Local audit for Claude Code
CostClaw reads the Claude Code logs already on your disk, finds the token spend you can get back, and scores your setup across six pillars. It runs on your machine and never reads your prompts.
npx costclaw audit No account, no upload. It parses the logs on your disk and prints a report.
~/.claude/projects 466 sessions · 38 projects
Top fix by recoverable spend
The leak
Anthropic bills you a monthly total. It cannot tell you which dollars you could have kept. Two costs hide there, and both are sitting in the session logs on your disk.
Claude Code caches the front of your prompt so repeat tokens cost a tenth of the price. When a session rebuilds that cache instead of reusing it, you pay full input rate on tokens that should have been nearly free. CostClaw measures the gap and prices it.
A session that fires the same tool a hundred times is usually thrashing: re-reading, re-grepping, circling a problem. It does not show up as a line item, but it burns tokens and time. CostClaw counts the loops and flags the sessions that run hot.
How it works
It reads the JSONL session logs under your Claude directory, in memory, on your machine. Nothing is sent anywhere.
From the raw logs it computes totals: spend, cache hit rate, tool use, session timing. Prompts, paths, and code are dropped here.
It scores six setup pillars from the evidence and ranks fixes by the dollars they recover. The report prints to your terminal.
Stays here. Always.
Optional, on the Pro plan. It only ever receives the derived record above. The free CLI sends nothing at all.
What you get
Real spend over the window you audit, your cache hit rate, and the slice you could get back. The recoverable figure is the headline, so you know what fixing the leak is worth before you start.
CLAUDE.md quality, context hygiene, prompting, session management, tooling, and cost discipline. Each pillar is scored only from what your logs actually show. A pillar with no evidence reads n/a; nothing is invented to fill a bar.
Not a wall of warnings. The list leads with the fix that returns the most spend, carries the exact figure, and tells you the one change to make. Smaller issues sit below it, in order.
Privacy as the moat
The only thing CostClaw produces is an AuditRecord: totals and generated sentences. No prompt text, no file paths, no secrets. That boundary is held by a test that runs on every build.
The test plants tripwire strings, a fake prompt and a fake client path, into sample logs, runs the full pipeline, and asserts that none of them appear in the record. If a leak ever slipped in, the build would fail before it shipped.
// the privacy invariant, enforced on every run
const raw = sessionWith({
prompt: "TRIPWIRE_secret_prompt",
path: "/Users/me/clients/acme",
});
const record = buildAudit(analyze(raw));
const json = JSON.stringify(record);
expect(json).not.toContain("TRIPWIRE_secret_prompt");
expect(json).not.toContain("/Users/me/clients/acme");
expect(hasEmDash(json)).toBe(false);Pricing
The CLI is real and usable right now, at no cost. The hosted plan is in progress, and it will only ever see the derived record, never your logs.
$0runs on your machine
npx costclaw audit In progress
Want it when it ships? Leave your email.
Not ready yet. The CLI does the core job today.
The audit reads what is already on your disk and prints the report. If it finds nothing, you have lost a minute. If it finds the usual, you have found real money.
npx costclaw audit Reads local logs. Sends nothing. No account.