v0.1 — Guardrails: pre/post-call enforcement
Guardrails in the request path on every plan — PII redaction, prompt-injection detection, keyword & regex filtering, custom webhook checks, and post-call response scanning — scoped at org, team, and key level.
Guardrails are live. Every chat completion, embedding, and image request now flows through a configurable safety pipeline before it reaches the provider — and the response flows back through it before it reaches the caller. No Enterprise paywall: every guardrail is available on every plan from day one.
What ships
Five guardrail providers, all in-path:
- PII redaction — Microsoft Presidio. Detects and masks emails, phone numbers, SSNs, credit cards, names, addresses before the prompt leaves our infrastructure.
- Prompt injection — heuristic detection across a weighted library of known injection patterns (instruction-override, role-switching, exfiltration). Blocks the request with a structured 400 when a pattern is matched.
- Keyword / regex blocklists — bring your own term list or regex. Useful for compliance words, competitor names, internal codenames.
- Custom guardrails — point at any HTTP endpoint that returns
{ allowed: bool, redacted_text?: string }. We call it pre- and post-call. - Response scanning — same providers run on the assistant message before the caller sees it.
Scope hierarchy
Guardrails are scoped at org, team, and key level, and they combine — a key-scoped guardrail adds to (rather than replaces) the team- and org-scoped ones, so every applicable guardrail runs. Per-request narrowing is also supported via extra_body.nemo_guardrail_ids — pass an array of IDs to prefer those for this call (block/redact guardrails always still run).
curl https://api.nemorouter.ai/v1/chat/completions \
-H "Authorization: Bearer sk-nemo-..." \
-H "Content-Type: application/json" \
-d '{
"model": "gemini-2.5-flash",
"messages": [{"role": "user", "content": "Email me at jane@example.com"}],
"extra_body": { "nemo_guardrail_ids": ["pii-redact-default"] }
}'When a guardrail blocks, the response is a 400 with error.code = guardrail_blocked — never a silent pass-through.
Configure guardrails at /{org}/guardrails. Audit hits at /{org}/observability.