| Property | Values | Meaning |
|---|---|---|
| Type | one of the catalog | The detection capability it configures (e.g. prompt_guard). |
| Mode | observe · block · redact | What a detection does. |
| Protocol | all · llm · mcp · a2a | Which traffic type it applies to. |
| Direction | input · output | Whether it inspects prompts or responses. |
| Settings | type-specific | The detection’s configuration (thresholds, entities, lists…). |
Mode — what a detection does
The mode is the detector’s enforcement intent. It changes how a detection shapes the guard response, not whether the detector runs.| Mode | Console label | Reports finding | is_flagged | Rewrites payload |
|---|---|---|---|---|
observe | Observe | ✅ | — | — |
block | Enforce | ✅ | ✅ | — |
redact | Redact | ✅ | — | ✅ |
redact is only available for mutable detectors (today:
data_loss_prevention). A typical rollout
starts a detector in Observe to measure signal and false positives, then promotes it
to Enforce (or Redact for DLP) once you trust it.
Direction — input vs output
- Input detectors inspect what goes into the model/agent (the prompt, an uploaded document, requested tools).
- Output detectors inspect what comes back (the completion, the tool calls the model emitted).
direction matches. Many detectors support both
sides; some are input-only or output-only (see each one’s supported sides in the
catalog).
Protocol — LLM, MCP, A2A
protocol scopes a detector to a traffic type. all matches everything; llm, mcp,
and a2a match that protocol only. The agent/MCP detectors are mcp-scoped, for
example.