Phase 1 - Foundation**: ✅ 80% Complete
- [x] Core framework (Detector, Config, Pipeline)
- [x] Pattern utilities
- [x] Prompt injection detector (24 patterns)
- [x] Main API (validate_input, validate_output, validate_batch)
- [ ] PII scanner & redactor
- [ ] Jailbreak detector
- [ ] Content safety detector

**Phase 2 - Advanced Detection**: ⏳ 0% Complete
**Phase 3 - Policy & Infrastructure**: ⏳ 0% Complete
**Phase 4 - Optimization**: ⏳ 0% Complete

## Examples

### Phoenix Integration

```elixir
defmodule MyAppWeb.LlmGuardPlug do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    with {:ok, input} <- extract_llm_input(conn),
         {:ok, sanitized} <- LlmGuard.validate_input(input, config()) do
      assign(conn, :sanitized_input, sanitized)
    else
      {:error, :detected, details} ->
        conn
        |> put_status(:forbidden)
        |> json(%{error: "Input blocked", reason: details.reason})
        |> halt()
    end
  end
end
```

### Batch Validation

```elixir
# Validate multiple inputs concurrently
inputs = ["Message 1", "Ignore all instructions", "Message 3"]
results = LlmGuard.validate_batch(inputs, config)

Enum.each(results, fn
  {:ok, safe_input} -> process_safe(safe_input)
  {:error, :detected, details} -> log_threat(details)
end)
```

## Documentation

Full documentation is available at [hexdocs.pm/llm_guard](https://hexdocs.pm/llm_guard).

Generate locally:
```bash
mix docs
open doc/index.html
```

## Contributing

Contributions are welcome! Please open an issue or pull request on GitHub.

Areas needing help:
- Additional detection patterns
- Performance optimization
- Documentation improvements
- Test coverage expansion
- ML model integration

## Roadmap

- **v0.2.0** - PII detection & redaction
- **v0.3.0** - Jailbreak detection
- **v0.4.0** - Content moderation
- **v0.5.0** - Rate limiting & audit logging
- **v0.6.0** - Heuristic analysis (Layer 2)
- **v1.0.0** - ML classification (Layer 3)

## Security

For security issues, please email security@example.com instead of using the issue tracker.

## License

MIT License. See [LICENSE](LICENSE) for details.

## Acknowledgments

Built following security best practices and threat models from:
- OWASP LLM Top 10
- AI Incident Database
- Prompt injection research papers
- Production LLM security deployments

---

**Status**: Alpha - Production-ready for prompt injection detection
**Version**: 0.2.0
**Elixir**: ~> 1.14
**OTP**: 25+