Introduction
How Tailrace governs agent data flows in-process - detect, policy, apply, audit, and restore at egress.
Tailrace is agent data governance for TypeScript. It sits inside your process at model, tool, and MCP boundaries - detecting secrets and PII, applying policy, and restoring tokenized values only where you trust.
No proxy. No sidecar. No required network call on the request hot path.
1// User message → model boundary (out)2const prompt = `3 Email billing@example.com4 Key sk_test_…FAKE5`;Agent prompt crosses the model boundary
The pipeline
Every check follows the same path:
- Input: A string or JSON object crosses a boundary (model prompt, tool args, MCP payload).
- Detect: Tier 0 recognizers find entity spans with JSON-pointer paths.
- Policy resolve: For each span:
entity × boundary × identity → action. - Apply:
blockthrows ·tokenizewrites the vault ·maskreplaces inline ·allowpasses through. - Audit: Async emit with rule path and content hash; never raw values.
Restore is separate: tailrace.restore() runs only at { kind: "egress", sink } boundaries. Calling restore at a model or tool boundary throws - by design.
Default policy
createTailrace() with no arguments:
| Entity | Action |
|---|---|
Secrets (api_key, jwt, private_key, …) | block |
| Email, phone, credit card, IBAN, SSN | tokenize |
| IP address | allow |
Egress sinks (egress:*) | detokenize |
Secrets cannot be overridden to allow without dangerouslyAllowSecrets: true.
Where Tailrace sits
Your app ──► wrapModel / wrapTools / MCP wrapper ──► tailrace.check ──► provider or tool
│
└──► audit (async)For the Vercel AI SDK, one line wraps the model:
const model = tailrace.model(openai("gpt-4o"));Next steps
| Goal | Link |
|---|---|
| Block a fake key in five minutes | Quickstart |
| Connect Cursor / Claude to docs | Use with AI tools |
| Models, tools, streaming, egress | Protect PII in the AI SDK |
| MCP transports | Govern MCP tool calls |
| Hono OpenAI passthrough | Hono integration |
| Concepts | Boundaries |