First stable release with SPDX headers and NOTICE
Highlights
- First public release of RAG Integrity Firewall.
- Adds SPDX license headers and a NOTICE file to all source files.
- Ready for adoption in RAG pipelines via
pip install rag-firewall.
Features
-
Scanners
- Prompt injection (regex patterns)
- PII (emails, phone numbers, SSNs)
- Secrets & API keys
- Encoded/Base64 content
- URL/domain allow/deny lists
- Conflict/staleness detection
-
Policy engine
- Allow, deny, or rerank chunks
- Configurable weighting (recency, relevance, provenance, etc.)
-
Provenance
- SHA256 hashing of chunks
- Optional SQLite store
-
Audit logging
- JSONL audit trail of all scanner findings and policy decisions
-
Integrations
- LangChain (
FirewallRetriever) - LlamaIndex (
TrustyRetriever) - Custom retrievers via
wrap_retriever
- LangChain (
-
CLI
ragfw index— index documents with provenanceragfw query— run queries through the firewall
Quickstart
from rag_firewall import Firewall, wrap_retriever
fw = Firewall.from_yaml("firewall.yaml")
safe = wrap_retriever(base_retriever, firewall=fw)
docs = safe.get_relevant_documents("What is our mission?")
for d in docs:
print(d["metadata"]["_ragfw"])Audit logs are written to audit.jsonl.
For full examples, see the examples/ folder:
examples/quickstart.py– minimal demoexamples/langchain_example.py– LangChain with Chroma & OpenAIexamples/custom_retriever.py– framework-agnostic retriever
Installation
pip install rag-firewallLicense
RAG Integrity Firewall is licensed under the Apache License 2.0.
“RAG Integrity Firewall” is a trademark of Tal Adari.