0.2.0
What's new in v0.2.0
Detection — new attack classes
- Many-shot jailbreak — detects prompts stuffed with fabricated dialogue turns where the faux assistant demonstrates harmful compliance. Blocks on pattern + harmful
compliance; warns on a benign pasted transcript. (manyShot.*,LLM_FW_MANYSHOT_*) - Multi-turn crescendo — catches conversations that escalate over several turns toward harmful content and end on a boundary-pushing directive. Analyzed within the single
request (no session state needed). (crescendo.*,LLM_FW_CRESCENDO_*) - New heuristic rules — refusal-suppression, refusal-override, prefix-injection ("start your reply with 'Sure, here is'"), Skeleton Key, and Policy Puppetry.
- More obfuscation decoders — Base32 (RFC 4648) and Ascii85 (
<~ ~>) added to the candidate extractor. - Response-side harmful-compliance scan — audit-only defense-in-depth that flags a response containing a harmful how-to that slipped past the input stages.
(responseScan.harmfulCompliance,LLM_FW_RESPONSE_HARM_ENABLED) - Non-text content scanning — the full Stage 1–3 pipeline now inspects image and document content blocks. Opt-in OCR via Tesseract.js extracts text from images and runs it
through detection. (detection.nonTextContent.*,LLM_FW_NONTEXT_*) - Multilingual injection coverage — attack patterns and the embedding corpus extended to non-English languages; recall verified across language groups.
Trained classifier (generalization layer)
A local ONNX classifier (protectai/deberta-v3-base-prompt-injection-v2, Apache-2.0) is now available as an opt-in Stage 2.5. It roughly doubles recall on held-out benchmarks
with near-zero added false positives, runs entirely locally (no Ollama required), and lazy-loads ~700 MB on first use.
Config: detection.classifier.{enabled,blockThreshold} · LLM_FW_CLASSIFIER_{ENABLED,THRESHOLD}
Note: the benchmark found that using the Ollama judge as a general backstop (
judgeUnlessBenign) blocks 27–86% of benign traffic. That mode is now documented as not
recommended; the trained classifier is the precise alternative.
New providers
- AWS Bedrock — Converse and InvokeModel wire-format parser
- HuggingFace — updated to the current
router.huggingface.coendpoint - Cohere — tool result/use extraction implemented
- Azure OpenAI and regional Vertex tenant hosts now intercepted by default (
proxy.interceptDomains,LLM_FW_INTERCEPT_DOMAINS)
Dashboard
- Image/doc playground — upload any image or file to probe the non-text injection pipeline from the browser
- Advanced Tuning panel — live numeric/text inputs for every threshold (heuristic, embedding, classifier), DoS rate/token limits, and judge model; every row has an inline
explanation. All settings persist to~/.llm-fw/config.json
Performance
- LRU cache for the embedding stage — repeated or near-identical prompts skip ONNX inference entirely
Benchmark
Phase 1 public benchmark suite (scripts/run-benchmark.ts) with pinned dataset revisions, a per-class CI scorecard gate, and an honest scorecard at docs/BENCHMARK.md.
Scorecard: 110 attacks · 16 classes · 100% TPR · 0% FPR (heuristic + embedding, judge off)
Changed
setup/setup-judgewrite to~/.llm-fw/config.jsonvia read-merge — no longer clobbering existing config; judge settings now persist machine-widesetupno longer disables IDE TLS verification (http.proxyStrictSSL)LLM_FW_DIRis now honoured by every consumer (CA, pid, config, whitelist, model cache)setupaccepts--judge/--no-judgeand skips the interactive prompt on non-TTY stdin
Fixed
- Dropped
google.com/googleusercontent.comfrom the outbound URL-filter allowlist - Embedding stage no longer warns on empty/whitespace-only input
- Persona-anchor heuristic reworded to eliminate false positives on benign AI-assistant responses
Full diff: v0.1.0...v0.2.0