{"passport":{"unfragile":{"@version":"1.0","version":"2026-05","artifact":{"id":"rebuff","slug":"rebuff","name":"Rebuff","type":"repo","url":"https://github.com/protectai/rebuff","page_url":"https://unfragile.ai/rebuff","categories":["code-review-security","rag-knowledge"],"tags":[],"pricing":{"model":"free","free":true,"starting_price":null},"status":"active","verified":false},"capabilities":[{"id":"rebuff__cap_0","uri":"capability://safety.moderation.multi.layered.heuristic.prompt.injection.detection","name":"multi-layered heuristic prompt injection detection","description":"Analyzes incoming prompts using fast, pattern-based keyword and rule matching to detect common prompt injection attack signatures before they reach the LLM. Operates as the first defense layer in the multi-layered strategy, using configurable thresholds to flag suspicious patterns like instruction overrides, role-play attempts, and known attack keywords. Executes synchronously with minimal latency overhead.","intents":["I want to block obvious prompt injection attempts before they reach my LLM","I need a lightweight, always-on first-pass filter that doesn't require external API calls","I want to tune detection sensitivity for my specific use case without retraining models"],"best_for":["teams building real-time LLM applications with strict latency requirements","developers deploying on resource-constrained environments","security teams needing transparent, auditable detection rules"],"limitations":["Cannot detect sophisticated, obfuscated attacks that don't match known patterns","Requires manual rule maintenance as new attack vectors emerge","High false-positive rate on legitimate inputs containing keywords like 'ignore' or 'override' in benign contexts","Language-specific rules may not generalize across non-English inputs"],"requires":["Python 3.8+ or Node.js 14+","No external dependencies for heuristic layer alone"],"input_types":["text"],"output_types":["detection_score","boolean_flag","matched_patterns"],"categories":["safety-moderation","pattern-matching"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_1","uri":"capability://safety.moderation.llm.based.semantic.prompt.injection.detection","name":"llm-based semantic prompt injection detection","description":"Delegates prompt analysis to a dedicated language model that evaluates semantic intent and malicious patterns beyond simple keyword matching. The LLM tactic accepts user input and returns a detection score based on the model's understanding of attack intent, allowing detection of sophisticated, paraphrased, or novel injection attempts. Integrates with configurable LLM backends (OpenAI, Anthropic, local models) and caches results to reduce API costs.","intents":["I need to detect sophisticated prompt injection attempts that bypass keyword filters","I want semantic understanding of whether user input is trying to manipulate my LLM","I need to detect novel attack patterns that don't match historical signatures"],"best_for":["applications handling complex, domain-specific user inputs where context matters","teams with budget for LLM API calls and can tolerate 100-500ms latency","security teams needing to detect intent-based attacks, not just pattern matches"],"limitations":["Adds 100-500ms latency per detection call depending on LLM provider and network","Requires API credentials and incurs per-request costs (typically $0.001-0.01 per call)","LLM responses are non-deterministic; same input may score differently across calls","Vulnerable to adversarial prompts designed to fool the detection model itself","Requires internet connectivity for cloud-based LLM backends"],"requires":["API key for OpenAI, Anthropic, or compatible LLM provider","Network connectivity to LLM backend","Python 3.8+ or Node.js 14+"],"input_types":["text"],"output_types":["detection_score","reasoning","confidence_level"],"categories":["safety-moderation","text-generation-language"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_10","uri":"capability://memory.knowledge.self.hardening.attack.pattern.learning.from.canary.leaks","name":"self-hardening attack pattern learning from canary leaks","description":"Automatically captures new attack patterns when canary tokens are leaked in LLM responses and stores them in the vector database for future detection. When isCanaryWordLeaked() detects a leak, the system extracts the leaked prompt, generates embeddings, and adds it to the vector database with metadata about the attack (timestamp, user, LLM model). Over time, the vector database grows with real-world attack examples, improving detection accuracy without manual threat intelligence curation.","intents":["I want my detection system to learn from real attacks and improve over time","I need to automatically capture novel attack patterns without manual analysis","I want to build institutional knowledge of attacks specific to my application"],"best_for":["organizations with mature security practices and incident response workflows","applications with high attack volume that can provide training data","teams building long-term threat intelligence programs"],"limitations":["Learning is reactive; only captures attacks that successfully leak canary tokens","No built-in deduplication; similar attacks may be stored multiple times in vector database","Requires manual review to prevent poisoning of database with false positives","Learning is application-specific; attack patterns don't transfer across different LLM applications","No feedback mechanism to validate whether learned patterns actually improve detection"],"requires":["Vector database with