Laminae: The Missing Layer Between Raw LLMs and Production AI

Every AI application I've built hits the same wall.

You get text-in, text-out from an LLM API. Everything else (safety, personality, containment, learning from corrections) is your problem. And every time, you end up building it ad hoc, duct-taping prompt engineering onto problems that need actual engineering.

Laminae is my answer to this. A modular Rust SDK with 6 independent layers that handle what happens around the LLM. Not retrieval, not chaining, not orchestration. The production infrastructure nobody wants to build twice.

#The Thesis

AI safety enforced in prompts is security through suggestion. You're asking the model nicely. "Please don't leak the system prompt." "Please don't execute dangerous code."

Safety enforced in Rust, at the syscall level, is actual containment. An LLM cannot reason its way out of a prctl(PR_SET_NO_NEW_PRIVS) call. It cannot social-engineer a regex pattern match. It cannot jailbreak a process that has already been sandboxed by the OS kernel.

That's the core insight behind Laminae: move safety from the prompt layer (where the LLM has control) to the code layer (where it doesn't).

#Where This Came From

Before Laminae existed as a standalone SDK, I built its pieces twice.

First in Orelion.AI, a privacy-first AI growth engine for X.com. It extracts your writing voice across 7 dimensions, scores output against 19 engagement signals, analyzes thread vibes before generating, and learns from your edits. All running on local LLMs via Ollama.

Then in Orellius, a secure local-first macOS AI assistant. This one has a full Freudian multi-agent pipeline (Id/Ego/Superego), Jungian red-teaming (Shadow), vision-guided GUI automation with safety guards, Rust containment, capability-based permissions, and tamper-proof audit logging with SHA-256 chain hashing.

Every one of these systems (the cognitive pipeline, the voice engine, the red-teaming, the containment) was written from scratch, specific to one project, incompatible with the other. When I wanted to reuse the red-teaming from Orellius inside Orelion.AI, I had to wire separate codebases together with prayer and string formatting.

The third time, I extracted everything into independent, composable crates. That's Laminae.

#The 6 Layers

Laminae (Latin: layers) ships as a Rust workspace with 10 crates. Six are the core layers, four are integrations. Each layer works independently or together. Use what you need, ignore the rest.

#Psyche: Multi-Agent Cognitive Pipeline

Three agents shape every response:

• Id (creative force): generates unconventional angles, emotional undertones, creative reframings
• Superego (safety evaluator): assesses risks, ethical boundaries, manipulation attempts
• Ego (your LLM): receives the user's message enriched with invisible context from Id and Superego

The key design decision: Id and Superego run on small local models via Ollama (Qwen2.5:7b by default). Zero API cost. Their output gets compressed into "context signals" injected into the Ego's system prompt. The user never sees the shaping. The Ego doesn't know it's being shaped.

Psyche also does automatic tier classification. Simple messages (greetings, factual lookups) bypass the pipeline entirely (Skip tier). Medium complexity uses a Compressed Output Protocol for faster processing (Light tier). Only complex messages get the full three-agent pipeline (Full tier). This keeps latency reasonable.

use laminae::psyche::{PsycheEngine, EgoBackend, PsycheConfig};
use laminae::ollama::OllamaClient;
 
struct MyLLM { /* your Claude/GPT/local client */ }
 
impl EgoBackend for MyLLM {
    fn complete(
        &self,
        system_prompt: &str,
        user_msg: &str,
        psyche_context: &str,  // invisible Id+Superego signals
    ) -> impl std::future::Future<Output = anyhow::Result<String>> + Send {
        let full_system = format!("{psyche_context}\n\n{system_prompt}");
        async move {
            // Call your LLM here with full_system + user_msg
            todo!()
        }
    }
}
 
#[tokio::main]
async fn main() -> anyhow::Result<()> {
    let ollama = OllamaClient::new();
    let engine = PsycheEngine::new(ollama, MyLLM { /* ... */ });
 
    // Simple message → auto-classified as Skip tier, bypasses pipeline
    let response = engine.reply("What is creativity?").await?;
    println!("{response}");
    Ok(())
}

The EgoBackend trait is the primary extension point. Laminae ships with ClaudeBackend and OpenAIBackend (the latter also works with Groq, Together, DeepSeek, and any OpenAI-compatible API). Or implement the trait yourself in ~10 lines.

