Skip to content
GUARDRAILS · AGENT SAFETY

Stop agent leaks before they happen.

A composable, fail-closed guardrail pipeline for AI agents — mask credentials, redact PII, and block dangerous shell commands inline.

Apache-2.0 TypeScript library · fail-closed by default · deterministic checks, no model round-trip.

  • 3built-in guardrails
  • 11credential-masking rules
  • 4PII types (Luhn-checked)
  • 7dangerous shell patterns
  • 4content directions guarded
  • Fail-closeddefault on error
$ npm install @usetheo/trust-guardrailscoming to npm

An agent with tool access is one bad completion away from pasting an API key into a log, echoing a customer’s SSN, or running rm -rf / from a generated command. Theo Guardrails sits in the agent’s execution path and inspects every piece of content — user input, model output, tool calls, tool results — before it moves. It masks, redacts, or blocks synchronously, and when a guardrail itself fails, it fails closed.

What you get

Concretely, what ships.

Composable pipeline

Guardrails run in sequence; the first block short-circuits, a modify chains forward.

Credential masking + restore

11 rules mask secrets to deterministic fakes and return a map to reverse them.

PII redaction with Luhn

Email, credit card, phone, SSN; cards are Luhn-checked to cut false positives.

Dangerous-shell blocking

Blocks rm -rf /, piped-curl installs, sudo rm, chmod 777, dd, eval, and more.

Fail-closed by design

A thrown guardrail blocks unless it opts into failOpen; the context is never mutated.

Bring your own guardrail

Any async ctx -> result function drops into the same pipeline.

Feel it
typescript
import {
  createGuardrailPipeline,
  createCredentialMaskingGuardrail,
  createPiiGuardrail,
  createShellPatternGuardrail,
} from '@usetheo/trust-guardrails';

const pipeline = createGuardrailPipeline([
  { guardrail: createShellPatternGuardrail() },
  { guardrail: createCredentialMaskingGuardrail() },
  { guardrail: createPiiGuardrail({ strategy: 'redact' }) },
]);

const result = await pipeline.run({ direction: 'tool_input', content: userText });
// result.action: 'allow' | 'block' | 'modify'

Compose a fail-closed guardrail pipeline over a tool call.

What you'd ship

Things you would actually build.

  • 01Strip API keys and tokens from anything an agent is about to log or return.
  • 02Redact emails, phones, SSNs, and valid credit-card numbers from model output.
  • 03Block an agent from executing rm -rf /, piped-curl installs, or chmod 777.
  • 04Guard both directions of a tool call — sanitize tool_input, scrub tool_output.
  • 05Mask secrets before a third-party LLM call, then restore on the way back.
  • 06Add your own guardrail into the same fail-closed pipeline.
Why Theo Guardrails

How it compares.

Agents are moving into production execution paths with real tool access. Comparison stated at a general level; competitor internals not asserted.

CapabilityTheo GuardrailsGuardrails AINeMo GuardrailsLakera Guard
RuntimeIn-process TS/ESM libraryPython-firstPythonHosted service
EnforcementInline, synchronous, fail-closedInlineLLM-in-the-loopAPI call
DetectionDeterministic regex + LuhnValidatorsLLM / rulesRemote classifier
Directions guardedinput · output · tool_input · tool_outputPrompt-levelPrompt-levelPrompt-level
Restore after maskYes (reversible)RareRareRare

Deterministic, in-process guardrails you own — no model round-trip, no service to call, fail-closed when it matters.

Why now

A single leaked credential or executed destructive command is a live incident, not a bug ticket. Theo Guardrails is the in-the-moment enforcement half of Theo’s trust layer.

Status

Honest claims only.

  • Composable, fail-closed pipeline with credential masking, PII redaction, and dangerous-shell blocking.
  • Deterministic checks (regex + Luhn), no model round-trip; guards input, output, tool_input and tool_output.
  • Apache-2.0 · zero heavy deps · inline policy enforcement on the roadmap.

Stop agent leaks before they happen.

$ npm install @usetheo/trust-guardrailscoming to npm

Read the docs → docs.usetheo.dev

View the source → github.com/usetheodev/theo-trust