Skip to main content
Guardrails are safety checks that evaluate agent inputs and outputs to detect harmful, non-compliant, or malformed content. Unlike constraints (which enforce business rules), guardrails protect against safety and quality violations at the content level. The GUARDRAILS: block defines named guardrail rules.

Overview

ABL guardrails use a three-tier evaluation model:
  1. CEL-based (Tier 1) — fast, deterministic expression checks.
  2. Model-based (Tier 2) — pre-trained safety classification models (for example, OpenAI moderation).
  3. LLM-based (Tier 3) — natural language checks evaluated by an LLM.
Each guardrail specifies an application point (when to check), a check expression or prompt, and an action to take when the check fails.

Application points

The kind property determines when the guardrail is evaluated during the agent’s processing pipeline.

Guardrail properties

Actions

The action property determines the runtime behavior when a guardrail check fails.

Three-tier implementation

Tier 1: CEL-based checks

CEL (Common Expression Language) checks are fast, deterministic rules evaluated without calling an external model. Use the check property with a CEL expression.

Tier 2: Model-based checks

Model-based checks use a pre-trained classification model to score content. You specify a provider, an optional category, and a threshold.

Tier 3: LLM-based checks

LLM-based checks use a natural language prompt evaluated by an LLM. Use the llm_check property with a descriptive prompt.

Fix strategies

When action: fix, the fix_strategy property determines how content is repaired.

Example: fix with truncation

Example: custom fix expression

Graduated actions

Use severity_actions to apply different actions based on the severity of the violation. The keys are severity labels and the values are action names.

Streaming evaluation

For streaming responses, guardrails can evaluate content as it is generated rather than waiting for the complete response.
When a streaming guardrail triggers, the response generation is halted at the current point and the message is sent to the user.

Reask behavior

When action: reask, the runtime rejects the LLM output, appends the guardrail’s message as additional guidance, and re-prompts. The max_reasks property controls how many times this can happen before falling back to a block.

Priority and evaluation order

Guardrails are evaluated in order of priority (lower values first). When multiple guardrails have the same priority, they are evaluated in declaration order. A block action from any guardrail stops further evaluation. warn actions do not stop evaluation; all subsequent guardrails continue to run.

Built-in guardrail templates

ABL ships a set of built-in, CEL-based (Tier 1) guardrail templates focused on prompt-injection and secret-leak protection: You can also author your own guardrails for domain-specific concerns (account-number masking, SSN redaction, profanity, etc.) using the tiers described above.

Complete example