https://github.com/zafrem/bastion-sentinel
Bastion-RAG guardrail service: prompt-injection detection, metadata validation, and LLM output validation (hallucination, PII-leak, permission, industry filters). REST + gRPC.
https://github.com/zafrem/bastion-sentinel
ai-safety content-moderation golang grpc guardrails hallucination-detection llm-security output-validation pii prompt-injection prompt-injection-detection rag rest-api
Last synced: 3 days ago
JSON representation
Bastion-RAG guardrail service: prompt-injection detection, metadata validation, and LLM output validation (hallucination, PII-leak, permission, industry filters). REST + gRPC.
- Host: GitHub
- URL: https://github.com/zafrem/bastion-sentinel
- Owner: zafrem
- License: apache-2.0
- Created: 2026-05-17T01:12:20.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2026-06-07T09:54:35.000Z (about 1 month ago)
- Last Synced: 2026-06-07T11:22:35.397Z (about 1 month ago)
- Topics: ai-safety, content-moderation, golang, grpc, guardrails, hallucination-detection, llm-security, output-validation, pii, prompt-injection, prompt-injection-detection, rag, rest-api
- Language: Go
- Homepage:
- Size: 347 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Bastion-Sentinel (Module A)
## Overview
**Bastion-Sentinel** is the bidirectional security gateway of the Bastion-RAG framework. It serves as both the entry point (Sentinel-IN) and the exit point (Sentinel-OUT) for all interactions with the AI system.
Sentinel protects the system from malicious inputs (Prompt Injection) and ensures the safety and privacy of AI outputs (PII re-emergence, Hallucination filtering).
## Key Features
### Sentinel-IN (Input Gateway)
- **Prompt Injection Detection:** Multi-layered detection using regex, keywords, and ML models to block unauthorized instructions.
- **Metadata Verification:** Validates the structure and content of request metadata (e.g., UUIDs, tenant identifiers).
### Sentinel-OUT (Output Gateway)
- **PII Re-emergence Check:** Prevents the AI from accidentally revealing original PII that was previously anonymized.
- **Hallucination Detection:** Compares LLM responses against retrieved context to identify ungrounded claims.
- **Content Filtering:** Blocks inappropriate content, hate speech, and sensitive advice.
- **Permission Boundary Enforcement:** Ensures the response level matches the user's access permissions (e.g., K-anonymity).
## Architecture
- **Validation Engine:** A shared core that executes detection rules in parallel.
- **ML Scorer:** ONNX-based inference for identifying complex injection patterns and hallucinations.
- **Unified API:** Single service handling both `/v1/validate/input` and `/v1/validate/output`.
- **Streaming Support:** Real-time token-by-token validation for LLM responses.
## Getting Started
### Prerequisites
- Go 1.25+
- ONNX Runtime 1.16+
- Redis (Optional, for caching)
### Installation
```bash
go build -o sentinel ./cmd/sentinel
```
### Running the Server
```bash
# Run from the module root: the engine loads PII patterns from the relative
# path external/pii-pattern-engine/regex, so the working directory matters.
./sentinel server
```
The server starts with a built-in default configuration (REST `:8080`, gRPC
`:9090`). To override it, pass a YAML file with `--config `; see the
configurable keys below.
### Configurable detection patterns
The regexes used by the output validators and industry compliance filters are
externalized to the YAML config — override them without touching code. Every
field is optional; when omitted the built-in default is used, and an invalid
override falls back to the default. Available keys:
```yaml
output_validation:
hallucination:
claim_patterns:
numerical: "" # default: \b\d{1,3}(?:,\d{3})*(?:\.\d+)?(?:\s*(?:만|억|천|M|K|B))?\b
date: "" # default: \b\d{4}[-./]\d{1,2}[-./]\d{1,2}\b|\b\d{1,2}[-./]\d{1,2}[-./]\d{4}\b
percentage: "" # default: \b\d+(?:\.\d+)?%\b
permission_check:
