for teams that ship with AI

Your developers are burning tokens on noise.

Every git status, every test run, every docker logs floods your AI coding agent's context window with output it doesn't need. LazyToken filters that noise before it reaches the model — 60–90% fewer tokens on supported commands — and its Context Firewall redacts secrets locally before they can ever leave the building.

Works with Claude Code · GitHub Copilot · Cursor · Gemini CLI — and more coding agents

ltk — token savings + context firewall
~/acme-api $ ltk git status # raw output: 1,984 tokens → filtered: 203 tokens On branch main · ahead of origin/main by 2 M src/pay/checkout.rs M src/pay/refund.rs ?? .env.production └─ savings this run: −89.8%   ~/acme-api $ ltk cat .env.production # Context Firewall — scanned locally, before the model AWS_ACCESS_KEY_ID=[REDACTED:aws-key] DATABASE_URL=[REDACTED:connection-string] └─ 2 secrets blocked · values never stored, never sent
−89.8% tokens on this command
60–90%
token savings on supported commands
<10ms
overhead per command — invisible to developers
100+
supported commands: git, tests, docker, k8s, AWS
0
bytes of code, paths, or output ever transmitted
how it works

Between the terminal and the model

The ltk agent sits between the terminal and your AI coding agent — Claude Code, GitHub Copilot, Cursor, or Gemini CLI. When the agent runs a command, LazyToken runs it, compresses the output down to what the model actually needs, and passes that on. Commands it doesn't recognize pass through untouched.

LazyToken architecture: terminal → ltk agent → AI coding agent, and ltk agent → self-hosted org server → dashboard terminal raw command output ltk agent filters & compresses output Context Firewall: redacts secrets runs locally, <10ms overhead AI coding agent Claude Code · Copilot Cursor · Gemini CLI ~2,000 tokens ~200 tokens your org server self-hosted · air-gapped ready policy · licensing · analytics dashboard ROI · fleet · FinOps security events numbers only never code · paths · output

01 / install

Hook it in once

ltk init wires LazyToken into your coding agent — Claude Code by default, with --copilot, --gemini, and --codex flags for the rest. Enterprises roll it out silently via MSI / pkg / MDM.

02 / filter

Same information, fewer tokens

When the agent runs git status, tests, docker, or 100+ other commands, LazyToken returns a compressed result with the signal intact. Unknown commands pass through unmodified — nothing ever breaks.

03 / prove

See the savings

The agent reports numbers only to your self-hosted server. The dashboard shows tokens and dollars saved by team, command, and AI agent — with a monthly ROI PDF for leadership.

the platform

What's in the box

An open-core filtering engine on the workstation, and a proprietary control plane your organization runs itself.

Token filtering & compression

Filters the terminal output of 100+ supported commands — git operations, test runners, build tools, docker, kubernetes, AWS CLI, and more — keeping the information the model needs and dropping the noise. Filter levels (strict / balanced) and per-command exclusions are policy-controlled.

  • 60–90% token reduction on supported commands
  • Passthrough fallback: unsupported commands run untouched
  • Under 10ms overhead — invisible to developers

Context Firewall (DLP)

Every command output is scanned locally, before it enters the model's context. Detected secrets are replaced with [REDACTED:type] — the original value is never written to disk and never transmitted anywhere.

  • Rules: AWS keys, GitHub tokens, private keys, connection strings, JWTs, high-entropy strings — plus custom org regex rules
  • Command guardrails: block sensitive output entirely (e.g. cat on **/.env*)
  • Optional PII masking (emails, IDs, card numbers)
  • Events dashboard: type + tool + time only — never the value

Enterprise control plane

One self-hosted server manages the whole fleet: policies are Ed25519-signed and verified by every agent before applying — a compromised server can't push a malicious config.

  • Central policy with versioning, assignment to teams/devices
  • Fleet screen: enrolled devices, versions, silent machines
  • SSO (OIDC / SAML), four-role RBAC, append-only audit log
  • Monthly ROI PDF reports, scheduled to email / Slack
  • Signed agent self-update served from your server only

AI FinOps

Stop managing token quotas in a spreadsheet. LazyToken combines provider usage data (Anthropic usage API, Copilot reports) with its own savings data for one picture: consumed, saved, remaining.

  • Per-developer and per-team quotas
  • Budget alerts at 80% and 95% of quota
  • Rebalancing recommendations: idle quotas vs. throttled developers

SDLC standards distribution

The same signed-policy channel distributes your engineering standards: a uniform CLAUDE.md / AGENTS.md, commit criteria, spec-driven templates. One central version, applied to every workstation with ltk sdlc sync — versioned, signed, and auditable.

Free for individuals

The full agent — every filter, the Context Firewall — is free for personal use. Sign in with GitHub or Google, run ltk enroll --cloud, and get a personal savings dashboard with 30-day history plus a shareable "tokens I saved" card. When you're ready to bring it to the team, that's one button away.

privacy by design

Enforced in code, not promised in policy

The agent's reporting payload is governed by a strict allowlist — a schema so narrow that sensitive data can't fit through it, enforced by automated tests that block merges on both sides of the wire.

The entire dataset the agent can send

Numeric token counters, a tool name (first word onlygit, npm, cargo), a coarse category, which AI agent was used, a timestamp, filter timing, and an optional salted project hash. The tool name is capped at 32 characters and can't contain spaces — no argument can ride along.

