Releases: PIsberg/llm-fw
Release list
v0.3.0
Added
DLP — broad secret coverage
- Expanded the DLP secret-redaction dictionary to broad coverage of credentials that must never leave the org: AI/LLM providers (OpenAI, Anthropic, OpenRouter, Groq, xAI, Perplexity, Hugging Face, Replicate, Fireworks, NVIDIA, Anyscale, LangSmith); cloud (broadened AWS key prefixes + secret/session/MWS tokens, Google API/OAuth tokens, Azure Storage keys, DigitalOcean); source control / CI / infra (GitHub fine-grained PATs, GitLab, npm, PyPI, RubyGems, Docker Hub, Vault, Terraform Cloud, Databricks, Atlassian, New Relic, Sentry); and payment / commerce / comms (Stripe restricted + webhook secrets, Square, and others).
Fail-safe
- Global proxy bypass —
LLM_FW_BYPASS=true(proxy.bypass) turns the proxy into a transparent tunnel (no MITM, no detection, no blocking), restoring connectivity instantly if a detection change locks the operator out.
Changed
- System prompt is now a trusted surface — parsers gained
extractSystem()(Anthropic/OpenAI/Cohere/Gemini/Bedrock) and the pipeline excludes the system prompt from injection scanning by default, fixing false-positive blocks on legitimate LLM traffic. Opt back in viadetection.scanSystemPrompt. - Embedding stage uses a contrastive margin against the benign corpus so injections separate cleanly from benign instructions while preserving cross-lingual recall.
- Detection recall raised to 100% on the JBB-behaviors set with a lower false-positive rate across JBB, HarmBench, and AdvBench.
Fixed
- DGA/exfil: the entropy check now also screens the registrable (apex) label, so bare DGA domains are caught.
- Whitelist now honored —
normalizeDomainEntry()strips scheme/path/port/userinfo/leading*.|.and whitespace, so operator entries likehttps://webhook.site,webhook.site/, and*.example.comactually match. - Urdu/Somali injections now have deterministic heuristics like the other hand-coded languages.
Scorecard: 100% TPR / 0% FPR (heuristic + embedding, judge off).
Full changelog: v0.2.0...v0.3.0
0.2.0
What's new in v0.2.0
Detection — new attack classes
- Many-shot jailbreak — detects prompts stuffed with fabricated dialogue turns where the faux assistant demonstrates harmful compliance. Blocks on pattern + harmful
compliance; warns on a benign pasted transcript. (manyShot.*,LLM_FW_MANYSHOT_*) - Multi-turn crescendo — catches conversations that escalate over several turns toward harmful content and end on a boundary-pushing directive. Analyzed within the single
request (no session state needed). (crescendo.*,LLM_FW_CRESCENDO_*) - New heuristic rules — refusal-suppression, refusal-override, prefix-injection ("start your reply with 'Sure, here is'"), Skeleton Key, and Policy Puppetry.
- More obfuscation decoders — Base32 (RFC 4648) and Ascii85 (
<~ ~>) added to the candidate extractor. - Response-side harmful-compliance scan — audit-only defense-in-depth that flags a response containing a harmful how-to that slipped past the input stages.
(responseScan.harmfulCompliance,LLM_FW_RESPONSE_HARM_ENABLED) - Non-text content scanning — the full Stage 1–3 pipeline now inspects image and document content blocks. Opt-in OCR via Tesseract.js extracts text from images and runs it
through detection. (detection.nonTextContent.*,LLM_FW_NONTEXT_*) - Multilingual injection coverage — attack patterns and the embedding corpus extended to non-English languages; recall verified across language groups.
Trained classifier (generalization layer)
A local ONNX classifier (protectai/deberta-v3-base-prompt-injection-v2, Apache-2.0) is now available as an opt-in Stage 2.5. It roughly doubles recall on held-out benchmarks
with near-zero added false positives, runs entirely locally (no Ollama required), and lazy-loads ~700 MB on first use.
Config: detection.classifier.{enabled,blockThreshold} · LLM_FW_CLASSIFIER_{ENABLED,THRESHOLD}
Note: the benchmark found that using the Ollama judge as a general backstop (
judgeUnlessBenign) blocks 27–86% of benign traffic. That mode is now documented as not
recommended; the trained classifier is the precise alternative.
New providers
- AWS Bedrock — Converse and InvokeModel wire-format parser
- HuggingFace — updated to the current
router.huggingface.coendpoint - Cohere — tool result/use extraction implemented
- Azure OpenAI and regional Vertex tenant hosts now intercepted by default (
proxy.interceptDomains,LLM_FW_INTERCEPT_DOMAINS)
Dashboard
- Image/doc playground — upload any image or file to probe the non-text injection pipeline from the browser
- Advanced Tuning panel — live numeric/text inputs for every threshold (heuristic, embedding, classifier), DoS rate/token limits, and judge model; every row has an inline
explanation. All settings persist to~/.llm-fw/config.json
Performance
- LRU cache for the embedding stage — repeated or near-identical prompts skip ONNX inference entirely
Benchmark
Phase 1 public benchmark suite (scripts/run-benchmark.ts) with pinned dataset revisions, a per-class CI scorecard gate, and an honest scorecard at docs/BENCHMARK.md.
Scorecard: 110 attacks · 16 classes · 100% TPR · 0% FPR (heuristic + embedding, judge off)
Changed
setup/setup-judgewrite to~/.llm-fw/config.jsonvia read-merge — no longer clobbering existing config; judge settings now persist machine-widesetupno longer disables IDE TLS verification (http.proxyStrictSSL)LLM_FW_DIRis now honoured by every consumer (CA, pid, config, whitelist, model cache)setupaccepts--judge/--no-judgeand skips the interactive prompt on non-TTY stdin
Fixed
- Dropped
google.com/googleusercontent.comfrom the outbound URL-filter allowlist - Embedding stage no longer warns on empty/whitespace-only input
- Persona-anchor heuristic reworded to eliminate false positives on benign AI-assistant responses
Full diff: v0.1.0...v0.2.0
v0.1.0
Initial release of llm-fw � a local LLM prompt-injection firewall.
See CHANGELOG.md for the full feature list.
Published to npm with provenance by the Publish to npm workflow.