Skip to content

Releases: PIsberg/llm-fw

v0.3.0

Choose a tag to compare

@PIsberg PIsberg released this 15 Jun 18:30

Added

DLP — broad secret coverage

  • Expanded the DLP secret-redaction dictionary to broad coverage of credentials that must never leave the org: AI/LLM providers (OpenAI, Anthropic, OpenRouter, Groq, xAI, Perplexity, Hugging Face, Replicate, Fireworks, NVIDIA, Anyscale, LangSmith); cloud (broadened AWS key prefixes + secret/session/MWS tokens, Google API/OAuth tokens, Azure Storage keys, DigitalOcean); source control / CI / infra (GitHub fine-grained PATs, GitLab, npm, PyPI, RubyGems, Docker Hub, Vault, Terraform Cloud, Databricks, Atlassian, New Relic, Sentry); and payment / commerce / comms (Stripe restricted + webhook secrets, Square, and others).

Fail-safe

  • Global proxy bypass — LLM_FW_BYPASS=true (proxy.bypass) turns the proxy into a transparent tunnel (no MITM, no detection, no blocking), restoring connectivity instantly if a detection change locks the operator out.

Changed

  • System prompt is now a trusted surface — parsers gained extractSystem() (Anthropic/OpenAI/Cohere/Gemini/Bedrock) and the pipeline excludes the system prompt from injection scanning by default, fixing false-positive blocks on legitimate LLM traffic. Opt back in via detection.scanSystemPrompt.
  • Embedding stage uses a contrastive margin against the benign corpus so injections separate cleanly from benign instructions while preserving cross-lingual recall.
  • Detection recall raised to 100% on the JBB-behaviors set with a lower false-positive rate across JBB, HarmBench, and AdvBench.

Fixed

  • DGA/exfil: the entropy check now also screens the registrable (apex) label, so bare DGA domains are caught.
  • Whitelist now honored — normalizeDomainEntry() strips scheme/path/port/userinfo/leading *.|. and whitespace, so operator entries like https://webhook.site, webhook.site/, and *.example.com actually match.
  • Urdu/Somali injections now have deterministic heuristics like the other hand-coded languages.

Scorecard: 100% TPR / 0% FPR (heuristic + embedding, judge off).

Full changelog: v0.2.0...v0.3.0

0.2.0

Choose a tag to compare

@PIsberg PIsberg released this 12 Jun 18:02

What's new in v0.2.0

Detection — new attack classes

  • Many-shot jailbreak — detects prompts stuffed with fabricated dialogue turns where the faux assistant demonstrates harmful compliance. Blocks on pattern + harmful
    compliance; warns on a benign pasted transcript. (manyShot.*, LLM_FW_MANYSHOT_*)
  • Multi-turn crescendo — catches conversations that escalate over several turns toward harmful content and end on a boundary-pushing directive. Analyzed within the single
    request (no session state needed). (crescendo.*, LLM_FW_CRESCENDO_*)
  • New heuristic rules — refusal-suppression, refusal-override, prefix-injection ("start your reply with 'Sure, here is'"), Skeleton Key, and Policy Puppetry.
  • More obfuscation decoders — Base32 (RFC 4648) and Ascii85 (<~ ~>) added to the candidate extractor.
  • Response-side harmful-compliance scan — audit-only defense-in-depth that flags a response containing a harmful how-to that slipped past the input stages.
    (responseScan.harmfulCompliance, LLM_FW_RESPONSE_HARM_ENABLED)
  • Non-text content scanning — the full Stage 1–3 pipeline now inspects image and document content blocks. Opt-in OCR via Tesseract.js extracts text from images and runs it
    through detection. (detection.nonTextContent.*, LLM_FW_NONTEXT_*)
  • Multilingual injection coverage — attack patterns and the embedding corpus extended to non-English languages; recall verified across language groups.

Trained classifier (generalization layer)

A local ONNX classifier (protectai/deberta-v3-base-prompt-injection-v2, Apache-2.0) is now available as an opt-in Stage 2.5. It roughly doubles recall on held-out benchmarks
with near-zero added false positives, runs entirely locally (no Ollama required), and lazy-loads ~700 MB on first use.

Config: detection.classifier.{enabled,blockThreshold} · LLM_FW_CLASSIFIER_{ENABLED,THRESHOLD}

Note: the benchmark found that using the Ollama judge as a general backstop (judgeUnlessBenign) blocks 27–86% of benign traffic. That mode is now documented as not
recommended; the trained classifier is the precise alternative.

New providers

  • AWS Bedrock — Converse and InvokeModel wire-format parser
  • HuggingFace — updated to the current router.huggingface.co endpoint
  • Cohere — tool result/use extraction implemented
  • Azure OpenAI and regional Vertex tenant hosts now intercepted by default (proxy.interceptDomains, LLM_FW_INTERCEPT_DOMAINS)

Dashboard

  • Image/doc playground — upload any image or file to probe the non-text injection pipeline from the browser
  • Advanced Tuning panel — live numeric/text inputs for every threshold (heuristic, embedding, classifier), DoS rate/token limits, and judge model; every row has an inline
    explanation. All settings persist to ~/.llm-fw/config.json

Performance

  • LRU cache for the embedding stage — repeated or near-identical prompts skip ONNX inference entirely

Benchmark

Phase 1 public benchmark suite (scripts/run-benchmark.ts) with pinned dataset revisions, a per-class CI scorecard gate, and an honest scorecard at docs/BENCHMARK.md.

Scorecard: 110 attacks · 16 classes · 100% TPR · 0% FPR (heuristic + embedding, judge off)


Changed

  • setup / setup-judge write to ~/.llm-fw/config.json via read-merge — no longer clobbering existing config; judge settings now persist machine-wide
  • setup no longer disables IDE TLS verification (http.proxyStrictSSL)
  • LLM_FW_DIR is now honoured by every consumer (CA, pid, config, whitelist, model cache)
  • setup accepts --judge / --no-judge and skips the interactive prompt on non-TTY stdin

Fixed

  • Dropped google.com / googleusercontent.com from the outbound URL-filter allowlist
  • Embedding stage no longer warns on empty/whitespace-only input
  • Persona-anchor heuristic reworded to eliminate false positives on benign AI-assistant responses

Full diff: v0.1.0...v0.2.0

v0.1.0

Choose a tag to compare

@PIsberg PIsberg released this 09 Jun 16:32
4cde28d

Initial release of llm-fw � a local LLM prompt-injection firewall.

See CHANGELOG.md for the full feature list.

Published to npm with provenance by the Publish to npm workflow.