# Retroguard

> Verifiably secure AI guardrails. Run safety classification for OpenAI / Anthropic LLM traffic inside an AWS Nitro Enclave so prompts, responses, and provider keys stay private — even from Retroguard.

Retroguard is a drop-in proxy for OpenAI- and Anthropic-compatible APIs that runs guardrail evaluation inside a hardware-attested secure enclave. Customers swap one base URL and immediately get PII redaction, jailbreak / prompt-injection detection, custom natural-language policies, and per-request cryptographic proof that the published classifier image ran their request.

## Product

- [Landing page](https://retroguard.ai/): pricing, drop-in code snippet, full feature list.
- [Documentation source (open-source proxy)](https://github.com/ttttonyhe/retroguard)
- [Open-source classifier enclave](https://github.com/ttttonyhe/retroguard-classifier-enclave)

## Pricing

- Free tier: 100 blocked requests per month.
- Pay-as-you-go: $2 per 100 blocked requests beyond the free tier.
- Safe pass-through requests are not billed.

## How it works

1. Sign up, create a project, add an OpenAI- or Anthropic-compatible provider key (encrypted in your browser via AWS KMS before it leaves the page).
2. Create an endpoint with one or more natural-language policies (e.g. "Block any text containing US Social Security Numbers").
3. Point your existing SDK at the issued endpoint URL. The proxy forwards safe requests, blocks unsafe ones, and emits a per-request attestation customers can verify against the published enclave image.

## Trust model

- Hardware attestation via AWS Nitro Enclaves (PCR0 measurement of the classifier binary).
- Customer-side encryption of provider keys: plaintext exists only inside the user's browser tab and inside the attested enclave.
- Per-request escrow for blocked content: the cleartext of a blocked prompt / response is encrypted to customer-held X25519 device keys; even Retroguard cannot decrypt without the customer's private key.

## SDK compatibility

- OpenAI SDK (Python, Node, all official SDKs): change `base_url` only.
- Anthropic SDK (Python, Node): change `base_url` only.
- Streaming / non-streaming, tool use, vision, all forwarded transparently.

## Contact

- Public source: https://github.com/ttttonyhe/retroguard
- Security: https://retroguard.ai/.well-known/security.txt