# Repello AI Docs

> Runtime security and guardrails for agentic AI systems

# 👋 Welcome

This is the documentation home for **Repello AI** and our runtime security product, **ARGUS**. Use the cards below to jump straight into the ARGUS SDK or the ARGUS API.

## About Repello AI

[Repello AI](https://repello.ai) builds security for the AI stack — helping teams ship AI agents and LLM-powered applications without exposing themselves to prompt injection, jailbreaks, tool abuse, data leakage, and brand-damaging output. Learn more at [repello.ai](https://repello.ai).

## About ARGUS

<img src="https://mintcdn.com/repello/4Z4vOg5ExiFKMX0g/images/argus-docs-hero.png?fit=max&auto=format&n=4Z4vOg5ExiFKMX0g&q=85&s=7f6182c5c64f137c511b2f0639195689" alt="ARGUS docs — AI runtime security" style={{ width:"100%" }} width="3840" height="2160" data-path="images/argus-docs-hero.png" />

ARGUS is real-time runtime security for **agentic AI systems**. Modern applications are no longer a single model call — they are workflows of orchestrators, agents, tools, MCP servers, and knowledge bases that plan, call functions, and act on their own. ARGUS sits inside that loop: it inspects the prompts, tool calls, and responses flowing between every node in the workflow, enforces your guardrail policies in real time, and traces each step so you can see exactly what your agents did and why.

Integrate it through the **Python SDK** to instrument individual nodes in your agent graph, or call the **REST API** directly to scan content at any point in the workflow.

## Get started

<Columns cols={2}>
  <Card title="ARGUS SDK" icon="python" href="/sdk-reference/introduction">
    Install the Python SDK, authenticate, and instrument your agentic workflow.
    Scan prompts, tool calls, and responses at each node, record trace events,
    and enforce policies — with the full `ArgusClient` reference.
  </Card>

  <Card title="ARGUS API" icon="code" href="/api-reference/introduction">
    Call the runtime security REST API directly. Analyze any prompt or response
    in your agent loop over HTTP with `X-API-Key` authentication.
  </Card>
</Columns>

## Why ARGUS

1. **Agents act — not just answer**\
   An agent can call tools, query databases, hit MCP servers, and chain steps autonomously. A single bad decision can exfiltrate data or take a destructive action. Guardrails have to live *inside* the loop, not just around the final answer.
2. **The attack surface is every hop**\
   Prompt injection can arrive through a retrieved document, a tool result, or another agent's output — not only the user's message. ARGUS inspects content at every node, so a poisoned intermediate step is caught before it propagates.
3. **General safety APIs are black boxes**\
   Most "moderation" services return a single boolean flag. ARGUS exposes *fine-grained* violation types & calibrated **risk levels** so you can auto-block, soft-block, rewrite, or just log — per node, per policy.
4. **You can't secure what you can't see**\
   ARGUS records trace events across your orchestrators, agents, tools, and guardrail nodes, giving you per-step observability into what each part of the workflow did and which policies fired.
5. **Latency matters in a loop**\
   Multi-step agents amplify per-call latency. Our P99 latency is **\< 80 ms** consistently under heavy load, so guarding every hop doesn't stall the agent.
6. **Framework & vendor freedom**\
   Works with **OpenAI®, Anthropic®, Google Gemini®, Mistral®, local GGUF models**, and the agent frameworks and **MCP** tooling built on top of them.

## Built for agent workflows

ARGUS models your application as a graph of typed nodes, so you can attach security to the right place in the loop:

| Node type      | What it represents in your workflow                     |
| -------------- | ------------------------------------------------------- |
| `ORCHESTRATOR` | Coordinates other nodes and drives the workflow.        |
| `AGENT`        | Performs actions or makes decisions.                    |
| `TOOL`         | A specific capability or function the agent can invoke. |
| `GUARDRAILS`   | Enforces safety and security policies.                  |

Tools, knowledge bases, databases, and **MCP clients/servers** are all first-class node subtypes. See [Enumerations](/sdk-reference/data/enums) for the full `NodeTypeEnum` and `NodeSubTypeEnum` vocabulary.

## Key capabilities at a glance

| Capability                                  | What it catches                                                                                          | Sample violation enums                          |
| ------------------------------------------- | -------------------------------------------------------------------------------------------------------- | ----------------------------------------------- |
| Jailbreak / prompt-injection detection      | "Ignore previous instructions …" attempts — from users, tools, or retrieved context                      | `PROMPT_INJECTION`, `UNSAFE_PROMPT`             |
| Toxicity & hate speech, bias & stereotyping | Harassment, slurs, threats, demographic prejudice, political bias                                        | `TOXIC_PROMPT`, `UNSAFE_PROMPT`, `UNSAFE_RESPONSE` |
| PII detection                               | Personally identifiable information in prompts or agent output (names, emails, phone numbers, IDs, etc.) | `PII_DETECTION`                                 |
| Secrets & keys leakage                      | Hardcoded secrets, API keys, and credentials in agent output                                             | `SECRETS_KEYS`                                  |
| Competitor veto                             | Mentions or defamation of specified brands                                                               | `COMPETITOR_MENTION`                            |
| Banned topics                               | Anything you blacklist (e.g. self-harm, medical)                                                         | `BANNED_TOPICS`                                 |
| System-prompt leakage                       | System prompt content leaking into agent output, scored by semantic overlap (0-1)                        | `SYSTEM_PROMPT_LEAK`                            |
| Organisation policy check                   | Violations of the policies and guidelines you have set                                                   | `POLICY_VIOLATION`                              |

For the full list of policy types and their schemas, see [Enumerations](/sdk-reference/data/enums) and [Types](/sdk-reference/data/types) in the SDK reference.

## How it fits in your stack

Instrument each node in your agent graph with the SDK, or call the API at any hop in the loop. Scan **inbound** content — user prompts, retrieved documents, tool results, and upstream-agent outputs — to stop injections and poisoned context before an agent acts on them. Scan **outbound** content — agent responses, tool arguments, and final answers — to prevent data leaks, block unsafe actions, and protect brand reputation. Every check can record a trace event, so the whole workflow stays observable.

<Tip>
  Contact us for an on-prem deployment in your Virtual Private Cloud.
</Tip>

## Supported languages & scripts

ARGUS accepts any UTF-8 string and identifies 100+ natural languages (Latin, Cyrillic, CJK, RTL, etc.).

## Performance and uptime

| Metric          | SLA / Typical                    |
| --------------- | -------------------------------- |
| **P99 latency** | \< 80 ms (all regions)           |
| **Throughput**  | 3 k req/s per tenant (burstable) |
| **Uptime**      | 99.9 % rolling 30 day            |
