README

Warden for Laravel

Enterprise prompt sanitization & LLM guardrails for Laravel — deterministic-first, offline-by-default, EU-resident.

Warden sits between your application and any LLM as a bidirectional guardrail layer. On the way in it normalises and inspects prompts (prompt injection, jailbreak, PII, secrets); on the way out it validates and filters the model's response (unsafe content, data leaks, markdown exfiltration, malformed output).

It is hybrid and modular: a deterministic core (regex, deny-lists, heuristics, Unicode normalization) that runs offline at zero cost, plus optional, swappable AI drivers (moderation APIs, self-hosted classifiers, LLM-as-judge) for semantic coverage when you want it. Zero mandatory dependencies beyond illuminate/contracts.

📚 Full documentation: laravel-warden.selli.io

Why Warden

• Deterministic-first. The rule layer is fast (p95 < 5 ms), free, explainable and fully testable. AI drivers are a second stage, never a prerequisite.
• Normalize before every check. A single pass (NFKC, confusable folding, invisible/bidi stripping, de-leet, spacing collapse, recursive base64/hex decode) precedes every detector — so deny-lists can't be trivially bypassed.
• Find vs. act are separate. Detectors return typed spans; the action (allow / redact / mask / encrypt / block / flag) is a policy decision.
• EU/Italy aware. Codice Fiscale, P.IVA, IBAN with checksum validation; GDPR / EU AI Act friendly; nothing leaves your infrastructure by default.

Installation

composer require sellinnate/warden

Publish the config (optional):

php artisan vendor:publish --tag=warden-config

Quick start

use Sellinnate\Warden\Facades\Warden;

// Inspect only — returns a Verdict, mutates nothing
$verdict = Warden::inspect($userPrompt);

if ($verdict->blocked()) {
    abort(422, 'Prompt not allowed.');
}

// Sanitize — returns the Verdict with cleaned text ready for the LLM
$clean = Warden::sanitize($userPrompt)->sanitizedText;

// Inspect the LLM output, restoring pseudonymized values from the Vault
$safe = Warden::inspectOutput($llmResponse, vault: $verdict->vault)->sanitizedText;

What it covers

Anchored to the OWASP Top 10 for LLM Applications (2025):

PII is EU/Italy-first with checksum-validated entities (Codice Fiscale incl. omocodia, Partita IVA, IBAN, credit cards). The reversible Vault lets you send de-identified text to the model and restore the user's real data in the answer.

Surfaces

// Facade one-liners
Warden::inspect($text); Warden::sanitize($text); Warden::inspectOutput($text, vault: $v);

// Validation rules
'prompt' => ['required', 'string', new NoPromptInjection],
'bio'    => ['nullable', 'string', new NoPii],

// HTTP middleware (scans nested fields, JSON-aware output)
Route::post('/chat', ChatController::class)->middleware('warden:input,strict');

// RAG / retrieval guard, fluent pipeline, custom policies, events, audit, cache…

Documentation

Full, exhaustive docs at laravel-warden.selli.io:

• Quick Start · Configuration
• Architecture · Normalization · Policies
• Scanners: Injection · Secrets · PII · NSFW · Output
• AI Drivers · Vault round-trip · RAG guard

Testing

composer test        # Pest
composer analyse     # PHPStan level 8
composer format      # Pint

Security

If you discover a security vulnerability, please review SECURITY.md for the responsible-disclosure process. Do not open a public issue.

Credits

• Filippo Calabrese and Sellinnate S.r.l.

License

The MIT License (MIT). See LICENSE.md.