QUICKSTART

Install Sieve and secure Claude Code.

Sieve is a local security proxy for AI coding agents — one Rust binary on 127.0.0.1 between your agent and the LLM API. This page takes you from zero to traffic flowing through Sieve, then shows how to verify the build you are running.

1 · Install

Sieve is in early preview (0.1.0-alpha). The supported path today is building from source with Cargo:

cargo install --git https://github.com/SieveAI-dev/sieve sieve-cli

Packaged installers — a Homebrew tap (brew tap SieveAI-dev/sieve && brew install sieve), a one-line install script, and signed .dmg releases for the macOS GUI — are coming soon. Watch the repository to be notified of the first packaged release.

2 · Wire up your agent

sieve setup

One command configures everything. On macOS, sieve setup:

  • detects installed agents (Claude Code, Codex CLI, OpenClaw, Hermes);
  • points Claude Code at the local daemon by writing ANTHROPIC_BASE_URL = http://127.0.0.1:11453 into ~/.claude/settings.json;
  • registers the PreToolUse hook (sieve-hook check, with onError: block so a missing hook fails closed);
  • installs a launchd service so the daemon starts at login;
  • creates ~/.sieve/ (mode 0700), shows a diff of every file it wants to change, asks for confirmation, and backs originals up to ~/.sieve/backups/.

Everything sieve setup does is reversible with sieve uninstall (preview it first with --dry-run).

3 · Health check

sieve doctor

sieve doctor verifies the install end to end: the ANTHROPIC_BASE_URL value in settings.json, the PreToolUse hook registration, that the daemon is listening on :11453, the launchd service state, and that the sieve-hook binary is present. It also runs a canary detection test against the local rules engine; no real network request is made.

4 · Run & watch

In production the daemon is managed by launchd. To run it in the foreground instead, and to watch decisions live from a terminal:

sieve start --config ~/.sieve/config.toml
sieve decisions watch

From here, use your agent as normal. Outbound secrets are redacted in place; inbound Critical tool calls are held for your confirmation. See the CLI reference for decisions, audit, rules and the rest.

If you skip sieve setup and only export ANTHROPIC_BASE_URL=http://127.0.0.1:11453 by hand, the PreToolUse hook is not registered, so hook-enforced rules will not intercept tool calls. The manual path is only recommended for testing.

Verify signed builds

Every release is signed with Sigstore. Before running a downloaded build, verify it against the GitHub Actions release identity:

cosign verify-blob \
  --certificate-identity-regexp '^https://github.com/SieveAI-dev/sieve/\.github/workflows/release\.yml@refs/tags/v[0-9.]+$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle SieveGUI-<version>.dmg.sigstore \
  SieveGUI-<version>.dmg

The expected output is Verified OK. CLI binaries ship with a .sigstore.json bundle and verify the same way. Builds are also reproducible: scripts/repro-build.sh in the repository lets you rebuild the binary bit for bit and compare the SHA-256 yourself.
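
The identity pin in the command above, exercised as an added example (not part of Sieve's own documentation or code). The regexp is copied from this page, the identities are constructed, and grep -E stands in for cosign's regexp engine on the assumption that both treat this particular pattern the same way.

```shell
#!/bin/sh
# Added example: which signer identities does the pinned regexp accept?
# Pattern copied verbatim from the cosign command on this page.
IDENTITY_RE='^https://github.com/SieveAI-dev/sieve/\.github/workflows/release\.yml@refs/tags/v[0-9.]+$'

# identity_allowed IDENTITY
# Exit 0 if the whole identity matches the pin, 1 otherwise.
identity_allowed() {
  case $1 in
    *'
'*) return 1 ;;   # grep matches per line; refuse multi-line input outright
  esac
  printf '%s\n' "$1" | grep -Eq -- "$IDENTITY_RE"
}

# report: read identities from stdin, one per line, print ACCEPT or REJECT.
report() {
  while IFS= read -r id; do
    [ -n "$id" ] || continue
    if identity_allowed "$id"; then
      printf 'ACCEPT  %s\n' "$id"
    else
      printf 'REJECT  %s\n' "$id"
    fi
  done
}

# Constructed sample identities (not taken from any real certificate):
# a plain release tag, a pre-release tag, a branch ref, a different
# workflow file, a different repository owner, and a trailing path.
report <<'EOF'
https://github.com/SieveAI-dev/sieve/.github/workflows/release.yml@refs/tags/v0.1.0
https://github.com/SieveAI-dev/sieve/.github/workflows/release.yml@refs/tags/v0.1.0-alpha
https://github.com/SieveAI-dev/sieve/.github/workflows/release.yml@refs/heads/main
https://github.com/SieveAI-dev/sieve/.github/workflows/ci.yml@refs/tags/v0.1.0
https://github.com/example-fork/sieve/.github/workflows/release.yml@refs/tags/v0.1.0
https://github.com/SieveAI-dev/sieve/.github/workflows/release.yml@refs/tags/v0.1.0/extra
EOF
```

Only the first identity is accepted. The tag part of the pattern, v[0-9.]+$, allows digits and dots only, so a tag with a pre-release suffix does not satisfy it.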

Per-agent notes

Agent        How it connects
Claude Code  ANTHROPIC_BASE_URL in ~/.claude/settings.json plus a native PreToolUse hook — both written by sieve setup.
Codex CLI    Base URL plus a PreToolUse hook registered in ~/.codex/hooks.json.
OpenClaw     Provider base_url values in ~/.openclaw/config.toml point at the Sieve listener.
Hermes       Per-provider base_url in ~/.hermes/config.toml (or .env) points at the Sieve listener.

The invariant across all agents: Critical rules cannot be disabled, and the gateway's inbound hold fails closed even where an agent-side hook is best-effort. Details in the threat model.