New PromptGuardFilter to mitigate prompt injection attacks (#148)

Author: maximthomas

openig-ai/src/main/java/org/openidentityplatform/openig/ai/AiClassAliasResolver.java

@@ -19,6 +19,7 @@
 import org.forgerock.openig.alias.ClassAliasResolver;
 import org.openidentityplatform.openig.ai.filter.LLMProxyFilter;
 import org.openidentityplatform.openig.ai.filter.MCPServerFeaturesFilter;
+import org.openidentityplatform.openig.ai.filter.LLMPromptGuardFilter;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -30,6 +31,7 @@ public class AiClassAliasResolver implements ClassAliasResolver {
     private static final Map<String, Class<?>> ALIASES = new HashMap<>();
 
     static {
+        ALIASES.put("LLMPromptGuardFilter", LLMPromptGuardFilter.class);
         ALIASES.put("LLMProxyFilter", LLMProxyFilter.class);
         ALIASES.put("MCPServerFeaturesFilter", MCPServerFeaturesFilter.class);
     }

openig-ai/src/main/java/org/openidentityplatform/openig/ai/filter/CompositeDetector.java

@@ -0,0 +1,69 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2026 3A Systems LLC.
+ */
+
+package org.openidentityplatform.openig.ai.filter;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * Composite injection detector that chains multiple {@link InjectionDetector}
+ * implementations in priority order, short-circuiting on the first positive.
+ */
+public final class CompositeDetector implements InjectionDetector {
+
+    private static final Logger logger = LoggerFactory.getLogger(CompositeDetector.class);
+
+    private final List<InjectionDetector> detectors;
+
+    public CompositeDetector(InjectionDetector... detectors) {
+        this(List.of(detectors));
+    }
+
+    public CompositeDetector(List<InjectionDetector> detectors) {
+        Objects.requireNonNull(detectors, "detectors must not be null");
+        if (detectors.isEmpty()) {
+            throw new IllegalArgumentException("At least one detector is required");
+        }
+        this.detectors = List.copyOf(detectors);
+    }
+    @Override
+    public DetectionResult scan(String prompt) {
+        for (InjectionDetector detector : detectors) {
+            DetectionResult result = detector.scan(prompt);
+            if (result.isInjection()) {
+                logger.info("Injection confirmed by detector={} reason={} score={}",
+                        result.getDetector(), result.getReason(), result.getScore());
+                return result;
+            }
+        }
+        return DetectionResult.clean();
+    }
+
+    @Override
+    public void destroy() {
+        detectors.forEach(d -> {
+            try {
+                d.destroy();
+            } catch (Exception e) {
+                logger.warn("Error destroying detector {}: {}", d.getClass().getSimpleName(), e.getMessage());
+            }
+        });
+    }
+}

openig-ai/src/main/java/org/openidentityplatform/openig/ai/filter/DetectionResult.java

@@ -0,0 +1,67 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2026 3A Systems LLC.
+ */
+
+package org.openidentityplatform.openig.ai.filter;
+
+/**
+ * Immutable result produced by any {@link InjectionDetector} implementation.
+ *
+ * <p>A result carries:
+ * <ul>
+ *   <li>whether an injection was detected</li>
+ *   <li>the confidence score (0.0 – 1.0; -1 when unavailable)</li>
+ *   <li>a machine-readable reason code for structured audit logging</li>
+ *   <li>the detector layer that made the final determination</li>
+ * </ul>
+ */
+public final class DetectionResult {
+
+    public static final DetectionResult CLEAN = new DetectionResult(false, 0.0, "none", "none");
+
+    private final boolean injection;
+    private final double  score;
+    private final String  reason;   // e.g. "override_instruction"
+    private final String  detector; // e.g. "regex"
+
+    private DetectionResult(boolean injection, double score, String reason, String detector) {
+        this.injection = injection;
+        this.score     = score;
+        this.reason    = reason;
+        this.detector  = detector;
+    }
+
+    public static DetectionResult clean() {
+        return CLEAN;
+    }
+
+    public static DetectionResult injection(double score, String reason, String detector) {
+        return new DetectionResult(true, score, reason, detector);
+    }
+
+    public boolean isInjection() { return injection; }
+    public double  getScore()     { return score; }
+    public String  getReason()    { return reason; }
+    public String  getDetector()  { return detector; }
+
+    @Override
+    public String toString() {
+        return "DetectionResult{injection=" + injection
+                + ", score=" + score
+                + ", reason='" + reason + '\''
+                + ", detector='" + detector + '\''
+                + '}';
+    }
+}

openig-ai/src/main/java/org/openidentityplatform/openig/ai/filter/InjectionDetector.java

@@ -0,0 +1,44 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2026 3A Systems LLC.
+ */
+
+package org.openidentityplatform.openig.ai.filter;
+
+/**
+ * Strategy interface for prompt-injection detection.
+ *
+ * <p>Implementations must be <strong>thread-safe</strong>: a single detector
+ * instance is shared across all concurrent requests.
+ *
+ * <p>Known implementations:
+ * <ul>
+ *   <li>{@link RegexDetector}          – fast, deterministic regex pre-filter</li>
+ *   <li>{@link TypoglycemiaDetector}   – fast, catches injection keywords whose interior
+ *      letters have been transposed to evade exactmatching</li>
+ *   <li>{@link CompositeDetector}      – chains the above with short-circuit logic</li>
+ * </ul>
+ */
+public interface InjectionDetector {
+
+    /**
+     * Scan {@code prompt} for injection signals.
+     *
+     * @param prompt         the normalized prompt text extracted from the LLM request body
+     * @return               a {@link DetectionResult}; never {@code null}
+     */
+    DetectionResult scan(String prompt);
+
+    default void destroy() {}
+}