Skip to content

airblackbox/otel-prompt-vault

BranchesTags

Repository files navigation

prompt-vault-processor

CI License Go

An OpenTelemetry Collector processor that offloads LLM prompt and completion content to a secure vault, replacing sensitive data in traces with vault references.

Why

Traces should contain references, not content. This processor:

  1. Intercepts spans with LLM prompt/completion attributes
  2. Writes the content to a storage backend (filesystem or S3)
  3. Replaces the attribute value with a vault:// reference
  4. Downstream systems see references, never raw content

Configuration

processors:
  promptvault:
    storage:
      backend: filesystem
      filesystem:
        base_path: /data/vault
    vault:
      keys:
        - gen_ai.prompt
        - gen_ai.completion
        - gen_ai.system_instructions
      size_threshold: 0        # 0 = vault everything
      mode: replace_with_ref   # or "remove"

Modes

Mode Behavior
replace_with_ref Replaces content with vault://sha256hash
remove Removes the attribute entirely, adds .vault_ref attribute

Part of the AIR Platform

This processor is one component of the AIR Blackbox Gateway collector pipeline.

License

Apache-2.0

About

OpenTelemetry Collector processor that offloads sensitive GenAI content to external storage, leaving structured references in traces. Privacy-by-default for LLM observability.

Topics

go privacy encryption ai vault opentelemetry otel-collector llm

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

3 tags

Packages

 
 
 

Contributors

Languages