Skip to main content
Shield exports TypeScript types and interfaces for all configuration options and return values.

Core Types

HardenOptions

Configuration options for the harden() function. 
interface HardenOptions {
  skipPersonaAnchor?: boolean;
  skipAntiExtraction?: boolean;
  customRules?: string[];
  position?: "prepend" | "append";
}
skipPersonaAnchor
boolean
default:"false"
Skip persona-binding rule that prevents role hijacking
skipAntiExtraction
boolean
default:"false"
Skip anti-extraction rules that prevent prompt extraction attempts
customRules
string[]
default:"[]"
Additional custom security rules to inject into the system prompt
position
'prepend' | 'append'
default:"'append'"
Where to add security rules in the prompt (beginning or end)

DetectOptions

Configuration options for the detect() and detectAsync() functions. 
interface DetectOptions {
  threshold?: "low" | "medium" | "high" | "critical";
  customPatterns?: Array<{
    category: string;
    regex: RegExp;
    risk: "low" | "medium" | "high" | "critical";
  }>;
  excludeCategories?: string[];
  allowPhrases?: string[];
  secondaryDetector?: (
    input: string,
    result: DetectResult
  ) => Promise<DetectResult | null>;
  maxInputLength?: number;
}
threshold
'low' | 'medium' | 'high' | 'critical'
default:"'medium'"
Minimum risk level to flag as detected. Only injections at or above this risk level will be flagged.
customPatterns
Array<{category: string, regex: RegExp, risk: string}>
default:"[]"
Custom detection patterns to add to the built-in pattern library. Each pattern requires:
  • category: Name for the injection category
  • regex: Regular expression to match
  • risk: Risk level (“low”, “medium”, “high”, or “critical”)
excludeCategories
string[]
default:"[]"
Categories to skip during detection. Use ["social_engineering"] to allow phrases like “for research purposes only” in legitimate contexts.
allowPhrases
string[]
default:"[]"
Whitelist phrases (case-insensitive). If input contains one of these phrases, detection is suppressed. Use sparingly for known-benign strings.
secondaryDetector
(input: string, result: DetectResult) => Promise<DetectResult | null>
Optional async verifier function. When detection fires, this function is called with the input and initial result. Return { detected: false } to override the detection (e.g., after LLM verification), or null to keep the original result. Only available with detectAsync().
maxInputLength
number
default:"1048576"
Maximum input length to scan. Input beyond this length will be truncated.

DetectResult

Return value from detect() and detectAsync() functions. 
interface DetectResult {
  detected: boolean;
  risk: "none" | "low" | "medium" | "high" | "critical";
  matches: Array<{
    category: string;
    pattern: string;
    confidence: number;
  }>;
}
detected
boolean
Whether a prompt injection was detected
risk
'none' | 'low' | 'medium' | 'high' | 'critical'
Highest risk level among all detected patterns. “none” if no injection was detected.
matches
Array<{category: string, pattern: string, confidence: number}>
Array of all matched injection patterns. Each match includes:
  • category: The injection category (e.g., “instruction_override”, “role_hijack”)
  • pattern: Truncated regex pattern that matched (first 60 characters)
  • confidence: Confidence score for the match (0-1)

SanitizeOptions

Configuration options for the sanitize() and sanitizeObject() functions. 
interface SanitizeOptions {
  ngramSize?: number;
  threshold?: number;
  wordOverlapThreshold?: number;
  redactionText?: string;
  detectOnly?: boolean;
}
ngramSize
number
default:"4"
N-gram window size for matching leaked prompt fragments. Larger values reduce false positives but may miss shorter leaks.
threshold
number
default:"0.7"
Confidence threshold (0-1) for classifying output as leaked. Lower values are more sensitive but may produce false positives.
wordOverlapThreshold
number
default:"0.25"
Jaccard word overlap threshold for detecting paraphrased leaks. Higher values require more overlap to flag as leaked.
redactionText
string
default:"'[REDACTED]'"
Replacement text for redacted leaked content
detectOnly
boolean
default:"false"
When true, only detect leaks without redacting them. The sanitized field will match the original output.

