What is deterministic post-LLM attribution?

It is a security pattern where the system, not the LLM, links the model's output back to specific source documents or database records based on context preserved outside of the model call.

Why should identifiers like UUIDs never go into an LLM prompt?

Including IDs in prompts causes LLMs to hallucinate non-existent references, increases the risk of cross-tenant data leakage, and provides potential vectors for prompt injection attacks.

Can this skill help with multi-tenant data isolation?

Yes, it provides specific Pre-LLM filtering patterns that ensure data is scoped to the correct user or organization before the LLM ever sees the content.

How does this skill prevent prompt injection?

It implements context separation and prompt auditing, ensuring that only content text is visible to the model while system-level identifiers flow through deterministic system code instead.

LLM Safety Patterns

Name: LLM Safety Patterns
Author: yonatangross

byyonatangross

•

Security & Testing

Implements production-grade security patterns for LLM integrations to defend against prompt injection and prevent hallucinations.

About

LLM Safety Patterns provides a standardized architectural framework for building secure AI applications by ensuring sensitive identifiers, such as UUIDs and tenant IDs, never enter the LLM context. It utilizes a robust three-phase pattern—pre-filtering, content-only processing, and deterministic post-attribution—to eliminate risks associated with prompt injection, cross-tenant data leakage, and hallucinated references. This skill is essential for developers building production-ready RAG systems and multi-tenant AI services where data isolation and output integrity are mission-critical.

Key Features

Identifier Isolation: Systematically strips UUIDs and sensitive IDs from prompts to prevent leakage.
29 GitHub stars
Pre-LLM Filtering: Ensures strict tenant isolation and user-scoped data retrieval before model interaction.
Output Validation Guardrails: Scans responses for hallucinations, toxic content, and schema compliance.
Deterministic Attribution: Maps LLM outputs to source data using system-managed IDs rather than model-generated ones.
Prompt Injection Defense: Protects system integrity by separating untrusted content from system instructions.

Use Cases

Implementing robust hallucination checks for automated document analysis and data extraction.
Securing multi-tenant RAG applications from cross-user data leakage and unauthorized access.
Building production-ready AI pipelines with deterministic audit trails and verifiable source tracking.

About

Key Features

Identifier Isolation: Systematically strips UUIDs and sensitive IDs from prompts to prevent leakage.
29 GitHub stars
Pre-LLM Filtering: Ensures strict tenant isolation and user-scoped data retrieval before model interaction.
Output Validation Guardrails: Scans responses for hallucinations, toxic content, and schema compliance.
Deterministic Attribution: Maps LLM outputs to source data using system-managed IDs rather than model-generated ones.
Prompt Injection Defense: Protects system integrity by separating untrusted content from system instructions.

Use Cases

Implementing robust hallucination checks for automated document analysis and data extraction.
Securing multi-tenant RAG applications from cross-user data leakage and unauthorized access.
Building production-ready AI pipelines with deterministic audit trails and verifiable source tracking.