write access","Canary token detection enabled in application","Python 3.8+ or Node.js 14+"],"input_types":["leaked_prompt","attack_metadata"],"output_types":["vector_database_entry","attack_record"],"categories":["memory-knowledge","planning-reasoning"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_11","uri":"capability://automation.workflow.deployment.and.self.hosting.with.environment.configuration","name":"deployment and self-hosting with environment configuration","description":"Supports multiple deployment models including cloud-hosted (Netlify), Docker containerization, and self-hosted on-premise installations. Configuration is managed through environment variables for API keys, database connections, and detection thresholds, enabling different configurations per environment (dev, staging, production) without code changes. Includes Docker Compose templates for quick self-hosted setup with all dependencies (vector database, LLM backend).","intents":["I want to self-host Rebuff on-premise for compliance or data residency requirements","I need to deploy Rebuff to multiple environments with different configurations","I want to containerize Rebuff for Kubernetes or Docker Swarm deployments"],"best_for":["organizations with strict data residency or compliance requirements (HIPAA, GDPR, SOC 2)","teams deploying to Kubernetes or container orchestration platforms","enterprises with existing infrastructure and DevOps practices"],"limitations":["Self-hosting requires managing vector database and LLM backend infrastructure","Environment variable configuration is flat; no hierarchical or nested configuration support","No built-in secrets management; requires external tools (Vault, AWS Secrets Manager)","Docker Compose templates are example-only; production deployments require customization","No automatic scaling; self-hosted deployments require manual load balancing setup"],"requires":["Docker and Docker Compose for containerized deployments","Python 3.8+ or Node.js 14+ for non-containerized deployments","Vector database instance (Pinecone, Weaviate, Milvus, or self-hosted)","LLM backend (OpenAI, Anthropic, or self-hosted)"],"input_types":["environment_variables","configuration_files"],"output_types":["deployed_service","docker_image"],"categories":["automation-workflow","tool-use-integration"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_12","uri":"capability://planning.reasoning.detection.result.explanation.and.scoring.breakdown","name":"detection result explanation and scoring breakdown","description":"Returns detailed explanations for each detection decision, including per-tactic scores, matched patterns, and reasoning from the LLM-based detector. When a prompt is flagged, developers can see which tactics triggered (heuristic keywords matched, vector similarity score, LLM confidence), enabling debugging and tuning of detection rules. Scores are normalized to 0-1 range for comparison across tactics with different scoring schemes.","intents":["I want to understand why a prompt was flagged so I can tune detection rules","I need to debug false positives and adjust thresholds for my use case","I want to explain detection decisions to users or stakeholders"],"best_for":["security teams tuning detection rules and thresholds","developers debugging detection behavior","organizations needing to explain security decisions to users"],"limitations":["Explanations are tactic-specific; no unified explanation across all tactics","LLM-based explanations are non-deterministic; same input may produce different reasoning","Detailed explanations add latency (50-100ms) compared to binary detection results","No built-in visualization of score distributions or threshold comparisons"],"requires":["Python 3.8+ or Node.js 14+"],"input_types":["text"],"output_types":["detection_result_with_explanation","score_breakdown","matched_patterns"],"categories":["planning-reasoning","safety-moderation"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_2","uri":"capability://memory.knowledge.vector.database.similarity.matching.against.known.attacks","name":"vector database similarity matching against known attacks","description":"Stores embeddings of previously detected or known prompt injection attacks in a vector database and compares incoming prompts against this corpus using cosine similarity or other distance metrics. When a new prompt is submitted, it's embedded and compared to the attack vector store; if similarity exceeds a configurable threshold, the input is flagged. This layer learns from past incidents and enables cross-organization threat intelligence sharing.","intents":["I want to detect variations of attacks we've seen before without retraining models","I need to share threat intelligence about new attacks across my organization","I want a persistent memory of attack patterns that improves over time"],"best_for":["organizations with mature security practices that log and analyze attacks","teams deploying multiple LLM applications that benefit from shared threat databases","security teams building institutional knowledge of attack patterns"],"limitations":["Requires external vector database (Pinecone, Weaviate, Milvus, etc.) with associated infrastructure and costs","Embedding generation adds 50-200ms latency per request","Effectiveness depends on quality and comprehensiveness of the attack corpus; sparse databases produce false negatives","Vector similarity is sensitive to embedding model choice; switching models requires re-embedding entire corpus","No built-in mechanism to prevent poisoning of the vector database with false attack