SanitizeResult

Return value from the sanitize() function. 
interface SanitizeResult {
  leaked: boolean;
  confidence: number;
  fragments: string[];
  sanitized: string;
}
leaked
boolean
Whether a system prompt leak was detected in the output
confidence
number
Confidence score (0-1) for the leak detection. Higher values indicate stronger evidence of leakage.
fragments
string[]
Array of detected leaked fragments from the system prompt
sanitized
string
Output with leaked fragments redacted (or original output if detectOnly: true)

Provider Types

Configuration options for provider wrapper functions. All providers share a common set of options.

ShieldOpenAIOptions

Options for shieldOpenAI(). 
interface ShieldOpenAIOptions {
  systemPrompt?: string;
  harden?: HardenOptions | false;
  detect?: DetectOptions | false;
  sanitize?: SanitizeOptions | false;
  streamingSanitize?: "buffer" | "chunked" | "passthrough";
  streamingChunkSize?: number;
  onDetection?: "block" | "warn";
  throwOnLeak?: boolean;
  onInjectionDetected?: (result: DetectResult) => void;
  onLeakDetected?: (result: SanitizeResult) => void;
}
systemPrompt
string
System prompt for sanitization. When omitted, automatically derived from the first system message in the request.
harden
HardenOptions | false
default:"{}"
Options for hardening system prompts. Set to false to disable hardening.
detect
DetectOptions | false
default:"{}"
Options for injection detection. Set to false to disable detection.
sanitize
SanitizeOptions | false
default:"{}"
Options for output sanitization. Set to false to disable sanitization.
streamingSanitize
'buffer' | 'chunked' | 'passthrough'
default:"'buffer'"
Sanitization strategy for streaming responses:
  • "buffer": Buffer full response then sanitize (highest accuracy)
  • "chunked": Sanitize in 8KB chunks (lower memory for long streams)
  • "passthrough": Skip sanitization (fastest but no leak protection)
streamingChunkSize
number
default:"8192"
Chunk size in bytes for "chunked" streaming mode
onDetection
'block' | 'warn'
default:"'block'"
Behavior when injection is detected:
  • "block": Throw InjectionDetectedError (recommended)
  • "warn": Only invoke onInjectionDetected callback without blocking
throwOnLeak
boolean
default:"false"
When true, throw LeakDetectedError instead of redacting leaked content
onInjectionDetected
(result: DetectResult) => void
Callback invoked when injection is detected. Receives the full DetectResult.
onLeakDetected
(result: SanitizeResult) => void
Callback invoked when a leak is detected in model output. Receives the full SanitizeResult.

ShieldAnthropicOptions

Options for shieldAnthropic(). Identical to ShieldOpenAIOptions. 
interface ShieldAnthropicOptions {
  systemPrompt?: string;
  harden?: HardenOptions | false;
  detect?: DetectOptions | false;
  sanitize?: SanitizeOptions | false;
  streamingSanitize?: "buffer" | "chunked" | "passthrough";
  streamingChunkSize?: number;
  onDetection?: "block" | "warn";
  throwOnLeak?: boolean;
  onInjectionDetected?: (result: DetectResult) => void;
  onLeakDetected?: (result: SanitizeResult) => void;
}
See ShieldOpenAIOptions for field descriptions.

ShieldGroqOptions

Options for shieldGroq(). Identical to ShieldOpenAIOptions. 
interface ShieldGroqOptions {
  systemPrompt?: string;
  harden?: HardenOptions | false;
  detect?: DetectOptions | false;
  sanitize?: SanitizeOptions | false;
  streamingSanitize?: "buffer" | "chunked" | "passthrough";
  streamingChunkSize?: number;
  onDetection?: "block" | "warn";
  throwOnLeak?: boolean;
  onInjectionDetected?: (result: DetectResult) => void;
  onLeakDetected?: (result: SanitizeResult) => void;
}
See ShieldOpenAIOptions for field descriptions.

ShieldAISdkOptions

Options for shieldMiddleware() and shieldLanguageModelMiddleware(). 
interface ShieldAISdkOptions {
  systemPrompt?: string;
  harden?: HardenOptions | false;
  detect?: DetectOptions | false;
  sanitize?: SanitizeOptions | false;
  streamingSanitize?: "buffer" | "chunked" | "passthrough";
  streamingChunkSize?: number;
  onDetection?: "block" | "warn";
  throwOnLeak?: boolean;
  onInjectionDetected?: (result: DetectResult) => void;
  onLeakDetected?: (result: SanitizeResult) => void;
}
See ShieldOpenAIOptions for field descriptions.

Build docs developers (and LLMs) love

Get started for freeTalk to us