Track what your AI coding agent costs. Block what it shouldn't touch.
Burnwall is a local proxy for AI coding tools β Claude Code, Codex CLI, Aider, OpenCode, Cline. It combines cache-aware cost accounting, path-and-command security checks on every tool call, cross-tool spend aggregation, and zero telemetry β without sending your prompts to a SaaS dashboard.
If you've ever woken up to a four-figure API bill from an agent loop, or wondered whether your agent has been quietly cat-ing ~/.ssh/id_rsa into the context window: Burnwall is the seatbelt.
$ burnwall start
π‘οΈ Burnwall v0.1.0
Proxy: http://localhost:4100
Security: 4 deny rules active
Budget: $50.00/day
Ready.
Your AI agent can read your SSH keys, AWS credentials, and network drives. Most developers don't know this until it's too late. Burnwall scans every API request and blocks dangerous file access, commands, and secret exfiltration before they leave your machine.
AI providers have complex pricing with cache tiers, write premiums, and stealth tokenizer changes. Burnwall reads the actual usage data from API responses and calculates real costs β not estimates. See exactly where your money goes, with cache savings highlighted.
Set a daily limit. Burnwall blocks API calls when you hit it. No more surprise $1,400 bills.
Detect and kill runaway agents that repeat the same request, burning tokens at 20+ requests per minute.
# Auto-detect and configure your AI tools (dry-run; --apply to commit)
burnwall init --apply
# Start the proxy (foreground; Ctrl-C to stop)
burnwall start
# In another terminal: check today's spend
burnwall status
# Last 7 days, with JSON output for piping into jq:
burnwall history --json | jq '.rows[] | {date, total_cost_usd}'
# Tighten the daily budget to $20
burnwall config set budget.daily 20macOS / Linux:
curl -fsSL https://raw.githubusercontent.com/intbot/burnwall/main/install.sh | shWindows (PowerShell):
irm https://raw.githubusercontent.com/intbot/burnwall/main/install.ps1 | iexThe installers detect your OS and architecture, download the right
release archive from GitHub, drop the burnwall binary in a per-user
location (~/.local/bin on Unix, %USERPROFILE%\.burnwall\bin on
Windows), and print a PATH hint if needed. Override the install dir
with BURNWALL_INSTALL_DIR=β¦ or pin a version with
BURNWALL_VERSION=0.3.1.
brew tap intbot/burnwall
brew install burnwallWorks on macOS (arm64 + x86_64) and Linuxbrew.
Prebuilt archives for every release are at https://github.com/intbot/burnwall/releases:
burnwall-aarch64-apple-darwin.tar.gzβ macOS Apple Siliconburnwall-x86_64-apple-darwin.tar.gzβ macOS Intelburnwall-x86_64-unknown-linux-gnu.tar.gzβ Linux x86_64burnwall-x86_64-pc-windows-msvc.zipβ Windows x86_64
Extract and put the burnwall binary anywhere on your PATH.
cargo install burnwall # from crates.io
git clone https://github.com/intbot/burnwall && cd burnwall && cargo build --release # from sourceBurnwall runs as a local HTTP proxy. You point your AI tools at it via environment variables:
export ANTHROPIC_BASE_URL=http://localhost:4100/anthropic
export OPENAI_BASE_URL=http://localhost:4100/openaiEvery API call flows through Burnwall:
[Your AI Tool] β [Burnwall :4100] β [Provider API]
β
β Security check (block dangerous requests)
β Budget check (enforce daily limits)
β Cost tracking (parse real usage with caching)
β Store metrics (local SQLite)
Responses are never modified β Burnwall reads them, logs the cost, and passes them through unchanged.
Burnwall sits on the LLM API path β the HTTP traffic between your AI tool and Anthropic/OpenAI. Security scanning, budget enforcement, and cost tracking all operate on that traffic.
It does not intercept MCP (Model Context Protocol) traffic. When your agent calls an MCP server's tools, that traffic flows through your AI tool directly β Burnwall never sees it, so it can't scan or block it. MCP-layer protection is a separate concern; dedicated MCP-firewall tools exist and run cleanly alongside Burnwall.
| Tool | Support | Configuration |
|---|---|---|
| Claude Code | β Full | ANTHROPIC_BASE_URL |
| Codex CLI (API key mode) | β Full | OPENAI_BASE_URL |
| Aider | β Full | --openai-api-base |
| OpenCode | β Full | Settings |
| Cline | β Full | Extension settings |
| Continue | β Full | Extension settings |
| Cursor (BYOK mode) | β Full | API key settings |
| Cursor (internal credits) | β | Not interceptable |
| GitHub Copilot | β | Not interceptable |
Default rules block access to sensitive paths and dangerous commands:
# ~/.burnwall/config.toml
[security]
deny_paths = ["~/.ssh", "~/.aws", "~/.gnupg", "~/.kube"]
deny_commands = ["rm -rf /", "chmod 777"]
block_network_mounts = true # /Volumes/*, \\server\share
detect_secrets = true # AWS keys, private keys, API tokensWhen a rule triggers:
π‘οΈ BLOCKED: Agent attempted to read ~/.ssh/id_rsa
Provider: anthropic | Model: claude-sonnet-4-6
Request returned 403 β file was never accessed.
$ burnwall status
π Today (May 11, 2026)
Total: $12.47 across 84 requests
Provider / Model Cost Requests Cache Hit
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
anthropic/claude-sonnet-4-6 $8.20 62 73%
anthropic/claude-haiku-4-5 $0.92 18 91%
openai/gpt-5.4 $3.35 4 45%
π° Budget: $12.47 / $50.00 (24.9%)
π‘οΈ Security: 2 blocked attempts
Cache savings today: $47.82
- 100% local. No data ever leaves your machine (except API forwarding).
- Zero telemetry. No analytics, no phone-home, no tracking. Ever.
- No prompt logging. Only metadata is stored (model, tokens, cost, timestamp).
- No API key storage. Keys pass through in headers and are never written to disk.
- Open source. Audit the code yourself.
FSL-1.1-MIT β Functional Source License. Full source available. Free to use, modify, and self-host. Cannot be redistributed as a competing commercial product. Converts to MIT after 2 years.
We welcome contributions! See CONTRIBUTING.md for guidelines.
Built with Rust. No telemetry. No compromises.