How can we help?

Torii AI Module Telemetry — Security & Architecture White Paper

Uri Nativ
Uri Nativ
  • Updated
Torii AI

This document is intended for security operations, IT, privacy, and compliance teams evaluating Torii's AI Module. It describes what telemetry Torii captures from AI coding tools, how it is transmitted, and how Torii stores and protects that data.

  • Version: 1.1
  • Last updated: July 2026
  • Product: Torii AI Module
  • Audience: Security, IT, privacy, and compliance teams

Executive Summary

Torii's AI Module uses standard OpenTelemetry signals to provide visibility into enterprise usage of AI coding tools. Torii collects usage metadata such as model usage, token counts, latency, tool name, user identity, and device identity. For Claude Code, Torii additionally collects truncated tool-input arguments (for example, shell command lines and file paths — see §4.3). Torii does not collect prompts, completions, source code, full file contents, tool output, keystrokes, IDE state, or repository contents.

Telemetry is transmitted over HTTPS using per-organization authentication tokens and stored in Torii's secured cloud environment. Customers can deploy telemetry directly from supported AI tools or route it through a customer-managed OpenTelemetry Collector for additional inspection and control.

1. Introduction

Torii's AI Module gives enterprise IT teams visibility into how employees use AI coding assistants — Claude Code, Gemini CLI, Codex CLI, and GitHub Copilot — including which models are invoked, how many tokens are consumed, and which users and machines are active.

This capability is built on OpenTelemetry (OTel), the CNCF-graduated observability standard. Each supported AI tool emits telemetry over the OTLP/HTTP wire protocol to a Torii-hosted ingest endpoint. Torii does not install a proprietary endpoint agent or use kernel-level instrumentation for this capability.

2. What is OpenTelemetry?

OpenTelemetry (OTel) is an open-source, vendor-neutral observability framework governed by the Cloud Native Computing Foundation (CNCF). It defines:

  • A wire protocol (OTLP — OpenTelemetry Protocol) for transmitting telemetry over HTTP or gRPC
  • Semantic conventions — standardized attribute names for common domains (e.g. gen_ai.* for AI/LLM workloads)
  • SDKs and exporters bundled natively into many tools

Torii does not ship a custom telemetry agent. Instead, it configures each AI tool's built-in OTel exporter to point at Torii's ingest endpoint. This means there is no additional software to audit or maintain — only standard environment variables that activate exporters already present in the tools your developers are using.

3. Supported AI Tools and Native OTel Support

Tool OTel Support Default Protocol Auth Method
Claude Code (Anthropic) Native, built-in OTLP/HTTP JSON Bearer token in Authorization header
Gemini CLI (Google) Native, built-in OTLP/HTTP JSON Bearer token in URL path (/t/<token>)
Codex CLI (OpenAI) Native, built-in OTLP/HTTP JSON Bearer token in Authorization header
GitHub Copilot (Microsoft) Native, built-in (VS Code Copilot Chat extension) OTLP/HTTP Bearer token in URL path (/t/<token>)

All four tools ship with OTel exporters included. Torii's setup script or MDM configuration activates these exporters via environment variables or settings files — no binary modifications are made to any AI tool.

4. Signals Captured

Torii captures metrics from the gen_ai.* semantic convention namespace. For Claude Code, Torii also captures lightweight tool-detail log events (see §4.3). No traces are captured, and no request or response content (prompts, completions, tool output, or full files) is captured.

4.1 Captured Metric Signals

Metric Description
gen_ai.client.token.usage Prompt and completion token counts per model invocation
gen_ai.client.operation.duration Latency of each model call (histogram, in seconds)
gen_ai.client.operation.count Number of model invocations

4.2 Resource Attributes (Identity Fields)

Each OTLP payload carries resource attributes that identify the source. The following are collected:

Attribute Description Classification
enduser.id Developer identity configured for attribution — an MDM-supplied email when available, otherwise the OS or console username on the developer's machine User identity
host.name Machine hostname Device metadata
host.id Machine hardware serial number Device identifier
service.name Set to the tool name (e.g. claude-code) Operational metadata
telemetry.sdk.version OTel SDK version string Operational metadata

Prompt content is never captured. The environment variable OTEL_LOG_USER_PROMPTS=0 is set explicitly by the Torii install script, disabling prompt logging. (Prompt logging can be opted into per-tool by re-running the installer with --log-prompts true, but it is off by default.)

4.3 Claude Code — Tool-Detail Events

Claude Code's OpenTelemetry exporter can attach tool-usage detail to the log events it emits. Torii's install script enables this by setting OTEL_LOG_TOOL_DETAILS=1. This is the signal Torii uses to show which tools, MCP servers, and skills are in use across the fleet.

