sluicesafe channels for untrusted work
github

Sluice — overview

Sluice is a toolchain for feeding untrusted content to local LLMs safely. Every byte of web content and every row of user-generated data passes through a shared three-phase guard pipeline before your model sees it. Local inference, no cloud safety APIs, guards on by default.

The guard pipeline

Three phases, reused by every Sluice binary:

  1. Leakage (Gemma 4 26B). Blocks PII and credentials before anything leaves your machine.
  2. Shield (ShieldGemma 9B). Fast heuristic scan for known injection patterns.
  3. Canary (Gemma 4 26B). Sandwich pattern — the model self-reports if the content tried to override its instructions.

All three run locally. Queries and returned content never touch a third-party safety API.

The tools

  • reed. Web search. Wraps Brave or Google. Credentials stay host-side. Every returned page is scanned for prompt-injection before the markdown output reaches the model.
  • guard. Shield (input classifier) and canary (output validator). On by default. Ships as a library and a wrapper.
  • cellmate. CSV-in, CSV-out enrichment. YAML schema describes the columns an LLM should add. Guards on every row.
  • heron (design-complete). Capability broker. Untrusted code calls named operations, never URLs. Credentials resolved host-side.
  • convict (design-complete). Firecracker microVM per job. Ephemeral. Heron is the only reachable address.

Next

  • Get started — install, pull models, run your first guarded command.
  • GitHub — source, issues, releases.