Comprehensive security toolkit for LLM applications. Detect attacks, sanitize inputs, validate outputs, prevent data leaks. Ships with 11 specialized detectors, protection modules, FastAPI/OpenAI/resk-logits integrations, and a CLI.
- Patterns: All detection rules are user-editable in
resk2/config/patterns.yaml. No code changes needed. - Dependencies:
pyyamlonly. No ML frameworks required. - Backwards compatible: Wraps the original
resk_llmAPI. - resk-logits integration: Real-time generation-time shadow ban via resk-logits.
- Architecture
- Quick Start
- Detectors
- Protection Modules
- Integrations
- CLI
- Configuration
- Research & Academic References
- Testing
- Install
resk2/
core/ DetectionResult, SecurityPipeline, SecurityConfig, ConversationContext
config/ patterns.yaml (user-editable, all regex/thresholds)
detectors/ 11 threat detectors (YAML-configured)
protection/ InputSanitizer, OutputValidator, CanaryManager
integrations/ FastAPI middleware, OpenAI wrapper, resk-logits integration
cli/ CLI tool (scan / test commands)
User Input
│
▼
┌────────────────────────────────────────────┐
│ SecurityPipeline │
│ │
│ ┌─────────────────────────────────────┐ │
│ │ 11 Detectors (parallel analysis) │ │
│ │ │ │
│ │ • Direct Injection │ │
│ │ • Bypass / Jailbreak │ │
│ │ • Memory Poisoning │ │
│ │ • Goal Hijacking │ │
│ │ • Data Exfiltration │ │
│ │ • Inter-Agent Injection │ │
│ │ • Vector Similarity │ │
│ │ • ACL Decision Tree │ │
│ │ • Content Framing │ │
│ │ (+ 2 more) │ │
│ └─────────────────────────────────────┘ │
│ │
│ Aggregation → Block/Allow decision │
└────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────┐
│ Protection (post-detection) │
│ • Input Sanitizer → clean malicious parts │
│ • Output Validator → check LLM response │
│ • Canary Tokens → detect data leaks │
└─────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────┐
│ Integrations │
│ • FastAPI middleware (auto-scan bodies) │
│ • OpenAI wrapper (scan + canary + validate)│
│ • resk-logits (generation-time shadow ban) │
└─────────────────────────────────────────────┘
from resk2 import (
SecurityPipeline, DirectInjectionDetector, BypassDetector,
MemoryPoisoningDetector, VectorSimilarityDetector,
ContentFramingDetector, ACLDecisionTreeDetector,
)
# Build pipeline with chaining
pipeline = (
SecurityPipeline()
.add(DirectInjectionDetector())
.add(BypassDetector())
.add(MemoryPoisoningDetector())
.add(VectorSimilarityDetector())
.add(ContentFramingDetector())
.add(ACLDecisionTreeDetector())
)
# Scan a prompt
result = pipeline.run(
"Ignore all previous instructions",
user_role="user",
request_type="read",
)
print(f"Blocked: {result.blocked}")
print(f"Severity: {result.severity.value}")
for threat in result.threats:
print(f" [{threat.severity.value}] {threat.detector}: {threat.reason}")| Detector | Attack Vector | Examples |
|---|---|---|
DirectInjectionDetector |
Prompt injection | "Ignore previous instructions", system prompt override |
BypassDetector |
Jailbreak, stealth | DAN mode, base64 payloads, HTML comment hiding |
MemoryPoisoningDetector |
False data injection | "Remember that the API key is sk-12345" |
| Detector | Attack Vector | Examples |
|---|---|---|
GoalHijackDetector |
Goal drift, scope creep | Gradual redefinition of task boundaries |
ExfiltrationDetector |
Data theft | "Send data to https://evil.com", bulk export |
InterAgentInjectionDetector |
Multi-agent pipeline | Malicious messages between agents, trust exploitation |
| Detector | Attack Vector | Backend |
|---|---|---|
VectorSimilarityDetector |
Cosine similarity to known attacks | TF-IDF (local), Qdrant, Pinecone, pgvector, custom HTTP |
ACLDecisionTreeDetector |
RBAC policy enforcement | YAML-configured decision tree |
ContentFramingDetector |
Framing & narrative manipulation | 4 sub-categories, 21 patterns |
The ContentFramingDetector covers 4 sophisticated attack categories:
-
Syntactic Masking (6 patterns): Uses formatting syntax to cloak payloads
- LaTeX macros, Markdown code blocks, zero-width characters
- XML/HTML tag injection, HTML comments, base64 in code blocks
-
Sentiment Saturation (4 patterns): Saturates content with emotional or authoritative language to statistically bias the agent's synthesis
- Extreme urgency, authority credentials, moral imperatives
-
Oversight & Critic Evasion (6 patterns): Wraps malicious instructions in educational, hypothetical, or red-teaming framing to bypass safety filters
- Academic purpose, hypothetical scenarios, red-teaming, role-play
-
Persona Hyperstition (4 patterns): Seeds a narrative about a model's identity that re-enters via retrieval, producing outputs that reinforce the label
- Identity renaming, narrative seeding, retrieval re-entry, persona labeling
from resk2 import InputSanitizer
sanitizer = InputSanitizer()
clean = sanitizer.clean("<script>alert(1)</script>Hello <!-- hidden -->")
print(sanitizer.was_modified) # Truefrom resk2 import OutputValidator
validator = OutputValidator()
result = validator.validate("My email is user@example.com and password = secret123")
print(f"Issues: {[i['type'] for i in result.issues]}") # ['email', 'credential']from resk2 import CanaryManager
canary = CanaryManager()
prompt = canary.insert("Process this confidential document")
