Developer track
Deny-by-default tool firewall for the LLM stack you already run.
You stood up self-hosted inference on purpose — sovereignty, cost, latency, or because your data legally can't leave. Now your agents are calling tools, and you've got two bad options: ship unsupported OSS guardrails you'll be maintaining forever, or pipe your prompts out to a cloud guardrail vendor and undo the entire reason you self-hosted. Bridgekeeper is the third option.
What it is, in dev terms
In-process, not a cloud hop
It runs inside your deployment. Prompts and tool-calls never leave the box. Air-gap capable.
Augment, don't replace
Drops into the stack you already run — LiteLLM, Ollama, vLLM, and the proxies and frameworks alongside them — as a layer, not a migration. Container plus config, measured in days.
Tool-call containment, not just I/O scanning
A deny-by-default tool firewall: an agent executes only what's explicitly allowed. Each call is bound to its request (tool + args + hash + TTL), with anti-replay and provenance labels so a captured or injected call can't be reused or laundered through.
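A sketch of the request binding described above, as an added example that is not Bridgekeeper's code: a deny-by-default allowlist plus an HMAC over request id, tool, args, nonce and expiry, with a nonce cache for anti-replay. The names `ALLOWED_TOOLS`, `issue` and `authorize`, the sample tool and the per-process key are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed allowlist: tool name -> argument names it may receive.
# Anything not listed here is denied.
ALLOWED_TOOLS = {"search_docs": {"query"}}
KEY = secrets.token_bytes(32)   # assumption: one signing key per process
_seen_nonces = set()            # in production, evict entries once expired

def _mac(request_id, tool, args, nonce, expires):
    # Canonical JSON so the same call always hashes to the same bytes.
    blob = json.dumps([request_id, tool, args, nonce, expires],
                      sort_keys=True, separators=(",", ":"))
    return hmac.new(KEY, blob.encode(), hashlib.sha256).hexdigest()

def issue(request_id, tool, args, ttl=5.0, now=None):
    """Bind one allowlisted tool call to the request that produced it."""
    now = time.time() if now is None else now
    if tool not in ALLOWED_TOOLS or set(args) - ALLOWED_TOOLS[tool]:
        raise PermissionError(f"denied by default: {tool}")
    nonce, expires = secrets.token_hex(16), now + ttl
    return {"tool": tool, "args": args, "nonce": nonce, "expires": expires,
            "mac": _mac(request_id, tool, args, nonce, expires)}

def authorize(ticket, request_id, now=None):
    """Check a ticket at execution time; returns (allowed, reason)."""
    now = time.time() if now is None else now
    expected = _mac(request_id, ticket["tool"], ticket["args"],
                    ticket["nonce"], ticket["expires"])
    # Fails if args were edited or the ticket came from another request.
    if not hmac.compare_digest(expected, ticket.get("mac", "")):
        return False, "binding mismatch"
    if now > ticket["expires"]:
        return False, "expired"
    if ticket["nonce"] in _seen_nonces:
        return False, "replayed"
    _seen_nonces.add(ticket["nonce"])   # single use
    return True, "ok"
```
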
Fast enough for the hot path
The heuristic layer screens content in under 0.1ms with no external API calls — usable in voice, streaming, and edge/Ollama deployments where an LLM-judge guardrail's 200–1000ms is a non-starter.
Inbound and outbound, both covered
Input sanitization, prompt-injection detection, and canary tokens on the way in; DLP and provenance on the way out. The deny-by-default action layer sits between them — and a maintained threat-intel feed keeps all of it current.
Why a developer should care
| You feel this pain | Bridgekeeper's answer |
|---|---|
| “Cloud guardrails defeat the point of self-hosting.” | Nothing leaves your network. In-process by design. |
| “OSS guardrails are free, but I'm the one maintaining them at 2am.” | Supported, plus a feed that ships coverage for new techniques as a changelog. |
| “Adding a security layer means another migration.” | Drops into LiteLLM / Ollama / vLLM. Augment, don't replace. |
| “My agent can call tools — I/O scanning doesn't cover that.” | Deny-by-default tool firewall + request binding is exactly the action layer. |
| “Latency budget is blown by an LLM-judge guardrail.” | Sub-millisecond heuristic first layer; the heavy checks are opt-in. |
Try it on one workload
Wrap a single agent that calls tools, turn the tool firewall to deny-by-default, and watch what it blocks — two weeks, on your own infrastructure, with zero data egress. Bridgekeeper runs entirely on your infrastructure; the maintained feed and support are what you add on top.