Most enterprise engineering orgs running Claude Code at scale are running into some version of the same three problems.
Security. The first is that nobody can say for sure what’s leaving the building. Claude Code reads files, executes commands, and sends context to Anthropic on every request. Most teams do not have a policy for what that context is allowed to contain. The ones that do have a policy have no way to enforce it in-flight.
Cost. The second is cost. Token spend on Claude Code is not seat-based and not predictable. A single heavy user can burn through a rate window in hours. A single bad prompt can spend more than a small feature. Overages arrive silently. Budgets are guesses.
Rate limits. The third is that the developers actually using the tool keep getting blocked. Rate limits hit at the wrong moment. The account they’re on runs out just as they’re deep in a change. They open a support ticket, or they shrug and switch to something worse.
Three different problems. One underlying gap: there is no control layer between the developer and the API. Sentinel is that layer.
Why we built this
Every enterprise we work with is making meaningful investments in AI coding tools without the controls that make those investments defensible. Real money, real headcount, real timelines, with vendor dashboards instead of operating data. When you actually try to run AI as a governed part of your engineering process, four questions come up quickly and none of them have a good answer today:
- What is a developer allowed to send to Anthropic, and how do we enforce that at the moment they hit enter?
- What is this actually costing us, per user, per project, per week, and what should next quarter’s budget be?
- When a developer is blocked by a rate limit, do they wait, or do we have a way to keep them working?
- If something goes wrong — a leaked secret, a runaway agent, a spike in spend — can we see it, block it, or roll it back?
Those are governance, finance, productivity, and risk questions in that order. In most organizations they belong to four different people, none of whom own the tool. Sentinel exists so the people who do own the tool have something to point at.
What Sentinel does
Sentinel is a tray app and a bundled local daemon. Activate it once, and every request from that machine flows through the daemon before it reaches Anthropic. The daemon does five things in parallel:
- In-flight security scanning. Every request is inspected for secrets, PII, prompt injection patterns, and risky tool use before it leaves the machine. Findings can be observed silently, held for approval, or blocked outright. What ships in your prompts is a policy decision, not an accident.
- Permission and sandbox rules. Allow, deny, and ask rules stay in lockstep with Claude Code’s own settings. Optional OS-level sandboxing limits which files and domains Claude Code’s spawned commands can actually reach. The blast radius of a bad agent run is bounded before it starts, not after it happens.
- Multi-account routing. Enroll every Claude subscription your team owns. Route across them manually or let auto mode pick the account with the freshest rate window. A developer who would otherwise be blocked keeps working. No support ticket, no context switch.
- Token optimization. Reversible payload compression, curated cheaper subagents for routine work, and MCP-based code execution instead of naive tool loops. The same output, at a materially lower token bill.
- Usage, cost, and overage telemetry. Real spend, real token counts, rate-limit windows, spend caps, and threshold notifications. When the number gets uncomfortable, you find out before the invoice does, not after.
All of this happens on the developer’s machine. The proxy listens only on 127.0.0.1. Credentials sit in the OS keychain. There is no telemetry, no cloud backend, no Intevity involvement in the request path. If you uninstall Sentinel, Claude Code goes back to talking directly to the API.
What this costs versus what it prevents
Every one of the features above maps to a specific cost you are already carrying, whether you can see it or not.
The security features prevent the incident that ends someone’s quarter. A leaked API key in a prompt. A production credential pasted into context. A prompt injection that convinces the agent to exfiltrate. The catch-up cost of any of these is measured in incident reviews, board notifications, and, in regulated industries, findings that block releases. The cost of preventing them at the request layer is measured in a scan that adds tens of milliseconds.
The cost features prevent the invoice that surprises finance. Most organizations discover their real Claude Code spend by looking at the credit card statement. Sentinel makes the number legible in real time, sets caps that hold, and rewrites payloads so the number is lower than it would be otherwise. A quarter of runaway spend paid for the tool many times over.
The routing features prevent the productivity tax nobody measures. Developers who hit rate limits do not sit and wait. They switch tools, they go back to writing code by hand, or they open a ticket that nobody prioritizes. Multiply that by a team of thirty and it is a real number, invisible on any dashboard but obvious in sprint velocity. Multi-account routing turns that number back into zero.
Three value levers, one install. If your team is already spending on Claude Code, the question is not whether Sentinel is worth deploying. It is whether the risks and inefficiencies it removes are ones you are willing to keep carrying.
The scope question
Sentinel targets Claude Code because that is where the highest concentration of enterprise developer AI
spend is going right now, and because Claude Code’s architecture — an
ANTHROPIC_BASE_URL environment variable, an already-structured settings file, native
OpenTelemetry emission — makes a clean proxy layer possible.
The same control problem exists for Codex, Antigravity, OpenCode, and Cursor. Extending Sentinel to cover them, either as one app or as tool-specific editions, is on the roadmap. Whether we make that investment depends on whether Sentinel earns its place in real production environments first. If your team runs one of those tools and would use this if it existed, tell us. That’s the signal we’re waiting for.
Why we open-sourced it
The same reason as everything else in Intevity Labs: if we shipped this as a paid product, the obvious objection from any reasonable buyer would be great, now you’re another vendor sitting between us and Anthropic. Open source removes the objection. Every request path is auditable. Every credential handler is inspectable. Your security team can read the code. Your platform team can fork it.
MIT license. No accounts, no callbacks, no telemetry. If it stops being useful, uninstall it and Claude Code returns to exactly the state it was in before.
What’s next
Sentinel is the first release out of Intevity Labs. Our next tool in the series, Trove, takes the same posture — local-first, no telemetry, MIT-licensed — and applies it to observability across every AI coding tool your team uses, not just Claude Code. Sentinel is depth on one tool. Trove is breadth across the portfolio. They are designed to run together and neither depends on the other.
More tools are in flight. The thesis underneath the whole series is the same one we’ve started calling dark code: AI-authored work is outpacing the artifacts humans use to govern it, and the response is going to have to be built one control layer at a time.
The Sentinel repo is at github.com/Intevity/sentinel. Install it, break it, tell us what needs to change.