Nexus

Guardrails

Enforce content safety with PII detection, prompt injection blocking, and content filtering.

Guardrails inspect and optionally modify requests before they reach a provider, and responses before they reach the client.

Guard Interface

type Guard interface {
    Name() string
    Phase() Phase   // Pre, Post, or Both
    Check(ctx context.Context, content string) (*Result, error)
}

Built-in Guards

PII Detection

Detect and redact personally identifiable information:

import "github.com/xraph/nexus/guard/guards"

nexus.WithGuard(guards.NewPII(guards.ActionRedact))

Prompt Injection

Block prompt injection attempts:

nexus.WithGuard(guards.NewInjection())

Content Filter

Block harmful or inappropriate content:

nexus.WithGuard(guards.NewContentFilter())

Regex Rules

Custom pattern-based rules:

nexus.WithGuard(guards.NewRegex(
    guards.RegexRule{
        Pattern: `(?i)api[_-]?key`,
        Action:  guards.ActionBlock,
        Message: "API keys not allowed in prompts",
    },
))

Actions

Each guard can take one of four actions:

ActionBehavior
AllowRequest passes through unchanged
BlockRequest is rejected with an error
RedactMatched content is replaced with [REDACTED]
WarnRequest passes through, warning is logged

Streaming Guardrails

For streaming responses, Nexus supports three strategies:

  • Buffer — Collect the full response, then check
  • Passthrough — Check chunks as they arrive
  • Chunkwise — Buffer a window of chunks, then check
guard.NewGuardedStream(stream, guards, guard.StrategyPassthrough)

Routing

Route requests across providers using priority, cost-optimized, or round-robin strategies.

Caching

Cache LLM responses with deterministic keys and optional semantic matching.

On this page

Guard InterfaceBuilt-in GuardsPII DetectionPrompt InjectionContent FilterRegex RulesActionsStreaming Guardrails