[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-83803":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":37,"readmeContent":38,"aiSummary":10,"trendingCount":15,"starSnapshotCount":15,"syncStatus":39,"lastSyncTime":40,"discoverSource":41},83803,"PROMPTPurify","securelayer7\u002FPROMPTPurify","securelayer7","Prompt-injection guardrail for LLM applications. Compact model that outperforms larger open-source guards. No regex, no signatures. Demo: anton.securelayer7.net","https:\u002F\u002Fanton.securelayer7.net",null,"TypeScript",65,19,1,0,4,8,13,56.7,"MIT License",false,"main",[24,25,26,27,28,29,30,31,32,33,34,35,36],"ai-firewall","ai-safety","ai-security","application-security","ctf","guardrails","jailbreak-detection","llm-guardrails","llm-security","prompt-engineering","prompt-injection","prompt-injection-detection","security","2026-06-12 04:01:42","\u003Cp align=\"center\">\n  \u003Cpicture>\n    \u003Csource media=\"(prefers-color-scheme: dark)\" srcset=\"assets\u002Flogo\u002Flogo-mark-dark-mode.png\">\n    \u003Csource media=\"(prefers-color-scheme: light)\" srcset=\"assets\u002Flogo\u002Flogo-mark-light-mode.png\">\n    \u003Cimg alt=\"promptpurify\" src=\"assets\u002Flogo\u002Flogo-mark-light-mode.png\" width=\"160\" height=\"160\">\n  \u003C\u002Fpicture>\n\u003C\u002Fp>\n\n\u003Ch1 align=\"center\">promptpurify\u003C\u002Fh1>\n\n[![CI](https:\u002F\u002Fgithub.com\u002Fsecurelayer7\u002FPROMPTPurify\u002Factions\u002Fworkflows\u002Fci.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fsecurelayer7\u002FPROMPTPurify\u002Factions\u002Fworkflows\u002Fci.yml)\n[![npm version](https:\u002F\u002Fimg.shields.io\u002Fnpm\u002Fv\u002Fpromptpurify.svg)](https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002Fpromptpurify)\n[![npm provenance](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fnpm-signed%20%2B%20provenance-success?logo=npm)](https:\u002F\u002Fwww.npmjs.com\u002Fpackage\u002Fpromptpurify)\n[![Hugging Face](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002F%F0%9F%A4%97%20Hugging%20Face-Securelayer7%2Fpromptpurify-yellow)](https:\u002F\u002Fhuggingface.co\u002FSecurelayer7\u002Fpromptpurify)\n[![License: MIT](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-blue.svg)](LICENSE)\n[![Model card](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fmodel-card-informational)](MODEL_CARD.md)\n[![Security policy](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fsecurity-policy-critical)](SECURITY.md)\n\n**Tiny prompt-injection firewall for LLM chat apps. ~14 MB. CPU-only.**\nDrop-in guard between your user input and your LLM — runs on the same box,\nno GPU, no API, no extra service.\n\n> Built by the [SecureLayer7](https:\u002F\u002Fsecurelayer7.net) red-team. Most\n> OSS guardrails are hundreds of MB, want a GPU, and still miss the\n> attacks we see in production. We needed something we could ship inside\n> our own AI products and our customers' apps without any of that.\n\n## Why this exists\n\n| | promptpurify | typical OSS guardrail |\n|---|---|---|\n| Install size | **~14 MB ONNX** | 180 MB – 7 GB |\n| Inference | **CPU, single-digit ms** | GPU recommended |\n| Where it runs | **In your Node process** | Sidecar or hosted API |\n| Cost per call | **$0** | $ or GPU compute |\n\nBenchmark comparison vs OSS baselines → [docs\u002FBENCHMARKS.md](docs\u002FBENCHMARKS.md).\n\n## Install\n\n```bash\n# SDK (zero-dep, ~50 KB) — structural firewall + browser bundle\nnpm i promptpurify\n\n# Add the model (~14 MB ONNX) for the chat-injection guard\nnpm i onnxruntime-node\ncurl -L -o promptpurify-model.tar.gz \\\n  https:\u002F\u002Fgithub.com\u002Fsecurelayer7\u002FPROMPTPurify\u002Freleases\u002Fdownload\u002Fv0.0.1\u002Fpromptpurify-model.tar.gz\ncurl -L -o promptpurify-model.tar.gz.sha256 \\\n  https:\u002F\u002Fgithub.com\u002Fsecurelayer7\u002FPROMPTPurify\u002Freleases\u002Fdownload\u002Fv0.0.1\u002Fpromptpurify-model.tar.gz.sha256\nsha256sum -c promptpurify-model.tar.gz.sha256   # MUST print \"OK\"\ntar xzf promptpurify-model.tar.gz                # creates models\u002Fl5e\u002F\n```\n\nThe model isn't in the npm tarball — the SDK stays tiny for people who\nonly want the structural firewall (browser, edge, RAG). Full\ndistribution options: [docs\u002FSAMPLE-DATA.md](docs\u002FSAMPLE-DATA.md#how-to-get-the-model).