Runtime Security
BrainstormRouter's 4-stage runtime security model — pre-model, pre-tool, post-tool, post-model enforcement
BrainstormRouter's security subsystems are organized into four logical stages, each containing independent enforcement components. These components are production-grade and individually active — this page maps where each subsystem operates in the request lifecycle.
The 4-Stage Model
Request → [Pre-Model] → Model → [Pre-Tool] → Tool → [Post-Tool] → [Post-Model] → Response
Stage 1: Pre-Model
Inspects inbound requests before they reach the model router.
| Component | What It Does | Configuration |
|---|---|---|
| Guardrails Chain | PII scanning, jailbreak detection, topic restriction | PUT /v1/guardrails/config |
| Guardian Intelligence | Cost estimation, velocity anomaly detection, budget seatbelts | X-BR-Max-Estimated-Cost header |
| PII Scanner | Email, phone, SSN, credit card detection with redaction | Built-in + pluggable backends (Presidio, Google DLP) |
Enforcement actions: Block (403), Redact (rewrite), Warn (headers only), Off.
Stage 2: Pre-Tool
Inspects tool calls in LLM responses before tool execution.
| Component | What It Does | Configuration |
|---|---|---|
| Tool Call Firewall | Deny list, argument validation, RBAC scope checks, secret redaction | Per-tenant firewall config |
| Tool Governance Engine | Deep intent classification, role hierarchy evaluation, approval workflows | PUT /v1/security/policies |
| Intent Classifier | Pattern-based threat detection (SQL injection, code execution, privilege escalation) | Deterministic — no configuration needed |
| MCP Governor | Tool allowlist, parameter validation, session rate limiting, approval queue | PUT /v1/mcp/governance/policy |
Enforcement actions: Block, Warn, Log, Quarantine, Require Approval (202 Accepted).
Stage 3: Post-Tool
Inspects tool execution results before they reach the model for the next turn.
| Component | What It Does | Configuration |
|---|---|---|
| Output Sanitizer | Strips secrets, internal IDs, and file paths from tool results | Automatic |
| Result Size Limiter | Truncates oversized tool outputs to prevent context exhaustion | Per-tenant tool config |
Enforcement actions: Redact, Truncate, Log.
Stage 4: Post-Model
Inspects model output before it reaches the client. Includes both batch and streaming enforcement.
| Component | What It Does | Configuration |
|---|---|---|
| Outbound Guardrails | PII detection, content filtering, governance validation on completions | PUT /v1/guardrails/config |
| Streaming Guardrails | Token-by-token PII detection, content safety, governance rule validation | Buffered window evaluation |
| Governance Validator | Validates output against tenant governance rules (e.g., "never mention competitors") | Memory-embedded governance rules |
Enforcement actions: Block, Redact, Truncate, Replace, Warn.
Cross-Cutting Systems
These systems operate across all stages:
| System | Purpose | API |
|---|---|---|
| RBAC | 5 roles (admin, developer, auditor, operator, agent), 30+ permissions | Role assignment via API keys |
| Policy Engine | Declarative rules with priority, exemptions, and conditions | GET/PUT /v1/security/policies |
| Anomaly Detection | Adaptive 3σ thresholds per sender/service with rolling windows | GET /v1/security/anomalies |
| SSRF Guard | Blocks provider endpoints targeting internal services or cloud metadata | Automatic — deployment-mode aware |
| Egress Allowlist | Per-service domain allowlists for outbound requests | Per-service configuration |
| Kill Switch | Emergency routing suspension per tenant | POST /v1/killswitch/activate |
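The cross-cutting Anomaly Detection row describes adaptive 3σ thresholds per sender/service over rolling windows. The following is an added illustration of that technique, not BrainstormRouter's code: the (sender, service) keying, the window size, the warm-up minimum and the constructed cost samples are assumptions.

```python
from collections import defaultdict, deque
from math import sqrt


class RollingAnomalyDetector:
    """Adaptive mean + k-sigma threshold over a rolling window, keyed by (sender, service).

    Illustration only (not BrainstormRouter's implementation): every observation is
    added to the window, so a sustained shift gradually becomes the new baseline.
    """

    def __init__(self, window: int = 50, sigma: float = 3.0, min_samples: int = 10):
        self.sigma = sigma
        self.min_samples = min_samples
        self._history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, sender: str, service: str, value: float) -> dict:
        hist = self._history[(sender, service)]
        n = len(hist)
        threshold, anomalous = None, False
        if n >= self.min_samples:  # no verdict until the window holds enough history
            mean = sum(hist) / n
            std = sqrt(sum((x - mean) ** 2 for x in hist) / n)
            threshold = mean + self.sigma * std
            anomalous = value > threshold
        hist.append(value)
        return {"sender": sender, "service": service, "value": value,
                "threshold": threshold, "anomalous": anomalous}


# Constructed sample: ten baseline per-request cost estimates (USD) for one
# sender/service pair, then one normal request and one spike.
SAMPLE_COSTS = [0.010, 0.012, 0.011, 0.009, 0.010, 0.012, 0.011, 0.009, 0.010, 0.012]


def run_sample() -> list:
    det = RollingAnomalyDetector(window=20, min_samples=10)
    for cost in SAMPLE_COSTS:
        det.observe("tenant-a", "openai", cost)  # warm-up, no verdicts yet
    normal = det.observe("tenant-a", "openai", 0.011)
    spike = det.observe("tenant-a", "openai", 0.500)
    return [normal, spike]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

A zero-variance window makes any increase exceed the threshold, so a production detector would add a minimum margin on top of the 3σ band.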
API Endpoint Mapping
| Endpoint | Stage | Purpose |
|---|---|---|
| GET /v1/security/status | Cross-cutting | Policy version + anomaly count |
| GET /v1/security/policies | Cross-cutting | Current ruleset |
| PUT /v1/security/policies | Cross-cutting | Update ruleset |
| POST /v1/security/policies/test | Cross-cutting | Test context against rules |
| GET /v1/security/anomalies | Cross-cutting | Recent anomaly alerts |
| GET /v1/guardrails/providers | Pre-model, Post-model | Available providers |
| PUT /v1/guardrails/config | Pre-model, Post-model | Tenant guardrail config |
| POST /v1/guardrails/test | Pre-model | Test content against pipeline |
| PUT /v1/mcp/governance/policy | Pre-tool | MCP tool policies |
SDK Examples
JavaScript

```javascript
import BrainstormRouter from "brainstormrouter";

const br = new BrainstormRouter({ apiKey: "br_live_..." });

// Check security status (policy + anomaly)
const status = await br.security.status();

// Get and update policy rules
const policies = await br.security.getPolicies();
await br.security.updatePolicies({
  version: "1",
  rules: [
    {
      id: "block-competitor-mentions",
      action: "deny",
      description: "Prevent competitor name leakage",
      conditions: [{ field: "output.text", op: "matches", value: "competitor" }],
    },
  ],
});

// Test a context against policies
const policyResult = await br.security.testPolicy({
  "tool.name": "web_search",
  action: "tool_call",
});

// Get guardrail config
const guardrailConfig = await br.guardrails.getConfig();

// Update guardrail config
await br.guardrails.updateConfig({
  enabled: true,
  mode: "block",
  providers: [{ id: "builtin" }, { id: "pii" }],
});

// Test guardrails
const result = await br.guardrails.test("User SSN is 123-45-6789");
```
Python

```python
from brainstormrouter import BrainstormRouter

br = BrainstormRouter(api_key="br_live_...")

# Check security status (policy + anomaly)
status = br.security.status()

# Get and update policy rules
policies = br.security.get_policies()
br.security.update_policies({
    "version": "1",
    "rules": [
        {
            "id": "block-competitor-mentions",
            "action": "deny",
            "description": "Prevent competitor name leakage",
            "conditions": [{"field": "output.text", "op": "matches", "value": "competitor"}],
        }
    ],
})

# Test a context against policies
policy_result = br.security.test_policy({
    "tool.name": "web_search",
    "action": "tool_call",
})

# Get guardrail config
guardrail_config = br.guardrails.get_config()

# Update guardrail config
br.guardrails.update_config({
    "enabled": True,
    "mode": "block",
    "providers": [{"id": "builtin"}, {"id": "pii"}],
})

# Test guardrails
result = br.guardrails.test("User SSN is 123-45-6789")
```
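The Policy Engine row above describes declarative rules with priority, exemptions and conditions, and the SDK examples show the rule shape (`id`, `action`, `conditions` of `field`/`op`/`value`) plus the context passed to the policy test call. The following is an added local evaluator that illustrates how such a ruleset can be applied to a context; it is not BrainstormRouter's engine, and the `priority` and `exemptions` keys, the `eq`/`in` operators and the `require_approval` action name are assumptions.

```python
import re

# Constructed ruleset in the shape used by the SDK examples above. The "priority"
# and "exemptions" keys, the "eq"/"in" ops and the "require_approval" action are
# assumptions for this illustration, not documented BrainstormRouter fields.
SAMPLE_RULESET = {
    "version": "1",
    "rules": [
        {
            "id": "block-competitor-mentions",
            "action": "deny",
            "priority": 10,
            "conditions": [{"field": "output.text", "op": "matches", "value": r"\bcompetitor\b"}],
            "exemptions": [{"field": "principal.role", "op": "eq", "value": "auditor"}],
        },
        {
            "id": "approve-shell-tools",
            "action": "require_approval",
            "priority": 20,
            "conditions": [
                {"field": "action", "op": "eq", "value": "tool_call"},
                {"field": "tool.name", "op": "in", "value": ["shell", "exec"]},
            ],
        },
    ],
}


def condition_holds(cond: dict, context: dict) -> bool:
    """Evaluate one condition against a flat context such as {"tool.name": "web_search"}."""
    actual = context.get(cond["field"])
    if actual is None:
        return False  # a missing field never satisfies a condition
    op, expected = cond["op"], cond["value"]
    if op == "eq":
        return actual == expected
    if op == "in":
        return actual in expected
    if op == "matches":
        return re.search(expected, str(actual), re.IGNORECASE) is not None
    raise ValueError(f"unknown op {op!r}")


def evaluate(ruleset: dict, context: dict) -> dict:
    """First match wins, highest priority first; no matching rule means allow."""
    for rule in sorted(ruleset["rules"], key=lambda r: r.get("priority", 0), reverse=True):
        if any(condition_holds(c, context) for c in rule.get("exemptions", [])):
            continue  # an exemption removes the rule from consideration for this context
        if all(condition_holds(c, context) for c in rule["conditions"]):
            return {"action": rule["action"], "rule_id": rule["id"]}
    return {"action": "allow", "rule_id": None}
```

A rule with an empty `conditions` list matches every context, so such catch-all rules should carry the lowest priority.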
MCP Tools
Agents can manage security via MCP tools:
| Tool | Permission | Purpose |
|---|---|---|
| br_get_security_status | security.read | Security status overview |
| br_get_policies | security.read | Current policy ruleset |
| br_test_policy | security.read | Test context against policies |
| br_get_guardrail_config | config.read | Current guardrail configuration |
| br_update_guardrail_config | config.write | Update guardrail settings |
| br_test_guardrails | config.write | Test content against guardrails |
| br_activate_killswitch | security.write | Emergency routing suspension |
| br_deactivate_killswitch | security.write | Resume routing |
| br_get_killswitch_status | security.read | Kill switch state |