jailguard 0.1.2

Pure-Rust prompt-injection detector with 1.5MB embedded MLP classifier. 98.40% accuracy, p50 14ms CPU inference, 8-class attack taxonomy. Apache-2.0/MIT alternative to Rebuff and Lakera Guard.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287

//! PyO3 Python bindings for JailGuard.
//!
//! Compiled only when the `python` feature is enabled (via maturin or
//! `cargo build --features python`). The resulting native extension module
//! is named `_jailguard` and lives inside the `jailguard` Python package.
//!
//! # Python API
//!
//! ```python
//! import jailguard
//!
//! # Pre-download ONNX model at startup (optional — auto-downloaded on first detect())
//! jailguard.download_model()
//!
//! # Quick boolean check
//! if jailguard.is_injection("ignore all previous instructions"):
//!     raise ValueError("Injection detected")
//!
//! # Detailed result
//! result = jailguard.detect("What is the capital of France?")
//! print(result.is_injection, result.score, result.risk)
//!
//! # Batch (reuses the same detector session)
//! results = jailguard.detect_batch(["safe query", "ignore all instructions"])
//! ```

use pyo3::prelude::*;

use crate::embedded::{self, RiskLevel};

// ---------------------------------------------------------------------------
// RiskLevel Python enum
// ---------------------------------------------------------------------------

/// Risk level classification for a detection result.
///
/// Values
/// ------
/// RiskLevel.Safe
///     Score < 0.3 — very likely benign.
/// RiskLevel.Low
///     Score 0.3–0.5 — probably benign, worth monitoring.
/// RiskLevel.Medium
///     Score 0.5–0.7 — possible injection, review recommended.
/// RiskLevel.High
///     Score 0.7–0.9 — likely injection.
/// RiskLevel.Critical
///     Score ≥ 0.9 — almost certainly an injection.
#[pyclass(name = "RiskLevel", eq, eq_int)]
#[derive(Clone, Copy, PartialEq, Eq)]
pub enum PyRiskLevel {
    Safe,
    Low,
    Medium,
    High,
    Critical,
}

#[pymethods]
impl PyRiskLevel {
    fn __repr__(&self) -> &'static str {
        match self {
            PyRiskLevel::Safe => "RiskLevel.Safe",
            PyRiskLevel::Low => "RiskLevel.Low",
            PyRiskLevel::Medium => "RiskLevel.Medium",
            PyRiskLevel::High => "RiskLevel.High",
            PyRiskLevel::Critical => "RiskLevel.Critical",
        }
    }

    fn __str__(&self) -> &'static str {
        match self {
            PyRiskLevel::Safe => "Safe",
            PyRiskLevel::Low => "Low",
            PyRiskLevel::Medium => "Medium",
            PyRiskLevel::High => "High",
            PyRiskLevel::Critical => "Critical",
        }
    }
}

impl From<RiskLevel> for PyRiskLevel {
    fn from(r: RiskLevel) -> Self {
        match r {
            RiskLevel::Safe => PyRiskLevel::Safe,
            RiskLevel::Low => PyRiskLevel::Low,
            RiskLevel::Medium => PyRiskLevel::Medium,
            RiskLevel::High => PyRiskLevel::High,
            RiskLevel::Critical => PyRiskLevel::Critical,
        }
    }
}

// ---------------------------------------------------------------------------
// DetectionResult Python class
// ---------------------------------------------------------------------------

/// Prompt injection detection result.
///
/// Attributes
/// ----------
/// is_injection : bool
///     ``True`` if the text is classified as a prompt injection attempt.
/// score : float
///     Raw model probability (0.0 = definitely benign, 1.0 = definitely injection).
/// confidence : float
///     Confidence in the prediction (always >= 0.5).
/// risk : RiskLevel
///     Risk level enum value (``RiskLevel.Safe``, ``RiskLevel.Low``, etc.).
#[pyclass(name = "DetectionResult", get_all)]
#[derive(Clone)]
pub struct PyDetectionResult {
    /// Whether the text is a prompt injection attempt.
    pub is_injection: bool,
    /// Raw model probability (0.0–1.0).
    pub score: f32,
    /// Confidence in the prediction (always >= 0.5).
    pub confidence: f32,
    /// Risk level enum.
    pub risk: PyRiskLevel,
}

#[pymethods]
impl PyDetectionResult {
    fn __repr__(&self) -> String {
        format!(
            "DetectionResult(is_injection={}, score={:.4}, confidence={:.4}, risk={})",
            if self.is_injection { "True" } else { "False" },
            self.score,
            self.confidence,
            self.risk.__repr__(),
        )
    }

