Castra – Strip orchestration rights from your LLMs

Intercepts and modifies LLM prompts to remove or restrict orchestration directives, function-calling permissions, and tool-use capabilities before they reach the model. Works by parsing incoming prompts, identifying orchestration-related instructions (tool invocation, workflow control, agent loops), and either stripping them entirely or replacing them with constrained versions that prevent unauthorized execution. Uses pattern matching and instruction rewriting to maintain semantic intent while removing dangerous orchestration primitives.

Provides a command-line interface for batch processing prompts through a transformation pipeline that validates, modifies, and logs changes to LLM instructions. Accepts prompts as input (via stdin, files, or API), applies orchestration stripping rules, validates the output against a policy schema, and returns sanitized prompts with detailed change logs. Implements a composable filter chain architecture where each stage (detection, stripping, validation, logging) can be independently configured or extended.

Analyzes prompts to identify and classify different types of orchestration directives (tool-calling, function invocation, agent loops, workflow control, multi-step planning). Uses pattern recognition and semantic analysis to detect both explicit orchestration instructions (e.g., 'call the weather API') and implicit ones (e.g., 'use available tools to solve this'). Classifies detected capabilities by type and severity, enabling fine-grained policy decisions about which to allow, restrict, or remove.

Enforces user-defined policies that specify which orchestration capabilities are allowed, restricted, or forbidden in prompts. Policies are defined as configuration files (YAML/JSON) that map capability types to enforcement actions (allow, restrict, deny). During prompt processing, the system checks detected capabilities against the policy and either permits them, applies restrictions (e.g., rate limiting, approval gates), or blocks them entirely. Supports role-based policies where different users or contexts have different capability allowances.

Automatically rewrites prompts to add explicit constraints on orchestration capabilities, converting unrestricted orchestration requests into bounded versions. For example, converts 'use any available tools to solve this' into 'use only the following tools: [list] and make at most 3 function calls'. Uses template-based rewriting that preserves the original intent while adding safety boundaries. Supports custom rewrite rules that can be tailored to specific LLM models or use cases.