Bauxite Intercept
A zero-latency layer for intercepting LLM traffic and stripping PII in real time.
Bauxite Intercept sits between your application and LLM providers, enforcing in-flight redaction, fixed memory limits, and zero-persistence guarantees—without requiring changes to your application code.
Architecture Overview
Bauxite operates as an inline interception layer, processing requests and responses as they stream.
Core Concepts
Streaming Redaction
Sensitive data is detected and replaced with placeholders during request streaming, then restored during response streaming.
- No full-request buffering
- In-memory, TTL-bound mappings
- Single-pass processing
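A minimal sketch of the placeholder-and-restore flow described above, added here as an illustration and not Bauxite's own code. The `StreamRedactor` class, the `<PII_n>` placeholder format, the email-only pattern and the 256-character holdback are all assumptions.

```python
import re
import time

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")  # constructed PII pattern
TOKEN = re.compile(r"<PII_\d+>")                     # assumed placeholder format
MAX_HOLD = 256  # bound on carried-over text, so the full request is never buffered


class StreamRedactor:
    """Hypothetical sketch: the mapping lives only in memory and expires by TTL."""

    def __init__(self, ttl=60.0, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self.count = 0
        self.vault = {}  # placeholder -> (original value, expiry time)

    def _swap_in(self, m):
        self.count += 1
        key = f"<PII_{self.count}>"
        self.vault[key] = (m.group(0), self.clock() + self.ttl)
        return key

    def _swap_out(self, m):
        value, expiry = self.vault.get(m.group(0), (None, 0.0))
        if value is None or self.clock() >= expiry:
            self.vault.pop(m.group(0), None)  # expired: drop the stored value
            return m.group(0)                 # and leave the placeholder as is
        return value

    def _stream(self, chunks, pattern, repl):
        tail = ""
        for chunk in chunks:
            buf = tail + chunk
            # Emit up to the last whitespace; a token split across two chunks
            # waits in `tail` until the rest of it arrives.
            cut = max(buf.rfind(" "), buf.rfind("\n")) + 1
            if len(buf) - cut > MAX_HOLD:
                cut = len(buf)  # oversized token: flush instead of growing
            tail = buf[cut:]
            if cut:
                yield pattern.sub(repl, buf[:cut])
        if tail:
            yield pattern.sub(repl, tail)

    def redact(self, chunks):   # request direction: PII -> placeholder
        return self._stream(chunks, EMAIL, self._swap_in)

    def restore(self, chunks):  # response direction: placeholder -> PII
        return self._stream(chunks, TOKEN, self._swap_out)
```

Both directions share the same bounded holdback, which is what lets a value or placeholder split across chunk boundaries still be matched without buffering the whole stream.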
Zero-Trust Execution
When enabled, Bauxite guarantees:
- No disk writes
- No persistence of sensitive data
- No external telemetry
Fixed-Heap Isolation
Bauxite enforces a strict memory boundary:
- Requests exceeding limits are rejected (507 Insufficient Storage)
- Predictable memory usage under load
- No OOM-induced crashes
Observability
Built-in metrics and logging:
- Token usage per request
- Cost estimation
- Latency breakdowns
Deployment Modes
Bauxite supports multiple deployment patterns without changing behavior.
Local Development
Run Intercept locally and point your SDK to it.
docker run -p 9090:9090 bauxite/intercept
export OPENAI_BASE_URL="http://localhost:9090/v1"
Sidecar (Recommended)
Deploy alongside your service to enforce boundaries at the source.
Centralized Layer
Run as shared infrastructure for policy enforcement and observability across services.
Feature Overview
| Feature | Core | Enterprise |
|---|---|---|
| PII Detection & Redaction | ||
| Streaming Proxying | ||
| Fixed Memory Limits | ||
| Zero-Trust Mode | ||
| KV-Aware Routing | ||
| Advanced Optimization |
Navigate the Docs
Security & Architecture
- Straitjacket (memory isolation model)
- Streaming redaction internals
- Zero-trust mode
Deployment
- Local setup
- Sidecar pattern
- Centralized routing
Performance & Scaling
- KV-aware routing
- Cache coordination
- Cost optimization
Quick Start
docker run -p 9090:9090 bauxite/intercept
export OPENAI_BASE_URL="http://localhost:9090/v1"
Summary
Bauxite Intercept provides a deterministic control layer for LLM traffic:
- Intercepts every request
- Removes sensitive data in real time
- Operates within strict resource bounds