The agent never transmits:

  • Source code, diffs, or snippets
  • Command arguments, file paths, or directory names
  • Command or terminal output
  • Environment variables or secrets
  • Prompts, model responses, keystrokes, or clipboard

Built so the vendor can't reach your data

  • Self-hosted: your server, your database — no vendor tenant, no vendor access
  • Air-gapped supported: zero outbound calls, technically enforced with a NetworkPolicy
  • Signed policy & updates: Ed25519-verified before applying; updates come from your server only
  • Open-core engine: the code on developer machines is built on an Apache 2.0 open-source engine — auditable line by line
  • Minimal privilege: ordinary user, no root, no listening ports, credentials in the OS keychain

Read the full security & privacy page →

pricing

Simple per-seat pricing

Start free as an individual, grow into the org plan when you're ready. Prices below are indicative — final quotes depend on seat count and contract term.

Free

Individual developers

$0

forever

  • Full agent, all filters + Context Firewall
  • Personal dashboard — 30-day history
  • "Tokens I saved" share card
  • Community support
Download free

Team

10–50 developers

$12

per seat / month · −15% billed annually

  • Org dashboard + ROI reports
  • Central policy management
  • SDLC standards distribution
  • Self-hosted (Docker)
  • Email support
Talk to us

Business

50–250 developers

$18

per seat / month · −15% billed annually

  • Everything in Team
  • Context Firewall (DLP)
  • AI FinOps — quotas, alerts, rebalancing
  • SSO (OIDC/SAML) + full RBAC + audit
  • Docker / Helm · next-business-day support
Free 30-day pilot

Enterprise

250+ seats / regulated

Custom

annual contract

  • Everything in Business
  • Fully air-gapped deployment
  • Custom firewall rules + white-label reports
  • 4-hour SLA + account manager
  • On-site rollout & training
Talk to us

30-day pilot for up to 25 seats — at the end of the month you get a savings report on your own data.

faq

Frequently asked questions

What data leaves my machine?

Numbers and a tool name — that's the entire schema. Each metric record contains a timestamp, the first word of the command (max 32 chars, no spaces allowed, so arguments can't leak), a category, which AI agent was in use, raw/filtered token counts, filter timing, and an optional salted project hash. Never code, arguments, paths, output, or environment variables. The allowlist is enforced by an automated test on the agent and a strict schema on the server — an unknown field is rejected, not silently stripped.

Does LazyToken slow my commands down?

No. Filtering adds less than 10ms per command, and metric reporting happens asynchronously in a detached process — it is never in the command path. If the server is unreachable, commands are unaffected.

Which AI coding agents does it work with?

Claude Code and GitHub Copilot are first-class citizens side by side, along with Cursor and Gemini CLI — in the agent hooks, the dashboard, and the reports. ltk init also supports Codex CLI, OpenCode, and other agents. We cover the fleet you actually run, not one vendor's tool.

Which commands does it filter?

Over 100 commands: git operations, test runners, build tools (npm, cargo, and friends), docker, kubernetes, terraform, the AWS CLI, and more. Commands without a filter pass through untouched — output is never mangled. The dashboard's Opportunities screen shows you which high-volume commands are still passing through, so you know where the next savings are.

What happens if our LazyToken server is down?

Nothing, from the developer's perspective. The agent is offline-first: filtering keeps working, metrics buffer locally (up to 30 days, then oldest-first drop), and reporting resumes with exponential backoff when the server returns. The developer's workflow is never blocked.

How is this different from the free open-source engine it's built on?

The open-source engine solves the problem for one developer. LazyToken adds what an organization needs: visibility (savings by team, in dollars), control (enforced install, signed central policy, managed updates), compliance (self-hosted, audit log, zero external telemetry), the Context Firewall DLP layer, AI FinOps, and accountability (support, SLA, one owner). The engine being open is a feature — your security team can audit every line that runs on developer machines.

Can the vendor see our data?

No. The server is self-hosted in your environment — the vendor has no tenant, no copy, and no access. In air-gapped mode the server makes zero outbound calls, and that posture is technically enforced with a Kubernetes NetworkPolicy you can verify yourself.

When the Context Firewall redacts a secret, is the secret stored anywhere?

Never. Redaction happens locally, in memory, before the output enters the model's context. What gets recorded is {type, tool, timestamp, device} — e.g. "an aws-key pattern was blocked in cat output" — never the matched value, the file path, or the command arguments.

Could a compromised server push a malicious config to our developers?

No. Policies are signed with the org's Ed25519 key, and the agent verifies the signature against a key pinned at enrollment before parsing or applying anything. An invalid signature means the agent keeps the last good policy. Agent updates get the same treatment: sha256 + Ed25519 verification before an atomic replace.

Is measuring per-developer savings employee surveillance?

It doesn't have to be. LazyToken ships a built-in anonymized mode: the dashboard shows teams and "Dev #N" instead of names. The choice is yours, set at policy level and recorded in the audit log — managerial visibility without personal surveillance.

How do agent updates reach developer machines?

Only from your internal server — never the open internet. ltk update downloads from your server's release channel and verifies both the published sha256 and an Ed25519 signature before an atomic self-replace that leaves the old binary intact on any failure. You can also roll out through your MDM.

How long does a rollout take?

The product targets under 60 minutes from server install to a dashboard with real data. Docker Compose for pilots, Helm for production, air-gapped runbook for the strictest environments — plus MDM scripts (Intune, Jamf, GPO) for the fleet. See the docs.

Your first savings report — 30 days from now

Free pilot for up to 25 developers. At the end of the month you get a savings report on your own data — and decide with real numbers in hand.