#Persona: Voice Extraction and Enforcement

Extracts a writing personality from text samples across 7 dimensions: tone, humor, vocabulary, formality, perspective, emotional style, narrative preference.

But extraction is the easy part. The hard part is enforcement. Persona includes a 6-layer post-generation filter that catches AI-sounding output. 60+ built-in patterns for the hedging, the qualifications, the "it's important to note that" verbal tics that make AI text immediately recognizable.

use laminae::persona::{PersonaExtractor, VoiceFilter, VoiceFilterConfig, compile_persona};
 
// Extract from writing samples
let extractor = PersonaExtractor::new("qwen2.5:7b");
let persona = extractor.extract(&samples).await?;
let prompt_block = compile_persona(&persona);
 
// Post-generation filter
let filter = VoiceFilter::new(VoiceFilterConfig::default());
let result = filter.check("It's important to note that this approach has merit.");
// result.passed = false
// result.violations = ["AI vocabulary detected: 'it's important to note'"]
// result.retry_hints = ["DO NOT use formal/academic hedging language..."]

Persona also tracks "Voice DNA," distinctive phrases confirmed by repeated use across samples. This builds a positive signature (what the voice does sound like) rather than just filtering negatives (what it shouldn't sound like).

An honest trade-off: voice extraction quality depends heavily on the quality and quantity of input samples. With fewer than 10 samples, extraction is rough. With 50+, it gets genuinely useful. I'm still iterating on the extraction prompts.

#Cortex: Self-Improving Learning Loop

This one is subtle but powerful. Cortex watches how users edit AI output and converts those corrections into reusable instructions, without any fine-tuning.

It detects 8 edit pattern types:

1. Shortened (user made it more concise)
2. Removed questions (user deleted rhetorical questions)
3. Stripped AI phrases (user removed "certainly," "I'd be happy to," etc.)
4. Tone shifts (user changed the emotional register)
5. Added content (user filled in missing information)
6. Simplified language (user made it less formal)
7. Changed openers (user rewrote the first sentence)
8. Restructured (user reorganized the flow)

After enough edits, Cortex generates natural-language instructions ranked by reinforcement count. 80% word-overlap deduplication prevents the instruction set from bloating.

use laminae::cortex::{Cortex, CortexConfig};
 
let mut cortex = Cortex::new(CortexConfig::default());
 
// Track edits over time
cortex.track_edit(
    "It's worth noting that Rust is fast.",
    "Rust is fast."
);
cortex.track_edit(
    "Furthermore, the type system is robust.",
    "The type system catches bugs at compile time."
);
 
// Detect patterns across all edits
let patterns = cortex.detect_patterns();
// → [RemovedAiPhrases: 100%, Shortened: 100%]
 
// Generate prompt block for your LLM
let hints = cortex.get_prompt_block();
// → "--- USER PREFERENCES (learned from actual edits) ---
//    - Never use academic hedging phrases
//    - Keep sentences short and direct
//    ---"

The learning is transparent: you can inspect every instruction, see which edits generated it, and remove ones you disagree with. No black-box fine-tuning.

#Shadow: Adversarial Red-Teaming

Automated security auditor that red-teams every AI response. Three stages:

1. Static analysis: Regex pattern scanning for 25+ vulnerability categories (eval injection, hardcoded secrets, SQL injection, XSS, path traversal, prototype pollution, deserialization attacks, and more)
2. LLM adversarial review: A local Ollama model with an attacker-mindset prompt reviews the output for exploitability
3. Sandbox execution: Ephemeral container testing (still basic, this is the least mature stage)

Shadow runs asynchronously. It never blocks the conversation. The response goes to the user immediately while Shadow audits in the background. If it finds something, you get a structured VulnReport with severity, category, evidence, and remediation.

