ReasonGate, a pip installable open core release, returns the rule that fired, the matched pattern, and the closest known attack on each block, so the yes/no comes with a defense.
Most prompt-injection defenses on AI apps return a yes/no a security team cannot defend in front of an auditor. ReasonGate, an open-source gate released this week, ships the opposite contract: every block carries the rule that fired, the pattern it matched, and the closest known attack it resembles.
Prompt injection sits at the top of the OWASP LLM Top 10 for a structural reason: language models cannot reliably separate instructions from data they read. The conventional fix is a detection layer — Rebuff, LLM Guard, NeMo Guardrails — that returns a confidence score and a yes/no. That is not enough for a security team that has to explain a block to an auditor or a regulator.
ReasonGate, installable via pip install reasongate, wraps any prompt-to-string function and inspects three surfaces: the user prompt, the retrieved context, and the model's output. On every block it surfaces the signal that fired, the pattern it matched, and the nearest known attack. The open core is rule-only and self-contained; a separate reasongate-enterprise add-on auto-enables an embedding-based ML detector and a provenance detector.
The repo's demo scenario hard-codes the stakes: a bank support agent with email and wire tools receives a customer record carrying a hidden instruction. With the gate off, the poisoned record is emailed out and $84,200 is wired to an attacker. With it on, the same input is blocked before the model is called, in a deterministic CI test rather than a screenshot.
Show HN commenters pushed the structural counter: rule-based filters carry the antivirus update treadmill, encodings like base64 defeat input inspection, and provenance channels — non-user-writable tags encoding who the model acts for — may be the missing primitive. The enterprise add-on sketches one such seam; the open core does not.