specific_amount_pattern: "" # default amount-detection regex
# Industry compliance filters accept per-filter regex/keyword overrides.
# When patterns/keywords are empty the built-in HIPAA/GDPR/PCI/ITAR sets apply.
industry:
filters:
- builtin: hipaa
action_on_match: redact
patterns: [] # empty → DefaultHIPAAPatterns
keywords: []
```
## Documentation
- [Design Document](DESIGN.md)
- [SRS Document](docs/bastion_sentinel_srs_v1.0_en.md)
- [Output SRS Document](docs/bastion_sentinel_output_srs_v1.0_en.md)
**Technical deep-dives (code-based):**
- [Prompt Injection Detection](docs/prompt-injection-detection.md)
- [Metadata Filtering](docs/metadata-filtering.md)
## Testing & Fixtures
Fixture files live in `tests/fixtures/` as JSONL. The `"timestamp":"NOW"` placeholder is substituted with the current UTC time at runtime.
---
## Technical Stack
| Component | Technology |
|-----------|------------|
| Language | Go 1.25+ |
| gRPC / Protobuf | `google.golang.org/grpc` v1.64, `google.golang.org/protobuf` v1.36 |
| Caching | Redis 7.0+ (optional) via `github.com/redis/go-redis/v9` |
| CLI framework | `github.com/spf13/cobra` |
| Config | YAML via `gopkg.in/yaml.v3` |
| Metrics | Prometheus via `github.com/prometheus/client_golang` v1.23 |
| Logging | Structured JSON via `log/slog` (stdlib) |
| ML inference | `ml.Scorer` interface — `OnnxStub` active (returns 0.0); replace with `github.com/yalue/onnxruntime_go` |
---
## Implementation Status
### Sentinel-IN (Input Validation)
| Feature | Status |
|---------|--------|
| Prompt injection detection (regex + keyword) | ✅ |
| Metadata validation (schema + business rules) | ✅ |
| REST API (validate, batch, health, config) | ✅ |
| gRPC API (Validate, ValidateBatch, Health) | ✅ |
| Redis caching with in-memory fallback | ✅ |
| CLI (validate, try, testrun, interactive, config, server) | ✅ |
| Hot config reload via `POST /v1/config/reload` | ✅ |
| Payload size limits (10k chars / 4KB metadata) | ✅ |
| Kubernetes health probes (`/health/live`, `/health/ready`) | ✅ |
| Prometheus metrics with injection score histogram | ✅ |
| SIGHUP hot reload | ✅ |
| Structured logging — `log/slog` JSON + Elasticsearch shipping | ✅ |
| Security incident alerts (Slack / PagerDuty) | ✅ |
| Batch progress bar | ✅ |
| Engine benchmarks (`go test -bench=.`) | ✅ |
| Dockerfile (multi-stage Alpine) | ✅ |
| Kubernetes manifests + HPA | ✅ |
| Integration docker-compose + k6 load test | ✅ |
| ML inference (ONNX) | Stub only |
### Sentinel-OUT (Output Validation)
| Feature | Status |
|---------|--------|
| PII re-emergence detection (6 pattern families, EN + KR) | ✅ |
| PII auto-sanitization with modification log | ✅ |
| Hallucination detection (lexical grounding, claim extraction) | ✅ |
| Content filter (API keys, cloud credentials, internal paths) | ✅ |
| Permission boundary check (access level hierarchy) | ✅ |
| Format validation (length, UTF-8, control chars) | ✅ |
| REST API (`POST /v1/validate/output`, `/v1/validate/output/batch`) | ✅ |
| CLI (`validate-output` with `--explain`, `--access-level`) | ✅ |
| Streaming output validation | Stub (future) |
| Vault PII mapping cross-reference | Stub (pending Vault integration) |
---
## Performance Targets
| Metric | Target |
|--------|--------|
| Median latency (p50) | < 0.5 ms |
| Long-tail latency (p95) | < 1.0 ms |
| Throughput | ≥ 40,000 req/s |
| Detection accuracy | ≥ 95% |
---
## Other modules
* [Vault](../vault)
* [Navigator](../navigator)
* [Anchor](../anchor)
* [Tracker](../tracker)
---
## License
Apache License 2.0