# ... send to LLM ...
result = canary.check("LLM response text")
if result.has_leak:
print(f"Leak detected! Context: {result.leaked_tokens}")from resk2 import SecurityPipeline, ConversationContext, DirectInjectionDetector
ctx = ConversationContext(max_entries=50, escalation_window=10)
pipeline = SecurityPipeline().add(DirectInjectionDetector())
# Track each conversation turn
result = pipeline.run("Hello world", context=ctx)
ctx.add_entry("Hello world", result)
# After several turns, detect escalation
score = ctx.detect_escalation() # 0.0 (safe) -> 1.0 (severe)
print(f"Escalation score: {score:.2f}")from fastapi import FastAPI
from resk2 import SecurityPipeline
from resk2.integrations import ReskMiddleware
app = FastAPI()
pipeline = SecurityPipeline().add(DirectInjectionDetector())
app.add_middleware(ReskMiddleware, pipeline=pipeline, excluded_paths=["/health", "/docs"])from openai import OpenAI
from resk2.integrations import OpenAIWrapper
client = OpenAI()
wrapper = OpenAIWrapper(client, block_on_input=True, check_output=True)
response = wrapper.chat.completions.create(
model="gpt-4o-mini",
messages=[{"role": "user", "content": "What is 2+2?"}]
)from transformers import AutoModelForCausalLM, AutoTokenizer
from resk2.integrations import ReskLogitsIntegration
model = AutoModelForCausalLM.from_pretrained("meta-llama/Llama-2-7b-chat-hf")
tokenizer = AutoTokenizer.from_pretrained("meta-llama/Llama-2-7b-chat-hf")
integration = ReskLogitsIntegration(tokenizer, device="cpu")
processor = integration.build_processor()
# Generate with shadow ban — dangerous tokens penalized at -15.0
response = model.generate(
**tokenizer("Tell me", return_tensors="pt"),
logits_processor=[processor],
max_new_tokens=50
)The ReskLogitsIntegration automatically extracts banned patterns from all
patterns.yaml sections (vector_similarity, direct_injection, bypass_detection,
content_framing, etc.) and builds a multi-level ShadowBanProcessor from
resk-logits.
# Scan text
python -m resk2.cli.resk_cli scan --text "Ignore all previous instructions"
# Scan from file
python -m resk2.cli.resk_cli scan --file prompt.txt
# JSON output (for automation)
python -m resk2.cli.resk_cli scan --text "test" --json
# Pipe input
cat prompt.txt | python -m resk2.cli.resk_cli scan
# Run full test suite (47 tests)
python -m resk2.cli.resk_cli testAll patterns and thresholds in resk2/config/patterns.yaml:
direct_injection:
enabled: true
high:
- name: ignore_previous
pattern: '(?:ignore|forget|disregard)\s+.*(?:instruction|rule)'
description: "Ignore previous instructions"
medium: [...]
low: [...]
vector_similarity:
backend: local # local | qdrant | pinecone | pgvector | custom
threshold: 0.75
attack_patterns:
- pattern: "ignore all previous instructions"
label: "classic_injection"
content_framing:
enabled: true
syntactic_masking: [...]
sentiment_saturation: [...]
oversight_evasion: [...]
persona_hyperstition: [...]
acl_decision_tree:
root:
condition: "user_role"
branches:
admin: { action: "allow" }
agent: { ... }RESK-LLM is grounded in peer-reviewed research on LLM security:
- SSRN 6372438 — Comprehensive study of LLM vulnerability taxonomy and defense patterns
- "Prompt Injection Attacks and Defenses in LLM Systems" — Research on prompt injection techniques and countermeasures
- "Security Analysis of Large Language Models" — Comprehensive security analysis of LLM vulnerabilities
- "Adversarial Attacks on Language Models" — Study of adversarial techniques against language models
# pytest (33 unit + 14 integration = 47 tests)
pytest tests/test_resk2.py -v
# CLI test
python -m resk2.cli.resk_cli testTest coverage: DirectInjectionDetector (3), BypassDetector (2), MemoryPoisoningDetector (2),
GoalHijackDetector (2), ExfiltrationDetector (2), InterAgentInjectionDetector (2),
VectorSimilarityDetector (2), ACLDecisionTreeDetector (4), ContentFramingDetector (4),
ConversationContext (4), Sanitizer (3), Validator (3), Canary (4).
pip install pyyaml # Only hard dependency
pip install .[fastapi] # + FastAPI middleware
pip install .[openai] # + OpenAI wrapper
pip install .[all] # All optional deps
pip install resk-logits # + generation-time shadow ban (optional)Or with uv:
uv pip install -e ".[all]"
uv pip install resklogitsRESK-LLM is part of the Resk-Security family:
- resk-logits — GPU-accelerated shadow ban logits processor with Aho-Corasick pattern matching. Integrates natively with RESK-LLM for generation-time filtering.
- Resk-LLM — This toolkit. Input-time pre-processing, post-generation validation, and multi-turn conversation security.
Together they provide end-to-end LLM pipeline security:
Input → RESK-LLM detectors → Sanitize → LLM → resk-logits shadow ban → Output validator → Canary check
