_ _ ___ ____ _____ ____ _ _ _ ____ ____ _____ ____ | \ | |/ _ \| _ \| ____/ ___| | | | / \ | _ \| _ \| ____| _ \ | \| | | | | | | | _|| | _| | | |/ _ \ | |_) | | | | _| | |_) | | |\ | |_| | |_| | |__| |_| | |_| / ___ \| _ <| |_| | |___| _ < |_| \_|\___/|____/|_____\____|\___/_/ \_\_| \_\____/|_____|_| \_\
An AI firewall that runs entirely on your machine. It sits between your local AI tools and cloud LLMs, inspecting prompts for secrets before they leave.
--- what it does -------------------------------------------------
You type something into an AI coding assistant or chat interface.
That text is sent to a cloud LLM — OpenAI, Anthropic, whatever.
NodeGuarder runs between your client and the LLM.
Every prompt passes through three checks:
1. 652 regex rules (ATR community) — matches known patterns in ~2ms. API keys, tokens, connection strings, etc.
2. DeBERTa-v3 (184M param) — semantic model catches injections, social engineering, data poisoning, etc.
3. HITL modal — if you're watching, you decide: redact / allow / block
Only after all three does the cleaned prompt reach the LLM.
Everything runs locally. Zero network calls to a "cloud dashboard."
No accounts. No signup.
That text is sent to a cloud LLM — OpenAI, Anthropic, whatever.
NodeGuarder runs between your client and the LLM.
Every prompt passes through three checks:
1. 652 regex rules (ATR community) — matches known patterns in ~2ms. API keys, tokens, connection strings, etc.
2. DeBERTa-v3 (184M param) — semantic model catches injections, social engineering, data poisoning, etc.
3. HITL modal — if you're watching, you decide: redact / allow / block
Only after all three does the cleaned prompt reach the LLM.
Everything runs locally. Zero network calls to a "cloud dashboard."
No accounts. No signup.
--- detection categories -----------------------------------------
*api_keys
OpenAI, AWS, GitHub, Stripe, etc.
*db_credentials
PostgreSQL connection strings, etc.
*pii
emails, phone numbers, SSNs
*prompt_injection
“ignore previous instructions”
*code_execution
system(“/bin/bash -c ...”)
*social_engineering
phishing attempts in context
*skill_compromise
tool poisoning
*excessive_autonomy
agent requesting dangerous permissions
*model_abuse
jailbreak / DoS / misuse
*data_poisoning
training data contamination
652 total rules (ATR community) + DeBERTa-v3 semantic verification.
False-positive marker system auto-overturns docs examples, tutorial code,
placeholders, and security discussions — real workflows aren't interrupted.
--- quick start --------------------------------------------------
1. Download the MSI from GitHub releases.
Run it. That's the install.
2. Open your AI tool (Cursor, Continue.dev, etc.)
and point its API endpoint to:
http://127.0.0.1:51820/v1
Find your bearer token in Settings — it's shown there.
3. (optional) Open the tray settings to configure
upstream LLM, detection categories, and HITL mode.
The DeBERTa model (~700MB) downloads in the background
on first run. You can use regex-only mode immediately.
No accounts. No configuration files to edit.
The installer sets up auto-start.
Run it. That's the install.
2. Open your AI tool (Cursor, Continue.dev, etc.)
and point its API endpoint to:
http://127.0.0.1:51820/v1
Find your bearer token in Settings — it's shown there.
3. (optional) Open the tray settings to configure
upstream LLM, detection categories, and HITL mode.
The DeBERTa model (~700MB) downloads in the background
on first run. You can use regex-only mode immediately.
No accounts. No configuration files to edit.
The installer sets up auto-start.
--- faq ------------------------------------------------------------
Is it really free?
Yes. MIT / Apache 2.0. No paid tiers, no “Pro” version, no feature gates. Download the code or the binary.
Do I need to create an account?
No. No signup, no telemetry, no “cloud sync.”
Does it work offline?
Yes. Detection runs entirely locally with the rules bundled in the MSI. Internet is only needed for the LLM upstream, first-time model download, and periodic ATR rule updates (the agent checks for new community rules every 7 days when online).
How accurate is the detection?
Regex catches ~90% of secrets in <5ms. DeBERTa-v3 confirms each match semantically. False-positive marker system handles the rest.
What are Agent Threat Rules (ATR)?
ATR (Agent Threat Rules) is a community-driven collection of 652+ regex patterns covering 7 agentic-threat categories — injection, code_execution, social_engineering, skill_compromise, excessive_autonomy, model_abuse, and data_poisoning — plus 3 built-in categories for secrets (api_keys, db_credentials, pii). The agent auto-updates them from the community registry every 7 days. You can toggle auto-update in Settings or disable it entirely. Full rule reference →
Will it slow down my IDE completions?
~50-100ms per prompt. Imperceptible.
How do I update?
ATR community rules auto-update in the background every 7 days — no action needed. For agent binary updates (new features, bug fixes), download the latest MSI from GitHub and run it. The installer preserves your settings.
What about the Enterprise Portal?
Enterprise sync is built into the desktop agent — enroll via Settings to connect to a portal. The portal itself runs via Docker Compose (included in the download). Full portal docs →