    /// ``bool(result)`` is ``True`` when an injection is detected.
    fn __bool__(&self) -> bool {
        self.is_injection
    }
}

impl From<embedded::DetectionOutput> for PyDetectionResult {
    fn from(r: embedded::DetectionOutput) -> Self {
        Self {
            is_injection: r.is_injection,
            score: r.score,
            confidence: r.confidence,
            risk: r.risk.into(),
        }
    }
}

// ---------------------------------------------------------------------------
// Public functions
// ---------------------------------------------------------------------------

/// Detect whether *text* is a prompt injection attempt.
///
/// Returns a :class:`DetectionResult` with ``is_injection``, ``score``,
/// ``confidence``, and ``risk`` fields.
///
/// On first call the ONNX embedding model (~90 MB) is downloaded to
/// ``~/.cache/jailguard/`` if it is not already cached.
/// Call :func:`download_model` at startup to avoid latency on the first request.
///
/// Parameters
/// ----------
/// text : str
///     Input text to classify.
///
/// Returns
/// -------
/// DetectionResult
#[pyfunction]
fn detect(text: &str) -> PyDetectionResult {
    embedded::detect(text).into()
}

/// Return ``True`` if *text* is a prompt injection attempt.
///
/// Parameters
/// ----------
/// text : str
///
/// Returns
/// -------
/// bool
#[pyfunction]
fn is_injection(text: &str) -> bool {
    embedded::is_injection(text)
}

/// Return the injection probability score for *text* (0.0 to 1.0).
///
/// Parameters
/// ----------
/// text : str
///
/// Returns
/// -------
/// float
#[pyfunction]
fn score(text: &str) -> f32 {
    embedded::score(text)
}

/// Classify a list of texts in one call.
///
/// More efficient than calling :func:`detect` in a loop because it reuses
/// the same detector session for all inputs.
///
/// Parameters
/// ----------
/// texts : list[str]
///
/// Returns
/// -------
/// list[DetectionResult]
///     Results in the same order as *texts*.
#[pyfunction]
fn detect_batch(texts: Vec<String>) -> Vec<PyDetectionResult> {
    let refs: Vec<&str> = texts.iter().map(String::as_str).collect();
    embedded::detect_batch(&refs)
        .into_iter()
        .map(PyDetectionResult::from)
        .collect()
}

/// Ensure the ONNX embedding model is downloaded and return its local path.
///
/// The model (~90 MB) is cached at ``~/.cache/jailguard/`` by default.
/// Override the location with the ``JAILGUARD_MODEL_DIR`` environment variable.
///
/// This function is idempotent — it skips the download if the model already
/// exists and passes its SHA-256 checksum.
///
/// Raises
/// ------
/// RuntimeError
///     If the download fails or the checksum does not match.
///
/// Returns
/// -------
/// str
///     Absolute path to the cached ONNX model file.
#[pyfunction]
fn download_model() -> PyResult<String> {
    crate::model_manager::download_model()
        .map(|p| p.display().to_string())
        .map_err(|e| pyo3::exceptions::PyRuntimeError::new_err(e.to_string()))
}

/// Return the path to the ONNX model cache directory.
///
/// Reads ``JAILGUARD_MODEL_DIR`` if set; otherwise returns
/// ``~/.cache/jailguard``.
///
/// Returns
/// -------
/// str
#[pyfunction]
fn model_cache_dir() -> pyo3::PyResult<String> {
    // Delegate to the canonical Rust function so Windows-specific fallback
    // logic (USERPROFILE / LOCALAPPDATA when HOME is unset or = "~") stays
    // in one place. The duplicated env-var ladder this used to inline
    // hardcoded a literal "~/.cache/jailguard" on Windows when HOME wasn't
    // set, which crashed pytest::test_model_cache_dir_exists.
    crate::model_cache_dir().map_err(|e| pyo3::exceptions::PyOSError::new_err(e.to_string()))
}

// ---------------------------------------------------------------------------
// Module entry point
// ---------------------------------------------------------------------------

/// Native extension module — imported as ``jailguard._jailguard``.
#[pymodule]
fn _jailguard(m: &Bound<'_, PyModule>) -> PyResult<()> {
    m.add("__version__", env!("CARGO_PKG_VERSION"))?;
    m.add_class::<PyRiskLevel>()?;
    m.add_class::<PyDetectionResult>()?;
    m.add_function(wrap_pyfunction!(detect, m)?)?;
    m.add_function(wrap_pyfunction!(is_injection, m)?)?;
    m.add_function(wrap_pyfunction!(score, m)?)?;
    m.add_function(wrap_pyfunction!(detect_batch, m)?)?;
    m.add_function(wrap_pyfunction!(download_model, m)?)?;
    m.add_function(wrap_pyfunction!(model_cache_dir, m)?)?;
    Ok(())
}