OTEL Guard
The Mima runtime guard detects unattested AI calls and reports them via OpenTelemetry, a local daemon socket, or a JSONL report file.
It answers the question: “Are there AI calls in my codebase that are
not wrapped with @mima.attest()?”
Install
The otel extra adds opentelemetry-api and opentelemetry-sdk.
Enable at startup
Call enable_guard() once at your application entry point, before any AI
clients are instantiated.
Modes
What the guard detects
The guard patches the __init__ method of the following AI client classes:
When one of these is called outside a function decorated with @mima.attest(),
the guard fires.
How it works with @mima.attest()
The @mima.attest() decorator sets an “attested” flag before the decorated
function runs and clears it afterwards. The guard checks this flag on every
patched AI client call.
Thread safety: the attested flag uses threading.local, so each thread has
its own value. Concurrent threads do not interfere with each other.
Async safety: async calls use a contextvars.ContextVar. Each asyncio task
inherits a copy of the context, so concurrent tasks are isolated.
OpenTelemetry integration
When a real TracerProvider is configured (not the default no-op), the guard
emits mima.ai_call spans for every unattested call.
Span attributes
Report mode — ~/.mima/guard_log.jsonl
In "report" mode, every unattested call is written to
~/.mima/guard_log.jsonl as a JSONL record:
The file rotates at 10 MB (3 backups kept).
Review the log directly:
Use in CI — catch gaps before production
Add enable_guard(mode="block") to your test configuration. This causes
the test suite to fail fast whenever an AI call is made outside
@mima.attest(), preventing unattested calls from reaching production.
Then run your tests normally. Any unattested AI call raises MimaAttestationError
and the test fails with a clear message.
Detection fallback chain
- If a real
TracerProvideris configured → emitmima.ai_callOTEL span. - Else if the Mima daemon socket is available → send to local daemon.
- Else → in-process queue + background thread → JSONL report.
The fallback chain ensures the guard always works, even without an OTEL collector or Mima daemon running.
Supported AI libraries
The guard currently patches these libraries when they are installed:
openai>= 1.0anthropic>= 0.20litellm>= 1.0
For other libraries, use mima.wrap() / @mima.attest() directly and the
guard does not need to detect those calls (they are already attested).
Disabling the guard
Or use per-call:
Prefer @mima.attest() over manual flag manipulation.
