Most observability tools (Sentry, Datadog, LangSmith) capture everything by default. The operator’s database ends up storing your raw prompts, file paths, and accidental credentials. Voight inverts that: you choose what leaves your machine, and the dashboard tells you, per event, what was captured.

The 3 levels

Minimal

Metadata only — tool names, timing, outcomes, token counts, USD cost. No prompts, responses, file paths, cwd, git context.
Best for: regulated workflows, maximum privacy, agents handling sensitive customer data.

Standard ★

Everything that Full captures, but every string is run through local PII scrubbing before transmission. Credentials, emails, JWTs, credit cards, PEM blocks, and phone numbers are redacted on your machine.
Best for: most developers. The default recommendation.

Full

Everything as-is. No filtering. Backwards-compat default for users on SDK ≤0.3.10 who haven’t re-run setup.
Best for: solo dev / personal sandbox / max debug detail.

What’s captured at each level

| Category | Minimal | Standard | Full |
| --- | --- | --- | --- |
| Tool names | | | |
| Tokens (counts) | | | |
| USD spend | | | |
| Model name | | | |
| Outcome / duration | | | |
| Throughput / charts | | | |
| Bash commands | | ✓ scrub | ✓ raw |
| File paths | | ✓ scrub | ✓ raw |
| User prompts | | ✓ scrub | ✓ raw |
| Agent responses | | ✓ scrub | ✓ raw |
| Thinking blocks | | ✓ scrub | ✓ raw |
| Error messages | | ✓ scrub | ✓ raw |
| Git branch / remote / sha | | | |
| Cwd path | | | |
| API keys / secrets | n/a | ✗ scrubbed | ⚠️ raw |

Token counts, USD spend, model names, latency, outcomes, and tool names pass through every level unchanged — these are numeric or tag data with no PII risk. The dashboard’s KPIs and charts work identically regardless of which level you pick. Privacy controls shouldn’t break observability for the metrics that matter most.

How it works under the hood

The SDK runs the privacy filter before the HTTP request leaves your machine:
your IDE → SDK hook subprocess → applyPrivacy(payload, level) → POST /v1/events

                              all the redacting / dropping
                              happens here, on your computer
Three things happen:
  1. resolvePrivacyLevel() reads VOIGHT_PRIVACY env var (set by settings.json) and returns one of minimal | standard | full. Defaults to full if unset (backwards-compat).
  2. applyPrivacy(payload, level) transforms the event based on the level:
    • full — passthrough + stamp metadata.privacyLevel: 'full'
    • minimal — rebuild payload from an allowlist of safe fields (tool name, tokens, outcome, duration), drop everything else
    • standard — deep-walk every string and run scrubPii() over each
  3. Every event ships with metadata.privacyLevel so the dashboard can render a per-event chip — your audit trail that scrubbing happened.
The implementation is in voight-sdk/src/privacy.ts.
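
The three steps above, sketched as an added example; this is not the code in voight-sdk/src/privacy.ts. The two regex patterns, the allowlist field names, the sample event, and the fail-closed handling of an unrecognised VOIGHT_PRIVACY value are all assumptions made for illustration.

```typescript
type Level = "minimal" | "standard" | "full";
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
type Evt = { [k: string]: Json };
// Illustrative patterns only (assumption); not the SDK's actual pattern list.
const PATTERNS: [RegExp, string][] = [
  [/\beyJ[\w-]+\.[\w-]+\.[\w-]+/g, "[JWT]"],
  [/[\w.+-]+@[\w-]+(\.[\w-]+)+/g, "[EMAIL]"],
];
// Hypothetical allowlist for "minimal"; the real field names are not on the page.
const SAFE_FIELDS = ["tool", "tokens", "outcome", "durationMs"];

function resolvePrivacyLevel(env: { [k: string]: string | undefined }): Level {
  const v = env["VOIGHT_PRIVACY"];
  if (v === undefined || v === "") return "full"; // unset -> full, as documented
  if (v === "minimal" || v === "standard" || v === "full") return v;
  return "minimal"; // assumption: an unrecognised value fails closed
}
function scrubPii(s: string): string {
  return PATTERNS.reduce((acc, [re, tag]) => acc.replace(re, tag), s);
}

// Deep-walk: scrub every string value, recursing through arrays and objects.
function deepScrub(v: Json): Json {
  if (typeof v === "string") return scrubPii(v);
  if (Array.isArray(v)) return v.map((x) => deepScrub(x));
  if (v !== null && typeof v === "object") {
    const out: Evt = {};
    for (const k of Object.keys(v)) out[k] = deepScrub(v[k]);
    return out;
  }
  return v;
}

function applyPrivacy(payload: Evt, level: Level): Evt {
  let body: Evt = {};
  if (level === "full") body = { ...payload };
  else if (level === "standard") body = deepScrub(payload) as Evt;
  else for (const k of SAFE_FIELDS) if (k in payload) body[k] = payload[k];
  const m = body["metadata"];
  const meta = m !== null && typeof m === "object" && !Array.isArray(m) ? m : {};
  return { ...body, metadata: { ...meta, privacyLevel: level } };
}

// Constructed sample event; every value is made up for this example.
const SAMPLE: Evt = {
  tool: "Bash", tokens: 412, outcome: "ok", durationMs: 90,
  command: "curl -H 'Authorization: Bearer eyJhbGciOi.eyJzdWIiOi.c2lnbmF0dXJl' https://api.example.test",
  prompt: "mail the report to alice@example.com", cwd: "/home/alice/project",
};
```

With these two patterns, `applyPrivacy(SAMPLE, "standard")` redacts the bearer token and the email but leaves `cwd` untouched because nothing matches it, while `"minimal"` drops `command`, `prompt` and `cwd` entirely.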

Picking your level

npx -y @voightxyz/sdk setup
The wizard prompts you on every install. Switch any time by re-running:
npx -y @voightxyz/sdk setup --privacy=minimal
npx -y @voightxyz/sdk setup --privacy=standard
npx -y @voightxyz/sdk setup --privacy=full
Or override per-session via env var:
VOIGHT_PRIVACY=minimal claude  # or 'standard' / 'full'
The level lives in ~/.claude/settings.json (env.VOIGHT_PRIVACY).

Per-event chips in the dashboard

Open any event in the dashboard and you’ll see a privacy chip next to the event-kind tag:
  • MIN (green) — metadata-only capture
  • STD (blue) — full content + PII scrubbing applied
  • FULL (amber) — raw capture
Hover the chip for a tooltip explaining what was kept / dropped / redacted. Useful when you change your level mid-project: old events keep their original chip, new ones get the new chip. The audit trail is verifiable on each row.

Honest disclosure

A few things the privacy model doesn’t do, by design:
  • It doesn’t prevent the operator from seeing data once it’s transmitted. Standard mode scrubs PII on your machine, but the operator still receives whatever’s left. If that’s not acceptable for your use case, pick Minimal.
  • It doesn’t encrypt event content end-to-end. The transport is TLS to our backend; storage is plaintext in Postgres. End-to-end encryption with user-managed keys is on the v0.2 enterprise roadmap (Umbra integration).
  • It doesn’t enforce server-side quotas yet — pricing tier limits are advisory today, enforced server-side starting v1.0 when Stripe billing lands.

Backwards compatibility

Users on SDK ≤0.3.10 default to Full (= original behaviour). No silent privacy upgrade — switching levels requires re-running the setup wizard explicitly. We did this deliberately to avoid the trust-eroding “we just scrubbed your API key without telling you” scenario. Existing settings.json files keep working unchanged. The VOIGHT_PRIVACY field is additive.

Next

PII patterns

The full list of 12 patterns + Luhn-validated card detection, with examples.

Data handling

Where data lives, who can access it, retention policies, deletion flow.