# Ringfence

> Budget firewall for AI coding agents. Caps your daily and
> monthly AI spend across Anthropic Claude, OpenAI Codex, and
> Google Gemini before any request leaves your machine.

Ringfence is a hybrid product:

- A local CLI + proxy (the `fence` binary) runs on the developer's machine and intercepts every request to upstream AI providers (Anthropic, OpenAI, Google). It enforces hard per-developer daily and monthly cost caps; when the cap is breached, traffic is blocked with a clear 429 response.
- An optional hosted cloud dashboard (ringfence.dev) collects signed metadata heartbeats — token counts, cost, model, status. **Prompts and completions never leave the user's machine.** That's the privacy moat.

## Key facts

- Install: `curl -sSL https://ringfence.dev/install.sh | bash`
- One single-binary install, ~60 seconds.
- Multi-provider on a single port (path-based routing): just set `ANTHROPIC_BASE_URL`, `OPENAI_BASE_URL` (or `OPENAI_API_BASE` for legacy clients), and `GENAI_API_BASE` to `http://localhost:9000`. `fence enable-system-wide` does all four at once for GUI apps.
- Streaming SSE preserved — Claude Code's typewriter effect works through the proxy with no buffering.
- Self-hosted control plane available for enterprise procurement (data-can't-leave-network customers).

## Pricing (4-tier, flat rates, not per-seat)

| Tier       | Price           | Devs | What you get                                   |
| ---------- | --------------- | ---- | ---------------------------------------------- |
| Free       | $0              | 1    | Local-only. No cloud features.                 |
| Starter    | £29 / $39 /mo   | 5    | Cloud dashboard, Slack alerts, per-agent caps. |
| Team       | £79 / $99 /mo   | 20   | Per-project tags, audit log, multi-Slack.      |
| Scale      | £249 / $299 /mo | ∞    | SSO, priority support, annual option.          |
| Enterprise | from $4,800/yr  | ∞    | Self-hosted control plane, contact us.         |

## What Ringfence is NOT

- It is NOT a usage analytics tool. There are great ones (Helicone, Portkey, Langfuse) — Ringfence is specifically about **enforcement**: hard cutoffs, not just monitoring.
- It is NOT a prompt cache. The proxy doesn't deduplicate or re-serve previous responses; that would compromise the privacy invariant.
- It is NOT a key vault. API keys live where they always lived (in your shell env / SDK config); Ringfence only reads enough of them to identify the provider.

## Privacy invariant (the moat)

The local proxy NEVER persists, logs, or transmits:

- Prompts
- Completions
- File paths or code content
- Anything that could identify what you're working on

Only the following crosses the boundary to the cloud (when opted in):

- Timestamps, model name, input/output token counts
- Cost in dollars/sterling, currency
- User ID, team ID, optional project tag
- Request status (allowed / blocked / errored)

`--offline` mode disables phone-home entirely. Loses Slack alerts and team rollups; keeps budget enforcement.

## Operator and data controller

Settleby Ltd, a UK company. Companies House 15107426. VAT GB448267759.

Contact: hello@ringfence.dev (plus-aliases: hello+legal@, hello+privacy@, hello+gdpr@ for routing).

## Important URLs

- Landing: https://ringfence.dev
- Install: https://ringfence.dev/install.sh
- Sign up: https://ringfence.dev/signup
- Sign in: https://ringfence.dev/signin
- Terms of Service: https://ringfence.dev/terms
- Privacy Policy: https://ringfence.dev/privacy
- Data Processing Agreement: https://ringfence.dev/dpa

## Source

The fence + fence-proxy components are open for paying-tier customers via signed download links; the source repository itself is private.

Distribution diagram:

```
install.sh + tarballs                    → public, served from ringfence.dev/dl/
ringfence-cloud (enterprise self-hosted) → gated by HMAC-signed URL
```

## Common questions

**Does this work with Cursor / Aider / Continue / etc?**

Yes — anything that reads a configurable base URL via the standard SDKs (Anthropic / OpenAI / Google GenAI) routes through the proxy. Tools that hard-code their upstream (the consumer Claude desktop app, some IDE-embedded Gemini integrations) can't be intercepted without TLS-MITM, which is not yet supported.

**How does it differ from Helicone / Portkey?**

Those are hosted-first SaaS — your prompts go to their servers. Ringfence runs locally and only ships metadata to the cloud (or nothing in `--offline` mode). The wedge is hard enforcement (not monitoring), self-hosted privacy, and per-developer caps that actually stop traffic.

**Does it support OpenRouter / together.ai / fireworks etc?**

v1 routes the three first-party providers (Anthropic, OpenAI, Google) on a single port. Routing rules for OpenAI-compatible endpoints (which most aggregators mimic) work today via the `OPENAI_BASE_URL` path; provider-specific extensions are roadmapped post-v1.
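
The privacy invariant section lists which fields may cross to the cloud. The sketch below is an added example, not Ringfence's code, showing one way to enforce such a list as a copy-by-allowlist step with a receiver-side check. The field names, the HMAC-SHA256 signature over canonical JSON, and the sample record are all assumptions; the page does not describe the heartbeat format or signing scheme.

```python
import hashlib
import hmac
import json

# Metadata the page says may cross to the cloud; key names are assumed.
ALLOWED = ("timestamp", "model", "input_tokens", "output_tokens", "cost",
           "currency", "user_id", "team_id", "project_tag", "status")
OPTIONAL = {"project_tag"}
STATUSES = {"allowed", "blocked", "errored"}

def build_heartbeat(record: dict, key: bytes) -> dict:
    """Copy only allowlisted fields out of a local request record, then sign."""
    missing = [f for f in ALLOWED if f not in OPTIONAL and f not in record]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if record["status"] not in STATUSES:
        raise ValueError("unknown status")
    # Allowlist copy: anything not named above (prompt, paths) is dropped.
    body = {f: record[f] for f in ALLOWED if f in record}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_heartbeat(msg: dict, key: bytes) -> dict:
    """Receiver side: check the signature, then reject unexpected fields."""
    expected = hmac.new(key, msg["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["sig"]):
        raise ValueError("bad signature")
    body = json.loads(msg["payload"])
    extra = set(body) - set(ALLOWED)
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    return body

# Constructed sample: a local record that still holds sensitive content.
KEY = b"constructed-demo-key"
SAMPLE = {
    "timestamp": "2025-01-01T12:00:00Z", "model": "example-model",
    "input_tokens": 1200, "output_tokens": 350, "cost": 0.0421,
    "currency": "USD", "user_id": "u_1", "team_id": "t_1", "status": "allowed",
    "prompt": "refactor billing.py", "completion": "def charge(): ...",
    "file_path": "/home/dev/billing.py",
}

if __name__ == "__main__":
    hb = build_heartbeat(SAMPLE, KEY)
    print(hb["payload"])
    print(sorted(verify_heartbeat(hb, KEY)))
```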