\n\n## 3-line drop-in\n\n```ts\nimport { createL5eRunner } from \"promptpurify\u002Fl5\";\n\nconst guard = await createL5eRunner();\n\n\u002F\u002F In your \u002Fchat handler:\nconst score = await guard.score(userMessage);\nif (score >= 0.95) return refusal();              \u002F\u002F hard block\nif (score >= 0.85) flagForReview(userMessage);    \u002F\u002F advisory\nconst reply = await yourLLM.complete(userMessage); \u002F\u002F pass through\n```\n\nWorks with Groq, OpenAI, Anthropic, vLLM, local LLMs —\npromptpurify never talks to your LLM, only to your input.\n\nFor the deterministic structural firewall (Unicode neutralization,\nrole-fenced messages, output exfil guard) see\n[docs\u002FQUICKSTART.md](docs\u002FQUICKSTART.md).\n\n## Built from scratch\n\nWe built our model from random initialization because no existing OSS\nguardrail gave us the size \u002F latency tradeoff we wanted to ship in our\nown products.\n\n- **From-scratch.** No teacher weights from any vendor classifier are\n  redistributed.\n- **Benchmarked against public datasets** for direct comparison with OSS\n  baselines (ProtectAI v2, deepset, Meta Prompt-Guard, Meta Prompt-Guard-2). Held-out\n  evaluation; false positives reported alongside recall.\n- **MIT-licensed weights.** Use in production, paid or free.\n\nFull architecture overview → [docs\u002FHOW-IT-WORKS.md](docs\u002FHOW-IT-WORKS.md).\n\n## Try to break it\n\nWe run a live adversarial challenge at\n**[anton.securelayer7.net](https:\u002F\u002Fanton.securelayer7.net)**. Ask Son of\nAnton for the password. If you can get it past the guard, tell us how —\n[SECURITY.md](SECURITY.md).\n\n## Sample app\n\nA fintech customer-support chatbot wired up with promptpurify, ready to\nrun locally:\n\n```bash\ncd examples\u002Fcustomer-support && npm install\nGROQ_API_KEY=gsk_... node server.mjs\n# http:\u002F\u002Flocalhost:8787\n```\n\nSee [`examples\u002Fcustomer-support\u002FREADME.md`](examples\u002Fcustomer-support\u002FREADME.md).\n\n## Read more\n\n- **[docs\u002FQUICKSTART.md](docs\u002FQUICKSTART.md)** — install paths,\n  structural firewall, browser bundle, integration patterns.\n- **[docs\u002FHOW-IT-WORKS.md](docs\u002FHOW-IT-WORKS.md)** — the layers, what\n  each catches.\n- **[docs\u002FBENCHMARKS.md](docs\u002FBENCHMARKS.md)** — comparison with OSS\n  baselines, methodology.\n- **[docs\u002FSAMPLE-DATA.md](docs\u002FSAMPLE-DATA.md)** — what ships in the\n  repo for benchmarking.\n- **[docs\u002FREPRODUCE.md](docs\u002FREPRODUCE.md)** — run the bench yourself.\n- **[docs\u002FHONEST-LIMITS.md](docs\u002FHONEST-LIMITS.md)** — what to pair\n  promptpurify with for full coverage.\n\n## What promptpurify is *not*\n\n- Not a guarantee. There is no `.safe` boolean.\n- Not a content classifier. Catches prompt-injection, not toxicity \u002F\n  CSAM \u002F hate. Pair with a content filter.\n- Not a multi-turn auditor. Pair with conversation-level monitoring.\n\n## Verified releases\n\nEverything we ship is signed and verifiable end-to-end:\n\n- **npm package** signed with [npm provenance](https:\u002F\u002Fdocs.npmjs.com\u002Fgenerating-provenance-statements) from this exact GitHub Actions run. Verify locally:\n  ```bash\n  npm audit signatures   # ✓ verified registry signature + provenance attestation\n  ```\n- **Model tarball** ([releases](https:\u002F\u002Fgithub.com\u002Fsecurelayer7\u002FPROMPTPurify\u002Freleases\u002Ftag\u002Fv0.0.1)) carries a keyless [Sigstore cosign](https:\u002F\u002Fsigstore.dev) signature (`*.cosign.bundle`), a [SLSA build provenance attestation](https:\u002F\u002Fslsa.dev), a SHA256 manifest, and a CycloneDX SBOM (`SBOM.cdx.json`).\n- **In-repo `models\u002Fl5e\u002FSHA256SUMS`** — every artifact checksummed; verified in CI on every PR.\n\nIf any of those checks fail on your end, the package is not promptpurify — file a security report under [SECURITY.md](SECURITY.md).\n\n## Acknowledgments\n\nThe name and the design philosophy are inspired by\n[**DOMPurify**](https:\u002F\u002Fgithub.com\u002Fcure53\u002FDOMPurify) by [Cure53](https:\u002F\u002Fcure53.de) —\nthe same idea, applied to LLM prompts instead of HTML. Thanks to\n**Mario Heiderich** for suggesting the name.\n\n## License\n\nMIT for the SDK and the model weights. Benchmark sources we evaluate\nagainst are listed in\n[training\u002FCORPUS_LICENSES.json](training\u002FCORPUS_LICENSES.json).\n\nSecurity disclosures: [SECURITY.md](SECURITY.md).\n",2,"2026-06-11 04:11:31","CREATED_QUERY"]