# telemetry

## Event metadata (fleet sensors)

Every mask, MCP enforcement, and ingress proxy call can include:

| Header / field | Example | Purpose |
|----------------|---------|---------|
| `x-blekline-client-surface` | `cursor` | Which client initiated the call |
| `x-blekline-model-provider` | `anthropic` | Model vendor |
| `x-blekline-model-id` | `claude-sonnet-4-20250514` | Model version |
| `mcpToolName` | `write_file` | Tool under governance |
| `downstreamServer` | `daytona` | Sandbox target |

Stored in workspace events as `sensorMetadata` (metadata-only — no prompt bodies in default event ingest).

## Policy stream

`GET /api/workspace/policy-stream` emits SSE:

- `policy` — full snapshot when revision changes
- `heartbeat` — keep-alive every 4s

Revision is SHA-256 of `{ mcpToolPolicy, redactionProfile }`.

## OpenTelemetry (hooks)

Recommended export labels:

```
blekline.ingress.action=mask|block|allow
blekline.client.surface=cursor
blekline.model.provider=openai
blekline.entities.masked=3
```

Wire OTel in your sidecar or agent runtime; Blekline control plane emits structured audit rows via `appendAudit`.

## Rate limits

Adaptive limits via Upstash Redis (`lib/server/rate-limit.ts`). Keys:

- `api:mask`
- `api:mcp:enforce-tool-call:post`
- `api:ingress:openai:post`
- `api:ingress:anthropic:post`

## SIEM

Forward audit + high-risk events with `/api/integrations/siem` (Pro+).

---

**Next steps:** [AI Enablement Stack](/docs/introduction/ai-enablement-stack) · [Telemetry spec](/docs/reference/telemetry-spec) · [Trust boundaries](/docs/security/trust-boundaries) · [Open workspace](https://app.blekline.com) · [Report issue](https://github.com/Blekline/blekline-oss/issues/new?template=bug_report.yml)