Vendor-neutral guardrails for AI coding agents. Protects against prompt injection attacks.

Project description

Context Protector

Protect AI coding agents from prompt injection attacks. Works with Claude Code and other AI coding tools.

Features

  • Prompt Injection Detection - Block malicious inputs before tool execution
  • Output Scanning - Detect threats in tool outputs (file reads, API responses)
  • Multiple Backends - LlamaFirewall (default), NeMo Guardrails, GCP Model Armor
  • Fully Local - No cloud dependencies required (optional Ollama support)

Installation

# Using uv (recommended)
uv tool install context-protector

# Using pip
pip install context-protector

# Using pipx
pipx install context-protector

Quick Start (Claude Code)

1. Install and initialize:

context-protector init

2. Add to Claude Code settings (~/.claude/settings.json):

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "*",
        "hooks": [{"type": "command", "command": "context-protector"}]
      }
    ],
    "PostToolUse": [
      {
        "matcher": "*",
        "hooks": [{"type": "command", "command": "context-protector"}]
      }
    ]
  }
}

3. Done! Context Protector will now scan all tool inputs and outputs.
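The settings snippet in step 2 is a complete `hooks` object; if your ~/.claude/settings.json already contains other settings or hooks, pasting it verbatim would overwrite them. The following is an added example (not part of the context-protector project) that merges exactly the PreToolUse and PostToolUse entries shown above into an existing settings file, keeps everything else in it, and is safe to run more than once. The merge logic and the `install_hooks` helper are this example's own; only the hook entries come from the README.

```python
"""Merge Context Protector's Claude Code hooks into an existing settings.json.

Added example, not project code. The two hook entries are the ones the README
shows; everything else (deep copy, idempotency, preserving unrelated settings)
is this example's own behaviour.
"""
import json
from pathlib import Path

HOOK_COMMAND = "context-protector"
HOOK_EVENTS = ("PreToolUse", "PostToolUse")


def _has_hook(entries: list, command: str) -> bool:
    """True if any matcher entry in `entries` already runs `command`."""
    for entry in entries:
        for hook in entry.get("hooks", []):
            if hook.get("type") == "command" and hook.get("command") == command:
                return True
    return False


def add_context_protector_hooks(settings: dict) -> dict:
    """Return a copy of `settings` with the README's PreToolUse/PostToolUse
    entries added. Existing hooks and other keys are preserved; applying the
    function twice yields the same result."""
    merged = json.loads(json.dumps(settings))  # deep copy; settings are JSON-safe
    hooks = merged.setdefault("hooks", {})
    for event in HOOK_EVENTS:
        entries = hooks.setdefault(event, [])
        if not _has_hook(entries, HOOK_COMMAND):
            entries.append({
                "matcher": "*",  # scan every tool, as in the README
                "hooks": [{"type": "command", "command": HOOK_COMMAND}],
            })
    return merged


def install_hooks(settings_path: Path) -> dict:
    """Read settings.json (or start from {} if it does not exist), merge the
    hooks in, and write the result back with 2-space indentation."""
    current = json.loads(settings_path.read_text()) if settings_path.exists() else {}
    merged = add_context_protector_hooks(current)
    settings_path.parent.mkdir(parents=True, exist_ok=True)
    settings_path.write_text(json.dumps(merged, indent=2) + "\n")
    return merged


if __name__ == "__main__":
    result = install_hooks(Path.home() / ".claude" / "settings.json")
    print(json.dumps(result, indent=2))
```

Run it once after `context-protector init`; re-running it leaves the file unchanged, so it can sit in a dotfiles bootstrap script.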

How It Works

┌─────────────────────────────────────────────────────────────┐
│                      Claude Code                            │
│                                                             │
│  Tool Request ──► PreToolUse Hook ──► context-protector     │
│                        │                    │               │
│                   [ALLOW/BLOCK]        Scan Input           │
│                        │                    │               │
│  Tool Response ◄── PostToolUse Hook ◄── context-protector   │
│                        │                    │               │
│                   [WARN/BLOCK]         Scan Output          │
└─────────────────────────────────────────────────────────────┘

Configuration

Config file: ~/.config/context-protector/config.yaml

general:
  response_mode: warn    # warn (default) or block

llama_firewall:
  scanner_mode: auto     # auto, basic, or full

Run context-protector init to create a config file with all options.

Environment Variables

All settings can be overridden with environment variables (prefix: CONTEXT_PROTECTOR_):

export CONTEXT_PROTECTOR_RESPONSE_MODE=block
export CONTEXT_PROTECTOR_SCANNER_MODE=basic

Providers

LlamaFirewall (Default)

Meta's LlamaFirewall for ML-based prompt injection detection.

Mode    Description
auto    Tries ML detection, falls back to pattern-based if auth fails
basic   Pattern-based only (no HuggingFace auth required)
full    Full ML detection (requires HuggingFace auth)

NeMo Guardrails

NVIDIA's guardrails toolkit with multiple detection modes.

Mode        Description
all         Heuristics + injection detection (default)
heuristics  Perplexity-based jailbreak detection
injection   YARA-based SQL/XSS/code injection
local       LLM-based via Ollama (fully local)

Example configuration for the local mode:

nemo_guardrails:
  mode: local
  ollama_model: mistral:7b

GCP Model Armor

Enterprise-grade content safety via Google Cloud.

gcp_model_armor:
  enabled: true
  project_id: your-project
  location: us-central1
  template_id: your-template

Response Modes

Mode   Behavior
warn   Log threats, inject warnings (default)
block  Block malicious content entirely

CLI Reference

context-protector              # Run as Claude Code hook (reads stdin)
context-protector init         # Create config file
context-protector --check      # Check content from stdin JSON
context-protector --help       # Show help
context-protector --version    # Show version

Standalone Check Mode

For integration with other tools:

echo '{"content": "test input", "type": "tool_input"}' | context-protector --check

Output:

{"safe": true, "alert": null}
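The check mode above is what another tool would call. As an added example (not part of the context-protector project), the Python client below sends the documented stdin JSON (`{"content": ..., "type": "tool_input"}`), parses the documented stdout JSON (`{"safe": ..., "alert": ...}`), and then applies the warn/block response modes from the table above on the caller's side. Two things are this example's own and not on the page: the `runner` parameter (so the CLI call can be replaced in tests) and the `fail_closed` policy, which treats a scanner that crashes or returns unparseable output as "unsafe" so a broken guard never silently becomes an open one. Values of `type` other than `tool_input` are not documented on the page and are left to the caller.

```python
"""Integrate `context-protector --check` into another tool.

Added example, not project code. Documented on the page: the request JSON on
stdin and the {"safe", "alert"} response on stdout. Assumptions of this
example: the `runner` seam, the fail-closed default, and the caller-side
warn/block handling in apply_verdict().
"""
import json
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Verdict:
    safe: bool
    alert: Optional[str]   # the scanner's alert text, or None when nothing was found
    error: Optional[str]   # set when no real verdict was obtained (scanner failure)


def _run_cli(stdin_text: str) -> subprocess.CompletedProcess:
    """Default runner: invoke the installed context-protector binary."""
    return subprocess.run(
        ["context-protector", "--check"],
        input=stdin_text, capture_output=True, text=True, timeout=60,
    )


def _failure(reason: str, fail_closed: bool) -> Verdict:
    """Verdict used when the scanner gave no answer; safe only if we fail open."""
    return Verdict(safe=not fail_closed, alert=None, error=reason)


def check_content(content: str, content_type: str = "tool_input",
                  runner: Callable[[str], subprocess.CompletedProcess] = _run_cli,
                  fail_closed: bool = True) -> Verdict:
    """Scan `content` with context-protector and return a Verdict."""
    request = json.dumps({"content": content, "type": content_type})
    try:
        proc = runner(request)
    except (OSError, subprocess.SubprocessError) as exc:   # binary missing, timeout, ...
        return _failure(f"scanner could not run: {exc}", fail_closed)
    try:
        result = json.loads(proc.stdout)
        safe = bool(result["safe"])
    except (ValueError, KeyError, TypeError):              # empty, non-JSON or unexpected output
        detail = proc.stderr.strip() or f"exit status {proc.returncode}"
        return _failure(f"no verdict from scanner: {detail}", fail_closed)
    return Verdict(safe=safe, alert=result.get("alert"), error=None)


class ContentBlocked(Exception):
    """Raised in block mode when the content is not safe."""


def apply_verdict(text: str, verdict: Verdict, mode: str = "warn") -> str:
    """Mirror the README's response modes on the caller's side:
    warn  -> pass the text through with a warning banner prepended,
    block -> refuse to hand the text on at all."""
    if verdict.safe:
        return text
    reason = verdict.alert or verdict.error or "unspecified threat"
    if mode == "block":
        raise ContentBlocked(reason)
    if mode == "warn":
        return f"[context-protector warning: {reason}]\n{text}"
    raise ValueError(f"unknown response mode: {mode}")


if __name__ == "__main__":
    # Constructed sample input; requires context-protector on PATH.
    verdict = check_content("test input")
    print(verdict)
    print(apply_verdict("test input", verdict, mode="warn"))
```

Pass `fail_closed=False` only for integrations where availability matters more than the guard (for example a non-interactive batch job that logs `verdict.error` and retries), and keep the default for anything that feeds tool output back into an agent.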

Development

git clone https://github.com/ottosulin/context-protector.git
cd context-protector
uv sync --all-groups
uv run pytest

License

MIT

Download files

Source Distribution

context_protector-1.0.0.tar.gz (28.3 kB, source)

Built Distribution

context_protector-1.0.0-py3-none-any.whl (35.9 kB, Python 3)

File details

Details for the file context_protector-1.0.0.tar.gz.

File metadata

  • Download URL: context_protector-1.0.0.tar.gz
  • Upload date:
  • Size: 28.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for context_protector-1.0.0.tar.gz
Algorithm Hash digest
SHA256 bf0a8b553105ebb97f67f134c0548e36af5da3f654c2ca55803b5d71096c3c2f
MD5 8fbb43d365024e71f8a9ec68c4bd522c
BLAKE2b-256 6ecb2743bb3274ac2892f3e2eedf86d06a773d1dba9d40e43203ccfdcd2b158c

Provenance

The following attestation bundles were made for context_protector-1.0.0.tar.gz:

Publisher: release.yml on ottosulin/context-protector

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file context_protector-1.0.0-py3-none-any.whl.

File hashes

Hashes for context_protector-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 f982961d52a22a18d16e8eb24e95b4c01650687c0d1bc3e2bd32e69a32b2d1cd
MD5 69befefc17bbf2e61b89ea8bf8f5dd7a
BLAKE2b-256 e72c0f55ead4702e02bb6130115dc6d2541285f3e4b670997a3515a840ddf8d0

Provenance

The following attestation bundles were made for context_protector-1.0.0-py3-none-any.whl:

Publisher: release.yml on ottosulin/context-protector

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