labels"],"requires":["Vector database instance (Pinecone, Weaviate, Milvus, or compatible)","Embedding model API key or local embedding service","Python 3.8+ or Node.js 14+","Network connectivity to vector database"],"input_types":["text"],"output_types":["similarity_score","matched_attack_id","confidence_level"],"categories":["memory-knowledge","safety-moderation"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_3","uri":"capability://safety.moderation.canary.token.injection.and.leak.detection","name":"canary token injection and leak detection","description":"Inserts randomly generated, unique canary words into system prompts as invisible markers, then monitors LLM outputs to detect whether the model has leaked its instructions. When a canary word appears in the model's response, it indicates the model has exposed its system prompt or instructions to the user. This mechanism detects successful prompt injection attacks even if earlier layers missed them, and enables logging of new attack patterns to the vector database for future detection.","intents":["I want to detect when my LLM has leaked its system instructions due to a prompt injection","I need to capture new attack patterns in real-time and add them to my threat database","I want to know if a user successfully manipulated my LLM even if my detection layers didn't flag it"],"best_for":["applications with sensitive system prompts that must remain confidential","teams building feedback loops to improve detection over time","security teams needing post-incident analysis and attack pattern collection"],"limitations":["Only detects leaks that occur; does not prevent attacks, only reveals them after the fact","Canary words can be detected and filtered by sophisticated attackers if they reverse-engineer the system","Requires manual integration into application code; cannot be applied retroactively to existing LLM calls","False positives if canary words collide with legitimate model outputs (rare but possible)","Adds complexity to prompt engineering; developers must manage canary word insertion and checking"],"requires":["Application code modification to call addCanaryWord() before LLM and isCanaryWordLeaked() after","Python 3.8+ or Node.js 14+","Access to LLM response text for leak detection"],"input_types":["text","system_prompt"],"output_types":["canary_word","leak_detected_boolean","leaked_content"],"categories":["safety-moderation","planning-reasoning"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_4","uri":"capability://planning.reasoning.strategy.pattern.based.detection.configuration","name":"strategy pattern-based detection configuration","description":"Organizes all detection tactics (heuristic, LLM-based, vector database, canary tokens) using the strategy design pattern, allowing developers to enable/disable specific tactics, adjust per-tactic thresholds, and compose custom detection pipelines without modifying core code. Each tactic is a pluggable strategy with a standard interface, and the SDK initializes with a sensible default strategy that includes all three main tactics. Configuration is applied at SDK initialization and can be overridden per-request.","intents":["I want to customize which detection methods run based on my security posture and latency budget","I need to tune detection sensitivity differently for different user segments or input types","I want to disable expensive detection tactics in low-risk scenarios to reduce costs"],"best_for":["teams with varying security requirements across different application features","organizations optimizing for cost-latency tradeoffs in production deployments","developers building extensible security frameworks that support custom detection tactics"],"limitations":["Strategy pattern adds abstraction overhead; developers must understand tactic interfaces to extend","No built-in A/B testing framework for comparing strategy configurations","Configuration is static per SDK instance; runtime strategy switching requires SDK re-initialization","No automatic threshold tuning; developers must manually adjust thresholds based on false positive/negative rates"],"requires":["Python 3.8+ or Node.js 14+","Understanding of strategy pattern and Rebuff's tactic interfaces"],"input_types":["configuration_object"],"output_types":["configured_sdk_instance"],"categories":["planning-reasoning","tool-use-integration"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_5","uri":"capability://tool.use.integration.python.sdk.with.synchronous.and.asynchronous.detection.apis","name":"python sdk with synchronous and asynchronous detection apis","description":"Provides Python bindings for all Rebuff detection capabilities with both synchronous (blocking) and asynchronous (non-blocking) APIs. The SDK wraps the core detection logic and handles LLM backend integration, vector database connections, and result caching. Supports context managers for resource cleanup and includes built-in retry logic with exponential backoff for transient failures in external service calls.","intents":["I want to integrate Rebuff detection into my Python LLM application with minimal code changes","I need async detection that doesn't block my application's event loop","I want automatic retry and error handling for external service failures"],"best_for":["Python developers building LLM applications with FastAPI, Django, or async frameworks","teams using Python as their primary development language","applications requiring both sync and async detection paths"],"limitations":["Python SDK only; no support for other languages (JavaScript SDK is separate)","Async API requires Python 