Palisade: A Composable Edge Guardrails Platform for ADC AI Solutions
Local mirror of Confluence page
[Design Doc] Palisade: Composable Edge Guardrails Platform for ADC AI Solutions.Confluence page ID:
6018957455Parent folder ID:6018662571Remote version:3Last remote update:2026-06-16T13:37:43.937Z
Status
Draft for review.
Context
Every AI application ADC ships needs two guardrail layers:
- A standard layer for safety categories such as violence, sexual content, self-harm, and PII leakage.
- A bespoke layer specific to the use case, such as Libre Assist checks for food scope, drug references, medical advice, brand mentions, hallucination markers, and tone violations.
Today, this logic lives inside individual applications. That works for one app, but it does not scale to a portfolio because each new AI app reimplements similar checks, validation evidence remains app-specific, checks may add cross-region latency, and guardrail activity is not visible in one shared operational view.
Palisade proposes a shared guardrails platform built on the Cloudflare developer platform, running policy enforcement at the edge, close to users.
Goals
- Provide one reusable guardrails platform for many ADC AI applications.
- Compose a validated base policy with bounded app-specific extensions.
- Support remediation, not only rejection.
- Run enforcement close to users using Cloudflare Workers, Workers AI, AI Gateway, and related platform services.
- Support streaming output enforcement.
- Reuse validation evidence across apps and module versions.
- Design for PHI-capable operation from day one.
- Provide a locked-down developer and DevOps dashboard.
- Use OpenTelemetry for metrics, traces, and logs.
Non-Goals
- Palisade is not a model-quality or offline evaluation platform.
- Palisade is not an LLM orchestration framework.
- Palisade is not a replacement for clinical or regulatory review.
- Palisade is not multi-cloud active-active at launch.
- Palisade is not an end-user-facing product.
System Overview
Palisade is an edge enforcement plane with two integration surfaces:
- Proxy surface: an OpenAI-compatible endpoint that apps can call instead of calling model providers directly.
- Check API surface: explicit
/v1/checkand/v1/remediatecalls for custom app flows.
Both surfaces resolve to the same policy engine and per-app policy profile.
Requirements
| Requirement | Priority |
|---|---|
| Standard safety categories on input and output | P0 |
| Per-app custom deterministic and AI-based rules | P0 |
| Tiered remediation with bounded retry | P0 |
| Composable, versioned, auditable policy profiles | P0 |
| Streaming output enforcement | P0 |
| PHI-capable handling, redaction, telemetry hygiene, and regional controls | P0 |
| OpenTelemetry metrics, traces, and logs | P0 |
| Dashboard behind SSO/Zero Trust with RBAC and audit trail | P0 |
| Shadow mode for safe rollout | P0 |
| Module reuse with inherited validation evidence | P1 |
| Portability escape hatch for a container runtime | P1 |
| Multi-turn/session-aware checks | P2 |
| Cost per request visible per app | P1 |
Design Principles
- Deterministic checks run before AI checks.
- The validated base policy is mandatory.
- Modules, prompts, model IDs, and profiles are immutable once published.
- Validation evidence travels with module versions.
- Prompt and response content is treated as sensitive and excluded from general telemetry.
- Portability comes from a pure core policy engine and thin platform adapters.
Rollout Phases
- Foundation: core engine, Cloudflare adapter, base catalog, profile compiler, Check API, OpenTelemetry export, and a read-only dashboard.
- Libre Assist parity: port Libre Assist rules, add proxy support, add remediation, and run shadow-mode comparisons.
- Enforcement: canary and full enforcement for Libre Assist, dashboard write paths, RBAC, and approvals.
- Platformization: onboard a second app, expand streaming support, add session checks, and keep the container adapter validated.
Risks
- Workers AI latency or availability regressions.
- Judge false positives that degrade user experience.
- Profile drift across teams.
- Residual streaming risk when content is streamed before final checks complete.
- BAA coverage gaps for specific Cloudflare products.
- Observability gaps while Cloudflare OTLP support matures.
- Platform team bottlenecks if profile and module workflows are too manual.
Open Questions
- Which Cloudflare products are covered services under the enterprise BAA?
- Which OTLP backend should ADC standardize on for this platform?
- Should the judge model pool stay with Mistral for continuity or be re-baselined?
- What audit retention period is required?
- When should ownership transfer from innovation to a production platform team?
- How deep should image guardrails go for the first pilot?
- Which app needs multi-turn/session-aware checks first?
References
- Cloudflare AI Gateway guardrails
- Cloudflare AI Gateway dynamic routing and BYOK
- Cloudflare Workers OpenTelemetry export
- Cloudflare Data Localization Suite
- Cloudflare HIPAA/BAA material
- Libre Assist internal demos and current guardrail architecture