registry  /  @cendor/guardrails  /  0.4.0

@cendor/guardrails@0.4.0

A local-first gate for LLM apps: define a check — keyword, regex, URL, length, JSON-schema — attach it to a stage (input, tool call, tool output, output). Deterministic, microsecond, $0, and every decision is audit-grade evidence.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime behavior implements local guardrail checks and optional integrations using caller-provided clients.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer imports the library and explicitly invokes apply, install, scoped, or an opt-in adapter.
Impact
Can block, redact, or flag LLM payloads according to consumer-supplied rules; no unconsented system mutation or exfiltration is established.
Mechanism
Local payload validation and process-local @cendor/core interception.
Rationale
Static inspection shows a local LLM guardrail library with no install hooks or concrete malicious behavior. The scanner's Unicode finding is a false positive: the characters occur in a regex used to strip zero-width evasions.
Evidence
package.jsondist/index.jsdist/rules.jsdist/adapters.jsREADME.mddist/decision.jsdist/policy.jsdist/intent.jsdist/judge.jsdist/semantic.jsdist/redteam.jsdist/presets.js

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts and exposes only dist/index.js.
    • dist/rules.js bidi/zero-width characters are literal normalization targets, not concealed control flow.
    • dist/index.js only dynamically imports node:async_hooks for scoped context isolation.
    • No filesystem, shell, eval/vm, credential harvesting, or direct network primitives found in dist/*.js.
    • dist/adapters.js invokes only caller-supplied cloud clients through explicit opt-in guardrail adapters.
    • README.md contains normal product documentation; no reviewer/scanner-directed manipulation found.
    Behavioral surface
    Source
    ChildProcess
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 10 file(s), 105 KB of source, external domains: cendor.ai, json-schema.org

    Source & flagged code

    3 flagged · loading source
    README.mdView file
    rules.keywordDeny(['ignore previous instructions'], { action: 'block' }), // prompt-injection floor
    High
    Ai Reviewer Manipulation

    Package text addresses the security reviewer or scanner and tries to influence the review outcome.

    README.mdView on unpkg
    dist/rules.jsView file
    103contains invisible/control Unicode U+200B (zero width space) const ZERO_WIDTH_RE = /<U+200B>|<U+200C>|<U+200D>|<U+2060>|<U+FEFF>|­|<U+180E>/g;
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/rules.jsView on unpkg · L103
    Trigger-reachable chain: manifest.main -> dist/index.js -> dist/rules.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/rules.jsView on unpkg

    Findings

    2 Critical1 High1 Medium2 Low
    CriticalTrojan Source Unicodedist/rules.js
    CriticalTrigger Reachable Dangerous Capabilitydist/rules.js
    HighAi Reviewer ManipulationREADME.md
    MediumStructural Risk Force Deep Review
    LowHigh Entropy Strings
    LowUrl Strings