3.7+ with asyncio support","Retry logic uses exponential backoff with fixed parameters; not customizable","No built-in connection pooling for vector database; each request may create new connections"],"requires":["Python 3.8+","pip or poetry for dependency management","Optional: API keys for LLM and vector database backends"],"input_types":["text"],"output_types":["detection_result_object","json"],"categories":["tool-use-integration","code-generation-editing"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_6","uri":"capability://tool.use.integration.javascript.typescript.sdk.with.browser.and.node.js.support","name":"javascript/typescript sdk with browser and node.js support","description":"Provides JavaScript/TypeScript bindings for Rebuff detection with support for both browser and Node.js environments. The SDK includes type definitions for all detection methods, supports both Promise-based and callback-based APIs, and handles cross-origin requests for browser deployments. Includes built-in result caching to reduce redundant API calls and supports custom fetch implementations for environments with restricted network access.","intents":["I want to add client-side prompt injection detection to my web application","I need TypeScript types for type-safe Rebuff integration in my Node.js backend","I want to cache detection results to reduce API calls in high-traffic applications"],"best_for":["JavaScript/TypeScript developers building LLM-powered web and Node.js applications","teams using modern JavaScript frameworks (React, Vue, Next.js)","applications requiring client-side security checks before sending prompts to backend"],"limitations":["Browser deployment requires CORS-enabled backend or proxy; direct API calls may be blocked","Result caching is in-memory only; not shared across browser tabs or server instances","No built-in rate limiting; high-frequency detection calls may hit API quotas","TypeScript definitions are generated from runtime code; may lag behind actual API changes"],"requires":["Node.js 14+ or modern browser with fetch API support","npm or yarn for dependency management","Optional: API keys for LLM and vector database backends"],"input_types":["text"],"output_types":["detection_result_object","json"],"categories":["tool-use-integration","code-generation-editing"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_7","uri":"capability://safety.moderation.interactive.playground.ui.for.detection.testing","name":"interactive playground ui for detection testing","description":"Provides a web-based interface for testing prompt injection detection without writing code. Users can input prompts, configure detection tactics and thresholds, and see real-time detection results with explanations. The playground supports multiple LLM backends and vector databases, allows saving test cases, and generates shareable links for collaboration. Useful for security teams to validate detection rules before deployment.","intents":["I want to test my detection configuration against known attacks before deploying","I need to collaborate with my team on detection rule tuning without code","I want to understand why a specific prompt was flagged or allowed"],"best_for":["security teams validating detection rules and thresholds","non-technical stakeholders reviewing security configurations","developers debugging detection behavior for specific inputs"],"limitations":["Playground is read-only for production data; cannot modify vector database or LLM configuration from UI","No built-in audit logging of playground usage; cannot track who tested what","Saved test cases are stored in browser localStorage; not synced across devices","Limited to single-prompt testing; no batch testing or automation"],"requires":["Web browser with JavaScript support","Network connectivity to Rebuff playground server"],"input_types":["text"],"output_types":["detection_result_object","visualization","shareable_link"],"categories":["safety-moderation","planning-reasoning"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_8","uri":"capability://memory.knowledge.pluggable.vector.database.backend.abstraction","name":"pluggable vector database backend abstraction","description":"Abstracts vector database operations behind a standard interface, allowing users to choose between Pinecone, Weaviate, Milvus, or implement custom backends. The abstraction handles embedding generation, similarity search, and result ranking. Users configure the vector database backend at SDK initialization, and the detection layer transparently uses the configured backend without code changes. Supports batch operations for bulk attack pattern ingestion.","intents":["I want to use my existing vector database infrastructure with Rebuff","I need to choose a vector database based on compliance or cost requirements","I want to implement a custom vector database backend for specialized use cases"],"best_for":["organizations with existing vector database infrastructure","teams with specific compliance requirements (e.g., on-premise, HIPAA, GDPR)","developers building custom threat intelligence systems"],"limitations":["Abstraction adds ~50-100ms latency per similarity search due to serialization overhead","Custom backend implementation requires understanding Rebuff's vector database interface","No automatic schema migration when switching backends; requires manual data migration","Batch operations are not atomic; partial failures may leave database in inconsistent state"],"requires":["Vector database instance (Pinecone, Weaviate, Milvus, or custom)","Python 3.8+ or Node.js 14+","API credentials or connection