Add ML-based prompt injection detection

[dorien-koelemeijer]

Summary

This PR adds BERT model prompt injection evaluation alongside the existing pattern-based approach.

Context

https://docs.google.com/document/d/1GNvriNWLAaJUMpWE1heBapxFshQEED5ZYfn1ixJvGCE/edit?tab=t.0#heading=h.rj4p6llxqvrq

Key Changes

• Updated PromptInjectionScanner to support both pattern-based + ML-based scanning, using the highest confidence score from either method to determine threats. ML-based scanning also looks at recent user messages in addition to tool call content.
• Added ClassificationClient - Generic HTTP client that is compatible with HuggingFace's text classification API, supporting both internal users (Gondola hosted BERT models) and external/oss users (direct endpoints, such as using the hugging face API). The ML inference team is creating an additional wrapper endpoint that allows us to use their BatchInfer API with the same inputs and outputs as the Hugging Face text classification API.
• Updated UI settings to allow users to configure what models to use if they decide to enable ML-based prompt injection detection. Have included BERT in the name of the variables so we can create a follow-up PR to also allow LLM-as-a-judge type prompt injection detection by re-using people's providers, and hopefully prevent confusing names of variables.

Planned follow-up PRs / Related PRs

• Add a bunch of variables to goose-releases (will open PR shortly)
• Re-use provider to do ML-based prompt injection detection rather than users requiring setup of the BERT models (mostly for oss/external users)
• Provide reference implementation for users who want to run their BERT models locally (I've already prepared this but didn't want to make this PR super huge + I am not sure where best to store this info in the repo)
• Waiting for this PR to get merged: https://github.com/squareup/gondola/pull/1085

Type of Change

• Feature
• Bug fix
• Refactor / Code quality
• Performance improvement
• Documentation
• Tests
• Security fix
• Build / Release
• Other (specify below)

Screenshots of changes

Internal:

External:

[Copilot]

Pull Request Overview

This PR standardizes security configuration keys from snake_case to UPPER_CASE convention and introduces ML-based prompt injection detection using BERT models through a new Gondola provider. The changes enable more accurate security threat detection while maintaining backward compatibility through pattern-based scanning as a fallback.

Key changes:

• Configuration key standardization: security_prompt_* → SECURITY_PROMPT_*
• New ML detection infrastructure with Gondola provider for BERT-based model inference
• Enhanced scanner to combine pattern-based and ML-based detection results

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
ui/desktop/src/utils/configUtils.ts	Updated config labels to use new UPPER_CASE keys and added ML detection settings
ui/desktop/src/components/settings/security/SecurityToggle.tsx	Added ML detection toggle UI with model selection dropdown
documentation/docs/guides/security/prompt-injection-detection.md	Updated config examples to use new UPPER_CASE keys
documentation/docs/guides/config-files.md	Updated configuration reference table with new ML detection settings and standardized keys
crates/goose/src/security/scanner.rs	Refactored to support optional ML detection, enhanced conversation context scanning, and simplified tool content extraction
crates/goose/src/security/prompt_ml_detector.rs	New ML detector implementation with model registry and Gondola provider integration
crates/goose/src/security/mod.rs	Updated to initialize scanner with ML detection when enabled and handle fallback scenarios
crates/goose/src/providers/mod.rs	Added gondola module to provider list
crates/goose/src/providers/gondola.rs	New Gondola provider implementation for batch inference with BERT models

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

PR Preview Action v1.6.3
Preview removed because the pull request was closed.
2026-01-08 01:59 UTC

[Copilot]

Pull Request Overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.

[Copilot]

Pull Request Overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

[Copilot]

The classification_client module has no test coverage. Consider adding unit tests for the ClassificationClient, especially for critical paths like softmax normalization, error handling for malformed responses, and label interpretation logic.

[DOsinga]

yeah, I understand, but we should write the documentation for the OSS people. I would just drop anything after ", making"

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

[Copilot]

The info box about AutoPilot configuration appears to be incorrectly placed here, as it's unrelated to the security configuration settings being documented. This content should either be moved to the appropriate section about multi-model configuration or removed from this location.

Suggested change

	:::info Automatic Multi-Model Configuration
	The experimental [AutoPilot](/docs/guides/multi-model/autopilot) feature provides intelligent, context-aware model switching. Configure models for different roles using the `x-advanced-models` setting.
	:::

[Copilot]

The concurrent message scanning could create a performance bottleneck when processing 10 user messages with concurrent HTTP requests. The ML_SCAN_CONCURRENCY of 3 means up to 3 simultaneous HTTP requests, but if each request takes 5 seconds (the default timeout), this could add up to 17 seconds in the worst case for tool execution. Consider adding a circuit breaker or reducing the timeout for conversation scans specifically, or making the scan asynchronous to avoid blocking tool execution.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

[dianed-square]

@dorien-koelemeijer Can you please revert the changes to this existing topic for now? Otherwise the docs will go out before this feature is available in a release.

We'll add them back in after the feature is released (except the note below because autopilot has been removed)

[dorien-koelemeijer]

Thanks for the comments! Do you mean it's best to revert all changes to this file for now?

[dianed-square]

Suggested change

	# Classification API Specification
	---
	title: Classification API Specification
	unlisted: true
	---

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

[Copilot]

The reference to "Goose" should be lowercase "goose" according to the project naming convention documented in HOWTOAI.md.

[Copilot]

The reference to "Goose" should be lowercase "goose" according to the project naming convention documented in HOWTOAI.md.

[Copilot]

The reference to "Goose" should be lowercase "goose" according to the project naming convention documented in HOWTOAI.md.

[dianed-square]

Thanks!