What's New in elsai Guardrails
Stay up to date with the latest features and improvements in elsai Guardrails.
Latest Release
Version 0.1.5 - July 2026
This release adds ARMS-backed run persistence and output data exfiltration detection:
ARMS Storage (Multi-Database)
Persist guardrail runs through the ARMS Backend to MongoDB, DynamoDB, or ClickHouse — automatically selected by your deployment.
Key Features:
- Backend API persistence with automatic db_type discovery
- ARMS correlation via link_arms(), link_run_context(), or environment variables
- Buffered collection of checks, generate results, tool auth, and rate-limit events
- Optional SHA-256 text redaction with store_raw_text: false
Learn more about ARMS Storage →
Quick Example:
```yaml
guardrails:
  storage:
    enabled: true
    project: my-app
    arms_correlation: true
```

```bash
export API_BASE_URL=https://your-arms-backend
export ELSAI_ARMS_API_KEY=your-api-key
```

Data Exfiltration Detection
Block or mask LLM responses that leak credentials, bulk PII, or export-style payloads.
Key Features:
- Secret, bulk sensitive, and abnormal output detectors with risk scoring
- Configurable warn (mask) and block thresholds
- Output-only checks integrated with GuardrailSystem and LLMRails
- Results persisted when ARMS storage is enabled
Learn more about Data Exfiltration Detection →
Quick Example:
```yaml
guardrails:
  data_exfiltration:
    enabled: true
    action_thresholds:
      warn: 20
      block: 80
    detectors:
      secrets: true
      bulk_sensitive: true
      abnormal_patterns: true
```

Migration Note
Direct database storage (storage.backend: mongodb|dynamodb|clickhouse) was removed. Use ARMS Backend storage instead. See ARMS Storage.
Version 0.1.4 - June 2026
This release adds agent safety controls for tool access and abuse prevention:
Tool Authorization
Ensure agents can access only approved tools through policy-driven allowlists and role-based permissions.
Key Features:
- Global denied_tools and role-based allowed_tools lists
- Sensitive tool gating with explicit approval metadata
- Pre-execution hooks via before_tool_call() for agent frameworks
- LangGraph integration with authorization nodes
Learn more about Tool Authorization →
Quick Example:
```yaml
guardrails:
  tool_authorization:
    enabled: true
    denied_tools:
      - execute_shell
    roles:
      analyst:
        allowed_tools:
          - search_web
          - calculator
```

Rate Limiting & Abuse Prevention
Protect systems from excessive requests, infinite loops, and denial-of-wallet attacks.
Key Features:
- Per-session request and tool call quotas
- Cumulative tool execution time limits
- Session tracking with create_session() and agent hooks
- LangGraph integration with rate-limit nodes
Learn more about Rate Limiting →
Quick Example:
```yaml
guardrails:
  rate_limit:
    enabled: true
    max_requests_per_session: 5
    max_tool_calls_per_session: 50
    max_tool_execution_seconds: 60
```

Token Budget Enforcement Update
New block_on_exceeded policy option controls enforcement behavior:
- true: Block requests that exceed the token budget
- false: Emit a warning and allow processing to continue
```yaml
guardrails:
  token_budget:
    enabled: true
    block_on_exceeded: true
```

Learn more about Token Budget Enforcement →
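The Tool Authorization and Rate Limiting controls in this release (global deny list, role allowlists, per-session tool quotas) can be pictured as one pre-execution gate. The sketch below is an added illustration, not elsai Guardrails code: ToolGate, its methods and the reason strings are hypothetical, and deny-over-allow precedence and default-deny for unknown roles are assumptions; only the policy keys come from the Quick Examples.

```python
import time

# Constructed policy in parsed form, reusing the YAML keys from the Quick Examples.
# The quota of 3 is a constructed value so the limit is easy to reach in a test.
POLICY = {
    "tool_authorization": {
        "denied_tools": ["execute_shell"],
        "roles": {"analyst": {"allowed_tools": ["search_web", "calculator"]}},
    },
    "rate_limit": {"max_tool_calls_per_session": 3, "max_tool_execution_seconds": 60},
}


class ToolGate:
    """Hypothetical per-session gate; not the elsai Guardrails implementation."""

    def __init__(self, policy, role):
        auth, self.limits = policy["tool_authorization"], policy["rate_limit"]
        self.denied = set(auth.get("denied_tools", []))
        # Unknown role -> empty allowlist, i.e. default deny (assumption).
        self.allowed = set(auth.get("roles", {}).get(role, {}).get("allowed_tools", []))
        self.calls = 0
        self.exec_seconds = 0.0

    def check(self, tool):
        """Return (allowed, reason) before a tool runs; denials consume no quota."""
        if tool in self.denied:  # global deny wins over any role allowlist (assumption)
            return False, "denied_tool"
        if tool not in self.allowed:
            return False, "not_in_role_allowlist"
        if self.calls >= self.limits["max_tool_calls_per_session"]:
            return False, "tool_call_quota_exceeded"
        if self.exec_seconds >= self.limits["max_tool_execution_seconds"]:
            return False, "tool_time_budget_exceeded"
        return True, "ok"

    def run(self, tool, fn, *args):
        """Authorize, execute, and charge the call and its wall time to the session."""
        ok, reason = self.check(tool)
        if not ok:
            raise PermissionError(f"{tool}: {reason}")
        self.calls += 1
        start = time.monotonic()
        try:
            return fn(*args)
        finally:
            self.exec_seconds += time.monotonic() - start
```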
Version 0.1.3 - June 2026
This release adds enterprise-grade data protection and resource controls:
PII/PHI Detection and Data Masking
Identify sensitive personal and health information with configurable policies, confidence thresholds, and data masking.
Key Features:
- Entity-based detection powered by Microsoft Presidio Analyzer
- Support for PERSON, LOCATION, EMAIL_ADDRESS, PHONE_NUMBER, CREDIT_CARD, NRP, MEDICAL_LICENSE, US_SSN, IBAN_CODE, and IP_ADDRESS
- Configurable confidence thresholds with per-entity overrides
- Policy-driven actions: flag, block, review, or pass
- Data masking and regex-based PHI pattern detection
- Audit logging with entity type, confidence score, action taken, session ID, and timestamp
Learn more about PII/PHI Detection →
Quick Example:
```yaml
guardrails:
  pii:
    enabled: true
    input_checks: true
    output_checks: true
    default_confidence_threshold: 0.5
    default_action: flag
    default_mask: true
    enable_phi_detection: true
    entity_types:
      - PERSON
      - EMAIL_ADDRESS
      - PHONE_NUMBER
      - US_SSN
    entity_policies:
      US_SSN:
        action: block
        mask: true
```

Token Budget Enforcement
Control token usage by computing the full request context and rejecting oversized requests before LLM processing.
Key Features:
- Full-context token calculation including system prompts and conversation history
- Configurable per-request and per-run token limits
- Reserved output token allocation
- Rejection of requests that exceed configured budgets
Learn more about Token Budget Enforcement →
Quick Example:
```yaml
guardrails:
  token_budget:
    enabled: true
    input_checks: true
    max_request_tokens: 50
    max_run_tokens: 80
    reserved_output_tokens: 10
```

Version 0.1.2 - May 2026
Improvements:
- Fixed bugs in off-topic detection
- Added large text processing support for toxicity and sensitive data detection
- Added support for elsai-model 2.0.0
Version 0.1.1 - January 2026
We're excited to announce two powerful new features that expand guardrail capabilities:
Off-Topic Detection
Keep your AI conversations focused and on-track with configurable topic boundaries.
Key Features:
- Define multiple allowed topics with descriptive guidelines
- Semantic matching to detect off-topic user inputs
- Flexible blocking or detection-only modes
- Perfect for specialized bots and assistants
Learn more about Off-Topic Detection →
Quick Example:
```yaml
guardrails:
  check_off_topic: true
  block_off_topic: true
  allowed_topics:
    - name: "Product Support"
      description: "Questions about our products and services"
    - name: "Order Management"
      description: "Order tracking, shipping, and delivery inquiries"
```

SQL Syntax Validation
Validate SQL queries before execution to catch errors early and improve reliability.
Key Features:
- Support for 7 major SQL dialects (PostgreSQL, MySQL, SQL Server, SQLite, MongoDB, Oracle, Redshift)
- Detect syntax errors in user input or LLM-generated queries
- Prevent malformed queries from reaching your database
- Essential for text-to-SQL applications
Learn more about SQL Syntax Validation →
Quick Example:
```yaml
guardrails:
  check_sql_syntax: true
  sql_dialect: "postgresql"  # or mysql, sqlserver, sqlite, mongodb, oracle, redshift
```

Getting Started with New Features
Try ARMS Storage
```yaml
guardrails:
  storage:
    enabled: true
    project: my-app
    arms_correlation: true
```

```python
from elsai_guardrails.guardrails import LLMRails

rails = LLMRails.from_config("config.yml")
rails.guardrail_system.link_run_context(
    run_id="run-1",
    project_id="project-1",
)
rails.generate(messages=[{"role": "user", "content": "Hello"}])
rails.guardrail_system.end_run()
```

Try Data Exfiltration Detection
```yaml
guardrails:
  data_exfiltration:
    enabled: true
    action_thresholds:
      warn: 20
      block: 80
```

```python
from elsai_guardrails.guardrails import GuardrailSystem, GuardrailConfig
from elsai_guardrails.guardrails.guardrail_policy import GuardrailPolicy

policy = GuardrailPolicy.from_yaml("config.yml")
guardrail = GuardrailSystem(
    config=GuardrailConfig(check_toxicity=False, check_sensitive_data=False),
    output_checks=True,
    guardrail_policy=policy,
)

# Placeholder: replace with the text returned by your LLM.
llm_response = "Your order has shipped."
result = guardrail.check_output(llm_response)
print(result.exfiltration)
```

Try PII/PHI Detection
```python
from elsai_guardrails.guardrails import GuardrailSystem, GuardrailConfig

config = GuardrailConfig.from_yaml("config.yml")
guardrail = GuardrailSystem(config=config.guardrails)
result = guardrail.check_input("Contact John at john@example.com or 555-123-4567")
```

Try Token Budget Enforcement
```yaml
guardrails:
  token_budget:
    enabled: true
    input_checks: true
    max_request_tokens: 50
    max_run_tokens: 80
    reserved_output_tokens: 10
```

Try Off-Topic Detection
```python
from elsai_guardrails.guardrails import GuardrailSystem, GuardrailConfig

config = GuardrailConfig(
    check_off_topic=True,
    block_off_topic=True,
    allowed_topics=[
        {
            "name": "Tech Support",
            "description": "Technical questions and troubleshooting"
        }
    ]
)
guardrail = GuardrailSystem(config=config)
result = guardrail.check_input("What's the weather today?")  # Off-topic, will be blocked
```

Try SQL Syntax Validation
```python
from elsai_guardrails.guardrails import GuardrailSystem, GuardrailConfig

config = GuardrailConfig(
    check_sql_syntax=True,
    sql_dialect="postgresql"
)
guardrail = GuardrailSystem(config=config)
result = guardrail.check_input("SELECT * FROM users WHERE active = true")  # Valid SQL
```

Previous Features
Core Guardrails
All existing guardrails continue to work seamlessly:
- Toxicity Detection - Identify and block harmful content
- Sensitive Data Protection - Detect PII like emails, phone numbers, credit cards
- Semantic Classification - Prevent jailbreak attempts and malicious requests
- Multi-LLM Support - Works with OpenAI, Anthropic, Gemini, AWS Bedrock, and more
Migration Guide
Upgrading to v0.1.5 is seamless for standard guardrail configurations — all existing check policies work without changes.
Opt-in Features
New features in 0.1.5 are disabled by default:
```yaml
guardrails:
  storage:
    enabled: false
  data_exfiltration:
    enabled: false
```

Adding New Features
```yaml
guardrails:
  storage:
    enabled: true
    project: my-app
    arms_correlation: true
  data_exfiltration:
    enabled: true
    action_thresholds:
      warn: 20
      block: 80
  tool_authorization:
    enabled: true
    denied_tools:
      - execute_shell
  rate_limit:
    enabled: true
    max_requests_per_session: 5
```

Resources
- ARMS Storage Guide
- Data Exfiltration Detection Guide
- Tool Authorization Guide
- Rate Limiting Guide
- PII/PHI Detection Guide
- Token Budget Enforcement Guide
- Off-Topic Detection Guide
- SQL Syntax Validation Guide
- Configuration Reference
- YAML Configuration Examples
- Release Notes
Feedback
We'd love to hear your thoughts on the new features! If you have questions, suggestions, or issues:
- Check our FAQ
- Review Examples
- See Advanced Usage
Ready to get started? Quick Start Guide →