With it enabled, each event carries which tool ran and its input arguments in truncated form — the shell command line, file paths, MCP server and tool names, and skill names. Scope and limits:

  • Individual values are capped at 512 characters and the whole payload at roughly 4 KB per event. Short text fragments passed as tool arguments can appear, but whole files, command output, and model responses never do.
  • Torii never receives tool output, full file contents, prompts, or completions. OTEL_LOG_TOOL_CONTENT (which would include tool output) is left at its default (off) and is not set by the install script.
  • Gemini CLI, Codex CLI, and GitHub Copilot report usage without argument detail.

To disable tool-detail logging fleet-wide, remove the OTEL_LOG_TOOL_DETAILS key from the managed settings (or set it to 0).

5. Wire Protocol and Transport

5.1 Endpoint

All telemetry is sent to:

https://ai-events.toriihq.com

Torii operates a multi-tenant cloud ingest endpoint for AI telemetry. Each organization is authenticated using a unique bearer token, and tenant isolation is enforced at the ingest and storage layers.

5.2 Transport Security

  • TLS 1.2 minimum on all connections; TLS 1.3 preferred
  • Standard HTTPS on port 443
  • Certificate issued by a public CA (Amazon)
  • No client certificates required

5.3 Encoding

  • CLI tools (direct send): OTLP/HTTP JSON (Content-Type: application/json)
  • Collector forwarding: OTLP/HTTP protobuf or JSON (configurable)

5.4 Authentication

Each ingest request carries a per-organization bearer token:

Authorization: Bearer <token>

Gemini CLI uses URL-path authentication instead of a header (a constraint of that tool's exporter):

https://ai-events.toriihq.com/t/<token>/v1/metrics

Tokens are scoped per organization and can be rotated in the Torii UI at any time. After rotation, the old token remains valid for 24 hours to allow for staged rollout.

6. Data Inventory

6.1 What Torii Stores

Data element Retention
Raw OpenTelemetry metric payloads — and, for Claude Code, tool-detail log payloads — limited to the fields described in this document and excluding prompts, completions, code, tool output, and full file contents 90 days (configurable per contract)
Aggregated usage rollups Duration of subscription + 30 days
Authentication tokens Until rotated or org deleted

6.2 What Torii Does Not Capture

  • Prompt text or completion text
  • Full file contents or source-code files
  • Tool output or command output
  • Git repository metadata
  • IDE state or keystrokes
  • Network traffic beyond OpenTelemetry payloads

6.3 Data Boundary Summary

Category Collected by Torii AI Module?
Prompt text No
Completion text No
Source code / full file contents No
Tool output / command output No
Keystrokes No
IDE state No
Repository contents or metadata No
Token counts Yes
Model usage Yes
Tool name Yes
Tool input arguments — Claude Code only, truncated (≤512 chars/value; e.g. shell command lines, file paths, MCP/tool/skill names) Yes
User identity Yes
Device identity Yes
Latency and invocation counts Yes

7. Privacy and Data Handling

Control Detail
Prompt content Off by default (OTEL_LOG_USER_PROMPTS=0); not stored
Tool-detail logging On for Claude Code (OTEL_LOG_TOOL_DETAILS=1); truncated tool arguments only, capped at 512 chars/value and ~4 KB/event; no tool output or file content; removable fleet-wide
Data minimization Only gen_ai.* metrics plus Claude Code tool-detail log events; no traces collected
Encryption at rest All data encrypted at rest using AES-256
Encryption in transit TLS 1.2+ on all hops
Data residency AWS us-east-1 (US) by default
Subprocessors AWS (infra); no third-party analytics vendors receive raw telemetry
DPA Available on request; covers GDPR, CCPA
Token rotation Self-service in Torii UI; 24-hour overlap window

8. Deployment and Configuration

8.1 Direct Tool Configuration

Torii provides shell scripts (downloaded from https://assets.toriihq.com/otel/latest/) that configure the AI tool via environment variables. The standard end-user installation flow does not require elevated privileges. The environment keys set for Claude Code are:

CLAUDE_CODE_ENABLE_TELEMETRY=1
OTEL_METRICS_EXPORTER=otlp
OTEL_LOGS_EXPORTER=otlp
OTEL_EXPORTER_OTLP_PROTOCOL=http/json
OTEL_EXPORTER_OTLP_ENDPOINT=https://ai-events.toriihq.com
OTEL_EXPORTER_OTLP_HEADERS=Authorization=Bearer <token>
OTEL_RESOURCE_ATTRIBUTES=host.name=...,host.id=...,enduser.id=...
OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE=delta
OTEL_LOG_USER_PROMPTS=0
OTEL_LOG_TOOL_DETAILS=1

Available flags:

  • --dry-run prints the intended configuration changes without writing to disk.
  • --log-prompts true|false toggles prompt logging (default false).
  • --user-scope current|<path> selects which user's config is written when the script runs as root (default current, the console user).
  • --endpoint URL overrides the ingest endpoint (default https://ai-events.toriihq.com) for staging or a customer-managed relay.

