Deterministic authorization for LLM tool calls. Policy-based security that cannot be bypassed by prompt injection.
LLMs are probabilistic. Security decisions must be deterministic.
prompt = f"""
Should user {user_id} access {file}?
Respond yes or no.
"""
response = llm.complete(prompt)
# Can be jailbroken
# Different outputs for same inputs
# 100-500ms latency, $0.01/check
@auth.authorize("read", resource="file")
async def read_file(path, user):
# Policy: user.id == file.owner_id
return open(path).read()
# Cannot be bypassed by any input
# Same input = same output, always
# <1ms latency, $0/check
Get Proxilion running in under 5 minutes.
pip install proxilion
from proxilion import Proxilion, Policy, UserContext
auth = Proxilion()
@auth.policy("file_access")
class FileAccessPolicy(Policy):
"""Users can only access their own files."""
def evaluate(self, context) -> bool:
user = context.user
file_owner = context.tool_call.parameters.get("owner_id")
return user.user_id == file_owner
@auth.authorize("read", resource="file_access")
async def read_file(path: str, owner_id: str, user: UserContext = None):
"""Read a file - only accessible to the owner."""
with open(path) as f:
return f.read()
user = UserContext(user_id="alice", roles=["user"])
# Allowed - alice accessing her own file
content = await read_file("/data/alice/notes.txt", owner_id="alice", user=user)
# Denied - alice trying to access bob's file
try:
content = await read_file("/data/bob/secrets.txt", owner_id="bob", user=user)
except AuthorizationError:
print("Access denied")
Every security check is deterministic, auditable, and sub-millisecond.
Define authorization as Python code. RBAC, ABAC, or custom logic. Testable and auditable.
Block prompt injection, SQL injection, and command injection with regex patterns.
Detect and redact API keys, credentials, and PII before they leave your system.
Prevent agents from accessing resources they shouldn't. Runtime ownership validation.
Token bucket and sliding window algorithms. Per-user, per-agent, per-tool limits.
Hash-chained, tamper-evident logs. Every decision recorded for compliance.
Cryptographically bind user intent with HMAC signatures that can't be hijacked.
Emergency halt for runaway agents. Triggered by cost, error rate, or manual intervention.
Z-score statistical analysis detects when agent behavior deviates from baseline.
Proxilion runs inside your application, intercepting every tool call.
Comprehensive protection against Agentic Security Initiative risks.
| OWASP Risk | Proxilion Control |
|---|---|
| ASI01 Goal Hijacking | Intent Capsules with HMAC signatures |
| ASI02 Tool Misuse | Policy-based authorization engine |
| ASI03 Privilege Escalation | Role-based policies, IDOR protection |
| ASI04 Data Exfiltration | Output guards with pattern detection |
| ASI05 IDOR via LLM | Runtime ownership validation |
| ASI06 Memory Poisoning | Memory integrity guard with hash chains |
| ASI07 Insecure Agent Comms | Agent trust manager with HMAC messaging |
| ASI08 Resource Exhaustion | Rate limiting, circuit breaker |
| ASI09 Shadow AI | Comprehensive audit logging |
| ASI10 Rogue Agents | Behavioral drift detection, kill switch |
Additional security tools for specific use cases.
Open source. Zero dependencies. Deploy in minutes.
Get Started on GitHub