Schema reference for TrustGuard and TrustGate metadata events — the fields AlertEngine rules match on, how detection normalization works, and what is not stored.
Alerts and Use Cases evaluate rules over metadata events stored in the NeuralTrust metadata store. TrustGuard and TrustGate each emit one metadata record per request over OpenTelemetry (OTLP); a collector ingests them into separate TrustGate and TrustGuard event streams.
No raw prompt or response text is in the metadata stream. Identifiers, verdicts, counters, and finding labels only. Raw bodies live in a separate store keyed by trace_id for drill-down in the UI.
Entity is not a stored column. AlertEngine derives it from consumer_id — the v1 entity reference for “who” triggered the event.
Logical group key
Stored as
Notes
entity / consumer
consumer_id
Default alert subject
session
session_id
Session-scoped bursts
app
gateway_id (TrustGate) or collector_id (TrustGuard)
Per-gateway or per-collector
route
url_path
TrustGate HTTP path
There is no ip column. Rules that previously grouped by IP now use session or consumer. Predefined nt-uc-111 (Unidentified Consumer Surge) groups by session, not IP.
Rules with a detection: block match over the raw detector_chain JSON array. AlertEngine normalizes each element at query time (not as a stored column).
Elements that only record detector execution (no detection_type, action, or signal.type) do not count as findings — so clean requests where detectors ran but did not fire are excluded from detection matches.