Deploy theDocumentation Index
Fetch the complete documentation index at: https://www.truefoundry.com/llms.txt
Use this file to discover all available pages before exploring further.
integrations/lasso-security FastAPI wrapper on any public HTTPS host. The gateway calls it at llm_input / llm_output via the Custom Guardrail contract; the wrapper forwards traffic to Lasso API v3 and returns verdict JSON on HTTP 200.
What is Lasso Security?
Lasso Security is a SaaS platform for classifying and remediating LLM traffic. You define deputies and policies in the Lasso platform; the wrapper does not embed policy logic. API v3 exposes two operations used by this integration:| Lasso API | Purpose | Gateway operation |
|---|---|---|
POST /classify | Score prompt or completion; return BLOCK / WARN findings | Validate |
POST /classifix | Apply masks or rewritten text when Lasso provides remediation spans | Mutate |
messageType=PROMPT for input hooks and messageType=COMPLETION for output hooks. Optional sessionId / userId from gateway context are forwarded when present for conversation-aware policy.
How it works
- The gateway POSTs an OpenAI-shaped
requestBody(input) orrequestBody+responseBody(output) to your wrapper URL. - The wrapper extracts user/assistant text and calls Lasso API v3 with your
LASSO_API_KEY. - The wrapper returns HTTP 200 with a policy outcome in the body (see below). Infrastructure failures return HTTP 5xx.
action: BLOCK produce {"verdict": false}; WARN-only findings are logged and allowed. On mutate rails, when Lasso returns mask metadata or rewritten content, the wrapper returns {"verdict": true, "transformed": true, "result": {...}} so the gateway can replace the request or response. Hard blocks without mask data still return verdict: false.
Response contract
| HTTP | Body | Meaning |
|---|---|---|
200 | {"verdict": true} | Allow |
200 | {"verdict": false, "message": "..."} | Block (policy) |
200 | {"verdict": true, "transformed": bool, "result": {...}} | Mutate |
5xx | error JSON | Wrapper or Lasso failure |
verdict: false, not HTTP 4xx. See Custom guardrail response contract.
Wrapper endpoints
| Path | Operation | Target |
|---|---|---|
/lasso-classify | Validate | Request (input) |
/lasso-classify-output | Validate | Response (output) |
/lasso-classifix | Mutate | Request |
/lasso-classifix-output | Mutate | Response |
GET /health — health check. GET /debug/runtime-config — bearer-gated deploy verification.
All POST routes expect Authorization: Bearer <WRAPPER_API_KEY> when the key is configured on the wrapper.
Prerequisites
- Lasso API key from the Lasso Security platform, plus deputies configured for your policies.
- Public HTTPS URL for the deployed wrapper.
WRAPPER_API_KEY— shared secret; the gateway sends it asAuthorization: Bearer …when calling the wrapper.
Setup
Clone and configure
.env
LASSO_API_KEY in the Lasso Security platform. Default API base: https://server.lasso.security/gateway/v3 (override with LASSO_API_BASE if needed).Deploy the wrapper
Docker:Local:Put TLS in front of the service (load balancer, ingress, or your platform’s HTTPS URL). The gateway must reach paths such as
https://<host>/lasso-classify.Deploy on TrueFoundry (optional)
Deploy on TrueFoundry (optional)
Set
TFY_WORKSPACE_FQN, TFY_PUBLIC_HOST, TFY_PUBLIC_PATH, and secret FQNs in .env. Create secrets lasso-api-key and wrapper-api-key under group lasso-guardrails-tfy in Platform → Secrets, then:Register Custom Guardrail configs
AI Gateway → Guardrails → + Add New Guardrails Group → type Custom.
Auth Data → Custom Bearer Auth works the same as Headers if you prefer not to set headers manually.
- Group name:
lasso-security - Add one config per wrapper path (four total), or start with input validate only.
| Field | Value |
|---|---|
| Name | lasso-validate-guardrail |
| Operation | Validate |
| Target | Request |
| Enforcing Strategy | Enforce |
| URL | https://<host>/lasso-classify |
| Headers | Authorization → Bearer <WRAPPER_API_KEY> |
| Config | {} |
| Name (example) | Operation | Target | Path |
|---|---|---|---|
lasso-classify-output | Validate | Response | /lasso-classify-output |
lasso-classifix-input | Mutate | Request | /lasso-classifix |
lasso-classifix-output | Mutate | Response | /lasso-classifix-output |
Attach to traffic
Model pin: AI Gateway → Models → <model> → Guardrails → attach group For PII masking, use the
lasso-security.Per request — X-TFY-GUARDRAILS header, selector format <group>/<config-name>:lasso-classifix-* config names instead of classify.Troubleshooting
| Symptom | Likely cause |
|---|---|
401 from wrapper | WRAPPER_API_KEY on the service does not match the dashboard Bearer token |
| Lasso console shows violation, gateway allows | Finding is WARN only; raise to BLOCK in Lasso, or use validate rails |
| Mutate blocks instead of masking | Lasso returned BLOCK without mask spans; use classify for hard stops |
Gateway allows despite verdict: false | Tenant gateway not honoring verdict-on-200; set Enforce or upgrade gateway |
Reference
| Item | Value |
|---|---|
| Source repo | truefoundry/integrations-custom-guardrails/integrations/lasso-security |
| Lasso platform | lasso.security (API key) |
| Lasso API base | https://server.lasso.security/gateway/v3 |
| Selector | lasso-security/<config-name> |