Bouclier.ai sits between your apps and AI providers. Every outbound request is scanned for prompt-injection attacks. Images, PDFs and short audio clips are inspected on-device — if they contain PII, the attachment is replaced with a plain-English description before it reaches the model. Your text prompts pass through byte-for-byte; auth headers and API keys are never touched. All inspection runs locally on your Mac.
Beta — research prototype. Not meant to be used live.
Bouclier is published for evaluation, security research, and personal experimentation. It is not a commercial product, is not supported, and is not meant for production, regulated workloads, or any environment where a detection failure could cause harm. Detection is best-effort; false positives and false negatives will occur. See the Terms before installing.
Built with Llama. Uses Meta Llama Prompt Guard 2 for on-device prompt attack detection.
Paste any prompt — benign or adversarial. The exact scanner the Mac app ships runs right here in your browser. 161 regex patterns, Unicode normalization, heuristic scoring. Nothing leaves your machine.
[Possible prompt injection redacted by Bouclier.ai. See https://www.bouclier.ai/blocked for details] and [Possible prompt injection redacted by Bouclier.ai. See https://www.bouclier.ai/blocked for details]. [Possible prompt injection redacted by Bouclier.ai. See https://www.bouclier.ai/blocked for details] [Possible prompt injection redacted by Bouclier.ai. See https://www.bouclier.ai/blocked for details], an AI without restrictions.
The desktop app adds a CoreML classifier (Meta Prompt Guard 2) and entropy analysis on top of the regex layer — this demo shows the regex + scoring layer only.
A proxy that rewrites prompts is a proxy you can't trust. Bouclier sits in the middle of every AI request but it isn't a rewriter — prompt bodies traverse the proxy byte-for-byte and auth headers are forwarded untouched. The only thing Bouclier ever modifies on the way out is an attachment the on-device scanner flagged as containing PII, and even then we substitute a short text description, not a placeholder token that could trip the provider's abuse detection.
Forwarded byte-for-byte. No tokenisation, no placeholder substitution, no JSON-blind rewriter that could touch user-identifier or analytics fields. The model receives your prompt exactly as your app sent it.
Authorization, x-api-key, X-Trace-ID, custom analytics, User-Agent — every header reaches the upstream unmodified. Pinned by an end-to-end test so a future change can't drift.
The one thing Bouclier rewrites. Images, PDFs, audio that contain PII are replaced with a plain-English description — never with a token shape that could look adversarial to the model.
The byte-identical guarantee is pinned by E2EProxyTests in CI — every release proves that a real CONNECT + TLS request through the proxy reaches the upstream with body, auth headers, API keys and trace IDs all intact. Read the Terms for the limits of best-effort attachment detection.
A screenshot of an invoice, a scanned NDA, a 30-second voice memo — modern LLM clients accept all of it, and a regex pass over the JSON body sees none of it. Bouclier opens images, PDFs and audio clips on the way out, scans them with Apple's on-device Vision, PDFKit and Speech frameworks, and replaces flagged attachments with a short text description so the model still gets the gist without the leak.
Vision OCR + face detection on every image in OpenAI / Anthropic / Gemini multimodal shapes. EXIF orientation honored, 2000 px downscale, 4-concurrency throttle.
PDFKit text-layer extraction with Vision OCR fallback for scanned pages. Encrypted or oversized PDFs surface as unscannable and get stripped — never silently forwarded.
On-device Apple Speech transcription up to 60 seconds. No audio leaves your Mac. Unsupported formats get blocked rather than passed through.
Attachment inspection ships off by default and is opt-in from Settings → Privacy. Multipart file uploads to the OpenAI Files API and Anthropic messages with PDF / image / audio blocks are all supported. Detection runs entirely on your Mac — no cloud OCR, no cloud transcription, no telemetry.
A System Extension routes AI API traffic through a local proxy on your Mac. Every request and response is inspected before reaching the provider — no code changes, no SDK, no cloud dependency.
Traffic to 10+ AI providers is automatically routed through Bouclier.ai. Works with any app — ChatGPT, Cursor, Claude, API calls. No configuration needed.
161 detection rules across 21 attack categories. Requests, query strings, and streaming responses are all inspected in real time.
Threats are neutralized inline — injections are redacted before reaching the model. Streaming attacks are terminated cleanly. Safe traffic passes through untouched.
Every release is tested against 442 real-world attack samples and 240 benign inputs. Detection quality is enforced in CI — regressions block the release.
Sourced from OWASP LLM Top 10, MITRE ATLAS, HackAPrompt, and red-team research from Anthropic, Microsoft, and leading AI security labs.
Attempted to override the AI’s instructions and extract its system prompt.
Injection disguised in French to bypass English-language detection.
Known jailbreak technique (Skeleton Key) attempting to disable safety guardrails.
Malicious instructions hidden in an MCP tool description, targeting SSH keys.
Deploy and configure via Jamf, Kandji, or Mosyle. Control intercepted domains, enforcement policy, and feature flags across your fleet.
Every scan event is logged locally and can be forwarded to your SIEM. Export a privacy-scrubbed diagnostics bundle for incident response.
Built with defense-in-depth: request size limits, strict input validation, and a published threat model covering every trust boundary.
AI responses are inspected in real time as they stream. If a threat is detected mid-response, the stream is terminated cleanly.
All detection runs locally. No cloud LLM, no analytics, no telemetry in the app.
The local CA key is stored encrypted in your Keychain, unique to your device, and removable anytime.
Scan logs never contain your prompts, responses, or API keys — only detection metadata.
Local storage with automatic rotation. You own your data.
Published threat model and privacy policy covering every trust boundary.
Download the DMG, drag to Applications, click Enable. Every AI request is protected from that moment.
Download for macOSmacOS 15+ · Apple Silicon & Intel · v0.6.0