Validates chat identity before calls cross into an LLM service. This covers supply-chain and model-integrity concerns related to OWASP LLM03; see https://genai.owasp.org/llm-top-10/.
Usage
trust_boundary(
  chat = NULL,
  allowed_models = NULL,
  allowed_hosts = NULL,
  require_hash = NULL,
  ...
)
Arguments
- chat
  An ellmer chat object, an object with $chat(), or a function.
- allowed_models
  Optional character vector of allowed model names.
- allowed_hosts
  Optional character vector of allowed hosts or base URLs.
- require_hash
  Optional expected SHA-256 hash for an Ollama modelfile manifest.
- ...
  Reserved for backwards-compatible aliases.
Details
trust_boundary() returns a chat wrapper. The wrapper validates the chat when
it is created and, when require_hash is supplied, again on every call. Plain
functions are passed through without model or host checks because a function
carries no standard model metadata. Chat objects with a $chat() method may
expose model and host fields through common ellmer-style internals or
attributes.
allowed_models and allowed_hosts are allowlists. If the chat exposes a
model or host that is outside the corresponding allowlist, the wrapper raises
an OWASP LLM03 error. require_hash is intended for local Ollama workflows,
where the model manifest can be checked with ollama show --modelfile.
This function is not a network firewall. It is an application-level assertion that the chat object being called is the chat object you intended to allow.
Examples
chat <- function(prompt) paste("ok:", prompt)
safe_chat <- trust_boundary(chat)
safe_chat("hello")
#> [1] "ok: hello"
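An added example of pinning a local Ollama model behind the boundary; it is not code from the package's reference page. ellmer::chat_ollama(), the digest package, the model names, the localhost URL, the way the modelfile text is hashed, and calling the wrapper like a function are all assumptions.

```r
# Added example, not from the package docs. Assumes the ellmer and digest
# packages are installed, a local Ollama server is listening at
# http://localhost:11434 with the "llama3.2" model pulled, and that
# require_hash expects the SHA-256 of the text printed by
# `ollama show --modelfile <model>` (an assumption about the wrapper).

# Compute the manifest hash once on a machine you trust and keep the value
# in configuration; a later change to the local model then fails the check.
manifest_sha256 <- function(model) {
  lines <- system2("ollama", c("show", "--modelfile", model), stdout = TRUE)
  digest::digest(paste(lines, collapse = "\n"),
                 algo = "sha256", serialize = FALSE)
}
expected_hash <- manifest_sha256("llama3.2")

chat <- ellmer::chat_ollama(model = "llama3.2")

# Allowlist model, host and manifest hash together; the hash is re-checked
# on every call, so a swapped model is caught mid-session, not only at setup.
safe_chat <- trust_boundary(
  chat,
  allowed_models = "llama3.2",
  allowed_hosts  = "http://localhost:11434",
  require_hash   = expected_hash
)
safe_chat("Summarise this ticket in one sentence.")

# Fail-closed check: the same chat object is rejected at wrap time when the
# allowlist names a different model (constructed negative case).
tryCatch(
  trust_boundary(chat, allowed_models = "mistral"),
  error = function(e) message("rejected: ", conditionMessage(e))
)
```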
