installation
Tracerney is available as a free npm package. Install it in seconds with zero dependencies.
Requirements
- • Node.js 16.0 or higher
- • npm 7.0 or higher
Version: 0.9.10+ (free SDK with 258 embedded patterns)
quick start
The SDK analyzes the prompt against 258 embedded attack patterns in real-time. Returns a result object with suspicious, patternName, and severity. Your code decides how to handle flagged prompts.
basic usage
initialization
Create a Tracerney instance (no configuration needed for free SDK):
scanning prompts
Check if a prompt is suspicious before sending to your LLM:
result object
The scanPrompt method returns a result object with pattern detection info:
how it works
Tracerney uses Layer 1: Pattern Matching to detect prompt injection attacks. The free SDK analyzes input against 258 real-world attack patterns in real-time with zero network overhead.
layer 1: pattern detection
All 258 patterns are embedded in the SDK and run locally on your machine. Patterns detect:
- • System instruction overrides ("ignore all instructions")
- • Role-play jailbreaks ("act as unrestricted AI")
- • Context confusion attacks
- • Data extraction attempts
- • Code execution risks
detection flow
- 1. User input received
- 2. Normalized (unicode tricks removed)
- 3. Compared against 258 embedded patterns
- 4. Returns result: suspicious=true/false, patternName, severity
- 5. Your code handles the result
no data leaves your server
All detection happens locally. The SDK never sends data to external servers. Your prompts stay completely private. Zero telemetry by default.
performance
Pattern matching completes in <5ms per prompt on modern hardware. Suitable for real-time applications.
258 embedded patterns
Tracerny includes 258 curated attack patterns covering known and novel injection techniques:
instruction override
Patterns detecting attempts to bypass system instructions
context confusion
Detects prompt injections that exploit context windows
role play exploitation
Catches attempts to change AI persona or instructions
code execution
Blocks attempts to trigger code generation attacks
jailbreak attempts
Detects known jailbreak techniques and variations
data extraction
Prevents prompts designed to leak sensitive data
Patterns are regularly updated and tested against real-world attacks. New patterns are added as attack techniques evolve.
api reference
Tracerney constructor
No configuration required for the free SDK. All 258 patterns are enabled by default. Telemetry and LLM Sentinel are disabled by default.
scanPrompt()
Analyzes a prompt against all 258 patterns. Returns a result object.
ScanResult interface
suspicious- true if pattern was matchedpatternName- Name of matched pattern (e.g., "Ignore Instructions")severity- Threat level ("CRITICAL", "HIGH", "MEDIUM", "LOW")blocked- false for free SDK (true only with backend verification)
layer 2: llm sentinel
Layer 2 adds advanced security with LLM Sentinel, an AI-powered verification system that analyzes LLM responses for injection patterns and validates output safety. Combines local pattern detection (Layer 1) with server-side verification for defense-in-depth protection.
how layer 2 works with layer 1
Tracerny operates on a two-layer defense model:
Layer 1: Pattern Detection (Free SDK)
- • Local pattern matching
- • 258 attack patterns
- • <5ms latency
- • No data leaves device
- • Zero network calls
Layer 2: LLM Sentinel (Pro)
- • Server-side verification
- • Output validation
- • JSON safety checks
- • Delimiter salting
- • Context-aware analysis
enabling layer 2
Initialize Tracerny with Layer 2 LLM Sentinel (Pro plan required):
That's it! Layer 2 is automatically configured to use our hosted LLM Sentinel service. Your API key authenticates requests and verifies your Pro subscription.
custom layer 2 configuration (advanced)
Want to self-host Layer 2 or use a custom implementation? You can override the sentinel endpoint:
Self-hosting Layer 2? You can build your own verification endpoint using the same pattern as our hosted service. Contact support for self-hosting guidance.
ai-powered setup (quick setup with claude code)
Not sure how to integrate Tracerny or configure Layer 2? If you don't know how to set up the implementation, you can ask your coding agent (like Claude Code) to set everything up for you. Just:
- Install the package:
npm install @sandrobuilds/tracerney - Check the npm package documentation at https://www.npmjs.com/package/@sandrobuilds/tracerney
- Ask your coding agent to set up implementation based on the docs
Your AI coding assistant can read the docs and automatically set up the SDK with the configuration you need, whether it's basic Layer 1 detection or advanced Layer 2 with custom endpoints. This is a fast way to get Tracerny running without manually reading all the configuration docs.
scanning with layer 2
With Layer 2 enabled, scanPrompt validates input and returns an error object if content is suspicious. Handle errors appropriately:
api response format
The verify-prompt endpoint returns a structured response. Success (HTTP 200) includes classification, confidence, and fingerprint. Errors include specific error codes and messages.
✅ Content is Safe (HTTP 200)
🔴 Content is Blocked (HTTP 200)
⚠️ Quota Exceeded (HTTP 402)
🚫 Authentication Errors (HTTP 401/403)
response fields
| action | 'BLOCK' | 'ALLOW' | Whether prompt is blocked or allowed |
| confidence | number (0-1) | Confidence score (0.99 = very confident it's an attack) |
| class | string | Classification: safe_content, jailbreak_llm_detected, jailbreak_semantic_pattern |
| fingerprint | string | 6-char unique ID for deduplication (includes cryptographic salt) |
output validation
LLM Sentinel validates that LLM responses match your expected schema and contain no injection patterns. This prevents poisoned outputs from being used downstream.
delimiter salting
Delimiter salting adds random cryptographic delimiters to system prompts, making it harder for attackers to craft payloads. Each request uses a unique salt.
- • Generates unique salt per request
- • Embeds delimiters in system prompt
- • Validates user input cannot break delimiters
- • Returns salt for verification
context-aware scanning
Context-aware scanning understands the semantic meaning of attacks, reducing false positives and catching sophisticated injections that pattern matching alone might miss.
pricing & quotas
Free Plan: 50 Layer 2 scans/month
Pro Plan ($9/month): 2,500 Layer 2 scans/month
best practices
- • Always scan inputs first: Layer 1 catches most attacks early
- • Scan outputs for safety: Layer 2 validates LLM responses aren't compromised
- • Define schemas: Provides more accurate output validation
- • Log Layer 2 results: Helps identify attack patterns over time
- • Test with real prompts: Context-aware scanning improves with real data
what is prompt injection?
Prompt injection is a vulnerability where an attacker manipulates the input to an AI model to bypass safety measures or change its behavior. The attacker injects malicious instructions into the prompt that the AI follows instead of the original system instructions.
example
Original system instruction:
Malicious user input (injection):
Without protection, the AI might follow the injected instruction instead of the system prompt.
why it matters
- • Can expose sensitive data
- • Can bypass security controls
- • Can manipulate AI behavior
- • Growing threat as AI becomes mainstream
common attack techniques
1. Direct instruction override
Directly tells the AI to ignore previous instructions
2. Role-play exploitation
Attempts to change the AI's role or persona
3. Context confusion
Tries to confuse the AI about its previous context
4. Code execution
Attempts to trigger harmful code generation
5. Data extraction
Tries to extract sensitive system prompts or data