Use this page when you want to configure the built-in NeMo Guardrails plugin
component. The component kind is nemo_guardrails.
The current shipped user-facing backend is mode = "remote". local remains
part of the config model, but it is not yet a finished user-facing backend.
For plugin file discovery, precedence, merge behavior, editor controls, and gateway conflict rules, see Plugin Configuration Files.
NeMo Relay plugin configuration uses the generic plugin document shape, so
field names stay snake_case in every binding and in plugins.toml.
The top-level NeMo Guardrails object contains:
At least one managed Guardrails surface must be enabled.
The current built-in remote backend supports:
To use mode = "remote", the configured remote.endpoint must point at a
Guardrails service that NeMo Relay can reach from the running process and that
exposes the Guardrails remote HTTP(S) contract.
The NeMo Relay plugin config activates Guardrails integration, but the Guardrails service still owns the actual policy content. In practice, NeMo Relay decides when managed checks run, while the Guardrails config decides what to block, allow, or rewrite.
plugins.toml ExampleThis example configures the built-in remote backend for a Guardrails service
that uses codec = "openai_chat", managed LLM input and output, managed
tool_output, and request-default pass-through for backend context plus
backend input and output rail selection.
In that setup, the NeMo Relay plugin chose the managed surfaces to wrap, while the Guardrails config defined the actual blocking policy, such as rejecting secret-seeking prompts, bypass attempts, specific blocked tokens, or private-key-like output.
For example, the Guardrails-side policy can look like this:
This Guardrails-side config defines the policy logic. The NeMo Relay plugin config decides when those checks run.
When mode = "remote":
remote.endpoint is required.remote.config_id or remote.config_ids is required.config_path, config_yaml, and colang_content cannot be present.local settings cannot be present.The current built-in remote backend supports managed LLM execution only with:
openai_chatThe current remote backend supports managed tool_output.
The current remote backend rejects managed tool_input explicitly because the
stock Guardrails remote contract does not activate pre-execution tool-call
rails from externally submitted /v1/chat/completions history. NeMo Relay
rejects tool_input in remote mode rather than leaving a silent
non-enforcing path.
request_defaults lets the built-in plugin pass request-time semantics through
to the selected backend.
Supported request-default fields are:
contextthread_idstaterailsllm_paramsllm_outputoutput_varslogThese are backend request options, not additional NeMo Relay-managed execution surfaces.
This includes fields whose names overlap with top-level managed surfaces:
The rails section can include:
inputoutputretrievaldialogtool_outputtool_inputThose values are forwarded to the backend as request semantics. They do not
mean NeMo Relay owns separate managed retrieval or dialog execution surfaces.
dialog and retrieval are pass-through request options only. Likewise,
request_defaults.rails.tool_input is only a backend pass-through selector. It
does not make managed remote tool_input supported in the stock-remote lane.
For more targeted request-time pass-through, the remote backend also forwards selectors like these:
This richer selector shape demonstrates how request-time Guardrails semantics can be forwarded even when NeMo Relay does not own a separate native managed surface for that category.
The current remote backend emits coarse backend-level marks for remote Guardrails activity:
nemo_guardrails.remote.startnemo_guardrails.remote.endnemo_guardrails.remote.errorThese marks cover managed LLM remote execution and managed tool-result checks.