feat(ai-lakera-guard): scan LLM responses (direction output/both, non-streaming + streaming)#13606
Open
janiussyafiq wants to merge 7 commits into
Open
feat(ai-lakera-guard): scan LLM responses (direction output/both, non-streaming + streaming)#13606janiussyafiq wants to merge 7 commits into
janiussyafiq wants to merge 7 commits into
Conversation
…t and both directions; update documentation and tests
…ce test coverage for output direction
dosubot
Bot
added
size:XL
nic-6443
reviewed
Jun 25, 2026
nic-6443
reviewed
Jun 25, 2026
nic-6443
reviewed
Jun 25, 2026
nic-6443
reviewed
Jun 25, 2026
nic-6443
reviewed
Jun 25, 2026
… mode and fail-open support; update documentation and tests
…sts for fail-open behavior; update documentation
…d readability and maintainability
nic-6443
previously approved these changes
Jun 26, 2026
AlinsRan
previously approved these changes
Jun 26, 2026
membphis
previously approved these changes
Jun 26, 2026
AlinsRan
reviewed
Jun 26, 2026
Comment on lines
+262
to
+291
| if not ctx.var.llm_request_done then | ||
| -- Withhold this chunk until end-of-stream, replacing it with an SSE | ||
| -- keep-alive comment. Not "" (nginx treats an empty body as nothing | ||
| -- to flush) and not nil (which would let the original chunk reach | ||
| -- the client) -- the keep-alive holds the content back while keeping | ||
| -- the connection open. | ||
| return nil, ":\n\n" | ||
| end | ||
|
|
||
| local text = ctx.var.llm_response_text | ||
| if not text or text == "" then | ||
| if conf.fail_open then | ||
| core.log.warn("ai-lakera-guard: streamed response ended without ", | ||
| "an assembled completion (no upstream usage event?); ", | ||
| "fail_open=true, releasing unscanned") | ||
| return nil, concat(buffer) | ||
| end | ||
| core.log.error("ai-lakera-guard: streamed response ended without ", | ||
| "an assembled completion (no upstream usage event?); ", | ||
| "fail_open=false, blocking response") | ||
| return ngx.OK, deny_message(ctx, conf, conf.response_failure_message) | ||
| end | ||
|
|
||
| local code, message = moderate_response(ctx, conf, text) | ||
| if code then | ||
| return ngx.OK, message | ||
| end | ||
|
|
||
| -- Clean: release the buffered stream verbatim, preserving SSE framing. | ||
| return nil, concat(buffer) |
Contributor
There was a problem hiding this comment.
Block-mode streaming can duplicate or drop the response when a protocol converter is active (e.g. Anthropic client → OpenAI upstream via ai-proxy-multi). The same-protocol path tested here is fine.
Root cause: release is gated only on llm_request_done. In ai-providers/base.lua that flag is set before the dispatch loop, and with a converter the loop calls lua_body_filter once per converted chunk. On [DONE], anthropic-messages-to-openai-chat emits two chunks (message_delta + message_stop) — both dispatched with llm_request_done == true.
Two symptoms:
- Upstream without
include_usage: both terminal chunks hitreturn nil, concat(buffer)→ response sent twice + Lakera scanned twice. - Upstream with
include_usage: the converter defers the terminal events to the usage chunk (typeusage, doesn't setllm_request_done), then[DONE]converts to nothing → buffer never released, clean response dropped (client gets only keep-alives).
Fix: gate scan+release behind a one-shot flag (e.g. ctx.lakera_response_released) so it runs exactly once, and ensure the buffer is flushed at EOF even when the final dispatch produced no chunk (an end-of-stream filter pass in base.lua, like the abort path this PR adds). A block-mode ai-proxy-multi regression test (Anthropic client + OpenAI streaming upstream) would lock it down.
…for blocking and clean responses; add tests for output direction
…prove fail-closed behavior; add tests for streaming scenarios
janiussyafiq
dismissed stale reviews from membphis, AlinsRan, and nic-6443
via
ab6cc45
dosubot
Bot
added
size:XXL
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
PR-2 of
ai-lakera-guard, following the input-scanning MVP (#13570). Adds response (output) scanning for non-streaming and streaming (SSE) traffic. Back-compatible:directionstill defaults toinput.directionextended toinput/output/both; addsresponse_failure_message.lua_body_filter, the same dispatchai-aliyun-content-moderationuses):ctx.var.llm_response_text; a flagged response is replaced with a provider-compatible deny.[DONE](flagged). Because the stream's200/text/event-streamheaders are already committed when buffering begins, a streamed block is delivered as the deny body —deny_codedoes not apply to streams.Which issue(s) this PR fixes:
Part of #13291.
Checklist