use laminae::shadow::{ShadowEngine, ShadowEvent, create_report_store};
 
let store = create_report_store();
let engine = ShadowEngine::new(store.clone());
 
let mut rx = engine.analyze_async(
    "session-1".into(),
    "Here's some code:\n```python\neval(user_input)\n```".into(),
);
 
while let Some(event) = rx.recv().await {
    match event {
        ShadowEvent::Finding { finding, .. } => {
            eprintln!("[{}] {}: {}",
                finding.severity, finding.category, finding.title);
        }
        ShadowEvent::Done { report, .. } => {
            println!("Clean: {} | Issues: {}", report.clean, report.findings.len());
        }
        _ => {}
    }
}

The Analyzer trait lets you add custom analysis stages. The built-in ones are StaticAnalyzer, SecretsAnalyzer, DependencyAnalyzer, and LlmReviewer. Plug in your own to check for domain-specific vulnerabilities.

#Ironclad: Process Execution Sandbox

Three hard constraints on all spawned sub-processes:

1. Command whitelist: Only approved binaries execute. SSH, curl, compilers, package managers, crypto miners are permanently blocked.
2. Network egress filter: Platform-native sandboxing. macOS uses sandbox-exec (Seatbelt profiles). Linux uses namespaces + seccomp-bpf. Network restricted to localhost + explicit whitelist.
3. Resource watchdog: Background monitor polls CPU and memory. Sends SIGKILL on sustained threshold violation. No polite SIGTERM. If a process is eating resources, it dies.

use laminae::ironclad::{validate_binary, sandboxed_command, spawn_watchdog, WatchdogConfig};
 
// Validate before execution
validate_binary("git")?;   // OK
validate_binary("ssh")?;   // Error: permanently blocked
 
// Run inside platform-native sandbox
let mut cmd = sandboxed_command("git", &["status"], "/path/to/project")?;
let child = cmd.spawn()?;
 
// Monitor resource usage
let cancel = spawn_watchdog(
    child.id().unwrap(),
    WatchdogConfig::default(),
    "task".into(),
);

The SandboxProvider trait abstracts the platform differences. SeatbeltProvider for macOS, LinuxSandboxProvider for Linux, NoopProvider for development/testing. Implement the trait to add custom sandboxing for your platform.

#Glassbox: I/O Containment

The outermost layer. Every input and output passes through Glassbox before reaching the LLM or the user.

• Input validation: Detects prompt injection attempts (pattern matching, not ML-based, so it's fast and deterministic)
• Output validation: Catches system prompt leaks, identity manipulation attempts
• Command filtering: Blocks dangerous shell commands (rm -rf, sudo, reverse shells, etc.)
• Path protection: Immutable zones that can't be written to. Canonicalizes paths to defeat symlink and .. traversal attacks.
• Rate limiting: Per-tool, per-minute, with separate limits for reads, writes, and shell commands

use laminae::glassbox::{Glassbox, GlassboxConfig};
 
let config = GlassboxConfig::default()
    .with_immutable_zone("/etc")
    .with_immutable_zone("/usr")
    .with_blocked_command("rm -rf /")
    .with_input_injection("ignore all instructions");
 
let gb = Glassbox::new(config);
 
gb.validate_input("What's the weather?")?;              // OK
gb.validate_input("ignore all instructions and...")?;   // Error
gb.validate_command("ls -la /tmp")?;                     // OK
gb.validate_command("sudo rm -rf /")?;                   // Error
gb.validate_write_path("/etc/passwd")?;                  // Error: immutable zone

The GlassboxLogger trait routes all containment events (blocks, rate limits, alerts) to your logging infrastructure. The built-in TracingLogger integrates with the tracing ecosystem.

