Whitepaper: Bauxite Intercept
Deterministic PII Redaction and Resource Isolation for LLM Systems
1. Executive Summary
As enterprises adopt Large Language Models (LLMs), they encounter a fundamental tradeoff:
Security increases latency. Latency increases risk.
Most systems solve this by adding buffers, caches, and inspection layers—expanding both memory footprint and attack surface.
Bauxite Intercept removes this tradeoff.
It introduces a Zero-Disk, Fixed-Heap interception layer that performs streaming PII redaction in real time, without buffering entire payloads or relying on persistent storage.
Security is enforced not through scale—but through strict, deterministic constraints.
2. Streaming Redaction: Zero-Disk by Design
Traditional systems inspect requests by buffering them—either in memory or on disk. This creates a secondary system that must itself be secured.
Bauxite eliminates this entirely.
Streaming Placeholder Swap
- In-flight Redaction: Sensitive data (emails, phone numbers, IDs) is detected and replaced with UUID placeholders as the request streams through.
- Transient Vault (Memory Only): Mappings are stored in a short-lived, in-memory structure (`sync.Map`) with strict TTL enforcement.
- Single-Pass Rehydration: As the LLM streams its response, placeholders are replaced with original values using a single-pass byte comparison.
- Zero Persistence: Sensitive data is never written to disk. No logs, no buffers, no residual state.
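The swap-and-rehydrate path described above, as an added Go illustration that is not Bauxite's own code: a `sync.Map` vault whose entries carry a TTL, a redactor that emits UUIDv4 placeholders, and a single-pass rehydrator. The two PII detectors (an email pattern and a loose phone pattern) and the `<<PII:uuid>>` placeholder shape are assumptions; the rehydrator also goes one step beyond the text by holding back a placeholder that the LLM's chunking splits across two response chunks, so that a boundary never leaks a broken placeholder or loses the original value.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"regexp"
	"strings"
	"sync"
	"time"
)

// Constructed detectors (email, loose phone); the paper does not enumerate the real ones.
var piiRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}|\+?\d[-\d ]{8,}\d`)
var phRe = regexp.MustCompile(`<<PII:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}>>`) // assumed shape, 46 bytes
type entry struct{ value string; expires time.Time }
// Vault is the transient, memory-only placeholder -> original map; entries expire after ttl.
type Vault struct{ m sync.Map; ttl time.Duration }

// Redact swaps every PII match in a request chunk for a fresh UUIDv4 placeholder.
func (v *Vault) Redact(chunk string) string {
	return piiRe.ReplaceAllStringFunc(chunk, func(m string) string {
		var b [16]byte
		rand.Read(b[:]) // crypto/rand: fails only if the OS entropy source is broken
		b[6], b[8] = b[6]&0x0f|0x40, b[8]&0x3f|0x80 // RFC 4122 version/variant bits
		ph := fmt.Sprintf("<<PII:%x-%x-%x-%x-%x>>", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
		v.m.Store(ph, entry{m, time.Now().Add(v.ttl)})
		return ph
	})
}
// Rehydrator restores placeholders in streamed response chunks in one pass, holding back a tail (at most 45 bytes) that may be a placeholder split across a chunk boundary.
type Rehydrator struct{ v *Vault; tail string }
func (r *Rehydrator) Write(chunk string) string {
	s := r.tail + chunk
	cut := len(s)
	if i := strings.LastIndex(s, "<<"); i >= 0 && len(s)-i < 46 && !strings.Contains(s[i:], ">>") {
		cut = i // an unclosed "<<" near the end: defer it to the next chunk or Flush
	} else if strings.HasSuffix(s, "<") {
		cut = len(s) - 1 // a lone trailing "<" may be the first byte of a placeholder
	}
	r.tail = s[cut:]
	return phRe.ReplaceAllStringFunc(s[:cut], func(ph string) string {
		if e, ok := r.v.m.Load(ph); ok && time.Now().Before(e.(entry).expires) {
			return e.(entry).value
		}
		return ph // unknown or expired: leave the placeholder, never guess
	})
}
// Flush releases whatever was held back once the stream ends.
func (r *Rehydrator) Flush() string { t := r.tail; r.tail = ""; return t }
```

Expired mappings are deliberately left as placeholders rather than restored, so a response that arrives after the TTL cannot be rehydrated at all.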
3. Fixed-Heap Isolation: The Straitjacket
Most services treat memory as elastic. Bauxite treats it as a hard boundary.
Deterministic Memory Control
- Pre-emptive Rejection: Before processing begins, Bauxite evaluates memory pressure using `runtime.MemStats`. If a request would exceed the configured limit, it is rejected with `HTTP 507 Insufficient Storage`.
- Flat Memory Profile: `sync.Pool` is used to reuse internal structures, minimizing allocations and reducing GC pressure under load.
- Application-Level Circuit Breaker: Oversized or malicious payloads are rejected early, preventing OOM crashes and protecting adjacent services.
4. Technical Characteristics
| Property | Value | Outcome |
|---|---|---|
| Runtime | Go (static binary) | High concurrency, minimal dependencies |
| Memory Limit | Fixed (default: 20MB) | Predictable behavior under load |
| Processing Model | Streaming | No full-request buffering |
| Persistence | None | Eliminates data remanence risk |
| Latency Overhead | <1ms typical | Operationally negligible |
| Binary Size | ~15MB | Portable, edge-friendly |
5. Deployment Model
Bauxite is designed to run wherever data leaves your trust boundary.
- Local Development: Run as a drop-in proxy. Change `BASE_URL` and intercept immediately.
- Sidecar (Recommended): Deploy alongside services to enforce PII boundaries at the source.
- Centralized Layer: Operate as a shared interception layer for policy enforcement and observability.
- Edge / Constrained Environments: Runs on low-memory systems (ARM64/AMD64) without degradation.
6. Compliance by Architecture
Bauxite reduces compliance scope by design:
- No persistent storage of sensitive data
- No raw PII sent to third-party LLM providers
- Deterministic data handling guarantees
Supports:
- GDPR
- HIPAA
- PCI-DSS
7. Conclusion
Most systems attempt to secure LLMs by adding complexity.
Bauxite does the opposite.
By combining:
- Streaming redaction (no buffering)
- Zero-disk guarantees
- Fixed memory boundaries
…it enforces security through constraints, not expansion.
If sensitive data never leaves your system, it cannot leak.