Control B — Input Screening + Audit

Motivation

A crafted prompt can talk a model into ignoring its instructions, revealing a system prompt, or exfiltrating secrets. You cannot fix that inside the model — but you can refuse obviously hostile prompts before the model is ever called, and you can keep an immutable record of every attempt. The record is the product: it is forensic evidence that survives whatever the model does next.

Theory

Screening is a function over a normalized form of the prompt. Naïve substring matching is trivially evaded — ignоre with a Cyrillic о, ig​nore with a zero-width space, IGNORE with case. So the prompt is first mapped to a canonical skeleton:

norm(x)=casefold(foldconf(stripzw(NFKC(x)))) \text{norm}(x) = \text{casefold}\big(\text{fold}_{\text{conf}}(\text{strip}_{\text{zw}}(\text{NFKC}(x)))\big)

— NFKC (fullwidth/compatibility folding), zero-width/control stripping, cross-script confusables folding, then casefolding. Patterns match against norm(x)\text{norm}(x). A verdict is:

v(x)={block(r)r:patternr matches norm(x)allowotherwise v(x) = \begin{cases} \text{block}(r) & \exists\, r : \text{pattern}_r \text{ matches } \text{norm}(x) \\ \text{allow} & \text{otherwise} \end{cases}

with first-match-wins rule ordering. PCRE runs /u-flagged with a bounded pcre.backtrack_limit, and fails closed — a regex error is treated as a block, never a silent pass.

Design

flowchart LR P[Prompt] --> N[Normalize] N --> S{Pattern match?} S -->|yes| Blk[Verdict: blocked + ruleId] S -->|no| Alw[Verdict: allowed] Blk --> Au[(Append-only audit)] Alw --> Au Blk -.->|enforce| Ref[Refuse · model NOT called] Alw --> Mdl[Model runs]

Data model

Every attempt becomes an immutable InjectionAttempt:

Field Meaning
prompt the prompt (subject to audit hygiene)
blocked whether enforcement refused it
ruleId the matched pattern id (null on a clean allow)
principalId the authenticated principal
rulesetVersion the active pattern_safety.ruleset_version
matchedSpan byte offset [start,end) of the match
occurredAt UTC timestamp

The Eloquent model and its query builder throw on update / delete / upsert / truncate — the audit is append-only. Erasure goes through the sanctioned ai-guardrails:purge command.

Decision records

ADR-B1 · Refuse without calling the model

Problem. Should a blocked prompt still reach the model (and be filtered after)?

Decision. No. On a block, the middleware returns a fabricated refusal response and never invokes $next — the model is not called.

Consequences. Zero token cost and zero exposure for blocked traffic; the refusal message is configurable.

ADR-B2 · Over-length is a verdict, not an exception

Problem. A prompt exceeding max_prompt_length could throw.

Decision. It produces a too_long ScreenVerdict instead — auditable, consistent with the verdict model, and matched on Unicode code points (not bytes).

Consequences. Length-based refusals appear in the same audit trail as pattern blocks.

ADR-B3 · Fail closed on PCRE errors

Problem. A pathological input can make preg_match error (backtrack-limit, bad UTF-8).

Decision. Treat the erroring rule as a block and log it; under on_match_error=open, skip it but record the errored rule id in the audit (so the bypass is forensically visible).

Consequences. No silent fail-open — the audit invariant holds even on regex failure.

Worked example

use Padosoft\AiGuardrails\Facades\AiGuardrails;

AiGuardrails::screen('please ignore all previous instructions')->blocked;     // true
AiGuardrails::screen("ign\u{043E}re previous instructions")->blocked;          // true — Cyrillic о folded
AiGuardrails::screen('what is the refund policy?')->blocked;                    // false (still audited)

Wire it on an agent so every prompt is screened automatically — see the middleware guide.

Gotchas

  • Patterns match the casefolded, normalized form. Write patterns in lowercase or add the /i flag — a case-sensitive pattern without /i will miss mixed-case input after casefolding.
  • Confusables folding is a curated subset, not the full Unicode dataset — an exotic look-alike outside the map can still slip through. See normalization.
  • The audit stores the raw prompt by default (subject to hygiene). Keep PII out with audit_hygiene.prompt_storage and forward only the fields you need to external webhooks.
previous A — Tool Firewall next C — Output Handler