Most enterprise engineering orgs running Claude Code at scale are running into some version of the same three problems.
Security. The first is that nobody can say for sure what’s leaving the building. Claude Code reads files, executes commands, and sends context to Anthropic on every request. Most teams do not have a policy for what that context is allowed to contain. The ones that do have a policy have no way to enforce it in-flight.
Cost. The second is cost. Token spend on Claude Code is not seat-based and not predictable. A single heavy user can burn through a rate window in hours. A single bad prompt can spend more than a small feature. Overages arrive silently. Budgets are guesses.
Rate limits. The third is that the developers actually using the tool keep getting blocked. Rate limits hit at the wrong moment. The account they’re on runs out just as they’re deep in a change. They open a support ticket, or they shrug and switch to something worse.
Three different problems. One underlying gap: there is no control layer between the developer and the API. Sentinel is that layer.
SecurityWhat is leaving the building?$CostSpend is invisible until the invoice.Rate limitsDevelopers blocked mid-change.ONE GAP: NO CONTROL LAYER BETWEEN DEVELOPER AND APISentinelthe control layer between the developer and the APIThree symptoms, one missing piece: a control layer between the developer and the API.Every enterprise we work with is making meaningful investments in AI coding tools without the controls that make those investments defensible. Real money, real headcount, real timelines, with vendor dashboards instead of operating data. When you actually try to run AI as a governed part of your engineering process, four questions come up quickly and none of them have a good answer today:
Those are governance, finance, productivity, and risk questions in that order. In most organizations they belong to four different people, none of whom own the tool. Sentinel exists so the people who do own the tool have something to point at.
Sentinel is a tray app and a bundled local daemon. Activate it once, and every request from that machine flows through the daemon before it reaches Anthropic. The daemon does five things in parallel:
All of this happens on the developer’s machine. The proxy listens only on 127.0.0.1. Credentials sit in the OS keychain. There is no telemetry, no cloud backend, no Intevity involvement in the request path. If you uninstall Sentinel, Claude Code goes back to talking directly to the API.
YOUR MACHINE · 127.0.0.1 · credentials in OS keychainClaude CodeSentinel daemon127.0.0.1:47284inspect · route · meter every requestAnthropic APITHE DAEMON DOES FIVE THINGS IN PARALLELIn-flightscanningsecrets · PII · injectionPermission &sandboxbounded blast radiusMulti-accountroutingauto-switch on limitsTokenoptimizationsame output, lower billUsage &cost telemetrybefore the invoice, not afterOne local daemon on 127.0.0.1 sits between Claude Code and Anthropic, doing five things in parallel — and nothing leaves your machine that you didn't send anyway.Every one of the features above maps to a specific cost you are already carrying, whether you can see it or not.
The security features prevent the incident that ends someone’s quarter. A leaked API key in a prompt. A production credential pasted into context. A prompt injection that convinces the agent to exfiltrate. The catch-up cost of any of these is measured in incident reviews, board notifications, and, in regulated industries, findings that block releases. The cost of preventing them at the request layer is measured in a scan that adds tens of milliseconds.
The cost features prevent the invoice that surprises finance. Most organizations discover their real Claude Code spend by looking at the credit card statement. Sentinel makes the number legible in real time, sets caps that hold, and rewrites payloads so the number is lower than it would be otherwise. A quarter of runaway spend paid for the tool many times over.
The routing features prevent the productivity tax nobody measures. Developers who hit rate limits do not sit and wait. They switch tools, they go back to writing code by hand, or they open a ticket that nobody prioritizes. Multiply that by a team of thirty and it is a real number, invisible on any dashboard but obvious in sprint velocity. Multi-account routing turns that number back into zero.
WHAT IT PREVENTS vs WHAT IT COSTSPREVENTSThe incident that endsa quarterA leaked key, a pastedcredential, an injection that exfiltrates.costs: a scan · tens of ms$PREVENTSThe invoice thatsurprises financeReal spend, legible in realtime, with caps that actually hold.costs: real-time · caps that holdPREVENTSThe productivity taxnobody measuresBlocked developers switch tools orwait. Routing makes it zero.costs: blocked → zeroEvery feature maps to a cost you are already carrying. The price of prevention is a rounding error against the price of the incident.Three value levers, one install. If your team is already spending on Claude Code, the question is not whether Sentinel is worth deploying. It is whether the risks and inefficiencies it removes are ones you are willing to keep carrying.
Sentinel targets Claude Code because that is where the highest concentration of enterprise developer AI
spend is going right now, and because Claude Code’s architecture — an
ANTHROPIC_BASE_URL environment variable, an already-structured settings file, native
OpenTelemetry emission — makes a clean proxy layer possible.
The same control problem exists for Codex, Antigravity, OpenCode, and Cursor. Extending Sentinel to cover them, either as one app or as tool-specific editions, is on the roadmap. Whether we make that investment depends on whether Sentinel earns its place in real production environments first. If your team runs one of those tools and would use this if it existed, tell us. That’s the signal we’re waiting for.
SentinelClaude Codeshipping nowON THE ROADMAPCodexAntigravityOpenCodeCursorDepth on Claude Code first; the same proxy pattern extends to the rest once Sentinel earns its place in production.The same reason as everything else in Intevity Labs: if we shipped this as a paid product, the obvious objection from any reasonable buyer would be great, now you’re another vendor sitting between us and Anthropic. Open source removes the objection. Every request path is auditable. Every credential handler is inspectable. Your security team can read the code. Your platform team can fork it.
MIT license. No accounts, no callbacks, no telemetry. If it stops being useful, uninstall it and Claude Code returns to exactly the state it was in before.
Sentinel is the first release out of Intevity Labs. Our next tool in the series, Trove, takes the same posture — local-first, no telemetry, MIT-licensed — and applies it to observability across every AI coding tool your team uses, not just Claude Code. Sentinel is depth on one tool. Trove is breadth across the portfolio. They are designed to run together and neither depends on the other.
Sentineldepth on one toolClaude Code, all the way down Trovebreadth across the portfolioClaude …CodexCursorOpenCode…local-first · MIT · designed to run togetherSentinel goes deep on one tool; Trove goes wide across the portfolio. Same posture, complementary axes.More tools are in flight. The thesis underneath the whole series is the same one we’ve started calling dark code: AI-authored work is outpacing the artifacts humans use to govern it, and the response is going to have to be built one control layer at a time.
The Sentinel repo is at github.com/Intevity/sentinel. Install it, break it, tell us what needs to change.