string for vector database"],"input_types":["text","embeddings"],"output_types":["similarity_results","matched_attacks"],"categories":["memory-knowledge","tool-use-integration"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__cap_9","uri":"capability://automation.workflow.result.caching.with.configurable.ttl.and.eviction.policies","name":"result caching with configurable ttl and eviction policies","description":"Caches detection results in memory with configurable time-to-live (TTL) and eviction policies (LRU, LFU, FIFO). When the same prompt is submitted multiple times within the TTL window, cached results are returned without re-running detection tactics, reducing latency and API costs. Cache key is computed from prompt hash and configuration state, ensuring cache hits only occur for identical inputs and settings. Supports cache invalidation on demand.","intents":["I want to reduce detection latency for repeated prompts without sacrificing accuracy","I need to minimize API costs by avoiding redundant LLM and vector database calls","I want to control cache memory usage with configurable eviction policies"],"best_for":["applications with repetitive user inputs or batch processing","cost-sensitive deployments where API call reduction is critical","high-throughput systems where latency reduction is important"],"limitations":["Cache is in-memory only; not shared across SDK instances or server processes","Cache key is based on prompt hash; semantic variations of the same attack may not hit cache","TTL is global; cannot set different TTLs for different detection tactics","No distributed caching support; multi-server deployments require separate caches per instance","Cache invalidation is manual; no automatic invalidation when vector database is updated"],"requires":["Python 3.8+ or Node.js 14+","Available memory for cache storage (configurable max size)"],"input_types":["text"],"output_types":["cached_detection_result","cache_hit_boolean"],"categories":["automation-workflow","data-processing-analysis"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"rebuff__headline","uri":"capability://safety.moderation.self.hardening.prompt.injection.detection.framework","name":"self-hardening prompt injection detection framework","description":"Rebuff is an open-source security framework designed to protect AI applications from prompt injection attacks using multi-layered defenses, including heuristic analysis and LLM-based detection.","intents":["best prompt injection detection tool","prompt injection prevention for AI applications","open-source security framework for LLMs","how to secure AI from prompt injections","self-hardening prompt detection solutions"],"best_for":["AI developers","security engineers"],"limitations":[],"requires":[],"input_types":["user prompts"],"output_types":["detection alerts","security reports"],"categories":["safety-moderation"],"confidence":0.5,"matches":0,"success_rate":0}],"trust":{"score":57,"verified":false,"data_access_risk":"high","permissions":["Python 3.8+ or Node.js 14+","No external dependencies for heuristic layer alone","API key for OpenAI, Anthropic, or compatible LLM provider","Network connectivity to LLM backend","Vector database with write access","Canary token detection enabled in application","Docker and Docker Compose for containerized deployments","Python 3.8+ or Node.js 14+ for non-containerized deployments","Vector database instance (Pinecone, Weaviate, Milvus, or self-hosted)","LLM backend (OpenAI, Anthropic, or self-hosted)"],"failure_modes":["Cannot detect sophisticated, obfuscated attacks that don't match known patterns","Requires manual rule maintenance as new attack vectors emerge","High false-positive rate on legitimate inputs containing keywords like 'ignore' or 'override' in benign contexts","Language-specific rules may not generalize across non-English inputs","Adds 100-500ms latency per detection call depending on LLM provider and network","Requires API credentials and incurs per-request costs (typically $0.001-0.01 per call)","LLM responses are non-deterministic; same input may score differently across calls","Vulnerable to adversarial prompts designed to fool the detection model itself","Requires internet connectivity for cloud-based LLM backends","Learning is reactive; only captures attacks that successfully leak canary tokens","builder identity is not verified yet","no observed match outcomes yet"],"rank_breakdown":{"adoption":0.7,"quality":0.9,"ecosystem":0.49999999999999994,"match_graph":0.25,"freshness":0.52,"weights":{"adoption":0.3,"quality":0.2,"ecosystem":0.15,"match_graph":0.3,"freshness":0.05}},"observed_outcomes":{"matches":0,"success_rate":0,"avg_confidence":0,"top_intents":[],"last_matched_at":null},"maintenance":{"status":"active","updated_at":"2026-06-17T09:51:05.296Z","last_scraped_at":null,"last_commit":null},"community":{"stars":null,"forks":null,"weekly_downloads":null,"model_downloads":null,"model_likes":null}},"distribution":{"claim_url":"https://unfragile.ai/submit?claim=rebuff","compare_url":"https://unfragile.ai/compare?artifact=rebuff"}},"signature":"HBLh3/TPXijUM91S8lxVWTGIMVQrpBLKFpzfRpXvexpO9pd9l5jtP25vbCSsBGrQd3a5QxI/7f7NewTawOdfDw==","signedAt":"2026-06-21T14:20:47.570Z","signedBy":"unfragile.ai","version":1},"_links":{"self":"https://unfragile.ai/api/v1/passport/rebuff","artifact":"https://unfragile.ai/rebuff","verify":"https://unfragile.ai/api/v1/verify?slug=rebuff","publicKey":"https://unfragile.ai/api/v1/trust-passport-public-key","spec":"https://unfragile.ai/trust","schema":"https://unfragile.ai/schema.json","docs":"https://unfragile.ai/docs"}}