Prompt input protection
Inspect supported system prompts and message text before provider egress. High-confidence findings can warn, redact, block, or require approval.
View setupEvaluate prompts, generated code, and proposed tool actions close to the developer. Keep latency-critical decisions local, then add remote analysis only where the risk justifies it.
Local enforcement first
Every supported path runs deterministic local checks first. Remote analysis can be disabled, run asynchronously, added as a second synchronous opinion, or required for a narrowly scoped workflow.
Prompt, held output, or proposed action
Detectors, cached policy, and immediate enforcement
Organization context and deeper checks when enabled
The same decision model covers data leaving the workstation, content entering the repository, and actions an agent wants to execute.
Inspect supported system prompts and message text before provider egress. High-confidence findings can warn, redact, block, or require approval.
View setupScan held code, diffs, commands, packages, and URLs before insertion. The library is ready; an editor adapter must hold and enforce the result.
View setupClassify proposed shell, file, Git, deployment, credential, and infrastructure actions before execution. The adapter owns approval UI and final enforcement.
View setupModes are explicit so a background classifier cannot silently become a blocking dependency. When local and remote decisions both complete synchronously, the more restrictive decision wins.
| Mode | Behavior | Remote latency on path | Remote failure |
|---|---|---|---|
local_only | Run local detectors and local or cached policy. The remote evaluator is never called. | No | Not applicable |
local_and_shadow | Return the local result immediately, then run remote analysis asynchronously for comparison and telemetry. | No | Use local result |
local_then_remote | Run local first, wait up to the configured deadline, and enforce whichever completed decision is more restrictive. | Yes | Use local result |
remote_required | Run local first, then require a remote decision. Missing, failed, or timed-out remote analysis blocks the interaction. | Yes | Block |
Source deployment guide
The endpoint agent and editor helpers are currently private source deployments. Generated-output protection remains a reusable library that requires an adapter before content is delivered or inserted.
The public installer and editor extensions are not released. This source setup uses documented local hooks for Cursor and Claude Code, plus a documented localhost provider route for Codex.
Build and run the local agent from this repository. It inspects supported JSON traffic before forwarding through a direct localhost provider route or the selective HTTPS proxy.
pnpm install
pnpm --filter @promptective/agent build
node packages/agent/dist/index.js start \
--mode protect \
--input-protection local_onlyCall the local protection library while output is still held. Prevention claims are valid only when the adapter enforces the result before delivery or insertion.
import { createLocalProtectionEngine } from '@promptective/local-protection';
const engine = createLocalProtectionEngine({
modes: { generated_output: 'local_only' },
});
const result = await engine.evaluate({
feature: 'generated_output',
interaction: outputInteraction,
generatedOutput: {
text: assistantText,
targetFile: 'src/server.ts',
language: 'typescript',
delivered: false,
},
});
if (result.decision.outcome === 'block') {
holdOutput();
}Place the local evaluator between an assistant's proposed action and the executor. The library never executes the command itself.
const result = await engine.evaluate({
feature: 'tool_action',
interaction: actionInteraction,
toolAction: {
toolName: 'terminal',
command: proposedCommand,
path: workspacePath,
},
});
switch (result.decision.outcome) {
case 'allow': executeAction(); break;
case 'warn': showWarning(); break;
case 'require_approval': requestApproval(); break;
case 'block': denyAction(); break;
}Start locally, then opt individual features into remote analysis. Remote modes send normalized interaction content to the configured control endpoint.
Recommended for prompt input and tool actions when predictable low latency and offline enforcement matter most.
promptective-agent start --mode protect --input-protection local_onlyUse to compare a remote classifier with production local decisions without adding remote latency or changing enforcement.
export PROMPTECTIVE_API_KEY="pa_your_agent_key"
export PROMPTECTIVE_CLOUD="https://api.promptective.ai"promptective-agent start --mode protect --input-protection local_and_shadowUse for sensitive interactions where a deeper remote decision is worth a bounded delay. Remote failure falls back to local.
export PROMPTECTIVE_API_KEY="pa_your_agent_key"
export PROMPTECTIVE_CLOUD="https://api.promptective.ai"promptective-agent start --mode protect --input-protection local_then_remoteReserve for workflows whose policy explicitly requires a remote control. It fails closed when that control is unavailable.
export PROMPTECTIVE_API_KEY="pa_your_agent_key"
export PROMPTECTIVE_CLOUD="https://api.promptective.ai"promptective-agent start --mode protect --input-protection remote_required --remote-timeout 1500Coverage depends on the enforcement point and an exact-version live canary: Cursor and Claude Code use local user hooks, while Codex uses a direct localhost provider route. Cursor file-read and Windows launcher caveats apply. Claude can optionally layer a provider route after a credential canary.
