# Theo · Guardrails (Trust Layer)

> Guardrails are deterministic input and output policies that run alongside every AI Worker request. Five built-in policies, four named presets, per-API-key binding, and a full executions log. Plus adjacent infra-level guardrails (image sanitizer, SSRF validator, abuse heuristics, bot challenge, idempotency, rate-limit).

Source of truth: https://hitheo.ai/guardrails. Last updated: 2026-05-24.

## At a glance

- 5 built-in policies: PII Redactor, Prompt Injection Deny, Profanity Flag, Max-Length Truncate, JSON Repair.
- 4 named presets: PII-Safe, Strict JSON, Cost-Conscious, Enterprise Default.
- Per-key bindings: api_key_guardrail_policies join table.
- Full audit: /api/v1/guardrail-executions returns every verdict with the input / output hash and the policy that fired.

## Built-in policies

- PII Redactor (input, redact). Catches the canonical NIST PII shapes (email, phone, SSN, credit card, driver's license) and replaces them with [REDACTED:] tokens before any model sees the prompt.
- Prompt Injection Deny (input, deny). Pattern-matches known prompt-injection payloads and adversarial instruction shapes. Denies the request before it reaches any model. Returns a structured error.
- Profanity Flag (input + output, flag). Flags profanity in either direction without denying the request. Verdict lands in the executions log for context.
- Max-Length Truncate (input + output, truncate). Caps tokens at a configurable ceiling (default 4K or 8K). Prevents runaway prompts and runaway responses.
- JSON Repair (output, repair). When the model emits malformed JSON, runs a one-shot repair before the response leaves the gateway. Agentic workflows get clean structured output.

## Named presets

- PII-Safe. Redact email / phone / SSN / credit-card / DL before the model sees them. The sensible default for compliance-sensitive teams.
- Strict JSON. Reject prompt injection on input; repair malformed JSON on output. For agentic / structured-output workflows.
- Cost-Conscious. Cap input + output length so a runaway prompt cannot blow the budget. Truncates both directions to a defensible ceiling.
- Enterprise Default. PII redaction + prompt-injection deny + JSON repair + length cap + profanity flag. The canonical full-stack policy, layered in order: PII first, injection deny, JSON repair + length truncation on output, profanity flagging across both phases.

## Adjacent infra-level guardrails

- Geo-blocking. Block or allow by ISO 3166-1 country code. Keep regulated widgets in their lane without writing code.
- Bot challenge. Invisible bot challenge on public embeds. Stops scripted abuse before it hits the inbox.
- Abuse heuristics. Rapid-fire (5 messages / 10 seconds), content repetition (3 dupes / 120 seconds), prompt length cap. Per-key, with a persistent counter and an in-memory fallback.
- Image sanitizer. Strips EXIF / IPTC / XMP / ICC metadata before any image touches an AI engine. DICOM-aware: detects DICOM magic bytes, re-encodes as PNG to strip PHI.
- SSRF validator. Blocks private IP ranges (RFC 1918 / 6598), loopback, link-local, and cloud-metadata endpoints (169.254.169.254, metadata.google.internal). Validates protocol (HTTP / HTTPS only). Blocks embedded credentials.
- Idempotency. POST routes accept an Idempotency-Key header. Per-user namespace, 30s execution lock, 24h replay window, X-Idempotent-Replay header on cache hit.
- Rate-limit. Token-bucket rate limit on API key + session-level rate limit on dashboard users.

## Regulated-fact human approval

Skills can declare specific facts as "regulated" in their manifest. When an AI Worker drafts a regulated claim (eligibility, dosage, pricing, legal text), the response is held until a human approves. The approval flows through the audit ledger with the same SHA-256 hashed provenance as the original turn.
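
The rules in the SSRF validator bullet under "Adjacent infra-level guardrails" (scheme allowlist, no embedded credentials, blocked address ranges and metadata hosts) can be sketched as below. This is an added example, not Theo's code: the function names, reason strings, CIDR spellings and the injectable `resolve` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named on the page; the CIDR spellings are this example's own.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 shared space
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local, covers 169.254.169.254
)]
BLOCKED_HOSTS = {"metadata.google.internal"}

def system_resolve(host):
    """Default resolver: every address the name maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def ip_blocked(text):
    ip = ipaddress.ip_address(text.split("%")[0])      # drop any IPv6 zone id
    ip = getattr(ip, "ipv4_mapped", None) or ip        # unwrap ::ffff:a.b.c.d
    return any(ip in net for net in BLOCKED_NETS)

def check_url(url, resolve=system_resolve):
    """Return (allowed, reason) for an outbound fetch target."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable"
    if parts.scheme not in ("http", "https"):
        return False, "protocol"
    if parts.username is not None or parts.password is not None:
        return False, "embedded-credentials"
    if not host:
        return False, "no-host"
    if host in BLOCKED_HOSTS:
        return False, "metadata-host"
    try:
        addrs = [str(ipaddress.ip_address(host))]      # literal IP in the URL
    except ValueError:
        try:
            addrs = resolve(host)                      # hostname: check every record
        except OSError:
            return False, "unresolvable"
    if not addrs or any(ip_blocked(a) for a in addrs):
        return False, "blocked-address"
    return True, "ok"
```

A check like this only holds if the fetch then connects to the address that was validated; resolving the name a second time at connect time reopens the gap.
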
## Executions log

GET /api/v1/guardrail-executions returns every guardrail verdict for the calling key or organization. Filterable by policy_id, verdict, time window. The same data backs the Guardrails dashboard at /dashboard/guardrails.

## Related machine-readable files

- https://hitheo.ai/llms.txt — full index of every Theo machine-readable file.
- https://hitheo.ai/llms-full.txt — long-form knowledge bundle (single fetch).
- https://hitheo.ai/humans.txt — team and open-source credits.
- https://hitheo.ai/lawyers.txt — trademark notice and legal contact.
- https://hitheo.ai/.well-known/security.txt — security disclosure contact.