Guard Transform Pipeline

Guard transformation rules intercept agent-to-tool communication for PII protection, data masking, context injection, and schema validation. Rules are evaluated in order and can target specific tools or apply globally.

Plan requirement: Pro plan (up to 5 rules), Max and Enterprise (unlimited).

---

Transformer Types

pii

PII tokenization using Presidio NER. Strips personal data (names, emails, phone numbers, SSNs, credit cards) before it reaches the LLM or tool server. Tokens are reversible within the same session.

field_mask

Mask specific fields in tool call payloads. Useful for redacting credit card numbers, API keys, or other sensitive fields that should never leave your environment.

context_inject

Inject system context or compliance instructions into requests. Ensures every tool call carries required disclaimers, tenant-specific policies, or regulatory boilerplate without modifying agent code.

schema_validate

Validate tool call payloads against JSON schemas before they reach the tool server. Rejects malformed requests early, preventing downstream errors and enforcing data contracts.

---

Direction

Each rule specifies when it applies:

Direction	Description
request	Transform outgoing requests to tools
response	Transform incoming responses from tools
both	Transform in both directions

---

Endpoints

List Rules

GET /v1/analytics/transform-rules

Returns rules ordered by the order field (lowest first).

curl -H "x-api-key: YOUR_API_KEY" \
  "https://veriswarm.ai/v1/analytics/transform-rules"

Create Rule

POST /v1/analytics/transform-rules

curl -X POST -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "transformer_type": "pii",
    "tool_name": null,
    "direction": "both",
    "config": {"entity_types": ["PERSON", "EMAIL_ADDRESS", "PHONE_NUMBER"]},
    "order": 10,
    "enabled": true
  }' \
  "https://veriswarm.ai/v1/analytics/transform-rules"

Fields:

Field	Type	Description
transformer_type	string	pii, field_mask, context_inject, or schema_validate
tool_name	string or null	Target a specific tool, or null to apply to all tools
direction	string	request, response, or both
config	object	Transformer-specific configuration (see examples below)
order	integer	Execution order -- lower numbers run first
enabled	boolean	Toggle the rule without deleting it

Delete Rule

DELETE /v1/analytics/transform-rules/{rule_id}

---

Config Examples

pii

Specify which entity types to detect and tokenize:

{
  "entity_types": ["PERSON", "EMAIL_ADDRESS", "PHONE_NUMBER", "US_SSN", "CREDIT_CARD"]
}

field_mask

Specify fields to mask and the masking pattern:

{
  "fields": ["credit_card_number", "cvv"],
  "mask_char": "*",
  "preserve_last": 4
}

context_inject

Specify the context string to prepend or append:

{
  "position": "prepend",
  "content": "COMPLIANCE NOTICE: This agent operates under HIPAA guidelines. Do not store PHI in external systems."
}

schema_validate

Specify the JSON schema to validate against:

{
  "schema": {
    "type": "object",
    "required": ["query", "limit"],
    "properties": {
      "query": {"type": "string", "minLength": 1},
      "limit": {"type": "integer", "minimum": 1, "maximum": 100}
    }
  }
}

---

Pipeline Execution

Rules execute in order field sequence (lowest first). Each transformer receives the output of the previous one, forming a pipeline. Non-applicable transformers (wrong direction, wrong tool) are skipped automatically.

A typical pipeline might look like:

1. schema_validate (order: 10) -- reject malformed requests early
2. pii (order: 20) -- strip personal data
3. context_inject (order: 30) -- add compliance context
4. field_mask (order: 40) -- mask remaining sensitive fields

---

Authentication

All transform rule endpoints accept either authentication method:

• x-api-key header -- your platform API key
• x-account-access-token header -- user session token from login