Source of truth: Last updated: 2026-05-13 — v3.8.0

) and upstream responses ().

fail-open: if a guardrail throws while executing, the registry records the error and continues with the next guardrail rather than failing the request. Blocking is an explicit decision (), never an accident.

→ ):

		+

first.

)

non-vision models and replaces the image parts with text descriptions produced by a configurable vision model before the upstream call. This lets text-only providers transparently handle multimodal payloads.

).
1. . Skip if none.
2. (, , , , ).
3. , call the vision model in parallel (), and inject text parts in their place — failed images become .
4. + meta (, , ).

. The guardrail exposes a constructor option so tests can inject fake and implementations.

)

both stages.

clones the payload, walks , , and arrays, and applies (from ) to string / fields. When and , detected PII is stripped/redacted in the outbound payload. Otherwise the call records detection counts without rewriting content.
• deep-clones the response, runs plus the Responses-API-shape masker ( — covers and ). If any redaction occurs, the modified response replaces the original.

, ) or rewrites.

)

			, guardrail short-circuits.
	/		, , or .
	option

from (shared detector set used elsewhere in the pipeline).
1. (currently and , both severity).
2. passed via constructor options (strings, regex, or records).

and at least one detection meets the severity threshold, returns . In / modes the guardrail logs but allows the call. The shared helper is also exported for callers that need to evaluate prompts without going through the registry.

)

class BaseGuardrail {
  enabled: boolean;
  name: string;
  priority: number;

  constructor(name: string, options?: { enabled?: boolean; priority?: number });

  async preCall(payload: unknown, context: GuardrailContext): Promise<GuardrailResult | void>;

  async postCall(response: unknown, context: GuardrailContext): Promise<GuardrailResult | void>;
}

interface GuardrailResult<TValue = unknown> {
  block?: boolean; // true short-circuits the chain
  message?: string; // surfaced when blocking
  meta?: Record<string, unknown> | null;
  modifiedPayload?: TValue; // returned by preCall to rewrite the request
  modifiedResponse?: TValue; // returned by postCall to rewrite the response
}

interface GuardrailContext {
  apiKeyInfo?: Record<string, unknown> | null;
  disabledGuardrails?: string[] | null;
  endpoint?: string | null;
  headers?: Headers | Record<string, unknown> | null;
  log?: GuardrailLog | Console | null;
  method?: string | null;
  model?: string | null;
  provider?: string | null;
  sourceFormat?: string | null;
  stream?: boolean;
  targetFormat?: string | null;
}

, , or . Returning a / replaces the value flowing through the chain for downstream guardrails.

)

exposes:

— adds (or replaces by normalized name) a guardrail and re-sorts by ascending .
• / — administrative helpers.
• — iterates active guardrails, threads the payload through , and stops on the first .
• — same flow on the response side.
• — clears state and optionally re-registers the defaults for clean test isolation.

where is an array of records that include per-guardrail , , , , and fields, useful for tracing.

aggregates a de-duplicated list of guardrail names that should be skipped for the current request. Sources (all optional, all merged):

• (top-level)
• (or legacy )

→ ). The result is passed through to the registry, which skips matching guardrails ( in ).

and :

builds the skip list from API key, body, and headers.
1. runs guardrails in ascending priority order:
   .
   • may rewrite the payload via .
   • short-circuits the chain and the handler returns a guardrail rejection response.
3. runs the same chain on the response. here drops the upstream response.

and logged via , but the chain continues — fail-open by design.

		to disable detection entirely.
	,	, , , or .
		.
		+ mode , request PII is stripped.
/	(downstream)

), not env vars: , , , , . Defaults live in .

import { BaseGuardrail, guardrailRegistry } from "@/lib/guardrails";

class BudgetGuardrail extends BaseGuardrail {
  constructor() {
    super("budget", { priority: 50 });
  }

  async preCall(payload, ctx) {
    if (ctx.apiKeyInfo?.budgetExceeded) {
      return { block: true, message: "Daily budget exceeded" };
    }
    return { block: false };
  }
}

guardrailRegistry.register(new BudgetGuardrail());

extending .
1. and/or .
2. ) or call at runtime — the registry replaces any prior guardrail with the same normalized name.
3. (existing examples: , , ).

between tests to start from a known state. Pass to start with an empty registry and register only the guardrails under test. The Vision Bridge guardrail accepts dependency injection (, ) so tests can exercise the full flow without DB or network access.

— implementation
• — shared detector that powers prompt-injection and PII masking
• — Vision Bridge defaults and forced-bridge model list
• — orthogonal layer (circuit breaker, cooldowns)
• — full env var reference