kernex-core 0.7.0

Core types, traits, config, and error handling for Kernex
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

//! Guardrail trait for intercepting and filtering text at the pipeline layer.
//!
//! Guardrails run on input text before it reaches a provider and on output
//! text before it returns to the caller. Each check returns a
//! [`GuardrailAction`] that instructs the runtime to allow, block, or sanitize
//! the text.
//!
//! Wire a guardrail into the runtime via `RuntimeBuilder::guardrail_runner`.

use async_trait::async_trait;

/// What the runtime should do with text after a guardrail check.
#[derive(Debug)]
pub enum GuardrailAction {
    /// Allow the text to proceed unchanged.
    Allow,
    /// Reject the text. The runtime returns [`KernexError::Guardrail`] with the reason.
    ///
    /// [`KernexError::Guardrail`]: crate::error::KernexError::Guardrail
    Block(String),
    /// Replace the text with a sanitized version before it continues.
    Sanitize(String),
}

/// Intercept and filter text at the pipeline layer.
///
/// Implement this trait to add content filtering, PII redaction, prompt
/// injection detection, or compliance auditing. Wire it into the runtime via
/// `RuntimeBuilder::guardrail_runner`.
///
/// Both methods are called synchronously within the request pipeline:
/// `check_input` before the provider call, `check_output` after.
///
/// # Example
///
/// ```rust
/// use async_trait::async_trait;
/// use kernex_core::guardrails::{GuardrailAction, GuardrailRunner};
///
/// struct BlocklistGuardrail {
///     blocked_terms: Vec<&'static str>,
/// }
///
/// #[async_trait]
/// impl GuardrailRunner for BlocklistGuardrail {
///     async fn check_input(&self, text: &str) -> GuardrailAction {
///         for term in &self.blocked_terms {
///             if text.contains(term) {
///                 return GuardrailAction::Block(
///                     format!("blocked term detected: {term}")
///                 );
///             }
///         }
///         GuardrailAction::Allow
///     }
///
///     async fn check_output(&self, _text: &str) -> GuardrailAction {
///         GuardrailAction::Allow
///     }
/// }
/// ```
#[async_trait]
pub trait GuardrailRunner: Send + Sync {
    /// Check input text before it is sent to the provider.
    ///
    /// Return [`GuardrailAction::Block`] to reject the request entirely.
    /// Return [`GuardrailAction::Sanitize`] to replace the text before sending.
    async fn check_input(&self, text: &str) -> GuardrailAction;

    /// Check output text before it is returned to the caller.
    ///
    /// Return [`GuardrailAction::Block`] to surface an error instead of the response.
    /// Return [`GuardrailAction::Sanitize`] to redact the response before returning.
    ///
    /// For streaming responses, this runs on the fully accumulated text after
    /// the stream completes and only affects what is persisted to memory.
    async fn check_output(&self, text: &str) -> GuardrailAction;
}

/// No-op guardrail that allows all text through unchanged.
pub struct NoopGuardrailRunner;

#[async_trait]
impl GuardrailRunner for NoopGuardrailRunner {
    async fn check_input(&self, _text: &str) -> GuardrailAction {
        GuardrailAction::Allow
    }

    async fn check_output(&self, _text: &str) -> GuardrailAction {
        GuardrailAction::Allow
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn test_noop_allows_input() {
        let runner = NoopGuardrailRunner;
        let action = runner.check_input("some input text").await;
        assert!(matches!(action, GuardrailAction::Allow));
    }

    #[tokio::test]
    async fn test_noop_allows_output() {
        let runner = NoopGuardrailRunner;
        let action = runner.check_output("some output text").await;
        assert!(matches!(action, GuardrailAction::Allow));
    }

    #[tokio::test]
    async fn test_custom_block_guardrail() {
        struct BlockAll;
        #[async_trait]
        impl GuardrailRunner for BlockAll {
            async fn check_input(&self, _text: &str) -> GuardrailAction {
                GuardrailAction::Block("blocked".to_string())
            }
            async fn check_output(&self, _text: &str) -> GuardrailAction {
                GuardrailAction::Allow
            }
        }

        let runner = BlockAll;
        let action = runner.check_input("anything").await;
        assert!(matches!(action, GuardrailAction::Block(_)));
        if let GuardrailAction::Block(reason) = action {
            assert_eq!(reason, "blocked");
        }
    }

    #[tokio::test]
    async fn test_custom_sanitize_guardrail() {
        struct RedactPii;
        #[async_trait]
        impl GuardrailRunner for RedactPii {
            async fn check_input(&self, text: &str) -> GuardrailAction {
                GuardrailAction::Sanitize(text.replace("secret", "[REDACTED]"))
            }
            async fn check_output(&self, _text: &str) -> GuardrailAction {
                GuardrailAction::Allow
            }
        }

        let runner = RedactPii;
        let action = runner.check_input("my secret is 42").await;
        assert!(matches!(action, GuardrailAction::Sanitize(_)));
        if let GuardrailAction::Sanitize(clean) = action {
            assert_eq!(clean, "my [REDACTED] is 42");
        }
    }
}