eBPF · live demo · v0.1.0real production traffic at /live →

See what your apps are
actually sending to OpenAI & Anthropic.

turbo-flow taps every outbound LLM call at the kernel, scans every prompt and response for PII, credentials, and regulated identifiers, and writes a per-process audit log your CISO can show an auditor. SOC 2 evidence, HIPAA-aligned PHI tripwire, DLP control — all from a single MIT-licensed binary. Zero SDK changes.

install on any Linux host
$curl -fsSL https://github.com/blasrodri/turbo-flow/releases/latest/download/install.sh | sh
MIT-licensed. Linux x86_64 / aarch64, kernel ≥ 5.4 with BTF. · source on GitHub
prefer a hand? book 30 min
0
SDK changes
6
DLP detectors
<100ms
event → dashboard
3
runtimes covered
live · demo host$247.83saved last hr
cap$8.11
rewrote$188.02
cache$51.70
live · api.anthropic.com
saved this session
$0.00
capped
0
rewrote
0
cached
0
passed
0
burst / runaway rewrite lane cache lane other providers
// WHAT YOU GET, OUT OF THE BOX

See it. Audit it. Govern it.
Three layers, one binary.

DLP scan + audit log are always on. Cost-saving proxy and kernel budget enforcement are opt-in flags.
DLP01

Catch sensitive data at the wire

before it lands at a third-party LLM

Every prompt and response is regex-scanned in-process for emails, phones, credit cards (Luhn-checked), SSNs, API keys (sk-…, sk_live_…, AKIA…), and bearer tokens. Hits land as compliance_flags on the JSONL line — raw matched text never leaves your host.

beforeengineer pastes patient data into Claude prompt
aftercompliance_flags: ["email", "phone"] on the same line
your DPA stays honest
AUDIT TRAIL02

Per-process LLM call log

SOC 2 / HIPAA-aligned evidence

Append-only JSONL of every Anthropic / OpenAI call leaving the host: PID, comm, model, input/output tokens, HTTP status, container ID. Suitable for SOC 2 CC7 (system monitoring) and as the operational layer of any enterprise LLM data-handling policy.

before"what data are we sending?" — nobody knows
after10K-line JSONL with PID-attributed model + tokens
an answer for the auditor
REAL-TIME03

Live dashboard, force-graph

see calls fire as they happen

Companion turbo-flow-live process tails the JSONL via SSE and ships an embedded dashboard: hour-window stats, animated app→provider flow graph, compliance hits highlighted in coral. Read-only — payload content never leaves the host. Live demo on a real workload below.

beforetail -f /var/log/turbo-flow/...jsonl
afteropen https://yourhost/live in a browser
<100ms event → render
Cost-saving proxy (cap, downgrade, cache) and kernel-level budget enforcement still ship in the same binary — see the README.
// HOW

Three probes. One bit flip.

eBPF stays tiny on purpose — one memcpy, one map lookup. All logic lives in user space.
01
INTERCEPT

eBPF uprobe on SSL_write

Every agent hitting libssl, BoringSSL, or crypto/tls triggers a uprobe. 384-byte preview + direction into a ring buffer.

~50ns · kernel-local
02
POLICE

User-space policy engine

Rust daemon drains the ring, classifies model tier, debits a shared rolling 60s budget. Response usage reconciles estimates.

SHA-hash retry dedup
03
ENFORCE

TC egress drops packets

Budget flipped? One bit flips in an eBPF map. Matching TCP packets return TC_ACT_SHOT. Well-behaved PIDs keep flowing.

port-scoped · zero userspace hot path
  [agent] → SSL_write → [uprobe] → ring-buf → [daemon] → { JSONL, Prom, ENFORCE_MAP }
                                                                      │
                                                                      ▼
                                                          [tc-egress] budget blown? SHOT.
// SEE IT LIVE

A real production dashboard,
streaming real LLM traffic.

The live demo runs against the Go-based eywa-demo health workflow on the same host. Every "Generate Summary" click fires an Anthropic call, scanned for PII before the bridge broadcasts to your browser.
turbo-flow / live · DLP for LLM trafficopen at turbo-flow.claude-turbo.xyz/live
THIS HOUR
calls0
input tokens
output tokens
cost (est)$0.00
COMPLIANCE
events scanned
flagged
top category
BUDGET (this minute)
used
cap
sessions
app → provider flow·force-directed; particles fire on each event
eywa-backendpid 146981anthropic
lime particle = write (request) · cyan particle = read (response) · coral edge = compliance hit
timepidcommmodelinoutstatusflags
07:08:43146981serverclaude-sonnet874300200email
07:06:12146981serverclaude-sonnet554248200email
07:05:48146981serverclaude-sonnet170529clean
07:04:33146981serverclaude-sonnet792300200email
open the live demo
// NEXT STEP

I'll set it up for you.
Free, on a 30 min call.

You bring a host that hits Anthropic. I install turbo-flow live on the call, pick the right levers (cap / downgrade / cache) for your traffic, and leave you with a Grafana dashboard showing dollars saved per minute.

Book the setup call →
Free · no slides · you keep the install whether or not we keep talking
Or self-host it now
GitHub·Docs·Apache-2.0 · Linux 5.15+