Local user hooks can block prompt submission and selected shell, MCP, file, and Tab events when Cursor emits and launches them, without rerouting provider traffic. File-read coverage is conditional: Cursor has a confirmed beforeReadFile bypass for files already open in the editor. Generated responses are not held before delivery.
Paste this block once. It builds the agent, creates one backup, and safely merges five local hooks into ~/.cursor/hooks.json; no Promptective daemon or local CA is needed. Configuration alone does not prove enforcement: live file-read canaries are required, and Windows hook launching remains conditional on the exact shell and Cursor build.
pnpm install
pnpm --filter @promptective/agent build
node packages/agent/dist/index.js configure-cursor{
"version": 1,
"hooks": {
"beforeSubmitPrompt": [{
"command": "… cursor-hook prompt PROMPTECTIVE_CURSOR_HOOK=1",
"timeout": 5,
"failClosed": true
}],
"beforeShellExecution": [{
"command": "… cursor-hook shell PROMPTECTIVE_CURSOR_HOOK=1",
"timeout": 5,
"failClosed": true
}],
"beforeMCPExecution": [{
"command": "… cursor-hook mcp PROMPTECTIVE_CURSOR_HOOK=1",
"timeout": 5,
"failClosed": true
}],
"beforeReadFile": [{
"command": "… cursor-hook file PROMPTECTIVE_CURSOR_HOOK=1",
"timeout": 5,
"failClosed": true
}],
"beforeTabFileRead": [{
"command": "… cursor-hook tab_file PROMPTECTIVE_CURSOR_HOOK=1",
"timeout": 5,
"failClosed": true
}]
}
}The local engine can protect inspectable provider traffic, but a native Codex hook adapter is not yet released. Keep Codex sandboxing and approvals enabled.
Paste this block once. It builds the agent, backs up and safely updates ~/.codex/config.toml, then leaves Promptective running in local-only audit mode. Fully quit and reopen Codex after the agent starts.
pnpm install
pnpm --filter @promptective/agent build
node packages/agent/dist/index.js configure-codex
node packages/agent/dist/index.js start --mode audit --input-protection local_onlymodel_provider = "openai"
openai_base_url = "http://127.0.0.1:9888"
[features]
enable_request_compression = falseUserPromptSubmit and PreToolUse hooks locally block unsafe prompts and gate shell, file, MCP, and other tool actions. They preserve Claude's normal authentication and native permission flow; generated output is not held.
Paste this block once. It builds the agent, creates one backup, and safely merges local prompt and pre-tool hooks into ~/.claude/settings.json without changing authentication. The hooks run the local detector directly.
pnpm install
pnpm --filter @promptective/agent build
node packages/agent/dist/index.js configure-claude{
"hooks": {
"UserPromptSubmit": [{
"hooks": [{
"type": "command",
"command": "/absolute/path/to/node",
"args": [
"/absolute/path/to/promptective/packages/agent/dist/index.js",
"claude-hook",
"prompt",
"PROMPTECTIVE_CLAUDE_HOOK=1"
],
"timeout": 5
}]
}],
"PreToolUse": [{
"matcher": "*",
"hooks": [{
"type": "command",
"command": "/absolute/path/to/node",
"args": [
"/absolute/path/to/promptective/packages/agent/dist/index.js",
"claude-hook",
"tool",
"PROMPTECTIVE_CLAUDE_HOOK=1"
],
"timeout": 5
}]
}]
}
}A precise coverage statement is part of the security control. These constraints should remain visible during every evaluation and rollout.
Start in local-only mode, verify exact coverage, then introduce shadow or synchronous remote analysis one feature at a time.