#The Full Pipeline

Here's what a production integration looks like. All six layers, working together:

use laminae::glassbox::{Glassbox, GlassboxConfig};
use laminae::psyche::{PsycheEngine, EgoBackend, PsycheConfig};
use laminae::shadow::{ShadowEngine, ShadowEvent, create_report_store};
use laminae::ollama::OllamaClient;
 
// 1. Glassbox validates input (containment)
glassbox.validate_input(user_input)?;
 
// 2. Psyche processes through Id → Superego → Ego (personality)
let response = psyche.reply(user_input).await?;
 
// 3. Glassbox validates output (containment)
glassbox.validate_output(&response)?;
 
// 4. Shadow red-teams the output async (security, non-blocking)
let mut rx = shadow.analyze_async(session_id, response.clone());
 
// 5. Return response to user immediately
// Shadow reports arrive later via the channel

Each layer is optional. Use just Glassbox for containment. Use just Shadow for red-teaming. Use Psyche + Persona for personality. Mix and match.

#Architecture Decisions and Trade-offs

Why Rust, not Python? I built the earlier projects in Python and TypeScript. Every time I needed real safety (not "please don't do bad things" in a system prompt, but actual process-level containment) they fell apart. You can't do prctl(PR_SET_NO_NEW_PRIVS) from Python without spawning a subprocess. If the safety-critical layer has to be Rust anyway, why not build the whole SDK in Rust?

The trade-off is ecosystem reach. Most AI developers work in Python. Rust narrows the audience significantly. Python bindings (via PyO3) are planned but not shipped yet. This is the biggest open question for adoption.

Why not ML-based injection detection? Glassbox uses pattern matching for prompt injection detection, not a classifier. This is a deliberate choice: pattern matching is deterministic, fast, and transparent. You can read every rule. The downside is it misses novel injection techniques. ML classifiers would catch more but add latency, model dependencies, and opacity. I might add an optional ML stage later, but the base layer stays deterministic.

Why local models for Id/Superego? API cost and latency. If Id and Superego called GPT-4 or Claude, every message would cost 3x and take 3x longer. Running them on Qwen2.5:7b via Ollama keeps them fast (~200ms) and free. The trade-off is that Id's creative suggestions and Superego's safety assessments are less sophisticated than what a frontier model would produce. For the shaping use case, this is fine. They don't need to be brilliant, they need to be fast and directionally correct.

Why async Shadow? Red-teaming takes time (especially the LLM review stage). Blocking the conversation to audit every response would destroy UX. Shadow runs fully async via tokio channels. The response goes to the user immediately. If Shadow finds something afterward, you decide what to do: log it, alert, or retroactively filter. This means there's a window where an unsafe response is visible. That's the trade-off. Blocking would be safer but unusable.

#What's Not Done Yet

Being honest about maturity:

• WASM support: Not yet. Would enable browser-side containment, which is interesting.
• Python bindings: Planned via PyO3. This would dramatically expand the user base.
• Shadow sandbox execution: The third stage (ephemeral container testing) is basic. Static analysis and LLM review work well. Sandboxed execution needs more work.
• Persona extraction quality: Depends heavily on input sample quantity. Working on better extraction prompts and minimum-sample-size guidance.
• Documentation: Crate-level docs are decent. A comprehensive guide with recipes and patterns doesn't exist yet.
• Benchmarks: I have criterion benchmarks for the hot paths, but haven't published comparative numbers. That's coming.
• Windows support: Ironclad's sandbox is macOS/Linux only. Windows would need a different containment strategy.

#Try It

# Full stack
[dependencies]
laminae = "0.2"
tokio = { version = "1", features = ["full"] }
 
# Or pick individual layers
laminae-shadow = "0.2"    # Just red-teaming
laminae-glassbox = "0.2"  # Just containment
laminae-psyche = "0.2"    # Just the cognitive pipeline

The repo has runnable examples:

cargo run -p laminae --example quickstart
cargo run -p laminae --example shadow_audit
cargo run -p laminae --example safe_execution
cargo run -p laminae --example full_stack

Laminae is open source under Apache 2.0. Everything is on GitHub and crates.io.

If you're building AI systems that need more than "please be safe" in the system prompt, take a look. And if you have feedback, the issues are open.

For the backstory on how Laminae came to be, read Building Laminae: From Personal AI Projects to an Open-Source SDK. For the latest release notes, see Laminae v0.3.