Files
tracer-cloud--opensre/docs/guardrails/README.md
T
wehub-resource-sync 4b6817381b
CI (OpenClaw E2E) / openclaw test (push) Has been cancelled
CI / coverage-report (push) Has been cancelled
CI / test-kubernetes (push) Has been cancelled
CI / should-run-thorough (push) Has been cancelled
CI / test-thorough (cloudwatch-demo) (push) Has been cancelled
CI / test-thorough (flink-ecs) (push) Has been cancelled
CI / test-thorough (upstream-lambda) (push) Has been cancelled
CI / test-thorough (prefect-ecs-fargate) (push) Has been cancelled
Release / build-binaries (zip, opensre.exe, onefile, windows-latest, windows-x64) (push) Has been cancelled
Benchmark image — build + push to ECR (any adapter) / build + push (push) Has been cancelled
CI / quality (ubuntu-latest) (push) Has been cancelled
CI / test (tools-runtime) (push) Has been cancelled
CI / test (e2e-general) (push) Has been cancelled
CI / test (cli-runtime) (push) Has been cancelled
CI / test (e2e-provider-and-openclaw) (push) Has been cancelled
CI / test (integrations-and-misc) (push) Has been cancelled
Release / verify (push) Has been cancelled
Release / build-python-dist (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-15-intel, darwin-x64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-latest, darwin-arm64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04, linux-x64) (push) Has been cancelled
Release / publish-release (push) Has been cancelled
Release / publish-main-release (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-checks (no-LLM) (push) Has been cancelled
CodeQL / Analyze (python) (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-live shard ${{ matrix.shard_index }} (push) Has been cancelled
Release / prepare (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04-arm, linux-arm64) (push) Has been cancelled
Synthetic Deterministic Tests / Synthetic offline (deterministic) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:10:45 +08:00

168 lines
4.3 KiB
Markdown

# Guardrails: Sensitive Information Protection
Guardrails intercepts content before every LLM call and applies configurable
rules to detect, redact, block, or audit sensitive information.
## Quick start
```shell
# Generate a starter config with common patterns
opensre guardrails init
# Test it against sample text
opensre guardrails test "my key is AKIAIOSFODNN7EXAMPLE"
# View configured rules
opensre guardrails rules
```
## How it works
1. Rules are loaded from `~/.opensre/guardrails.yml` on first LLM call
2. Before every LLM API request, all message content is scanned against the rules
3. Depending on the rule action:
- **redact**: matched text is replaced with `[REDACTED:<rule_name>]`
- **block**: the request is rejected with a `GuardrailBlockedError`
- **audit**: the match is logged but text passes through unchanged
4. All matches are written to `~/.opensre/guardrail_audit.jsonl`
If no `guardrails.yml` exists, all content passes through unchanged with zero
overhead.
## Configuration
The config file lives at `~/.opensre/guardrails.yml`. Each rule can use
regex patterns, keyword lists, or both.
```yaml
rules:
- name: aws_access_key
description: "AWS access key IDs"
action: redact
patterns:
- "(?:AKIA|ASIA)[A-Z0-9]{16}"
- name: credit_card
description: "Credit card numbers"
action: block
patterns:
- "\\b\\d{4}[- ]?\\d{4}[- ]?\\d{4}[- ]?\\d{4}\\b"
- name: internal_domains
description: "Internal hostnames that should not leak"
action: audit
keywords:
- "prod-db.internal.corp"
- "staging.internal.corp"
- name: pii_fields
description: "Common PII field names"
action: redact
keywords:
- "social_security"
- "date_of_birth"
replacement: "[PII_REDACTED]"
```
### Rule fields
| Field | Required | Description |
|-------|----------|-------------|
| `name` | yes | Unique identifier for the rule |
| `action` | no | `redact`, `block`, or `audit` (default: `audit`) |
| `patterns` | no* | List of regex patterns (case-insensitive) |
| `keywords` | no* | List of literal keywords (case-insensitive) |
| `description` | no | Human-readable description |
| `replacement` | no | Custom replacement text (default: `[REDACTED:<name>]`) |
| `enabled` | no | Set to `false` to disable without removing (default: `true`) |
*At least one of `patterns` or `keywords` is required.
## CLI commands
### `opensre guardrails init`
Creates a starter `~/.opensre/guardrails.yml` with common patterns for AWS
keys, credit cards, private keys, and API tokens. Does not overwrite an
existing config.
### `opensre guardrails test "text"`
Dry-run: scans the provided text against all rules and shows what would be
matched, redacted, or blocked.
```
$ opensre guardrails test "key=AKIAIOSFODNN7EXAMPLE"
[REDACT] aws_access_key: matched 'AKIAIOSFODNN7EXAMPLE'
Redacted output: key=[REDACTED:aws_access_key]
```
### `opensre guardrails rules`
Lists all configured rules with their action and status.
### `opensre guardrails audit`
Shows recent entries from the audit log at `~/.opensre/guardrail_audit.jsonl`.
## Health check
`opensre health` shows the current guardrails status:
```
CLI
environment: development
integration store: ~/.opensre/integrations.json
guardrails: 5 rules active (~/.opensre/guardrails.yml)
```
## Coverage
Guardrails protect all LLM call paths:
- Custom Anthropic client (`LLMClient.invoke`)
- OpenAI-compatible client (`OpenAILLMClient.invoke`)
- Structured output calls (delegated to base client)
- Interactive shell and investigation chat calls
- Alert extraction prompts
- Root cause diagnosis prompts
- Action planning prompts
## Common patterns
Here are useful patterns you can add to your config:
```yaml
# Email addresses
- name: email
action: redact
patterns:
- "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
# IPv4 addresses
- name: ipv4
action: audit
patterns:
- "\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b"
# GitHub personal access tokens
- name: github_pat
action: redact
patterns:
- "ghp_[a-zA-Z0-9]{36}"
- "github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}"
# Slack webhook URLs
- name: slack_webhook
action: redact
patterns:
- "https://hooks\\.slack\\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[a-zA-Z0-9]+"
# JWT tokens
- name: jwt
action: redact
patterns:
- "eyJ[A-Za-z0-9_-]+\\.eyJ[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+"
```