8.2 MDM Deployment

For fleet-wide deployment, Torii provides MDM-compatible scripts for:

  • macOS: Jamf Pro, Kandji, Mosyle, JumpCloud (shell scripts)
  • Windows: Intune, JumpCloud (PowerShell scripts)
  • Linux: Ansible, JumpCloud, or manual shell

MDM scripts write configuration to a machine-level managed-settings file (read by both the CLI and the tool's desktop app where applicable) or to user shell profiles, depending on the tool and platform. Fleet-wide deployment may vary depending on the customer's MDM configuration and operating system policies.

On Windows, the machine-level Claude Code fragment additionally sets Anthropic's wslInheritsWindowsSettings policy key. Claude Code v2.1.118+ running inside WSL distributions on the host then inherits the same managed telemetry configuration from the Windows policy chain, extending coverage to WSL-based developers without a separate install inside the distribution. The key is a configuration-scoping control only - it transmits no data and has no effect on native Windows sessions.

8.3 Collector Forwarding

Customers who prefer to route telemetry through their own infrastructure can deploy an OTel Collector in forwarding mode. In this model, the AI tool exports to a collector endpoint on the corporate network, and the collector forwards to https://ai-events.toriihq.com. Telemetry remains within the customer's network until the customer-managed collector forwards approved data to Torii — giving your security team full visibility and control over what is sent.

Supported collectors:

  • otelcol-contrib (official OTel Collector)
  • Grafana Alloy
  • Datadog Agent
  • Splunk OTel Collector
  • AWS Distro for OTel (ADOT)
  • Elastic Agent

The collector authenticates to Torii using TORII_INGEST_TOKEN injected as an environment variable, keeping the token out of config files checked into source control.

9. Network Requirements

9.1 Required Firewall Rules

Destination Port Protocol Purpose
ai-events.toriihq.com 443 HTTPS/TLS OTLP metric and log ingest
assets.toriihq.com 443 HTTPS/TLS Install script download (one-time); on Linux, also the helper binary at install time

No inbound connections are required on developer machines. The AI tool initiates all connections outbound to port 443. After install, only ai-events.toriihq.com is needed at runtime.

9.2 Proxy Environments

The OTel exporter respects standard HTTPS_PROXY / NO_PROXY environment variables. No additional proxy configuration is needed.

10. Audit and Validation

10.1 Verifying What is Sent

To inspect the exact payload before it reaches Torii:

  1. Run the install script with --dry-run to see all environment variable changes without applying them.
  2. Set OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318 and run a local OTel collector (e.g. otelcol-contrib) with a logging exporter to capture and print all payloads.
  3. Use tcpdump or a TLS-terminating proxy (e.g. mitmproxy) to inspect raw HTTPS traffic.

The published script bytes are served at https://assets.toriihq.com/otel/latest/<script-name> and a SHA256 manifest for every published file is at https://assets.toriihq.com/otel/latest/manifest.json — fetch them with curl and review before approving a rollout.

10.2 Token Audit

  • Token creation and rotation events are logged in the Torii admin audit log.
  • Ingest requests are logged per tenant with timestamps and IP addresses, available through Torii Support upon authorized request.

10.3 Data Subject Requests

For GDPR / CCPA data subject requests (access or deletion), contact privacy@toriihq.com. Deletion requests are fulfilled within 30 days.

Appendix A: Environment Variable Reference

Variable Value Effect
CLAUDE_CODE_ENABLE_TELEMETRY 1 Enable Claude Code telemetry
OTEL_METRICS_EXPORTER otlp Enable metric export
OTEL_LOGS_EXPORTER otlp Enable log-event export (carries tool-detail events)
OTEL_EXPORTER_OTLP_PROTOCOL http/json Wire encoding (JSON)
OTEL_EXPORTER_OTLP_ENDPOINT https://ai-events.toriihq.com Ingest destination
OTEL_EXPORTER_OTLP_HEADERS Authorization=Bearer <token> Authentication
OTEL_RESOURCE_ATTRIBUTES host.name=...,host.id=...,enduser.id=... Resource identity
OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE delta Delta temporality for counters
OTEL_LOG_USER_PROMPTS 0 Disable prompt logging
OTEL_LOG_TOOL_DETAILS 1 Emit truncated tool-input arguments (tool/MCP/skill names, file paths, command lines)

Appendix B: OTel Semantic Conventions Reference

Torii follows the OpenTelemetry gen_ai.* semantic conventions (specification at https://opentelemetry.io/docs/specs/semconv/gen-ai/). These conventions are stable and versioned; Torii tracks the upstream specification as it evolves.

Appendix C: Contact

Purpose Contact
Security questions / pen test requests security@toriihq.com
Privacy / data subject requests privacy@toriihq.com
Technical integration support support@toriihq.com
DPA / contract questions legal@toriihq.com

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request