Install Sieve and secure Claude Code.
Sieve is a local security proxy for AI coding agents — one Rust binary on
127.0.0.1 between your agent and the LLM API. This page takes you
from zero to traffic flowing through Sieve, then shows how to verify the build
you are running.
1 · Install
Sieve is in early preview (0.1.0-alpha). The supported path today is
building from source with Cargo:
cargo install --git https://github.com/SieveAI-dev/sieve sieve-cli
Packaged installers — a Homebrew tap (brew tap SieveAI-dev/sieve &&
brew install sieve), a one-line install script, and signed .dmg
releases for the macOS GUI — are coming soon.
Watch the repository
to be notified of the first packaged release.
2 · Wire up your agent
sieve setup
One command configures everything. On macOS, sieve setup:
- detects installed agents (Claude Code, Codex CLI, OpenClaw, Hermes);
- points Claude Code at the local daemon by writing
ANTHROPIC_BASE_URL = http://127.0.0.1:11453into~/.claude/settings.json; - registers the
PreToolUsehook (sieve-hook check, withonError: blockso a missing hook fails closed); - installs a launchd service so the daemon starts at login;
- creates
~/.sieve/(mode 0700), shows a diff of every file it wants to change, asks for confirmation, and backs originals up to~/.sieve/backups/.
Everything sieve setup does is reversible with
sieve uninstall (preview it first with --dry-run).
3 · Health check
sieve doctor
Verifies the install end to end: the ANTHROPIC_BASE_URL value in
settings.json, the PreToolUse hook registration, that
the daemon is listening on :11453, the launchd service state, that
the sieve-hook binary is present, and a canary detection test that
runs against the local rules engine — no real network request is made.
4 · Run & watch
In production the daemon is managed by launchd. To run it in the foreground instead, and to watch decisions live from a terminal:
sieve start --config ~/.sieve/config.toml
sieve decisions watch
From here, use your agent as normal. Outbound secrets are redacted in place;
inbound Critical tool calls are held for your confirmation. See the
CLI reference for decisions,
audit, rules and the rest.
sieve setup and only export
ANTHROPIC_BASE_URL=http://127.0.0.1:11453 by hand, the
PreToolUse hook is not registered — so hook-enforced
rules will not intercept. The manual path is only recommended for testing.
Verify signed builds
Every release is signed with Sigstore. Before running a downloaded build, verify it against the GitHub Actions release identity:
cosign verify-blob \
--certificate-identity-regexp '^https://github.com/SieveAI-dev/sieve/\.github/workflows/release\.yml@refs/tags/v[0-9.]+$' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--bundle SieveGUI-<version>.dmg.sigstore \
SieveGUI-<version>.dmg
The expected output is Verified OK. CLI binaries ship with a
.sigstore.json bundle and verify the same way. Builds are also
reproducible: scripts/repro-build.sh in the repository lets you
rebuild the binary bit for bit and compare the SHA-256 yourself.
Per-agent notes
| Agent | How it connects |
|---|---|
| Claude Code | ANTHROPIC_BASE_URL in ~/.claude/settings.json
plus a native PreToolUse hook — both written by
sieve setup. |
| Codex CLI | Base URL plus a PreToolUse hook registered in
~/.codex/hooks.json. |
| OpenClaw | Provider base_url values in ~/.openclaw/config.toml
point at the Sieve listener. |
| Hermes | Per-provider base_url in ~/.hermes/config.toml
(or .env) points at the Sieve listener. |
The invariant across all agents: Critical rules cannot be disabled, and the gateway's inbound hold fails closed even where an agent-side hook is best-effort. Details in the threat model.