Most observability tools capture everything by default and store it on the operator’s server. Voight inverts that: you pick the capture level on install, the SDK runs the filter on your machine before any HTTP request leaves it, and every event ships with a chip showing which level captured it.

Capture levels

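| Category | Minimal | Standard | Full |
|---|---|---|---|
| Tool names | | | |
| Tokens (counts) | | | |
| USD spend | | | |
| Model name | | | |
| Outcome / duration | | | |
| Throughput / charts | | | |
| Bash commands | | ✓ scrub | ✓ raw |
| File paths | | ✓ scrub | ✓ raw |
| User prompts | | ✓ scrub | ✓ raw |
| Agent responses | | ✓ scrub | ✓ raw |
| Thinking blocks | | ✓ scrub | ✓ raw |
| Error messages | | ✓ scrub | ✓ raw |
| Git branch / remote / sha | | | |
| Cwd path | | | |
| API keys / secrets | n/a | ✗ scrubbed | ⚠️ raw |
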
Numeric and tag data — tokens, USD, model name, latency, outcomes, tool names — pass through every level unchanged. Dashboard KPIs and charts work identically regardless of which level you pick.

How the filter runs

  1. resolvePrivacyLevel() reads VOIGHT_PRIVACY (set in settings.json or env) and returns minimal | standard | full. Defaults to full for SDK ≤0.3.10 (backwards compat).
  2. applyPrivacy(payload, level) transforms the event:
    • full — passthrough; stamps metadata.privacyLevel: 'full'
    • minimal — rebuild from an allowlist of safe fields (tool name, tokens, outcome, duration); drop everything else
    • standard — deep-walk every string and run scrubPii() over each
  3. Every event ships metadata.privacyLevel so the dashboard can render a per-event chip — your audit trail that scrubbing happened.
The filter runs in the SDK subprocess on your machine, before the HTTP request leaves it. Source: voight-sdk/src/privacy.ts.
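
A sketch of the three-level filter described in the steps above, added here as an illustration; it is not the code in voight-sdk/src/privacy.ts. The event field names, the single key-like pattern standing in for scrubPii(), and the fail-closed handling of an unrecognised VOIGHT_PRIVACY value are assumptions of this example.

```typescript
type PrivacyLevel = "minimal" | "standard" | "full";
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
type VoightEvent = { [key: string]: Json };
// Assumed field names; the page names the allowlisted categories only.
const MINIMAL_ALLOWLIST = ["toolName", "tokens", "outcome", "durationMs"];

// Stand-in for scrubPii(): one constructed key-like pattern, not the SDK's pattern set.
function scrubPii(text: string): string {
  return text.replace(/\bsk-[A-Za-z0-9]{16,}\b/g, "[REDACTED]");
}

function resolvePrivacyLevel(env: { [key: string]: string | undefined }): PrivacyLevel {
  const raw = env["VOIGHT_PRIVACY"];
  if (raw === undefined || raw === "") return "full"; // unset: default the page gives for SDK <=0.3.10
  if (raw === "minimal" || raw === "standard" || raw === "full") return raw;
  return "minimal"; // assumption of this sketch: a typo must not fall back to raw capture
}

// Visit every string at any depth; numbers, booleans and null pass through unchanged.
function deepScrub(value: Json): Json {
  if (typeof value === "string") return scrubPii(value);
  if (Array.isArray(value)) return value.map((item) => deepScrub(item));
  if (value !== null && typeof value === "object") {
    const out: VoightEvent = {};
    for (const key of Object.keys(value)) out[key] = deepScrub(value[key]);
    return out;
  }
  return value;
}

function applyPrivacy(payload: VoightEvent, level: PrivacyLevel): VoightEvent {
  let out: VoightEvent = { ...payload }; // full: passthrough copy
  if (level === "standard") out = deepScrub(payload) as VoightEvent;
  if (level === "minimal") {
    out = {}; // rebuild from the allowlist rather than deleting known-sensitive keys
    for (const key of MINIMAL_ALLOWLIST) if (key in payload) out[key] = payload[key];
  }
  const prior = out["metadata"];
  const meta: VoightEvent =
    prior !== null && typeof prior === "object" && !Array.isArray(prior) ? prior : {};
  out["metadata"] = { ...meta, privacyLevel: level }; // audit stamp carried by every event
  return out;
}

// Constructed sample event (not real data).
const sampleEvent: VoightEvent = {
  toolName: "Bash", tokens: 1532, outcome: "success", durationMs: 840,
  toolInput: { command: "export API_KEY=sk-EXAMPLEEXAMPLEEXAMPLE00", args: ["sk-EXAMPLEEXAMPLEEXAMPLE00"] },
};
console.log(JSON.stringify(applyPrivacy(sampleEvent, resolvePrivacyLevel({ VOIGHT_PRIVACY: "standard" }))));
```

Because the minimal branch copies only allowlisted keys, a field added to the payload later is dropped by default instead of leaking until someone remembers to block it.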

Picking your level

The setup wizard prompts you on install:
npx -y @voightxyz/sdk setup
Switch any time:
npx -y @voightxyz/sdk setup --privacy=minimal
npx -y @voightxyz/sdk setup --privacy=standard
npx -y @voightxyz/sdk setup --privacy=full
Or override per-session via env var:
VOIGHT_PRIVACY=minimal claude   # or 'standard' / 'full'
The level lives in ~/.claude/settings.json under env.VOIGHT_PRIVACY.

Per-event audit chips

Each event in the dashboard carries a chip next to its kind tag:
  • MIN — metadata-only capture
  • STD — full content + PII scrubbing applied
  • FULL — raw capture
Hover for a tooltip listing what was kept, dropped, or redacted. Changing your level mid-project doesn’t rewrite history — old events keep their original chip, new ones get the new chip.

Limitations

By design, the privacy model does not:
  • Prevent the operator from seeing data once transmitted. Standard mode scrubs PII on your machine, but the operator still receives whatever’s left. If that’s not acceptable, pick Minimal.
  • Encrypt event content end-to-end. Transport is TLS; storage is plaintext in Postgres. E2E with user-managed keys is on the v0.2 roadmap (Umbra integration).
  • Enforce server-side quotas. Pricing tier limits are advisory today; enforced server-side starting v1.0 when Stripe billing lands.

Backwards compatibility

SDK ≤0.3.10 defaults to Full (original behaviour). No silent privacy upgrade — switching levels requires re-running setup explicitly. Done deliberately to avoid the trust-eroding “we just scrubbed your API key without telling you” scenario. Existing settings.json files keep working unchanged. The VOIGHT_PRIVACY field is additive.

Next

  • PII patterns — the 12 patterns and Luhn-validated card detection used by Standard
  • Data handling — where data lives, who can access it, retention, deletion